Overview of AntiSpam detection settings and actions
This guide will help you define which detection methods to use for the AntiSpam service.
You can associate a specific action with the spam emails that each detection method detects. You can apply the detection settings at global level, domain level, or group level. In this way, you can use specific detection methods and actions for a specific domain or group.
The available detection settings are described in the following table.
Table: Email AntiSpam detection settings
|
|
|
You can define a list of IP addresses, domains, or email addresses that are approved senders. Emails that are received from these senders are not identified as spam. You can also use the approved senders list to ensure that wanted email newsletters go through the AntiSpam service without interruption.
|
|
SPF (Sender Policy Framework) detects sender spoofing, blocking phishing attempts in which domain spoofing is commonplace. Some organizations publish an SPF record in their DNS. The SPF record authorizes sending hosts for their domains. The recipient verifies the email sender against the authorized hosts. If verification fails, the email sender is spoofing and the email should not be trusted.
When you use SPF spam detection for a domain, inbound email to your domain is verified against the SPF policy of the reported sender. If the reported sender publishes a hard-fail SPF policy and the inbound email fails SPF verification, the email is blocked and deleted. The block and delete action enforces the sender's hard-fail policy, which tells recipients not to accept emails that do not come from the sender's authorized hosts. A 5xx error is returned to the sender. Other types of SPF policy, for example, soft-fail, are ignored.
You can enable spoofed sender detection for all of your domains or for individual domains. You cannot enable it for individual groups or users.
http://www.symantec.com/docs/HOWTO101611
|
|
DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps thwart phishing attempts that can lead to security breaches by detecting email sender spoofing. DMARC standardizes how email recipients perform SPF and DKIM email authentication. Organizations publish a DMARC policy that indicates that their emails are protected by SPF, DKIM, or both. The DMARC policy tells a recipient what to do if neither of these authentication methods passes.
When you enable DMARC for a domain, inbound email to that domain is verified against the DMARC policy of the reported sender. If DMARC authentication passes, then the message is delivered normally. If DMARC authentication fails, then the message is quarantined or rejected, according to the email sender's policy. If quarantine is not enabled, then message subject lines can be modified to notify recipients that DMARC authentication has failed.
You can enable spoofed sender detection for all of your domains or for individual domains. You cannot enable it for individual groups or users.
http://www.symantec.com/docs/HOWTO124382
|
|
You can define a list of IP addresses, domains, or email addresses that you recognize as sources of spam or other unwanted email.
|
|
The AntiSpam service can detect email from globally known sources of spam. Companies and individuals in the dynamic public block list have demonstrated patterns of junk emailing. The block list is a recognized public block list of IP addresses.
See Using the dynamic IP block list.
|
|
A signature is a unique string that defines a specific spam email. This string is used to detect further instances of the email. The signaturing system uses proprietary and commercially-available signature-building engines to create a vast knowledgebase of spam message samples that are currently in email circulation. The signaturing system enables exact matching of spam, and reduces the chances that the scanner stops genuine business emails. In addition, the signaturing system speeds the spam identification process and the message handling process.
|
|
Skeptic™ uses artificial intelligence to create an ever-expanding knowledgebase to identify spam. The heuristics method scores each email against a set of rules. If an email achieves more than a specified score, it is immediately identified as spam.
Newsletters can be a burden for organizations. The AntiSpam service distinguishes spam from newsletters. To block unwanted newsletters, you must have the Skeptic™ heuristic detection setting enabled.
See Enabling predictive (heuristic) spam detection.
|
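The SPF and DMARC handling described in the table above can be sketched as decision logic. This is an added example, not Symantec's code: the function names and action labels are hypothetical, the records are constructed, and it assumes DNS lookup and SPF/DKIM evaluation happen elsewhere, that "hard-fail" means an `-all` term, and that subject tagging replaces quarantine when quarantine is not enabled.

```python
# Added example: sender-policy decisions for SPF and DMARC as the page describes them.
# Action labels are hypothetical; authentication results are passed in, not computed.

def spf_all_qualifier(record):
    """Return the qualifier (+ - ~ ?) of the 'all' mechanism, or None if absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return t[0] if t[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return None


def spf_action(record, spf_result):
    """Block only when the sender publishes hard-fail (-all) and verification failed."""
    if spf_result == "fail" and spf_all_qualifier(record) == "-":
        return "block-and-delete (5xx)"
    return "continue"  # soft-fail and other policies are ignored


def dmarc_policy(record):
    """Parse 'tag=value; ...' pairs and return the p= policy, or None if invalid."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


def dmarc_action(record, dmarc_passed, quarantine_enabled):
    """Apply the sender's published policy when DMARC authentication fails."""
    if dmarc_passed:
        return "deliver"
    policy = dmarc_policy(record)
    if policy == "reject":
        return "reject"
    if policy == "quarantine":
        # Assumption: with quarantine unavailable, the subject line is tagged instead.
        return "quarantine" if quarantine_enabled else "tag-subject"
    return "deliver"  # p=none or no valid record: sender requests no enforcement
```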
For each spam detection method, define an action for the spam emails that are detected. The available actions are described here.
Table: Actions for detected emails
| Action | Description |
|---|---|
| Append a header but allow the email through | The action adds a string to the email header. The format for the string is: X-Spam-Flag:YES. This string identifies the email as spam and enables further action when it enters your email system or your users' email client. For example, you can divert the email into a folder that you have set up to receive spam. The detected email is delivered to the recipient's email inbox. |
| Append a header and redirect the email to a bulk mail address | The string is added to the header as described above. The detected email does not reach the intended recipient. The email is redirected to the email address that you specify for bulk email. |
| Block and delete the email | The detected email is not sent to the intended recipient's email inbox. The email is deleted. |
| Tag the subject line but allow the email through | The action adds some text that you define to the email's subject line. The detected email is delivered to the recipient's email inbox. Note: When you first configure AntiSpam, it is useful to specify a bulk email address to see that spam is trapped as expected. |
| Quarantine the email | The detected email is not delivered to the recipient's email inbox. The email is quarantined. Depending on your Spam Manager settings, the recipient may be notified that they have received spam. They may have the option to view it and release it to their inbox. If your organization's AntiSpam service configuration does not include Spam Quarantine, the quarantine option is not available. |
The risk that AntiSpam may stop genuine business emails (false-positives) is minimal. See the section in your contract that states the false-positive rates for spam. We recommend that you select "with the signaturing and the public block elements methods. If you do not select , your mailbox collects a large amount of spam in a short time.
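For the "Append a header" actions in the table above, a downstream mail system can route on the X-Spam-Flag header. The following is an added example, not part of the AntiSpam service: the function names, folder names, and sample messages are constructed for illustration. It parses the headers rather than searching the raw text, so the string appearing in a message body does not trigger the rule.

```python
# Added example: divert messages carrying X-Spam-Flag:YES into a spam folder.
# Folder names and sample messages are constructed, not taken from the service.
from email import message_from_string


def is_flagged_spam(raw_message):
    """True if any X-Spam-Flag header has the value YES (case-insensitive)."""
    msg = message_from_string(raw_message)
    values = msg.get_all("X-Spam-Flag", [])
    return any(v.strip().upper() == "YES" for v in values)


def target_folder(raw_message, spam_folder="Spam"):
    """Return the folder a delivery rule would file this message into."""
    return spam_folder if is_flagged_spam(raw_message) else "INBOX"


# Constructed sample: header added in the format the page gives (no space after colon).
FLAGGED = "From: a@example.com\nSubject: offer\nX-Spam-Flag:YES\n\nbody\n"
# Constructed sample: the string appears only in the body, so it must not match.
CLEAN = "From: b@example.com\nSubject: minutes\n\nX-Spam-Flag:YES appears only in the body\n"

if __name__ == "__main__":
    for name, raw in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(name, "->", target_folder(raw))
```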