config_ip_filtering
To configure IP Filtering, perform the following steps:
Enable Email reputation and IP Profiler to begin IP Filtering protection. You can enable either or both types of protection.
To enable Email reputation and IP Profiler:
Choose IP Filtering > Overview from the menu. The IP Filtering Overview screen appears.
Select the Enable IP Filtering check box. This will select both the Email reputation and IP Profiler check boxes.
Clear the Email reputation or IP Profiler check box if you do not require them.
Click Save.
IMSVA does not filter IP addresses or domains that appear in the Approved List.
To add an IP address to the Approved List:
Choose IP Filtering > Approved List from the menu. The Approved List screen appears.
Click Add. The Add IP/Domain to Approved List screen appears.
Select the Enable check box.
Type the domain or IP address that you would like to add to the Approved List.
Click Save. The domain or IP address appears in the Approved List.
IMSVA blocks IP addresses that appear in the Blocked List.
To add an IP address to the Blocked List:
Choose IP Filtering > Blocked List from the menu. The Blocked List screen appears.
Click Add. The Add IP/Domain to Blocked List screen appears.
Select the Enable check box.
Type the domain or IP address.
Select Block temporarily or Block permanently.
Click Save. The domain or IP address is added to the blocked list.
Rules are set to monitor the behavior of all IP addresses and block them according to the threshold setting. Rules can be set for the following:
Spam
Viruses
DHA attacks
Bounced mail
Before enabling IP Profiler Rules, add all of your email servers’ IP addresses (that send outgoing email messages to IMSVA) to the IP Filtering Approved List. To configure the IP Filtering Approved List, see Step 2: Adding IP Addresses to the Approved List.
To specify IP Filtering spam settings:
Choose IP Filtering > Rules from the menu. The Rules screen appears with 4 tabs, one for each type of threat.
Click the Spam tab. The Spam screen appears.
Select the Enable check box to enable blocking of spam.
Specify a value for the following:
Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of spam email messages exceeds the threshold you set.
Threshold: The maximum percentage of spam email messages that IMSVA will allow during the period set in Duration to monitor above. The threshold is a fraction with a numerator and denominator:
Rate (%): Type the maximum number of allowable email messages with spam threats (the numerator).
Total mails: Type the total number of spam email messages out of which the threshold percentage is calculated (the denominator).
Consider the following example.
Duration to monitor: 1 hour at a rate of 20 out of 100
During each one-hour period that spam blocking is active, IMSVA starts blocking IP addresses when more than 20% of the messages it receives contain spam and the total number of messages exceeds 100.
Next to Triggering action, select one of the following:
Block temporarily: Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently: Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Click Save.
To specify IP Filtering virus settings:
Choose IP Filtering > Rules from the menu. The Rules screen appears with 4 tabs, one for each type of threat.
Click the Virus tab. The Virus screen appears.
Select the Enable check box to enable blocking of viruses.
Configure the following:
Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of email messages with viruses exceeds the threshold you set.
Threshold: The maximum percentage of email messages with virus threats that IMSVA will allow during the period set in Duration to monitor above. The threshold is a fraction with a numerator and denominator:
Rate (%): Type the maximum number of allowable email messages with virus threats (the numerator).
Total mails: Type the total number of virus email messages out of which the threshold percentage is calculated (the denominator).
Consider the following example.
Duration to monitor: 1 hour at a rate of 20 out of 100
During each one-hour period that virus blocking is active, IMSVA starts blocking IP addresses when more than 20% of the messages it receives contain viruses and the total number of messages exceeds 100.
Next to Triggering action, select one of the following:
Block temporarily: Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently: Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Click Save.
To specify IP Filtering Directory Harvest Attack (DHA) settings:
Choose IP Filtering > Rules from the menu. The Rules screen appears with 4 tabs, one for each type of threat.
Click the DHA Attack tab. The DHA Attack screen appears.
Select the Enable check box to enable blocking of directory harvest attacks.
Configure the following:
Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of email messages signaling a DHA attack exceeds the threshold you set.
Threshold: The maximum percentage of email messages signaling a DHA attack that IMSVA will allow during the period set in Duration to monitor above. The threshold is a complex expression with the following:
Rate (%): Type the maximum number of allowable email messages with DHA threats (the numerator).
Total mails: Type the total number of DHA email messages out of which the threshold percentage is calculated (the denominator).
Sent to more than: Type the maximum number of recipients allowed for the threshold value.
Non-existing recipients exceeds: Type the maximum number of non-existent recipients allowed for the threshold value. DHA attacks often include randomly generated email addresses in the recipient list.
The LDAP service must be running to determine non-existing recipients.
Next to Triggering action, select one of the following:
Block temporarily: Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently: Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Consider the following example.
Duration to monitor: 1 hour at a rate of 20 out of 100 sent to more than 10 recipients when the number of non-existing recipients exceeds 5.
During each one-hour period that DHA blocking is active, IMSVA starts blocking IP addresses when more than 20% of the messages it receives were sent to more than 10 recipients (with more than five of those recipients not existing in your organization) and the total number of messages exceeds 100.
Technically, the LDAP server is not a must-have. The DHA rule of IMSVA can also obtain the DHA results returned from Postfix, which in turn passes these results to FoxProxy through the LDAP server or other means. FoxProxy then analyzes the results to determine if they are DHA attacks. The LDAP server is only one of the means by which Postfix checks if a user's mailbox exists.
Click Save.
To specify IP Filtering Bounced Mail settings:
Choose IP Filtering > Rules from the menu. The Rules screen appears with 4 tabs, one for each type of threat.
Click the Bounced Mail tab. The Bounced Mail screen appears.
Select the Enable check box to enable blocking of bounced mail.
Configure the following:
Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of email messages signaling bounced mail exceeds the threshold you set.
Threshold: The maximum percentage of email messages signaling bounced mail that IMSVA will allow during the period set in Duration to monitor above. The threshold is a fraction with a numerator and denominator:
Rate (%): Type the maximum number of allowable email messages signaling bounced mail (the numerator).
Total mails: Type the total number of bounced email messages out of which the threshold percentage is calculated (the denominator).
Consider the following example.
Duration to monitor: 1 hour at a rate of 20 out of 100
During each one-hour period that blocking for bounced mail is active, IMSVA starts blocking IP addresses when more than 20% of the messages it receives are bounced messages and the total number of messages exceeds 100.
The LDAP service must be running to check bounced mail.
Next to Triggering action, select one of the following:
Block temporarily: Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently: Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Click Save.
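The four rules above share one threshold test (the number of messages in the monitoring window must exceed Total mails, and the percentage of messages signaling the threat must exceed Rate), and the DHA rule additionally qualifies a message by its recipient counts. The following Python model of that logic is an added example, not IMSVA code; it uses the page's example settings of 20 out of 100 per window (for DHA, more than 10 recipients with more than 5 non-existing), and the source IPs, message counts and the Message/Rule names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Message:              # one message from a source IP inside the Duration to monitor window
    flags: tuple = ()       # any of "spam", "virus", "bounce" that the scanners attached
    recipients: int = 1
    nonexistent: int = 0    # recipients the directory lookup (e.g. LDAP) did not find

@dataclass
class Rule:
    kind: str               # "spam", "virus", "dha" or "bounce"
    rate: float             # Rate (%), the numerator
    total_mails: int        # Total mails, the denominator
    action: str             # "temporary" or "permanent"
    sent_to_more_than: int = 0    # DHA only
    nonexistent_exceeds: int = 0  # DHA only

def signals(rule, m):
    """True if the message counts toward the rule; 'more than' is a strict >."""
    if rule.kind == "dha":
        return m.recipients > rule.sent_to_more_than and m.nonexistent > rule.nonexistent_exceeds
    return rule.kind in m.flags

def evaluate(ip, messages, rules, approved=frozenset()):
    """Return 'temporary', 'permanent' or None for one source IP's monitoring window."""
    if ip in approved:                  # Approved List entries are never filtered
        return None
    total, verdict = len(messages), None
    for rule in rules:
        if total <= rule.total_mails:   # the window must exceed the denominator...
            continue
        hits = sum(1 for m in messages if signals(rule, m))
        if 100.0 * hits / total > rule.rate:  # ...and the percentage must exceed Rate (%)
            if rule.action == "permanent":    # a permanent block outranks a temporary one
                return "permanent"
            verdict = "temporary"
    return verdict

RULES = [Rule("spam", 20, 100, "temporary"), Rule("virus", 20, 100, "permanent"),
         Rule("dha", 20, 100, "temporary", sent_to_more_than=10, nonexistent_exceeds=5),
         Rule("bounce", 20, 100, "temporary")]   # the page's example settings

def sample_window():  # constructed one-hour window for three sources; values are illustrative only
    harvester = [Message(recipients=25, nonexistent=12)] * 30 + [Message()] * 80  # 110 msgs, 27% DHA-like
    low_volume = [Message(flags=("spam",))] * 15 + [Message()] * 50               # 65 msgs, under Total mails
    clean = [Message(flags=("spam",))] * 5 + [Message()] * 195                     # 200 msgs, 2.5% spam
    return {"198.51.100.7": harvester, "203.0.113.9": low_volume, "192.0.2.10": clean}

def verdicts(window, rules=RULES, approved=frozenset()):
    return {ip: evaluate(ip, msgs, rules, approved) for ip, msgs in window.items()}
```

Note that the low-volume source is not blocked even though 23% of its messages are spam, because its window never exceeds Total mails; adding a source to the approved set exempts it regardless of its traffic, which is why the page asks you to list your own outbound servers there first.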
Email reputation verifies IP addresses of incoming email messages using the Trend Micro Email Reputation database.
To configure Email Reputation:
Choose IP Filtering > Email Reputation from the menu. The Email Reputation screen appears.
Select the Enable Email Reputation check box.
Click a radio button next to one of the following, depending on your level of service, and configure the settings:
Standard:
Default intelligent action: Email reputation permanently denies connection (550) for RBL+ matches.
Take customized action for all matches:
SMTP error code: Type the SMTP error code with which matched connections are blocked.
SMTP error string: Type the message associated with the SMTP error code.
Advanced:
Default intelligent action: Email reputation permanently denies connection (550) for RBL+ matches and temporarily denies connection (450) for Zombie matches.
Take customized action for all matches:
SMTP error code: Type the SMTP error code with which matched connections are blocked.
SMTP error string: Type the message associated with the SMTP error code.
The SMTP error code and error string above are sent to the upstream MTA, which then takes its preconfigured actions, such as recording the error code and error string in a log file.
Click Save.