Using Anti-Spam and Mail

Introduction to Anti-Spam and Mail Security

The relentless and unprecedented growth in unwanted email now poses an unexpected security threat to the network. As the amount of resources (disk space, network bandwidth, CPU) devoted to handling unsolicited emails increases from year to year, employees waste more and more time sorting through unsolicited bulk email commonly known as spam. Anti-Spam Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM. and Mail provides network administrators with an easy and central way to eliminate most of the spam reaching their networks.

Anti-Spam and Mail Features

Feature	Explanation
Content based Anti-Spam	The core of the Anti-Spam functionality is the content based classification engine.
IP Reputation Anti-Spam	Using an IP reputation service, most of the incoming spam is blocked at connect time.
Block List Anti-Spam	Block specific senders based on IP address or sender's address.
Mail Anti-Virus	Scan and filter mail for malware.
Zero Hour Malware Protection	Filter mail using rapid response signatures.
IPS	Intrusion prevention system for mail protection.

Mail Security Overview

Anti-Spam

The Anti-Spam functionality employs unique licensed technology. Unlike many Anti-Spam applications that rely on searching for keywords and a lexical analysis of the content of an email message, Check Point Anti-Spam identifies spam by analyzing known and emerging distribution patterns. By avoiding a search for key words and phrases that might classify a legitimate email as spam and instead focusing on other message characteristics, this solution offers a high spam detection rate with a low number of false positives.

To preserve personal privacy and business confidentiality, only select characteristics are extracted from the message envelope, headers, and body (no reference to actual content or attachments are included). Hashed values of these message characteristics are sent to a Detection Center for pattern analysis. The Detection Center identifies spam outbreaks in any language, message format, or encoding type. Responses are returned to the enterprise gateway within 300 milliseconds.

Once identified, the network of spam generating machines is blacklisted. If the network changes its behavior, it is removed from the black list.

Adaptive Continuous Download

To prevent delays, Adaptive Continuous Download starts delivering the email to the recipient while Anti-Spam scanning is still in progress. If the email is designated as Spam, it is flagged as spam before it is completely transferred to the recipient. Both the SMTP and POP3 protocols support Adaptive Continuous Download for the entire email message.

Configuring Anti-Spam

Configuring a Content Anti-Spam Policy

To configure a content Anti-Spam policy

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. opens and shows the Anti-Spam & Mail tab.
2	On the Overview page, under Content based Anti-Spam, click Settings.
3	Use the slider to select an Anti-Spam policy protection level.
4	Select flagging options.
5	In the Security Gateway Engine settings section, set a maximum data size to scan.
6	Select Tracking Options for Spam, Suspected Spam, or Non Spam. Tracking options include None (no logging) Log Popup Alert Mail Alert SNMP trap alert User Defined Alert
7	Click Save, and then close SmartDashboard.
8	In SmartConsole, install the Access Control policy.

Configuring an IP Reputation Policy

This window enables IP reputation, an Anti-Spam mechanism that checks the IP address of the message sender (contained in the opening SYN packet) against a dynamic database of suspect IP addresses. If, according to the IP reputation service, the originating network has a reputation for sending spam, then the spam session is blocked at connect time. This way, the IP reputation feature creates a list of trusted email sources.

To configure an IP reputation policy

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	On the Overview page, under IP Reputation Anti-Spam, click Settings.
3	Use the slider to select an IP Reputation Policy Off - IP Reputation service is disabled Monitor only - Monitors known and suspected spam but does not block it Medium Protection - Blocks known spam and monitors suspected spam High Protections - Blocks known and suspected spam
4	Select tracking options for Spam, Suspected Spam, or Non spam. Tracking options include None (no logging) Log Popup Alert Mail Alert SNMP trap alert Three custom user-defined scripts
5	Click Save, and then close SmartDashboard.
6	In SmartConsole, install the Access Control policy.

Configuring a Block List

You can configure a list of email sources to block according to the sender's name, domain name, or IP address.

To configure a block list

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	On the Overview page, under Block List Anti-Spam, click Settings.
3	Use the slider to select a Block Policy: Off - Not blocked Monitor Only - Not Blocked, but monitors senders by IP address and email address Block - Blocks senders by IP address and email address
4	In the Blocked senders\domains section, click Add and enter the name of a sender or domain to be rejected.
5	In the Blocked IPs section, click Add and enter an IP address that should be blocked.
6	From the drop-down list in the Tracking section, select a tracking option for blocked mail or non-spam.
7	Click Save, and then close SmartDashboard.
8	In SmartConsole, install the Access Control policy.

Configuring Anti-Spam SMTP

SMTP traffic can be scanned according to direction or IP addresses.

To configure Anti-Spam SMTP

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, click Advanced > SMTP.
3	Make sure that Scan SMTP traffic with Anti-Spam engine for Anti-Spam, IP reputation and Block list protection is selected.
4	Select to scan SMTP traffic By Mail Direction or By IPs. If you selected scan By IPs, click Add Rule to configure rules for IP addresses to scan. If you selected scan By Mail Direction, select a scanning direction for: Incoming files Outgoing files Internal files through the gateway
5	Select Activate Continuous Download to avoid client time-outs when large files are scanned. (See Adaptive Continuous Download for further information).
6	Click Save, and then close SmartDashboard.
7	In SmartConsole, install the Access Control policy.

Configuring Anti-Spam POP3

POP3 traffic can be scanned according to direction

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, click Advanced > POP3.
3	Make sure that Scan POP3 traffic with Anti-Spam engine for Anti-Spam, IP reputation and Block list protection is selected.
4	Select to scan POP3 traffic By Mail Direction or By IPs.
5	If you selected scan By IPs, click Add Rule to configure rules for IP addresses to scan.
6	If you selected scan By Mail Direction, select a scanning direction for: Incoming mail Outgoing mail Internal mail
7	Select Activate Continuous Download to avoid client time-outs when large files are scanned. (See Adaptive Continuous Download for further information).
8	Click Save, and then close SmartDashboard.
9	In SmartConsole, install the Access Control policy.

Configuring Network Exceptions

An Anti-Spam policy can be enforced on all email traffic or only on traffic that was not deliberately excluded from the policy.

To exclude sources and destinations

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree click Advanced > Network Exceptions.
3	Select Enforce the Anti-Spam policy on all traffic except for traffic between the following sources and destinations.
4	Click Add. The Network Exception window opens.
5	For Source and Destination, select Any, or select Specific and one gateway from each list.
6	Click OK.
7	Click Save, and then close SmartDashboard.
	In SmartConsole, install the Access Control policy.

Configuring an Allow List

You can configure a list of allowed email sources according to the sender's name and name, or according to the IP address.

To configure an allow list

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree click Advanced > Allow List.
3	In the Allowed Senders / Domains section, click Add and enter the name of a sender or domain to be allowed.
4	In the Allowed IPs section, click Add and enter an allowed IP address.
5	From the drop-down list in the Tracking section, select a tracking option.
6	Click Save, and then close SmartDashboard.
7	In SmartConsole, install the Access Control policy.

Selecting a Customized Server

You can select an alternative Detection Center for Anti-Spam analysis.

To select a Detection Center

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree click Advanced > Customized Server.
3	Select Use Customized Server.
4	From the drop-down list, select a server.
5	Click Save, and then close SmartDashboard.
6	In SmartConsole, install the Access Control policy.

Bridge Mode and Anti-Spam

If an UTM-1 appliance is configured to run in bridge mode Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology., Anti-Spam is supported providing that:

The bridge interface has an IP address
The bridge interface has a default gateway

Configuring Anti-Virus Protection for Mail

Configuring Mail Anti-Virus

The Mail Anti-Virus policy prevents use of email as a virus delivery mechanism.

To configure a mail Anti-Virus policy

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, select Traditional Anti-Virus > Security Gateway > Mail Protocols > Mail Anti-Virus.
3	Set the slider to Block.
4	Select tracking options for either all POP3 and SMTP mail, or just blocked mail. Tracking options include None (no logging) Log Popup Alert Mail Alert SNMP Trap Alert User Defined Alert
5	Click Save, and then close SmartDashboard.
6	In SmartConsole, install the Access Control policy.

Configuring Zero Hour Malware Protection

By proactively scanning the Internet, the Detection Center identifies massive virus outbreaks as soon as they occur. This Zero-Hour solution provides protection during the critical time it takes to discover a new virus outbreak and assign it a signature.

To configure zero hour malware protection

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, select Traditional Anti-Virus > Security Gateway > Mail Protocols > Zero Hour Malware Protection.
3	With the slider, select a Zero hour malware protection level: Off Monitor Only Block
4	Select tracking options for blocked, SMTP and POP3 mail. Tracking options include None (no logging) Log Popup alert Mail alert SNMP trap alert Three custom user-defined scripts
5	Click Save, and then close SmartDashboard.
6	In SmartConsole, install the Access Control policy.

Configuring SMTP and POP3

SMTP and POP3 traffic can be scanned according to direction or by IP addresses.

To configure SMTP and POP3

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, select Traditional Anti-Virus > Security Gateway > Mail Protocols > SMTP or POP3.
3	Using the slider, select a protection level: Off Monitor Only - SMTP and HTTP are the only protocols that support this protection level Block
4	Select to scan SMTP traffic By Mail Direction or By IPs. When you scan by File Direction, select a scanning direction for: Incoming files Outgoing files Internal files through the gateway When you scan by IP addresses, create rules for the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. to define the source and destination of the data to be scanned.
5	For SMTP and HTTP, select the Activate Proactive Detection (impacts performance) checkbox to enable file-based Traditional Anti-Virus detection. Clear the checkbox to enable stream mode detection. See Understanding Proactive and Stream Mode Detection for further information. FTP and POP3 are set to Proactive Detection mode automatically.
6	If Proactive Detection was configured, select the Activate Continuous Download checkbox to prevent client time-outs when large files are scanned. See Not Adaptive Continuous Download for more information.
7	Click Save, and then close SmartDashboard.
8	In SmartConsole, install the Access Control policy.

Configuring File Types

You can set an action to take place when a file of a certain type passes through the gateway. Certain file types can pass through the gateway without being scanned for viruses. For example, picture and video files are normally considered safe. Other formats can be considered safe because they are relatively hard to tamper with. Update the list as necessary.

To configure the file types

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, select Traditional Anti-Virus > Security Gateway > File Types.
3	Configure the file types.
4	Optional: Click Update to update the list using a file.
5	Click Save, and then close SmartDashboard.
6	In SmartConsole, install the Access Control policy.

Configuring Settings

Define maximum sizes for scanned files and archives. Configure actions to take if the set limits are exceeded, or when a scan fails.

To configure scan failure and scan settings

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, select Traditional Anti-Virus > Security Gateway > Settings.
3	In the Scan Failure section, select the default behavior if there are problems with the scan.
4	In the File Handling section, select the maximum file size to scan and the default behavior if the file exceeds the size limit.
5	In the Archive File Handling section, select the maximum nesting level to scan, the compression ratio, and the default behavior if the file exceeds the limits or cannot be extracted.
6	Click Save, and then close SmartDashboard.
7	In SmartConsole, install the Access Control policy.

Configuring a Disclaimer

You can create your own custom disclaimer notice.

To configure a disclaimer

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard. SmartDashboard opens and shows the Anti-Spam & Mail tab.
2	From the navigation tree, select Advanced > Disclaimer.
3	Select Add disclaimer to email scanned by Anti-Virus and Anti-Spam engines.
4	In the text box, type your disclaimer notice.
5	Click Save, and then close SmartDashboard.
6	In SmartConsole, install the Access Control policy.

Anti-Spam Logging and Monitoring

Anti-Spam logging and monitoring options are available in the Logs & Monitor view in SmartConsole.

Logs derived from Anti-Spam scanning are sent to Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., and show in the Logs & Monitor > Logs view. In the Logs & Monitor view, you can see detailed views and reports of the Anti-Spam activity, customize these views and reports, or generate new ones (see Threat Analysis in the Logs & Monitor View).