Symantec Messaging Gateway (SMG) provides a number of reputation-based message filtering features intended to identify and limit mail acceptance from bad sources or to exempt known good senders from some message filtering services.
The major categories of Reputation filtering are:
Unless otherwise specified, Reputation filtering is applied to Inbound email traffic only.
Bad senders are identified using a number of features, including local static lists of sender domains and email addresses, local lists of bad IP addresses and networks, the Symantec Global Bad Sender blacklist, optional third-party bad sender lists or blacklists, directory harvest attack detection, and virus attack detection.
The Local Bad Sender Domains list allows customers to configure lists of sending domains and email addresses that are not allowed to deliver messages to SMG. The Local Bad Sender Domains list can be configured with any combination of individual email addresses such as [email protected] or entire domains such as bad-domain.net. Wildcard characters can be used in the local part of an email address but cannot be used in the domain part of email addresses. For example:
Example | Sample Matches |
---|---|
example.com | [email protected], [email protected], [email protected], [email protected] |
*.example.com | server1.example.com, server2.example.com (but not example.com) |
example*.com | example1.com, example2.com |
[email protected] | [email protected] |
john*@example.net | [email protected], [email protected] |
[email protected] | [email protected], [email protected] |
Entries in the Local Bad Sender Domains list are compared against both the SMTP envelope sender and against the message From: header.
The default action for messages with the Local Bad Sender Domain verdict is to delete the message.
SMG can take action against messages based on the connecting or logical IP via the Local Bad Sender IP list. The list can contain IPv4 addresses, IPv6 addresses, and network blocks in CIDR notation. Network masks are also accepted, but entries with network masks for non-contiguous sets of addresses (example: 69.84.35.0/255.0.255.0) are rejected.
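A pre-import check for candidate Local Bad Sender IP entries, written as an added example (not Symantec code). The function names and the choice to normalize host bits are assumptions of this sketch; it applies the contiguous-mask rule described above.

```python
import ipaddress


def contiguous_mask(mask):
    """True if the dotted IPv4 mask is 1-bits followed only by 0-bits."""
    host_bits = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    # A valid mask inverts to 2**k - 1, and x & (x + 1) == 0 only for such x.
    return host_bits & (host_bits + 1) == 0


def check_entry(entry):
    """Return (accepted, normalized entry or rejection reason)."""
    entry = entry.strip()
    _, _, suffix = entry.partition("/")
    try:
        if "." in suffix and not contiguous_mask(suffix):
            return False, "not a contiguous network mask"
        # Assumption: host bits are normalized away rather than rejected.
        return True, str(ipaddress.ip_network(entry, strict=False))
    except ValueError as exc:
        return False, str(exc)


def audit(entries):
    """Split a candidate list into accepted networks and rejected entries."""
    accepted, rejected = [], {}
    for entry in entries:
        ok, detail = check_entry(entry)
        if ok:
            accepted.append(detail)
        else:
            rejected[entry] = detail
    return accepted, rejected


# Constructed sample list; the second entry is the page's rejected example.
SAMPLE = ["69.84.35.0/255.255.255.0", "69.84.35.0/255.0.255.0",
          "2001:db8::/32", "192.0.2.7", "10.0.0.0/0.0.0.255"]
```

Python's `ipaddress` module on its own reads `0.0.0.255` as a host mask meaning /24, which is why the mask is checked explicitly before parsing.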
Logical IPs vs Connecting IPs
The connecting IP is defined as the remote IP address of the SMTP network connection. If the connecting IP address is configured as an Internal Mail Host via the Administration > Configuration > host > Internal Mail Hosts table, the message is accepted by the firewall. The first non-Internal Mail Host IP in the Received headers is then considered the Logical IP, as that is the first IP in the route that is not internal to the SMG network. By default, all private IP networks are considered to be internal.
The default behavior for the Local Bad IP List is to reject the network connection for Connecting IPs on the list and to delete the message for Logical IPs on the list.
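The connecting/logical distinction and the default Bad IP actions above, modelled as an added example (not Symantec code). It assumes private networks means the RFC 1918 ranges and that each hop's address is the bracketed literal in its Received header; all names are hypothetical.

```python
import ipaddress
import re

# Assumption: "private IP networks" are modelled as the RFC 1918 ranges.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: each hop's address is the bracketed literal in its Received header.
HOP_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def in_any(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)


def evaluated_ip(connecting_ip, received, internal_hosts=()):
    """Return ('connecting' | 'logical', address) for one message.

    `received` holds the Received headers in message order, newest hop first.
    """
    internal = PRIVATE + [ipaddress.ip_network(h) for h in internal_hosts]
    conn = ipaddress.ip_address(connecting_ip)
    if not in_any(conn, internal):
        return "connecting", conn
    for header in received:
        for literal in HOP_IP.findall(header):
            try:
                hop = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an IP literal
            if not in_any(hop, internal):
                return "logical", hop
    return "logical", None  # every recorded hop was internal


def bad_ip_action(connecting_ip, received, bad_ips, internal_hosts=()):
    """Default Local Bad Sender IP outcome for the evaluated address."""
    kind, ip = evaluated_ip(connecting_ip, received, internal_hosts)
    bad = [ipaddress.ip_network(b, strict=False) for b in bad_ips]
    if ip is None or not in_any(ip, bad):
        return "accept"
    return "reject connection" if kind == "connecting" else "delete message"


# Constructed sample: internal relay 10.0.0.5 forwards mail from 203.0.113.77.
SAMPLE_RECEIVED = [
    "from relay.corp.example ([10.0.0.5]) by smg.corp.example; Mon, 1 Jan 2024 10:00:02 +0000",
    "from mail.sender.example ([203.0.113.77]) by relay.corp.example; Mon, 1 Jan 2024 10:00:01 +0000",
]
```

In this model, a bad address that arrives behind an internal relay can only have its message deleted, because the SMTP connection being evaluated belongs to the relay.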
SMG can be configured to consult third-party DNS-based bad sender lists. This is generally not recommended unless you have confirmed the quality of the third-party list. Symantec is unable to resolve any false positives resulting from the use of third-party lists.
To configure a third-party DNS list, add the list domain (for example, rbl.example.com) to the Third Party Bad Senders list.
The default behavior for the Third Party Bad Senders list is to reject the SMTP connection.
Symantec maintains a vetted DNS reputation list based on reputation data generated from the Symantec Global Intelligence Network. This list cannot be modified apart from enabling or disabling the feature and setting the Action to be taken.
The default action for the Symantec Global Bad Senders list is to reject the SMTP connection.
If you believe that the Symantec Global Bad Senders list is generating false positives, please submit the connecting IP for the rejected connection to https://ipremoval.sms.symantec.com/ for review. The sending history of the IP is reviewed, and its status may be changed.
If the Recipient Validation feature has been configured, the Directory Harvest Attack (DHA) feature can temporarily defer SMTP connections from IP addresses that attempt delivery to too many invalid recipients over a configurable period of time.
If enabled, a connecting IP that attempts delivery to too many invalid recipients is placed in a "penalty box" and all connection attempts by that IP are deferred for 60 minutes.
The default action for DHA is to temporarily defer connections. This feature is not enabled by default.
If a connecting IP sends too many virus-infected messages in too short a time, the IP is placed in a penalty box similar to that of the DHA feature and connections from that IP are deferred for three hours.
The default action for Virus Attacks is to temporarily defer connections. This feature is not enabled by default.
The Connection Classification feature allows SMG to generate local IP reputation for connecting IPs based on the history and quality of messages delivered from that IP. An IP that sends too many spam messages is moved to connection classes that have increasingly restrictive limits on the number of connections and messages accepted from the IP. Similarly, IPs that send few or no spam messages are moved to increasingly permissive connection classes, and have their connection and message limits increased from the default values.
IP reputation is accumulated independently on every SMG scanner. Reputation is not shared between scanners.
Connection Classification is a complex feature both in its operation and configuration, and it is not recommended that the connection classes be modified unless Symantec Customer Support is consulted. The default connection class configuration is tuned to provide maximum benefit while limiting message acceptance from low-quality sources.
You can reset the local reputation or connection class for an IP via the Reputation > IP Reputation Lookup page.
SMG treats mail coming from Good Sender sources as legitimate and does not apply spam verdicts to messages from those sources. Messages are still scanned for content violations, malware, and threats.
This list allows administrators to configure lists of domains and email addresses which should be exempted from spam and newsletter verdicts. Entries in the Local Good Sender Domains list are formatted in the same way as entries in the Local Bad Sender Domains list.
The default action for this group is to deliver the message normally.
This list allows administrators to configure trusted IP addresses and networks as sources which are exempted from spam and newsletter verdicts. Messages from sources in the Local Good Sender IP list are also locked into Connection Class 1. Entries in the Local Good Sender IP List are formatted in the same way as entries in the Local Bad Sender IP List.
The default action for this group is to deliver messages normally.
SMG can be configured to consult third-party DNS-based good sender lists. This is generally not recommended unless you have confirmed the quality of the third-party list.
Symantec maintains a vetted list of trusted senders which can be exempted from spam and newsletter scanning.
The Fastpass feature allows SMG to exempt some fraction of messages from high-reputation sources from spam scanning in order to improve performance. Once a source delivers a configurable number of legitimate messages, there is a chance that the source is briefly treated as trusted and its messages are not scanned for spam or newsletter content.
Messages which receive a Fastpass verdict are still scanned for malware, threats, and content violations.