Diagnostics. WatchGuard XCS


Intercept Anti-Spam

such as .zip. Token Analysis can improve detection of PDF spam by analyzing specific information in the PDF such as the document meta-properties (author, creation date, etc.) and the text and images contained in the PDF. The Token Analysis scanner will create tokens for each of these unique PDF properties to be able to detect characteristics of PDF spam.

The PDF Analysis feature uses the Token Analysis component to analyze PDF spam messages. Token Analysis must be enabled for PDF Spam detection to work. To perform content inspection of archive files, such as .zip, that contain PDF files, Kaspersky Anti-Virus must be enabled.

Tokens generated by the PDF analysis feature (by analyzing text in the PDF) are also utilized by the Spam Words and URL Block List (UBL) features. They cannot be used for the Objectionable Content Filter.

• Enable PDF Analysis — Enables PDF analysis to allow the system to scan PDF files for spam. This is enabled by default.

  If the PDF document size is larger than 45kb, analysis of the document will be skipped. Larger documents are less likely to be spam messages.

• Analyze PDF Text — Select this check box to extract and analyze the text in a PDF file. This allows the scanner to examine the PDF text for words that may indicate it is a spam message. Tokens created from the text in a PDF are used by Token Analysis, Spam Words, and the URL Block List features.

• Analyze PDF Images — Select this check box to analyze images in PDF documents for image spam.

  The Enable Image Analysis option must also be enabled to analyze images in PDF documents.

PDF text and image analysis are enabled by default. Disable these options if there is an increase in false positives (legitimate mail identified as spam), or if system message processing performance is affected.

Diagnostics

The diagnostics section allows administrators to configure diagnostic options for Token Analysis to help with troubleshooting.

• Enable X-STA Headers — This setting inserts X-STA (Token Analysis) headers into all messages. These are not visible to the user (although they can be filtered in most mail clients), but can be used to gather information on why mail is processed in a particular way.

  The following headers will be inserted:

  • X-STA-Metric — The score assigned by Token Analysis, such as 95, which would indicate a spam message.

  • X-STA-NotSpam — Indicates the words with the highest non-spam value found in the message.

  • X-STA-Spam — Indicates the words with the highest spam value found in the message.

• Enable Monitoring — Select the check box to enable the monitoring of messages received by the specified email address.

• Monitor email for — Enter an email address that you would like to monitor.

• Copy to — Copy messages and the Token Analysis diagnostic to this email address.
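A triage script for the X-STA headers and the Copy to mailbox described above, added here as an example; it is not WatchGuard code. It assumes the copied messages have been exported as a Unix mbox file and that X-STA-Metric holds a bare number; `spam_threshold` is a hypothetical cut-off and the sample messages are constructed.

```python
import mailbox
import os
import tempfile

# Constructed sample of a "Copy to" mailbox. The token layout after
# X-STA-Spam / X-STA-NotSpam is an assumption; values are kept as opaque text.
SAMPLE_MBOX = """\
From MAILER-DAEMON Thu Jan  1 00:00:00 2015
Subject: Cheap offer
X-STA-Metric: 95
X-STA-NotSpam: regards
X-STA-Spam: offer cheap unsubscribe

From MAILER-DAEMON Thu Jan  1 00:00:01 2015
Subject: Minutes
X-STA-Metric: 12
X-STA-NotSpam: minutes agenda
X-STA-Spam: free

From MAILER-DAEMON Thu Jan  1 00:00:02 2015
Subject: No diagnostics

"""

def triage(mbox_path, spam_threshold=90.0):
    """Return (subject, metric, verdict, spam_tokens, ham_tokens) per message."""
    box, rows = mailbox.mbox(mbox_path, create=False), []
    for msg in box:
        try:
            metric = float(msg["X-STA-Metric"])
        except (TypeError, ValueError):  # header absent or not numeric
            metric = None
        verdict = ("no-diagnostic" if metric is None else
                   "spam" if metric >= spam_threshold else "not-spam")
        rows.append((msg["Subject"], metric, verdict,
                     msg.get("X-STA-Spam", ""), msg.get("X-STA-NotSpam", "")))
    box.close()
    return rows

def triage_sample():
    """Run triage() on the constructed sample through a temporary mbox file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "copy-to.mbox")
        with open(path, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        return triage(path)

if __name__ == "__main__":
    print(*triage_sample(), sep="\n")
```

Messages reported as `no-diagnostic` carry no usable X-STA-Metric header and cannot be explained from Token Analysis diagnostics alone.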


Token Analysis training

The following sections allow you to define advanced parameters for Token Analysis training, such as legitimate and spam mail training settings.


• Valid Training Sources — Select Trusted/Local Mail to train all local trusted network mail for Token Analysis, or select No Training.

  If “No Training” is selected, use the Heuristic 1 Intercept Decision strategy, which de-emphasizes Token Analysis. This prevents the false positives that occur when using the Heuristic 2 strategy.

• Local Limit — Enter the maximum number of messages from local users that can be used for Token Analysis training. When the limit is reached, older training messages are deleted as new messages arrive. Default is 20000.

• Local Threshold — Set the threshold for messages from local users to be used for training. If the Token Analysis classification for the message is greater than or equal to the specified number, the message will be used for training.

• Source Weighting % — For Token Analysis to be useful and efficient, the training must be based on well-selected data. The initial database supplied by WatchGuard represents well-selected data, and is therefore highly weighted compared to uploaded legitimate mail or legitimate mail from the trusted network.

  • Default — Enter a percentage for the weight of the WatchGuard-maintained Token Analysis database of valid mail.

  • Uploaded — Enter the weight of locally uploaded valid mail. Legitimate mail can be uploaded by clicking the Upload Legitimate Mail button. The mail must be in plain-text Unix mbox format. A minimum of ten messages should be uploaded to be effective.
