Intercept Anti-Spam
Configuring ReputationAuthority checks
To configure ReputationAuthority:
1. Select Security > Anti-Spam > ReputationAuthority.
2. Enter the ReputationAuthority Domain to query.
The default is WatchGuard’s ReputationAuthority domain, and should not be modified.
3. Select a Timeout Mode option to control how lookup timeouts to the ReputationAuthority domain are recovered from, and to provide redundancy through alternate ReputationAuthority domains if the primary domain is unavailable and cannot be contacted.
If the primary ReputationAuthority domain is unavailable and the timeout mode is set to Alternate, an alternate ReputationAuthority domain will be queried. If neither the primary nor the alternate ReputationAuthority domain can be contacted, the ReputationAuthority check will be skipped for the message. An alarm will also be triggered to notify the administrator if a service cannot be contacted.
Disable — No ReputationAuthority lookups will be performed if the ReputationAuthority domain is unavailable and cannot be contacted. The system will check the status of the domain every 5 minutes. Domain queries will resume when the service becomes available again.
Alternate — Use an alternate ReputationAuthority domain for queries. The system will check the status of the primary domain every 5 minutes. The system will revert to the primary domain when the primary domain service is restored. The alternate ReputationAuthority domain is preconfigured and is not configurable by the administrator.
Ignore — Continue to attempt a lookup to the ReputationAuthority domain. An alarm will be triggered if the timeout threshold (900 seconds) is exceeded and the domain query will be skipped.
4. Select the Share Statistics check box to allow ReputationAuthority information, such as spam and virus statistics for connecting client IP addresses, from this system to be shared with the ReputationAuthority network.
TCP Port 443 must be enabled outbound to allow statistics to be uploaded to the reputation server.
There are no security risks associated with sharing statistics. The system does not relay any private or sensitive information to the ReputationAuthority.
5. Select the Use Domain and Sender Behaviour check box to make use of domain and sender behavior when performing ReputationAuthority checks.
This option will increase the effectiveness of ReputationAuthority by examining not only the IP reputation of a sender, but also the domain name and envelope sender information from that IP address.
6. Select the Reject on Reputation check box to reject messages from senders whose reputation is above the configured Reputation Threshold.
A reputation of “0” indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of “100” indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value of “50”.
To override a ReputationAuthority reject, add the system to the internal hosts and friendly mail relays list. ReputationAuthority rejects can also be overridden by creating a Specific Access Pattern to Trust the rejected address. ReputationAuthority rejects cannot be overridden by a policy.
Pattern Based Message Filtering can also be set to Bypass (bypass all Anti-Spam and content checks), Trust (accept and train as valid mail), or Accept (accept without training) the message; however, this may interfere with later message processing, so using the mail relays list is recommended.
7. Enter a Rejection Threshold over which a message will be rejected.
The default value is “99”. If the reputation of a connecting system is greater than this value, it will be rejected. The lower the reputation threshold, the greater the chance that a system with valid mail will be blocked. This setting is only valid when Reject on Reputation is enabled.
8. Select Reject on Infection to reject messages from senders based on the criteria configured in the Infection Threshold option.
9. Select an Infection Threshold that indicates the criteria for rejecting messages based on whether the sending host is Currently infected (received in last hour), or Recently infected (received in last day).
This setting is only valid when Reject on Infection is enabled.
10. Select the Reject Connection From Dial-ups check box to reject messages sent directly from dial-up connections.
If a message is not rejected because it violates a reputation threshold, the reputation score and information about whether the sender is a dial-up can be incorporated into the overall Intercept Anti-Spam decision.
11. Customize the ReputationAuthority Reject Message as required.
This option allows the administrator to customize the reject message for ReputationAuthority. Use “%s” to insert the IP address of the rejected sender, for example: go to http://www.reputationauthority.org/lookup?ip=%s
ReputationAuthority rejection, infection, and dial-up log messages will include a URL similar to the following:
450: blocked by Intercept: http://www.reputationauthority.org/lookup?ip=207.236.65.226&d=4ECD2A71BB0D0E6A&u=45F00D38BFC08DFC
where the IP address is the connecting system that was rejected. The “d=” and “u=” sections are domain and user hashes for the domain and sender reputation. Clicking the URL will open a web page displaying ReputationAuthority reputation statistics for the specified IP address, domain, and user.
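For an administrator who wants to pull these rejects out of the mail log for review, the following added example (not from the WatchGuard guide) parses a log line in the format shown above and extracts the SMTP code, the rejected IP, and the domain and user hashes from the lookup URL. The sample log line is constructed, with a documentation-range IP and placeholder hashes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log line in the shape the guide describes
# ("<code>: blocked by Intercept: <lookup URL>"); the IP and the
# d=/u= hash values are placeholders, not real ReputationAuthority data.
SAMPLE_LOG_LINE = (
    "450: blocked by Intercept: http://www.reputationauthority.org/lookup"
    "?ip=192.0.2.10&d=0123456789ABCDEF&u=FEDCBA9876543210"
)

# Leading three-digit code, the fixed "blocked by Intercept" text, then the URL.
REJECT_PATTERN = re.compile(
    r"^(?P<code>\d{3}):\s+blocked by Intercept:\s+(?P<url>\S+)"
)


def parse_reputation_reject(line):
    """Return a dict with the SMTP code, rejected IP, domain hash, user hash and
    lookup URL from a ReputationAuthority reject log line, or None if the line
    is not a reject in this format."""
    match = REJECT_PATTERN.match(line.strip())
    if not match:
        return None
    # The interesting fields all live in the URL's query string.
    query = parse_qs(urlsplit(match.group("url")).query)
    first = lambda key: query.get(key, [None])[0]
    return {
        "smtp_code": int(match.group("code")),
        "ip": first("ip"),
        "domain_hash": first("d"),
        "user_hash": first("u"),
        "lookup_url": match.group("url"),
    }


if __name__ == "__main__":
    print(parse_reputation_reject(SAMPLE_LOG_LINE))
```

Lines that do not carry the "blocked by Intercept" marker (ordinary deliveries, for instance) return None, so the function can be applied to a whole log file and only the reputation rejects survive.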
12. Select the Enable ReputationAuthority for Anti-Spam check box to check incoming messages against the spam information gathered by the ReputationAuthority network.
13. In the Check Relays text box, specify how many received headers to check with ReputationAuthority.
For example, an email message may have been relayed by four mail servers before it reached the system. Use this field to specify how many relay points, starting from the latest headers to the earliest, should have their reputation checked via ReputationAuthority. Acceptable values are between “0” and “ALL”. The default is “5”.
Check Relays should be enabled if the system is installed behind another MTA or mail gateway. This ensures the relay before the intermediary MTA is checked.
14. In the Exclude Relays field, specify how many received headers to exclude from ReputationAuthority checks, starting from the earliest header to the most recent.
For example, if Check Relays is enabled, setting this value to “1” means that the first relay point will not be checked. Note that some ISPs include the originating dial-up IP as the first relay point, which can lead to legitimate mail being classified as spam by ReputationAuthority. Recommended values are “0” (off) or “1”. The default is “1”.
The Exclude Relays setting will only be enabled if Check Relays is also enabled.
As an example of using the Check Relays and Exclude Relays options, consider the following scenario:
Server A -> Server B -> Server C -> Server D -> WatchGuard XCS
With the mail relayed via four previous servers (A-D), the received headers of a message will appear in the following order:
Received: D
Received: C
Received: B
Received: A
With Check Relays enabled, the system starts with server D and checks the configured number of received headers. If Check Relays is set to “3”, it will check D, C, and B.
Use the Exclude Relays option to ignore the configured number of received headers starting at the end of the header list, regardless of what the Check Relays option is set to. If Exclude Relays is set to “1”, then server A will be excluded from the checks.
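The Check Relays and Exclude Relays selection described above, as an added example that is not part of the guide and not WatchGuard's own code: it extracts the relay IP addresses from the Received headers of a constructed four-hop message (A -> B -> C -> D, latest hop first, as in the scenario above) and then applies a Check Relays count (an integer or “ALL”) and an Exclude Relays count to decide which relays would be looked up. The hostnames and documentation-range IP addresses in the sample message are constructed.

```python
import email
import re

# Constructed sample message (not from the page): four relay hops before the
# gateway, so the Received headers appear latest-first, D at the top.
SAMPLE_MESSAGE = b"""Received: from mail-d.example.net (mail-d.example.net [192.0.2.40])
\tby xcs.example.com with ESMTP; Mon, 01 Jan 2024 10:00:04 +0000
Received: from mail-c.example.net ([192.0.2.30])
\tby mail-d.example.net; Mon, 01 Jan 2024 10:00:03 +0000
Received: from mail-b.example.net (mail-b.example.net [192.0.2.20])
\tby mail-c.example.net; Mon, 01 Jan 2024 10:00:02 +0000
Received: from dialup-a.isp.example ([198.51.100.10])
\tby mail-b.example.net; Mon, 01 Jan 2024 10:00:01 +0000
From: sender@example.org
To: user@example.com
Subject: relay selection sample

body
"""

# IPv4 literal in square brackets, as MTAs write the connecting address.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_relay_ips(raw_message):
    """Return the relay IPs found in the Received headers, latest hop first
    (the order in which they appear in the message)."""
    msg = email.message_from_bytes(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def select_relays(relays, check_relays, exclude_relays=0):
    """Apply the Check Relays / Exclude Relays rules to a latest-first relay list.

    exclude_relays drops that many hops from the end of the list (the earliest
    hops) regardless of check_relays; check_relays then limits how many of the
    remaining hops, counted from the latest, are checked. "ALL" means no limit.
    """
    if exclude_relays > 0:
        candidates = relays[:-exclude_relays]
    else:
        candidates = list(relays)
    if isinstance(check_relays, str) and check_relays.upper() == "ALL":
        return candidates
    return candidates[: int(check_relays)]


def relays_to_check(raw_message, check_relays, exclude_relays=0):
    """Convenience wrapper: which relay IPs of a raw message would be looked up."""
    return select_relays(received_relay_ips(raw_message), check_relays, exclude_relays)


if __name__ == "__main__":
    # Check Relays = 3: D, C, B are checked, as in the guide's scenario.
    print(relays_to_check(SAMPLE_MESSAGE, 3))
    # Exclude Relays = 1 with the default Check Relays = 5: A is left out.
    print(relays_to_check(SAMPLE_MESSAGE, 5, exclude_relays=1))
```

With Check Relays at the default of 5 and Exclude Relays at 1, the dial-up hop at the bottom of the header list (A) is never sent to ReputationAuthority, which is exactly the case the guide recommends the setting for; with Check Relays at 0, nothing is looked up regardless of Exclude Relays.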