Chapter 10 - Using mailhost filtering

 

Applies to: Microsoft Antigen

Mailhost filtering is available for use with the SMTP Scan Job. It is designed to prevent mail from specific IP addresses from entering your messaging environment. There are three components of mailhost filtering: Allowed Mailhosts, Rejected Mailhosts, and RBL Servers. All three are configured by clicking Mailhost in the FILTERING area of the Shuttle Navigator.

To validate domain names or IP addresses, Antigen for SMTP Gateways performs a reverse DNS lookup to compare against entries in the Allowed Mailhosts or Rejected Mailhosts lists. If you prefer to have Antigen for SMTP Gateways use the domain name found in the MIME Received header field of the message, you can disable reverse DNS lookups by changing the General Options setting Perform Reverse DNS Lookups.

The following table describes the options for this setting.

| Setting | Description |
| --- | --- |
| Enable All | Use DNS lookup for mailhost and RBL filtering and outbound mail determination. |
| Disable All | Do not use DNS lookups. |
| Only for Mailhost Filtering | Use DNS lookups only for mailhost filtering. |
| Only for Outbound Determination | Use DNS lookups to determine if a message is outbound. |

For more information about changing this setting, see "General Options" in Chapter 4 - Antigen Administrator.

About mailhosts scanning priority

Mailhost filtering scans in the following order. RBL filtering is done first. If there is a match, the Allowed Mailhosts list is checked. If there is no match, the Rejected Mailhosts list is checked.

Using RBL servers

Real-time block list (RBL) servers are third-party servers that maintain lists of known spammers or servers that maintain open relays. When enabled, Antigen for SMTP Gateways uses these servers to perform reverse DNS lookups on the domain names of the mail servers sending mail to your environment. Domain names that appear on these lists are identified as spam.

To enable this function, you must identify the RBL server you want Antigen for SMTP Gateways to use for this function. No specific list is recommended, so you need to investigate what is available. Some lists are provided free and others are provided for a fee. Each RBL server Web site should provide instructions for using their list and the proper address to use.

Note

Some RBL services are far more aggressive than others. This can result in too many false positive detections for your organization. Make sure that you test a service before activating it in your network. This is easily done by using the Skip: detect only setting, which logs spam detections without blocking the e-mail messages.
Each RBL you use adversely affects system performance. It is recommended that you start with one RBL and increase RBLs only if needed. It is not recommended that more than three RBLs be used.
If you enable multiple RBL lists, Antigen for SMTP Gateways checks the first server on the list. If it finds a match and the action is set to Purge: eliminate message, Antigen for SMTP Gateways stops searching and sends a notification if enabled. If the action is set to Skip: detect only, Antigen for SMTP Gateways sends a notification if enabled and continues to the next RBL server. Keep this in mind when enabling multiple RBL servers for use by Antigen for SMTP Gateways.
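
The multi-server behavior in the note above, modelled as an added example (not Antigen code): the server names, the sample IP address and the injected lookup are constructed, and the query-name format is the standard DNSBL convention, assumed rather than confirmed for this product. Only the Purge and Skip actions that the note describes are covered.

```python
import ipaddress

PURGE, SKIP = "Purge: eliminate message", "Skip: detect only"

def dnsbl_query_name(ip, zone):
    """Standard DNSBL query name (RFC 5782): reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def evaluate_rbls(ip, rbl_servers, is_listed):
    """Walk the RBL servers in configured order, as the note describes.

    rbl_servers: ordered (zone, action) pairs; is_listed: callable that takes a
    query name and returns True on a match. A live check would be a DNS A-record
    lookup; it is injected here so the example runs offline.
    Returns (purged, notifications, servers_queried), notifications enabled.
    """
    notifications, queried = [], []
    for zone, action in rbl_servers:
        if action not in (PURGE, SKIP):
            raise ValueError("only Purge and Skip are modelled: %r" % action)
        queried.append(zone)
        if not is_listed(dnsbl_query_name(ip, zone)):
            continue
        notifications.append("MAILHOST=%s:%s" % (zone, ip))
        if action == PURGE:
            return True, notifications, queried  # match + Purge: stop searching
    return False, notifications, queried

# Constructed data: 192.0.2.25 is listed on two hypothetical RBL zones.
LISTED = {"25.2.0.192.rbl-a.example", "25.2.0.192.rbl-b.example"}

def compare_orderings(ip="192.0.2.25"):
    """Same two servers, two orderings; returns the servers queried in each."""
    purge_first = evaluate_rbls(
        ip, [("rbl-a.example", PURGE), ("rbl-b.example", SKIP)], LISTED.__contains__)
    skip_first = evaluate_rbls(
        ip, [("rbl-b.example", SKIP), ("rbl-a.example", PURGE)], LISTED.__contains__)
    return purge_first[2], skip_first[2]

if __name__ == "__main__":
    print(compare_orderings())
```

With the Purge server listed first, the detect-only server is never consulted for a message the first server matches, so detection counts gathered for a server under trial depend on its position in the list.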

To configure an RBL service

  1. In the Antigen Administrator, click FILTERING in the left navigation shuttle, and then click the Mailhost icon. The Mailhost Filtering work pane appears.

  2. Select a scan job in the upper work pane (for example, the SMTP Scan Job).

  3. In the Mailhosts Lists work pane, select RBL Servers, and then click the Add button. The RBL Servers work pane appears.

  4. In the RBL Servers work pane, type the domain name or IP address of the RBL server.

  5. Set the Filter to Enabled.

  6. Choose the Action. (For more information, see Action.) When first testing a new RBL service, it is recommended that you use the Skip: detect only setting. When you are satisfied that the service meets your needs, you can switch to the Purge or Identify setting, as desired.

  7. Enable or disable notifications and quarantine files that are detected by this filter.

  8. Click Save.

Using Allowed Mailhosts lists

Allowed Mailhosts lists provide a way to ensure that mail from safe mailhosts is not filtered by Antigen for SMTP Gateways RBL filtering.

To create an Allowed Mailhosts list

  1. Open the Filter Lists view using the Shuttle Navigator.

  2. Select Allowed Mailhosts in the List Types field on the top of the work pane.

  3. Click the Add button in the List Names work pane, type a name for the new list in the text box provided, press ENTER, and click Save to save the list.

  4. Click the Edit button. The Edit Filter List dialog box is displayed so that you can edit the list.

  5. Click the Add button to add each domain name or IP address you want Antigen for SMTP Gateways to allow. You can enter the domain name or IP address. You must use an asterisk (*) before each domain name. The asterisk allows other characters to precede the string. Press ENTER after you enter each domain name or IP address.

    The Exclude from Filter field is used to enter domain names or IP addresses that should never be included on the Allowed Mailhosts list. This prevents these names from accidentally being added when importing a list from a text file. (Importing lists is discussed in Importing new items into a filter list.)

  6. Click OK, and then click Save.

After you have created your Allowed Mailhosts list, configure the General Options setting Maximum Allowed Mailhosts Lookup and enable the list.

To enable an Allowed Mailhosts list

  1. In the General Options work pane, enter the appropriate number in the Maximum Allowed Mailhosts Lookup box for your organization’s messaging topology. This number should reflect the number of relay servers with public IP addresses within your organization plus one. This ensures that the last external IP address is checked against your Allowed Mailhosts list. For example, if your organization has two public IP addresses that an e-mail message can pass through, the Maximum Allowed Mailhosts Lookup setting should be set to 3. The internal public IP addresses may be relay servers that are located inside the perimeter network.

  2. Optionally, if you want to skip content filtering as well as RBL filtering, select Skip Content Filtering for Allowed Mailhosts in the General Options work pane.

  3. Click Save to save your changes.

  4. Open the Mailhost Filtering work pane by clicking the Mailhost icon in the FILTERING section of the Shuttle Navigator.

  5. Click Allowed Mailhosts in the Mailhost List box.

  6. Select the Allowed Mailhosts list you want to enable.

  7. Select Enabled in the Filter drop-down box. Each Allowed Mailhosts list must be enabled individually.

  8. Click Save.

    Note

    Entries in the Allowed Mailhosts list will not override entries in the Rejected Mailhosts list.

Using Rejected Mailhosts lists

Rejected Mailhosts lists provide a way to exclude mail from mailhosts that you do not want entering your environment.

To create a Rejected Mailhosts list

  1. Open the Filter Lists view using the Shuttle Navigator.

  2. Select Rejected Mailhosts in the List Types field on the top of the work pane.

  3. Click the Add button in the List Names work pane, type a name for the new list in the text box provided, press ENTER, and click Save to save the list.

  4. Click the Edit button. The Edit Filter List dialog box is displayed so that you can edit the list.

  5. Click the Add button to add each domain name or IP address you want Antigen for SMTP Gateways to reject. You can enter the domain name or IP address. You should place an asterisk (*) before each domain name. The asterisk allows other characters to precede the string. Press ENTER after you enter each domain name or IP address.

    The Exclude from Filter field is used to enter domain names or IP addresses that should never be included on the rejected list. This prevents these names from accidentally being added when importing a list from a text file. (Importing lists is discussed in Importing new items into a filter list.)

  6. Click OK, and then click Save.

After you have created a Rejected Mailhosts list, you must enable and configure it.

To enable and configure a Rejected Mailhosts list

  1. Open the Mailhost Filtering work pane by clicking the Mailhost icon in the FILTERING section of the Shuttle Navigator.

  2. Click Rejected Mailhosts in the Mailhost List box.

  3. Select the Rejected Mailhosts list you want to enable.

  4. Select Enabled in the Filter drop-down box. Each Rejected Mailhosts list must be enabled individually.

  5. Set the Action. (For more information, see Action.)

  6. Enable or disable notifications and quarantine files that are detected by this filter.

  7. Click Save.

Action

Antigen for SMTP Gateways can perform the following actions when performing RBL filtering and using Rejected Mailhosts lists.

| Action | Description |
| --- | --- |
| Skip: Detect Only | Records the number of messages that meet the filter criteria, but allows messages to route normally. |
| Purge: Eliminate Message | Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue. |
| Identify: Tag message | The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by pressing the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with the particular scan job. |

Importing new items into a filter list

Filter lists can be created offline in Notepad or a similar text editor, and then imported into the appropriate filter list using the Antigen Administrator.

To create and import entries into a filter list

  1. Create a list and save it as a text file. Place each filter on its own line in the file.

  2. Open the Antigen Administrator and click Filter Lists on the FILTERING area of the Shuttle Navigator.

  3. Select the filter list into which you will be importing data.

  4. Click the Edit button. The Edit Filter List dialog box appears.

  5. Click the Import button. A File Explorer window opens so that you can navigate to the text file you created in step 1.

  6. Select the file and click Open.

  7. The file is imported into the middle pane of the Import List editor so that you can select the entries to include in your filter list. Use the <=== button to move all the items into the Include In Filter section or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.

  8. When you have moved all the desired items, click OK.

  9. Click Save.
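
A pre-import check for an Allowed Mailhosts text file, added here as an example and not part of the product: it assumes the leading asterisk behaves like a glob wildcard, as the list-editing steps describe, and every name in the sample data is a placeholder. The conflict check compares each allowed entry's literal text against the rejected patterns, because allowed entries do not override rejected ones.

```python
import fnmatch
import ipaddress

def is_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def lint_allowed_import(text, rejected_patterns=()):
    """Lint an Allowed Mailhosts import file (one entry per line).

    Returns (entries, findings); each finding is (line_no, entry, issue).
    """
    entries, findings, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip().lower()
        if not entry:
            continue                      # blank lines carry no filter
        if entry in seen:
            findings.append((line_no, entry, "duplicate entry"))
            continue
        seen.add(entry)
        entries.append(entry)
        if not is_ip(entry):
            if not entry.startswith("*"):
                findings.append((line_no, entry, "domain lacks leading *"))
            elif "." not in entry.lstrip("*."):
                findings.append((line_no, entry, "pattern covers a whole top-level label"))
        # An allowed host that a rejected pattern also matches is still rejected.
        literal = entry.lstrip("*")
        for pattern in rejected_patterns:
            if fnmatch.fnmatchcase(literal, pattern.lower()):
                findings.append((line_no, entry, "also matched by rejected pattern " + pattern))
    return entries, findings

# Constructed sample import file and rejected list (all names are placeholders).
SAMPLE_FILE = """*mail.partner.example
relay.vendor.example
*.example
192.0.2.10
*mail.partner.example
*smtp.bulk.example
"""
SAMPLE_REJECTED = ["*bulk.example", "192.0.2.10"]
```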

About mailhost filtering notifications

All mailhost filtering uses the Spam/RBL Administrator notification. The %filter% field in the notification is in one of the following formats:

  • MAILHOST=<rbl-server>:<ip-addr>
  • MAILHOST=<rejected-mailhost-list-name>:<ip-addr>
  • MAILHOST=<rejected-mailhost-list-name>:<domain>:<ip-addr>
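
A parser for these three formats, as an added example that is not part of the product: IPv4 addresses and colon-free list names are assumed, and the caller passes the configured RBL server names because the first two formats cannot otherwise be told apart. The sample values are constructed.

```python
import ipaddress
from collections import Counter

PREFIX = "MAILHOST="

def parse_mailhost_filter(value, rbl_servers=()):
    """Parse one %filter% value into a dict; raise ValueError if malformed.

    The RBL form and the two-field rejected-list form look identical, so the
    caller supplies the configured RBL server names to tell them apart.
    """
    if not value.startswith(PREFIX):
        raise ValueError("missing MAILHOST= prefix: %r" % value)
    parts = value[len(PREFIX):].split(":")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("expected 2 or 3 non-empty fields: %r" % value)
    ip = str(ipaddress.IPv4Address(parts[-1]))  # ValueError if not IPv4
    source = parts[0]
    if len(parts) == 3:
        return {"kind": "rejected-list", "source": source, "domain": parts[1], "ip": ip}
    known_rbls = {name.lower() for name in rbl_servers}
    kind = "rbl" if source.lower() in known_rbls else "rejected-list"
    return {"kind": kind, "source": source, "domain": None, "ip": ip}

def tally_by_source(values, rbl_servers=()):
    """Count notifications per (kind, source); malformed values are counted too."""
    counts = Counter()
    for value in values:
        try:
            record = parse_mailhost_filter(value, rbl_servers)
            counts[(record["kind"], record["source"])] += 1
        except ValueError:
            counts[("unparsed", "")] += 1
    return counts

# Constructed sample values; server, list and host names are placeholders.
SAMPLE = [
    "MAILHOST=rbl-a.example:192.0.2.25",
    "MAILHOST=Blocked Senders:198.51.100.7",
    "MAILHOST=Blocked Senders:mail.bulk.example:203.0.113.9",
    "MAILHOST=rbl-a.example:not-an-ip",
]
```

Tallying detections per source this way gives a per-server hit count to review while an RBL is running under Skip: detect only.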
