3270: How to configure Websense Email Security to most effectively filter spam
Reviewed 6/2/2009

Important Information
Prerequisites:

N/A


Notes:

N/A


Warnings:

N/A


Problem Description:

How do I configure Websense Email Security (and SurfControl E-mail Filter v6.0) to eliminate the most spam?


Error Messages: (Detailed)

N/A


Resolution:

Websense Email Security includes several tools that, when fully configured, eliminate almost all spam. This article describes how to configure those components for maximum effectiveness.

If you are using SurfControl E-mail Filter v5.5, please consider upgrading to Websense Email Security v6.1. It has more anti-spam capabilities and isolates more spam than previous versions. If upgrading isn't an option, please see article 1774 for configuration guidelines.

The primary tools for combating spam include:

  • Anti-Spam Agent (ASA)
  • Reverse DNS Lookup
  • Reputation DNS Blacklist
  • Whitelist
  • Blacklist
  • Sender Policy Framework Check
  • Internet Threat Database
  • HTML Stripper

To get the best results, use all of these tools. Each is described in its own section below.

When a fully configured installation allows spam through, it is likely because the spammer is using a new strategy. We encourage you to send a copy of that spam to Websense for analysis and possible inclusion in the Anti-Spam Agent database. To send a spam for analysis, follow the directions in article 3173. For a method of capturing a specific spam using a Dictionary rule, see the section "Capturing spam that gets through the rules" at the end of this article.

Anti-Spam Agent (ASA)

Essential: ASA requires a subscription. When you register Websense Email Security or when you enable ASA updates in the Scheduler, you can activate a subscription. Provide the required information in the Registration screens. If you are running an evaluation copy, you can use ASA without a key during your 30-day evaluation period.

A complete description of the Anti-Spam Agent is located in chapter 6 of the Administrator's Guide.

ASA includes the following subcomponents. You can enable or disable any combination of these:

  • Digital Fingerprinting (DFP): Checks the digital fingerprint of an email against the Websense Anti-Spam DFP database.
  • Heuristics: Analyzes the email header and body (or just the header) to determine how closely the contents resemble spam.
  • LexiRules: Analyzes the email for word combinations and patterns that are common in spam.

Digital Fingerprinting is very accurate and returns virtually no false positives.

Heuristics and LexiRules assess the likelihood that an email is spam. They will sometimes block a legitimate email. For example, a marketing newsletter might share some characteristics with a spam email and trigger the rule.

For best results, use all ASA components.

ASA components are preconfigured in 2 default rules:

  1. The first rule enables only DFP. Email that triggers this rule is isolated in the Anti-Spam Agent-DFP folder. DFP is highly accurate; you can purge isolated messages after only a short holding period.
  2. The second default rule enables Heuristics and LexiRules. It is good at identifying new spam that has not yet been digitally fingerprinted. Email that triggers this rule is isolated in the Anti-Spam Agent folder. You should monitor this folder to determine if the rule is giving the desired results. You can adjust the Heuristics sensitivity level accordingly. Instructions are provided in the next section.

To change the ASA components settings in an existing ASA rule:

  1. In the list of rules in the Rules Administrator, click the ASA rule you want to change.
  2. In the Rules Palette, right-click the "if" element labeled "Message scan contains Anti-spam Agent content" and select Properties.
  3. Select the tab for the component you want to change.

Digital Fingerprinting (DFP) - Checks the digital fingerprint of an email against the Anti-Spam database. The Anti-Spam database classifies spam into 17 categories. You can decide the categories of content you want to allow or block.

To enable DFP:

  1. Select the Digital Fingerprinting tab and select Enable Digital Fingerprinting.
  2. Select the categories of spam to detect. The recommended setting is all categories.

Heuristics - Performs a series of tests that determine how closely an email resembles spam. You can set the sensitivity. The higher the sensitivity, the fewer spam-like traits an email needs to trigger the rule.

To enable Heuristics:

  1. Select the Heuristics tab and select Enable Heuristics.
  2. Use the slider to set a sensitivity level. The recommended setting is 3.

By default, the Heuristics tool scans the entire email. It is best to scan the whole message. See article 2341.

LexiRules - Performs tests that are similar to Heuristics, triggering if the email has spam-like traits.

To enable LexiRules, click on the LexiRules tab and select Enable LexiRules.

Essential: As with all rules, after creating or modifying a rule, you must save the changes and verify that the rule is enabled. Enabled rules are identified with a check in the adjacent box.

To create a new rule that includes the Anti-Spam Agent object:

ASA rules are constructed like any other rule.

  1. When you are ready to include the What object, drag the Anti-Spam Agent object into position. The Properties for Anti-Spam Agent dialog box is displayed.
  2. Select the Anti-Spam Agent components to be enabled.

Scheduling ASA definition updates:

Websense updates the ASA definitions very frequently. Websense recommends updating every 30 minutes to ensure you have the latest definitions.

To change the schedule, open the Scheduler, highlight the Anti-Spam Agent task, click Configure and adjust the update interval as needed. Click OK. If the Anti-Spam Agent task is not on the list, click Add item, select Anti-Spam Agent Update from the drop-down menu, set the update interval as needed, and click OK.

It is important to verify that update tasks are successfully completed, to minimize the amount of spam entering your system. To confirm that an ASA definition update is complete, click View Log in the Scheduler. Ensure that the most recent task completed and that the time stamp is current.

Important: Do not schedule update tasks to overlap.

Manually updating the ASA definitions:

If the ASA update fails, you may need to download the updates manually.

To check the status of an update, in the Scheduler click View Log.

To perform a manual update, go to http://asa.surfcontrol.com and follow the instructions.

If your product key can’t be registered or if the update failed to connect to the live update server, test the server's connection to the live update host by copying "st4update.surfcontrol.com" into a Web browser. If the connection is allowed, "The Live Update Server" is displayed in the browser window. Otherwise check to see if a proxy or firewall is blocking the connection.

Reverse DNS Lookup

By default, Reverse DNS Lookup is not enabled.

Reverse DNS Lookup verifies that email is coming from a legitimate sender by checking that the domain name specified by the sending mail client (in the HELO/EHLO greeting) matches the domain name in its DNS record. For a complete description, see chapter 3 of the Administrator's Guide.

When a mail client requests a connection, the Receive Service performs a reverse DNS lookup on the sender's IP address to get its PTR record. The default timeout is 3 seconds. If the PTR record does not exist, or if the DNS record doesn't match the host name specified in the HELO/EHLO command, Websense Email Filter can take one of three actions:

  • Log Only - The mismatch is displayed in the Receive Service panel and the connection is accepted and email received.
  • Deny if no DNS record found - If no DNS record corresponds to the sender's IP address and the requestor fails to authenticate itself, the connection is terminated.
  • Deny if DNS record fails to match HELO string - If the domain name in the DNS record does not match the one given in the HELO/EHLO command, the Receive Service terminates the connection, unless the sender authenticates itself.

The strongest setting is Deny if DNS record fails to match HELO string.

Warning: Under either of the Deny settings, if a legitimate sender has a misconfigured DNS setting or no PTR record, their messages are denied. For this reason, Websense recommends setting Reverse DNS Lookup to Log Only.

To exempt a trusted sender, see below.

To enable Reverse DNS Lookup:

  1. In the Server Configuration console select the Reverse DNS Lookup function.
  2. Select Enable Reverse DNS lookup.
  3. Select the Log Only bullet.
  4. Select an action. Click OK.

Excluding a mail server from Reverse DNS Lookup:

It is an RFC recommendation, but not a requirement, that the HELO/EHLO command contain the fully-qualified domain name (FQDN) of the sending mail client. If you have chosen to deny the connection, you may find that legitimate email is blocked because the sending mail client does not use the FQDN in its HELO/EHLO command. To avoid blocking legitimate senders, exclude them from reverse DNS lookup.

To exclude a mail server from Reverse DNS Lookup:

  1. In the Server Configuration console select Reverse DNS Lookup.
  2. Click Exclude. The Exclusion from Client DNS Lookup dialog box is displayed.
  3. Click Add. The SMTP List Entry dialog box is displayed.
  4. Enter the IP address you want to exclude from Reverse DNS Lookup and click OK.
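The following is an added example, not code from the article or from Websense Email Security, that models the Reverse DNS Lookup decision described above: a PTR lookup on the client address, a comparison against the HELO/EHLO name, the three actions (Log Only, Deny if no DNS record found, Deny if DNS record fails to match HELO string), the exception for authenticated clients, and the exclusion list. The PTR table is constructed sample data standing in for the resolver; treating a missing record as a mismatch under the strongest setting is an assumption.

```python
import ipaddress

# Constructed PTR data standing in for the DNS resolver (not real hosts).
PTR_TABLE = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.20": "mx1.example.net",
}

# The three actions offered by the Reverse DNS Lookup function.
LOG_ONLY = "log_only"
DENY_NO_RECORD = "deny_if_no_dns_record"
DENY_MISMATCH = "deny_if_record_fails_to_match_helo"


def reverse_lookup(ip, table=PTR_TABLE):
    """Stand-in for the Receive Service PTR query (the product uses a 3-second timeout)."""
    return table.get(ip)


def check_connection(client_ip, helo_name, mode, exclusions=(), authenticated=False):
    """Return (accept, reason) for a client that sent helo_name from client_ip.

    Log Only always accepts and records the problem; the two Deny settings drop
    the connection unless the client authenticated or its address is excluded.
    """
    addr = ipaddress.ip_address(client_ip)
    # Addresses on the Exclusion from Client DNS Lookup list skip the check entirely.
    for entry in exclusions:
        if addr in ipaddress.ip_network(entry, strict=False):
            return True, "excluded"

    ptr = reverse_lookup(client_ip)
    if ptr is None:
        problem = "no PTR record"
    elif ptr.lower().rstrip(".") != helo_name.lower().rstrip("."):
        problem = f"PTR {ptr} does not match HELO {helo_name}"
    else:
        return True, "match"

    # Under either Deny setting, a sender that authenticates is still accepted.
    if authenticated:
        return True, f"{problem} (authenticated)"
    if mode == DENY_NO_RECORD and ptr is None:
        return False, problem
    if mode == DENY_MISMATCH:
        # Assumption: the strongest setting also denies when no record exists.
        return False, problem
    # Log Only, or Deny-if-no-record with a record that merely mismatches.
    return True, f"{problem} (logged)"
```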

Reputation DNS Blacklist

This feature checks the IP address of the sender against the Websense Reputation service and/or checks the sender's True Source IP address against a list of spammers maintained by DNS Blacklist servers. You need to research and choose a DNS Blacklist server. For a complete description, see chapter 3 of the Administrator's Guide.

When an IP address is found in the Websense Reputation service or a DNS Blacklist, Websense Email Security can either:

  • Log Only - The information that the connection came from a sender on the Reputation DNS Blacklist server is recorded in the Connection log and displayed in the Monitor. The connection is allowed and the email is processed.
  • Deny Connection: The connection is dropped and email from that sender is rejected.

To significantly reduce spam, enable this feature and select Deny Connection.

To enable the Websense Reputation service:

  1. In the Server Configuration console select Email Connection Management > Reputation/DNS Blacklist.
  2. Check the Activate Websense Reputation Service check box.

Checking TrueSource IP addresses against DNS Blacklist servers:

To enable checks of a sender's True Source IP address against one or more DNS Blacklist servers:

  1. In the Server Configuration console select Email Connection Management > Reputation/DNS Blacklist.
  2. Select Check IP addresses against Reputation/DNS Blacklist.
  3. To add a DNS Blacklist server, click Add… The SMTP List Entry dialog box is displayed.
  4. Enter the domain name of the DNS Blacklist server to use and click OK.

Excluding mail servers from Reputation DNS Blacklist server checking:

A legitimate organization can sometimes be wrongly placed on a Reputation DNS Blacklist server, for example if its domain name has been used by a spammer to send spoofed email. You can exclude legitimate IP addresses from Reputation DNS Blacklist server lookups.

To exclude a mail server from Reputation DNS Blacklist server lookups:

  1. In the Server Configuration console select Email Connection Management > Reputation/DNS Blacklist.
  2. Select Exclude… The Exclusions dialog box is displayed.
  3. Click Add… The SMTP List Entry dialog box is displayed.
  4. Enter the IP address to exclude from Reputation DNS Blacklist lookups. If you have set up Reverse DNS Lookup for a domain, you can enter that domain. Click OK.
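As an added illustration (not code from the article or the product) of what happens when a DNS Blacklist server domain name is entered above: the standard DNSBL query reverses the octets of the True Source IP address, appends the server's zone, and treats an A record in 127.0.0.0/8 as a listing. The zone contents, the zone names and the exclusion handling are constructed assumptions for the example; a real deployment queries the blacklist server over DNS.

```python
import ipaddress

# Constructed zone data standing in for the DNS Blacklist servers (not real listings).
DNSBL_ZONES = {
    "dnsbl.example.org": {"5.100.51.198.dnsbl.example.org": "127.0.0.2"},
    "bl.example.net": {"7.100.51.198.bl.example.net": "127.0.0.10"},
}

LOG_ONLY = "log_only"
DENY_CONNECTION = "deny_connection"


def dnsbl_query_name(ip, zone):
    """Build the lookup name: IPv4 octets in reverse order, then the blacklist zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup_a(name, zone, zones=DNSBL_ZONES):
    """Stand-in for an A-record query; returns the answer or None for NXDOMAIN."""
    return zones.get(zone, {}).get(name)


def is_listed(ip, zone):
    """A DNSBL answers a listed address with an A record inside 127.0.0.0/8."""
    answer = lookup_a(dnsbl_query_name(ip, zone), zone)
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_sender(true_source_ip, zones, mode, exclusions=()):
    """Return (accept, reason). Excluded addresses bypass the lookup; Log Only
    records the hit and accepts; Deny Connection drops the connection."""
    if true_source_ip in exclusions:
        return True, "excluded"
    hits = [zone for zone in zones if is_listed(true_source_ip, zone)]
    if not hits:
        return True, "not listed"
    reason = "listed on " + ", ".join(hits)
    if mode == DENY_CONNECTION:
        return False, reason
    return True, reason + " (logged)"
```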

Whitelist

The Whitelist rule allows all email from the specified domain name or IP address, bypassing all subsequent enabled rules. Only add senders to the Whitelist when you are certain that the source is trusted.

Warning: The Whitelist can be a source of unwanted spam when a trusted sender is compromised or changes ownership or practices. When spam makes it through Websense Email Security, always check to see if the sender is on your Whitelist.

To add a sender to the list:

  1. In the Rules Administrator, in the Spam rules group find the Whitelist rule.
  2. In the Rule Palette right-click the "if" component and select Properties.
  3. Add the domain name or IP address. Click OK.
  4. Save your changes and confirm that the rule is enabled.

Blacklist

The Blacklist blocks email from sources you specify. Blocking happens at the connection level, before receiving any messages. For a complete description, see chapter 3 of the Administrator's Guide.

You can also specify exclusions to your blacklist. For example, if the domain xyz.com is on your blacklist, but you want to receive email from user1@xyz.com, you can add user1@xyz.com to the Exclusions list.

To add or remove an item on the Blacklist:

  1. In the Server Configuration console select Email Connection Management > Blacklist and click Add, Edit, Delete, or Exclude. Complete as appropriate.
  2. To add an entry, click Add. The Add/Edit deny list entry dialog box is displayed.
  3. Enter the domain, email address or IP address to be blacklisted. In the Comment field describe the reason the entry is blacklisted.
  4. Click OK. The Blacklisted items are displayed in the list.

When an entry is added to the Blacklist, an "Update Now" message is displayed in the Monitor. If you click Yes, a "Receive service configuration reloaded" message is displayed in the Receive panel of the Monitor. The Receive Service then rejects any mail client trying to send email from any of the specified domains, email addresses or IP addresses, unless the mail client’s IP address is added to the Trusted IP list with a setting of Open Relay.

Warning: Do not add the protected domain to the Blacklist or email to the protected domain will be rejected.

Sender Policy Framework Check

A Sender Policy Framework (SPF) check determines if a client or mail server is authorized to send email with a given "mail from" identity.

To set up SPF checking:

  1. In the Server Configuration console select the SPF Check function.
  2. Select Perform SPF checking against email sender, and then select an option for the connections that the check applies to.
    • For all connections
    • For all connections except when Connection Management uses True Source IP – If you have set up mail relays to use True Source IP you can use this option to remove SPF checking against senders using those mail relays.
  3. Select the conditions that must be met to reject email from a sender.

Warning: Websense recommends enabling only "SPF check shows sender as not authorized". The remaining options might block legitimate mail servers.

To exclude a sender from SPF checking:

  1. Click Exclude. The Exclusion from SPF check dialog box is displayed.
  2. If the IP address of the legitimate server is not in the list, click Add. The Excluded servers list entry dialog box is displayed.
  3. Enter the IP address of the server and click OK.
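To show why the warning above recommends rejecting only on "sender as not authorized", here is an added example (not code from the article or the product) that evaluates an SPF record for a connecting IP and "mail from" domain and then applies the rejection policy. It handles only the ip4, ip6 and all mechanisms with their qualifiers; the records, domains and addresses are constructed sample data standing in for live TXT lookups.

```python
import ipaddress

# Constructed SPF records keyed by "mail from" domain (stand-in for DNS TXT lookups).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.org": "v=spf1 ip4:203.0.113.0/24",
}

# Qualifier prefixes and the SPF result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Return pass, fail, softfail, neutral or none for the sending IP."""
    record = records.get(mail_from_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # a, mx, include and other mechanisms need live DNS and are not modelled here.
    return "neutral"  # nothing matched and the record has no "all" term


def should_reject(client_ip, mail_from_domain, excluded_ips=(), reject_on=("fail",)):
    """Apply the SPF check. The default rejects only a hard fail ("not authorized");
    softfail, neutral and none are accepted, matching the recommended setting."""
    if client_ip in excluded_ips:
        return False, "excluded"
    result = evaluate_spf(client_ip, mail_from_domain)
    return result in reject_on, result
```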

For a discussion of the use of SPF records to combat nuisance NDRs, see article 2968.

Internet Threat Database

Essential: Internet Threat Database requires a subscription. When you register Websense Email Security or when you enable Internet Threat Database updates in the Scheduler, you can activate a subscription. Provide the required information in the Registration screens. If you are running an evaluation copy, you can use Internet Threat Database during your 30-day evaluation period.

This rule leverages Websense's Internet Threat Database to block email that contains URLs and IP addresses related to spyware, adult sites, and other unwanted categories. For more information, see chapter 6 of the Administrator's Guide.

To configure the Internet Threat Database rule:

  1. In the Rules Administrator, in the list of Spam rules click the Internet Threat Database rule.
  2. In the Rules Palette, right-click the "if" element labeled "Message scan contains Internet Threat Database content" and select Properties. The Properties for Internet Threat Database dialog box is displayed.
  3. Select one or more categories to be detected, or click Select all. Click OK.
  4. Save your changes and verify that the rule is enabled.

HTML Stripper

This rule strips active HTML components from email. Active content, commonly used in spyware, is code that can execute on a client PC (such as JavaScript / VBScript, Java Applets or ActiveX objects). Active content can also include malicious actions executed by the mail client when the user is viewing the message. For more information, see chapter 6 of the Administrator's Guide.

Capturing spam that gets through the rules

To capture spam that gets through the rules, create a new rule that uses a custom dictionary.

This method is recommended for capturing an instance of spam, including the header, that is getting through the filter to send to Websense for analysis. It is not recommended for any other purpose.

If you already have a copy of the spam that includes the header, you don't need to use this approach. Simply send a copy of the spam to Websense. Follow the instructions in article 3173.

This method uses a custom dictionary and the LexiMatch rule to isolate a specific instance of spam. This method can generate false positives and is, therefore, not recommended for any other purpose.

To create a custom dictionary, you must know several unique words contained in the spam, the more unique words the better. Article 1736 provides a good example of capturing spam based on a unique Subject line.

The new rule should be placed at the bottom of the rules. The rule need only be enabled for a few hours. After you have a copy of the spam, submit it to Websense. Follow the instructions in article 3173.

Keywords:

spam, anti-spam, anti-spam agent, reputation service, reverse DNS lookup, blacklist, whitelist, SPF, internet threat database, HTML stripper, configuration
Documentation References
3rd Party Documentation:
Websense Product Data
Product Area(s):

Websense Email Security version 6.1
SurfControl E-mail Filter for SMTP version 6.0


Product Components Affected:

Integration Component:
Platform:
Windows 2000 Server SP4
Windows 2000 Advanced Server SP4
Windows Server 2003 SP1
Client OS:


NOTICE In the course of providing technical support for our own products, we find that we are sometimes asked to provide information with respect to the operation of third-party products and the interoperability of those products with Websense products. We may elect to provide information regarding third-party products as a courtesy to our customers, but because the information relates to non-Websense products, the information may not be complete or accurate and cannot be warranted or guaranteed in any way. Websense does not represent that it has any expertise with respect to non-Websense products and will not be responsible in any way for claims arising from our customers' use of third-party products, regardless of whether Websense has provided any information or support relating to those products.