TechTip: Getting Tough on Spam 

Apr 14, 2009 02:43 PM

More than 75 percent of all email today is spam, placing a significant strain on your network, budget, and employee productivity. While being educated on spam is important, optimizing your messaging security technology is critical to a comprehensive spam defense strategy.

Spam volumes have been rising to record levels lately, and Symantec research (see Symantec’s monthly state of spam report) shows no signs of abating. To lessen the load on traditional content filters, customers are increasingly looking towards IP-based reputation technologies to block more spam before it’s accepted by mail servers. By blocking certain incoming SMTP connections, it’s possible to forgo computationally expensive content filtering and bolster your defenses.

This Tech Tip will discuss how to use some of the advanced features of Symantec Mail Security 8300 to enable more aggressive rejection techniques.

Catching the usual suspects

Symantec maintains lists of the IP addresses of “zombie” machines—computers around the world that have been compromised to send spam—as well as suspected spammers, computers that Symantec has seen sending spam to its nearly 100,000 mail security customer sites around the world.

Symantec Mail Security 8300 rejects SMTP connections from the zombie machines by default; however, the default setting for the suspect spammers list only defers delivery of the message. To tighten security, many users choose to change this setting to reject any incoming connection attempts from suspected spammers. To accomplish this, simply log into Symantec Mail Security 8300’s Web-based administration console, navigate to Spam > Sender Groups > Suspect Spammers, and change the action from “defer SMTP connection” to “reject SMTP connection.” This will result in fewer connections being accepted by the mail server and ensure that less unwanted email gets onto your network.

Reputation is everything

Another feature that can help reduce spam further is called SMTP Traffic Shaping. Recently, Symantec has seen a rise in distributed low-volume attacks, meaning spam is sent from compromised machines that periodically send spurts of spam, but not in enough volume or consistently enough to be considered a global threat. To confront these threats at the local level, each Symantec Mail Security 8300 appliance builds its own “local reputation” database that tracks where spam targeting specific customers is coming from. For maximum protection, enable SMTP Traffic Shaping under the Spam menu, and set its sensitivity to “high.”

Reject, don’t bounce

Spammers often attempt to get spam into an organization by sending messages to random recipients and determining which addresses are valid. In most cases, the majority will bounce back, letting spammers know that those addresses don’t exist. However, those that don’t bounce have just added a new address to the spammer’s arsenal. This type of attack is known as a directory harvest attack. To avoid accepting incoming SMTP connections from invalid recipients, make sure to enable synchronization with your company’s LDAP directory: Administration > LDAP > Add LDAP Server for Recipient Validation.

The next step is to specify the domains for which you want to enable LDAP recipient validation. For example, you will most likely want to turn it on for yourcompany.com, but if you do not have directory data for all of your domains, you can specify domains for which you do not wish to perform recipient validation. To select which domains to validate, choose from the list under Protocols > Local Domains. By only accepting mail for valid recipients, the appliance processes significantly fewer messages and the downstream groupware servers see a far lower load.

To prevent spammers from determining your valid and invalid users, after synchronization with your LDAP server is complete, go to Spam > Directory Harvest Attack and click “enable.”
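As an added example (not Symantec’s code and not the 8300’s actual logic), the following Python models the two mechanisms described above: rejecting unknown recipients at RCPT TO time against a synced directory, so the message is never accepted and no bounce is generated, and cutting off any source IP that probes too many invalid addresses. The directory contents, the client IPs, the domains and the threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed stand-in for the synced LDAP directory (hypothetical data).
VALID_RECIPIENTS = {"alice@yourcompany.com", "bob@yourcompany.com"}
VALIDATED_DOMAINS = {"yourcompany.com"}   # domains we hold directory data for
DHA_THRESHOLD = 5   # invalid RCPT TOs from one IP before the source is cut off

class RecipientGate:
    """Answers RCPT TO at SMTP time and tracks invalid-recipient probes per IP."""

    def __init__(self, valid=VALID_RECIPIENTS, domains=VALIDATED_DOMAINS,
                 threshold=DHA_THRESHOLD):
        self.valid = {a.lower() for a in valid}
        self.domains = {d.lower() for d in domains}
        self.threshold = threshold
        self.invalid_counts = defaultdict(int)
        self.blocked = set()

    def rcpt_to(self, client_ip, recipient):
        """Return (smtp_code, text) for one RCPT TO from client_ip."""
        if client_ip in self.blocked:
            # Source already identified as harvesting: refuse everything,
            # including valid addresses, so it learns nothing further.
            return 550, "5.7.1 Rejected: directory harvest attack"
        addr = recipient.lower()
        domain = addr.rpartition("@")[2]
        if domain not in self.domains:
            # No directory data for this domain: accept and let downstream decide.
            return 250, "2.1.5 Recipient OK (not validated)"
        if addr in self.valid:
            return 250, "2.1.5 Recipient OK"
        # Unknown user: reject during the session. The message is never
        # accepted, so no bounce (NDR) is generated and no backscatter leaves.
        self.invalid_counts[client_ip] += 1
        if self.invalid_counts[client_ip] >= self.threshold:
            self.blocked.add(client_ip)
        return 550, "5.1.1 User unknown"

def replay(gate, events):
    """Feed (client_ip, recipient) pairs through the gate; return the SMTP codes."""
    return [gate.rcpt_to(ip, rcpt)[0] for ip, rcpt in events]

# Constructed sample: one host probing dictionary names, one legitimate sender.
SAMPLE_EVENTS = [("203.0.113.5", f"{name}@yourcompany.com")
                 for name in ("aaron", "abby", "adam", "alan", "alice", "amy", "bob")]
SAMPLE_EVENTS.append(("198.51.100.7", "alice@yourcompany.com"))
```

Running `replay(RecipientGate(), SAMPLE_EVENTS)` shows the probing host getting 550 for unknown names, a 250 when it happens to guess a real one, and then 550 for everything once it crosses the threshold, while the legitimate sender is unaffected.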

Finally, you’ll most likely want to reject connections from IP addresses that have sent you viruses. Simply navigate to Virus > Email Virus Attack and click “enable.”

By following the steps outlined in this TechTip, you will be rejecting all connections from IP addresses that Symantec knows to be malicious, as well as those that your local environment has flagged.

For more detailed information about Symantec Mail Security 8300, visit the product page, or the support documentation page.

To discuss Symantec Mail Security 8300 with other users, visit the Symantec Technology Network.
