Configuring Symantec Premium AntiSpam to detect spam

Products

Mail Security for Microsoft Exchange

Issue/Introduction

Resolution

Before you configure Symantec Premium AntiSpam, ensure that you have done the following:

If you have an ISA server, register Symantec Premium AntiSpam through the ISA server.
See About registering Symantec Premium AntiSpam through an ISA server
Configure your proxy server to permit downloads for Symantec Premium AntiSpam.
See Configuring your proxy server to download spam definition updates
Install the Symantec Premium AntiSpam license.
See About licensing

Configure the following settings to detect and handle spam:

Reputation service: Symantec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec.

Enable Ruleset based sender IP reputation	The Rule Based Reputation Service is the name for a set of downloadable IP address lists that you can use to block SMTP connections from known spam IP addresses or allow SMTP connections from known reputable IP addresses. The Rule Based Reputation Service currently includes the following classification lists of IP addresses, which are continuously compiled and updated: Open proxy list : Enables the open proxy list service. The open proxy list contains of IP addresses that are open proxies that are used by spammers or 'zombie' computers that are co-opted by spammers. Safe List: Enables the safe list service. The safe list contains IP addresses from which virtually no outgoing email is spam.
Suspect List	Contains the IP addresses from which virtually all of the outgoing email is spam. This list is always enabled.
Fast Pass	The Fast Pass feature conserves resources by providing a temporary exemption from spam scanning for senders with a demonstrated history of sending no spam messages. Thus senders with the best local reputation are exempted from spam scanning.
Marketing mail	Emails that contain commercial or fund-raising messages, which may have been requested by the user. When the messages are detected by this policy it takes the action configured under Suspected Spam.
Newsletter	Emails that include content on specific topics for a known period, often weekly or monthly. The user may have requested to receive these publications. When the messages are detected by this policy it takes the action configured under Suspected Spam.
Suspicious URL	Suspicious URLs include free hosting sites, URL shortening services, and URL redirecting services that can potentially be abused to deliver spam or malware payloads. SMSMSE can filter against email messages that contain one or more suspicious URLs. When the messages are detected by this policy it takes the action configured under Suspected Spam.

DNS IP Reputation:

Note:

DNS IP reputation feature will be disabled by default during a fresh install.

Note:

DNS IP reputation feature will be disabled by default for all upgrade scenarios.

Enable DNS IP Reputation

DNS-based IP (DNS IP) reputation allows the delivery of the Symantec Global Bad Senders list, which is the largest Symantec IP reputation list. When an inbound email arrives in your organization and the DNS IP reputation feature is enabled, the IP address of this inbound email is sent to the Symantec DNS reputation server. If this IP address in the Symantec DNS reputation server is recorded as bad, the verdict is provided back to the Symantec Mail Security for Microsoft Exchange.

Note:

We strongly recommend either enable DNS based IP Reputation feature or Rule Based Reputation feature. Enabling both of them at the same time will lead to heavy utilization of network resources.

Spam Scoring

Flag messages as suspected spam

Flags messages as suspected spam when their scores reach the suspected spam threshold.

Lower spam threshold

Indicates the minimum threshold for suspected spam.

You can enter a value between 25 and 89. The default value is 72.

You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium AntiSpam.

See About licensing

To configure Symantec Premium AntiSpam to detect spam

In the console on the primary navigation bar, click Policies.
In the sidebar under Antispam, click Premium AntiSpam Settings.
In the content area, under Symantec Premium AntiSpam Settings, check Enable Symantec Premium AntiSpam.
Under Reputation Services, check Enable Ruleset based sender IP reputation and then select any of the following that you want to use:
- Open proxy list
- Safe list
Check Suspect list which contains emails sources that primarily send spam. This option is selected by default and cannot be changed.
To bypass AntiSpam filtering of email messages from verified senders check Fast Pass.
Under DNS IP reputation, check the Enable DNS IP Reputation option. This DNS-based IP (DNS IP) reputation allows the delivery of the Symantec Global Bad Senders list, which is the largest Symantec IP reputation list.
Note:
It is highly recommended to use either Enable Ruleset based sender IP or DNS IP reputation services to avoid heavy network bandwidth consumption.
Under Spam Scoring, check Flag messages as suspected spam if you want messages flagged as suspected spam if you want messages flagged as suspected spam. In the Lower spam threshold box, type the suspected spam threshold level if you choose to identify suspected spam.
On the toolbar, click Deploy changes to apply your changes.
See Deploying settings and changes to a server or group