C-Series Configuration
Module 6 Anti-Spam
Module Objectives
At the conclusion of this module you will be able to:
Identify the IronPort approach for defending against spam
Explain how the appliance recognizes spam
Configure and use the SenderBase Reputation Filters
Configure and use IronPort Anti-Spam for spam defense
Module Map
The SenderBase Network
IronPort Anti-Spam
Configuring and using SenderBase Reputation Filters (SBRF)
Configuring and using IronPort Anti-Spam (IPAS)
Two layers of defense: Reputation Filters (connection based) and IronPort Anti-Spam (content based)
SenderBase facts:
View into over 25% of email traffic
20M+ IP addresses tracked globally
Data from 100,000+ sources; 8 of the 10 largest ISPs
Millions of human reporters & spamtraps
SenderBase Network
Data sources feeding SenderBase:
IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
Complaint Reports: spam, phishing, virus reports
Domain Blacklists & Safelists: spamvertized URLs, phishing URLs, spyware sites
Spam Traps
Global Volume Data: over 100,000 organizations, email traffic, web traffic
Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up
First to combine email & web data: over 90 email and 20 web parameters tracked
Mail pipeline: incoming mail (good, bad, and grey or unknown email) passes through Reputation Filtering and then the Anti-Spam Engine; both draw on SenderBase data (150 parameters).

SenderBase Reputation Score (SBRS) scale, from -10 to +10:
-10: An IP address controlled by a spam house or a known open proxy, generating a massive volume of complaints and hitting many spamtraps. Definitely sending primarily spam.
Further up the negative side: Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists. Still guaranteed to be spam.
Around the middle of the scale: May be a dynamic IP (e.g., dialup) sending direct to the Internet, or an email marketer with poor practices, or a legitimate enterprise with an open server. Possibly spam.
+10: A known enterprise, or a sender who has undergone third-party certification, with no complaints and a long sending history.
Section: IronPort Anti-Spam
How IronPort Anti-Spam scores a message (diagram): SenderBase (IronPort) supplies the reputation score; CASE on the customer-site appliance combines it with evidence about what the message contains and where it comes from.

Security modeling (diagram, using an "Ergonomic Mouse" spam campaign as the example): sender reputation, the FROM: header, the URL in the message, and the web server owner are taken as combined evidence, and new rules are derived from it.
Mutating spam outbreaks randomize message content
Threat Evidence Clustering identifies nontransient elements
Over 100,000 message attributes are examined

Threat operations:
Monitor SenderBase Network & profile new attacks
24 x 7 real-time Outbreak Rules
Rapid closed-loop verification of reports
Maintain a real-time, globally representative email corpus
Expert team of skilled analysts
Staffed 24 x 7 x 365
32 languages spoken
Documented & verified processes
State-of-the-art tools & techniques
Section: Configuring and using SenderBase Reputation Filters (SBRF)
Getting Started
Define Mail Flow Policies: Conservative, Moderate, Aggressive

SBRS ranges per sender group under each policy:
Sender Group | Conservative | Moderate   | Aggressive
Blocked      | -10 to -7    | -10 to -4  | -10 to -2
Throttle     | -7 to -2     | -4 to -1   | -2 to -.05
Accepted     | -2 to 7      | -1 to 6    | 0.4 to 4
Trusted      | 7 to 10      | 6 to 10    | 4 to 10

In the Basic User Guide, IronPort recommends Aggressive settings for blocking and Moderate settings for throttling, similar to the values shown above.
SBRS allows you to watch out for sites without reputation scores. Remember to click on Commit Changes.
Sender group policies on the first listener:
Policy Name | Action
$TRUSTED | ACCEPT
$BLOCKED | REJECT
$THROTTLED | ACCEPT
(policy name not shown on the slide) | ACCEPT
(policy name not shown on the slide) | ACCEPT

Sender group policies on the second listener:
Policy Name | Action
$RELAYED | ACCEPT
$BLOCKED | REJECT
Section: Configuring and using IronPort Anti-Spam (IPAS)
Anti-Spam verdict actions:
Positively Identified spam: Drop, or deliver with [Positive Spam] added to the subject of messages
Suspected spam: Deliver with [Suspected Spam] added to the subject of messages
Once a message is flagged to skip Anti-Spam, no subsequent policy will change that.
Redirect, quarantine, or archive the message if you want to avoid normal delivery.
Example headers and their use:
X-IronPort-Anti-Spam-Result: AISrAr.. (result header) - Troubleshooting: IronPort Support can decipher this to understand the verdict on a message
X-IronPort-Anti-Spam-Filtered: true (status header) - Troubleshooting: confirms the message was scanned by Anti-Spam
X-advertisement: spam (header) - Testing: used to trigger a spam positive verdict (definite spam)
X-advertisement: suspect spam (header) - Testing: used to trigger a suspected spam verdict (suspect spam)
GTUBE string in the body - Testing: insert in the body to trigger a spam positive verdict (definite spam). The full test string is:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
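The following is an added example, not code from the IronPort training material or the appliance itself. It serves two passages of this module: it maps an SBRS score to a sender group using the Conservative/Moderate/Aggressive ranges from the mail flow policy table (handling the unscored-sender case the SBRF section mentions), and it inspects a received message for the troubleshooting and test markers listed under the example headers (the Filtered/Result headers, the X-Advertisement test headers, and the GTUBE body string). Assumptions, marked in comments: a score equal to a shared range endpoint takes the more restrictive group, an unscored sender lands in the Accepted group, and the sample messages are constructed, not captured traffic.

```python
"""Added example (not IronPort's code): SBRS-to-sender-group mapping under the slide's
three policy profiles, plus a checker for the anti-spam headers and GTUBE test marker."""
import email
from email.message import Message

# Thresholds exactly as printed on the mail-flow-policy slide.
# Blocked: -10 .. block_max; Throttle: block_max .. throttle_max;
# Trusted: trusted_min .. 10; Accepted: everything in between.
# Assumption: a score that equals a shared endpoint takes the more restrictive group.
SBRS_PROFILES = {
    "Conservative": {"block_max": -7.0, "throttle_max": -2.0, "trusted_min": 7.0},
    "Moderate": {"block_max": -4.0, "throttle_max": -1.0, "trusted_min": 6.0},
    "Aggressive": {"block_max": -2.0, "throttle_max": -0.05, "trusted_min": 4.0},
}

# Listener action per group (slide: the $BLOCKED policy is REJECT, every other policy ACCEPT).
GROUP_ACTION = {"Blocked": "REJECT", "Throttle": "ACCEPT",
                "Accepted": "ACCEPT", "Trusted": "ACCEPT"}


def classify_sender(sbrs, profile="Moderate"):
    """Return (sender_group, action) for a connecting IP's SBRS under one profile.

    sbrs is None when SenderBase has no reputation for the IP (the slide's
    "sites without reputation scores"). Assumption: such senders fall into the
    Accepted group rather than being blocked or trusted on no evidence.
    """
    t = SBRS_PROFILES[profile]
    if sbrs is None:
        group = "Accepted"
    elif not -10.0 <= sbrs <= 10.0:
        raise ValueError(f"SBRS out of range: {sbrs}")
    elif sbrs <= t["block_max"]:
        group = "Blocked"
    elif sbrs <= t["throttle_max"]:
        group = "Throttle"
    elif sbrs >= t["trusted_min"]:
        group = "Trusted"
    else:
        group = "Accepted"
    return group, GROUP_ACTION[group]


# GTUBE body marker, assembled from the two halves printed on the slide.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
# X-Advertisement header values from the slide and the verdict each one forces.
TEST_HEADER_VERDICTS = {"spam": "positive", "suspect spam": "suspected"}


def inspect_message(raw: str) -> dict:
    """Report which anti-spam markers a raw RFC 822 message carries."""
    msg: Message = email.message_from_string(raw)
    body = ""
    if not msg.is_multipart():
        payload = msg.get_payload(decode=True) or b""
        body = payload.decode("utf-8", "replace")
    advert = (msg.get("X-Advertisement") or "").strip().lower()
    return {
        # Status header: true only if the appliance actually ran Anti-Spam on the message.
        "scanned": (msg.get("X-IronPort-Anti-Spam-Filtered") or "").strip().lower() == "true",
        # Opaque result blob that IronPort Support can decode; we only note its presence.
        "has_result": msg.get("X-IronPort-Anti-Spam-Result") is not None,
        "gtube_in_body": GTUBE in body,
        "test_header_verdict": TEST_HEADER_VERDICTS.get(advert),
    }


# Constructed sample messages (not real traffic).
SCANNED_MSG = "\n".join([
    "X-IronPort-Anti-Spam-Filtered: true",
    "X-IronPort-Anti-Spam-Result: AISrAr..",  # value truncated on the slide; kept as printed
    "From: sender@example.com",
    "Subject: quarterly report",
    "",
    "Nothing unusual in this message.",
])
GTUBE_TEST_MSG = "\n".join([
    "From: tester@example.com",
    "Subject: antispam self-test",
    "X-Advertisement: spam",
    "",
    "Test body: " + GTUBE,
])

if __name__ == "__main__":
    for score in (-8, -3, None, 0.2, 9):
        print(score, classify_sender(score, "Moderate"))
    print(inspect_message(SCANNED_MSG))
    print(inspect_message(GTUBE_TEST_MSG))
```

Run it as a script to see the group each sample score lands in under the Moderate profile and the markers each constructed message carries; swap the profile name to compare how the same score is handled under Conservative or Aggressive settings. Because the Aggressive ranges overlap the Moderate ones, a deployment following the Basic User Guide recommendation (Aggressive blocking, Moderate throttling) evaluates Blocked before Throttle, which is why the function tests the block threshold first.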
Module Summary
You are now able to:
Identify the IronPort approach for defending against spam
Explain how the appliance recognizes spam
Configure and use the SenderBase Reputation Filters
Configure and use IronPort Anti-Spam for spam defense