The antispam module can be enabled by determining the analyses to be enabled. Two options are available on the firewall:
|Enable reputation-based analysis (DNS blacklists - RBL)||
This option allows validating the sender by comparing against a public list of known spam senders (DNSBL).
|Activate heuristic analysis||
This option allows examining the contents of the e-mail to determine its impact.
The trusted server concerns the SMTP server. By filling in this field, which is optional, e-mails will be analyzed more thoroughly by the Antispam module.
|SMTP server domain name (FQDN)||
This optional field allows defining a “trusted” domain.
Mail relayed by a server belonging to the domain indicated will therefore be exempt from the domain scan. This value may be defined for mail relayed by internal servers, for example.
SMTP allows mail relay servers to fill in a field indicating their identity. If mail passes through a server belonging to the trusted domain, the earlier servers will be considered legitimate and the scan will only apply to the following servers.
There are 4 possible actions that will allow the SMTP proxy to respond to the remote SMTP server by indicating that the message has been rejected as it is spam.
For example, if you set a limit of 100 for the heuristic analysis, e-mails with a score higher than 100 will be considered spam. From 100 to 200, the level of trust will be low, from 200 to 300 it will be moderate and above 300, it will be high. If you have indicated a moderate level of trust for this option, all e-mails of moderate and high level (above 200) will be rejected whereas those from 100 to 200 will be kept.
When several methods of analysis are used simultaneously, the highest score will be assigned.
The Antispam module on Stormshield Network UTM appliances does not delete messages that are identified as spam. However, it modifies messages detected as spam in such a way that the webmail client can process it in the future, for example. There are two ways of tagging messages:
|Insert X-Spam headers||
When this option is selected, the Antispam module will add a header summarizing the result of its analysis to messages identified as spam. The webmail client can then use this antispam header, in “spam assassin” format, to perform the necessary actions on the tagged message.
The DNS blacklist analysis or RBL (Real-time Blackhole List) enables identifying the message as spam through RBL servers. The following menus allow configuring the list of RBL servers which will be used for this analysis as well as the level of trust assigned to each of the servers.
List of DNS blacklist severs (RBL)
A table displays the list of RBL servers which the Firewall queries to check that an e-mail is not spam. This list is updated by Active Update and cannot be modified, but certain servers can be disabled by clicking on the checkbox at the start of each line (in the Enabled column).
The levels indicated in the columns of the table refer to the levels of trust assigned to the server.
You can also configure the RBL servers to which you would like your Firewall to connect. To add a server, click on Add. A new line will appear. Up to 50 RBL servers can be defined.
Specify a name for this server (a unique name for the RBL server list), a DNS target (Field: Domain name only, which should be a valid domain name), a level of trust (Low, Medium and High) and comments (optional). Click on Apply.
To delete a configured server, select it in the list and click on Delete.
RBL servers in Stormshield Network’s native configuration are differentiated from customized servers by a padlock symbol (), which indicates RBL servers in Stormshield Network’s native configuration.
Reminder: Active Update only updates the list of these servers.
Some operations listed in the taskbar can be performed by right-clicking on the table of blacklisted servers:
The heuristic analysis is based on VadeRetro's antispam engine. Using a set of calculations, this antispam will derive a message’s degree of legitimacy.
The antispam module will calculate and assign a score that defines a message’s “unwantedness”. E-mails that obtain a value exceeding or equal to the threshold set will be considered Advertisement or Spam.
The heuristic analysis will then suggest adding a prefix to the subject of these e-mails, making it possible, for example, to isolate them in a dedicated folder in the Mail Client.
In order to detect advertising e-mails, enable the option Detect advertising e-mails.
|Add advertisement tag to mail subjects (prefix)||
The subjects of e-mails that have been identified as advertisements will be preceded by a string of defined characters. This string is (ADS *) by default, where * represents the assigned level of trust. This score ranges from 1 to 3, a higher number meaning the higher the possibility of the e-mail being an advertisement. Regardless of the character string used, it is necessary to provide for the insertion of the level of trust in this string by using “*”. This “*” will thereafter be replaced by the score. The maximum length of the prefix can be 128 characters. E-mails identified as advertisements will be transmitted without being deleted.
Double quote characters are not allowed.
|Add spam tag to subject fields (prefix)||
The subject of messages identified as spam will be preceded by a string of defined characters. This string is (ADS *) by default, where * represents the assigned level of trust. This score ranges from 1 to 3, a higher number meaning the higher the possibility of the e-mail being spam. Regardless of the character string used, it is necessary to provide for the insertion of the level of trust in this string by using “*”. This “*” will thereafter be replaced by the score. The maximum length of the prefix can be 128 characters. E-mails identified as spam will be transmitted without being deleted.
Double quote characters are not allowed.
|Minimum score for spam definition [1-5000] :||
The heuristic analysis performed by the Antispam module calculates a value that defines a message’s “unwantedness”. E-mails that obtain a value exceeding or equal to the threshold set will be considered spam. Stormshield Network’s default value is 200. This section enables the definition of a threshold to apply.
By modifying the score, the minimum value of the 3 trust thresholds will be modified.
Furthermore, the higher the calculated value, the higher will be the level of trust that the antispam module assigns to the analysis. Thresholds for the levels of trust cannot be configured in the web administration interface.