D-Link NetDefend DFL-210 User Manual page 213

6.2.5. The SMTP ALG
And this is what the email's recipient will see in the summary of their inbox contents. The individual
user could then decide to set up their own filters in the local client to deal with such tagged emails,
possibly sending it to a separate folder.
Adding X-SPAM Information
If an email is determined to be SPAM and a forwarding address is configured for dropped emails,
then the administrator has the option to Add TXT Records to the email. A TXT Record is the
information sent back from the DNSBL server when the server thinks the sender is a source of
SPAM. This information can be inserted into the header of the email using the X-SPAM tagging
convention before it is sent on. The X-SPAM fields added are:
• X-Spam-Flag - This value will always be Yes.
• X-Spam-Checker-Version - The NetDefendOS version that tagged the email.
• X-Spam-Status - This will always be DNSBL.
• X-Spam-Report - A list of DNSBL servers that flagged the email as SPAM.
• X-Spam-TXT-Records - A list of TXT records sent by the DNSBL servers that identified the
email as SPAM.
• X-Spam_Sender-IP - IP address used by the email sender.
These fields can be referred to in filtering rules set up by the administrator in mail server software.
Allowing for Failed DNSBL Servers
If a query to a DNSBL server times out then NetDefendOS will consider that the query has failed
and the weight given to that server will be automatically subtracted from both the SPAM and Drop
thresholds for the scoring calculation done for that email.
If enough DNSBL servers do not respond then this subtraction could mean that the threshold values
become negative. Since the scoring calculation will always produce a value of zero or greater
(servers cannot have negative weights) then all email will be allowed through if both the SPAM and
Drop thresholds become negative.
A log message is generated whenever a configured DNSBL server does not respond within the
required time. This is done only once at the beginning of a consecutive sequence of response
failures from a single server to avoid unnecessarily repeating the message.
Verifying the Sender Email
As part of the Anti-SPAM module, the option to verify the email sender denies emails with a
mismatch of the SMTP "From" address and the header "From" address. In other words, the source
address in the SMTP protocol header and the SMTP data load header must be the same. Spamming
can cause these to be different so this feature provides an extra check on email integrity.
Logging
There are three types of logging done by the SPAM filtering module:
• Logging of dropped or SPAM tagged emails - These log messages include the source email
address and IP as well as its weighted points score and which DNSBLs caused the event.
• DNSBLs not responding - DNSBL query timeouts are logged.
• All defined DNBSLs stop responding - This is a high severity event since all email will be
213
Chapter 6. Security Mechanisms