search cancel

Reputation filtering guide for Messaging Gateway

book

Article ID: 150859

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

Symantec Messaging Gateway (SMG) provides a number of reputation-based message filtering features intended to identify and limit mail acceptance from bad sources or to exempt known good senders from some message filtering services.

The major categories of Reputation filtering are:

  • Bad Senders
  • Connection Classification
  • Good Senders

Unless otherwise specified, Reputation filtering is applied to Inbound email traffic only.

Resolution

Bad Senders

Identifying bad senders occurs based on a number of features including local static lists of sender domains and email addresses, local lists of bad IP addresses and networks, the Symantec Global Bad Sender blacklist, optional third party bad sender or blacklists, directory harvest attack detection, and virus attack detection.

Local Bad Sender Domains

The Local Bad Sender Domains list allows customers to configure lists of sending domains and email addresses that are not allowed to deliver messages to SMG. The Local Bad Sender Domains list can be configured with any combination of individual email addresses such as [email protected] or entire domains such as bad-domain.net. Wildcard characters can be used in the local part of an email address but cannot be used in the domain part of email addresses. For example:

Example Sample Matches
 example.com  [email protected], [email protected], [email protected], [email protected]
 *.example.com   server1.example.com, server2.example.com (but not example.com)
 example*.com  example1.com, example2.com
 [email protected]    [email protected]
 john*@example.net  [email protected], [email protected]
 [email protected]  [email protected], [email protected]

Entries in the Local Bad Sender Domains list are compared against both the SMTP envelope sender and against the message From: header.

The default action for messages with the Local Bad Sender Domain verdict is to delete the message.

Local Bad Sender IPs

SMG can take action against messages based on the connecting or logical IP via the Local Bad Sender IP list. The list can contain IPv4 addresses, IPv6 addresses, and network blocks in CIDR notation. Network mask is also accepted, but entries with network masks for non-contiguous sets of addresses (example: 69.84.35.0/255.0.255.0) are rejected.

Logical IPs vs Connecting IPs

The connecting IP is defined as the remote IP address of the SMTP network connection. In the event that the connecting IP address is configured as an Internal Mail Host via the Administration > Configuration > host > Internal Mail Hosts table, the message is accepted by the firewall and the first non-Internal Mail Host IP in the Received headers is considered the Logical IP as that is the first IP in the route that is not internal to the SMG network. By default, all private IP networks are considered to be internal.

The default behavior for the Local Bad IP List is to reject the network connection for Connecting IPs on the list and to delete the message for Logical IPs on the list.

Third Party Bad Senders

SMG can be configured to consult third-party DNS-based bad sender lists. This is generally not recommended unless you have confirmed the quality of the third party list. Symantec is unable to resolve any false positives resulting from the use of third-party lists.

To configure a third party DNS list, add the list domain to the Third Party Bad Senders list i.e. rbl.example.com.

The default behavior for the Third Party Bad Senders list is to reject the SMTP connection.

Symantec Global Bad Senders

Symantec maintains a vetted DNS reputation list based on reputation data generated from the Symantec Global Intelligence Network. This list cannot be modified apart from enabling or disabling the feature and setting the Action to be taken.

The default action for the Symantec Global Bad Senders list is to reject the SMTP connection.

If you believe that the Symantec Global Bad Senders list is generating false positives, please submit the connecting IP for the rejected connection to http://ipremoval.sms.symantec.com/lookup/ for review. The sending history of the IP is reviewed, and its status may be changed.

Directory Harvest Attack

If the Recipient Validation feature has been configured, the Directory Harvest Attack (DHA) feature can temporarily defer SMTP connections from IP addresses that attempt delivery to too many invalid recipients over a configurable period of time.

If enabled, a connecting IP that attempts delivery to too many invalid recipients is placed in a "penalty box" and all connection attempts by that IP is deferred for 60 minutes.

The default action for DHA is to temporarily defer connections. This feature is not enabled by default.

Email Virus Attacks

If a connecting IP sends too many virus-infected messages in too short a time, the IP is placed in a penalty box similar to that of the DHA feature and connections from that IP is deferred for three hours.

The default action for Virus Attacks is to temporarily defer connections. This feature is not enabled by default.

Connection Classification

The Connection Classification feature allows SMG to generate local IP reputation for connecting IPs based on the history and quality of messages delivered from that IP. An IP that sends too many spam messages is moved to connection classes that have increasingly restrictive limits on the number of connections and messages accepted from the IP. Similarly, IPs that send few or no spam messages is moved to increasingly permissive connection classes, and has their connection and message limits increased from the default values.

IP reputation is accumulated independently on every SMG scanner. Reputation is not shared between scanners.

Connection Classification is a complex feature both in its operation and configuration and it is not recommended that the connection classes be modified unless Symantec Customer Support is consulted. The default connection class configuration is tuned to provided maximum benefit while limiting message acceptance from low-quality sources.

  • Maximum Connections - This is the total number of simultaneous connections allowed for all IPs in a particular connection class. This is expressed as a percentage of the maximum number of SMTP connections allowed (default 2000). For example, connection class 5 is allowed 200 simultaneous connections for all IPs in that connection class, SMG defers connections from IPs in class 5 when that 200 connection limit is reached.
  • Maximum Connections per IP - This is the maximum number of simultaneous SMTP connections an IP address in the connection class can make. Connections above this limit are deferred. This overrides the default limit of 40 connections per IP.
  • Messages per Connection - The total number of messages (not recipients) allowed over a single SMTP connection. Limits on the maximum number of recipients per message are still applied.
  • Reconnect Timeout - How long an IP must wait after disconnecting or having a connection deferred before it is allowed to connect again. Some mail servers attempt a fast reconnect when a connection is deferred which can result in a large number of deferrals in a short period of time.
  • Deferred Messages - This is the probability that a connection is immediately deferred out of hand. The higher quality connection classes are never arbitrarily deferred but IPs low-quality connection classes may have a connection attempt summarily deferred based solely by chance. This is not an upper limit on the number of connection attempts that are deferred. Connection Classification defers connections from any source that has exceeded the resources of its assigned class.

You can reset the local reputation or connection class for an IP via the Reputation > IP Reputation Lookup page.

Good Senders

SMG treats mail coming from Good Sender sources a legitimate and does not apply spam verdicts to messages from those sources. Messages are still scanned for content violations, malware, and threats.

Local Good Sender Domains

This list allows administrators to configure lists of domains and email addresses which should be exempted from spam and newsletter verdicts. Entries in the Local Good Sender Domains list are formatted in the same way as entries in the Local Bad Sender Domains list.

The default action for this group is to deliver the message normally.

Local Good Sender IPs

This list allows administrators to configure trusted IP addresses and network as sources which are exempted from spam and newsletter verdicts. Messages from sources in the Local Good Sender IP list are also locked into Connection Class 1. Entries in the Local Good Sender IP List are formatted in the same way as entries in the Local Bad Sender IP List.

The default action for this group is to deliver messages normally.

Third Party Good Senders

SMG can be configured to consult third-party DNS-based good sender lists. This is generally not recommended unless you have confirmed the quality of the third party list.

Symantec Global Good Senders

Symantec maintains a vetted list of trusted senders which can be exempted from spam and newsletter scanning.

Fastpass

The Fastpass feature allows SMG to exempt some fraction of messages from high reputation sources from spam scanning in order to improve performance. Once a source delivers a configurable number of legitimate messages, there is a chance that the source is briefly treated as trusted and messages not scanned for spam or newsletter content.

Messages which receive a Fastpass verdict are still scanned for malware, threats, and content violations.