5.10 Filters

There are a number of filters that will trigger when a message enters the system. These are indicated by the green pin on the component.

5.10.1 Anti-Spam

The anti-spam system searches messages for spam. There are options to select which actions to take depending on the results. A filter that has exceptions connected to it will override the block service. To add a message or message source to the list, simply input it into the provided list.

Options

Trigger on confirmed spam.

Trigger on bulk mail.

Trigger on valid bulk mail (i.e. newsletters).

5.10.2 Anti-Virus

The Anti-Virus event scans messages for known viruses. The anti-virus engine is set and requires no further configuration. Messages in which a virus is detected will have the connected action applied.

Options

This item does not require configuration.

5.10.3 Attachment Name

The Attachment Name filter sorts attachment types according to their name, such as .doc or .iso. Attachment names may be specified in the provided field. To add a name and manage that specific type by name, simply type the desired name into the list. Multiple names may be specified by placing each name on its own line. The Attachment Name filter differs from the Fingerprint filter in that the fingerprint detects file types regardless of name, while the Attachment Name filter only looks at the file name.

Options

Add each criteria on its own line.

5.10.4 Attachment size

The Attachment Size event filter allows the admin to limit the size of attachments passing through the system. Message attachments which are outside of the specified size ranges will trigger this filter and cause the selected service to be enacted on that message or attachment.

Options

Enable maximum size test.

Maximum allowable size (bytes).

Enable minimum size test.

Minimum allowable size (bytes).

5.10.5 Black List

Black List particular address pairs or addresses that users have blacklisted in QMS.

Options

Black List Data Source

Create a data source by clicking the plus sign. Add sender and recipient address pairs.

Link to a QMS data source by clicking on the link chain. Add additional sender and recipient address pairs.

5.10.6 Clam Anti-Virus

SMG can use Clam Anti-Virus malware definitions to scan items.

This filter can be added manually to a profile. It is not added when using the wizard.

Under Manage Servers each configured server will show the Clam Anti-Virus service version, which is the time stamp of the definitions in use. New definitions are downloaded and updated throughout the day.

Clam Anti-Virus is used just like the Anti-Virus filter and can be run in parallel with the Anti-Virus filter.

Options

This item does not require configuration.

5.10.7 DKIM Verification

DomainKeys Identified Mail (DKIM) provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. See DKIM.org. Very simply, DKIM adds a cryptographically signed checksum to the email, to verify that the message is from the sender and has not been altered along the way. This is unlike the typical filter: instead of looking for things to filter a message out, this filter allows a message in. Depending on the use case, the "Invert mode logic" switch may be needed. A DKIM filter cannot be used with tags, as that would alter the message and break the verification.

Option

Treat message as verified when signature not present.

5.10.8 Email Address

The Email Address Filter scans recipient or sender addresses against the provided list. Specify the desired addresses by inputting them into the field provided. Separate multiple addresses by placing each address on its own line. The sender, recipient, or both will be scanned according to the configuration. If the Email Address Filter is triggered, it will enact the connected service for that message.

Options

Scan sender address.

Scan recipient address.

Search criteria (add each criteria on its own line).

5.10.9 Filter Group

The Filter Group is an organizational placeholder, a building block that allows different filters to be grouped under one node to simplify the deployment workbench. The Filter Group requires no configuration. Connecting filters to this group block ties all of them to the same action or item. Organization of the workbench is simplified with this block for complex deployments. Use this block to clean up the lines connecting associated filters, services, and exceptions.

Options

This item does not require configuration. Container nodes group tests together either for organizational clarity or to blend tests together to create meta-rules.

5.10.10 Fingerprint

Select file type fingerprint(s): The Fingerprint Filter searches message attachments for file types, regardless of whether they are named correctly. To configure the fingerprint filter, select the desired file types from the available file type list by clicking on them. Remove file types from the selected list by clicking on them. Only file types listed are available for selection.

Some file types are subsets of other file types. For example, MSOFFICEEX covers all MS Office XML files, MSOFFICEXT covers only MS Office Template files and would ignore non-template files, and MSOFFICEXM covers only MS Office XML documents that have macros enabled. If you want to filter all MS Office files, MSOFFICEEX is the only file type you need.
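The difference between testing the file name and testing the content, as an added example that is not SMG code. The labels returned here (OOXML, OOXML-MACRO and so on) are hypothetical and are not SMG fingerprint names; the macro check assumes the usual Office Open XML layout, where a macro-enabled document carries a vbaProject.bin part.

```python
import io
import zipfile

# Leading bytes of a few well-known formats.
MAGIC = [(b"%PDF-", "PDF"), (b"MZ", "EXE"), (b"\xd0\xcf\x11\xe0", "OLE2")]


def content_type_of(data):
    """Classify an attachment by its bytes, ignoring its file name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    if data.startswith(b"PK\x03\x04") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if "[Content_Types].xml" in names:      # Office Open XML package
            if any(n.endswith("vbaProject.bin") for n in names):
                return "OOXML-MACRO"            # package carries a VBA project
            return "OOXML"
        return "ZIP"
    return "UNKNOWN"


def name_filter_hit(filename, blocked_suffixes):
    """Attachment Name style test: looks only at the file name."""
    suffixes = tuple(s.lower() for s in blocked_suffixes)
    return filename.lower().endswith(suffixes)


def make_macro_doc():
    """Constructed sample: a minimal zip laid out like a macro-enabled document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

A macro-enabled document renamed to report.txt passes a name test for .docm but is still classified by content.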

Deep/excessive compressed files

The ZIPDEEP and ZIPWIDE fingerprints are special-purpose tests for compressed files that exceed reasonable limits. These limits are defined within the policy management page and are used to prevent malicious attacks from causing system resource starvation. Applying these fingerprints tests against the limits in the policy settings.

These tests will also extract archives from within archives as part of the test process, and will include all supported archive types.
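A bounded archive walk of this kind, as an added example that is not SMG code. It assumes ZIPDEEP means too many archive-in-archive levels and ZIPWIDE means too many files in total; the limit names and values are hypothetical, and only zip archives are handled.

```python
import io
import zipfile

# Hypothetical limits; in SMG the real values come from the policy settings.
MAX_DEPTH = 3                      # archive-in-archive levels allowed
MAX_ENTRIES = 100                  # files allowed across all levels
MAX_MEMBER_BYTES = 10 * 1024 ** 2  # never inflate a member declared larger


def make_nested_zip(levels, files_per_level=1):
    """Constructed sample: a zip nested `levels` deep, built in memory."""
    payload = b"not an archive"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(files_per_level):
                zf.writestr(f"file{i}.txt", b"x")
            zf.writestr("inner.bin", payload)
        payload = buf.getvalue()
    return payload


def scan_archive(data, depth=1, stats=None):
    """Walk a zip and the zips inside it; record which limit is exceeded."""
    if stats is None:
        stats = {"depth": 0, "entries": 0, "hits": set()}
    stats["depth"] = max(stats["depth"], depth)
    if depth > MAX_DEPTH:
        stats["hits"].add("ZIPDEEP")
        return stats               # stop descending once over the limit
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            stats["entries"] += 1
            if stats["entries"] > MAX_ENTRIES:
                stats["hits"].add("ZIPWIDE")
                return stats
            if info.file_size > MAX_MEMBER_BYTES:
                continue           # declared size too large: do not inflate
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                scan_archive(member, depth + 1, stats)
                if stats["hits"]:
                    return stats
    return stats
```

The walk stops as soon as a limit is crossed, so the cost of scanning is bounded by the limits rather than by the size of the archive.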

Options

Click the "Add new types" button and click on file types to activate available file types to scan.

5.10.11 IP Address

The IP Address filter event scans messages for a match to any specified IP Address. Messages coming from a specific IP Address can be blocked by specifying that address in this filter. Messages coming into the filter will be scanned for a match to any IP address specified in the list. To add an address to the filter list, simply select the field and input the address or addresses into the list. For multiple addresses, place each IP address on its own line.

Options

Search criteria (add each criteria on its own line).

5.10.12 IP Reputation

IP Reputation works much like an RBL or SURBL filter but also uses a whitelist for common message sources. IP Reputation will temporarily block messages from sources which are not found on either list. The temporary fail is performed via a connection drop. If the sending gateway repeats sending attempts, the messages will be allowed through. For an IP Reputation filter to be effective, it needs to be utilized on the SMTP interface with both trigger options enabled. If the trigger options are disabled, the events will not cause the filter to drop the connection and block the message.

The IP reputation sensitivity slider is used to fine-tune the detection level of the IP reputation service. There is a left slider and a right slider, each of which changes the detection level. The left slider is used to ignore IP addresses that fall into the lower range of possible spam. The right slider is used to increase or decrease the range of IP addresses that are allowed to retry and the range that are automatically rejected. The default setting of 20% delay and 80% drop provides a generally good fit to incoming connections, where 20% are offered the option of retrying and the rest are denied access.

If the engine is delaying legitimate senders, you can adjust the left slider to ignore the range of IP addresses that are legitimate.

Options

Trigger on confirmed IP.

Trigger on suspect IP.

5.10.13 Message Received

The Message Received event is activated for all messages received by the Secure Messaging Gateway system, inbound or outbound. This filter allows administrators to dictate general services on messages. The Message Received event may also be restricted to a specific message direction: Inbound, Outbound, Internal, and External mail. When combined with the desired services, the Message Received event may be used, for example, to append a signature on all messages leaving the system, or may be used to add header lines to all internal mail.

Options

Used to feed data to the Statistics and Message Tracker filters.

Message direction.

5.10.14 Message Size

The Message Size filter allows the administrator to limit the size of messages passing through the system. Messages which are outside of the specified size range will trigger the event and have the associated action applied.

Options

Enable maximum size test.

Maximum allowable size (bytes).

Enable minimum size test.

Minimum allowable size (bytes).

5.10.15 Message Text

The Message Text filter scans messages for matching text strings in the locations selected. Custom text strings may be specified in this filter. For multiple text strings, place each on a separate line. The Text filter can scan for text in specific locations of messages. You must enable a location to be scanned before the text filter will be active. One or all locations may be selected at the same time.

Options

Look in message body.

Look in message subject.

Look in message header.

Look in message source file.

5.10.16 RBL

The RBL (Real-time Blackhole List or Real-time Block List) Filter checks incoming messages to see if any sending server(s) are included on any of the configured RBL servers. To configure the RBL Filter, input the desired RBL server into the RBL server field. The RBL Filter may be limited to certain lines in the message. The default is to scan the entire header of a message. The 'Received header scan range' limits the lines of a header to be scanned. The beginning and end line scanned may be specified. For example, 1-5 would scan the first through the 5th line of the header, while 4-7 would only scan the 4th through 7th lines of the header.

Options

Include connecting IP address.

Include IP addresses located in headers.

Received headers scan range.

RBL Server.

sbl-xbl.spamhaus.org (Default).

bl.spamcop.net (Default).

Skip Local IP.
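How these options combine into a set of lookups, as an added example that is not SMG code. It assumes the scan range counts Received headers from the top of the message and that "local" means RFC 1918 and loopback addresses; the sample message is constructed, only IPv4 is handled, and the query name uses the standard DNSBL form (reversed octets followed by the list's zone).

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (documentation and private addresses only).
SAMPLE = """\
Received: from mx.example.net ([203.0.113.7]) by gw.example.org; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net ([198.51.100.23]) by mx.example.net; Mon, 1 Jan 2024 10:00:01 +0000
Received: from desktop ([192.168.1.50]) by relay.example.net; Mon, 1 Jan 2024 10:00:00 +0000
From: a@example.net

body
"""
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def candidate_ips(raw, connecting_ip=None, scan_range=(1, 5), skip_local=True):
    """IPs to test: the connecting IP plus Received headers first..last."""
    first, last = scan_range
    received = message_from_string(raw).get_all("Received", [])
    found = [connecting_ip] if connecting_ip else []
    for header in received[first - 1:last]:
        found += BRACKETED_IP.findall(header)
    result = []
    for text in found:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue                  # regex matched something like 999.1.1.1
        if skip_local and any(ip in net for net in LOCAL_NETS):
            continue
        if text not in result:
            result.append(text)
    return result


def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone, resolve):
    """Listed when the query name resolves to an address in 127.0.0.0/8."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except OSError:
        return False                  # no such name: the IP is not listed
```

For a live lookup, pass `socket.gethostbyname` as `resolve`; a narrower scan range or fewer configured servers means fewer DNS queries per message.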

5.10.17 SMTP Envelope

The SMTP Envelope filter checks whether specific attributes of the SMTP connection are present. The 'Client is authenticated' test checks whether the inbound SMTP connection successfully provided valid login credentials (username and password) for the system. The 'Client is SSL secure' test checks whether the client establishes a secure channel and sends its data over it. The 'Client switched to SSL using STARTTLS' test checks whether the incoming client was secure from the beginning of the session or whether SSL was initiated after the initial client connection. All tests have the options 'yes', 'no', and 'don't test'. If either 'yes' or 'no' is selected, incoming messages will be scanned and, if the condition is detected, the filter will enact the connected services.

Options

Client is authenticated.

Client is SSL secure.

Client switched to SSL using STARTTLS.

5.10.18 SPF

The SPF (Sender Policy Framework) Filter attempts to verify the sender of each email message, which can eliminate spoofed email and most backscatter attacks. For SPF to work correctly, the sending domain must have an updated SPF record set up in DNS. If the sending domain does not have an SPF record set in its DNS, then its mail will not be blocked. Setting up a correct SPF record will block messages from spammers who are pretending to be you, sending messages to you.

Options

Treat ~all as -all. Treat ~all (softfail: allow mail whether or not it matches the record parameters) as -all (fail: only allow mail that matches at least one of the record parameters). See OpenSPF.
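The effect of this option on a record ending in ~all, as an added example that is not SMG code. The evaluator covers only the ip4, ip6 and all mechanisms (anything that needs a DNS lookup is rejected), the function names are hypothetical, and it assumes that only a hard fail triggers the filter.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, softfail_as_fail=False):
    """Evaluate an SPF record limited to ip4, ip6 and all mechanisms."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise ValueError(f"term needs DNS, not handled here: {term}")
        if matched:
            if mech == "all" and qualifier == "~" and softfail_as_fail:
                return "fail"              # the "Treat ~all as -all" option
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing in the record matched


def spf_triggers(record, sender_ip, softfail_as_fail=False):
    """Assumed mapping: the filter fires only on a hard fail."""
    return evaluate_spf(record, sender_ip, softfail_as_fail) == "fail"
```

With the option off, a sender outside the listed ranges of a ~all record only softfails and the filter stays quiet; with it on, the same message triggers the filter.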

5.10.19 SURBL

The SURBL (previously stood for Spam URI RBL) Filter checks each message against the SURBL databases listed to see if the sending server is included on the SURBL list. To add a SURBL server to the list, simply type it into the list. Multiple servers may be listed, one on each line; however, it is recommended to have only one, as multiple server lists may slow performance.

Options

SURBL server list (add each server on its own line).

5.10.20 Zero Hour Virus

The Zero Hour Virus filter checks each message for virus-like characteristics to protect against new and unidentified viruses.

Options

This item does not require configuration.