Intercept Anti-Spam Quick Start Guide

Software Version: 6.5.2
Date: 5/24/07
Preface
    Product Documentation
    Conventions
    Contacting Technical Support
    Copyright Information
Overview
    Intercept Anti-Spam Solution
        Specific Access Patterns
        Pattern Based Message Filters
        Spam Dictionaries
        Mail Anomalies
        BorderWare Security Network
        DNS Block List (DNSBL)
        URL Block Lists
        Bulk Analysis
        Token Analysis
        Image Spam Analysis
        SPF (Sender Policy Framework) and DomainKeys
    Spam Categories and Actions
        Certainly Spam
        Probably Spam
        Maybe Spam
        Anti-Spam Header
    Intercept Decision Strategy
        Component Weights
    Managing Your Intercept Solution
        Set up Trust Relationships
        User Feedback
Preface
This Quick Start Guide is designed to help the administrator configure and customize the
Intercept Anti-Spam components to provide a strong spam protection configuration while
minimizing false positives (messages incorrectly marked as spam).
Product Documentation
The ePrism documentation set consists of the following documents:

Release Notes: Provides up-to-date information on the product, including new features,
improvements, issues fixed, and any known issues. If instructions in the Release Notes differ
from the Installation Guide or User Guide, use the instructions in the Release Notes.

Installation Guide: Provides detailed information on how to install and provide the initial
configuration for the ePrism Email Security Appliance.

User Guide: Provides detailed information on how to configure and administer the ePrism Email
Security Appliance.

Intercept Anti-Spam Quick Start Guide: Describes the basic configuration details and
recommended strategies for ePrism's Intercept Anti-Spam features.
Conventions
The following typographical conventions are used in this guide:
Typeface or Symbol | Description | Example
italic | Screen name or data field names | Activity Screen, or SMTP Port
bold | Button names, menu items, and screen names | Select Mail Delivery → AntiSpam on the menu and click the Apply button
courier font | Text displayed on the screen, and file and directory names | /backup/backup.gzip
Bold courier | Text entered by the user | Enter: example.com
(note symbol) | Information that describes important features or instructions | Please see the following section for more details
(caution symbol) | Information that alerts you to potential problems and issues | Use caution when enabling this feature
Contacting Technical Support
St. Bernard Software telephone support is available Monday to Friday during the hours listed
for each region.

North America, South America, Pacific Rim (PST): 07:00 to 16:00 Pacific Standard Time
15015 Avenue of Science
San Diego, CA 92128
Main: 858.676.2277
FAX: 858.676.2299
Technical Support: 858.676.5050
Technical Support Email: [email protected]

Europe, Asia, Africa (UTC): 08:30 to 17:30 UTC
Unit 4, Riverside Way
Watchmoor Park, Camberley
Surrey, UK
GU15 3YQ
Main: 44.1276.401.640
FAX: 44.1276.684.479
Technical Support: 44.1276.401.642
Technical Support Email: [email protected]
Copyright Information
© 2003-2007 St. Bernard Software, Inc. All rights reserved.
St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered
trademarks are hereby acknowledged.
Information in this document is subject to change without notice.
Overview
This guide is designed to help the administrator configure the ePrism Intercept Anti-Spam engine
to provide strong spam protection while minimizing false positives (messages incorrectly marked
as spam). ePrism provides an easy to use, flexible, and comprehensive Anti-Spam solution designed
to defend against sophisticated spam campaigns.
The Intercept solution provides the following benefits:
• An anti-spam approach that combines multiple technologies into a single, unified solution,
providing a comprehensive approach to fighting spam.
• Multiple spam categories (Certainly Spam, Probably Spam, and Maybe Spam) allow
administrators to classify messages depending on their overall level of "spaminess".
These categories allow messages to be handled differently depending on their respective
spam scores.
• Intercept provides the administrator with separate actions for each spam category. For
example, messages marked as Certainly Spam can be rejected, Probably Spam
messages can be marked in the subject header, and Maybe Spam messages can be just
logged. These configurable actions allow administrators to customize the solution to the
needs and requirements of their organization.
Intercept Anti-Spam Solution
Intercept's default Anti-Spam settings provide a strong baseline configuration so that
organizations can deal with the majority of spam messages with little additional configuration.
The Intercept Anti-Spam technologies require no training to capture most spam when first
enabled. As ePrism processes messages and end users provide feedback, the Intercept engine can
be tuned to provide optimal spam protection.
The ePrism Intercept Anti-Spam engine uses multiple filtering technologies that are combined
together to provide a definitive spam score. Individual components can be included or excluded in
the calculation and each component can be individually weighted to provide a different
contribution to the score. Intercept includes the following components:
• Specific Access Patterns
• Pattern Based Message Filtering
• Spam Dictionaries
• Mail Anomalies
• BorderWare Security Network
• DNS Block List
• URL Block List
• Bulk Analysis
• Token Analysis
• SPF™
• DomainKeys™ Authentication
Select Mail Delivery → Anti-Spam → Intercept on the menu to configure ePrism's Intercept
Anti-Spam engine. St. Bernard recommends enabling the Intercept features described in the
following sections.
The "Reject on unknown recipient" feature is an advanced option that is not covered in this
document. For more information, see the User Guide.
Specific Access Patterns
This filter provides SMTP connection and message attribute controls such as "maximum
message size" and "maximum number of recipients". This option is always enabled. Specific
Access Patterns are primarily used to trust specific IP addresses or address blocks so that mail
from them is not scanned by ePrism.
Pattern Based Message Filters
This filter is used to override the Intercept engine for allowing and blocking messages. Messages
can be filtered based on any aspect of a mail message, including the envelope, header, body,
and any attachments.
Spam Dictionaries
This filter allows administrators to tune the Intercept engine to the specific needs of an
organization by matching messages against a configurable list of spam words and phrases. St.
Bernard provides a Default Spam Words phrase file that contains the most common types of
spam words.
It is recommended that customers review the Default Spam Words dictionary before enabling the
filter, to avoid false positives caused by words on the list that are used legitimately in your
organization. This dictionary phrase file can be viewed and edited via Mail Delivery → Content
Management → Dictionaries. Customized dictionaries can also be created in the same menu for
use with the Spam Dictionaries feature.
Mail Anomalies
The Mail Anomalies feature performs checks on incoming messages to help determine whether
the message is coming from a known source of spam or is legitimate mail. Systems that send
spam have certain characteristics that can give away the nature of the sending system: many
spammers deploy scripts and use spoofed or false information when sending mail.
By checking incoming connections for patterns of these behaviours, ePrism can help determine
whether mail from an incoming system is legitimate or spam. It is recommended that the Mail
Anomalies feature be enabled with its default configuration.
BorderWare Security Network
The BorderWare Security Network (BSN) helps to identify spam by reporting a collection of
behaviour metrics about the sender of a mail message, including its overall reputation, whether
the sender is on a dial-up connection, and whether the sender appears to be virus-infected or
sends large amounts of spam. This reputation is based on information collected from customer
ePrism systems and from global DNS Block Lists. The ePrism Email Security Appliance can use
this information either to reject the message immediately or to contribute to the overall Intercept
score when a message comes from a source with a poor reputation or numerous virus infections.
The default configuration provides excellent protection from malicious systems. It is also
recommended that you set your ePrism to share statistics with the BSN network.
ePrism does not relay any private or sensitive information to the BSN when Share Statistics
is enabled.
DNS Block List (DNSBL)
This filter is used to identify known malicious systems, such as spammers, relay sites, ISP dial-ups, and so on. St. Bernard provides a predefined hosted DNSBL service available to all ePrism
systems. It is recommended that DNSBL be enabled using the default configuration.
URL Block Lists
This feature is used to determine whether a message is spam by examining any URLs contained in
the body of the message to see if they appear on a block list. URL Block Lists contain domains
and IP addresses of web sites that have previously appeared in spam, phishing, or other malicious
messages. Similar to DNS Block Lists, the URL Block List is queried to see if a URL in the
message exists on the configured block list server. If a match is found, this information is used by
the Intercept engine to decide whether the message is spam or legitimate mail.
It is recommended that URL Block Lists be enabled with the default configuration.
Bulk Analysis
This filter uses a specialized counting method to determine whether a message has been sent to
a large number of recipients. Spam campaigns are usually sent to a large number of users, and
counting the number of times a message has been seen is a good indicator of spam. It is
recommended that the Bulk Analysis filter be enabled using the default configuration.
Token Analysis
This filter uses Bayesian analysis to determine the likelihood of a message being spam. Token
Analysis scans all outbound mail for good keywords and inbound mail marked as spam for bad
keywords, and builds its database over a period of time. This filter automatically adapts to an
organization's mail flow with increased accuracy over time.
It is recommended that the Token Analysis filter be enabled with the default configuration and
with the Enable X-STA Headers option enabled.
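The following toy Bayesian token scorer is an added example written for this guide; it is not ePrism's Token Analysis code and does not reproduce its internals. It shows the mechanism described above and, more usefully, the failure mode mentioned later under Intercept Decision Strategy: when only inbound spam has been learned and no outbound legitimate mail, ordinary business words that happen to appear in spam push legitimate mail to a high score. The message texts, the 0-100 scale, the 0.4 prior for unseen tokens and the 15-token window are all assumptions chosen for illustration.

```python
"""Toy Bayesian token scorer modelled on the Token Analysis idea above.

Added example, not ePrism code. Outbound mail trains the "good" token table,
inbound mail already marked as spam trains the "spam" table, and new mail is
scored with a simplified Graham-style combination of its most decisive
tokens. The message texts are constructed, and the 0-100 scale, the 0.4 prior
for unseen tokens and the 15-token window are assumptions for illustration.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$%]{2,}")


def tokenize(text):
    """Unique lower-case word-like tokens; a token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class TokenAnalyzer:
    def __init__(self):
        self.good = Counter()   # token -> number of good messages containing it
        self.spam = Counter()   # token -> number of spam messages containing it
        self.ngood = 0
        self.nspam = 0

    def train_good(self, text):
        self.good.update(tokenize(text))
        self.ngood += 1

    def train_spam(self, text):
        self.spam.update(tokenize(text))
        self.nspam += 1

    def token_prob(self, token):
        """Estimated P(spam | token), clamped to [0.01, 0.99]."""
        g, s = self.good[token], self.spam[token]
        if g + s == 0:
            return 0.4          # never seen before: mildly "good" (assumption)
        pg = min(1.0, g / max(self.ngood, 1))
        ps = min(1.0, s / max(self.nspam, 1))
        return min(0.99, max(0.01, ps / (pg + ps)))

    def score(self, text, window=15):
        """0-100 spam score built from the tokens furthest from 0.5."""
        probs = sorted((self.token_prob(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:window]
        if not probs:
            return 0
        spam_side = math.prod(probs)
        ham_side = math.prod(1 - p for p in probs)
        return round(100 * spam_side / (spam_side + ham_side))


# Constructed training data (not real mail).
OUTBOUND_GOOD = [
    "Please review the attached agenda before the team meeting on Friday",
    "Can you send the updated budget now? The team needs it for the review",
    "Thanks, the agenda looks good, see you at the meeting",
]
INBOUND_SPAM = [
    "Please act now: claim your free prize, click here",
    "Cheap meds, lowest prices, buy now, click here",
    "You have won! Claim your free gift now, limited offer",
]
LEGIT_TEST = "Please send the updated agenda now so the team can review it"
SPAM_TEST = "Click here now to claim your free prize, lowest prices"


def demo():
    """Score the two test messages with and without outbound training."""
    spam_only = TokenAnalyzer()          # the "no outbound training" scenario
    for m in INBOUND_SPAM:
        spam_only.train_spam(m)

    trained = TokenAnalyzer()            # spam plus legitimate outbound mail
    for m in INBOUND_SPAM:
        trained.train_spam(m)
    for m in OUTBOUND_GOOD:
        trained.train_good(m)

    return {
        "legit_without_outbound_training": spam_only.score(LEGIT_TEST),
        "legit_with_outbound_training": trained.score(LEGIT_TEST),
        "spam_with_outbound_training": trained.score(SPAM_TEST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With only spam learned, "please" and "now" have been seen exclusively in spam, so the legitimate request scores in the high 90s; once the same words have also been seen in outbound mail their probabilities fall back toward 0.5 and the message scores near zero. That is why the guide steers environments without outbound training toward the "Heuristic 1" strategy, which de-emphasizes this component.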
Image Spam Analysis
An Image Spam email message typically consists of random text or no text body and contains an
attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the spam
message. These types of spam messages are difficult to detect because the message contains
no helpful text or URL characteristics that can be scanned and analyzed.
The Image Spam Analysis feature performs advanced analysis of image attachments to help
determine if the message is spam or legitimate mail. Similar to ePrism's other Anti-Spam features
that detect spam characteristics in the text of a message, the Image Analysis feature extracts
certain characteristics of the attached image to determine if these characteristics are similar to
those seen in actual spam messages. Image Spam detection and analysis is enabled by default
in the Advanced menu of Token Analysis.
SPF (Sender Policy Framework) and DomainKeys
SPF and DomainKeys are sender authentication technologies used to stop phishing attacks and
fraudulent mail messages. SPF and DomainKeys are relatively new technologies that have not
yet been widely implemented. Only experienced administrators who understand the implications
of using SPF and DomainKeys should enable these filters.
Spam Categories and Actions
The Intercept engine provides three spam categories (Certainly Spam, Probably Spam and
Maybe Spam) each with its own configurable action. This granularity allows administrators to
achieve maximum protection with minimal false positives.
Certainly Spam
Messages marked as Certainly Spam are definitely spam and can be safely rejected and
prevented from entering the network. It is very unlikely that a message marked as Certainly Spam
will result in a false positive. Rejecting these messages also eliminates the need to quarantine
them for user review. Use the following recommended settings:
• Threshold: 99
• Action: Reject mail
Probably Spam
Messages marked as Probably Spam are almost certainly spam and are unlikely to result in false
positives. These messages can have text inserted into the subject header and be sent to the user's
inbox, where a mailbox rule can place them in a quarantine folder for review. Use the following
recommended settings:
• Threshold: 90
• Action: Modify Subject Header
• Action Data: [SPAM]
ePrism provides a built-in quarantine server that can be used for quarantining messages for end
user review. Otherwise, administrators must create filters in the end user's mailboxes to
quarantine locally.
Maybe Spam
Messages marked as Maybe Spam represent a grey area where a message could be spam, but
may occasionally be legitimate mail such as a newsletter or bulk mailing list. These messages
should be logged by ePrism to record that they were classified as spam even though no action was
taken. Use the following recommended settings:
• Threshold: 70
• Action: Just Log
• Action Data: none
Messages marked as Maybe Spam should be closely monitored, as this provides the
administrator with the opportunity to allow legitimate mail such as newsletters and bulk mailing
lists that may be marked incorrectly as spam. Administrators can view the Email Database to
search for all messages marked as spam so that these messages can be allowed using a Pattern
Based Message Filter.
Anti-Spam Header
Enable the Anti-Spam header for diagnostic and troubleshooting purposes.
This will include special header information in the message to help provide diagnostics to deal
with false positives and false negatives, such as the following:
X-BTI-AntiSpam: Score:99,sta:99/022,dcc:passed,dnsbl:passed,sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,trusted:no,ts:no,ubl:matched/1
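The parser and decision logic below is an added example for this guide, not ePrism code. It parses the X-BTI-AntiSpam header shown above into its components, applies the three thresholds and actions recommended in the Spam Categories section, and lists which components reported something other than off/passed/none/no, which is the first thing to look at when a user reports a false positive. The test message is constructed; compound values such as sta:99/022 and ipr:1/5 are kept as raw strings because this guide does not document what each part means.

```python
"""Parse the X-BTI-AntiSpam header and apply the category actions above.

Added example, not ePrism code. The header value is the one printed in this
guide; the thresholds (99/90/70) and actions are the recommended settings
from the Spam Categories section. The test message is constructed, and
compound values such as sta:99/022 or ipr:1/5 are kept as raw strings
because this guide does not document their exact meaning.
"""
import email
import re
from email import policy

# (category, threshold, action, action data), highest threshold first.
CATEGORIES = [
    ("Certainly Spam", 99, "Reject mail", None),
    ("Probably Spam", 90, "Modify Subject Header", "[SPAM]"),
    ("Maybe Spam", 70, "Just Log", None),
]

# The header value shown in this guide.
SAMPLE_HEADER = ("Score:99,sta:99/022,dcc:passed,dnsbl:passed,sw:off,bsn:95 passed,"
                 "spf:off,dk:off,pbmf:none,ipr:1/5,trusted:no,ts:no,ubl:matched/1")

CLEAN_WORDS = {"passed", "none", "no"}


def parse_antispam_header(value):
    """'key:val,key:val,...' -> dict of raw string values, keys lower-cased."""
    fields = {}
    for item in " ".join(value.split()).split(","):   # unfold folded header lines
        key, _, val = item.strip().partition(":")
        if key:
            fields[key.lower()] = val.strip()
    return fields


def component_status(fields):
    """Per component: 'disabled' (off), 'clean' (passed/none/no) or 'flagged'."""
    status = {}
    for key, val in fields.items():
        if key == "score":
            continue
        words = set(re.split(r"[\s/]+", val.lower()))
        if "off" in words:
            status[key] = "disabled"
        elif words & CLEAN_WORDS:
            status[key] = "clean"
        else:
            status[key] = "flagged"
    return status


def classify(score):
    """Map a 0-100 Intercept score to (category, action, action data)."""
    for name, threshold, action, data in CATEGORIES:
        if score >= threshold:
            return name, action, data
    return "Not Spam", "Deliver", None


def make_message(score):
    """Constructed test message carrying the guide's header with a chosen score."""
    header = SAMPLE_HEADER.replace("Score:99", f"Score:{score}", 1)
    return ("From: sender@example.net\n"
            "To: user@example.com\n"
            "Subject: Special offer\n"
            f"X-BTI-AntiSpam: {header}\n"
            "\n"
            "Body text.\n")


def decide(raw_message):
    """Delivery decision for a message that already carries the Intercept header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    fields = parse_antispam_header(msg.get("X-BTI-AntiSpam", ""))
    score = int(fields.get("score", "0"))
    category, action, data = classify(score)
    subject = msg.get("Subject", "")
    if action == "Modify Subject Header":
        subject = f"{data} {subject}"
    flagged = sorted(k for k, s in component_status(fields).items() if s == "flagged")
    return {"score": score, "category": category, "action": action,
            "subject": subject, "flagged": flagged}


if __name__ == "__main__":
    for s in (99, 92, 75, 12):
        print(decide(make_message(s)))
```

For the sample header the flagged components are sta, ubl and ipr, while dcc, dnsbl and bsn passed and spf, dk and sw are off; when investigating a false positive, that list tells you which component weights to revisit.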
Intercept Decision Strategy
Intercept can utilize one of many different strategies when making a decision about whether a
message is spam or legitimate mail. The option to set the decision strategy is available by
selecting the Advanced button on the main Intercept page. These strategies are discussed in
greater detail in the ePrism User Guide. The following are recommendations based on extensive
St. Bernard testing.
It is recommended that administrators choose the "Heuristic 2" decision strategy. This is a
passive strategy that is effective for most environments providing an excellent spam catch rate
with a very low chance of false positives.
Advanced administrators should proceed with caution when choosing a different strategy
other than "Heuristic 2". Choosing the wrong strategy could result in false positives and a
lower spam capture rate.
In environments where there is no Token Analysis training on outbound legitimate mail (such as
some evaluation scenarios), "Heuristic 2" may result in an increase in false positives. In this case,
administrators should use the "Heuristic 1" strategy, which is identical to "Heuristic 2" except that
Token Analysis is de-emphasized and additional Anti-Spam features must be triggered for a
message to be considered "Probably Spam" or "Certainly Spam".
Component Weights
Administrators can customize the Intercept engine by configuring the weights for each Intercept
component that will help determine the final spam score for a message. These values represent
the scores that will be used if that component is triggered.
Valid weights for each component are from 0 to 100. Set the weight to "0" if you want that feature
to have no bearing on the final spam score of a message. Set this value to "100" if you want this
component to have a strong weight on the final spam score of a message.
The default values are recommended, with one exception: St. Bernard recommends that the Spam
Dictionaries weight be decreased to 60. The Token Analysis weight should also be decreased if it
is causing an increased number of false positives.
Managing Your Intercept Solution
After the Intercept Anti-Spam engine is initially configured, it is important that the solution is
monitored and managed to ensure optimum spam capture rates and minimal false positives.
Set up Trust Relationships
For proper spam detection, ePrism requires that a Trust relationship be set up for each mail
server in the organization. Trusted mail is any mail from a private, trusted mail source and is not
checked for spam. Untrusted mail is any mail from an unknown source and is always checked for
spam.
Create a Specific Access Pattern (via Mail Delivery → Anti-Spam → Intercept → Specific
Access Patterns on the menu) that trusts the IP address of each of the organization's mail
servers. In this guide's example the trusted mail server is 172.16.43.25.
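The check below is an added example for this guide, not ePrism code. It models the trust decision described above, mail from a trusted address or block bypasses Intercept and everything else is scanned, and adds the sanity audit a practitioner wants before committing a trust list: an over-broad block or a public range in the trusted list silently switches off anti-spam checking for everything behind it. The entry lists are constructed around the guide's 172.16.43.25 example; the audit thresholds are this example's own, not something the appliance is documented to perform.

```python
"""Trusted-source check and sanity audit for Specific Access Pattern trust entries.

Added example, not ePrism code. It models the decision described above: mail
from a trusted address or block bypasses Intercept, everything else is
scanned. The entry lists are constructed around the guide's example server
172.16.43.25; the broad-prefix and public-range warnings are this example's
own checks, not something the appliance is documented to perform.
"""
import ipaddress

# Constructed trust list: the guide's example server plus one internal block.
TRUST_ENTRIES = ["172.16.43.25", "10.20.0.0/24"]
# The same list with two entries an audit should catch: a public block and "everything".
CARELESS_ENTRIES = TRUST_ENTRIES + ["1.2.3.0/24", "0.0.0.0/0"]


def build_trust_list(entries):
    """Parse single addresses and CIDR blocks; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(peer_ip, networks):
    """True when the SMTP peer address falls inside any trusted network.

    Check the connecting IP, not an address taken from Received: headers,
    which the sender controls.
    """
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def route(peer_ip, networks):
    """What happens to a message from peer_ip: bypass Intercept or scan it."""
    if is_trusted(peer_ip, networks):
        return "trusted: not checked for spam"
    return "untrusted: checked by Intercept"


def audit_trust_list(networks, max_addresses=65536):
    """Flag entries that would quietly exempt far more than your own servers."""
    warnings = []
    for net in networks:
        if net.num_addresses > max_addresses:
            warnings.append(f"{net}: {net.num_addresses} addresses, far too broad to trust")
        elif not net.is_private:
            warnings.append(f"{net}: public range, trust it only if it really is your relay")
    return warnings


if __name__ == "__main__":
    nets = build_trust_list(TRUST_ENTRIES)
    for ip in ("172.16.43.25", "172.16.43.26", "10.20.0.77"):
        print(ip, "->", route(ip, nets))
    for w in audit_trust_list(build_trust_list(CARELESS_ENTRIES)):
        print("WARNING", w)
```

Keep the trusted list to the organization's own mail servers: a trusted host that is compromised or running an open relay delivers its spam unscanned, so the narrower the pattern the smaller that exposure.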
User Feedback
Use the following suggested feedback mechanisms and the diagnostics tools included with
ePrism to maximize the spam capture rate and minimize false positives. Do not be overzealous in
the attempt to fight spam. Use the suggested default configuration for the Intercept engine, then
adjust the filters accordingly as feedback is received.
• Report false positives – The administrator should create a feedback account (such as
"[email protected]") to which end users forward messages incorrectly marked as
spam (false positives). This allows the administrator to determine why a message was
marked incorrectly and allow the sender or adjust the filters as required. Use Pattern
Based Message Filters to allow newsletters and bulk mailing lists to ensure they are not
flagged as spam by Intercept.
• Report missed spam – The administrator should create a feedback email address (such
as "[email protected]") to which end users forward spam messages that were missed
and not marked by the Intercept engine. This allows the administrator to determine why
the message was missed and block the sender or adjust the filters as required.