If a query to a DNSBL server times out then NetDefendOS will consider that the query has failed
and the weight given to that server will be automatically subtracted from both the spam and
drop thresholds for the scoring calculation done for that email.
If enough DNSBL servers fail to respond, this subtraction can make the threshold values
negative. Because the scoring calculation always produces a value of zero or greater (servers
cannot have negative weights), all email will be allowed through if both the Spam and Drop
thresholds become negative.
A log message is generated whenever a configured DNSBL server does not respond within the
required time. This is done only once at the beginning of a consecutive sequence of response
failures from a single server to avoid unnecessarily repeating the message.
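The threshold adjustment described above can be modelled as follows. This Python model is an added example, not NetDefendOS code; the server names, weights and threshold values are constructed, and treating a threshold at or below zero as unable to trigger is an assumption made to match the stated behaviour that all email is then allowed through.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dnsbl:
    name: str    # constructed server name, not a real DNSBL
    weight: int  # weight configured for this server

# Constructed configuration for illustration only.
SERVERS = [Dnsbl("bl-a.example", 3), Dnsbl("bl-b.example", 3), Dnsbl("bl-c.example", 2)]
SPAM_THRESHOLD = 3
DROP_THRESHOLD = 5

def evaluate(results, servers=SERVERS, spam=SPAM_THRESHOLD, drop=DROP_THRESHOLD):
    """Score one email against the configured DNSBL servers.

    results maps server name -> True (listed), False (not listed) or
    None (query timed out); a missing name is treated as a timeout.
    Returns (verdict, score, effective_spam, effective_drop).
    """
    score = 0
    for s in servers:
        answer = results.get(s.name)
        if answer is None:
            # Timed-out query: the weight is subtracted from both thresholds.
            spam -= s.weight
            drop -= s.weight
        elif answer:
            score += s.weight
    # Assumption: a threshold at or below zero can no longer trigger,
    # matching the statement that all email is then allowed through.
    if drop > 0 and score >= drop:
        verdict = "drop"
    elif spam > 0 and score >= spam:
        verdict = "tag"
    else:
        verdict = "allow"
    return verdict, score, spam, drop

def fails_open(timed_out, servers=SERVERS, spam=SPAM_THRESHOLD, drop=DROP_THRESHOLD):
    """True if this set of unresponsive servers leaves no threshold able to trigger."""
    lost = sum(s.weight for s in servers if s.name in timed_out)
    return spam - lost <= 0 and drop - lost <= 0
```

With this configuration, one unresponsive low-weight server lowers both thresholds so that a single remaining listing is enough to drop the email, while losing the two heavier servers makes both thresholds negative and every email is allowed. Running fails_open over the combinations of servers in a planned configuration shows how many timeouts it tolerates before reaching that state.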
Verifying the Sender Email
As part of the anti-spam module, the option exists to check for a mismatch between the "From"
address in the SMTP protocol command and the "From" address in the actual email header.
Spammers can deliberately make these different to get email past filters, so this feature provides
an extra check on email integrity.
If a mismatch is detected, one of two actions can be configured:
• Drop the email.
• Allow the email to pass but tag it using the configured spam tag.
When sender address verification is enabled, there is an additional option to only compare the
domain names in the "From" addresses.
Logging
There are three types of logging performed by the spam filtering in the ALG:
• Logging of dropped or spam-tagged emails - These log messages include the source email
address and IP as well as the email's weighted points score and which DNSBLs caused the event.
• DNSBLs not responding - DNSBL query timeouts are logged.
• All defined DNSBLs stop responding - This is a high severity event since all email will be
allowed through if this happens.
Setup Summary
To set up DNSBL spam filtering in the SMTP ALG, the following list summarizes the steps:
• Specify the DNSBL servers that are to be used. There can be one or multiple. Multiple servers
can act both as backups to each other as well as confirmation of a sender's status.
• Specify a weight for each server which will determine how important it is in deciding if email
is spam or not in the calculation of a weighted sum.
• Specify the thresholds for designating any email as spam. If the weighted sum is equal to or
greater than these then an email will be considered to be spam. Two thresholds are specified:
i. Spam Threshold - The threshold for tagging mail as spam.
ii. Drop Threshold - The threshold for dropping mail.
The Spam Threshold should be less than the Drop Threshold. If the two are equal then only the
Chapter 6: Security Mechanisms