Content Control
Content scanning phrase length for credit card pattern filters
The Content Scanning feature has a default phrase length of 3, meaning that the system scans at most 3 words of a dictionary phrase. When enabling Credit Card pattern filters, the phrase length must be increased to 4 to ensure the credit card filters are scanned properly.
To modify the content scanning phrase length:
1. Select Security > Content Control > Content Scanning.
2. Select the Enable check box.
3. Enter “4” for the Phrase length.
4. Click Apply.
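As an added illustration (not from the WatchGuard guide), the Python below models why a phrase length of 3 misses a card number written as four 4-digit groups while a phrase length of 4 catches it; the scanner model, the helper names and the sample message are assumptions, not the appliance's implementation.

```python
import re

# Constructed sample: a dictionary phrase for a card number written as four
# 4-digit groups, the form the credit card pattern filters look for. The number
# below is a well-known test number, not a real account.
CARD_PHRASE = "4111 1111 1111 1111"
SAMPLE_MESSAGE = (
    "Hi, please charge my card 4111 1111 1111 1111, expiry 12/29. Thanks!"
)


def words(text):
    """Split text into lowercase word tokens the way a phrase scanner would."""
    return re.findall(r"[a-z0-9]+", text.lower())


def scan_phrase(message, phrase, phrase_length):
    """Simplified model (an assumption, not the XCS implementation): a
    dictionary phrase is only considered if it is at most `phrase_length`
    words long, then matched as a contiguous window of words in the message."""
    needle = words(phrase)
    if len(needle) > phrase_length:
        return False  # phrase is longer than the scanner is allowed to look at
    hay = words(message)
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def phrase_length_needed(phrases):
    """Smallest phrase length that lets every phrase in a dictionary match."""
    return max(len(words(p)) for p in phrases)


if __name__ == "__main__":
    for n in (3, 4):
        hit = scan_phrase(SAMPLE_MESSAGE, CARD_PHRASE, n)
        print(f"phrase length {n}: card number matched = {hit}")
```

With the default length of 3 the card number is silently missed; raising it to 4, as the procedure above requires, makes the same message match.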
Configuring pattern filters
To configure pattern filters:
1. Select Security > Content Control > Pattern Filters.
2. Click the Edit View button to see an editable list of the pattern filters.
3. Select the Enable PBMF check box to enable the Pattern Filter feature globally.
Each pattern filter can be individually enabled or disabled.
4. Click Add.
5. Select the Enabled check box to enable this pattern filter.
6. Enter a descriptive Name and Comment for the Pattern Filter to be more easily identified in the list of pattern filters and reports.
The name and comment can only consist of letters, numbers, spaces, periods, underscores, and dashes.
7. Select the direction of mail for the Pattern Filter rule in the Apply To field, such as All Mail, Inbound, or Outbound, depending on your requirements.
All Mail — Mail destined for any domain.
Inbound mail — Any mail destined for a domain for which the system is configured to accept mail. This will be any domain listed in the Mail Routing table in Configuration > Mail > Routing.
Outbound mail — Mail destined for any domain for which the system is not configured to accept mail (every domain other than those configured in Mail Routing).
8. Select the Message Part to filter on.
The system allows you to filter on the following parameters. These parameters are not visible to the user; they are part of the SMTP protocol handshake. You will need to look for them in the logs or have other knowledge of them.
<<Mail Envelope>>
This parameter allows for a match on any part of the message envelope, which includes the HELO, Client IP, and Client Host.
HELO
This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: mail.example.com.
Client IP
This field will be accurately reported and may be reliably used for both blocking and trusting. It is the IP address of the system initiating the SMTP connection. For example: 192.168.1.200.
Client Host
This field will be accurately reported and may be reliably used for both blocking and trusting. For example: mail.example.com.
The following envelope parameters (Envelope Addr, Envelope To, and Envelope From) may be visible if your client supports reading the message source. They can also be found in the transport logs. Other header fields may be visible as supported by the mail client.
Envelope Addr
This finds matches in either the Envelope To or Envelope From field. These fields are easily faked, and are not recommended for use in spam control. They may be useful in trusting a source of mail. For example: [email protected].
Envelope To
This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: [email protected].
Envelope From
This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: [email protected].
Message Header Parameters
Spammers will typically enter false information into these fields, except for the Subject field, so they are usually not useful in controlling spam. These fields may be useful in trusting certain users or legitimate sources of email.
Mail Header parameters will only match on the primary header of a message and not other multipart message headers.
<<Mail Header>>
This parameter allows for a match in any part of the message header.
<<Recipient>>
This parameter finds matches in the To: or CC: fields of the message.
CC:
This parameter finds matches in the CC: (Carbon Copy) field of the message.
From:
This parameter finds matches in the From: field of the message.
Message-ID:
This parameter finds matches in the Message-ID: field of the message.
Received:
This parameter finds matches in the Received: field of the message.
Reply-to:
This parameter finds matches in the Reply-to: field of the message.
Sender:
This parameter finds matches in the Sender: field of the message.
Subject:
This parameter finds matches in the Subject: field of the message.
To:
This parameter finds matches in the To: field of the message.
There are other header fields that are commonly used, such as List-ID, as well as those added by local mail systems and clients. You must use Regular Expressions to specify these parameters.
Message Body Parameters
<<Raw Mail Body>>
This parameter finds matches in any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use <<Mail Content>> for text matching on the decoded content. This parameter will also match in multi-part message parts.
<<Mail Content>>
This parameter finds matches in the visible decoded message body.
STA (Token Analysis) Token
Token Analysis tokens can also be selected for pattern based message filters. This allows you to match patterns for common spam words that could be hidden or disguised with fake or invisible HTML text comments, which would not be caught by a normal pattern filter. For example, Token Analysis extracts the token “viagra” from the text “vi<spam>ag<spam>ra” and “v.i.a.g.r.a.”.
Content Scanning
Pattern based message filters can be defined to match the content of an entire mail message, including attachments. This type of Pattern Filter is used with the Content Scanning feature.
9. Select the Match Option.
Contains — Looks for the text anywhere within the line or field. This allows for spaces or other characters that would make an exact match fail.
Ends with — Looks for the text at the end of the line or field (no characters, spaces, and so on between the text and the non-printed end-of-line character).
Matches — The entire line or field must match the text.
Starts with — Looks for the text at the start of the line or field (no characters between the text and the start of the line).
Reg Exp — Enter a regular expression to match the text.
10. Enter a text Pattern (case insensitive) to search for in the message.
You may also use Regular Expressions which allow you to specify match rules in a more flexible and granular way. They are based on the standard POSIX specification for Regular Expressions.
For example, to search for a blank message field, use the following regular expression:
^subject:[[:blank:]]*$
Although the Regular Expression feature is supported, WatchGuard cannot help with devising or debugging Regular Expressions because the expressions have an infinite variety and can be very complex. Using Regular Expressions is not recommended unless you have advanced knowledge of their use.
11. Select a Priority for the filter (High, Medium, Low).
The entire message is read before making the decision about which filter to use. If a message matches multiple filters, the filter with the highest priority will be used. If more than one matched filter has the highest priority, the filter with the strongest action will be used, in order from strongest to weakest (Bypass, Reject, Discard, Quarantine, Certainly Spam, PostX Encrypt, Archive, Redirect, Trust, Relay, Accept, Just log).
Discard, Quarantine, and Redirect are actions available when creating a custom Pattern Filter action in the Pattern Filter preferences screen.
If more than one matched rule has the highest priority and the strongest action, then the filter with the highest rule number will be used.
12. Select an Action to perform when a rule has been triggered:
Bypass — Allow this message to bypass all Intercept Anti-Spam and Content Control (Attachment Control, Content Scanning, Malformed Message, and OCF) processing. This action will override other Pattern Filter actions for the same priority. This action does not bypass Anti-Virus scanning.
Trust — This mail is considered trusted and from a legitimate source. This message will not be processed for spam. Mail will be trained as legitimate mail.
Reject — Mail is received, then rejected before the close of the SMTP session. The message is trained as spam if Train is also selected.
Relay — The message can be relayed externally. The message will be trained as legitimate mail or spam as determined by Intercept Anti-Spam if Train is also selected.
Accept — Mail is accepted and will be delivered regardless of whether the message is considered spam. The message is trained as legitimate mail if Train is also selected.
Certainly Spam — Mail is received, trained as spam, and then the Intercept action for Certainly Spam is applied.
Just Log — Take no action, but log the occurrence. Just Log can be used to override other lower priority Pattern Filters to test the effect of Pattern Filters without an action taking place.
PostX Encrypt — The message is encrypted using the Encryption Option if enabled.
BCC — Send a blind carbon copy of the mail to the address specified in Action Data. This option only appears if you have a BCC email address set up in the Preferences section.
Do Not Train — Do not use the message for Token Analysis training purposes.
Configurable Actions — There are several configurable actions that can be defined by the administrator by clicking the Preferences button. When defined, these actions will appear in this list.
Encrypt — Redirects the message to an encryption server.
Decrypt — Redirects the message to a decryption server.
Archive (High, Medium, Low) — Redirects the message to an archiving server.
The Relay or Trust action can only be used with an Envelope message part because attempted relays must be rejected immediately after the envelope transaction.
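To make the Match Option semantics (step 9), the POSIX-style regular expression from step 10, and the priority and action tie-breaking from step 11 concrete, here is an added Python model (not the appliance's own code): it evaluates a few constructed filters against constructed header fields and picks the winner by highest priority, then strongest action, then highest rule number. The POSIX class translation, the dictionary layout of a filter and the sample data are assumptions.

```python
import re

# Strongest-to-weakest action order, as the guide lists it for tie-breaking.
ACTION_ORDER = ["Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
                "PostX Encrypt", "Archive", "Redirect", "Trust", "Relay",
                "Accept", "Just log"]
PRIORITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Minimal POSIX bracket-class translation so a pattern written in the guide's
# POSIX style (e.g. [[:blank:]]) runs under Python's re module. Assumption:
# only these classes are handled.
_POSIX_CLASSES = {"[:blank:]": r" \t", "[:space:]": r"\s", "[:digit:]": r"\d",
                  "[:alpha:]": r"a-zA-Z", "[:alnum:]": r"a-zA-Z0-9"}


def posix_to_python(pattern):
    for name, repl in _POSIX_CLASSES.items():
        pattern = pattern.replace(name, repl)
    return pattern


def field_matches(option, pattern, field):
    """Apply one Match Option to one header line or field, case-insensitively."""
    f, p = field.lower(), pattern.lower()
    if option == "Contains":
        return p in f
    if option == "Ends with":
        return f.endswith(p)
    if option == "Matches":
        return f == p
    if option == "Starts with":
        return f.startswith(p)
    if option == "Reg Exp":
        return re.search(posix_to_python(pattern), field, re.IGNORECASE) is not None
    raise ValueError(f"unknown match option {option!r}")


def select_filter(matched):
    """Choose the winning filter among those that matched, per the guide:
    highest priority, then strongest action, then highest rule number."""
    if not matched:
        return None
    return max(matched, key=lambda f: (PRIORITY_RANK[f["priority"]],
                                       -ACTION_ORDER.index(f["action"]),
                                       f["rule"]))


# Constructed sample: primary header fields of one message, and three filters.
HEADERS = {"Subject:": "Subject:   ", "From:": "From: billing@example.com"}
FILTERS = [
    {"rule": 1, "part": "Subject:", "option": "Reg Exp",
     "pattern": "^subject:[[:blank:]]*$", "priority": "Medium",
     "action": "Quarantine"},
    {"rule": 2, "part": "From:", "option": "Ends with",
     "pattern": "@example.com", "priority": "Medium", "action": "Accept"},
    {"rule": 3, "part": "From:", "option": "Contains",
     "pattern": "example", "priority": "Low", "action": "Just log"},
]


def evaluate(headers, filters):
    """Read the whole message, collect every matching filter, then pick one."""
    matched = [f for f in filters
               if f["part"] in headers
               and field_matches(f["option"], f["pattern"], headers[f["part"]])]
    return select_filter(matched), matched


if __name__ == "__main__":
    winner, matched = evaluate(HEADERS, FILTERS)
    print("matched rules:", [f["rule"] for f in matched])
    print("winning rule:", winner["rule"], "->", winner["action"])
```

All three filters match the sample message, but the blank-subject rule wins because Quarantine is a stronger action than Accept at the same Medium priority.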