Using Anti-Spam and Mail

In This Section:

Introduction to Anti-Spam and Mail Security

Mail Security Overview

Configuring Anti-Spam

Configuring Anti-Virus Protection for Mail

Configuring a Disclaimer

Anti-Spam Logging and Monitoring

Introduction to Anti-Spam and Mail Security

The relentless and unprecedented growth in unwanted email now poses an unexpected security threat to the network. As the amount of resources (disk space, network bandwidth, CPU) devoted to handling unsolicited emails increases from year to year, employees waste more and more time sorting through unsolicited bulk email commonly known as spam. Anti-Spam and Mail provides network administrators with an easy and central way to eliminate most of the spam reaching their networks.

Anti-Spam and Mail Features

Feature - Explanation

  • Content based Anti-Spam - The core of the Anti-Spam functionality is the content based classification engine.
  • IP Reputation Anti-Spam - Using an IP reputation service, most of the incoming spam is blocked at connect time.
  • Block List Anti-Spam - Block specific senders based on IP address or sender's address.
  • Mail Anti-Virus - Scan and filter mail for malware.
  • Zero Hour Malware Protection - Filter mail using rapid response signatures.
  • IPS - Intrusion prevention system for mail protection.

Mail Security Overview

On the Anti-Spam & Mail tab:

Anti-Spam

The Anti-Spam functionality employs unique licensed technology. Unlike many Anti-Spam applications that rely on searching for keywords and a lexical analysis of the content of an email message, Check Point Anti-Spam identifies spam by analyzing known and emerging distribution patterns. By avoiding a search for key words and phrases that might classify a legitimate email as spam and instead focusing on other message characteristics, this solution offers a high spam detection rate with a low number of false positives.

To preserve personal privacy and business confidentiality, only select characteristics are extracted from the message envelope, headers, and body (no reference to actual content or attachments is included). Hashed values of these message characteristics are sent to a Detection Center for pattern analysis. The Detection Center identifies spam outbreaks in any language, message format, or encoding type. Responses are returned to the enterprise gateway within 300 milliseconds.

Once identified, the network of spam generating machines is blacklisted. If the network changes its behavior, it is removed from the black list.

Adaptive Continuous Download

To prevent delays, Adaptive Continuous Download starts delivering the email to the recipient while Anti-Spam scanning is still in progress. If the email is designated as Spam, it is flagged as spam before it is completely transferred to the recipient. Both the SMTP and POP3 protocols support Adaptive Continuous Download for the entire email message.

Configuring Anti-Spam

Configuring a Content Anti-Spam Policy

To configure a content Anti-Spam policy:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. On the Overview page, under Content based Anti-Spam, click Settings.
  3. Use the slider to select an Anti-Spam policy protection level.
  4. Select flagging options.
  5. In the Security Gateway Engine settings section, set a maximum data size to scan.
  6. In the UTM-1 Edge Engine settings section, set a confidence level for spam and suspected spam.

    A spam confidence level is a grade or rating (usually between zero and a hundred) used to decide whether a particular email message should be treated as spam. For example, if the confidence level is set to 70, then all email messages rated at 70 or above will be treated as spam.

  7. Select Tracking Options for Spam, Suspected Spam, or Non Spam. Tracking options include:
    • None (no logging)
    • Log
    • Popup Alert
    • Mail Alert
    • SNMP trap alert
    • Three custom user-defined scripts.
  8. Click Save and then close SmartDashboard.
  9. From SmartConsole, install the Access Control policy.

Configuring an IP Reputation Policy

This window enables IP reputation, an Anti-Spam mechanism that checks the IP address of the message sender (contained in the opening SYN packet) against a dynamic database of suspect IP addresses. If, according to the IP reputation service, the originating network has a reputation for sending spam, then the spam session is blocked at connect time. This way, the IP reputation feature creates a list of trusted email sources.

To configure an IP reputation policy:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. On the Overview page, under IP Reputation Anti-Spam, click Settings.
  3. Use the slider to select an IP Reputation Policy:
    • Off - IP Reputation service is disabled
    • Monitor - Monitors known and suspected spam but does not block it
    • Medium Protection - Blocks known spam and monitors suspected spam
    • High Protections - Blocks known and suspected spam
  4. Select tracking options for Spam, Suspected Spam, or Non spam. Tracking options include:
    • None (no logging)
    • Log
    • Popup Alert
    • Mail Alert
    • SNMP trap alert
    • Three custom user-defined scripts.
  5. Click Save and then close SmartDashboard.
  6. From SmartConsole, install the Access Control policy.

Configuring a Block List

You can configure a list of email sources to block according to the sender's name, domain name, or IP address.

To configure a block list:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. On the Overview page, under Block List Anti-Spam, click Settings.
  3. Use the slider to select a Block Policy:
    • Off - Not blocked
    • Monitor Only - Not Blocked, but monitors senders by IP address and email address
    • Block - Blocks senders by IP address and email address
  4. In the Blocked senders\domains section, click Add and enter the name of a sender or domain to be rejected.
  5. In the Blocked IPs section, click Add and enter an IP address that should be blocked.
  6. From the drop-down list in the Tracking section, select a tracking option for blocked mail or non-spam.
  7. Click Save and then close SmartDashboard.
  8. From SmartConsole, install the Access Control policy.

Configuring Anti-Spam SMTP

SMTP traffic can be scanned according to direction or IPs.

To configure Anti-Spam SMTP:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree, click Advanced > SMTP.
  3. Make sure that Scan SMTP traffic with Anti-Spam engine for Anti-Spam, IP reputation and Block list protection is selected.
  4. Select to scan SMTP traffic By Mail Direction or By IPs.
    1. If you selected scan By IPs, click Add Rule to configure rules for IP addresses to scan.
    2. If you selected scan By Mail Direction, select a scanning direction for:
      • Incoming files
      • Outgoing files
      • Internal files through the gateway
  5. Select Activate Continuous Download to avoid client time-outs when large files are scanned.

    See Adaptive Continuous Download for further information.

  6. Click Save and then close SmartDashboard.
  7. From SmartConsole, install the Access Control policy.

Configuring Anti-Spam POP3

POP3 traffic can be scanned according to direction.

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree click Advanced > POP3.
  3. Make sure that Scan POP3 traffic with Anti-Spam engine for Anti-Spam, IP reputation and Block list protection is selected.
  4. Select to scan POP3 traffic By Mail Direction or By IPs.
  5. If you selected scan By IPs, click Add Rule to configure rules for IP addresses to scan.
  6. If you selected scan By Mail Direction, select a scanning direction for:
    • Incoming mail
    • Outgoing mail
    • Internal mail
  7. Select Activate Continuous Download to avoid client time-outs when large files are scanned.

    See Adaptive Continuous Download for further information.

  8. Click Save and then close SmartDashboard.
  9. From SmartConsole, install the Access Control policy.

Configuring Network Exceptions

An Anti-Spam policy can be enforced on all email traffic or only on traffic that was not deliberately excluded from the policy.

To exclude sources and destinations:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree click Advanced > Network Exceptions.
  3. Select Enforce the Anti-Spam policy on all traffic except for traffic between the following sources and destinations.
  4. Click Add. The Network Exception window opens.
  5. For Source and Destination, select Any, or select Specific and one gateway from each list.
  6. Click OK.
  7. Click Save and then close SmartDashboard.
  8. From SmartConsole, install the Access Control policy.

Configuring an Allow List

You can configure a list of allowed email sources according to the sender's name and domain name, or according to the IP address.

To configure an allow list:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree click Advanced > Allow List.
  3. In the Allowed Senders / Domains section, click Add and enter the name of a sender or domain to be allowed.
  4. In the Allowed IPs section, click Add and enter an allowed IP address.
  5. From the drop-down list in the Tracking section, select a tracking option.
  6. Click Save and then close SmartDashboard.
  7. From SmartConsole, install the Access Control policy.

Selecting a Customized Server

You can select an alternative Detection Center for Anti-Spam analysis.

To select a Detection Center:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree click Advanced > Customized Server.
  3. Select Use Customized Server.
  4. From the drop-down list, select a server.
  5. Click Save and then close SmartDashboard.
  6. From SmartConsole, install the Access Control policy.

Anti-Spam on UTM-1 Edge Devices

Anti-Spam protection is available on UTM-1 Edge devices.

To configure Anti-Spam on UTM-1 Edge devices:

  1. Open the General Properties window of the UTM-1 Edge gateway.
  2. Select Anti-Spam.

Bridge Mode and Anti-Spam

If a UTM-1 appliance is configured to run in bridge mode, Anti-Spam is supported providing that:

Configuring Anti-Virus Protection for Mail

Configuring Mail Anti-Virus

The Mail Anti-Virus policy prevents use of email as a virus delivery mechanism.

To configure a mail Anti-Virus policy:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree, select Traditional Anti-Virus > Security Gateway > Mail Protocols > Mail Anti-Virus.
  3. Set the slider to Block.
  4. Select tracking options for either all POP3 and SMTP mail, or just blocked mail. Tracking options include:
    • None (no logging)
    • Log
    • Popup alert
    • Mail alert
    • SNMP trap alert
    • Three custom user-defined scripts
  5. Click Save and then close SmartDashboard.
  6. From SmartConsole, install the Access Control policy.

Configuring Zero Hour Malware Protection

By proactively scanning the Internet, the Detection Center identifies massive virus outbreaks as soon as they occur. This Zero-Hour solution provides protection during the critical time it takes to discover a new virus outbreak and assign it a signature.

To configure zero hour malware protection:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree, select Traditional Anti-Virus > Security Gateway > Mail Protocols > Zero Hour Malware Protection.
  3. With the slider, select a Zero hour malware protection level:
    • Off
    • Monitor Only
    • Block
  4. Select tracking options for blocked, SMTP and POP3 mail. Tracking options include:
    • None (no logging)
    • Log
    • Popup alert
    • Mail alert
    • SNMP trap alert
    • Three custom user-defined scripts
  5. Click Save and then close SmartDashboard.
  6. From SmartConsole, install the Access Control policy.

Configuring SMTP and POP3

SMTP and POP3 traffic can be scanned according to direction or by IPs.

To configure SMTP and POP3:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree, select Traditional Anti-Virus > Security Gateway > Mail Protocols > SMTP or POP3.
  3. Using the slider, select a protection level:
    • Off
    • Monitor Only - SMTP and HTTP are the only protocols that support this protection level
    • Block
  4. Select to scan SMTP traffic By Mail Direction or By IPs
    1. When you scan by File Direction, select a scanning direction for:
      • Incoming files
      • Outgoing files
      • Internal files through the gateway
    2. When you scan by IPs, create rules for the Rule Base to define the source and destination of the data to be scanned.
  5. For SMTP and HTTP, select the Activate Proactive Detection (impacts performance) checkbox to enable file-based Traditional Anti-Virus detection. Clear the checkbox to enable stream mode detection. See Understanding Proactive and Stream Mode Detection for further information. FTP and POP3 are set to Proactive Detection mode automatically.
  6. If Proactive Detection was configured, select the Activate Continuous Download checkbox to prevent client time-outs when large files are scanned.

    See Continuous Download for further information.

  7. Click Save and then close SmartDashboard.
  8. From SmartConsole, install the Access Control policy.

Configuring File Types

You can set an action to take place when a file of a certain type passes through the gateway. Certain file types can pass through the gateway without being scanned for viruses. For example, picture and video files are normally considered safe. Other formats can be considered safe because they are relatively hard to tamper with. Update the list as necessary.

To configure the file types:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree, select Traditional Anti-Virus > Security Gateway > File Types.
  3. Configure the file types.
  4. Optional: Click Update to update the list using a file.
  5. Click Save and then close SmartDashboard.
  6. From SmartConsole, install the Access Control policy.

Configuring Settings

Define maximum sizes for scanned files and archives. Configure actions to take if the set limits are exceeded, or when a scan fails.

To configure scan failure and scan settings:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree, select Traditional Anti-Virus > Security Gateway > Settings.
  3. In the Scan Failure section, select the default behavior if there are problems with the scan.
  4. In the File Handling section, select the maximum file size to scan and the default behavior if the file exceeds the size limit.
  5. In the Archive File Handling section, select the maximum nesting level to scan, the compression ratio, and the default behavior if the file exceeds the limits or cannot be extracted.
  6. Click Save and then close SmartDashboard.
  7. From SmartConsole, install the Access Control policy.
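
What the File Handling, Archive File Handling, and Scan Failure limits guard against can be seen in a small pre-scan check. This is an added example, not Check Point code: the ArchiveLimits field names, the default values, and the "scan"/"block"/"allow" verdict strings are assumptions, and ZIP stands in for archive formats in general.

```python
import io
import zipfile
from dataclasses import dataclass

@dataclass
class ArchiveLimits:
    # Hypothetical names and defaults; they stand in for the GUI settings.
    max_file_size: int = 10 * 1024 * 1024  # largest file to scan, in bytes
    max_nesting: int = 3                   # deepest archive-in-archive level
    max_ratio: float = 100.0               # uncompressed / compressed ceiling
    on_limit: str = "block"                # behavior when a limit is exceeded
    on_failure: str = "block"              # behavior when extraction fails

def check_archive(data: bytes, limits: ArchiveLimits, level: int = 1) -> str:
    """Return 'scan' if the archive is within limits, else the configured default."""
    if level > limits.max_nesting:
        return limits.on_limit
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Judge by the declared sizes before inflating anything.
                ratio = info.file_size / max(info.compress_size, 1)
                if info.file_size > limits.max_file_size or ratio > limits.max_ratio:
                    return limits.on_limit
                member = zf.read(info)  # bounded by file_size, CRC-checked
                if zipfile.is_zipfile(io.BytesIO(member)):
                    verdict = check_archive(member, limits, level + 1)
                    if verdict != "scan":
                        return verdict
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        return limits.on_failure
    return "scan"

def make_zip(name: str, payload: bytes) -> bytes:
    """Build a one-member ZIP in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a normal archive, a highly compressible one, a 4-deep nest.
plain = make_zip("note.txt", b"quarterly figures attached")
dense = make_zip("zeros.bin", b"\0" * 1_000_000)
nested = plain
for i in range(3):
    nested = make_zip(f"layer{i}.zip", nested)

if __name__ == "__main__":
    limits = ArchiveLimits()
    for label, blob in [("plain", plain), ("dense", dense), ("nested", nested),
                        ("corrupt", b"not an archive")]:
        print(label, check_archive(blob, limits))
```

Setting on_failure to "allow" makes the corrupt sample pass unscanned, which is the trade-off behind the Scan Failure default.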

Configuring a Disclaimer

You can create your own custom disclaimer notice.

To configure a disclaimer:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. From the navigation tree, select Advanced > Disclaimer.
  3. Select Add disclaimer to email scanned by Anti-Virus and Anti-Spam engines.
  4. In the text box, type your disclaimer notice.
  5. Click Save and then close SmartDashboard.
  6. From SmartConsole, install the Access Control policy.

Anti-Spam Logging and Monitoring

Anti-Spam logging and monitoring options are available in the Logs & Monitor view in SmartConsole.

Logs derived from Anti-Spam scanning are sent to Security Management Server, and show in the Logs & Monitor > Logs view. In the Logs & Monitor view, you can see detailed views and reports of the Anti-Spam activity, customize these views and reports, or generate new ones.
