Dnsbl Spam Filtering - D-Link NetDefend DFL-210 User Manual

6.2.5. SMTP
Email Rate Limiting
Email Size Limiting
Email address blacklisting
Email address whitelisting
Verify MIME-type
Anti-Virus Scanning

6.2.5.1. DNSBL SPAM Filtering

Unsolicited email, often referred to as SPAM, has become both a major annoyance as well as a
security issue on the public Internet. Unsolicited email, sent out in massive quantities by groups
known as spammers, can waste resources, transport malware as well as try to direct the reader to
webpages which might exploit browser vulnerabilities.
Integral to the NetDefendOS SMTP ALG is a SPAM module that provides the ability to apply spam
filtering to incoming email based on its origin. This can significantly reduce the burden of such
email in the mailboxes of users behind a D-Link Firewall. NetDefendOS offers the options of:
• Dropping email which has a very high probability of being SPAM.
• Letting through but flagging email that has a moderate probability of being SPAM.
The NetDefendOS Implementation
SMTP functions as a protocol for sending emails between servers. NetDefendOS applies SPAM
filtering to emails as they pass through a D-Link Firewall from a remote SMTP server to the local
SMTP server (from which local clients will later download the emails). Typically the local SMTP
server will be set up on a DMZ and there will usually be only one "hop" between the sending server
and the local, receiving server.
A number of trusted organisations maintain publicly available databases of the origin IP address of
known spamming SMTP servers and these can be queried over the public Internet. These lists are
known as DNS Black List (DNSBL) databases and the information is accessible using a standardized
query method supported by NetDefendOS. The image below illustrates all the components involved:
Figure 6.1. DNSBL SPAM Filtering
A maximum allowable rate of email messages can be
specified.
A maximum allowable size of email messages can be
specified. This feature counts the total amount of bytes sent
for a single email which is the header size plus body size plus
the size of any email attachments after they are encoded. It
should be kept in mind that an email with, for example, an
attachment of 100 KBytes, will be larger than 100 KBytes.
The transferred size might be 120 KBytes or more since the
encoding which takes place automatically for attachments
may substantially increase the transferred attachment size.
The administrator should therefore add a reasonable margin
above the anticipated email size when setting this limit.
A blacklist of email addresses can be specified so that mail
from those addresses is blocked.
A whitelist of email addresses can be specified so that mail
from those addresses is allowed to pass by the ALG.
Mail attachment file content can be checked against its
filetype. A list of all filetypes checked can be found in
Appendix C, Checked MIME filetypes.
The NetDefendOS Anti-Virus module can scan email
attachments searching for malicious code. This feature is
described fully in Section 6.4, "Anti-Virus Scanning".
147
Chapter 6. Security Mechanisms