About blocking and allowing messages using sender groups

Article:HOWTO15766  |  Created: 2009-01-31  |  Updated: 2010-01-30  |  Article URL http://www.symantec.com/docs/HOWTO15766
Article Type: How To

Filtering email based on the sender's domain, IP address, or email address provides administrators and end users a powerful way to reduce spam and malware.

Note:
This section describes administrator-defined and global sender groups, which are applied at the server level for your organization. To allow end users to maintain individual sender lists, enable personal good and bad sender lists by going to Administration > Users > Groups.

See Enabling and disabling end user settings for policy groups.

Symantec Brightmail Gateway lets you customize spam detection in the following ways:

Define good senders

Symantec Brightmail Gateway treats mail coming from an address or connection in the Local Good Sender Domains and Local Good Sender IPs groups as legitimate mail. The good sender groups reduce the small risk that messages sent from trusted senders will be treated as spam or filtered in any way. By default messages from these senders are delivered normally.

Define bad senders

Symantec Brightmail Gateway supports a number of actions for mail from a sender or connection in the Local Bad Sender Domains and Local Bad Sender IPs groups. By default, messages from senders in the Local Bad Sender Domains group are deleted. By default, SMTP connections from senders in the Local Bad Sender IPs and Third Party Bad Senders groups are rejected. However, you can instead choose other actions.

Use global sender groups

By default, Symantec Brightmail Gateway is configured to use Symantec Global Good Senders and Symantec Global Bad Senders. Symantec monitors hundreds of thousands of email sources to determine how much email sent from these IP addresses is legitimate and how much is spam.

Symantec Global Good Senders consists of IP addresses known as legitimate senders based on reputation data collected by Symantec. Symantec Global Bad Senders consists of IP addresses that have sent large amounts of spam to mail servers protected by Symantec.

Both groups are continuously compiled, updated, and incorporated into Symantec Brightmail Gateway filtering processes at your site. No configuration is required for these lists. You can choose to disable either of these lists.

By default, messages from senders in the Symantec Global Good Senders group are delivered normally. By default, SMTP connections from senders in the Symantec Global Bad Senders group are rejected. However, you can instead choose other actions.

Incorporate lists managed by other parties

Third parties compile and manage lists of desirable or undesirable IP addresses. These lists are queried using DNS lookups. You can add third-party sender lists to your Third Party Bad Senders or Third Party Good Senders groups.

By default, SMTP connections from bad senders in these groups are rejected, and messages from good senders in these groups are delivered normally. However, you can instead choose other actions.

Note:
Be sure to confirm the quality of a third party list before using it. Symantec is unable to resolve false positives that result from third-party lists.


Table: Use cases for good and bad sender groups describes why you might want to maintain lists of good or bad senders for your organization and gives examples of patterns that you might use to match the sender.

Table: Use cases for good and bad sender groups

Problem: Mail from an end-user's colleague is occasionally flagged as spam.
Solution: If personal good and bad sender lists are enabled for end users, the user can add the colleague's email address to their Good Senders list. To enable this capability for an end user, go to Administration > Users > Policy Groups, edit the policy group containing the end user, and click on the End User tab. The user can then add colleague@trustedco.com to their Good Senders list. See Enabling and disabling end user settings for policy groups.
Pattern example: colleague@trustedco.com

Problem: Desired newsletter from a mailing list is occasionally flagged as spam.
Solution: Add newsletter.com to the Local Good Sender Domains group. See Adding senders to administrator and third party sender groups.
Pattern example: latest@newsletter.com

Problem: An individual is sending unwanted mail to people in your organization.
Solution: Add Joe.unwanted@getmail.com to the Local Bad Sender Domains group. See Adding senders to administrator and third party sender groups.
Pattern example: Joe.unwanted@getmail.com

Problem: Numerous people from a specific range of IP addresses are sending unsolicited mail to people in your organization.
Solution: After analyzing the received headers to determine the sender's network and IP address, add 218.187.0.0/255.255.0.0 to the Local Bad Sender IPs group. See Adding senders to administrator and third party sender groups. See Supported methods for identifying senders.
Pattern example: 218.187.0.0/255.255.0.0


When evaluating domain name matches, Symantec Brightmail Gateway automatically expands the specified domain to include subdomains. For example, Symantec Brightmail Gateway expands example.com to include biz.example.com and jenny@foo.example.com, to ensure that any possible subdomains are allowed or blocked as appropriate.

See Supported methods for identifying senders.

You cannot have the exact same entry in both a good sender group and a bad sender group. If an entry already exists in one group, you see an error message when you try to add the same entry to the other group. If you want to move an entry from one group to the other, first delete it from the group where it currently resides, then add it to the other group.

Incorporating third-party lists adds additional steps to the filter process. For example, similar to a typical DNS query, the IP address of the sending mail server for each incoming message is checked against a DNS list maintained in the third-party database. If the sending mail server is on the list, the mail is flagged as spam. If your mail volume is sufficiently high, running incoming mail through a third-party database could hamper performance because of the requisite DNS lookups. Symantec recommends that you use the Symantec Global Good Senders and Symantec Global Bad Senders groups instead of enabling third-party lists.
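The following is an added example (not part of this article and not Brightmail Gateway code) of the DNS lookup a third-party sender list requires for each incoming connection. It follows the common DNS-based list convention of querying the peer's octets in reverse order under the list's zone and treating a 127.0.0.x answer as "listed"; the zone name, the records and the resolver function are constructed stand-ins so the code runs offline.

```python
import ipaddress

# Constructed illustration: one DNS query per incoming connection per list.
# The reversed-octet query name and 127.0.0.x answers follow the usual
# DNS-based list convention; the zone and resolver below are stand-ins.

def dnsbl_query_name(peer_ip, zone):
    """Build the name queried for peer_ip: octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(peer_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."

def check_sender_list(peer_ip, zone, resolve):
    """resolve(name) stands in for an A-record lookup and returns the answer
    strings ([] when the name does not exist). A 127.0.0.x answer means 'listed'."""
    answers = resolve(dnsbl_query_name(peer_ip, zone))
    return any(a.startswith("127.0.0.") for a in answers)

# Constructed offline records standing in for a real third-party zone.
SAMPLE_ZONE = "bad.list.example"
SAMPLE_RECORDS = {"10.2.0.192.bad.list.example.": ["127.0.0.2"]}
QUERY_COUNT = {"n": 0}  # counts lookups, the per-message cost the article warns about

def sample_resolve(name):
    QUERY_COUNT["n"] += 1
    return SAMPLE_RECORDS.get(name, [])

def classify(peer_ip, zone=SAMPLE_ZONE, resolve=sample_resolve):
    """Mirror the article's default for a Third Party Bad Senders hit: reject the
    SMTP connection; every other connection proceeds to normal filtering."""
    return "reject" if check_sender_list(peer_ip, zone, resolve) else "accept"
```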

When deployed at the gateway, Symantec Brightmail Gateway obtains the physical or peer IP connection for an incoming message and compares it to entries in the good sender and bad sender groups. If a Scanner is deployed elsewhere in your network, for example, downstream from a gateway MTA that is not identified as an internal mail host, Symantec Brightmail Gateway may identify the IP address of your gateway server as a source of spam. You should accurately identify all internal mail hosts that are upstream relative to inbound mail flow from your Symantec Brightmail Gateway appliance.

See Specifying internal mail hosts for non-gateway deployments.

In addition to internal mail hosts you can add, Symantec Brightmail Gateway includes a series of IP address ranges in the internal hosts list as follows:

  • 0.0.0.0/255.0.0.0

  • 10.0.0.0/255.0.0.0

  • 127.0.0.0/255.0.0.0

  • 169.254.0.0/255.255.0.0

  • 172.16.0.0/255.240.0.0

  • 192.168.0.0/255.255.0.0

Symantec Brightmail Gateway will exclude the IP addresses of internal mail hosts from the following verdicts:

  • Local Good Sender IPs

  • Local Good Third Party Senders

  • Local Bad Sender IPs

  • Local Bad Third Party Senders

  • Directory Harvest Attacks

  • Symantec Global Bad Senders

  • Symantec Global Good Senders

  • Connection Classification

  • Email Virus Attacks

  • Fastpass


Legacy ID: 322116