Overview of AntiSpam detection settings and actions

Article ID: 178323

Products

Email Security.cloud

Resolution

This guide will help you define which detection methods to use for the AntiSpam service.

You can associate a specific action with the spam emails that each detection method detects. The detection settings can be applied at global level, domain level, or group level, so you can use specific detection methods and actions for a particular domain or group.

The available detection settings are described in the following table.

Table: Email AntiSpam detection settings (detection method, followed by its description)
Approved senders list

You can define a list of IP addresses, domains, or email addresses that are approved senders. Emails that are received from these senders are not identified as spam. You can also use the approved senders list to ensure that wanted email newsletters go through the AntiSpam service without interruption.

Spoofed Sender Protection (SPF)

SPF (Sender Policy Framework) detects sender spoofing, blocking phishing attempts in which domain spoofing is commonplace. Some organizations publish an SPF record in their DNS. The SPF record authorizes sending hosts for their domains. The recipient verifies the email sender against the authorized hosts. If verification fails, the sender address is spoofed and the email should not be trusted.

When you use SPF spam detection for a domain, inbound email to your domain is verified against the SPF policy of the reported sender. If the reported sender publishes a hard-fail SPF policy and the inbound email fails SPF verification, the email is blocked and deleted. The block and delete action enforces the sender's hard-fail policy, which instructs recipients not to accept emails that do not come from the sender's authorized hosts. A 5xx error is returned to the sender. Other types of SPF policy, for example soft-fail, are ignored.

You can enable spoofed sender detection for all of your domains or for individual domains. You cannot enable it for individual groups or users.

http://www.symantec.com/docs/HOWTO101611

Spoofed Sender Protection (DMARC)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps thwart phishing attempts that can lead to security breaches by detecting email sender spoofing. DMARC standardizes how email recipients perform SPF and DKIM email authentication. Organizations publish a DMARC policy that indicates that their emails are protected by SPF, DKIM, or both. The DMARC policy tells a recipient what to do if neither of these authentication methods passes.

When you enable DMARC for a domain, inbound email to that domain is verified against the DMARC policy of the reported sender. If DMARC authentication passes, then the message is delivered normally. If DMARC authentication fails, then the message is quarantined or rejected, according to the email sender's policy. If quarantine is not enabled, then message subject lines can be modified to notify recipients that DMARC authentication has failed.

You can enable spoofed sender detection for all of your domains or for individual domains. You cannot enable it for individual groups or users.

http://www.symantec.com/docs/HOWTO124382

Custom blocked senders list

You can define a list of IP addresses, domains, or email addresses that you recognize as sources of spam or other unwanted email.

Dynamic IP block list

The AntiSpam service can detect email from globally known sources of spam. Companies and individuals in the dynamic public block list have demonstrated patterns of junk emailing. The block list is a recognized public block list of IP addresses.

See Using the dynamic IP block list.

Signaturing system

A signature is a unique string that defines a specific spam email. This string is used to detect further instances of the email. The signaturing system uses proprietary and commercially available signature-building engines to create a vast knowledge base of spam message samples that are currently in email circulation. The signaturing system enables exact matching of spam, and reduces the chances that the scanner stops genuine business emails. In addition, the signaturing system speeds up both the spam identification process and the message handling process.

Skeptic™ heuristic engine

Skeptic™ uses artificial intelligence to create an ever-expanding knowledge base to identify spam. The heuristics method scores each email against a set of rules. If an email achieves more than a specified score, it is immediately identified as spam.

Newsletters can be a burden for organizations. The AntiSpam service distinguishes spam from newsletters. To block unwanted newsletters, you must have the Skeptic™ heuristic detection setting enabled.

See Enabling predictive (heuristic) spam detection.
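The following is an added illustration of the SPF and DMARC rows above, not code from Email Security.cloud: a minimal SPF evaluator (ip4/ip6 mechanisms and the "all" catch-all only), the page's SPF rule that enforces only a sender's hard-fail policy, and the DMARC disposition that follows the sender's p= policy, falling back to subject tagging when quarantine is not enabled. The DNS records are constructed stand-ins for real lookups, and identifier alignment between SPF/DKIM and the From domain is assumed.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups (assumption, not live DNS).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",      # publishes a hard-fail policy
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",     # publishes a soft-fail policy
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.example.net": "v=DMARC1; p=quarantine",
}
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the connecting host against the domain's SPF record.
    Only ip4/ip6 mechanisms and the 'all' catch-all are supported (subset of RFC 7208)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                       # sender publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                        # nothing matched and no 'all' term


def spf_action(spf_result):
    """The page's SPF rule: block and delete only on a hard fail; soft-fail and others are ignored."""
    return "block_and_delete" if spf_result == "fail" else "deliver"


def dmarc_disposition(from_domain, spf_result, dkim_pass, quarantine_enabled):
    """Apply the sender's DMARC policy (assumes SPF/DKIM identifiers align with from_domain)."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return "deliver"                    # sender publishes no DMARC policy
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if spf_result == "pass" or dkim_pass:
        return "deliver"                    # DMARC passes when either aligned method passes
    policy = tags.get("p", "none")
    if policy == "reject":
        return "reject"                     # 5xx returned to the sender
    if policy == "quarantine":
        return "quarantine" if quarantine_enabled else "tag_subject"
    return "deliver"                        # p=none: monitor only, deliver normally
```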

For each spam detection method, define an action for the spam emails that are detected. The available actions are described here.

Table: Actions for detected emails (action, followed by its description)

Append a header but allow the email through

The Append a header… actions add a string to the email header. The format for the string is:

X-Spam-Flag:YES

This string identifies the email as spam and enables further action when it enters your email system or your users' email client. For example, you can divert the email into a folder that you have set up to receive spam.

The detected email is delivered to the recipient's email inbox.

Append a header and redirect the email to a bulk mail address

The string is added to the header as described above.

The detected email does not reach the intended recipient. The email is redirected to the email address that you specify for bulk email.

Block and delete the email

The detected email is not sent to the intended recipient's email inbox. The email is deleted.

Tag the subject line but allow the email through

The Tag the subject line… action adds some text that you define to the email's subject line.

The detected email is delivered to the recipient's email inbox.

Note:

When you first configure AntiSpam, it is useful to specify a bulk email address to see that spam is trapped as expected.

Quarantine the email

The detected email is not delivered to the recipient's email inbox.

The email is quarantined. Depending on your Spam Manager settings, the recipient may be notified that they have received spam. They may have the option to view it and release it to their inbox.

If your organization's AntiSpam service configuration does not include Spam Quarantine, the quarantine option is not available.

The risk that AntiSpam may stop genuine business emails (false positives) is minimal. See the section in your contract that states the false-positive rates for spam. We recommend that you select "Block and delete the email" for the signaturing and public block list methods. If you do not select Block and delete the email, your mailbox collects a large amount of spam in a short time.