Cyberoam anti spam implementation guide
Upcoming SlideShare
Loading in...5
×
 

Cyberoam anti spam implementation guide

on

  • 1,901 views

 

Statistics

Views

Total Views
1,901
Views on SlideShare
1,901
Embed Views
0

Actions

Likes
0
Downloads
52
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Cyberoam anti spam implementation guide Cyberoam anti spam implementation guide Document Transcript

    • Cyberoam Anti SpamImplementation Guide Version 9 Document version 96-1.0-12/05/2009
    • Cyberoam Anti Spam Implementation GuideIMPORTANT NOTICEElitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented withoutwarranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecoreassumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to makechanges in product design or specifications. Information is subject to change without notice.USER’S LICENSEThe Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Pleaseread these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by theterms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance andmanual (with proof of payment) to the place of purchase for a full refund.LIMITED WARRANTYSoftware: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on whichthe Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Softwaresubstantially conforms to its published specifications except for the foregoing, the software is provided AS IS. This limitedwarranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire liability of Elitecoreand its suppliers under this warranty will be, at Elitecore or its service center’s option, repair, replacement, or refund of thesoftware if reported (or, upon, request, returned) to the party supplying the software to the customer. In no event does Elitecorewarrant that the Software is error free, or that the customer will be able to operate the software without problems orinterruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and byCommtouch respectively and the performance thereof is under warranty provided by Kaspersky Labs and by Commtouch. It isspecified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will notoccasionally erroneously report a virus in a title not infected by that virus.Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electricalcomponents will be free from material defects in workmanship and materials for a period of One (1) year. Elitecores soleobligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardwareneed not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or anypart thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in allmaterial respects to the defective Hardware.DISCLAIMER OF WARRANTYExcept as specified in this warranty, all expressed or implied conditions, representations, and warranties including, withoutlimitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course ofdealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law.In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential,incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability touse the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In the event shallElitecore’s or its supplier’s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed theprice paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose.In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including,without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore orits suppliers have been advised of the possibility of such damages.RESTRICTED RIGHTSCopyright 1999-2009 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of ElitecoreTechnologies Ltd.CORPORATE HEADQUARTERSElitecore Technologies Ltd.904 Silicon Tower,Off. C.G. Road,Ahmedabad – 380015, INDIAPhone: +91-79-66065606Fax: +91-79-26407640Web site: www.elitecore.com , www.cyberoam.com 2
    • Cyberoam Anti Spam Implementation GuideContents Technical Support ............................................................................................................................ 4 Typographic Conventions ................................................................................................................ 5 Overview.............................................................................................................................................. 6 Spam ................................................................................................................................................... 6 Cyberoam Gateway Anti Spam ........................................................................................................... 7 Configuration ....................................................................................................................................... 7 Spam Policy......................................................................................................................................... 8 Types of Policies .......................................................................................................................... 8 Detection of spam attributes ........................................................................................................ 8 Actions.......................................................................................................................................... 9 Global policy .................................................................................................................................. 10 Default policy ................................................................................................................................. 11 Custom policy ................................................................................................................................ 12 Create Custom Scan policy........................................................................................................ 12 Manage Custom Spam policy .................................................................................................... 13 Add Advanced Rules.................................................................................................................. 14 Change Advanced action rules Order ........................................................................................17 Delete Custom Spam policy....................................................................................................... 18 Address Groups................................................................................................................................. 19 Create Address Groups ................................................................................................................. 19 Delete Address Groups.................................................................................................................. 20 Delete individual address from Group ........................................................................................... 20 Spam Rule......................................................................................................................................... 22 Create Spam rule........................................................................................................................... 22 Delete Spam Rule.......................................................................................................................... 23 Change Spam rule Order............................................................................................................... 23 Local Domains................................................................................................................................... 25 Add Domains ................................................................................................................................. 25 Delete Domains ............................................................................................................................. 25 Enable Scanning ............................................................................................................................... 26 General Configuration ....................................................................................................................... 27 Bypass Reporting .............................................................................................................................. 31 3
    • Cyberoam Anti Spam Implementation GuideTechnical Support You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address: Corporate Office eLitecore Technologies Ltd. 904, Silicon Tower Off C.G. Road Ahmedabad 380015 Gujarat, India. Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.elitecore.com Cyberoam contact: Technical support (Corporate Office): +91-79-26400707 Email: support@cyberoam.com Web site: www.cyberoam.com Visit www.cyberoam.com for the regional and latest contact information. 4
    • Cyberoam Anti Spam Implementation GuideTypographic Conventions Material in this manual is presented in text, screen displays, or command-line notation. Item Convention Example Server Machine where Cyberoam Software - Server component is installed Client Machine where Cyberoam Software - Client component is installed User The end user Username Username uniquely identifies the user of the system Part titles Bold and Report shaded font typefaces Topic titles Shaded font Introduction typefaces Subtitles Bold & Black typefaces Notation conventions Navigation link Bold typeface Group Management → Groups → Create it means, to open the required page click on Group management then on Groups and finally click Create tab Name of a Lowercase Enter policy name, replace policy name with the specific particular italic type name of a policy parameter / Or field / command Click Name to select where Name denotes command button button text text which is to be clicked Cross Hyperlink in refer to Customizing User database Clicking on the link will references different color open the particular topic Notes & points Bold typeface Note to remember between the black borders Prerequisites Bold typefaces Prerequisite between the Prerequisite details black borders 5
    • Cyberoam Anti Spam Implementation GuideOverview Welcome to Cyberoam’s – Anti Spam User guide. Cyberoam is an Identity-based UTM Appliance. Cyberoam’s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions. Cyberoam’s perfect blend of best-of-breed solutions includes User based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN. Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external world and still have firewall protection. Cyberoam Anti Spam as a part of unified solution along with Anti Virus and IPS (Intrusion Prevention System) provides real time virus and spam scanning. Anti Spam module is an add-on module which needs to be subscribed before use.Spam Spam refers to electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited e-mail. Spamming is to indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. In other words, it is an inappropriate attempt to use a mailing list, or other networked communications facility as a broadcast medium by sending the same message to a large number of people who did not ask for it. In addition to being a nuisance, it also eats up a lot of network bandwidth. Because the Internet is a public network, little can be done to prevent spam, just as it is impossible to prevent junk mail. However, the use of software filters in e-mail programs can be used to remove most spam sent through e-mail to certain extent. With the number of computer users growing and the exchange of information via the Internet and email increases in volume, spamming has become an almost everyday occurrence. Apart from network bandwidth, it also affects the employees productive as deletion of such mails is a huge task. Anti spam protection is therefore a priority for anyone who uses a computer. 6
    • Cyberoam Anti Spam Implementation GuideCyberoam Gateway Anti Spam Cyberoam Anti Spam as a part of unified solution along with Anti Virus and IPS (Intrusion Prevention System), provides real time virus scanning that protects all network nodes – workstations, files servers, mail system from known and unknown attacks by worms and viruses, Trojans, spyware, adware, spam, hackers and all other cyber threats. Cyberoam detects spam mails based on: • RBL (Realtime Blackhole List) for which Gateway Anti Spam module subscription is not required. But, by implementing only the RBL-based filtering might increase number of false- positives. It can be implemented by enabling “Sender IP address blacklisted by RBL” from Spam policy. • Mass distribution pattern using RPD (Recurrent Pattern Detection) technology for which Gateway Anti Spam module subscription is required. RPD technology responsible for proactively probing the Internet to gather information about massive spam outbreaks from the time they are launched. This technology is used to identify recurrent patterns that characterize massive spam outbreaks. Cyberoam Gateway Anti Spam provides you with powerful tools for scanning and detecting spam in the e-mail traffic. Cyberoam Gateway Anti Spam inspects all incoming emails - SMTP, POP3 and IMAP traffic - before the messages are delivered to the receivers mail box. If spam is detected, depending on the policy and rules set, emails are processed and delivered to the recipient unaltered, reject and generate a notification on the message rejection, add or change subject or change the receiver. Cyberoam Gateway Anti Spam is fully compatible with all the mail systems and therefore can be easily integrated into the existing network. Cyberoam Anti Spam allows to: • Scan email messages for spamming by protocols namely SMTP, POP3, IMAP • Monitors and proactively detect recurrent patterns in spam mails and combat multi-format – text, images, HTML etc. and multi-language threats • Monitors mails received from Domain/IP address • Detect spam mails using RBLs. If Anti Spam module is not subscribed, Cyberoam will detect spam mails based on RBL only and not on recurrent patterns in mails. • Accept/Reject messages based on message size and message header • Customize protection of incoming and outgoing e-mail messages by defining scan policies • Set different actions for SMTP, POP and IMAP spam mails • Quarantine SMTP mails and release quarantine mails • Configure action for individual email address • Notify receivers about spam messages • Configure Digest service to notify receivers about spam messagesConfiguration Configuration task for implementing spam solution: 1. Create Spam policy. Optionally use global or default policy provided by Cyberoam 7
    • Cyberoam Anti Spam Implementation Guide 2. Create Spam rule for the policy created in step 1 i.e. create spam rule and attach policy to the rule 3. Enable scanning from firewall ruleSpam Policy As soon as you register Cyberoam Gateway Anti-spam module, default spam policy is applicable to all the incoming email traffic. Default spam policy is the general policy and not fit-for-all policy and hence might allow certain spam mails while block certain required mails also. Fine tuning the policies means reducing the spam attacks and chances of loosing any important and required mails. Spam policy defines what action is to be taken if the mail is identified as a spam and to which email address the copy of mail is to be send. As network scanning rules control all the traffic passing through the Cyberoam and decide whether to scan or bypass mail, policy will be applied to that traffic only that is filtered by network scanning rule. To reduce the risk of losing the legitimate messages, Spam quarantine repository - a storage location, provides administrators a way to automatically quarantine messages that are identified as spam. This will help in managing spam and probable spam quarantined mails and can take appropriate actions on such mails.Types of Policies 1. Global Global policy is applicable to all the mail recipients i.e. Email address and Email address groups. Cyberoam provides blank corporate policy which can be customized as per the requirement. 2. Default Default policy is applicable to all the recipients i.e. Email address and Email address group except for those for whom the custom policy is defined. Default policy is applicable to all the recipients as soon as you register the Anti Spam module. 3. Custom/Personal Cyberoam allows defining custom policy for specific individual recipient or address group and is applicable to only to those specific individual recipient or address group and not all the recipients. Scanning rules defines which scanning policy is to be applied to which recipient email address i.e. maps scanning policy to the email address.Detection of spam attributes Cyberoam uses content filtering and three RBLs - Real time Black hole Lists – to check for the spam attributes as well as POP3/IMAP mails: • Message size • Message header • Premium RBL 8
    • Cyberoam Anti Spam Implementation Guide • Reliable RBL • Standard RBL RBL is a list of IP addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for spam relay. Cyberoam will check each RBL for the connecting IP address. If the IP address matches to the one on the list then the specified action in policy is taken.Actions Accept – Accepts and delivers the mail to the intended receiver. This action can be defined for both SMTP and POP/IMAP protocols. Reject – Rejects the mail. This action sends the notification message to sender. This action can be defined only for SMTP protocol. Drop – Drops the mail. This action does not send any notification message to sender. This action can be defined only for SMTP protocol. Change Recipient - Accepts the mail but delivers the mail to the specified receiver and not to the receiver for whom the mail was originally send. This action can be defined only for SMTP protocol only. Prefix Subject – Accepts and delivers the mail to the intended receiver but after changing the subject of the mail. You can customize the subject in such a way that the receiver knows that the mail is a spam mail. This action can be defined for both SMTP and POP/IMAP protocols. 9
    • Cyberoam Anti Spam Implementation GuideGlobal policy Cyberoam provides the blank global policy which can be customized as per your requirement. By default, global policy applies to all the users. There is no need to apply the global policy to the users using rules. Select Anti Spam Spam Policy Global policy to customize policy. Refer to Add advanced rules for more details. 10
    • Cyberoam Anti Spam Implementation GuideDefault policy As soon as you subscribe Cyberoam Gateway Anti Spam, default spam policy is applicable to the all incoming email traffic. Default spam policy is the general policy and not fit-for-all policy and hence might allow certain spam mails while block certain required mails also. Default policy can be customized as per your requirement. Default policy will be applied to those users only for whom custom/personal policy is not defined. As per your requirements, Cyberoam allows you to define multiple policies instead of single global policy. Fine tuning the policies means reducing the spam attacks and chances of loosing any important and required mails. Select Anti Spam Spam Policy Default policy to customize policy. Refer to Add advanced rules for more details. 11
    • Cyberoam Anti Spam Implementation GuideCustom policy Custom scan policy allows you to specify the spam filtering level security i.e. action severity based on your requirement.Create Custom Scan policy Select Anti Spam Spam policy Create Custom policy to open the create page Screen - Create Custom Spam policy Screen Elements Description Spam Policy details Name Specify policy name. Choose a name that best describes the policy Send copy to email Specify email addresses to which the mail copy is to be send. address If Cyberoam detects the spam mail then it sends the spam notification to the mail receiver. Cyberoam will forward such a mail to the receiver only if configured in the Spam policy. But in case you want Administrator or any other person in the organization to know about spam and receive this spam mail then specify all the emails address to whom you want to forward the copy of such mails. More than one address can be specified using comma For example john@hotmail.com,,joe@yahoo.com This option can be applied for SMTP protocol only Policy Description Specify full description of the policy Create button Creates the policy Cancel button Cancels the current operation Add button If the policy is successfully created, create advanced scanning rules to specify what action is to be taken on mail identified as SPAM after successful creation of the policy. Refer to Manage Custom Policy for more detail for defining actions. Table – Create Custom Spam policy screen elements 12
    • Cyberoam Anti Spam Implementation GuideManage Custom Spam policy Select Anti Spam Spam Policy Manage Custom policy to view the list of policies created. Click the policy to be modified. Screen – Manage Custom Spam policy Screen Elements Description Spam Policy details Name Displays policy name Send copy to email Displays email addresses to which the mail copy will be send, address modify if required. More than one address can be specified using comma For example john@hotmail.com,,joe@yahoo.com This option can be applied for SMTP protocol only. Policy Description Displays full description of the policy, modify if required Update button Updates and saves modifications done in any of the above fields Cancel button Cancels the current operation Advanced Rules Add button Click to define the action to be taken on mails if the matching condition is found. Refer Add Advanced Rules for details. Table – Manage Custom Spam policy screen elements 13
    • Cyberoam Anti Spam Implementation GuideAdd Advanced Rules Select Anti Spam Spam Policy Manage Custom policy to view the list of policies created. Click the policy to which action rules are to be added. Conditions • When Cyberoam Anti Spam identifies Mail as SPAM, Cyberoam accepts and delivers the mail to the intended receiver but only after adding a prefix ‘SPAM’ to the original subject of the mail. Original subject: ‘This is a test’ Receiver will receive the mail with subject line as: ‘SPAM: This is a test’ You can customize the subject in such a way that the receiver knows that the mail is a spam mail. To specify the contents to be prefixed to the existing subject line, select ‘Prefix Subject’ as action. You can set different actions for SMTP and POP. • When Cyberoam Anti Spam identifies Mail as PROBABLE SPAM, Cyberoam accepts and delivers the mail to the intended receiver but after adding a prefix ‘PROBABLE SPAM’ to the original subject of the mail. 14
    • Cyberoam Anti Spam Implementation Guide Original subject: ‘This is a test’ Receiver will receive the mail with subject line as: ‘PROBABLE SPAM: This is a test’ You can customize the subject in such a way that the receiver knows that the mail is a spam mail. To specify the contents to be prefixed to the existing subject line, select ‘Prefix Subject’ as action. You can set different actions for SMTP and POP.• When Cyberoam Anti Spam identifies Mail as VIRUS OUTBREAK, Cyberoam accepts and delivers the mail to the intended receiver but only after adding a prefix ‘SPAM’ to the original subject of the mail. Original subject: ‘This is a test’ Receiver will receive the mail with subject line as: ‘SPAM: This is a test’ You can customize the subject in such a way that the receiver knows that the mail is a spam mail. To specify the contents to be prefixed to the existing subject line, select ‘Prefix Subject’ as action. You can set different actions for SMTP and POP mails• When Cyberoam Anti Spam identifies Mail as PROBABLE VIRUS OUTBREAK, Cyberoam accepts and delivers the mail to the intended receiver but only after adding a prefix ‘SPAM’ to the original subject of the mail. Original subject: ‘This is a test’ Receiver will receive the mail with subject line as: ‘SPAM: This is a test’ You can customize the subject in such a way that the receiver knows that the mail is a spam mail. To specify the contents to be prefixed to the existing subject line, select ‘Prefix Subject’ as action. You can set different actions for SMTP and POP mails.• From Email Address/IP address – Specified action will be taken if the mail sender email or IP address matches the specified email address or IP address. You can set action for SMTP only.• From Email Address/IP address – Specified action will be taken if the mail sender email or IP address belongs to the specified email address or IP address group. You can set action for SMTP only.• Message Size - Specified action will be taken if the mail size matches the specified size. You can set different actions for SMTP and POP.• Message Header - Specified action will be taken if the message header contains the specified text. You can set different actions for SMTP and POP. You can scan message header for spam in: Subject – Specified action will be taken if the header contains the matching subject From - Specified action will be taken if the header contains the matching text in the From address. 15
    • Cyberoam Anti Spam Implementation Guide To - Specified action will be taken if the header contains the matching text in the To address. Others – Specified action will be taken if the matching text is found in the header • RBL - Specified action will be taken if the sender is listed in the specified RBL Group. You can set different actions for SMTP and POP mails.ActionsFollowing actions can be taken on the mail identified as the SPAM, Probable SPAM, VIRUSOUTBREAK or Probable VIRUS OUTBREAK Protocol Action Meaning SMTP Reject Mail is rejected and rejection notification is send to the mail sender SMTP Drop Mail is rejected but rejection notification is not send to the mail sender SMTP, Accept Mail is accepted and delivered to the intended receiver POP3 SMTP Change Mail is accepted but is not delivered to the receiver for whom Recipient the message was originally send. Mail is send to the receiver specified in the spam policy SMTP, Prefix Subject Mail is accepted and delivered to the intended receiver but POP3 after tagging the subject line. Tagging content is specified in spam policy. You can customize subject tagging in such a way that the receiver knows that the mail is a spam mail. For Example Contents to be prefixed to the original subject: ‘Spam notification from Cyberoam – ‘ Original subject: ‘This is a test’ Receiver will receive mail with subject line as: ‘Spam notification from Cyberoam - This is a test’ SMTP Quarantine Mail is quarantined and can be viewed or downloaded from the quarantine area. 16
    • Cyberoam Anti Spam Implementation GuideChange Advanced action rules Order Advanced action rules are ordered by their priority. When the rules are applied, they are processed from the top downwards and the first suitable rule found is applied. Hence, while adding multiple rules, it is necessary to put strict rules before moderate and general rules. Select Anti Spam Manage Custom policy to view the list of policies created. Click the policy whose action rule order is to be changed. Click the rule whose order is to be changed Click “Move Up” button to move the selected rule one-step up Click “Move Down” button to move the selected rule one-step down Click “Update Order” button to save the order 17
    • Cyberoam Anti Spam Implementation GuideDelete Custom Spam policy • Prerequisite • Not assigned any Rule Select Anti Spam Spam policy Manage Custom policy to view the list of policies created Screen – Delete Custom Spam policy Screen Elements Description Del checkbox Click against the policy to be deleted Select All checkbox Click to select all the policies for deletion Delete button Click to delete all the selected policies Table – Delete Custom Spam policy screen elements Note Default policy cannot be deleted. 18
    • Cyberoam Anti Spam Implementation GuideAddress Groups Scanning rule can be defined for individual or group of • Email address • IP address • RBL (Real time black hole List) Address group is the group of email addresses, IP addresses, or RBLs. Whenever the policy is applied to the address group, policy is applied to all the addresses included in the group. RBL is a list of IP addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for spam relay. This IP addresses might also be used for spreading virus. Cyberoam will check each RBL for the connecting IP address. If the IP address matches to the one on the list then the specified action in policy is taken.Create Address Groups Select Anti Spam Configuration Address Groups to open the Address group page. Click Create to open the create page. Screen – Create Email Address Group 19
    • Cyberoam Anti Spam Implementation Guide Screen Elements Description Address Group details Name Specify group name Group Specify group type. You can create group of RBLs, IP address or Email address. RBL is a list of IP addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for spam relay. Cyberoam will check each RBL for the connecting IP address. If the IP address matches to the one on the list then the specified action in policy is taken. Description Specify full description Create button Creates group and depending on the group type allows adding email address, IP addresses or RBL names Click “Add “ Type all the email addresses to be grouped specified by comma e.g. john@yahoo.com, joe@hotmail.com Cancel button Cancels the current operation Table – Create Email Address Group screen elementsDelete Address Groups Select Anti Spam Configuration Address Groups to view the list of groups created Screen – Delete Address Group Screen Elements Description Del checkbox Click against the address group to be deleted Select All checkbox Click to select all the address group(s) for deletion Delete button Click to delete all the selected address group(s) Table – Delete Address Group screen elementsDelete individual address from Group Select Anti Spam Configuration Address Groups to view the list of groups created. Click the group from which the address is to be deleted 20
    • Cyberoam Anti Spam Implementation Guide Screen – Delete Address from GroupScreen Elements DescriptionDel checkbox Click against the address to be deletedSelect All checkbox Click to select all the address (s) for deletionDelete button Click to delete all the selected address (s) Table – Delete Address from Group screen elements 21
    • Cyberoam Anti Spam Implementation GuideSpam Rule Scanning rules defines which scanning policy is to be applied to which recipient email address i.e. map scanning policy with the email address. A rule allows to apply: • single policy for a email address or group of addresses • multiple policies for a particular email address or group of addressesCreate Spam rule Prerequisite • Policy created • Address group created (if rule is for group) Select Anti Spam Spam Rules to open the create page Screen - Create Spam Rule Screen Elements Description Spam Rule Details Action Item Select whether the rule is for individual email address or group 22
    • Cyberoam Anti Spam Implementation Guide Screen Elements Description Recipient Email Specify recipient email address Address If the rule is for the complete domain the specify as @domainname If Action Item is e.g. @cyberoam.com “Recipient Email Address” Address Group Specify address group If Action Item is “Address Group” Policy Name Specify policy to be applied. According to the action specified in the policy, mails will be delivered as original or will be tagged and forwarded to the receiver. Add button Creates rule Cancel button Cancels the current operation Table – Create Spam Rule screen elementsDelete Spam Rule Select Anti Spam Spam Rules to view the list of rules created. Screen - Delete Spam Rule Screen Elements Description Del checkbox Click against the rule(s) to be deleted Select All checkbox Click to select all the rule(s) for deletion Delete button Click to delete all the selected rule(s) Table – Delete Spam Rule screen elementsChange Spam rule Order Rules are ordered by their priority. When the rules are applied, they are processed from the top downwards and the first suitable rule found is applied. Hence, while adding multiple rules, it is 23
    • Cyberoam Anti Spam Implementation Guidenecessary to put strict rules before moderate and general rules. Default policy order cannot bechanges.Select Anti Spam Spam RulesClick the rule whose order is to be changedClick “Move Up” button to move the selected rule one-step upClick “Move Down” button to move the selected rule one-step downClick “Update Order” button to save the order 24
    • Cyberoam Anti Spam Implementation GuideLocal Domains Cyberoam also allows bypassing RBL scanning of mails for certain domains. To bypass RBL scanning of certain domains, define such domains as trusted domainsAdd Domains Select Anti Spam Configuration Local Domains, type Domain name or IP address and click “Add” button. Cyberoam will not perform RBL-based scanning for the mails from the configured domains.Delete Domains Select Anti Spam Configuration Local Domain to view the list of domains that will be bypassed from RBL scanning Screen Elements Description Del checkbox Click against the domain to be deleted Select All checkbox Click to select all the domain(s) for deletion Delete button Click to delete all the selected domain(s) 25
    • Cyberoam Anti Spam Implementation GuideEnable Scanning Enable anti-spam scanning using firewall rules. While anti-spam settings can be configured for system-wide use, they can also be implemented with specific settings on a per user basis. Refer to Cyberoam User Guide, Firewall section for creating firewall rules for enabling the anti-spam scanning. You can enable anti spam scanning by creating firewall rule for: • Zone • User/User Group • Host/Host Group By enabling scanning through firewall, you can customize levels of protection. For example, while traffic between LAN and WAN might need strict protection, traffic between trusted internal addresses might need moderate protection. Hence you can enable/disable scanning for particular combination of source and destination IP address or domain. 26
    • Cyberoam Anti Spam Implementation GuideGeneral Configuration Select Anti Spam Configuration General Configuration to open the configuration page • If Anti spam module is not subscribed configuration page will display the message that module is not subscribed and Cyberoam will not detect spam mails 27
    • Cyberoam Anti Spam Implementation GuideScreen Elements DescriptionAnti Spam Engine informationAnti Spam Engine Anti Spam Engine statusInformation - Anti Spam server is down - Anti Spam server is up Cyberoam Anti Spam Center connectivity status - Cyberoam is not connected and will not be able to detect spam mails - Cyberoam is connected with Cyberoam Anti Spam Center’s server Cyberoam Anti spam definition database contains currently identified spam signatures/definitions which are used for identifying spam mails. By default, database updates are automatically downloaded and installed on your computer every 30 minutes.SettingsBypass Spam check for Click “Bypass Spam check for SMTP authenticated Connections”SMTP authenticated checkbox to enforce RBL and RPD based spam checking. IfConnections enabled, SMTP authenticated connections are bypassed from RBL and RPD based spam checking. By default, it is enabled.Verify Sender’s IP Enable IP reputation, if you want to verify the reputation of thereputation sender IP address. Cyberoam dynamically checks the sender IP address and denies SMTP connection if IP address is found to be responsible for sending spam mails or malicious contents. If both “Bypass Spam check for SMTP authenticated Connections” and “Verify Sender’s IP reputation” are enabled, for the authenticated connections, spam scanning based on RBL and RPD will be given the precedence. Feature will be available only on purchase of new license of Gateway Anti Spam module.SMTP Mails greater Specify maximum file size (in KB) for scanning.than size Files exceeding this size received through SMTP will not be scanned.Over Sized Mail Action Specify the action to be taken on oversize mails. Available option Accept - All the oversize mails will be forwarded to the recipient without scanning Reject – All the oversized mails are rejected and notification message is send to the mail sender. Drop – All the oversized mails are dropped. By default, files exceeding 50 MB will not be scanned. 28
    • Cyberoam Anti Spam Implementation Guide Screen Elements Description POP3/IMAP Mails Specify maximum size (in KB) of the file to be scanned. Files greater than size exceeding this size received through POP/IMAP will not be scanned and forwarded to the recipient without scanning. By default, files exceeding 10 MB will not be scanned. Quarantine Area Total Utilization ( Anti Displays percentage of quarantined spam and virus infected Virus + Anti Spam ) messages. Click to search or download any quarantined mail. Quarantined mails can be searched based on sender email address, receiver email address, and subject. Cyberoam reserves 5GB for Quarantine area. To maintain the total size of Quarantine area, Cyberoam removes older mails once the repository is filled by 80% i.e. once the repository level crosses 4GB, Cyberoam automatically deletes the oldest quarantined mails. Cyberoam stores Quarantined mail in Quarantine area (repository) and Log area. Log area is purged as per the days configured in the Auto Purge utility while Quarantine area is purged once the repository is filled by 80%. Due to this, there are chances of utilization of Quarantine area but no quarantined mails are available to download when you click Quarantine area. Cyberoam recommends to download the quarantine mails before they are purged from the Log area. Check the purge configuration from System>Manage Data>Configure Auto Purge Utility page Update button Click to save the configuration Header to detect recipient for POP3/IMAP Click Add to specify header which should be used for detecting the recipient’s address. By default, Cyberoam uses Delivered-To and Received headers. Default headers cannot be deletedSpam Digest Spam digest is an email and contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area. If configured, Cyberoam mails the spam digest as per the configured frequency to the user. Digest provides a link of User My Account from where user can access his quarantined messages and take the required action. • Configure Digest service • Release Quarantined Spam mailConfigure Digest Service Digest service can be configured globally for all the users or for individual users. Cyberoam mails the spam digest as per the configured frequency to the user. 29
    • Cyberoam Anti Spam Implementation GuideThe Spam Digest provides following information for each quarantined message:• Date and time: Date and time when message was received• Sender: Email address of the sender• Recipient: Email address of the receiver• Subject: Subject of the messageSelect Anti Spam Spam Quarantine Spam Digest Settings to open the digestconfiguration pageScreen Elements DescriptionSpam Quarantine Digest SettingsEnable Spam Click to enable digest service for all the usersQuarantine DigestEmail Frequency Configure spam digest mail frequency. Digest can be mailed every hour, every day at configured time or every week on the configured day and time.Send Test Spam Digest Click and specify the email address to send the test spam digestbutton mailFrom email Address Specify mail address from which the mail should be send. Digest mail will be send from the configured mail address.Display Name Specify mail sender name. Digest mail will be send with the configured name.Reference “MyAccount” Select Interface/Port IP from the ‘Reference “MyAccount” IP’IP dropdown list. User My Account link in Digest mail will point to this IP address. User can click the link to access his quarantined messages and take the required action. The users not falling under the specified Interface will have to access the quarantine mail directly from their MyAccount. 30
    • Cyberoam Anti Spam Implementation Guide Screen Elements Description Allow Override Click “Allow user to override digest setting”, if you want each user to override the digest setting i.e. user can disable the digest service so that they do not receive the spam digest. Apply button Click to save the configuration Change User’s Spam Click to change the digest setting of the individual user. It opens a Digest Settings button new page which allows selecting group and updating the spam digest setting of group members.Release Quarantined Spam mail Either Administrator or user himself can release the quarantined spam mails. Administrator can release the quarantined spam mails from Quarantine area while user can release from his My Account. Released quarantined spam mails are delivered to the intended recipient’s inbox. Administrator can access Spam Quarantine area from Anti Spam > Configuration > General Configuration while user can logon to My Account and access Spam Quarantine area from Quarantine Mails > Spam > Spam Quarantine area. If Spam Digest is configured, user will be mailed Digest which consists of all the quarantined spam mails.Bypass Reporting By default, Cyberoam Anti Spam generates reports for all the Internal Domains and Email Ids. To bypass reporting of certain domains and email ids, Administrator has to create an Exclusion domain list and email id list. All the domains and email ids included in the exclusion list will not be included in the Anti Spam reports. To define the exclusion list, select Reports Configure Local Domains or select Reports Configure Bypass Email Ids 31