Friday, 23 November 2012

SRX UTM - Antispam

The antispam module can block email messages using a third-party server block list (SBL) and/or user-configured blacklists and whitelists. The goal of the antispam module is to block and filter spam email messages. This module only supports the SMTP application. This post builds on the UTM knowledge discussed in the UTM Overview post, so please feel free to reference that post first. The diagram below outlines the basic lab setup for this exercise.


Configure Antispam
1. Confirm Licensing
The antispam UTM module does require a license. The command 'show system license' can be used to display the installed licenses. The license 'anti_spam_key_sbl' is needed for this exercise.

2. Create Custom Objects
The custom object 'url-pattern' can be used to identify SMTP servers by DNS name or IP address. In this exercise I will test antispam using a laptop with an IP address of 192.168.1.102. I have used this IP address in the blacklist. The whitelist has an example of a DNS name. Shaw is my internet provider, so I have added them to the whitelist. The screenshot below outlines these commands.

3. Configure Feature Profile
In this step a feature profile is created. Blacklists and whitelists are defined by referencing the url-pattern lists created in step 2. The action of tagging the message is also defined. The screenshot below outlines these commands.

4. Configure UTM Policy
In this step a UTM policy is created. The smtp-profile we created in the previous step is referenced for the antispam module. The screenshot below outlines this command.

5. Attach UTM Policy to Security Policy
In this step the UTM policy is configured under the desired security policy. In this example we are using a preconfigured security policy that is used for general outbound internet access. The screenshot below outlines the command.
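The five configuration steps above, collected into one set of Junos 'set' commands. This is an added example written for this post, not the author's screenshots: the list, profile, policy and zone names (spam-blacklist, spam-whitelist, smtp-profile, antispam-policy, trust/untrust, outbound-internet) are assumed, the whitelist entry shaw.ca is a placeholder for the provider's mail domain, and tag-subject is one of the tagging actions the profile accepts; substitute your own names before committing.

```junos
## Step 2: custom objects. url-pattern lists hold the IP addresses or DNS
## names of sending SMTP servers. 192.168.1.102 is the lab laptop from the
## post; shaw.ca is an assumed placeholder for the provider's mail domain.
set security utm custom-objects url-pattern spam-blacklist value 192.168.1.102
set security utm custom-objects url-pattern spam-whitelist value shaw.ca

## Step 3: feature profile. The address lists reference the url-pattern
## objects above; the SBL profile (name assumed: smtp-profile) uses the
## default Sophos SBL server and tags, rather than drops, matching mail.
set security utm feature-profile anti-spam address-blacklist spam-blacklist
set security utm feature-profile anti-spam address-whitelist spam-whitelist
set security utm feature-profile anti-spam sbl profile smtp-profile sbl-default-server
set security utm feature-profile anti-spam sbl profile smtp-profile spam-action tag-subject
set security utm feature-profile anti-spam sbl profile smtp-profile custom-tag-string "***SPAM***"

## Step 4: UTM policy that binds the antispam profile to SMTP traffic
## (policy name assumed: antispam-policy).
set security utm utm-policy antispam-policy anti-spam smtp-profile smtp-profile

## Step 5: attach the UTM policy to the existing outbound security policy.
## Zone and policy names are assumed; the policy must already permit SMTP.
set security policies from-zone trust to-zone untrust policy outbound-internet then permit application-services utm-policy antispam-policy

commit
```

Order matters for the defender's intent: the whitelist is consulted before the blacklist and the SBL lookup, so a sender placed on both lists is allowed through. Keep whitelist entries narrow (the provider's relay, not a broad domain) so the list does not become a bypass for the SBL check.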




Verify Antispam
1. Verify antispam status.
The command 'show security utm anti-spam status' outlines the SBL server used.

2. Verify block from domain or user on blacklist
To test the antispam module I connected to an SMTP server from the laptop of 192.168.1.102. This laptop IP was placed in the blacklist.

The command 'show security utm anti-spam' can be used to see detailed statistics. In the screenshot output below you can see that the blacklist count is 1.


3. View Antispam Logs from CLI
First a syslog file has to be created with a match statement. The match statement to use for antispam is 'ANTISPAM_'. The screenshot below outlines the commands to create this log file.

The command 'show log {log-file name}' can be used to view the log file. The events give the source IP (sender), the source email address and the reason the message was blocked. The screenshot below displays an example of the antispam log event.



4. Verify if an IP address is on the SBL Block list
The SBL service is provided by Sophos. They have a handy web page (http://www.sophos.com/en-us/threat-center/ip-lookup.aspx) where you can test names and IP addresses to see how they are classified by the SBL server.

5. Test IP address against an Antispam Profile
The command 'test security utm anti-spam' is also very handy. This command will test an IP address or name against a configured antispam profile. The screenshot below highlights some examples of this command. Notice that the laptop IP address I configured in the blacklist is correctly identified in the first example.
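The verification steps above as one CLI session, added here as an example rather than taken from the post's screenshots. It assumes the profile name smtp-profile from the configuration section, a syslog file name of antispam-log, and that the laptop at 192.168.1.102 has already sent one test message; the argument keywords of the 'test security utm anti-spam' command are written from memory and should be confirmed with '?' completion on your release.

```junos
## Step 1 of the configuration section: confirm the SBL license, then check
## which SBL server the box is using (operational mode).
show system license
show security utm anti-spam status

## Verify step 3: a syslog file that keeps only antispam events. The match
## regex ANTISPAM_ covers every antispam event name, so detections from the
## SBL, the blacklist and the whitelist all land in one file (name assumed).
configure
set system syslog file antispam-log any any
set system syslog file antispam-log match ANTISPAM_
commit and-quit

## Verify step 2: after the laptop sends a message, the blacklist counter
## should read 1 and the log file should show the sender IP, the sender
## address and the reason the message was tagged.
show security utm anti-spam statistics
show log antispam-log

## Verify step 5: query the profile directly without sending mail. The
## blacklisted laptop should be reported as matching the blacklist; a
## second lookup of a known-clean address should not match. Argument
## keywords (profile, ip-address) are assumed.
test security utm anti-spam profile smtp-profile ip-address 192.168.1.102
test security utm anti-spam profile smtp-profile ip-address 192.168.1.1

## Reset counters between test runs so each result is unambiguous.
clear security utm anti-spam statistics
```

Two checks are worth doing when a test does not behave as expected: confirm with 'show security utm anti-spam status' that the SBL server is reachable (an unreachable server means only the local lists are applied), and confirm that the security policy carrying the UTM policy is the one the SMTP session actually hits, since a more specific policy above it silently bypasses the antispam module.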



Conclusion
The next post will focus on the UTM Antivirus module.

