Anti-Spam

This section describes how to activate, configure, and manage the Comprehensive Anti-Spam Service on a Dell SonicWALL network security appliance.

NOTE: The Comprehensive Anti-Spam Service is not available on SuperMassive appliances.

Topics:

•	Anti-Spam Overview

•	Purchasing an Anti-Spam License

Anti-Spam Overview

This section provides an introduction to the Comprehensive Anti-Spam Service.

Topics:

•	What is Anti-Spam?

•

Benefits

•	How the Anti-Spam Service Works

•	Purchasing an Anti-Spam License

What is Anti-Spam?

The Anti-Spam feature provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your existing firewall.

In a typical configuration of Anti-Spam, the administrator chooses to add Anti-Spam capabilities by selecting it in the SonicOS interface and licensing it. The firewall then uses the same advanced spam-filtering technology as the Dell SonicWALL Email Security products to reduce the amount of junk email the organization delivers to users.

There are two primary ways inbound messages are analyzed by the Anti-Spam feature - Advanced IP Reputation Management and Cloud-based Advanced Content Management. IP Address Reputation uses the GRID Network to identify the IP addresses of known spammers, and reject any mail from those senders without even allowing a connection. GRID Network Sender IP Reputation Management checks the IP address of incoming connecting requests against a series of lists and statistics to ensure that the connection has a probability of delivering valuable email. The lists are compiled using the collaborative intelligence of the Dell SonicWALL GRID Network. Known spammers are prevented from connecting to the firewall, and their junk email payloads never consume system resources on the targeted systems.

Email that does not come from known spammers is analyzed based on “GRIDprints” generated by SonicWALL’s research laboratories and are based on data from millions of business endpoints, hundreds of millions of messages, and billions of reputation votes from the users of the GRID Network. Our Grid Network uses data from multiple SonicWALL solutions to create a collaborative intelligence network that defends against the worldwide threat landscape. GRIDprints uniquely identify messages without exposing data contained in the email message.

The Anti-Spam service determines that an email fits only one of the following threats: Spam, Likely Spam, Phishing, Likely Phishing, Virus, or Likely Virus. It uses the following precedence order when evaluating threats in email messages:

•

Phishing

•	Likely Phishing

•

Virus

•

Spam

•	Likely Spam

•	Likely Virus

For example, if a message is both a virus and a spam, the message will be categorized as a virus since virus is higher in precedence than spam.

If the Anti-Spam service determines that the message is not any of the above threats, it is judged as good email and is delivered to the destination server.

Benefits

Adding anti-spam protection to your firewall increases the efficiency of your system as a whole by filtering and rejecting junk messages before users see them in their inboxes.

•	Reduced amount of bandwidth and resources consumed by junk email in your network

•	Reduced number of incoming messages sent to the mail server

•	Reduced threat to the organization, because users cannot accidentally infect their computers by clicking on virus spam

•	Better protection for users from phishing attacks

How the Anti-Spam Service Works

This section describes the Anti-Spam feature, including the Dell SonicWALL GRID Network, and how it interacts with SonicOS as a whole. The two points of significant connection with SonicOS are Address and Service Objects. You can use the address and service objects to configure the Anti-Spam feature to function smoothly with SonicOS. For example, use the Anti-Spam Service Object to configure NAT policies to archive inbound email as well as sending it through a filter.

The Comprehensive Anti-Spam Service analyzes messages’ headers and contents, and uses collaborative GRID printing to block spam email.

Topics:

•	GRID Network

•	Address and Service Objects

GRID Network

This section describes the GRID Connection Management with Sender IP Reputation feature that is used by SonicWALL Email Security and by the Anti-Spam service in SonicOS. GRID Network Sender IP Reputation is the reputation a particular IP address has with members of the Dell SonicWALL GRID Network. When this feature is enabled, email is not accepted from IP addresses with a bad reputation. When SonicOS will not accept a connection from a known bad IP address, mail from that IP address never reaches the email server.

GRID Network Sender IP Reputation checks the IP address of incoming connection requests against a series of lists and statistics to ensure that the connection has a probability of delivering valuable email. The lists are compiled using the collaborative intelligence of the Dell SonicWALL GRID Network. Known spammers are prevented from connecting to the firewall, and their junk email payloads never consume system resources on the targeted systems.

Topics:

•

Benefits:

•	GRID Connection Management with Sender IP Reputation and Connection Management Precedence Order

Benefits:

•	As much as 80 percent of junk email is blocked at the connection level, before the email is ever accepted into your network. Fewer resources are required to maintain your level of spam protection.

•	Your bandwidth is not wasted on receiving junk email on your servers, only to analyze and delete it.

•	A global network watches for spammers and helps legitimate users restore their IP reputations if needed.

GRID Connection Management with Sender IP Reputation and Connection Management Precedence Order

When a request is sent to your first-touch firewall, the Anti-Spam service evaluates the ‘reputation’ of the requestor. The reputation is compiled from white lists of known-good senders, block lists of known spammers, and denial-of-service thresholds.

If IP Reputation is enabled, the source IP address is checked in this order:

 

Table 68. IP address evaluations

Evaluation	Description
Allow-list	If an IP address is on this list, it is allowed to pass messages through Connection Management. The messages will be analyzed by your firewall as usual.
Block-list	This IP address is banned from connecting to the firewall.
Reputation-list	If the IP address is not in the previous lists, the firewall checks with the GRID Network to see if this IP address has a bad reputation.
Defer-list	Connections from this IP address are deferred. A set interval must pass before the connection is allowed.
DoS	If the IP address is not on the previous lists, the firewall checks to see if the IP address has crossed the Denial of Service threshold. If it has, the appliance uses the existing DoS settings to take action.

Only if the IP address passes all of these tests does the firewall allow that server to make a connection and transfer mail. If the IP address does not pass the tests, there is a message from SonicOS to the requesting server indicating that there is no SMTP server. The connection request is not accepted.

Address and Service Objects

The Anti-Spam feature of SonicOS supports new Address and Service Objects to manage a customer’s email server(s). These objects are used by the Anti-Spam Service for its NAT and Access Rule policies. Automatically-created rules are not editable and will be deleted if the Anti-Spam Service is disabled.

When enabled, the Anti-Spam service creates NAT policies and Access Rules to control and redirect email traffic. The policies and rules are visible in the Network > NAT Policies and Firewall Rules pages, but are not editable. These automatically-created policies are only available when the Anti-Spam service is enabled.

When the Anti-Spam service is licensed and activated, the Anti-Spam > Settings page shows a single checkbox to enable Anti-Spam. Selecting the checkbox invokes the Destination Mail Server Policy Wizard if there is no existing custom access rule and NAT policy for an already-deployed scenario. When you set up generated policies, the Anti-Spam service must know where the emails are routed behind the firewall. Specifically it needs the destination mail server IP address and its zone assignment. The Destination Mail Server Policy Wizard is launched if this data cannot be found.

You will need the following information for the wizard:

•	Destination Mail Server Public IP Address – The IP address to which external MTAs will be connecting by SMTP.

•	Destination Mail Server Private IP Address – The internal IP address of the Exchange or SMTP server (behind the firewall).

•	Zone Assignment – The zone to which the Exchange server is assigned.

•	Inbound Email Port – The TCP service port number to which emails will be sent, also known as the inbound SMTP port.

Policies and Address Objects created by the wizard are editable and persist even if the Anti-Spam service is disabled.

Topics:

•	Objects Created When the Anti-Spam Service Is Enabled

•	Objects Created by the Wizard

•	Policy and Object Changes

Objects Created When the Anti-Spam Service Is Enabled

This section provides an example of the type of rules and objects generated automatically as Firewall Access Rules, NAT Policies and Service Objects. These objects are not editable and will be removed if the Anti-Spam service is disabled.

The Firewall > Access Rules page shows the generated rules used for Anti-Spam.

Figure 28. Generated access rules

The rows outlined in red are the access rules generated when Anti-Spam is activated. The row outlined in green is the default rule that Anti-Spam creates if there are no existing mail server policies.

You could also create the following access rules:

•	WAN to WAN rule for incoming email (SMTP) from any source to all the WAN IP addresses

•	WAN to LAN rule for processed email from Email Security Service to all the WAN IP address using the Anti-Spam service port (default:10025)

The Anti-Spam Service Object is created in the Network > Services page.

Figure 29. Generated anti-spam service object

This Service Object is referenced by the generated NAT policies.

Figure 30. Generated NAT policies

The rows outlined in red are the policies generated when Anti-Spam is activated. The row outlined in green is the default policy that Anti-Spam creates if there are no existing mail server policies.

Objects Created by the Wizard

Objects created from the wizard can be edited and stay in the system even if the Anti-Spam service is disabled.

The following considerations apply to the auto-generation of policies:

•	A system Address Group Object called the Public Mail Server Address Group is created as a default for the original destination for generated policies. This group contains the Address Object, Destination Mail Server Public IP, which takes the IP address value provided during the wizard.

•	In the case where a SonicWALL appliance already has existing policies for SMTP, the following procedures occur:

•	If the existing policy’s original destination is a host type Address Object, then the generated policies use the Public Mail Server Address Group object as their original destination.

•	If the existing policy’s original destination is a non-host type Address Object, the generated policies use this non-host type Address Object as their original destination.

•	If there is more than one public IP address for SMTP, the administrator can manually add Address Objects to the Public Mail Server Address Group.

Policy and Object Changes

 

In the diag.html page, the Reset GRID Name Cache button can be used to clear all the entries in the GRID name cache.

The Delete Policies and Objects button can be used to remove Anti-Spam Address and Service Objects and policies that are not deleted when the service is turned off. When this button is clicked, SonicOS attempts to remove all the automatically generated objects and policies. This operation is only allowed when the Anti-Spam service is off.

The other diag.html page options relating to Anti-Spam are:

•	Disable SYN Flood Protection for Anti-Spam related connections – SYN Flood protection by default is turned on for SMTP (25) and Anti-Spam service (10025) ports. This disables the protection.

•	Use GRID IP reputation check only – When selected, this overrides the probing result and simulates the Anti-Spam service being unavailable (admin down). When an email is sent, it still goes through both the SYN FLOOD check and GRID IP check, but other email scanning is not performed.