Dnsbl Spam Filtering - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01

6.2.5. The SMTP ALG
security issue on the public Internet. Unsolicited email, sent out in massive quantities by groups
known as spammers, can waste resources, transport malware, and try to direct the reader to
webpages which might exploit browser vulnerabilities.
Integral to the NetDefendOS SMTP ALG is a SPAM module that provides the ability to apply spam
filtering to incoming email based on its origin. This can significantly reduce the burden of such
email in the mailboxes of users behind the NetDefend Firewall. NetDefendOS offers two
approaches to handling SPAM:
• Dropping email which has a very high probability of being SPAM.
• Letting through but flagging email that has a moderate probability of being SPAM.
The NetDefendOS Implementation
SMTP functions as a protocol for sending emails between servers. NetDefendOS applies SPAM
filtering to emails as they pass through the NetDefend Firewall from a remote SMTP server to the
local SMTP server (from which local clients will later download the emails). Typically the local
SMTP server will be set up on a DMZ and there will usually be only one "hop" between the sending
server and the local, receiving server.
A number of trusted organizations maintain publicly available databases of the origin IP addresses of
known spamming SMTP servers, and these can be queried over the public Internet. These lists are
known as DNS Black List (DNSBL) databases and the information is accessible using a standardized
query method supported by NetDefendOS. The image below illustrates all the components involved:
When the NetDefendOS SPAM filtering function is configured, the IP address of the email's
sending server can be sent to one or more DNSBL servers to find out whether any of them think it
is from a spammer (NetDefendOS examines the IP packet headers to do this). The reply sent
back by a server is either a "not listed" response or a "listed" response. In the latter case,
the DNSBL server is indicating the email might be SPAM, and it will usually also provide
information known as a TXT record, which is a textual explanation for the listing.
Figure 6.4. DNSBL SPAM Filtering
The administrator can configure the NetDefendOS SMTP ALG to consult multiple DNSBL servers
in order to form a consensus opinion on an email's origin address. As each new email arrives,
servers are queried to assess the likelihood that the email is SPAM, based on its origin address. The
NetDefendOS administrator assigns a weight greater than zero to each configured server so that a
Chapter 6. Security Mechanisms
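The lookup and weighting described above can be sketched as follows. This is an added example, not code from the D-Link manual or from NetDefendOS. It assumes the usual DNSBL convention (reversed IPv4 octets prepended to the list's zone, an answer in 127.0.0.0/8 meaning listed), and the zone names, weights, thresholds, the summing of weights and the treatment of unreachable servers are all assumptions made for illustration.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone (the usual query form)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(answer):
    """No answer (NXDOMAIN) means not listed; an A record in 127.0.0.0/8 means listed."""
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")

def score_sender(ip, servers, resolve):
    """Assumed scoring: sum the weights of every DNSBL that lists `ip`."""
    score, hits = 0, []
    for zone, weight in servers.items():
        if weight <= 0:
            raise ValueError("weight must be greater than zero: " + zone)
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            answer = None  # assumption: an unreachable DNSBL contributes nothing
        if is_listed(answer):
            score += weight
            hits.append(zone)
    return score, hits

def decide(score, flag_at, drop_at):
    """Assumed policy: drop at a high score, flag at a moderate one, else pass."""
    if score >= drop_at:
        return "drop"
    return "flag" if score >= flag_at else "pass"

# Constructed sample data: hypothetical zones, documentation-range addresses.
SERVERS = {"bl-a.example": 3, "bl-b.example": 2, "bl-c.example": 2}
FAKE_DNS = {
    "10.113.0.203.bl-a.example": "127.0.0.2",
    "10.113.0.203.bl-b.example": "127.0.0.4",
    "10.113.0.203.bl-c.example": "127.0.0.2",
    "7.100.51.198.bl-b.example": "127.0.0.2",
}

def fake_resolve(name):
    return FAKE_DNS.get(name)  # None stands in for an NXDOMAIN reply

def classify(ip, flag_at=2, drop_at=5):
    score, hits = score_sender(ip, SERVERS, fake_resolve)
    return decide(score, flag_at, drop_at), score, hits

if __name__ == "__main__":
    print([classify(ip) for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1")])
```

To run it against live lists, pass a resolver that performs a real A-record lookup in place of `fake_resolve`; the TXT record mentioned above would need a separate query.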