8.9.1. Antispam Configuration

If mail traffic checking is configured, UserGate NGFW can inspect traffic carried over the SMTP and POP3 protocols; IMAP is not supported, even when SSL inspection is configured. Encrypted SMTP and POP3 traffic can also be inspected.

The following types of validation are supported:

  • blocking the SMTP connection when the IP address of the sending server is present in one of the DNSBL databases; this is the most effective method of dealing with spam email;

  • marking messages based on the result of an antispam check; an appropriate license is required.

Note

Blocking based on the results of an antispam check is not recommended. It is recommended that a "spam/non-spam" decision be made on the side of the mail server (or an additional antispam application), where the flag issued by UserGate NGFW would be one of the criteria with more weight.

You can view the statistics of the antispam module in the dashboard by enabling the appropriate widgets "Mail summary" or "Mail protection graphs".

Note

Antispam activity is not displayed in the logs.

In the antispam settings, you can set both white and black lists of IP addresses. Addresses from which a connection will be refused without any further analysis are added to the blacklist. In mail traffic protection rules, address lists are added on the Envelope from / Envelope to tabs. If the rule is configured with the action Drop, the rule works as a blacklist; if Pass, as a whitelist.

In these lists, you can use the * character to mean "any". That is, *@domain.com stands for all addresses of this domain.

BATV configuration

BATV (Bounce Address Tag Validation) is a technology that helps distinguish real email bounces from spam bounces.

Forgery of sender addresses (especially addresses whose owners do not use SenderPolicyFramework or YahooDomainKeys to protect them from being spoofed) is widely used by spammers. Part of the spam is accepted by the recipients' MX servers, but if the message cannot be delivered to the next server, the relay bounces it back to the sender. Because the sender address is fake, the real owner of that address receives a bounce for spam they never sent. In addition, some spam messages are disguised as bounces, since some antispam checks assume that a bounce cannot contain spam, and attackers take advantage of this. BATV is used to distinguish real bounced messages from fake ones.

It is impossible to turn off the reception of bounced messages, because this breaks mail connectivity (legitimate messages are also sometimes undeliverable and are returned), so there must be some way to distinguish normal bounces from bounced spam. This is why BATV was proposed. Using BATV can be useful in systems where spam content filters are unable to detect spam in bounced messages.

To enable verification, you must activate the corresponding checkbox.

DNSBL servers

DNSBL check is an antispam check based on DNSBL technology. It applies to SMTP traffic only. When mail traffic is checked using DNSBL, the IP address of the spam sender's SMTP server is blocked at the stage of establishing the SMTP connection, which significantly reduces the load on the other methods of checking mail for spam.

A DNSBL (DNS-based blocklist), or spam database, is a blacklist of domain names and IP addresses that have been observed sending spam messages.

Note

The appearance of a server in such a list is not an unequivocal sign that messages from this server belong to spam mailings. The false-positive rate of this technology depends on the DNSBL lists used and must be assessed individually. In any case, the presence of a server in the DNSBL lists should be treated as an additional, but not the main, sign of spam.

There are dozens of different DNSBLs on the web, each using its own criteria for adding and removing an IP address or domain from its list. Most spam filters use various DNSBLs to check that incoming emails are not sent from sites that have blacklisted domain names. Typically, DNSBLs are the first line of defense against spam.

The addresses of the DNSBL servers to query are added to the list of servers, for example cbl.abuseat.org, zen.spamhaus.org, etc. The whitelist and blacklist exclude certain addresses from this check or add them to it.

DNSBL white list

List of servers excluded from DNSBL check.

DNSBL black list

A list of banned servers in addition to those on the DNSBL lists.
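The DNSBL check, whitelist and blacklist described above, modelled as an added example that is not part of UserGate NGFW or its documentation. It assumes a hypothetical stub resolver (a constructed lookup table in place of real DNS queries) and the RFC 5782 convention that a listed address is signalled by an answer in 127.0.0.0/8; the IP addresses are constructed documentation-range values.

```python
import ipaddress
from typing import Dict, Optional

# Hypothetical stand-in for a DNS resolver: maps DNSBL query names to the A
# record the zone would answer with. Constructed so the example runs offline.
FAKE_DNS: Dict[str, str] = {
    "4.2.0.192.zen.spamhaus.org": "127.0.0.2",   # constructed: listed
    "4.2.0.192.cbl.abuseat.org": "127.0.0.2",    # constructed: listed
    "9.113.0.203.zen.spamhaus.org": "10.1.1.1",  # constructed: answer outside 127/8
}

# DNSBL zones configured in the servers list (the ones named on this page).
DNSBL_ZONES = ["cbl.abuseat.org", "zen.spamhaus.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve(name: str) -> Optional[str]:
    """Stub resolver; a real deployment would issue a DNS A query here."""
    return FAKE_DNS.get(name)


def is_listed(ip: str, zone: str) -> bool:
    """Listed only if the zone answers inside 127.0.0.0/8 (RFC 5782).
    Any other answer (for example a wildcard-DNS hijack of an expired zone)
    is treated as not listed rather than as a spam verdict."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def smtp_connect_verdict(ip: str, whitelist, blacklist, zones=DNSBL_ZONES) -> str:
    """Decision at SMTP connection time: the whitelist exempts a server from
    the DNSBL check, the blacklist refuses it in addition to the DNSBL lists,
    otherwise every configured zone is consulted."""
    if ip in whitelist:
        return "accept (whitelisted, DNSBL check skipped)"
    if ip in blacklist:
        return "reject (local blacklist)"
    hits = [z for z in zones if is_listed(ip, z)]
    if hits:
        return "reject (listed in " + ", ".join(hits) + ")"
    return "accept"
```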