Anti-spam filtering – Amer Networks E5Web GUI User Manual
Page 402

extension list that is returned to the client by an SMTP server behind the Clavister Security
Gateway. When an extension is removed, a log message is generated with the text:
unsupported_extension
capability_removed
The parameter "capa=" in the log message indicates which extension the ALG removed from the
server response. For example, this parameter may appear in the log message as:
capa=PIPELINING
to indicate that the pipelining extension was removed from the SMTP server reply to an EHLO
client command.
Although ESMTP extensions may be removed by the ALG and related log messages generated,
this does not mean that any emails are dropped. Email transfers will take place as usual but
without making use of unsupported extensions removed by the ALG.
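The following is an added example, not code from cOS Core or the manual, of what the ALG behaviour described above amounts to: an EHLO reply from the protected server is rewritten so that only extensions the ALG understands reach the client, and each removal produces a log line carrying the `capa=` parameter. The allowed-extension set, the sample reply and the exact log line layout are assumptions made here for illustration.

```python
"""Added example: strip unsupported ESMTP extensions from an EHLO reply the way an
SMTP ALG does, logging each removal. Not cOS Core code; the allowed set, sample
reply and log line layout are assumptions for illustration."""

# Extensions the (hypothetical) ALG is willing to pass through to the client.
ALLOWED_EXTENSIONS = {"SIZE", "8BITMIME", "STARTTLS", "AUTH"}

# Constructed EHLO reply from a server behind the gateway (CRLF-terminated lines).
SAMPLE_EHLO_REPLY = (
    "250-mail.example.internal Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-CHUNKING\r\n"
    "250 STARTTLS\r\n"
)


def filter_ehlo_reply(reply, allowed=ALLOWED_EXTENSIONS):
    """Return (filtered_reply, log_lines).

    The first 250 line is the greeting and is always kept. Each later line
    names one extension keyword (plus optional parameters); lines whose
    keyword is not in `allowed` are dropped and a log line is produced.
    """
    lines = reply.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing CRLF leaves an empty element
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")

    bodies = [lines[0][4:]]  # greeting text after "250-" or "250 "
    logs = []
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected continuation line: %r" % line)
        body = line[4:]
        keyword = body.split(" ", 1)[0].upper()
        if keyword in allowed:
            bodies.append(body)
        else:
            # Assumed log layout modelled on the manual's event names and capa= parameter.
            logs.append("unsupported_extension capability_removed capa=%s" % keyword)

    # Re-emit the reply: every line but the last uses "250-", the last uses "250 ".
    out = []
    for i, body in enumerate(bodies):
        sep = " " if i == len(bodies) - 1 else "-"
        out.append("250" + sep + body)
    return "\r\n".join(out) + "\r\n", logs


if __name__ == "__main__":
    filtered, log_lines = filter_ehlo_reply(SAMPLE_EHLO_REPLY)
    print(filtered)
    for entry in log_lines:
        print(entry)
```

Note that the continuation marker is recomputed after filtering: if the last original line advertised an extension that gets removed, the new final line must carry "250 " rather than "250-", otherwise the client waits for a reply that never ends.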
6.2.5.1. Anti-Spam Filtering
Unsolicited email, often referred to as spam, has become both a major annoyance and a
security issue on the public Internet. Unsolicited email, sent out in massive quantities by groups
known as spammers, wastes resources, can transport malware and can try to direct the reader to
webpages that exploit browser vulnerabilities.
Integral to the cOS Core SMTP ALG is a spam module that provides the ability to apply spam
filtering to incoming email as it passes through the Clavister Security Gateway on its way to a
local SMTP email server. Filtering is done based on the email's origin. This approach can
significantly reduce the burden of such email in the mailboxes of users behind the Clavister
Security Gateway.
cOS Core offers two approaches to handling spam:
• Dropping email which has a very high probability of being spam.
• Letting through but flagging email that has a moderate probability of being spam.
The cOS Core Anti-Spam Implementation
SMTP functions as a protocol for sending emails between servers. cOS Core applies Spam
filtering to emails as they pass through the Clavister Security Gateway from an external remote
SMTP server to a local SMTP server (from which local clients will later download their emails).
Typically, the local, protected SMTP server will be set up on a DMZ network and there will usually
be only one "hop" between the sending server and the local, receiving server.
DNSBL Databases
A number of trusted organizations maintain publicly available databases of the origin IP address
of known spamming SMTP servers and these can be queried over the public Internet. These lists
are known as DNS Black List (DNSBL) databases and the information is accessible using a
standardized query method supported by cOS Core. The image below illustrates all the
components involved:
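As an added illustration of the standardized DNSBL query method referred to above (this is example code written for this page, not cOS Core's implementation), the lookup reverses the octets of the sending server's IPv4 address and resolves them as a hostname under the list's DNS zone; a listed address yields an A record in 127.0.0.0/8, an unlisted one yields NXDOMAIN. The example then combines several lists into the two verdicts the text describes, drop for a high score and flag for a moderate one. The list zones, the per-list weights, the thresholds and the resolver stub are all assumptions made here; a real deployment would query the configured DNSBL servers over DNS.

```python
"""Added example: DNSBL lookup and a two-level spam verdict (drop / flag / allow).
Not cOS Core code. The query form (reversed IPv4 octets under the list zone,
listed addresses answered with an A record in 127.0.0.0/8) is the standard DNSBL
convention; zones, weights, thresholds and the resolver stub are assumptions."""

import ipaddress


def dnsbl_query_name(sender_ip, zone):
    """Build the DNS name that asks `zone` about `sender_ip`.

    Octets are reversed so the most specific part comes first, e.g.
    192.0.2.10 under zone "dnsbl.example" -> "10.2.0.192.dnsbl.example".
    """
    ip = ipaddress.IPv4Address(sender_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return "%s.%s" % (reversed_octets, zone)


def is_listed(answer):
    """True only for an answer inside 127.0.0.0/8.

    None (NXDOMAIN or lookup failure) means not listed. Any other address is a
    broken or hijacked list and is ignored rather than counted as a hit, so a
    misbehaving DNSBL cannot make the gateway drop all mail.
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ipaddress.AddressValueError:
        return False


def spam_verdict(sender_ip, lists, resolve, drop_threshold, spam_threshold):
    """Query each configured list; return ("drop"|"flag"|"allow", score, hits).

    `lists` maps zone -> weight (assumed scoring scheme). `resolve(name)`
    returns the A record as a string or None on NXDOMAIN/failure; it is
    injected so the example runs offline.
    """
    score = 0
    hits = []
    for zone, weight in lists.items():
        if is_listed(resolve(dnsbl_query_name(sender_ip, zone))):
            score += weight
            hits.append(zone)
    if score >= drop_threshold:
        return "drop", score, hits
    if score >= spam_threshold:
        return "flag", score, hits
    return "allow", score, hits


# Constructed DNSBL contents standing in for real servers (assumption).
FAKE_DNSBL = {
    "10.2.0.192.bl-one.example": "127.0.0.2",
    "10.2.0.192.bl-two.example": "127.0.0.4",
    "20.2.0.192.bl-one.example": "127.0.0.2",
    "30.2.0.192.bl-two.example": "10.0.0.1",  # bogus reply outside 127/8, ignored
}


def fake_resolve(name):
    """Offline stand-in for a DNS A-record query against the lists above."""
    return FAKE_DNSBL.get(name)


LISTS = {"bl-one.example": 5, "bl-two.example": 5}  # assumed per-list weights


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, spam_verdict(ip, LISTS, fake_resolve, drop_threshold=10, spam_threshold=5))
```

The address queried must be the IP of the SMTP peer that actually connected through the gateway, which is why the text assumes a single hop between sender and protected server: with a relay in between, the peer address would be the relay's, not the spammer's.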
DNSBL Server Queries
When the cOS Core Anti-Spam filtering function is configured, the IP address of the email's
sending server is sent to one or more DNSBL servers to find out if any DNSBL servers think the
Chapter 6: Security Mechanisms