D-Link NetDefendOS User Manual page 535

Network security firewall

The ALG Anti-Spam Implementation
SMTP functions as a protocol for sending emails between servers. NetDefendOS applies spam
filtering to emails as they pass through the NetDefend Firewall from an external remote SMTP
server to a local SMTP server (from which local clients will later download their emails). Typically,
the local, protected SMTP server will be set up on a DMZ network and there will usually be only
one "hop" between the sending server and the local, receiving server.
The SMTP ALG offers two approaches when spam is detected:
- Dropping email which has a very high probability of being spam.
- Letting through but flagging email that has a moderate probability of being spam.
Creating a DNSBL Consensus
The administrator can configure the NetDefendOS SMTP ALG to consult multiple DNSBL servers
in order to form a consensus opinion on an email's origin address. For each new email,
configured servers are queried to assess the likelihood that the email is spam, based on its origin
address. The way DNSBL functions is described in Section 6.4.3, "DNSBL Databases".
With the SMTP ALG, the administrator assigns a weight greater than zero to each configured
DNSBL server so that a weighted sum can then be calculated based on all responses. The
administrator can then configure one of the following actions based on the weighted sum
calculated:
- Dropped
  If the sum is greater than or equal to a predefined Drop threshold then the email is considered
  to be definitely spam and is discarded or alternatively sent to a single, special mailbox.
  If it is discarded then the administrator has the option of having an error message sent back to
  the sending SMTP server (this error message is similar to the one used with blacklisting).
- Flagged as Spam
  If the sum is greater than or equal to a predefined Spam Threshold then the email is
  considered as probably being spam but is forwarded to the recipient with notifying text
  inserted into it.
A Threshold Calculation Example
As an example, suppose that three DNSBL servers are configured: dnsbl1, dnsbl2 and dnsbl3.
Weights of 3, 2 and 2 are assigned to these respectively. The spam threshold is then set to be 5.
If dnsbl1 and dnsbl2 say an email is spam but dnsbl3 does not, then the total calculated will be
3+2+0=5. Since the total of 5 is equal to (or greater than) the threshold then the email will be
treated as spam.
If the Drop threshold in this example is set at 7 then all three DNSBL servers would have to
report the email as spam in order for the calculated sum to cause the email to be dropped (3+2+2=7).
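The weighted-sum rule above, as an added Python example (not code from the manual or from NetDefendOS): it applies the example's weights and thresholds and, going beyond the single case worked in the text, lists the smallest server combinations that trigger each action. Function names are hypothetical, and checking the Drop threshold before the Spam threshold is an assumption of this example.

```python
from itertools import combinations

# Weights and thresholds from the manual's example; all names are hypothetical.
WEIGHTS = {"dnsbl1": 3, "dnsbl2": 2, "dnsbl3": 2}
SPAM_THRESHOLD = 5
DROP_THRESHOLD = 7


def weighted_sum(listed, weights=WEIGHTS):
    """Sum the weights of the DNSBL servers that listed the origin address."""
    return sum(weights[name] for name in set(listed))


def verdict(listed, weights=WEIGHTS, spam=SPAM_THRESHOLD, drop=DROP_THRESHOLD):
    """Return 'drop', 'flag' or 'pass' for the servers that listed the address."""
    unknown = set(listed) - set(weights)
    if unknown:
        raise KeyError(f"unconfigured DNSBL server(s): {sorted(unknown)}")
    total = weighted_sum(listed, weights)
    # Assumption: the Drop threshold takes precedence over the Spam threshold.
    if total >= drop:
        return "drop"
    if total >= spam:
        return "flag"
    return "pass"


def minimal_sets(threshold, weights=WEIGHTS):
    """List the smallest server combinations whose weights reach threshold.

    A one-server result means a single blocklist's false positive is enough
    to trigger the action; an empty result means the threshold is unreachable.
    """
    found = []
    names = sorted(weights)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if weighted_sum(combo, weights) < threshold:
                continue
            # Skip supersets of a combination already known to be sufficient.
            if any(set(prev) <= set(combo) for prev in found):
                continue
            found.append(combo)
    return found


if __name__ == "__main__":
    print(verdict(["dnsbl1", "dnsbl2"]))
    print(minimal_sets(SPAM_THRESHOLD))
    print(minimal_sets(DROP_THRESHOLD))
```

With these weights every combination that reaches the Spam threshold includes dnsbl1, so a listing on dnsbl2 and dnsbl3 alone (2+2=4) is passed unflagged.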
Alternative Actions for Dropped Spam
If the calculated sum is greater than or equal to the Drop threshold value then the email is not
forwarded to the intended recipient. Instead the administrator can choose one of two
Chapter 6: Security Mechanisms
