Chapter: 110
Driver Easy Professional free download

SpamTitan Administrator Guide

Loading...
SpamTitan® ADMINISTRATORS GUIDE v6.02

Page 1

COPYRIGHT Copyright © 2014 SpamTitan. All rights reserved. The product described in this document is furnished under a license agreement and may be used only in accordance with the terms of the agreement. SpamTitan gives no condition, warranty, expressed or implied about the fitness or quality of this manual or the accompanying product. SpamTitan reserves the right to make changes to this manual or the accompanying product, without notice to any person or company. SpamTitan shall not be liable for any indirect, incidental, special, or consequential damages, loss of profits, loss of goodwill, loss of reputation or economic loss resulting from the use of this manual or the accompanying product whether caused through SpamTitan negligence or otherwise and based on contract, tort, strict liability or otherwise, even if SpamTitan or any of its suppliers has been advised of the possibility of damages. SpamTitan is a trademark of Copperfasten Technologies Limited. Printed in Ireland. Part Number: ST-AG-504

CONTACTING SPAMTITAN CUSTOMER SUPPORT Telephone: Email: Forum: Web:

+1 201 984-3271 [email protected] http://helpdesk.spamtitan.com/support/home www.SpamTitan.com

SPAMTITAN WELCOMES YOUR COMMENTS We want to know about any corrections or clarifications that you would find useful in our documentation, which will help us improve future versions. Include the following information:  Version of the manual that you are using  Section and page number  Your suggestions about the manual Send your comments and suggestions to us at the following email address: [email protected]

Page 2

Table of Contents 1 INTRODUCTION.................................................................................................. 7 2 SETUP AND INSTALLATION .............................................................................. 8 3 SYSTEM SETUP ............................................................................................... 13 Licensing.......................................................................................................................... 13 Network Configuration: IP Configuration ............................................................................... 14 DNS Settings ........................................................................................................................................... 14 HTTP Proxy...................................................................................................................... 16 Static Routes ..................................................................................................................... 16 Port Forwarding ............................................................................................................................... 17 Alias IP Addresses ............................................................................................................. 18 Outbound Delivery Pools ..................................................................................................... 19 IPV6 Settings .................................................................................................................... 20 System Time ..................................................................................................................... 20 Mail Relay: Domains .......................................................................................................... 21 Mail Relay: IP Controls ........................................................................................................................... 23 Mail Relay: Sender Controls .................................................................................................................... 25 Mail Relay: Outbound Settings ................................................................................................................ 26 Mail Relay: General Settings ............................................................................................... 28 Mail Relay SMTP Controls .................................................................................................................... 30 Mail Relay: Greylisting ........................................................................................................................... 32 Rate Controls ........................................................................................................................................... 34 Rate Controls: SMTP Limits ................................................................................................................... 37 Rate Controls: SMTP Client Exception Settings ..................................................................................... 38 System Updates ....................................................................................................................................... 38 Shutting Down Appliance ........................................................................................................................ 40

4 CLUSTERING .................................................................................................... 41 Setting up a SpamTitan Cluster ............................................................................................................... 41 Restrictions and Considerations .............................................................................................................. 42

5 CONTENT FILTERING ...................................................................................... 43 Content Filtering: Viruses ........................................................................................................................ 43 Clam AntiVirus ........................................................................................................................................ 43 Kaspersky AntiVirus ............................................................................................................................... 43 Enabling Virus Scanning and Configuring Global Settings ......................................................... 44 Managing Virus Definition Updates ....................................................................................... 45 Content Filtering: Spam ...................................................................................................... 46 Enabling Scan Scanning and Configuring Global Settings .......................................................... 47 Spam Rule Updates ............................................................................................................ 49 Content Filtering: Attachment Filtering .................................................................................. 49 Content Filtering: Content Filtering ....................................................................................... 54

6 ANTI-SPAM ENGINE.................................................................................................... 59 Network Testing ................................................................................................................ 59 Internal Networks............................................................................................................... 61 Bayesian Database ............................................................................................................. 61 Penpals Soft Whitelisting ........................................................................................................................ 64 Optical Character Recognition................................................................................................................. 65 Botnet Analysis & Passive OS Fingerprinting .................................................................................. 65 Performance Tuning ................................................................................................................................ 66 Language Options .................................................................................................................................... 66 Anti-Spam Engine: Domain Policies ....................................................................................................... 68 Anti-Spam Engine: User Policies ............................................................................................................ 71

Page 3

Anti-Spam Engine: Roles and Permissions ............................................................................................. 72 Anti-Spam Engine: Admins ..................................................................................................................... 74 Anti-Spam Engine: Domain Groups ........................................................................................................ 74

7 SETTINGS ......................................................................................................... 76 Changing the Administrator Password .................................................................................... 76 Interface Settings ............................................................................................................... 76 Login Page Settings ........................................................................................................................................ 79 Generate Certificate Signing Request ............................................................................................................ 79 Import Certificates .......................................................................................................................................... 80 Installed Signed Certificates ........................................................................................................................... 81 TLS Encryptions ............................................................................................................................................. 82 Configuring HTTPS ........................................................................................................... 83 Restricting Web Access to the GUI........................................................................................ 83 Web Authentication ............................................................................................................ 84 Backing Up and Importing System Configuration ..................................................................... 89 Notification Templates ........................................................................................................ 91 Remote Syslog .................................................................................................................. 93 Configuring Outbound Disclaimers ....................................................................................... 94 Configuring Outbound Disclaimers Exemptions ..................................................................................... 95 SNMP Management ................................................................................................................................. 95

8 FILTER RULES.............................................................................................................. 97 Filter Rules: Configuring Global Email Blacklist ...................................................................... 97 Filter Rules: Configuring Global Email Whitelist ................................................................................... 98 Filter Rules: Configuring Pattern Filtering............................................................................................... 99

9 QUARANTINE.............................................................................................................. 100 Quarantine Management .....................................................................................................100 Quarantine Reports ............................................................................................................103 Quarantine Report Settings .................................................................................................104 Quarantine Maintenance ........................................................................................................................ 106 Quarantine Aliases ................................................................................................................................. 106

10 REPORTING .............................................................................................................. 108 Reporting: System Information ............................................................................................108 Reporting: Services ...........................................................................................................109 Reporting: System Troubleshooting ......................................................................................110 Reporting: Ping Checks ......................................................................................................................... 112 Reporting: Graphs .................................................................................................................................. 113 Reporting: Administration ........................................................................................................................... 113 Reporting: History ........................................................................................................................................ 114 Mail History: Mail Filters ............................................................................................................................ 114 Mail History: Display Settings .................................................................................................................... 117 Mail History - Log Settings ......................................................................................................................... 118 Reports .......................................................................................................................................................... 119 Today‟s On-Demand Reports ...................................................................................................................... 120 Scheduled Reports ........................................................................................................................................ 121 Archived Reports.......................................................................................................................................... 123

11 LOGGING ................................................................................................................... 124 12 OUTLOOK ADD-IN ................................................................................................... 126 13 REMOTE MANAGEMENT....................................................................................... 127

Page 4

Preface The SpamTitan Administrator Guide is designed to help mail system administrators in the operation of the SpamTitan. This guide provides an overview of the key product features, along with instructions for setting up, administrating, and monitoring SpamTitan. These instructions are intended for an experienced system administrator with knowledge of networking and email administration.

Page 5

CONVENTIONS The following conventions are used: Convention Bold

Italics Courier font

Use Indicates the name of a user interface item, for example, a dialog box, menu or button. Indicates the title of a document. Indicates the name of a user interface item, for example, a dialog box, menu, or button.

Page 6

1 INTRODUCTION

1

Introduction

This chapter provides an overview of SpamTitan.

SPAMTITAN PRODUCT OVERVIEW

SpamTitan is high-performance mail filtering security suite that provides the necessary email infrastructure to meet the needs of the most demanding enterprises. SpamTitan combines a hardened operating system and an assortment of software applications and services to produce a mail firewall appliance that eliminates spam and viruses and enforces corporate email policy. Anti-Spam defences on the appliance ensure through a multi-layered approach that over 99% of all spam is detected. Anti-Virus protection is provided through the use of two industry leading anti-virus scanning engines: ClamAV and Kaspersky anti-virus. Message filtering capabilities allows you to enforce corporate email policy on inbound and/or outbound messages. Filter rules allow you to block banned attachments or add disclaimers. These rules can be performed on a domain and/or per-user basis to provide fine-grained control. Mail monitoring features ensures that you have complete visibility of all mail that passes through the appliance with the ability to generate automated reports and/or on-demand reports.

Page 7

2 SETUP & INSTALLATION

2

Setup and Installation

This chapter guides you through the process of configuring SpamTitan for email delivery. When you have completed this chapter, SpamTitan will be able to send and receive SMTP email over the Internet and within your network.

INSTALLATION PLANNING SpamTitan will normally be installed on a server in your network between your firewall and mail server(s). This requires a rule change to your firewall to direct incoming email on Port 25 (SMTP) to the IP address of the SpamTitan server. If you are assigning a new MX record for the SpamTitan server while maintaining your existing MX records, you should be aware that spammers will target secondary or lower priority MX records. The latter is based on the assumption that secondary MX records will not be protected by spam filters. In this case any secondary MX record should be a backup mail server which will queue mail if the primary MX record is unavailable.

Page 8

2 SETUP & INSTALLATION

Preparing for Setup To successfully setup SpamTitan in you environment, you must gather important network information from your network administrator about how you would like to connect SpamTitan to your network. SpamTitan is configured via a web interface. Connect a laptop or any computer with a web browser to the SpamTitan server via a cross over network cable. If your SpamTitan server has already been pre-configured for your environment you can the plug it directly into your network. To access the web interface type in the following URL to your browser: http://192.168.168.168/ or http://.

Page 9

2 SETUP & INSTALLATION

The SpamTitan Graphical User Interface (GUI) The graphical user interface (GUI) enables you to manage and monitor the system using a web-based interface. Each page is laid out in an intuitive and consistent manner and includes numerous charts and tables detailing the current status of the system. The GUI can also be used to view real-time information on all mail flow history. Administrators can instantly report on any email users (local/remote) mail flow history and view mail statistics. Note: To access the GUI, your browser must support and be enabled to accept JavaScript and cookies, and it must be able to render HTML pages using Cascading Style Sheets (CSS). You can view the GUI by entering the IP address or hostname of the appliance as a URL. All users accessing the GUI must log in. Type your username and password, and then click Login to access the GUI. You can login with the admin account with password hiadmin. Make sure you change the admin password after logging in.

Page 10

2 SETUP & INSTALLATION

After logging in as the administrator, you are presented with the system dashboard. The dashboard provides an overview of the SpamTitan system at a glance.

SETUP After connection and gaining access to the web interface, the rest of the configuration is performed using the web interface.

NETWORK CONFIGURATION

1. Log in to the SpamTitan web interface using admin for the username and hiadmin for the password. Select System Setup > Network to configure the IP address and Default Route to be assigned to the SpamTitan server including the Subnet Mask. See “ 2. Network Configuration” on page 16 for more information on configuring the system IP Address. NOTE: When you change the IP address you must reset the browser URL to the new IP address to continue with the configuration. 3. From the System Setup > Network page you can also set your Domain Name Server (DNS) settings for the network the appliance will be installed on. If you have secondary DNS severs add their IP address here. 4. D N S Settings” on page 16 for more information on configuring DNS.

Page 11

2 SETUP & INSTALLATION

MAIL RELAY SETUP

1. Select System Setup > Mail Relay and in the General Settings section enter:  Enter the Appliance hostname as a FQDN (fully qualified domain name)  If your mail server has a size limit on incoming email then select it via the “Max message size:” drop down menu  Press the “Save” button 2. Select System Setup > Mail Relay and in the Domains section enter the details for each domain that you manage:

     

Domain as mydomain.com for example The FQDN or IP address of your email sever for this domain The Destination port for email defaults to 25 Press the “Add” button Repeat for all other domains you serve All the domains you have added will appear in a list you can now test the email function by clicking the “Test” column

3. If Recipient Verification is supported by your mail server make sure it‟s set to “Dynamic Recipient Verification”. Microsoft Exchange 2003 and most email servers now support this feature. When enabled the appliance will check the address of incoming email with the mail server, if the intended recipient is unknown then the email is dropped with a DSN (Delivery Status Notification) message and no further processing is performed. If your mail server doesn‟t support Recipient Verification you can set this field to:  No Recipient Verification  LDAP Recipient Verification if you are running Active Directory  Specify Allowed Recipients. You can then enter a list of valid email address manually or import a list from a text file with one email address per line. See “Mail Relay: Managing Domains” on page 21 for more information on managing domains and the recipient verification options. You have now completed the mandatory configuration steps that are required in order to receive mail for you organization. There are other settings that you may wish to change. Please review the default settings in each menu section. For an explanation of any setting press the help icon.

Page 12

4 CLUSTERING

3

System Setup

This chapter covers the basic setup tasks that are available from the System Setup menu.

LICENSING

In order to license SpamTitan you need to obtain a valid license file from SpamTitan. This license may then be imported through the System Setup > Licensing page. Click the Browse button, select the license file to upload and finally click the Load button. After successful loading of the license, the License Information window will show details of your license. Without a valid license, access to the web interface will be restricted, as will access to spam, virus and system updates.

Page 13

4 CLUSTERING

NETWORK CONFIGURATION: IP CONFIGURATION This section describes how to configure the network operation of SpamTitan. The appliance is given a default IP address of 192.168.100.100. You can change this address from the System Setup > Network page The Network Configuration window allows you to set the IP address, subnet mask, and default gateway for SpamTitan

Note: When you save the Network Configuration settings you may be disconnected from the SpamTitan server if the IP address is changed. You will then have to access the SpamTitan server at its new IP address.

NETWORK CONFIGURATION: DNS SETTINGS The domain name system (DNS) is a distributed data base for the management of Internet name spaces. DNS allows you to either convert a hostname to an IP address or, alternately, convert the IP address to a name (reverse lookup).

Page 14

4 CLUSTERING

The System Setup > Network page allows you to configure the DNS settings.

The following table describes the DNS settings: Field

Description

Domain

This specifies the primary domain for the appliance

DNS Server(s)

Specifies the list of primary and secondary DNS nameservers in Internet address (dot notation) format that the DNS resolver should query. Up to 3 nameservers should be listed. If you specify more than 1 name server, then the resolver will query them in the order listed. Note: Certain features of SpamTitan , such as RBL and SURBL tests for depend on DNS availability in order to correctly categorize messages.

Use DNS Cache

If enabled, all DNS queries will be cached locally on the appliance. DNS queries will first be handled by the local cache, and if the answer is available locally, returned immediately. Otherwise the, the query will be forwarded on to the specified nameserver(s). If your specified nameservers already provide DNS caching you may wish to disable this feature. DNS caching is enabled by default.

Flush Cache

Click the Flush button to clear the DNS cache.

Page 15

4 CLUSTERING

NETWORK CONFIGURATION: HTTP PROXY SpamTitan uses, by default, port 80 to retrieve Virus signature updates and spam rule updates. If you use an http proxy server in your organization the Enable the HTTP proxy setting on the System Setup > Network page, and specify the HTTP Proxy and HTTP Port. Incorrect proxy settings may cause your virus signature and spam rule updates to fail. HTTP proxy is disabled by default.

NETWORK CONFIGURATION: STATIC ROUTES If you have complex routing requirements, then you may need to manipulate the network routing tables by adding static routes. The System Setup > Network page allows you to manipulate static routes.

To add a static route enter the routing information and press the Add button. Use the following syntax when adding a route: [-net | -host] destination gateway [netmask]

where destination is the destination host or network, gateway is the next-hop intermediary via which packets should be routed. Routes to a particular host may be distinguished from those to a network by interpreting the Internet address specified as the destination argument. The optional modifiers -net and -host force the destination to be interpreted as a network or a host, respectively. Otherwise, if the destination has a “local address part” of INADDR_ANY (0.0.0.0), or if the destination is the symbolic name of a network, then the route is assumed to be to a network; otherwise, it is presumed to be a route to a host. Optionally, the destination could also be specified in the net/bits format. For example, 128.32 is interpreted as -host 128.0.0.32; 128.32.130 is interpreted as -host Page 16

4 CLUSTERING

128.32.0.130; -net 128.32 is interpreted as 128.32.0.0; -net 128.32.130 is interpreted as 128.32.130.0; and 192.168.64/20 is interpreted as -net 192.168.64 -netmask 255.255.240.0.

NETWORK CONFIGURATION: PORT FORWARDING Accessing the Port Forwarding section of System Setup > Network will let the user add a port forwarding entry

Port forwarding allows rules to be set up that will transparently redirect traffic destined for non-used ports on the appliance to a port on a different system. In the Source Port field we specify an unused TCP port on the appliance. We then add the IP address of destination server that packets will be forwarded to in the Destination IP field. In the Destination Port section we add a TCP port on the destination server.

Page 17

4 CLUSTERING

NETWORK CONFIGURATION: ALIAS IP ADDRESSES Using the Alias IP Addresses section of System Setup > Network we can add details of and IP Alias.

Additional IP addresses may be established for each network interface. This is sometimes useful when changing network numbers, and you wish to accept packets addressed to the old interface. If the address is on the same subnet as the first network address for this interface, All configured additional IP addresses will respond on the configured SMTP port as well as the configure UI port. This is also used to configure extra alias IPs for IP Delivery Pools to deliver mail from . To add a new IP Alias, click on the Add... button. The Add IP Alias dialog is displayed. The entries on the Add/Edit IP Alias dialog are as follows: Field

Description

IP/Network

IP address to add

Address Type

Specify if the address is an IPv4 or IPv6 address

Physical Interface

The network interface card (NIC) that this address is Being added to.

IP Delivery Pool

Select the pool you wish this alias to deliver mails from. You can configure these from the System Setup > Network > Alias IP address tab.

Comment

Optional comment field.

Page 18

4 CLUSTERING

NETWORK CONFIGURATION: OUTBOUND DELIVERY POOLS By default, SpamTitan will use the primary IP address to deliver outbound messages to the MX records of the recipients. Some customers may wish to separate the outbound delivery IP from the inbound delivery IP. Also, to minimize the impact of potentially getting listed on RBL blacklists (for example, in the event of an internal spam outbreak), some users (ISPs typically) may prefer to use a pool of IP addresses which will be selected randomly to deliver the outbound mail. It's then easier for them to pull an IP if one of them gets listed on an RBL.

In addition, different IP Delivery Pools may be specified for different outbound sender domains. So, for instance when running in a multi-tenant environment, MSPs/ISPs may assign a private IP address pool to certain customers. Once IP Delivery Pools are enabled, you can assign the appliances IP addresses to 1 or more IP Delivery pools. This can be done on the IP Configuration tab and the Alias IP Addresses tab. It's important that the DNS PTR record of your connecting IP addresses matches the hostname that is supplied in the HELO/EHLO command of the SMTP conversation, as otherwise recipient mail servers may When adding an IP address to an IP Delivery pool, it's possible to set a custom HELO for the IP address in the HELO/EHLO field which defaults to the hostname of the appliance. This default is fine as long as the PTR record for the IP matches. By default, all outbound mail will use the Main Pool if IP Delivery pools are enabled. To use a specific IP Delivery Pool for all mails from a specific (internal) domain, you must edit the domain on the System Setup -> Mail Relay -> Domains tab, and specify the IP Delivery Pool from the dropdown list. tab, and an IPv6 nameserver entry may be specified on the DNS settings tab.

Page 19

4 CLUSTERING

NETWORK CONFIGURATION: IPV6 Using the IPV6 section of System Setup > Network we can alter IPV6 settings.

When IPv6 networking is enabled, the appliance may send and receive email over IPv6 networks, and those messages will be scanned for viruses and spam. To enable IPv6 support, click on the Enable button and then specify the IPv6 default route. You can then specify an IPv6 address for an interface on the Alias IP Addresses tab, and an IPv6 nameserver entry may be specified on the DNS settings tab.

SYSTEM TIME SpamTitan uses the time and date settings to time stamp log events, to automatically update anti-virus definition files and spam rule set files, and for other internal purposes. Use the System Setup > Time page to set the time and date of the appliance. The date and time can be set manually with the help of the drop-down menu or can be automatically synchronized using NTP. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes to a fraction of a millisecond. By default, the Mail Firewall Appliance uses an internal list of public NTP servers to automatically update the time.

Page 20

4 CLUSTERING

To select your time zone and automatically update the time, choose the time zone from the Time Zone menu. Then choose Use NTP to synchronize time from the NTP Settings menu to use NTP to set the time automatically. You must specify at least 1 NTP server to use for time synchronization. Press the Reset button to reset the NTP servers to the CMFA default servers. These are several publicly available servers. If you want to set the time manually, then select No NTP Server from the NTP Settings menu. Then enter the date in the Month, Day and Year fields and the time in the Hours, Minutes and Seconds fields. After selecting the time settings, click Save to update the date and time.

MAIN RELAY: DOMAINS Use the Domains section of the System Setup > Mail Relay page to add or edit domains that your organization accepts mail

The following table describes each of the fields. Field

Description

Domain

Describes the domain that will receive mail. If the resolved destination address matches one of the listed domains or a sub-domain thereof, then the message will be accepted for processing; otherwise the mail will be rejected as an unauthorized relay attempt. Typically the destination mail server would be your Microsoft Exchange Server, or alternative mail server on your local network.

Destination Server

This is the hostname or IP address of the mail server which will receive mail after been processed by SpamTitan. Multiple servers may be specified by adding additional entries to the field. They will behave differently Page 21

4 CLUSTERING

depending on the separator: Comma (","): each server will be used in round-robin order. i.e. the load will be distributed evenly between them. Space (" "): subsequent entries after the 1st entry will be treated as fallback servers which will only be used if the preceding entries are unreachable. You must either use subsequent entries as fallbacks or round-robins, the functionality cannot be mixed. Destination Port

This is the port number of the destination mail server. Default 25.

Recipient Verification

Recipient Verification provides a means of protecting against Dictionary Attacks. A Dictionary Attack is an email spamming technique in which a spammer sends out thousands of emails with randomly generated addresses using combinations of letters in the hopes of reaching a percentage of actual email addresses. This can add a significant burden to your email server and, depending on your server‟s configuration may result in a number of bounce messages. For instance, Microsoft Exchange attempts to protect against Dictionary Attacks by accepting messages for all recipients rather than rejecting invalid recipients and letting a spammer know which accounts are valid. Unfortunately, this often leads to unnecessarily high Exchange server CPU loads because the server still attempts to send one or more nondelivery notifications for every invalid recipient. If Recipient Verification is enabled, then messages to unknown users are immediately rejected, before the message even arrives in your network. SpamTitan can use several methods to perform recipient verification depending on your environment. If your mail server supports recipient verification, then you should select Dynamic Recipient Verification. Most Unix based mail servers, GroupWise, and Exchange 2003 (off by default) support this option. In the Verification Server field specify the server that the Page 22

4 CLUSTERING

verification probe should be sent to. Normally this will be the same as the Destination Server, but in some cases it may be a different server if required. For Exchange 2000 mail servers, or other mail servers that support LDAP directories, select LDAP Recipient Verification and enter in your LDAP server details. This will query the LDAP server to check if the intended recipient(s) are valid or not. If none of the above options are available, then you can Specify a list of Allowed Recipients by manually entering all allowed email addresses, or Importing a flat text file of allowed addresses. Specify one email address per line. Test

The domain Test link allows you to test your domain configuration settings. In the popup window enter a valid email address for the selected domain and press the Send button. This will attempt to send a test message to that address using the destination server configured.

MAIL RELAY: IP CONTROLS Use the IP Controls section of System Setup > Mail Relay to alter RBL as well as Whitelisted IP Addresses and Blacklisted IP Addresses settings

Page 23

4 CLUSTERING

The following table describes each of the fields: Field

Description

Realtime Blackhole Lists

Use this option to enable or disable the usage of Realtime Blackhole lists. The Realtime Blackhole List feature can be used to check external databases (DNSbl) for known spammer hosts or relays. A DNSbl (DNS Blacklist) works for IP addresses only. To add an RBL to the list of RBL Servers enter the RBL and click the Add button.

RBL Servers

Perform RBL checks

Use this to alter the settings of whether to perform RBL checks after recipient verification, when the message is confirmed to be deliverable, or before recipient verification

Bypass RBL checks

The Bypass RBL checks is a list of IP addresses or CIDR addresses that will be accepted, even if they fail an RBL test. This is to facilitate RBL false positives.

Whitelisted IP addresses

The Whitelisted IP Addresses table lists IP addresses and networks that bypass spam scoring tests.

Blacklisted IP addresses

The Blacklisted IP Addresses table lists IP addresses and networks that are rejected during the initial SMTP handshake and before the receipt of any of the message body.

Page 24

4 CLUSTERING

MAIL RELAY: SENDER CONTROLS Use the Sender Controls option in Relay System Settings > Relay Settings to alter SPF and blacklisted TLD settings.

The following table describes each of the fields: Field

Description

Sender Policy Framework

SPF allows the owner of a domain to use special DNS records to specify which machines are authorized to transmit e-mail for that domain. When receiving a message from a domain, the receiver can check the DNS records to make sure that the mail comes from locations that the domain authorizes. When Enabled messages that fail the SPF test will be rejected. This option is Disabled by default.

SPF Exemption IPs/Networks

Click “Add” to enter details of IPs/Networks that are exempt from SPF checks.

Blacklisted Top Level Domains

This section lists sender domains that are rejected during the initial SMTP connection. For example, use this section to block all mails from domains ending with .info or .biz

Page 25

4 CLUSTERING

MAIL RELAY: OUTBOUND SETTINGS

Use the Outbound section of System Settings > Relay Settings to alter the settings of mail in the outward direction

The following table describes the settings in the Outbound section:

Setting

Description

Hostname Of outbound relay(s)

Enter Hostname for the desired outbound relays here. This receives all the emails from your main mail server which are destined to the outside world and sends them to the appropriate outside mail servers. It is a good method of filtering emails that contain spam or viruses.

Trusted Networks

If you want to relay outgoing mail through SpamTitan you must specify the list of hosts and/or networks that are allowed relay mail. Use the Trusted Networks section on System Setup > Mail Relay page to configure these networks. The list of trusted networks is a list of network addresses or network/Netmask patterns specified in CIDR (Classless Inter-Domain Routing) format. The Page 26

4 CLUSTERING

Netmask specifies the number of bits in the network part of a host address. Note: The list is matched from top to bottom, and the search stops on the first match. Specify! pattern to exclude an address or network block from the list. In the example, above the trusted networks are local host (127.0.0.1), and the host 192.168.131.1. Any other client connecting from the 192.168.131.0/28 network (or any other network) will be prevented from relaying mail. Enable Smart Host

A Smart Host is a mail server which allows SpamTitan to send mail via an intermediate server instead of sending mail directly to recipient‟s servers. To enable a Smart Host click on the Enable button. It will then be possible to specify the Smart host, Smart host port number, and authentication settings. Select Yes in the Force TLS encryption dropdown to ensure that all traffic between SpamTitan and the Smart host is encrypted.

Enable SASL Authentication:

SMTP/SASL Authentication solves the problem of relaying messages from anywhere in the world via your SpamTitan server. If a mail client successfully authenticates itself providing username and password to SpamTitan, then that mail client will be permitted to relay mail. The credentials provided are compared against the user‟s credentials in an LDAP/Active Directory.

Hide Internal IP addresses:

Enable this setting to strip Received headers with internal (trusted) IP addresses from outbound mail.

TLS Encryption

To use a secure TLS encrypted channel to send outbound mail from all domains, enable TLS Encryption. By default, this enables a TLS usage policy of opportunistic TLS encryption for all connections. SpamTitan advertises and negotiates an encrypted channel with the peer for the SMTP connection. The encrypted channel is only used when the peer also supports it - hence the term opportunistic. The TLS usage policy lets you choose between:

 “Opportunistic TLS for all connections”  “Use TLS only for specified domains 

Page 27

4 CLUSTERING

MAIL RELAY: GENERAL SETTINGS The System Setup >Mail Relay page controls the SpamTitan settings for the postfix mail relay

The following table describes the settings in the General Settings section: Setting

Description

Hostname

This describes the fully qualified hostname of SpamTitan

Greeting Banner

The Greeting Banner is the text that follows the 220 status code in the SMTP greeting banner. The default value is $myhostname ESMTP $mail_name where $hostname expands to the fully qualified hostname of the appliance and $mail_name expands to Postfix.

Fallback SMTP relay(s)

The Fallback SMTP relay(s) is an optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. By default, mail is returned to the sender when a destination is not found, and delivery is deferred when a destination is unreachable. The fallback relays must be SMTP destinations. If you specify multiple SMTP destinations, SpamTitan will try them in the specified order.

Max message size

The Maximum message size setting applies to all incoming mails. If your backend server has a limitation on message sizes, you should set this ti the same or a lower limit here. A reasonable maximum setting would be 20 or 40 MB. Page 28

4 CLUSTERING

Queue Lifetime

Defer Queue Notification

The Queue Lifetime is the maximal time a message is queued for delivery before it is sent back as undeliverable. The default value is 5 days. Defer Queue Notification is the time after which the sender receives the message headers of mail that is still queued. Disable by entering 00 as value

Page 29

4 CLUSTERING

MAIL RELAY: SMTP CONTROLS The SMTP protocol has no built-in method for authenticating senders of emails, and as such spammers have employed a number of tactics for hiding their identities. Examples include spoofing the Envelope sender address on a message or using a forged HELO address. Some unsolicited commercial email (UCE) can be blocked here by applying strict SMTP checks. This will block some UCE software that violates the SMTP protocol.

The SMTP section of the System Setup > Mail Relay page allows you to manage the SMTP controls that are used to reject messages based on SMTP properties of the connection, and the originating IP address of the connection. These options allow you to screen messages before they have been downloaded to the appliance, thus saving on bandwidth and freeing the spam engine from processing messages, which could have already been identified as spam. The following table describes the Frontline Content Control settings: Setting

Description

Require HELO (EHLO)

Activate this option if you want SpamTitan to require that connecting clients send a HELO (or EHLO) command at the beginning of an SMTP session. Requiring this will stop some UCE software. This option is disabled by default.

Require Fully Qualified hostname Activate this option to reject a SMTP connection when the hostname in the client HELO (EHLO) command is not in fully-qualified domain form, as required by the RFC. Page 30

4 CLUSTERING

Reject HELO Hostname Restrictions This allows you to list HELO hostname entries that may be used by non-compliant (but legitimate) mail servers who do not adhere to the RFC. For instance if you are checking for HELO Fully Qualified hostnames and/or resolvable HELO hostnames, and a particular connecting mail server does not meet these requirements, then you can enter that clients HELO entry here to allow the connection to be accepted Note: The connection may still be rejected, if for instance, the client fails an RBL check or recipient verification check. Enforce RFC Compliance

Activate the Enforce RFC Compliance setting to control how tolerant SpamTitan is with respect to addresses given in the MAIL FROM or RCPT TO SMTP commands. If enabled, Postfix will require envelope addresses to be within angle brackets (<>) and without extraneous information as required by the RFC. Unfortunately, the widely-used Sendmail program tolerates lots of non-standard behaviour, so a lot of software expects to get away with it. As such, being strict to the RFC not only stops unwanted mail, it may also block legitimate mail from poorly-written mail applications. This option is disabled by default.

Require FQDN

Activate this option to reject connections if the address in the client MAIL FROM command is not in fully- qualified domain form or if the address in the client RCPT TO command is not in fullyqualified domain form

Reject Unknown Sender Domain

Activate this option to reject the connection when the sender mail address has no DNS A or MX record

Page 31

4 CLUSTERING

MAIL RELAY: GREYLISTING Greylisting is an anti-spam technique which will initially not accept an email from an unknown source but after some time it will eventually be accepted. Mail is identified by its Triplet. A Triplet is the CLIENT_IP / SENDER / RECIPIENT of the sending mail.

The idea behind Greylisting is that Zombie networks used by spammers will stop trying to resend their spam messages once the messages are rejected. If it is the first time that this triplet is seen or the time since the last triplet with the same details is less than the Mail Delay setting, then the mail gets rejected with a temporary error. Spammers or viruses will not try again later, as it is however required per RFC regulations for genuine mail servers to re-send. You can Enable or Disable Greylisting by clicking the Enable button (Greylisting is disabled by default). Auto-whitelist When this setting is enabled IPs that regularly send clean mail, can automatically get onto a whitelist that will bypass them from the greylisting test for all future mails. Note: Their mails will still be subject to all other spam tests that are enabled and Auto-whitelisted clients are not shown in the Client IP Exemptions table. The default auto whitelist counter is set to 5. This means SpamTitan must receive at least one clean mail from a different triplet over 5 different hours. You can change this number to anything from 1 and over, setting 0 will disable the auto-whitelist feature.

Page 32

4 CLUSTERING

Example of a Client IP that is added to the auto-whitelist Auto-whitelist setting is set to two Time 13:05 14:15

Client IP 1.2.3.4 1.2.3.4

Sender [email protected] [email protected]

Recipient [email protected] [email protected]

Different hours (√) same IP (√) different triplet (√) client IP is added to the auto-whitelist

Example of a Client IP that is not auto-whitelisted after two mails Time 17:27 17:54

Client IP 1.2.3.4 1.2.3.4

Sender [email protected] [email protected]

Recipient [email protected] [email protected]

Different hours (X) same IP (√) different triplet (√) client IP is not autowhitelisted as it did not satisfy all conditions Mail Delay specifies the amount of time (in seconds) to wait until accepting the same triplet as valid mail. This is automatically set to 300 (five minutes) but can be set to any number between 1 and one hour (3,600 seconds). Client IP Exemptions show a list of Client IP addresses to bypass Greylisting. CIDR‟s are accepted. Recipient Email Exemptions show a list of Email addresses to bypass Greylisting. Domains are accepted, entered as „test.com‟ without the at symbol.

Page 33

4 CLUSTERING

RATE CONTROLS The Rate Controls Policies feature in SpamTitan can be used to mitigate the effect of certain senders or sending servers from transmitting massive amounts of email due to possible malware infection. This is particularly important for compromised internal systems which are relaying mail outbound through SpamTitan, as going undetected; these outbreaks could lead to the appliance IP address ending up on RBL blacklists. In addition, it can also be used to ensure that a user, sending server or recipient domain remain within a specific limit of either messages or cumulative size for a certain period of time. Policies may be created to perform sender (based on envelope from address or IP address) or recipient based throttling on messages and/or cumulative message size per defined time unit. For instance, SpamTitan ships with sample policies (which are disabled by default) for rate limiting Inbound connections by tracking the number of connections from each external IP address, and rate limiting Outbound connections by tracking number of mails per sender email address during a 30 minute interval. If the threshold (default 50) is exceeded, then the message is deferred and logged in the History as Rate Controlled. The policies are implemented by assigning a time-based quota for a specific period, with usage during this period calculated using a sliding/rolling window model.

To enable the Policy based Rate Controls, click on the Enable button. The existing policies will then be displayed in order of priority - with lower priority policies having higher precedence. A policy matches when both the sender/recipient attributes both the policy source/destination. If more than one policy matches, the all policies will be tracked until a policy has Match Stops Processing set to Yes. To reorder the policies, click the

or arrow for the policy. Alternatively, you may reorder

Page 34

4 CLUSTERING

a policy rule, by setting it's priority when you edit the policy. To edit an entry for an existing policy, click on the icon in the Options column. The Edit Policy dialog is displayed. To delete an entry, click on the icon in the Options column, or alternatively, select one or more policies to delete by selecting the appropriate radio button(s), and click on the Delete button. To add a new policy, click on the Add... button. The Add Policy dialog is displayed. The entries on the Add/Edit Policy dialog are as follows: Field

Description

Policy Name:

Descriptive name for the policy.

Status:

Select ON or OFF to enable or disable this policy.

Source:

Source indicates where the message originates. Source can be one of: Any: Rule will apply to internal and external mail Internal: Originating from an internal network (as defined under System Setup -> Mail Relay -> Outbound External: Originating from and external network. From a specific domain: specify the sender email Address that should match this rule.

Destination:

Destination indications where the message is destined to. Destination can be one of: Any: To a specific domain: specify the recipient Domain that should match this rule. To a specific email address: specify the recipient Email address that should match this rule. Track specifies the attribute to maintain counters for. Track can be one of: Sender IP Address: If you select to track the sender IP address, you must specify a bitmask to apply to the sending servers' IP address, for instance /24. This will track the triplet through the entire /24 block. Sender Email Address: Each sender email address will be tracked separately Sender Domain: Each sender domain is tracked separately, and all email sent from these domains will be tracked and matched Recipient Email Address: Each recipient email address will be tracked separately Recipient Domain: Each recipient domain is

Track:

Page 35

4 CLUSTERING

tracked separately, and all email sent to these domains will be tracked and matched Match Stops Processing:

If set, when a policy matches, no further policy Rules will be processed.

Priority:

Priority to assign to the rule. All new policies default to the highest priority (1), will all other policies shifting down.

Rate Limit:

This specifies if the policy applies to Message Counts or Cumulative Message Size.

Count:

The message count threshold that the mails must exceed to trigger the rate control rule.

Size (Kb):

The cumulative size of the messages the mails must exceed to trigger the rate control rule.

Time Period:

If the rate limit threshold above is exceeded in the Time interval specified here, the message will be Deferred/rejected. Otherwise, the rule passes and The tracking counters updated. The time period Depends on the value selected below (seconds, minutes, hours). For example, if you enter 10 as the Time Period and select Minutes from the Time Period Unit drop-down list below, the time period lasts 10 minutes.

Time Period Unit:

The unit that the time period is measure in must be selected from the following options: Second, Minute, Hour. The value selected together with that entered above determines the time period.

Action:

This specifies the action to be taken when a rule matches and the rate limit threshold has been exceeded in the time interval specified. Action can be one of Defer Messages: Messages matching this rule will be deferred. The sender will receive a 4xx level error message instructing the mail server to retry after a predefined time interval. RFC compliant mail servers act upon the defer message and will try sending the message again later, while email from spambots will typically not retry sending the email again. SMTP Response: This is the response that is returned to the sender when a policy rule fires and a message is deferred or rejected.

Comment:

Optional comment to associate with this rule. Page 36

4 CLUSTERING

In a cluster, policy tracking occurs separately on each node. For instance, if the policy is to rate limit senders to 50 mails/hour and you have a two node cluster, each sender could send 100 mails/hour if both nodes are receiving mail in a round-robin fashion.

RATE CONTROLS: SMTP LIMITS The SpamTitan appliance Rate Control features provide protection against SMTP clients that make too many connections and/or too many connections in a small amount of time for example during a spam storm from a spambot. The appliance can limit the number of simultaneous connections from the same SMTP client, as well as the connection rate and the rate of certain SMTP commands from the same client. If the limits are exceeded, then further connections are deferred from that client until such time that they fall again below the thresholds.

Note:These limits must not be used to regulate legitimate traffic: mail will suffer grotesque delays if you do so. The limits are designed to protect the appliance against abuse by out-ofcontrol clients. Field Maximum Number of simultaneous Connections that an SMTP Server May Make The Maximum Number of Connections That an SMTP Server Can Make in a 60 many Second Period appliance

Description Here specify the maximum number of connections that an SMTP client may make. Default: 50. To disable this feature, specify a limit of 0. Here specify the maximum number of connections that SMTP client may make in a 60 second period. Default: 0 (disabled - i.e. a client can make as connections per 60 second time period as the can accept).

Maximum Number of Message Delivery Requests a That an SMTP Client May Make in a 60 Second Period

Here specify the maximum number of message delivery requests that an SMTP client may make in

Maximum Number of Recipient Addresses That

Here specify the maximum number of recipient addresses that an SMTP client may specify in a 60

60 second period. Default: 0 (no limit).

Page 37

4 CLUSTERING

an SMTP Client May Specify in a 60 Second Period

second period. Default: 0 (no limit).

RATE CONTROLS: SMTP CLIENT EXCEPTION SETTINGS Found at System Setup>Rate Controls, this aids the entrance of SMTP Client Exceptions

Rate Control Exceptions allow you to specify SMTP clients that are excluded from connection and rate limits specified above. By default, clients in trusted networks are excluded. (Specify a list of network blocks or IP/CIDR addresses)

MANAGING SYSTEM UPDATES SpamTitan is continually striving to improve its products. System Setup> System Updates allows you to keep up to date with the latest patches and functionality enhancements.

Periodic system updates are released from SpamTitan that may contain the following:  New features  Patches  Spam and Virus engine updates Page 38

4 CLUSTERING

 Security updates The following table describes the options on this page: Field

Description

Check for Updates Now

Click Start to check for and download any available system updates. A popup window will show the progress of the task. The download (if any) may take a few minutes depending on the size of the update. Please ensure that any pop-up blocking software does not block this new window, so you can monitor the progress of the update process.

Pre-Fetch System Updates

System Updates may also be automatically imported when they become available. Note that these imported update packages will not be immediately installed. They will be listed with other uninstalled updates under the Available Updates table

Frequency

This process can be run with a Frequency of hourly, daily (default), or weekly.

Administrator Email Address

Enter the email address of an administrator to be notified via email of new system updates that have automatically been pre-fetched.

Current System Revision

This lists the currently installed version.

Installed Updates

This lists all the updates that have been applied.

Available Updates

This lists all the updates that have been fetched, but which have not yet been installed. Always read the release notes before installing a new system update. To install an unapplied update, click the Install link for that update. Since System Updates must be applied in order, installing a package will also install lower- numbered (earlier revisions) packages automatically, if necessary. Note: System Updates uses FTP to retrieve packages. If SpamTitan is behind a firewall please ensure that FTP access is available. Page 39

4 CLUSTERING

Note: Mail Processing is disabled while installing a system update. Therefore you should apply system updates during non-business hour

SHUTTING DOWN THE APPLIANCE

The System Setup > Shutdown Restart page allows you to shutdown or reboots the application The following table describes the fields on this page: Field

Description

Uptime

The uptime shows how long the system has been running. Please note that after 497 days the uptime counter is reset to zero.

Load Averages

The load average shows the load average of the system over the last 1, 5 and 15 minutes respectively.

Actions

Select Logout to log out of the User Interface. Select Shutdown to shutdown and power off the appliance. This process will take approximately 2 minutes. After the complete shutdown you can safely switch off the appliance. All settings and configuration are saved on shutdown and restart. Select Restart to reboot the appliance. Select Reset to Factory Default to reset all configuration settings. Note: Access to the User Interface will be terminated after Shutdown and during Restart

Page 40

4 CLUSTERING

4

Clustering

SETTING UP A SPAMTITAN CLUSTER SpamTitan appliances can be clustered to provide load balancing and failover. This chapter explains how to set up a SpamTitan cluster and run reports on a cluster. Note that all non-local settings are automatically replicated across every node in the cluster, but can be individually changed by an administrator. To set up a cluster: 1. Install SpamTitan on each of the nodes that are to be included in the cluster. 2. Load a valid license on each node. Note: each license must be for an identical number of users (up to 100 users, for example). When using a Production License, the first node in the cluster must have an STP License and other nodes must have an STC License. Evaluation Licenses may also be used. 3. On the first node, navigate to the Cluster menu and enter the Shared Secret. Leave the Cluster Member blank and click Join.

4. Via the Cluster menu on the next node to be added, enter the Shared Secret and then enter the IP address of the first or primary node into the Cluster Member box. Click Join.

5. Repeat the steps for each additional node to be added.

Page 41

4 CLUSTERING

RESTRICTIONS AND CONSIDERATIONS The following restrictions and considerations should be noted prior to creating a cluster: 1. SpamTitan does not support geographically dispersed clusters. 2. Communication between nodes is via HTTP and, consequently, this should not be disabled on any of the appliances forming the cluster. 3. A minimum of 1 GB of memory per cluster node is recommended. 4. In the event that one or more nodes are unavailable, both quarantine reporting and cluster-wide reporting will be paused until such time as all nodes are again available.

Page 42

5 CONTENT FILTERING

5

Content Filtering

This chapter covers the configuration of the Virus detection engines, the Spam engine, and the message attachment filter.

CONTENT FILTERING: VIRUSES SpamTitan contains integrated virus scanning engines from ClamAV and Kaspersky. Virus scanning with Clam AV and Kaspersky Antivirus is enabled by default, with hourly checks for definition updates

CLAM ANTIVIRUS The Clam Antivirus is a powerful, fast, and most importantly accurate virus detection engine that uses a scalable multi-threaded daemon to scan for viruses and viruses. It has built in support for scanning within all archives and compressed files (and also protects against archive bombs).

KASPERSKY ANTIVIRUS SpamTitan ships with Kaspersky virus scanning engine. You activate the key when you enable Kaspersky on the Content Filtering > Viruses page. Once the Kaspersky virus scanner is enabled it will be used in parallel with the Clam Antivirus engine to detect viruses.

Page 43

5 CONTENT FILTERING

ENABLING VIRUS SCANNING AND CONFIGURING GLOBAL SETTINGS

Use the Content Filtering > Viruses page to configure the appliance to scan messages for viruses and specify the virus notification settings. If enabled, virus scanning is performed prior to anti-spam scanning. The table below describes the global filtering options:

Virus Filtering Options

Description

Virus Filtering (ON/OFF)

When virus filtering is enabled, all emails are screened for unwanted content like viruses and Trojan horses. Note: You can enable/disable virus checking for individual users and/or domains by modifying the policy for that user/domain. Virus Filtering is enabled by default.

Notify Intended Recipient

Enable this option if you want to notify the intended Recipient of a virus infected message that their email was blocked via an email notification message. The recommended setting for this is disabled.

Notify Administrator

If you also want to notify an Administrator of a virus then enable this option and enter the email address of the administrator.

Stop scanning if virus detected If both the ClamAV and Kaspersky Antivirus engines are scanning messages enabling this option will cause SpamTitan to not wait for the second (slower) engine to finish. This option is disabled by default.

Page 44

5 CONTENT FILTERING

MANAGING VIRUS DEFINITION UPDATES The Clam Antivirus engine is the default Antivirus engine for SpamTitan when virus checking is enabled.

Content Filtering > Viruses allows you to manually update the virus definition files and change the frequency of the checks. The following table describes the Clam Antivirus Update Settings: Clam Antivirus Update Options

Description

Database Last Update

Display when last Clam Update applied

Database Version

Displays the version of Clam that is currently running on SpamTitan together with the revision number for the latest definitions and when these definitions were produced

Update Now

Click Start for retrieval and installation of the latest ClamAV virus definition file

Enable Automatic Updates

Determines whether ClamAv virus definitions are automatically retrieved and applied. Recommended Setting is ON. Click Disable to disable automatic updates.

Page 45

5 CONTENT FILTERING

The Kaspersky Antivirus engine is an optional virus scanner that may be run in parallel with ClamAV to provide dual-layer virus protection. The following table describes the Kaspersky Antivirus Update Settings: Kaspersky Antivirus Update Options

Description

Status

Determines if Kaspersky antivirus is enabled or not

Expiration Date

Displays when the Kaspersky license will expire. When the license expires no more updates will be retrieved.

Database Last Update

Displays when SpamTitan last applied the Kaspersky definition updates.

Database Version

Displays the version of Kaspersky that is currently running on SpamTitan together with the revision number for the latest definitions.

Update Now

Click Start to check for, retrieve and install the latest Kaspersky virus definition file.

Enable Automatic Updates

Determines if Kaspersky virus definitions are automatically retrieved and applied. Recommended setting is ON. Click Disable to disable automatic virus updates.

Frequency

Determines the frequency with which SpamTitan will check for updates. Hourly is recommended.

Page 46

5 CONTENT FILTERING

CONTENT FILTERING: SPAM SpamTitan uses a multi-layered approach to eliminating spam at the email gateway. This cocktail approach of determining if a message is spam ensures that there are a minimum number of false positives (i.e. clean mail misclassified as spam). A spam score is assigned to each message which is calculated by combining the scoring from each layer of the message. The following tests are performed on each message:       

Harvesting/Dictionary attack protection Collaborative Spam Fingerprint checks RBL tests SURBL tests Bayesian Analysis Rule based spam scoring Whitelist/Blacklist filters

You can see a messages spam score in the Reporting message history page of the user interface. It can also be see in the X-Spam-Score and X-Spam-Status messages that are added to all inbound mail messages.

ENABLING SPAM SCANNING AND CONFIGURING GLOBAL SETTINGS

Use the Content Filtering > Spam page to configure the appliance to scan messages for spam and specify the spam notification settings.

The following table describes the Spam Filtering options: Spam Filtering Options Spam Filtering (ON/OFF)

Description When virus filtering is enabled, all emails are screened for spam.

Page 47

5 CONTENT FILTERING

Note: You can enable/disable spam scanning for individual users and/or domains by modifying the policy for that user/domain. Spam Filtering is enabled by default. Bypass analysis for mails larger than (kb) messages.

Notify Administrator

Send NDR (Inbound)

Send NDR (Outbound)

Spam messages by their nature are typically small To save on CPU resources there is no need to scan messages above a certain size. The spam scanning engine is not called when the message body is greater than 128kb (default). If you also want to notify an Administrator of a spam then enable this option and enter the email address of the administrator. This option is disabled by default. Enable to send Non Delivery Reports (NDRs) to senders when the appliance blocks spam messages This will send an NDR to external senders. As sender addresses are easily spoofed enabling these settings can lead to backscatter. Backscatter occurs when a bounce message is delivered to an innocent user from whom the spam message did not originate, and may lead to increased load on the appliance. Enable to send Non Delivery Reports (NDRs) to senders when the appliance blocks spam messages. This will send an NDR to internal senders. As sender addresses are easily spoofed enabling these settings can lead to backscatter. Backscatter occurs when a bounce message is delivered to an innocent user from whom the spam message did not originate, and may lead to increased load on the appliance.

Page 48

5 CONTENT FILTERING

SPAM RULE UPDATES Content Filtering > Spam > Spam Updates allows you to manually update the current spam definitions, as well as change the interval that SpamTitan checks for updates.

The following table describes the Spam Updates fields: Field

Description

Rules Last Update

Displays when SpamTitan last updated the spam rule definitions.

Update Now

Click Start to check for, retrieve and install the latest SpamTitan anti-spam rule definitions

Enable Automatic Updates

Determines if SpamTitan anti-spam rule definitions are automatically retrieved and applied. Recommended setting is ON. Click Disable to disable automatic spam rule updates.

Frequency

Determines the frequency with which SpamTitan will check for updates. The recommended setting is daily – ensuring that your appliance is always up-to-date with the latest spam rule definitions.

CONTENT FILTERING: ATTACHMENT FILTERING The Attachment filter facility can reject or quarantine mails which contain certain types of files based on their extensions (e.g. executable files) and/or their MIME types. If any mail part matches, the whole mail is rejected. The Attachment filters can identify file attachments using a number of different methods, and also automatically scans compressed archive files: Extension Filters: Using the messages MIME headers, the attachment filter can extract each file attachments extension, and apply filter decision based on the listed extensions. This will not recognize files correctly if the sender modified the filename. For example, if a win32 executable has been renamed photo.jpg, a exe extension will not detect it. For cases like this it is necessary to also use the File Type Filters and/or MIME Type filters. You may also select the Scan Double Extensions to identify files which may have been Page 49

5 CONTENT FILTERING

renamed in an attempt to obfuscate their true identity. Double extensions are often used to trick users into opening malware. Often mail clients such as Outlook may hide the second extension so filename.gif.exe may appear as an ordinary filename.gif file. Only alpha numeric characters are allow for filename extensions.

File Name Filters: Using the messages MIME headers, the attachment filter can extract each file attachments filename, and apply the filter decision based on the listed filenames. Use the asterisk sign (*) to match zero or more characters; use the question mark sign (?) to match a single character. For instance, to filter all executable attachments that include the word sample, create a filter *sample*.exe.

File Type Filters: SpamTitan will scan each attachment to determine its file type. If this matches any of those listed in the File Type Filters table, then the message will be filtered accordingly. This is useful in preventing users changing an attachments extension in order to try and circumvent the filters. For instance, an executable attachment will get blocked even if the file itself has a .txt extension.

The following file types are recognized: Page 50

5 CONTENT FILTERING





txt: ASCII text file pgp: PGP file jpg: JPEG image file gif: GIF image file png: PNG image file tif: TIFF image file pcx: PCX image file bmp: PC bitmap file  mp3: MP3 file avi: AVI file wav: WAVE audio file swf: Macromedia Flash file html: HTML document xml: XML document file sgml: Exported SGML document ps: Postscript file pdf: PDF file rtf: Rich Text Format file doc: Microsoft Office file lat: LaTeX file dvi: TeX DVI file  java: Compiled Java class file  url: MS Windows 95 Internet shortcut gz: gzip compressed file  lzo: lzop compressed file  Z: compressed file  zip: Zip archive  rar: RAR archive  lha: LHa archive  arc: ARC archive  arj: ARH archive  zoo: Zoo archive  tar: GNU/POSIX tar archive  cpio: ASCII cpio archive  rpm: RPM file  tnef: Transport Neutral Encapsulation Format (TNEF) file  cab: Microsoft cabinet file  uue: uuencoded file hqx: binhex file asc: ASCII file  exe-ms: MS-DOS or MS Windows executable  exe-unix: Unix (RISC, ELF, COFF) executable  exe-vms: VMS executable  exe: MS-DOS, MS Windows, VMS or Unix executable Page 51

5 CONTENT FILTERING

Mime Type Filters: The Mime Type is the file type as reported in the MIME ContentDisposition and Content-Type headers, both in their raw (encoded) form and in rfc2047decoded form if applicable. It consists of a general type and a specific type indicator; for instance image/png, video/avi or text/html.

Compressed Archive File Scanning: The attachment scanner will automatically scan files inside of compressed archive files such as .zip and .gz files. For each of the Extension, File Name, and File Type filters, you can specify if the filter should apply to files contain in archives or not using the Scan Archive setting.

Password Protected Archives: Password protected archives are archives (zip, bz2, tar, etc) which require a password in order to open, and as such cannot be inspected for viruses. Specify to allow, block or quarantine password protected archives. If you choose to allow password protected archives, then you may prepend the subject with a tag containing the contents of the Modify Subject field. Leave empty to leave the subject unmodified. Note: Modification of the subject will only occur if the recipient is local.

A mail containing attachments will only be blocked as containing a banned attachment if the attachment, or any of its decoded components, match the listed filters. Before creating filters, use the Attachment Filtering option, to Enable filtering. The creation of attachment filters is always performed at the global level; however domain and/or user policies can further control if attachment filtering should be applied for that domain or user, and what action to be performed if a banned attachment is discovered. If you want to notify the intended Recipient of blocked mails due to banned attachment filtering then Enable the Notify Intended Recipient option.

Page 52

5 CONTENT FILTERING

To edit an entry for an existing attachment filter, click on the icon in the Options column. The Edit Filter dialog is displayed. To delete an entry, click on the icon in the Options column. To create a new attachment filter, click on the Add... button. The Add Filter dialog is displayed. Each different filter type in this section has largely the same settings the differences will be mentioned in the below table. The entries on the Add/Edit Filter dialog are as follows: Field

Description

Extension/ File Name/ File Type/ Mime Type

Filter extension, filename, filetype or mime type.

Inbound Action

The action to take for inbound messages that match this filter. Options available are: Allow: Allow the message. Block: Block the message. The domain or user policy will dictate if the message is quarantined. Ignore: Perform no filtering.

Outbound Action

The action to take for outbound messages that match this filter. Options available are: Allow: Allow the message. Block: Block the message. The domain or user policy will dictate if the message is quarantined. Ignore: Perform no filtering.

Scan Archives

Indicates if the filter should match files contained within compress archive files.

Scan Double Extensions

Indicates if the filter should match files containing multiple extensions. For instance, an attachment report.txt.exe or image.png. exe (note the spaces) would match an extension filter for exe if this option is enabled.

Comment

Comment field for filter.

extension (e.g. .txt) in the hope of getting past attachment filters NOTE: Click Apply after making any changes to save and apply your changes.

Page 53

5 CONTENT FILTERING

CONTENT FILTERING: CONTENT FILTERING The Content Filters feature in SpamTitan allows you to create custom content filters for both inbound and outbound email, and take an action on any messages that contains that content. For example, you can use the Content Filters to redirect all messages containing a particular pattern in the subject to an encryption server. Note: Each message header or message body line is compared against the content filter rules line by line. When a match is found the corresponding action is executed, and the matching process is repeated for the next message header or message body line.

Note: Message headers are examined one logical header at a time, even when a message header spans multiple lines. Body lines are always examined one line at a time. The Content Filtering page shows a list of all predefined and custom content filters that may have been created. To edit an entry for an existing content filter, click on the icon in the Options column. The Edit Filter dialog is displayed. To delete an entry, click on the icon in the Options column. Note: it is not possible to delete predefined content filters. To create a new custom content filter, click on the Add... button. The Add Filter dialog is displayed. The entries on the Add/Edit Filter dialog are as follows: Field

Description

Filter Name

Descriptive name for the filter policy.

Status

Select ON or OFF to enable this filter policy.

Filter Expression

Create/edit a filter rule where the message content for the specified location: Stars with: Begins with the specified value. Page 54

5 CONTENT FILTERING

Ends with: Ends with the specified value. Contains: Contains the specified value. This option will match whole words and parts of words. For example, if the value specified is sex, and the rule is to applied to the message body, if the body contains the word sex or unisex then the rule will match. To match messages with just the word sex, without matching unisex use the matches any word in or the matches regular expression filter options. Equals: Contains only the specified value. For example, if the value specified is Free hotel rooms and the filter is to be applied to the Subject: header, then the filter will match only if the subject contains the text Free hotel rooms, and no other text. Matches any word in: Contains any of the words listed in the specified value. Separate words with spaces. Matches regular expression: Matches the specified regular expression value. See Using Regular Expressions below, for more information on writing regular expressions. Value

Enter the content which should be scanned for in messages. If you selected a filter type of starts with, ends with, contains text, equals or matches any word in: The value must be a word or phrase. The value is not case sensitive. If you selected a filter type of matches regular expression: The value can be a regular expression. Use regular expressions to scan messages for text patterns rather than specific words or phrases. The regular expression syntax is validated as you type. If the syntax is invalid, then the Value field containing your regular expression will be highlighted in red. See Using Regular Expressions for more information on writing regular expressions.

Test Filter

Enter sample message text here to test if your filter expression is correct and matches. If the filter rule matches the text entered, then then Test Filter field will be highlighted in green .escriptive name for the filter policy.

Page 55

5 CONTENT FILTERING

Apply to Body

If you want the rule to apply to the body of the message, select this checkbox.

Apply to Headers

If you want the rule to apply to the message headers, select this checkbox and enter the headers that the rule should apply to. For instance, if you want the rule to apply to the Subject, enter Subject, or Subject. The rule will match if it is found in any of the specified headers. If you want the filter rule to be applied to all headers, then leave this field blank.

Inbound/Outbound Action

The Inbound/Outbound action specifies the action to be take on a message that matches the filter rule. You can specify different actions for both inbound and outbound messages. The following actions are available: Delete: Discards the message, with no notification to the sender or recipient. Redirect to Relay: Route/relay the message to a different SMTP relay host. For the Relay field, enter the fully qualified hostname or IP address of the relay host. Specify a domain, host, host:port, [host]:port, [address] or [address]:port; the form [host] turns off MX lookups. Redirect to User: Route/redirect the message to the specified email address. In the User field, enter the email address of the intended recipient. The message will be sent to this address instead of the intended recipient(s). Note: this action affects all recipients of the message. Bounce: Reject the message. Sender will receive a bounce message. Whitelist: Send the message to the intented recipient(s) bypassing all spam checking. Quarantine: Quarantine the message. The message will not be delivered. Off: Disable the rule.

Two predefined content filters for Data Loss Prevention (DLP) are included: Credit Card Numbers: Use this filter to scan messages for content matching credit card numbers. Messages containing Visa, Mastercard, Discovery, American Express or Diners Club card numbers will be subject to the chosen action. Social Security Numbers: Use this filter to scan messages for U.S. social security numbers. Messages containing social security numbers matching the pattern nnn-nn-nnnn will be subject to the chosen action. The pattern checks for valid social security numbers by ensuring that the pattern cannot contain a group of digits that are all 0s, such as in 000Page 56

5 CONTENT FILTERING

11-1111, 111-00-1111, or 111-11-0000. The filters are designed to match most formats for representing credit card numbers and social security numbers. However, since numbers can be formatted in multiple ways, the filter patterns may not catch all messages that contain credit card numbers or social security numbers. In addition, since the pattern looks for specific patterns of numbers, it is possible that numeric patterns that are not credit card numbers or social security numbers may be matched. Using Regular Expressions Regular expressions are a standard tool used in many scripting languages and provide a powerful pattern matching tool to allow creation of filters that can match patterns of text rather than only single words or phrases. Regular expressions consist of a combination of special characters called metacharacters and alphanumeric text characters. The Content Filtering in SpamTitan uses Perl Compatible Regular Expression (PCRE) regular expressions. For more detailed information on syntax see: www.regular-expressions.info www.pcre.org The following examples show the use of some simple regular expression constructs. To match email from a specific domain Match Criteria Regular Expression Details

Match any email address form the domains example.com and example.net (\W|^)[\w.+\-]{0,25}@example\.(com|net)(\W|$)

      

\W matches a non-alphanumeric character. It prevents the regular expression from matching characters before or after the email address. ^ matches the start of a line. $ matches the end of a line. [\w.+\-] matches any word character (in the range 0-9, A-Z and az), a period, a plus sign or a hyphen. The \ character escapes the period and the hyphen to indicate that these should not be treated as metacharacters. {2,30} matches when the preceding character occurs at least 2 times but not more than 30 times, for example, fo{1,2}bar will find fobar and foobar but not fooobar. The brackets group com and net, and the | that separates them indicates that they are conditional.

Page 57

5 CONTENT FILTERING

To match a string containing IP addresses in the 192.168.1.0/24 netblock Match criteria Regular Expressi on Details

Match any IP address in 192.168.1.0/24 CIDT address (i.e. 192.168.1.0192.168.1.255 (\W|^)192\.168\.1\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([04][0-9]|5[0-5]))(\W|$)     

\W matches a non-alphanumeric character. It prevents the regular expression from matching characters before or after the IP address. ^ matches the start of a line. $ matches the end of a line. The \ before each period escapes the period, indicating that the period is not a regular expression metacharacter. For the final octet of the IP address we must match 1-255; The | character seperates the various options. o [1-9] o [1-9][0-9] o 1([0-9][0-9]) o 2([0-4][0-9]|5[0-5])

Page 58

6 ANTI-SPAM ENGINE

6

Anti-Spam Engine

Anti-Spam Engine > Settings page allows you to manage the general settings for the anti-spam engine.

SETTINGS: NETWORK TESTING SpamTitan uses a number of network based tests when determining the spam score for a message.

Razor and Pyzor are distributed, collaborative, spam detection and filtering networks that uses statistical (e.g. volume of recipients) and randomized fuzzy checksums to efficiently spot mutating spam content. These databases are continuously updated with new spam messages. Both checks are enabled by default.  

Razor: requires outbound access to TCP port 2703. Pyzor: requires outbound access on TCP and UDP port 24441.

Realtime Blackhole Lists (RBLS) are used to check if an incoming message has passed through one or more machines which are blacklisted as spam sources or relays. These DNS blocklists are a common form of network-accessible database used in spam detection. Unlike the RBLs used by the MTA, the results of these checks simply contribute to the final spam score for a message. RBLs require DNS access which must be available. Note: Network tests all require access to their servers through your firewall in order for these tests to operate. See Appendix A – Firewall Information for more information on what ports may need to be opened on your firewall for proper operation.

Page 59

6 ANTI-SPAM ENGINE

Click the Check button to check access to these network services. Note also that the remote Pyzor and Razor servers may be temporarily unavailable. If this happens and these tests are enabled then there will be a short delay in the processing of each message while these services timeout (10 seconds).

Page 60

6 ANTI-SPAM ENGINE

SETTINGS: INTERNAL NETWORKS The Spam engine will automatically attempt to figure out which Received: headers were inserted by trustworthy mail servers or relays, and which were not. This allows it to optimize RBL lookups, detect when mails never left a trusted network path, and increase spam scoring accuracy.

Internal Networks should include all hosts that act as an MX for your domains, or that may deliver mail internally in your organization. If SpamTitan is the MX for your organization then you may leave this as the default (127.0.0.1). For instance, if mail entering your organization is first processed by another server before being relayed to SpamTitan then it should appear in this list. Also if an internal mail server is relaying mail out of your organization then its IP address should appear in the list. Entries may be specified as a single host or as a network specified in CIDR (Classless Inter-Domain Routing) format.

SETTINGS: BAYESIAN DATABASE

SpamTitan contains a Bayesian classifier which tries to identify spam by looking at what are called tokens; words or short character sequences that are commonly found in spam or clean messages. For instance, if the Bayesian database has learned 100 messages with the phrase penis enlargement, the Bayesian code is pretty sure that a new message that contains that phrase is spam and as such raises the spam score of that message.

Page 61

6 ANTI-SPAM ENGINE

The following table explains the various Bayesian Database settings that are found on the Anti-Spam Engine > Settings page: Field

Description

Bayesian Analysis default.

Shows if Bayesian analysis is enabled. Enabled by (ON/OFF)

Spam Messages

This field indicates the number of mail messages that have been learned as spam by the Bayesian classifier.

Ham Messages

This field indicates the number of mail messages that have been learned as clean messages by the Bayesian classifier.

Tokens

This is the total number of individual tokens that the Bayesian classifier has learnt.

Oldest Token

Indicates the date of the oldest token in the Bayesian database.

Newest Token

Indicates the date of the newest token in the Bayesian database.

Last Expired

Indicates when tokens were last expired from the database.

Auto Learning (ON/OFF)

If auto learning is enabled the anti-spam engine will Page 62

6 ANTI-SPAM ENGINE

automatically feed high-scoring (or low-scoring mails for non-spam) into the Bayesian classifier. If auto learning is disabled then messages will only be learned when users confirm spam from their quarantine reports or release messages (false positives). Auto Learning is Enabled by default. Non-spam Threshold

This field indicates the score threshold below which a message has to score before the anti-spam engine will feed it into the Bayesian classifier as a clean message. Default is 0.1.

Spam Threshold

This field indicates the score threshold above which a message must score before the anti-spam engine will feed it into the Bayesian classifier as a spam message. Default value is 10.0. Note: The spam engine requires that the message score at least 3 points from the message headers and 3 points from the message body to auto learn the message as spam. Therefore the minimum working value for this setting is 6.

Force Bayesian Expire

In order to prevent the Bayesian database from growing too big, tokens are automatically expired from the database when certain criteria are met:

    

The last expire was attempted at least 12 hours ago. The number of tokens in the database > 100,000  There is at least a 12 hour difference between the oldest and newest token times. Use this option to force an expiry attempt of the Bayesian database, regardless of whether it may be necessary or not. The above criteria will be used to decide if tokens are actually expired or not.

Reset Bayesian Database

This option resets the Bayesian database and clears the database of all tokens.

Passive OS Fingerprint

Provides the ability to identify the connecting SMTP client operating system and to reward or penalize messages originating from specified operating systems.

Page 63

6 ANTI-SPAM ENGINE

SETTINGS: PENPALS SOFT WHITELISTING

Penpals soft-whitelisting lowers the spam score of received replies to a message previously sent by a local user to this address. This can be useful in preventing potential false positives from email addresses that users are in frequent contact with. When a message is received, SpamTitan checks if a message was sent in the reverse direction, i.e. from a local user (which is now a recipient of the current mail) to the address that is now the sender of the message being processed. If any such message exists, then the age (seconds since the most recent message) is used to calculate an exponential decay score to be deducted from the spam engine score. The more recently the message has arrived the bigger the decay Note that penpals soft-whitelisting aids incoming mail, and internal-to-internal mail, but has no effect on outgoing mail. The following table describes the file extension settings: Field

Description

Use Penpals

Indicates if penpals is enabled or not. Default is OFF. If you are using SpamTitan to process outbound email, then it is recommended to enable penpals.

Penpal bonus score

This field indicates the maximum score deducted when a message is received from a penpal (i.e. when the sender is known to have previously received mail from our local user from SpamTitan). A setting of zero (0) will disable the penpals feature. Default is 3.

Page 64

6 ANTI-SPAM ENGINE

SETTINGS: OPTICAL CHARACTER RECOGNITION

The use of Optical Character Recognition software allows SpamTitan to scan embedded images in email and protect from image-only based spam, which may otherwise go undetected. By using OCR, SpamTitan can use the text contained within an image to assign a spam score to the message. OCR scanning can be quite CPU intensive, and as such the use of OCR will add a couple of seconds to the processing time for each message which contains an embedded image. For busy servers with scarce system resources it may be desirable to disable OCR scanning.

SETTINGS: BOTNET ANALYSIS

When enabled, DNS validation is performed on the first relay looking for signs of a potentially botnet infected host. For example, no reverse DNS, a hostname that would indicate an ISP client, or other hosts that aren‟t intended to be acting as a direct mail submitter outside of their own domain.

SETTINGS: PASSIVE OS FINGERPRINTING

Passive OS Fingerprinting is a plug-in which allows SpamTitan to identify the operating system of the connecting SMTP client with reasonable accuracy. Most spam originates from the compromised Windows desktop systems. It is called passive since SpamTitan simply sniffs the network traffic as it goes by. This allows us to penalize Windows XP operating systems and reward unix operating systems. While OS fingerprinting can never be completely accurate, it does a very good job at Page 65

6 ANTI-SPAM ENGINE

identifying most Windows SP systems. Note, however that NAT routers and firewalls can make some systems unidentifiable. Also, SpamTitan will only be able to identify the OS of the last hop client- so if a spam message is relayed through one of your own relays before reaching SpamTitan, then the results would be those of the relay and not the originating SMTP spam client

SETTINGS: PERFORMANCE TUNING

The number of SMTP Processes determines how many parallel processes can be run to process mail. The default of 5 processes is suitable for most organizations, however for some organizations with a large throughput of email may need to increase this setting. Each process consumes quite a bit of memory, so the memory available can determine how may processes you can run before swapping occurs. If you increase this setting too high and the appliance starts swapping, or the load regularly goes beyond 3 then you should decrease this setting. Going beyond 10 usually brings no more improvement in overall-system throughput, it just wastes memory and could possibly degrade performance

SETTINGS: LANGUAGE OPTIONS

The language and locale settings on the Anti- Spam Engine > Settings page allows you to specify which languages and locales (country codes) are considered OK to receive mail from.

The following table describes the language options: Page 66

6 ANTI-SPAM ENGINE

Field

Description

Allow All Languages

This field specifies which languages are considered OK to receive email from. Mail using character sets used by these languages will not be marked as possibly been spam in an undesired language. The default value is to allow all languages. Note: The language cannot always be recognized with sufficient confidence, in which case no score will be assigned to that test.

Allow All Locales

This field specifies which locales (country codes) are considered OK to receive email from. Mail using character sets used by languages in these countries, will not be marked as possibly being spam in a foreign language. If you receive lots of spam in foreign languages, and never get any non-spam in these languages, this may help. Note that all ISO-8859-* character sets, and Windows code page character sets are always permitted. The default value is to allow all locales.

Page 67

6 ANTI-SPAM ENGINE

ANTI-SPAM ENGINE: DOMAIN POLICIES SpamTitan contains extensive content scanning and message filtering capabilities that allows you to enforce corporate policies on all messages that enter or leave your organization on a per-domain or per-recipient basis.

For each new domain that is added a default policy is automatically created. Therefore any mail to a user within that domain will use the policy for that domain; although a different user based policy may be created for users. Anti-Spam Engine > Domain Policies allows you to manage the per-domain policy settings. These domain settings will be inherited by all users in those domains. The following table describes the domain policy settings:

Field

Description

Select Policy

Select from the drop-down list a domain policy to manage. A policy exists for all domains created plus a policy for outbound mail.

Spam Filtering (ON/OFF)

Specifies whether spam filtering is enabled for the selected domain.

Consider mail spam when score is greater than

This is the anti-spam engine scoring threshold above which mail is considered to be spam. Default: 5.

Spam should be…

These are the actions that should be performed when a message is classified as spam:

Page 68

6 ANTI-SPAM ENGINE



Quarantine: The message is accepted but quarantined. It will appear in the Quarantine Report of the recipient(s) and may be later released from the quarantine if it is deemed by the user to be a false positive.  Passed (Tagged): The message is analyzed as normal, but will be passed onto the end recipient(s) regardless. However, headers will be added to the message so that it will be possible to filter messages on the backend mail server and/or on the end-recipients Mail User Agent (MUA). You may also prepend text to the Subject header, indicating that the message has been identified as spam. Enable Spam Modifies Subject and specify an appropriate Spam Subject Tag.  Reject: The message will be rejected. The default action is to quarantine all messages that exceed the spam threshold. Add X-Spam headers to non-spam mails (ON/OFF)

Specifies if addition headers are added to the message indicating the result of the spam analysis. The headers added are:  X-Spam-Status: This will show if the message exceeded the spam threshold and the score that it achieved. It will also list what rules where fired by the anti-spam engine.  X-Spam-Score: This simply lists the spam score achieved. Note: These headers are only added to inbound messages. If you process out-bound messages then these headers will not be added.

Virus Filtering (ON/OFF)

Specifies whether virus filtering is enabled for the selected domain. Virus Filtering is enabled by default.

Viruses should be…

These are the actions that should be performed when a message is identified as containing a virus. See spam actions above for a description of these actions.

Attachment Type Filtering (ON/OFF)

Specifies whether the corporate message attachment policy will be applied to messages to recipient in the selected domain. See “Content Filtering” on page 49 for more details on scanning for banned attachments. Default is Enabled.

Page 69

6 ANTI-SPAM ENGINE

Banned Attachments should be …

These are the actions that should be performed when a message is identified as containing a virus. See spam actions above for a description of these actions. Default action is Quarantine.

Archive Clean Mail (ON/OFF)

Enable this setting to store all clean messages received by this domain in the history. By going to Reporting > History and viewing and clicking on a clean mail, you have the following options. Release, Whitelist sender, delete message, forward to quarantine administrator and mark message as spam.

Email Quarantine Report (ON/OFF)

This field specifies whether quarantine reports should be generated for recipient in this domain. A quarantine report will be generated for each recipient who has had messages quarantined.

Language

Select which language you would like your reports to be written in. Recipient may change the language of their report by logging into the UI and changing their preferences.

Email Report every

Select the frequency of the quarantine reports. Reports may be generated every day, every weekday, every Friday, or every month. Recipient may change the frequency of their reports via the options section of the quarantine report, or by logging into the UI and changing their preferences.

Report contains

The quarantine report may contain a list of all items that are currently quarantined for each user or new quarantined items since the last report was generated (default) both of these can be viewed with or without virus infected emails included. Again, the user may change this via the options section of the quarantine report. If a user has no quarantined messages (or no new quarantined messages since last report) then no report will be delivered to them.

Exclude spam mails scoring above

Usually spam messages scoring above a certain score can be unequivocally be deemed spam and users are only interested in those messages that just fell above the spam threshold to look for false positives. If users get a significant amount of spam, then to keep the report size manageable you can exclude spam messages above, for example 30. This setting is set to 999 by default, meaning that no messages will be excluded (as a message cannot score that high).

Page 70

6 ANTI-SPAM ENGINE

Domain Administrators

Select administrators on a per-domain basis, enabling them to manage elements of their own email including license counts, mail usage and reporting.

ANTI-SPAM ENGINE: USER POLICIES By default, each recipient email address will inherit the policy as set for that domain. There are a number of circumstances where this policy can change however. For instance, if the domain policy for example.com specifies that quarantine reports are sent every weekday, then [email protected] could change their report preferences so that the quarantine report is only delivered weekly. A user can make this change either via their quarantine report or by logging into the web interface. The Anti-Spam > User Policies page shows those addresses that have a specific policy that may be different from the domain policy.

The following table describes the User Policy settings: Field

Description

Search by Domain

Use this dropdown list to filter email addresses by domain that have a user policy.

Search by Email

Use this dropdown list to filter email addresses within alphabetically ranges that have a user policy.

Show All

Shows all email addresses for which a user policy exists.

Add User(s)

Click the Add User(s) button to create a policy for specific email addresses. Enter 1 email address per line, specify the policy and click the Save button. See AntiSpam Engine: Domain Policies on page 47 for a description of all the policy settings.

Page 71

6 ANTI-SPAM ENGINE

Note: You can lock a user policy by enabling the lock policy option. This prevents changes to the domain policy been inherited by this user policy. Modify

Click the Modify button to modify the multiple user policies by selecting the checkboxes to the left of each user policy. You may also modify an individual policy by clicking the Edit link

Delete

Click the Delete button or the Delete link to remove a user policy. When you delete a user policy mail addressed to that recipient will use the domain policy for that users domain.

Impersonate

Click this button to view what specific users will be able to access and do when logged onto the GUI

ANTI-SPAM ENGINE: ROLES AND PERMISSIONS By default, each recipient email address will inherit the policy as set for that domain. From this section you can create and modify which pages administrators, domain administrators and users have access to when they log into the GUI; each sub section allows you to create varying roles for each of these types of users.

Page 72

6 ANTI-SPAM ENGINE

FILTER NAME: Name User Count Default Role

Filter policies by name The name of the policy How many users have this role assigned to them When a user admin or domain admin is created, they will automatically be given the role with default role listed as Y; in each case this is the inbuilt role added to the system and cannot be changed.

Options

Clicke the to edit the role; click the to delete the role. Click to create a new role, each role must allow at least one page to be accessible. The sections for Administrator, domain administrators and users are identical; the differences are when you create or edit a role the amount of pages you can open up to them. Add

Click Allowed or Denied beside a section‟s name to grant or block members of this role from accessing that section. You can allow and deny sub tabs by clicking on the (plus symbol) beside the section name to see the subsections within it. Each role must be allowed to access at least one page. Administrators can be allowed to access up to the entire product.

Domain administrators have fewer options and can only access pages for their own domains.

Page 73

6 ANTI-SPAM ENGINE

Users can be allowed access to a more limited amount of pages still and only relating to their own user policy.

Users with multiple roles can change which one they are viewing the GUI under by clicking their role name at the top of the page. This will bring down a dropdown menu of available roles to switch to.

ANTI-SPAM ENGINE: ADMINS Admins

From here you can view and create as many custom administrators as you wish, the access rights of custom administrators are determined by the role applied to them.

Page 74

6 ANTI-SPAM ENGINE

You may also view domain administrators, though they must be added from the „Anti Spam Engine > Domain Policies‟ tab.

ANTI-SPAM ENGINE: DOMAIN GROUPS Here you can create collections of domains so that multiple ones can be managed by a special domain group administrator. Click 'Add...' to create a new Domain Group.

To assign an administrator to the group go to the Anti-Spam Engine > Admins > Domain Group Admins section. To assign domains to a domain group go to Mail Relay > Domains section and add the domain to the domain group. The following table describes the User Policy settings: Field

Description

Domain Group Name:

Enter the name of the Domain Group here.

Timezone:

Specify the timezone that each of these groups will use. This is the timezone that all domain administrators and users within these groups will see when the log into SpamTitan.

Description:

Enter a description for the Domain Group here.

Page 75

7 SETTINGS

7

Settings

This chapter covers basic administrative tasks that are available from the Settings page.

CHANGING THE ADMINISTRATOR PASSWORD

To change the administrator password select Settings > Change Password and enter the Old Password followed by the New password and click Change. Note: Use a secure password.

INTERFACE SETTINGS The Settings > Interface Settings page allows you to customize the default logo of the GUI and set the GUI timeout.

Page 76

7 SETTINGS

The following table describes the Interface and Log in Page settings: Field

Description

Logo

This is the image that will be used on all pages in the graphical user interface.

Upload New Logo

Use the Upload New Logo option to replace default logo with your own custom logo. The image should be approximately the same size as the default logo (216x60 pixels) and must be of type jpg, png or gif.

UI Timeout Period

For security reasons the SpamTitan web interface time out after a specified period of inactivity. You can change this setting by changing the period (in minutes) and clicking the Save button. The default value is 30 minutes.

Reset to Defaults

If at any time you want to revert to the factory installed defaults for the interface appearance then click this button.

Show Forgot Password Link

This option controls whether the login screen contains a link to the email password form. This feature should be disabled if the Web Authentication (see page 62) is set to something other than the default (Internal). This option may also be disabled if you do not want to allow users retrieve their login password and thus login to the interface. This option is enabled by default.

Edit Forgot Password Template

Enabling this allows editing of the email which is sent when the users click the Forgot Password link on the login page. This email Subject, Sender Address and message body can be specified. The message body must contain the placeholder to work %%PASSWORD%% - this will get replaced with the users password. NOTE: The body of the messages may contain HTML formatted input.

Show Custom Help Link

If you enable this option then the login screen

Page 77

7 SETTINGS

will contain a Login Help link that can be redirected to your own web server that contains help for users on logging into and using the appliance. Login Help URL

Use this field to specify the URL of your help page

Page 78

7 SETTINGS

GENERATING CERTIFICATE SIGNING REQUESTS SSL management can be done on the Settings>SSL page. The use of SSL certificates ensures that all http communications to the SpamTitan UI is encrypted. SpamTitan allows you to generate private, self signed certificates which provide the same security as certificates purchased from a certificate authority. However in this case because the web browser will be unable to verify the authenticity of the unverified certificate

You can avoid this problem by purchasing a trusted certificate from a trusted certificate signing authority. The certificate will be identifiable by all browsers, and so users will not be presented with the warning message. Select which certificate you wish to use on the Settings>TLS page The following table describes each field. When your information is filled out, press Generate Certificate Singing Request (CST) to generate one. Field

Description

Common Name

This is the fully qualified domain name that will be used in the URL to access the SpamTitan UI. It must match the server name exactly as otherwise you will get a warning dialog every time you visit the site. For example, spamtitan.example.com

Page 79

7 SETTINGS

Organization

This is the name of your company or organization.

Organization Unit

This is an optional filed to specify a specific department within your organization.

City

This is the name of the city or town where the organization is located.

State/Province

This is the full name of the state or province where the organization is located.

Country

This is the two-letter country code of the location of the organization e.g. US

Generate Certificate Signing Request (CSR)

Press Run to generate a Certificate Singing Request. The request that is generated must be exactly as is when been submitted to a trusted certificate signing authority (CS) for signing.

Generate Self Signed Certificate

Press to generate a private self-signed certificate, you will still receive warnings from your web browser when using this

IMPORT CERTIFICATES

On the Settings>SSL page, when you receive the signed certificate back from the CA, use the Import Certificate from PEM option to import the certificate into SpamTitan. It is recommended in all cases that you also import the intermediate certificate which should also be provided by the CA. Without this certificate you will continue to get a warning message from your browser when connecting via SSL. If you are providing your own certificate, e.g. a wildcard certificate, you must also import its private key here.

Page 80

7 SETTINGS

INSTALLED SIGNED CERTIFICATES

On this tab you can view your Installed Certificates, their serial number and expiry date. You also have the option to view the certificate‟s details, to delete the certificate and download the private key.

TLS ENCRYPTION

Transport Layer Security (TLS), located at Settings>TLS, provides a mechanism for certificate based authentication on encrypted sessions. If enabled, then SpamTitan will attempt to negotiate an encrypted session with the peer for the SMTP connection. If a TLS session cannot be negotiated (many clients/server so not support TLS), then the session will fallback to plain text. Click Enable to enable TLS, and choose a certificate from the dropdown list. You can manage the certificates from the Settings>SSL page. To include information about the protocol and cipher used as well as the client and issuer CommonName into the Received: header, enable Include LS info in Received header. The default is disabled, as the information is not necessarily authentic. Only the final destination is reliable, since the headers might have been changed in between. To get additional information during the TLS setup and negotiations you can enable TLS Logging. When enabled startup and certificate information from the TLS subsystem will be logged to the maillog.

Page 81

7 SETTINGS

CONFIGURING HTTPS

SpamTitan can be managed via your web browser using HTTP or HTTPS. By default HTTP is enabled. You can also enable management using HTTPS which will generate a generic self-signed certificate. The following table describes the Web Management Protocol settings: Field

Description

HTTP (On/Off)

This option controls if http access is enabled to the user interface. HTTP is enabled by default.

HTTPS (On/Off)

Specifies if HTTPS access is enabled.

Port

Specifies the HTTPS port number. The default Port for HTTPS is 443. You can add another layer of security for logging into SpamTitan by changing the default port. If you specify a port other than the default HTTPS port (443) then you will have to specify the port number as well as the hostname/IP address when logging in - e.g http://192.168.10.10:789.

Certificate Common Name

The Certificate Common Name must match the site name exactly as otherwise you will get a warning dialog every time you visit the site. So if you access the UI using, for example, http://spamtitan.mydomain.com then you will need a common name of spamtitan.mydomain.com.

NOTE: Enabling HTTPS will generate a self-signed X509 certificate. A self-signed certificate provides the same functions as a certificate through a well-known certificate authority (CA), but will present an "untrusted certificate" security warning to users until the self-signed certificate is imported into their trusted root store.

Page 82

7 SETTINGS

RESTRICTING WEB ACCESS TO THE GUI You can control access to the GUI by specifying the IP address ranges that can access the administrative interface. The Allowed Networks on the Settings > Access/Authentication page lets you control the hosts and/or networks that should have access to the SpamTitan Web interface. By default, all networks (Any) and all users (with a valid username/password) are allowed access. It is recommended that this is changed to your internal network(s) to restrict access to just those users within your organization. The list of allowed networks is a list of network addresses or network/netmask patterns specified in CIDR (Classless Inter-Domain Routing) format. The netmask specifies the number of bits in the network part of a host address. Note: The list is matched from top to bottom, and the search stops on the first match. Specify !pattern to exclude an address or network block from the list. You can also specify if a particular rule applies to a particular user or for everyone by appending a colon followed by the users email address „:[email protected]‟.

In this case admin can only connect to the web interface from 192.168.0.101. All other users can connect from the 192.168.0.0/24 network except for user [email protected] who is not allowed access to the interface. It will not be possible to login from any other network. If no rule matches then access is denied.

The above screenshot shows a simpler example, which specifies that access for all users is from any client on the 192.168.0.0/24 network. Use the up and down arrow buttons to sort the rules according to your policy.

Page 83

7 SETTINGS

WEB AUTHENTICATION The Web Authentication settings on the Settings > Access/Authentication page allows you to control for each internal domain what authentication method will be used when users attempts to login to the GUI to view their quarantine and/or user preferences. The following authentication methods are supported:  Internal (default) SpamTitan will generate a unique password for each internal email address for which it processes mail. Users can receive their password via email if they click the „Forgot your Password?‟ link on the Login page and enter their email address. They can then change their password after logging in.  LDAP LDAP Authentication allows you to specify an external LDAPenabled directory to authenticate and authorize users on a per- domain basis. LDAP authentication for SpamTitan ca be configured to support any LDAP compliant directory including Microsoft Active Directory, Lotus Domino, SunOne/iPlanet Directory Server and Novell eDirectory For users to authenticate with an external LDAP server specify LDAP as the Authentication Method for that domain and enter the LDAP server details. The following table describes the LDAP fields to be entered: LDAP Settings

Description

LDAP Server

The name of the LDAP server that SpamTitan attempts to connect to for authentication purposes.

LDAP Port

The port SpamTitan uses to connect to the LDAP server for authentication purposes. Default port 389.

LDAP Anonymous Search

Some LDAP directories require that a valid user/password be provided to bind to the server in order to perform LDAP searches. Use this dropdown list to specify if Anonymous bind is allowed to the LDAP server. Page 84

7 SETTINGS

LDAP Search User DN

If anonymous bind is not permitted then you must specify the DN of the user that will be used to bind to the Directory server specified in the LDAP server and port field as administrator. This is usually an email address or directory object of the form: cn=user,dc=company,dc=com.

LDAP Password

This field contains the password for the administrator profile specified in the LDAP Search User DN field.

LDAP Query

This field specifies the attribute that contains the username of the person authenticating. The default is mail=%%EMAIL%% where %%EMAIL%% will be replaced with the email of the person authenticating. For example, if the email address of the person authenticating is [email protected] then %EMAIL%% will be replaced with [email protected] %%USER%% can be used to specify the left-hand side of the email address.

LDAP Search Base

This field specifies where in the directory the search will commence from. If the LDAP server is able to determine the defaultNamingContext (Active Directory only) then you can specify %%defaultNamingContext%% and the authentication module will determine this before doing the search.

Page 85

7 SETTINGS

 SQL Server

SQL Authentication allows you to perform authentication against an external SQL server. Specify SQL as the Authentication Method and enter the credentials that the appliance will use to connect to the SQL server. The following table describes the SQL authentication settings: SQL Settings

Description

SQL Database

This field specifies the SQL database type been used.

SQL Server

The IP address or hostname of the SQL server that SpamTitan attempts to connect to for authentication purposes.

SQL Port

The port SpamTitan uses to connect to the SQL Server for authentication purposes. Default port 3306.

SQL Username

The username used to connect to the SQL server in order to perform the authentication.

SQL Password

The password associated with the username.

SQL Database Name

The field contains the name of the database containing the authentication tables.

Page 86

7 SETTINGS

SQL Table SQL Email Column SQL Password Column SQL Password Type

The SQL table to be queried for the authentication. The column that contains the list of email addresses. This field specifies the column that contains the password. The password may be stored in plaintext format, or as a MD5 checksum, or encrypted.

 POP3

Authentication against a POP3 server is quite trivial. When this authentication method is enabled users attempting to login to the GUI will have their authentication credentials authenticated via a POP3 server. The following table describes the POP3 authentication settings:

POP3 Settings

Description

POP3 Server

The IP address or hostname of the POP3 server that SpamTitan attempts to connect to for authentication purposes.

POP3 Port

The port SpamTitan uses to connect to the POP3 server for authentication purposes. Default port 110.

POP3 Address Type

This is format required by your pop3 server for the username. If the pop3 server requires only the mailbox name for authentication, then select user. SpamTitan will then strip the domain name from the user supplied email Page 87

7 SETTINGS

address when performing authentication.  IMAP

The following table specifies the IMAP fields to be entered if using IMAP as the authentication method for the GUI. IMAP Settings

Description

IMAP Server

The IP address or hostname of the IMAP server that SpamTitan attempts to connect to for authentication purposes.

IMAP Port

The port SpamTitan uses to connect to the IMAP server for authentication purposes. Default port 143.

IMAP Address Type

This field specifies the format expected by your IMAP server. Some IMAP servers require the credentials to be specified as an email address, while others require just the left-hand side of the email address (the username).

The support of external authentication modules ensures that when possible users won‟t have to remember multiple passwords. All login attempts will be directed to the appropriate authentication server for that domain. You can use the Test Authentication feature on the Settings > Access/Authentication to ensure that your settings are correct. After saving your authentication settings, simply enter the Email Address and Password of a user to test. SpamTitan will determine the authentication method to use for that domain and validate the supplied password.

Page 88

7 SETTINGS

The SpamTitan API is a set of CGI scripts that can be used to perform SpamTitan tasks from within your own environment. For instance, the bulk addition of a number of domains, or whitelists can be cumbersome using the user interface, but with the API can be achieved quite easily. Access to the API is restricted to the IP addresses listed in the Allowed IP address(es) section, located at Settings>Access/Authentication. See Remote Management for more details on the SpamTitan API.

BACKING UP AND IMPORTING SYSTEM CONFIGURATION With the backup feature of SpamTitan the configuration of the software can be saved to a local data medium and can be restored if required. Settings saved include network settings, domains configured, user preferences and email whitelists and blacklists. To backup the system configuration select Settings > Backup and press Export Backup: Start to create a backup file. If the backup has been created successfully you will be able to download the backup and save it to a folder of your choice. To import a previous backup select Settings > Backup and click Browse… to find the backup file and click Import Backup: Start. If the uploaded file is a valid and version compatible backup then it will be restored. To save you the work of backing up your configuration manually, the backup function supports automatic backup generation and FTP to a remote FTP server. To configure scheduled backups select Settings > Backup and configure the Schedule Backup panel settings. Page 89

7 SETTINGS

The following table describes the schedule backup settings: Field

Description

Schedule Backup

Displays if scheduled backups are enabled

Frequency

Should the backup be performed daily, weekly or monthly. The time of day to perform the backup.

Hour/Minute Day of Week

If performing weekly backups, use this option to specify which day of the week to perform the scheduled backup.

Day of Month

If performing monthly backups, use this option to specify which day of the month to perform the scheduled backup.

FTP Server

The IP address of hostname of the FTP server.

FTP Login the backup FTP server.

The username that the appliance should use to log into

FTP Password the backup FTP server.

The password that the appliance should use to log into

FTP Location backup server.

The folder or path to store the backup files in on the

Click Save to save the scheduled backup settings. If you want to test that your FTP settings are correct you can Export Backup Now by pressing the Start button.

Page 90

7 SETTINGS

NOTIFICATION TEMPLATE Three types of messages are generated: Email Notification messages can be sent in response to virus, spam, or banned file attachment detection.  Administrator notifications are sent to the administrator, if enabled.  Sender (non) delivery notifications may be sent to the mail originator  Recipient warnings may be sent to envelope recipients of the email containing a virus or banned attachment. These notifications are disabled by default since they are more of a nuisance than a benefit and contribute to unwanted backscatter on the Internet. These Non-Delivery reports are only used if the appliance is configure to send them. See Content Filtering: Viruses, Content Filtering: Spam and Content Filtering: File Extensions settings starting on page 49 to see if these notifications are enabled. You can modify the templates for these notifications by editing the templates on the Settings > Notification Templates page. To reset to the system default templates press the Reset to Default button for the template that you would like to reset. Note that this will result in the loss of any custom changes. The following table lists the various templates that can be modified: Template

Description

Notify Virus Recipient

When a message is identified as containing a virus, then this message may be sent to the intended recipient of the email. This option can be specified on the Content Filtering > Viruses page.

Notify Virus Administrator

When a message is identified as containing a virus, then this message may be sent to the administrator of SpamTitan. This option can be specified on the Content Filtering > Viruses page

Notify Banned Attachment

When a message is identified as containing an attachment that is marked as banned then this message may be sent to the intended recipient of the email. This setting can be configured on the Content Filtering > File Extensions page.

Recipient

When a message is identified as containing an attachment that is marked as banned then this message may be sent to the administrator of SpamTitan.

Page 91

7 SETTINGS

Notify Banned Attachment Administrator

When a message is identified as containing an attachment that is marked as banned then this message may be sent to the sender of the email.

Notify Spam Administrator

When a message is identified as spam then this message will be sent to the administrator of SpamTitan if spam admin notifications are enabled. See Content Filtering > Spam page.

Notify Spam Sender

When a message is identified as spam then this message may be sent to the sender of the email. This message will be sent if the recipient has a policy set that will reject spam, rather than pass or quarantine it.

Notification Emails

Select which alphabet you are writing your templates in here. This will ensure that when they are received the characters used will display correctly.

Character Encoding

The following table describes the supported macros that may be used in the NDRs: Macro

Description

%h

Hostname of this host

%d

Timestamp of message reception (RFC 2822 local date-time format)

%s

Original envelope sender, rfc2821-quoted and enclosed in angle brackets

%S

Address that will get sender notification. This is normally a one-entry list containing sender address (same as %s), but may be unmangled/reconstructed in an attempt to undo the address forging done by some viruses.

%t header

First entry in the 'Received' trace of the mail

%a

Original SMTP session client IP address

%g

Original SMTP session client DNS name

%R

A list of original envelope recipients

%j

Subject header field body

%m

Message-ID header field body Page 92

7 SETTINGS

[%H| ]

A list of all header lines (field may be wrapped over more than one line). This does not include the 'Return- Path:' or 'Delivered-To:' headers, which would have been added (or will be added later) by the local delivery agent if mail would have been delivered to a mailbox.

%z

Original mail size (in bytes)

%v

Output of the (last) virus checking program

%V

A list of virus names found; contains at least one entry (possibly empty) if a virus was found, otherwise a null list

%F

A list of banned file names

%W

A list of AV scanner names detecting a virus

[%A| ]

A list of the spam engines report lines

Note: If you want to use the '[' or ']' characters in the notification messages then to take away the special macro meanings of these characters they can be quoted by a backslash. E.g. \[ or \].

REMOTE SYSLOG All system logs are written to local log files on SpamTitan using syslog and may be viewed using the GUI. Syslog is the de facto standard for forwarding log messages in an IP network. The Settings > Remote Syslog page allows you to specify a server to which SpamTitan can send syslog files. The remote server defined must run a logging daemon compatible with the syslog protocol. You can specify a separate (or same) remote syslog server for each of the Mail, Interface and Messages log files.

Page 93

7 SETTINGS

CONFIGURING OUTBOUND DISCLAIMERS SpamTitan can append a default string to the footer of all messages delivered to external recipients. The Settings > Outbound Disclaimers page allows you to define disclaimers on a perdomain basis. Both text and HTML disclaimers are supported.

The following table describes the disclaimer settings that you can set for each sender domain: Field

Description

Select Domain

Select a domain to configure disclaimers for. This allows you to selectively add disclaimers from some domains only.

Add Disclaimer

Determines whether a disclaimer is attached to outgoing messages that are sent from the selected domain.

Text Footer

The disclaimer text that is attached to text-based messages

HTML Footer

The disclaimer text attached to HTML-based messages. When you have made the required changes press the Save button to save your changes

Page 94

7 SETTINGS

CONFIGURING OUTBOUND DISCLAIMER EXEMPTIONS

The Disclaimer Exemptions section allows you to exclude disclaimers from been added to certain messages to/from certain email addresses.

The following table describes the disclaimer exemption settings: Field Description Sender Email Addresses

List of sending email addresses that will not have a disclaimer added. Specify one email address per line. Recipient Email

Addresses/Domains

List of recipient email addresses or domains (e.g. @example.com) that will not have a disclaimer added. Specify one email address/domain per line.

SNMP MANAGEMENT SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SpamTitan appliance. SpamTitan replies to SNMP Get commands for MBIBII via any interface

Page 95

7 SETTINGS

The following table describes the options to configure SNMP. SNMP Options

Description

SNMP

Click the enable\Disable button to turn the protocol on or off.

System Name

Enter the System Name. This could be for instance the hostname of the SpamTitan appliance

System Contact

In this field, type in the name and/or email address of the network administrator for the SpamTitan appliance.

System Location

The System Location field may contain additional information such as the physical location of the appliance, an email address or a pager number.

Community Name

Create a name for a group or community of administrators who can view SNMP data and enter it in the Community Name field. You should use a community string which is used/known only at your site.

Allowed Hosts/Networks

To restrict access further, enter the hostname, IP address or cidr address of those systems/networks that are allowed. perform SNMP queries. Typically this will just be the IP address of your SNMP Management station. If no hostnames/addresses are specified then any system that provides the correct community string may request the SNMP data.

Note: SpamTitan supports most SNMP v1/v2c and relevant Management Information Base II (MIBII) groups which can provide a variety of information about your SpamTitan appliance. In addition the following OIDs provide information on the size of the mail queues:

    

.1.3.6.1.4.1.2021.8.1.101.1 - Active Queue .1.3.6.1.4.1.2021.8.1.101.2 - Incoming Queue .1.3.6.1.4.1.2021.8.1.101.3 - Deferred Queue .1.3.6.1.4.1.2021.8.1.101.4 - Corrupt Queue .1.3.6.1.4.1.2021.8.1.101.5 - Hold Queue

Page 96

8 FILTER RULES

8

Filter Rules

This chapter covers the use of sender email filters and sender domain filters to allow you to blacklist or whitelist messages based on the senders email address.

FILTER RULES: CONFIGURING GLOBAL EMAIL BLACKLIST Filter Rules > Global Blacklist allows you to control which messages are always blocked by SpamTitan. Messages from these email addresses and/or domains will be automatically blacklisted, and the messages from those senders will not be scanned by the anti-spam engine.

The following table describes the fields to control the Global Blacklist. Field

Description

Sender Domain

List of domains that should be blacklisted and prevented from sending email through SpamTitan. Enter a domain (e.g. example.com) to blacklist and click the Add button to add the domain to the list of blacklisted domains.

Sender Email

Use the Edit link to modify an existing entry. Use the Delete link to delete an entry. List of email addresses that should be blacklisted and prevented from sending email through SpamTitan. Enter an email address to blacklist and click the Add button to add the email address to the list of blacklisted email addresses. Use the Edit link to modify an existing entry. Use the Page 97

8 FILTER RULES

Delete link to delete an entry. A sender may not be both whitelisted and blacklisted at the same time. If you add a sender to the blacklist, then if that sender is on the whitelist, then that sender will be removed from the whitelist.

FILTER RULES: CONFIGURING GLOBAL EMAIL WHITELIST Filter Rules > Global Whitelist allows you to add senders you trust to the global whitelist, and the messages from those senders will not be scanned by the anti-spam engine.

The following table describes the fields to control the Global Whitelist. Field

Description

Sender Domain

List of domains that should be Whitelisted and always allowed to send email through SpamTitan. Enter a domain (e.g. example.com) to Whitelist and click the Add button to add the domain to the list of Whitelisted domains. Use the Edit link to modify an existing entry. Use the Delete link to delete an entry.

Sender Email

List of email addresses that should be Whitelisted and always allowed to send email through SpamTitan. Enter an email address to Whitelist and click the Add button to add the email address to the list of Whitelisted email addresses. Use the Edit link to modify an existing entry. Use the Delete link to delete an entry.

Page 98

8 FILTER RULES

FILTER RULES: CONFIGURING PATTERN FILTERING

Filter Rules > Pattern Filtering Allows you to access current Whitelisted and Blacklisted patterns as well the functionality to add new patterns. The following table describes the fields to control pattern filtering Field

Description

Whitelist Pattern

This refers to a regular expression pattern. Adding a pattern here will ensure that any mail including this specific pattern will bypass spam testing. Can bedone by clicking Add and entering the pattern and where in the email it would be located. Patterns can be added by enclosing then in two forward slashes. e.g. applying the pattern “/spamtitan/” to the message header would ensure that any message with “spamtitan” in the header would be Whitelisted.

Blacklist Pattern

Similarly, this refers to a regular expression pattern also. Here any pattern added will make sure that any incoming mail including this specific pattern will be blacklisted. By applying the pattern “/poker/” to the message body, any email with the word poker in the message body will be blacklisted.

Page 99

9 QUARANTINE

9

Quarantine

This chapter describes the quarantine management system, and how the administrator or end-user may review their quarantined messages. The chapter also describes the end-user quarantine reports, how they may be customized, and how users may set their own preferences as to when to receive the report.

QUARANTINE MANAGEMENT When evaluating messages for Spam SpamTitan applies hundreds of rules in order to arrive at an overall spam score for the message. By default, SpamTitan sets the spam threshold score at 5. If administrators find that this setting is too aggressive, or not aggressive enough then they can change the threshold on a per domain or per user basis. Any mail scoring above the threshold is considered spam and is quarantine (by default). All messages scoring below the threshold will be considered legitimate and passed onto the recipient(s). The quarantine consists of a relational database which contains details on all messages that pass through the appliance and a reference to the quarantined file on disk.

Page 100

9 QUARANTINE

The Quarantine > Manage Quarantine page allows the administrator to view all messages for all recipients that are in the quarantine. End users can access their own quarantine by logging into the User Interface using their own email address/password. The following actions may be performed on messages in the quarantine: Quarantine Action

Description

View Messages

To safely view a message that is in the quarantine click the From, To, or Subject of a particular quarantined message from the list of quarantined messages. This will open the message in a separate window. Note: All images in the message been reviewed will be blocked to prevent possible inappropriate content. If a message is subsequently to be released and delivered to your inbox then the original images will be present.

Release Messages

Occasionally, there may be messages in the quarantine that are misidentified as spam (False positives). Users can redeliver the message to their inbox by clicking the Deliver link to the right of the message. The message will then be removed from the quarantine and the Bayesian database will be trained with the message so as to prevent this type of message from been blocked in the future.

Delete Messages

Users can choose to delete messages one at a time, or in bulk by selecting the checkbox to the left of messages to delete. Deleting messages from the quarantine is in effect confirming that the message is spam. If the Bayesian database has not already learned this message as spam, then it will do so now. Note that if a message is deleted from the quarantine by the administrator then that message will not appear in the associated users‟ quarantine (or in their quarantine report).

Page 101

9 QUARANTINE

Whitelist Sender

If the quarantine is been accessed by the administrator then this will add the sender of the selected message(s) to the global whitelist so that all future emails from this sender will bypass the SpamTitan antispam engine. They will still be scanned for viruses and banned attachments. Selecting this option will also Release the message from the quarantine. If the quarantine is been accessed by an enduser then the sender email address will be added to the users personal Whitelist. All future emails from this sender to this user will bypass the SpamTitan anti spam engine. Note: The sender email address that is added to the Whitelist is the envelope email address. This is sometimes different from the address that appears in the From header of the message. You can see the message envelope sender email address by viewing the message.

Search Quarantine

Users and administrators can search for messages in the Quarantine based on a number of criteria. These include:  Message Type  Date Range  Recipient (administrator only)  Sender

Page 102

9 QUARANTINE

QUARANTINE REPORTS As well as being able to manage their quarantine from the web interface, end users may also manage their quarantined messages through the Quarantine Digest Reports that are automatically emailed to users on a periodic basic. The Quarantine Digest Report contains a list of email messages which have been caught and quarantined by the system, and provides links for users to interact and manage their quarantine. SpamTitan will nightly generate the reports. For each user a report will only be generated if certain conditions are met: 

 

Today is a day for which the user requested a report in their preferences. E.g. if the user specified to receive reports on weekdays and today is Sunday then no report will be generated. Similarly if the user/admin specified that reports be sent weekly the report generation for that user will only occur on Fridays. The user must have quarantined messages. If the user/admin specified that the report should only contain details of quarantined messages since the last report and no such messages exist, then no report will be generated.

Custom Instructions Message Actions to deliver, Whitelist or delete quarantined items Quarantine Messages are sorted by Spam Score User Report Preferences Page 103

9 QUARANTINE

QUARANTINE REPORT SETTINGS

The Quarantine > Settings page allows you to configure settings for the users quarantine reports and customize the report with your own logo and instructions. The following table describes the various settings.

The following table describes the settings that can be applied to the Quarantine reports: Setting

Description

Run Report generation daily at Specifies the time that the overnight report generation script will be run daily. Click Save to save your changes. Logo You can change the appearance of the quarantine reports by changing the logo. This is the image that will be used in the quarantine digest report. Attach image in Report

Specifies if the logo is displayed as the heading of a report. Default On.

Upload New Logo

Use the Upload New Logo option to replace the default logo with your own custom logo. The image should be approximately the same size as the default logo. Also ensure that the size of the image is appropriately small as it will be included in all reports that are generated.

Report From Name

This field specifies the descriptive name that will appear in the From address of the quarantine report. Default: SpamTitan Spam Appliance

Report From Address

This field specifies the email address that the quarantine report will appear to have come from. Default: [email protected] This should be changed to an address in your organization.

Page 104

9 QUARANTINE

Report Subject

This field specifies the Subject for the quarantine report.

Contact Email Address

Optional contact email address that will appear in the instructions section of the quarantine report.

Miscellaneous Instructions

This field specifies optional instructions that can appear in the quarantine reports. This can be HTML formatted text. E.g. It could contain a link to an internal webpage listing detailed user instructions.

Allow Users Set Report Type Specifies if the report will contains links to allow the user change the report type that they receive. The report types are:  All quarantine messages  Quarantined messages since last report. This option is enabled by default. Allow users Set Report Frequency

Specifies if the report will contain links to allow the user change when they can receive their reports. Option is enabled by default.

Allow Users Request

Specifies if the report will contain a link to the web interface which allows the user to request an on demand report.

On Demand Reports Include UI Login link

Specifies if the report will contain a link to the web interface so that the user can login directly to the web interface from the quarantine report.

Server HTTP Address

This specifies the IP address or fully qualified domain name of SpamTitan. All links in the quarantine report will use this reference.

Use HTTPS

Specifies if all links in the quarantine report use https or regular http.

Reset to Defaults

If at any time you want to revert to the factory installed defaults for the report appearance then click the Reset button.

Page 105

9 QUARANTINE

QUARANTINE MAINTENANCE

The Quarantine> Settings page gives you access to the Quarantine Maintenance tab. Messages that are stored in the quarantine that are not released or deleted must be purged at some time, as otherwise the quarantine will fill up and we will run out of disk space. Enter the Quarantine Expiry Period specified in days and click the Save button. After this period, all mails that have not been released or deleted will be purged. You may also specify a Quarantine Administrator by entering their email address here. This will give them access to the quarantine management tools.

QUARANTINE ALIASES Enter additional names in the Aliases field that the user will receive email as. For example, if this account is for user [email protected], you may also want to allow him to receive mail at john [email protected] example.com. Enabling Aliases allows reporting data for primary email addresses and their aliases to be combined when viewing generated and quarantine reports. Aliases are used for reporting purposes only and each alias will still add to your user count. Enable this option by pressing Enable beside Unify Microsoft Exchange Email Aliases. Click Add... to add an Active directory server to pull the email addresses and aliases from. You will be returned a popup window with the following fields.

Page 106

9 QUARANTINE

Setting

Description

LDAP Server Base entry (DN)

The name of the LDAP server. The base entry distinguised name (DN) as configured on the LDAP server. The base entry serves as the starting point of the LDAP directory search. For example, dc=rainbowx,dc=net This field has an autofill function which will provide potential base entries. The username for accessing the LDAP server. £ is not permitted in the username. The password for accessing the LADP server. £ is not permitted in the password. Use this drop-down list to select the frequency at which you want to receive imports from the LDAP server.

Server login user Server login password Import Frequency

Click the box beside your server and click Import Aliases to import all the aliases.

Under Unified Email details you can view all imported emails and aliases. Click Add… to manually add email addresses and aliases

You must enter the delivery address and each alias individually. Then save Note: it is recommended to add your primary address as an alias otherwise you will not be able to view your primary mail Import Press this button to import a text file containing email addresses and their aliases. The text file must be in the following form

primary1 alias1 alias2 alias3

primary2 alias4 alias5

Note: it is recommended to add your primary address as an alias otherwise you will not be able to view your primary mail

Page 107

10 REPORTING

10

Reporting

This chapter describes the extensive reporting capabilities of SpamTitan.

REPORTING: SYSTEM INFORMATION The Reporting > System Information page provides an overview of the status of

SpamTitan. The following table describes each of these fields: Field

Description

Processor

The processor that is installed in the SpamTitan server.

Memory

The total amount of memory that is available.

CPU Temperature

Indicates the current CPU temperature. If the CPU gets excessively hot (greater than 70C) then this may indicate a problem with the on-board fan.

Mail/Log Disk Space

Indicates how much disk space is available for the message quarantine and the system log files and how much of this disk space is currently in use.

Uptime

Shows how long the SpamTitan server has been running since the last reboot.

Page 108

10 REPORTING

Load Averages

This indicates the current load on the SpamTitanserver. It shows the number of running processes in the queue waiting for processor time. The numbers reflect the load average over the last minute, over the last 5 minutes and over the last 15 minutes respectively. A load average of 1 means that there was 1 process waiting for the CPU all the time. A process which is using 100% of the CPU only for a short time will result in a peak in the 1 minute average. A process hogging the CPU for a long time will raise the base level of the 15 minute average. Therefore, a high 15 minute average (>5) indicates low CPU power

REPORTING: SERVICES SpamTitan has a number of key daemons or services that must be always running to ensure correct operation of SpamTitan. These are:  The Clam Antivirus service

Page 109

10 REPORTING

 Kaspersky Antivirus (should only be running if Kaspersky is enabled)  Postfix mail transfer agent  Amavisd mail service  Cluster Daemon If any of these services are not running, then restart them, checking the log files to ensure that they started OK.

REPORTING: SYSTEM TROUBLESHOOTING

The System Diagnostics section on the Reporting > System Information page allows you to run some troubleshooting commands on the appliance that you may then send to SpamTitan Support if required. Some basic strategies that you can employ in order to troubleshoot and solve problems with the system. However, it is important to remember that SpamTitan offers technical support for complex problems. See “Contacting SpamTitan Technical Support”. The following table illustrates the various tools that are available to you to troubleshoot problems with the system: System Tools

Description

Spam Test

You can use the Spam Test command to emulate how a message will be classified by the SpamTitan anti-spam engine. Use the Upload feature to upload a message to the appliance to test. The output of the test will be displayed in a popup window. You can see which rules fired on the particular message by viewing the Content analysis details at the end of the output.

Mail Queue

This command displays a summary of the mail messages that are queued for delivery. The Queue ID shows the internal identifier used on this system for the message along with a possible status character. The Page 110

10 REPORTING

status characters are either * to indicate the job is being processed; X to indicate that the load is too high to process the job; and – to indicate that the job is too young to process. The Size indicates the size of the message in bytes. The Arrival Time indicates the time the message was accepted into the queue, and the Sender/Recipient indicates the envelope sender and recipient(s). If a message is retained in the queue then a second line will show the reason for the message to be retained. Click the auto refresh checkbox to have the display automatically refresh every 5 seconds. Process List

The process list command displays information about all the processes that are running on the SpamTitan server.

Network Connections

This displays a list of all active network connections to and from the SpamTitan.

Routing Table

Displays the contents of the routing table on the system.

Page 111

10 REPORTING

Establish Secure Connection to SpamTitan Support

If it is necessary for SpamTitan Support to troubleshoot any issues with the appliance, then you can press the Connect button to establish a secure tunnel with SpamTitan. This will allow SpamTitan Support to gain access to the appliance to diagnose and resolve the problem.

REPORTING: PING CHECKS There are also standard network trace tools available under the Tools section which you can use to test network connectivity from the appliance to remove hosts The following table describes the various tools that are available: System Tools

Description

Ping

This allows you to test the connection with a remote host on the IP level. Please note that the ping and traceroute tools require that ICMP is not blocked on your firewall if you are trying to contact an external host. The ping utility uses the ICMP protocol to elicit an ICMP response from a host or gateway.

Traceroute

The traceroute utility is similar to the ping utility except that it will display the route packets will take from SpamTitan to the remote host or gateway. This command can be useful for diagnosing routing problems.

Dig

Dig is a tool for interrogating DNS name servers. It performs DNS name lookups and displays the answers that are returned from the name server that are configured in the System Setup section.

Flush Mail Queue

If items are retained in the mail queue, then the mail delivery agent (Postfix) will continue to try and deliver the mail for 4 days. Flushing the mail queue will attempt to deliver all those messages in the deferred mail queue. Normally, attempts to deliver delayed mail

Page 112

10 REPORTING

happen at regular intervals, the interval doubling after each failed attempt. Warning: flushing undeliverable mail frequently will result in poor delivery performance of other mail.

REPORTING: GRAPHS The graphs on the Reporting > Graphs page show daily, weekly, monthly and yearly statistics on the number of email messages processed, marked as spam and containing viruses. Here we can also find graphs on Virus Stats, as well as CPU, Memory and HDD Usage

REPORTING: ADMINISTRATION The Reporting > Administration page provides an overview of administrative events over the last 30 days.

Each row has 4 columns showing a total for the number of the particular event that occurred today, yesterday, the last 7 days and in total. Data cells contain either 2 numbers (success/failed) or only one number showing the total amount for that event. The following table describes each of the events recorded. Event

Description

Logins (success/failed)

This shows the number of successful and unsuccessful login attempts to the web interface.

Virus Definition Updates

This field shows the virus definition updates that where made for the Clam Antivirus scanner. Success shows the number of successful updates of new virus definitions. The number does not reflect the number of checks for new definitions which by default are checked every hour.

Page 113

10 REPORTING

Spam Rule Updates (success/failed)

This shows the number of successful and unsuccessful updates of the custom spam rules.

System Firmware Updates (success/failed)

This shows the number of successful and unsuccessful updates for system firmware update

Reports delivered

This shows the number of quarantine digest reports that where generated and successfully delivered.

REPORTING: HISTORY The Reporting > History page enables you to review all mail transactions that have passed through SpamTitan. The advanced search filters allow you to search based on specific criteria such as sender, recipient, IP source address etc.

MAIL HISTORY - MAIL FILTERS The following table describes the various filters that can be employed on the mail history logs. Note that the filters can be applied together to narrow the search.

Page 114

10 REPORTING

Filters

Description

Type

The type field allows you to filter messages based on how they were classified by SpamTitan. The following message type classifications are available:  All Transactions (default)  Clean messages  Spam messages  Banned Attachment messages  Virus Infected messages  False Positives (messages released from quarantine).  Messages rejected to Invalid Recipients  Messages rejected using RBL  Messages rejected due to Relay attempt  Message rejected with invalid HELO greeting  Tagged Mail (Message identified as containing spam/virus/banned attachment, but recipient has a policy to pass)  Messages rejected by SPF failure  Messages with unknown sender domain Sender without a FQDN (Fully Qualified Domain Name)  Quarantined messages Messages with a Blacklisted Top Level Domain  Messages from a Whitelisted/Blacklisted IP Messages from a Whitelisted/Blacklisted Sender Changing the message type will automatically update the history view.

Mail Filter

The filter field allows you to narrow your search criteria narrower by specifying an additional, optional filter. These are: Message Flow  Recipient email address  Sender email address  Source IP address SpamTitan ID  Spam score (equals, less than, greater than, in   range x-y) Delivery Status (Sent, Deferred, Bounced) Enter the email address, spam score or source IP address in the input box provided and press Go to update the view.

Page 115

10 REPORTING

Date Range

Here you can specify a time range. Choose between:  Last Hour  Last 3 Hours  Last 6 Hours  Just for Today (default)  From Yesterday  Last 7 Days  Custom Period.

The following table describes each of the columns that are displayed in the mail transaction history table: Column

Description

Date

Specifies the time and date that the message was processed.

Message Id

This is the internal message Id that SpamTitan has assigned to the message. Click the Message Id to view extended details on this particular message in a popup window.

Client Address

This is the source IP address of the host that sent the message to us. Note: If all your mail is relayed through an upstream mail relay before arriving at SpamTitan then this will contain the address of the upstream mail relay.

Type

The message type as classified by SpamTitan. See the History Filters table above for a description of the various message types.

From

The envelope sender address. Click the From address to filter messages from this sender.

To

The envelope recipient address. Click the To address to filter message to this recipient.

Subject

This is the subject header of the received message

Size

The size of the message

Click the Refresh link to refresh the history view. Since the entire history is not shown on one page, use the links at the bottom of the page to jump to other pages. The Download to Spreadsheet link allows you to download the all transactions for the given search criteria to a Microsoft Excel spreadsheet.

Page 116

10 REPORTING

MAIL HISTORY - DISPLAY SETTINGS

Click the Settings link on the Reporting > History page to manage the history settings. These allow you to control how long messages are stored in the database before been purged, as well as the appearance of the history view. The following table describes the various Display Settings: Setting

Description

Number of messages in log

Specifies the total number of unique records that are stored in the message history log.

Show Message Subject

Display the subject of the message.

Entries per page

How many messages to display per page.

Show Score for Clean msgs

If enabled, the score assigned by SpamTitan will be displayed in the Type column of the history view for messages classified as Clean.

Show Score for Spam msgs

If enabled, the score assigned by SpamTitan will be displayed in the Type column of the history view for messages classified as Spam. If enabled, then the name of the virus that the virus scanner detected will be displayed in the Type column of the history view for virus messages. Note: If more than 1 virus scanner is enabled then it is likely that the different virus scanners have different names for the virus. In this case the name of the virus as identified by the virus scanner which identified the virus first will be used

Show Virus Name for Virus msgs

Page 117

10 REPORTING

Show Scanner that detected Virus

If enabled, then the name(s) of the virus scanner(s) that detected the virus will be display in the Type column of the history view for virus messages

Show Message Flow

Show in which direction the Message is coming from and going to

Show TLS encryption Status

Show the status of the Transport Layer Security (TLS)

Show Delivery Status

Show Delivery Status of the message. (Sent, Bounced Deferred)

Show Delivery Response

Show response to confirm Delivery

Show RBL Name

Show the name of the RBL that blocked the message

Only show messages for local cluster node Click ing this option will ensure that only messages for the local cluster node are displayed. Show cluster node column

This will enable the user to see a cluster node column on the table displayed

MAIL HISTORY - LOG SETTINGS

The following table describes the various Log Settings: Setting

Description

Log Invalid Recipients

If disabled, then messages from invalid recipients will not be logged in the database.

Log RBL Rejects

If disabled, then messages from RBL rejects will not be logged in the database.

Page 118

10 REPORTING

Log HELO Rejects

If disabled, then messages from HELO rejects will not be logged in the database.

Log SPF Rejects

If disabled, then messages from SPF rejects will not be logged in the database.

Log Relay Denied

If disabled then massages whose relay is denied will not be logged in the database.

Log Sender Rejects

If disabled then messages from rejected senders will not be logged in the database.

Auto purge logs after

By default, messages are automatically purged from the database after 3 months. However on busy servers this may need to be lowered. Note: If the number of unique messages in the server exceeds 2 million then the oldest records (that are not quarantined) will be purged

REPORTS The Reporting > Reports page allows you to generate a number of on-demand reports

The

following table describes the options available to you when generating on-demand reports: Field

Description

Report

Date the report was generated.

Type

Select the report type from the following:  Summary Report  Top Spam Relays  Top Spam Recipient  Top Virus Relays  Top Virus Recipients  Top Viruses  Top Virus Scanners  Top RBLs  Top Invalid Recipient Relays

Page 119

10 REPORTING

Period

Report Size

 Top HELO Rejected Relays  Top Email Recipients (number of messages)  Top Email Recipients (bytes)  Top Email Senders (mails)  Top Email Senders (bytes)  Domain Summary Report Licence Usage Report This specifies the period for which the report will be generated. Options available are:  Just for Today  From Yesterday  Last 7 Days  All Note: a report period of All will generate a report based on all the records in the database. As records are automatically purged this may not include all records since the appliance was installed. See Mail History Settings on page 94 for more details. Indicates the number of items to include in the report (Relevant only for top-ten type reports). Note: The pie chart will be limited to a maximum of 25 items.

From

Select whether to run reports on the Cluster, if applicable, or on individual nodes.

TODAY’S ON-DEMAND REPORTS The Reporting > Today’s Reports Tab shows the on-demand reports that were requested today. Reports are purged from here daily. If you wish to maintain the report for longer, then you can Archive it

The Report displays the date, the report, the type of report it is, the period of time over

Page 120

10 REPORTING

which it was run and on which node the information was collected from

The report gives you the following options Options

Description

View

Click this button to view your generated report, it will display information depending on the type of report you have selected to run. It can be displayed in the form of a table and a pie chart. If your specified report settings return no information the following message will be returned: “Report produced no data with supplied attributes”.

Download to Spreadsheet

Use this link to download the report as a Microsoft Excel spreadsheet.

Delete

Pressing this button will delete the selected report.

Archive

Press this button to save the selected report in the Archive, it will now be viewable under the Reporting>Archived Reports tab.

SCHEDULED REPORTS SpamTitan provides the ability to schedule Daily, Weekly or Monthly reports can then be email to the specified distribution list and optionally archived on the appliance. Daily reports will generate a report of the specified type for the previous days activity. Weekly reports will be run each Monday and will produce a report of the specified type for the previous MondaySunday. Monthly reports will be run on the 1st of the month and will produce a report for the previous month. The reports can be produce in PDF, Text or Excel formats.

Page 121

10 REPORTING

The following table specifies the various options for scheduling reports: Field

Description

Type

The following reports may be scheduled:  Summary Report  Top Spam Relays  Top Spam Recipients  Top Virus Relays  Top Virus Recipients  Top Viruses  Top RBLs  Top Invalid Recipient Relays  Top HELO Rejected Relays  Top Email Recipients (messages)  Top Email Recipients (bytes)  Top Email Senders (mails)  Top Email Senders (bytes)  Domain Summary Report

From

Select whether to run reports on the Cluster, if applicable, or on individual nodes.

Frequency

Daily reports will generate a report of the specified type for the previous day‟s activity. Weekly reports will be run each Monday and will produce a report of the specified type for the previous Monday-Sunday period. Monthly reports will be run on the 1st of the month and will produce a report for the previous month.

Format

Reports can be generated in as a PDF document, a text document, a Microsoft Excel spreadsheet or all three.

Max Items

The maximum number of items to display in the report.

Archive

Specifies if the report should be archived on the appliance.

Email Address

The report will be emailed to the addresses in this field. Separate email addresses with spaces.

Page 122

10 REPORTING

ARCHIVED REPORTS

The Reporting > Archived Reports page lists all the reports that have been archived on SpamTitan. These are the scheduled reports that are generated periodically

Use the Type and Frequency, Domain and From settings to filter the display. The reports can be downloaded for viewing or deleted

Page 123

11 LOGGING

11

Logging

An important component in SpamTitan is its extensive logging capabilities. As well as the mail transaction log history, log files also contain the records of regular operations and exceptions from various components of the system. These logs record information regarding all email activity and server management. This information can be valuable when monitoring your SpamTitan service as well as when troubleshooting or checking performance.

The log files are recorded in plain text (ASCII) format and can be viewed via the User Interface from the Log Files page or download and viewed in your favourite editor. The log files are rotated on a daily basis at midnight and are retained on the system for 2 weeks. You can also have the log files written in real-time to a remote Syslog server. See “Remote Syslog” on page 71 for more information. The Log Files > Mail/Interface/Messages pages allow you to view, search and download log files stored on SpamTitan. To view the currently active log file, click on the View Realtime Start button. A new window with the last available log lines will be opened. The log will scroll automatically to display newly added lines in real time. To work with older log files, use the table listing all available log files for that category. You can perform an individual on a single file (View, Download or Delete) by clicking an Action type on the right of the table, or perform a global action (Download or Search) after selecting one or more files by checking their checkboxes on the left of the table. The Search Selected function allows you search for strings in log files. Only lines containing the string will be displayed. You can perform case insensitive searches of the string by checking the Case Insensitive option. It is possible to search several files at

Page 124

11 LOGGING

once. If your search string returns no matches then an empty window will be displayed. The following table summarizes the log file types that are available: Log File

Description

Mail Log

Contains all information regarding the email operations of SpamTitan. This includes all mail deliveries, bounces, failures or filtering events.

Interface Log

The Interface logs record all operations that are conducted via the web interface. It also provides details on appliance housekeeping activity and report generation – showing, for instance, all the users who receive quarantine reports.

Messages Log

This is the system log and records the following: boot information; DNS status information; spam, virus and system update attempts; disk issues; kernel issues. This log file is useful for troubleshooting general condition of the system.

Page 125

12 OUTLOOK ADD-IN

12

Outlook Add-in

The SpamTitan Outlook add-in v1.1 allows you to reports spam back to the SpamTitan anti-spam appliance. When you send mail flagged as spam, you are sending the email message body to be trained by the SpamTitan Bayesian filter as a token, aka either spam or ham (legitimate mail). What this means is that the contents of the mail are learned by the filter and that any future emails containing these characteristics will raise the spam score for that email. REQUIREMENTS 1. NET Framework 3.5 SP1 2. Office 2007 Primary Interop Assemblies 3. Visual Studio 2010 tools for Office Runtime (x86, x64) 4. Outlook 2007 or 2010 5. Windows XP / Vista / 7 If the first three requirements are not found setup will download them and install. Please be patient as the .NET install may take a few minutes. Once installed the SpamTitan Outlook Addin installer will run. If you are interested you can download the SpamTitan Outlook Add-in .EXE file.

Page 126

13 REMOTE MANAGEMENT

13

Remote Management

SpamTitan can be remotely managed via the SpamTitan API. The API enables administrators to remotely manage domains, users, policies, whitelists and blacklists. Access to the API is limited to trusted IP address. To configure an IP address as trusted, go to the Settings > Access/Authentication page and enter the IP address that you wish to trust in API Allowed Hosts.

Firewall Information The following table lists the possible ports that may need to be opened for proper operation of SpamTitan. Port

Protocol

In/Out

Description

20/21

TCP

Out

FTP out for retrieval of system updates

22

TCP

Out

SSH access to allow SpamTitan Technical support create a secure connection to the appliance for support.

25

TCP

Out

SMTP to send email

25

TCP

In

SMTP to receive email

80

TCP

In

HTTP access to the GUI for system management and monitoring, and quarantine management. Also the Clam and Kaspersky virus definition updates are retrieved via HTTP. This port need not be open if you have configured an alternative HTTP proxy port.

53

UDP

In and Out

DNS

123

UDP

In and Out

NTP if using time servers outside your firewall.

443

TCP

In

Secure HTTP access to the GUI.

Page 127

13 REMOTE MANAGEMENT

Page 128

Loading...

SpamTitan Administrator Guide

SpamTitan® ADMINISTRATORS GUIDE v6.02 Page 1 COPYRIGHT Copyright © 2014 SpamTitan. All rights reserved. The product described in this document is f...

3MB Sizes 1 Downloads 4 Views

Recommend Documents

Administrator Guide
Oct 28, 2013 - Disclaimer. Sagemcom reserves the right to make changes and alterations to its software and documentation

Orion NPM Administrator Guide
Exporting Reports as Excel and PDF from the Orion Web Console. 603. Exporting Reports from the Orion Report ...... Note:

3320DNI System Administrator Guide
Xerox Phaser 3320DN/3320DNI. System Administrator Guide. 16. 2. Press the arrow buttons to highlight Network Setup and p

Web Filtering News - SpamTitan
Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limi

Web Time Administrator Guide - Paylocity
display of information. In order to maintain confidentiality, employees must contact their Company Administrator ......

Administrator Quick Start Guide - Cengage
Cengage Learning's MindLinks provide seamless, powerful integration with Blackboard Partner Cloud and your institution's

ServiceDesk Plus administrator guide - ManageEngine
The two main focuses of the ManageEngine ServiceDesk Plus are IT Request tracking and Asset Management. Using the follow

Management Console Administrator Guide - Malwarebytes
Mar 21, 2017 - Management Console Administrator Guide. 1. Introduction. This guide was produced to assist system adminis

IPitomy IP PBX Administrator Guide
Jun 1, 2010 - Draft – Final Version. Updated to include new fields for CID,. Cascading Messages from 3.1.2595 release

XERA Administrator Guide - v4.4 - Paragon
Sep 12, 2014 - XERA ADMINISTRATOR GUIDE. Indexes in XERA 85. Tallying Data 92. Monitoring and Troubleshooting Indexes 94