Chapter 14 - Using mailhost filtering


Applies to: Microsoft Antigen

Mailhost filtering is available for use with the SMTP Scan Job. It is designed to prevent mail from specific IP addresses from entering your Exchange environment. There are three components of mailhost filtering: Allowed Mailhosts, Rejected Mailhosts, and Real-Time Block List (RBL) Servers. All three are configured by clicking Mailhost in the FILTERING area of the Shuttle Navigator.

To validate domain names or IP addresses, Antigen performs a reverse DNS lookup to compare against entries in the Allowed Mailhosts or Rejected Mailhosts lists. If you prefer to have Antigen use the domain name found in the MIME Received header field of the message, you can disable reverse DNS lookups by changing the General Options setting Perform Reverse DNS Lookups.

The following table describes the options for this setting:

Setting                          Description
Enable All                       Use DNS lookups for mailhost and RBL filtering and for outbound mail determination.
Disable All                      Do not use DNS lookups.
Only for Mailhost Filtering      Use DNS lookups only for mailhost filtering.
Only for Outbound Determination  Use DNS lookups only to determine whether a message is outbound.

For more information on changing this setting, see “General Options” in Chapter 4 - Using the Antigen Administrator.

About mailhosts scanning priority

Mailhost filtering is applied in a fixed order: RBL filtering is performed first. If an RBL reports a match, the Allowed Mailhosts list is checked. If there is no RBL match, the Rejected Mailhosts list is checked.

Using RBL servers

RBL servers are third-party servers that maintain lists of known spammers or servers that maintain open relays. When these servers are enabled, Antigen uses them to perform reverse DNS lookups on the domain names of the mail servers sending mail to your environment. Domain names that appear on these lists are identified as spam.

To enable this function, you must identify the RBL server that you would like Antigen to query. No specific list is recommended, so you need to investigate what is available. Some lists are provided for free; others are provided for a fee. Each RBL server Web site should provide instructions for using its list and the proper address to use.

Note

Some RBL services are much more aggressive than others. This can result in too many false positive detections for your organization. Make sure that you test a service before activating it in your network. This is easily done by using the Skip: detect only setting, which logs spam detections without blocking the e-mails.

Each additional RBL you use will cause increasingly adverse effects on system performance. It is recommended that you start with one RBL and increase the number of RBLs only if needed. Using more than three RBLs is not recommended.

If you enable multiple RBL lists, Antigen checks the first server on the list. If it finds a match and the action is set to Purge: eliminate message, Antigen stops searching and sends a notification (if notifications are enabled). If the action is set to Skip: detect only, Antigen sends a notification (once again, if enabled) and continues to the next RBL server. Keep this in mind when enabling multiple RBL servers for use by Antigen.

To configure an RBL service

  1. In the Antigen Administrator, click FILTERING in the left navigation shuttle, and then click the Mailhost icon. The Mailhost Filtering work pane appears.

  2. Select a scan job in the upper work pane (for example, the SMTP Scan Job).

  3. In the Mailhosts Lists work pane, select RBL Servers, and then click the Add button. The RBL Servers work pane appears.

  4. In the RBL Servers work pane, type the domain name or IP address of the RBL Server.

  5. Set the Filter to Enabled.

  6. Choose the Action. When first testing a new RBL service, it is recommended that you use the Skip: detect only setting. When you are satisfied that the service meets your needs, you can switch to the Purge or Identify setting, as desired.

  7. Enable or disable notifications and quarantine files that are detected by this filter.

  8. Click Save.

Using allowed mailhosts lists

Allowed mailhosts lists provide a way to ensure that mail from safe mailhosts is not filtered by Antigen RBL filtering.

To create an allowed mailhosts list

  1. Open the Filter Lists view using the Shuttle Navigator.

  2. Select Allowed Mailhosts in the List Types field at the top of the work pane.

  3. Click the Add button in the List Names work pane, type a name for the new list in the text box provided, press ENTER, and then click Save.

  4. Click the Edit button. The Edit Filter List dialog box will appear so that you can edit the list.

  5. Click the Add button to add each domain name or IP address that you would like Antigen to allow. You should place an asterisk (*) before each domain name; the asterisk allows other characters to precede the string. Press ENTER after you enter each domain name or IP address.

    The Exclude from Filter field is used to enter domain names or IP addresses that should never be included on the allowed list. This will prevent these names from being added accidentally when importing a list from a text file. (Importing lists is discussed in Importing new items into a filter list.)

  6. Click OK, and then click Save.

After you have created your Allowed Mailhosts list, configure the Maximum Allowed Mailhosts Lookup General Option, and then enable the list.

To configure and enable an allowed mailhosts list

  1. In the General Options work pane, enter the appropriate number in the Maximum Allowed Mailhosts Lookup field for your organization’s messaging topology. This number should reflect the number of relay servers with public IP addresses within your organization, plus one. This ensures that the last external IP address will be checked against your Allowed Mailhosts list. For example, if your organization has two public IP addresses that an e-mail can pass through, then the Maximum Allowed Mailhosts Lookups setting should be set to 3. These public IP addresses can belong to relay servers that are located inside the perimeter network.

  2. Optionally, if you want to skip content filtering as well as RBL filtering, select Skip Content Filtering for Allowed Mailhosts in the General Options work pane.

  3. Click Save.

  4. Open the Mailhost Filtering work pane by clicking the Mailhost icon in the FILTERING section of the Shuttle Navigator.

  5. Click Allowed Mailhosts in the Mailhost List box.

  6. Select the Allowed Mailhosts list that you want to enable.

  7. Select Enabled in the Filter drop down box. Each Allowed Mailhosts list must be enabled individually.

  8. Click Save.

    Note

    Entries in the Allowed Mailhosts list will not override entries in the Rejected Mailhosts list.

Using rejected mailhosts lists

Rejected mailhosts lists provide a way to exclude mail from mailhosts that you do not want entering your environment.

To create a rejected mailhosts list

  1. Open the Filter Lists view using the Shuttle Navigator.

  2. Select Rejected Mailhosts in the List Types field at the top of the work pane.

  3. Click the Add button in the List Names work pane, type a name for the new list in the text box provided, press ENTER, and then click Save.

  4. Click the Edit button. The Edit Filter dialog box will appear so that you can edit the list.

  5. Click the Add button to add each domain name or IP address you would like Antigen to reject. You should place an asterisk (*) in front of each domain name; the asterisk allows other characters to precede the string. Press ENTER after you enter each domain name or IP address.

    The Exclude from Filter field is used to enter domain names or IP addresses that should never be included on the rejected list. This will prevent these names from accidentally being added when importing a list from a text file. (Importing lists is discussed in Importing new items into a filter list.)

  6. Click OK, and then click Save.

After you have created a Rejected Mailhosts list, you must enable and configure it.

To enable and configure a rejected mailhosts list

  1. Open the Mailhost Filtering work pane by clicking the Mailhost icon in the FILTERING section of the Shuttle Navigator.

  2. Click Rejected Mailhosts in the Mailhost List box.

  3. Select the Rejected Mailhosts list that you want to enable.

  4. Select Enabled in the Filter drop down box. Each Rejected Mailhosts list must be enabled individually.

  5. Set the Action (for more information, see Action).

  6. Enable or disable notifications and quarantine files that are detected by this filter.

  7. Click Save.

Action

Antigen can perform the following actions when performing RBL filtering and using rejected mailhosts lists. Each action is listed with its description.

Skip: Detect Only

Records the number of messages that meet the filter criteria, but allows messages to route in the usual way.

Purge: Eliminate Message

Deletes the message from your mail system. When you select this option, a warning will appear informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue. Note: In ESE or VSAPI 2.0 mode, the Realtime scanner can purge only outbound messages, but the Internet Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime scanner is available when running VSAPI 2.5.

Identify: Tag message

The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by pressing the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, will be used for all filters associated with the particular scan job.

When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 server, the Tag Message action also enables you to set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

Importing new items into a filter list

Filter lists can be created offline in Notepad or in a similar text editor, and then imported into the appropriate filter list using the Antigen Administrator.

To create and import entries into a filter list

  1. Create a list and save it as a text file. Place each filter on its own line in the file.

  2. Open the Antigen Administrator, and then click Filter Lists in the FILTERING area of the Shuttle Navigator.

  3. Select the filter list into which you will be importing data.

  4. Click the Edit button. The Edit Filter List dialog box appears.

  5. Click the Import button. A File Explorer window opens so that you can navigate to the text file you created in step 1.

  6. Select the file, and then click Open.

  7. The file will be imported into the middle pane of the Import List editor to enable you to select the entries that you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section, or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.

  8. When you have moved all the desired items, click OK.

  9. Click Save.

About mailhost filtering notifications

All mailhost filtering uses the Spam/RBL Administrator notification. The %filter% field in the notification will be in one of the following formats:

MAILHOST=<rbl-server>:<ip-addr>

MAILHOST=<rejected-mailhost-list-name>:<ip-addr>

MAILHOST=<rejected-mailhost-list-name>:<domain>:<ip-addr>
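The scanning priority, the Maximum Allowed Mailhosts Lookup arithmetic and the notification formats above, modelled in Python as an added example that is not Antigen's own code. The RBL server names, relay hostnames, IP addresses, the multi-RBL Skip/Purge handling and the rule for when the three-part MAILHOST format is used are assumptions drawn from the text, not verified product behaviour.

```python
"""Offline model of the mailhost filtering order this chapter describes.
Added illustration, not Antigen's code; RBL and reverse DNS answers come
from constructed tables so it runs without network access."""
import fnmatch
import re

# Constructed stand-ins for DNS answers (assumption, not real services).
RBL_HITS = {"rbl-a.example": {"203.0.113.7"}, "rbl-b.example": {"203.0.113.7"}}
REVERSE_DNS = {"203.0.113.7": "mx1.sender.example", "198.51.100.9": "relay2.corp.example"}
RECEIVED = [  # constructed headers, newest hop first
    "from relay2.corp.example [198.51.100.9] by exch.corp.example",
    "from relay1.corp.example [198.51.100.8] by relay2.corp.example",
    "from mx1.sender.example [203.0.113.7] by relay1.corp.example",
]

def connecting_ip(received, max_lookups):
    """Last external hop: with max_lookups = own public relays + 1, the
    header at that depth is the first one written outside the organisation."""
    ips = [re.search(r"\[(\d+(?:\.\d+){3})\]", h).group(1) for h in received]
    return ips[max_lookups - 1]

def match_entry(entries, ip, domain):
    """Entries are IPs or '*'-prefixed domain patterns; returns (entry, by_domain)."""
    for e in entries:
        if fnmatch.fnmatch(ip, e):
            return e, False
        if domain and fnmatch.fnmatch(domain.lower(), e.lower()):
            return e, True
    return None

def filter_mailhost(ip, rbls, allowed, rejected):
    """rbls: [(server, action)] in configured order; rejected: {name: (entries, action)}.
    Returns (verdict, %filter% text of the deciding hit, all detections)."""
    domain, detections = REVERSE_DNS.get(ip, ""), []
    for server, action in rbls:                      # RBL servers are checked first
        if ip not in RBL_HITS.get(server, set()):
            continue
        if match_entry(allowed, ip, domain):          # on a hit, Allowed list is consulted
            break
        detections.append(f"MAILHOST={server}:{ip}")
        if action == "Purge":                         # Purge stops the search
            return "purge", detections[-1], detections
        # Skip: detect only -> notification only, continue to the next RBL
    for name, (entries, action) in rejected.items():  # Allowed never overrides Rejected
        hit = match_entry(entries, ip, domain)
        if hit:   # assumed: domain form of the tag when matched by domain name
            tag = f"MAILHOST={name}:{domain}:{ip}" if hit[1] else f"MAILHOST={name}:{ip}"
            detections.append(tag)
            return action.lower(), tag, detections
    return "deliver", None, detections
```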
