WatchGuard XCS User Guide

Intercept Anti-Spam

Configuring ReputationAuthority checks

To configure ReputationAuthority:

1. Select Security > Anti-Spam > ReputationAuthority.


2. Enter the ReputationAuthority Domain to query.

The default is WatchGuard’s ReputationAuthority domain, and should not be modified.

3. Select a Timeout Mode option. This setting controls how the system recovers from lookup timeouts to the ReputationAuthority domain and, in Alternate mode, adds redundancy by querying an alternate ReputationAuthority domain if the primary domain is unavailable and cannot be contacted.

If the primary ReputationAuthority domain is unavailable and the timeout mode is set to Alternate, an alternate ReputationAuthority domain will be queried. If neither the primary nor the alternate ReputationAuthority domain can be contacted, the ReputationAuthority check will be skipped for that message and the message will be processed without a ReputationAuthority result. An alarm will also be triggered to notify the administrator that a service cannot be contacted.

• Disable — No ReputationAuthority lookups will be performed while the ReputationAuthority domain is unavailable and cannot be contacted. The system will check the status of the domain every 5 minutes. Domain queries will resume when the service becomes available again.

• Alternate — Use an alternate ReputationAuthority domain for queries. The system will check the status of the primary domain every 5 minutes and will revert to the primary domain when its service is restored. The alternate ReputationAuthority domain is preconfigured and is not configurable by the administrator.

• Ignore — Continue to attempt lookups to the ReputationAuthority domain. An alarm will be triggered if the timeout threshold (900 seconds) is exceeded, and the domain query will be skipped.

4. Select the Share Statistics check box to allow ReputationAuthority information, such as spam and virus statistics for connecting client IP addresses, to be shared from this system with the ReputationAuthority network.

TCP port 443 must be open outbound for statistics to be uploaded to the reputation server.

The uploaded data is limited to spam and virus statistics for the IP addresses of connecting clients; the system does not relay any private or sensitive information to ReputationAuthority.


5. Select the Use Domain and Sender Behaviour check box to make use of domain and sender behavior when performing ReputationAuthority checks.

This option will increase the effectiveness of ReputationAuthority by examining not only the IP reputation of a sender, but also the domain name and envelope sender information from that IP address.

6. Select the Reject on Reputation check box to reject messages from senders whose reputation is above the configured Reputation Threshold.

A reputation of “0” indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of “100” indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value of “50”.

To override a ReputationAuthority reject for a particular sending system, add that system to the internal hosts and friendly mail relays list, or create a Specific Access Pattern that Trusts the rejected address. ReputationAuthority rejects cannot be overridden by a policy.

Pattern Based Message Filtering can also be set to Bypass (bypass all Anti-Spam and content checks), Trust (accept and train as valid mail), or Accept (accept without training) the message; however, this may interfere with later message processing, so using the mail relays list is recommended.

7. Enter a Rejection Threshold over which a message will be rejected.

The default value is “99”. If the reputation of a connecting system is greater than this value, it will be rejected. The lower the reputation threshold, the greater the chance that a system with valid mail will be blocked. This setting is only valid when Reject on Reputation is enabled.

8. Select Reject on Infection to reject messages from senders based on the criteria configured in the Infection Threshold option.

9. Select an Infection Threshold that sets the criteria for rejecting messages based on whether the sending host is Currently infected (infected mail received in the last hour) or Recently infected (infected mail received in the last day).

This setting is only valid when Reject on Infection is enabled.

10. Select the Reject Connection From Dial-ups check box to reject messages sent directly from dial-up connections.

If a message is not rejected for violating a reputation threshold, the reputation score and information about whether the sender is a dial-up can still be incorporated into the overall Intercept Anti-Spam decision.


11. Customize the ReputationAuthority Reject Message as required.

This option allows the administrator to customize the reject message for ReputationAuthority. Use “%s” to insert the IP address of the rejected sender, for example: go to http://www.reputationauthority.org/lookup?ip=%s

ReputationAuthority rejection, infection, and dial-up log messages will include a URL similar to the following:

450: blocked by Intercept: http://www.reputationauthority.org/lookup?ip=207.236.65.226&d=4ECD2A71BB0D0E6A&u=45F00D38BFC08DFC, where the IP address is that of the connecting system that was rejected. The “d=” and “u=” parameters are hashes identifying the domain and the sender whose reputations were consulted. Opening the URL displays ReputationAuthority reputation statistics for the specified IP address, domain, and user.


12. Select the Enable ReputationAuthority for Anti-Spam check box to check incoming messages against the spam information gathered by the ReputationAuthority network.

13. In the Check Relays text box, specify how many received headers to check with ReputationAuthority.

For example, an email message may have been relayed by four mail servers before it reached the system. Use this field to specify how many relay points, starting from the latest header and working back to the earliest, should have their reputation checked via ReputationAuthority. Acceptable values are between “0” and “ALL”. The default is “5”.

Check Relays should be enabled if the system is installed behind another MTA or mail gateway. Otherwise only the intermediary MTA, which is the connecting system, would be checked; Check Relays ensures that the relay before the intermediary MTA is checked as well.


14. In the Exclude Relays field, specify how many received headers to exclude from ReputationAuthority checks, starting from the earliest header and working toward the most recent.

For example, if Check Relays is enabled, setting this value to “1” means that the earliest relay point will not be checked. Note that some ISPs include the originating dial-up IP as the earliest relay point, which can lead to legitimate mail being classified as spam by ReputationAuthority. Recommended values are “0” (off) or “1”. The default is “1”.

The Exclude Relays setting will only be enabled if Check Relays is also enabled.

As an example of using the Check Relays and Exclude Relays options, consider the following scenario:

Server A -> Server B -> Server C -> Server D -> WatchGuard XCS

With the mail relayed via four previous servers (A-D), the received headers of a message will appear in the following order:

Received: D

Received: C

Received: B

Received: A

With Check Relays enabled, the system starts with server D and checks the configured number of received headers. If Check Relays is set to “3”, it will check D, C, and B.

Use the Exclude Relays option to ignore the configured number of received headers starting at the end of the header list, regardless of what the Check Relays option is set to. If Exclude Relays is set to “1”, then server A will be excluded from the checks.
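The following Python script is an added worked example, not code from the WatchGuard XCS guide or product. It applies the Check Relays and Exclude Relays window described in steps 13 and 14 to the Received headers of a message, then applies the Reject on Reputation threshold from steps 6 and 7 and the “%s” reject-message substitution from step 11. The header lines, host names, IP addresses and reputation scores are all constructed for the example (there is no real ReputationAuthority query); the IP extraction regex is a simplification of real Received-header parsing; and the windowing implements the text above literally: Check Relays counts from the latest header (“ALL” means every relay), and Exclude Relays drops that many of the earliest headers regardless of the Check Relays value.

```python
import re

# Constructed sample headers for the chain A -> B -> C -> D -> WatchGuard XCS.
# Hosts, addresses and dates are invented. The latest Received header (written
# when server D connected to the XCS) comes first, as in a real message.
SAMPLE_HEADERS = """\
Received: from mail-d.example.net (mail-d.example.net [203.0.113.40])
\tby xcs.example.com with ESMTP; Tue, 1 Mar 2011 10:00:04 -0500
Received: from mail-c.example.net (mail-c.example.net [203.0.113.30])
\tby mail-d.example.net with ESMTP; Tue, 1 Mar 2011 10:00:03 -0500
Received: from mail-b.example.org (mail-b.example.org [198.51.100.20])
\tby mail-c.example.net with ESMTP; Tue, 1 Mar 2011 10:00:02 -0500
Received: from dialup-a.isp.example ([192.0.2.10])
\tby mail-b.example.org with SMTP; Tue, 1 Mar 2011 10:00:01 -0500
Subject: example
"""

# Constructed scores standing in for ReputationAuthority answers, on the
# guide's scale (0 = reliable, 100 = unreliable). 192.0.2.10 models the ISP
# dial-up that appears as the earliest relay point; 198.51.100.20 is a
# mediocre relay that stays under the default threshold.
FAKE_REPUTATION = {
    "203.0.113.40": 5,
    "203.0.113.30": 12,
    "198.51.100.20": 60,
    "192.0.2.10": 100,
}
UNKNOWN_SCORE = 50        # an IP with no information is assigned 50
DEFAULT_THRESHOLD = 99    # the guide's default Rejection Threshold

# Simplified extraction of the bracketed IPv4 literal in a Received header.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_headers):
    """Return the IP of each Received header, latest relay first."""
    # Unfold continuation lines so each header is a single logical line.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            match = IP_RE.search(line)
            if match:
                ips.append(match.group(1))
    return ips


def relays_to_check(ips, check_relays, exclude_relays=0):
    """Apply the Check Relays / Exclude Relays window to relay IPs.

    check_relays counts from the latest header ("ALL" means every relay);
    exclude_relays removes that many of the earliest headers regardless of
    check_relays, as the guide describes the two options.
    """
    count = len(ips) if str(check_relays).upper() == "ALL" else int(check_relays)
    earliest_kept = max(len(ips) - int(exclude_relays), 0)
    return ips[:min(count, earliest_kept)]


def reputation_decision(ips, threshold=DEFAULT_THRESHOLD, lookup=FAKE_REPUTATION):
    """Return (ip, score) for the first checked relay whose reputation is
    greater than the threshold, or None if no checked relay exceeds it."""
    for ip in ips:
        score = lookup.get(ip, UNKNOWN_SCORE)
        if score > threshold:
            return ip, score
    return None


REJECT_TEMPLATE = "go to http://www.reputationauthority.org/lookup?ip=%s"


def reject_message(template, ip):
    """Expand the %s placeholder of the customised reject message."""
    return template.replace("%s", ip)


if __name__ == "__main__":
    ips = received_ips(SAMPLE_HEADERS)
    # Default settings (Check Relays 5, Exclude Relays 1, threshold 99): the
    # dial-up at the end of the chain is excluded, so nothing is rejected.
    print(reputation_decision(relays_to_check(ips, 5, 1)))  # None
    # Exclude Relays 0 pulls the originating dial-up into the check.
    hit = reputation_decision(relays_to_check(ips, 5, 0))
    print(hit, reject_message(REJECT_TEMPLATE, hit[0]))
```

Running the script with the default settings shows the caveat from step 14 concretely: with Exclude Relays at “1” the ISP dial-up (score 100) is never looked up, while setting it to “0” makes the same message rejectable even though every real MTA in the chain has an acceptable reputation.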
