Messaging Gateway

  • 1.  Stopping targeted SPAM emails

    Posted May 31, 2016 03:29 AM

    We're receiving almost daily spam emails to one of our group email IDs.

    The email content is of the kind

    "Yo, honey! Here is my fresh nmbr, IMU very much. We had a great time F2F 1 day. I want to meet with u honey again, plz txt me"

    As is obvious this is 100% spam, but it still misses detection repeatedly and we've been facing the problem for over two months now.

    We have submitted over 30 such emails to customer-specific submissions and I still don't see any spam mails filtered based on that verdict.

    I've opened cases but Symantec TAC refuses to make any spam recommendation settings, with the lawyer-esque "they cannot be held responsible" line.

    My suspected spam setting is at the default of 75. I think reducing it would be the best way forward.

    We're not using DISARM at all. The spam emails do not contain any attachments or URLs anyway.



  • 2.  RE: Stopping targeted SPAM emails

    Posted Jun 06, 2016 02:29 AM

    Hi,

    You could do several things, e.g. a support case, etc.

    But I would analyse the complete mail, including the headers, to find similar parameters across all those mails and so find the right action.

    E.g. sending IP: are they different, or spam-bots? What about rDNS checks?

    Envelope From vs. From: are the domains registered, do they differ?

    Content: you could add certain words into a pattern or dictionary and create a content rule for these.

    etc., etc.

    Regards

    Thomas
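
The header triage Thomas describes (sending IP, envelope From vs. header From, a word dictionary), as an added example that is not code from the thread or from SMG. The three messages, the relay address 172.16.0.5, the trusted network 172.16.0.0/12 and the dictionary words are all constructed for the example; it walks the Received chain past the trusted relay to the hop that actually handed the mail in, compares the two sender domains, counts dictionary hits, and then tallies which parameters recur across the run.

```python
import re
import ipaddress
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not mail from the thread. In each one the
# topmost Received line is the internal relay that sits in front of the
# gateway (assumed 172.16.0.5 here), so the gateway's own "connection IP"
# never identifies the real sender; the hop below it does.
SAMPLES = [
    """Return-Path: <bounce-8812@bulk-sender.example>
Received: from relay.internal.example ([172.16.0.5])
  by smg.example.com with ESMTP; Tue, 31 May 2016 03:10:00 +0000
Received: from mx.bulk-sender.example ([198.51.100.23])
  by relay.internal.example with ESMTP; Tue, 31 May 2016 03:09:58 +0000
From: "Jessica" <jessica@freemail.example>
To: sales@example.com
Subject: hey

Yo, honey! Here is my fresh nmbr, IMU very much. plz txt me
""",
    """Return-Path: <bounce-9201@bulk-sender.example>
Received: from relay.internal.example ([172.16.0.5])
  by smg.example.com with ESMTP; Wed, 01 Jun 2016 04:02:00 +0000
Received: from mx.bulk-sender.example ([198.51.100.23])
  by relay.internal.example with ESMTP; Wed, 01 Jun 2016 04:01:57 +0000
From: "Amber" <amber@webmail.example>
To: sales@example.com
Subject: hi again

We had a great time F2F. I want to meet u honey, plz txt me
""",
    """Return-Path: <alice@partner.example>
Received: from relay.internal.example ([172.16.0.5])
  by smg.example.com with ESMTP; Wed, 01 Jun 2016 09:00:00 +0000
Received: from mail.partner.example ([203.0.113.9])
  by relay.internal.example with ESMTP; Wed, 01 Jun 2016 08:59:58 +0000
From: Alice <alice@partner.example>
To: sales@example.com
Subject: Q3 order

Please find the revised order quantities attached.
""",
]

# Assumed: the relay network is trusted and is skipped when walking the
# Received chain back to the originating hop.
TRUSTED_NETS = [ipaddress.ip_network("172.16.0.0/12")]

# Assumed dictionary built from the wording of the repeated spam runs.
DICTIONARY = ["honey", "nmbr", "txt me", "imu", "f2f"]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """Bracketed IPv4 literal from each Received header, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(msg, trusted_nets=TRUSTED_NETS):
    """First hop, walking back from the gateway, that is not a trusted relay."""
    for ip in received_ips(msg):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted_nets):
            return ip
    return None


def sender_domains(msg):
    """(envelope-from domain, header From domain), lower-cased."""
    env = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hdr = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return env, hdr


def dictionary_hits(text, words=DICTIONARY):
    """Dictionary entries present as whole words/phrases in text."""
    return [w for w in words
            if re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)]


def triage(raw):
    """Per-message parameters worth comparing across a spam run."""
    msg = message_from_string(raw)
    env, hdr = sender_domains(msg)
    body = msg.get_payload()
    return {
        "origin_ip": originating_ip(msg),
        "envelope_domain": env,
        "from_domain": hdr,
        "domains_differ": env != hdr,
        "dictionary_hits": dictionary_hits(msg.get("Subject", "") + " " + body),
    }


def common_parameters(results, key):
    """Count how often each value of `key` recurs, most common first."""
    return Counter(r[key] for r in results).most_common()


if __name__ == "__main__":
    results = [triage(s) for s in SAMPLES]
    for r in results:
        print(r)
    print("origin IPs:", common_parameters(results, "origin_ip"))
    print("envelope domains:", common_parameters(results, "envelope_domain"))
```

Run against a folder of the submitted samples, the recurring values (here both spam messages come from 198.51.100.23 with the envelope domain bulk-sender.example while the display From domain changes) are the parameters a content rule or sender block can be built on; the clean partner message shows matching domains and no dictionary hits.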



  • 3.  RE: Stopping targeted SPAM emails

    Posted Jun 10, 2016 02:21 AM

    Hi Tom,

    Thanks for the response.

    I would like to add a detail about our SMG deployment. The way our SMG is deployed, the SMG is not able to check the "incoming email connection IP" and check the IP reputation.

    As per our deployment all our incoming email appears to come from the same IP address.

    The msg audit log looks like this:

    172.x.x.x (Logical IP =  20.x.x.x)

    And because of this the SMG can't look for the original email source IP and block using the IP reputation feature.

    Do you think this is an issue and we need to change this deployment setting?

    Also would there be any other setting on the SMG so that it can check the email headers for the IP addresses without us having to do any major change on the infrastructure side?



  • 4.  RE: Stopping targeted SPAM emails

    Posted Jun 13, 2016 12:48 AM

    Hi,

    You should definitely think about the deployment.

    It's a major option in any mail security solution to validate the connection IP, existing rDNS, HELO FQDN, registered envelope From domain, etc.

    E.g. we block 80-99% of all incoming connections; to give you an idea, for one day that's only 100k connections accepted out of 700k.

    The less you accept, the less you have to analyze in depth.

    - Also would there be any other setting on the SMG so that it can check the email headers for the IP addresses without us having to do any major change on the infrastructure side?

    You could use content rules to check some header info, BUT

    1. you have already accepted the mail; it's stored on your side

    2. standard features like global bad senders, connection classification, etc. can't be used out of the box

    Regards

    Thomas



  • 5.  RE: Stopping targeted SPAM emails

    Posted Jun 13, 2016 07:52 AM

    WOW,

    That's big.

    The SMG admin guide really doesn't contain much about deployment, or maybe I haven't found it yet.

    Could you share some reading resources or links on the email "connection IP"? I can't seem to find much when I Google for that term exactly.

    Also, you wrote "standard features like global bad senders, connection classification, etc. can't be used out of the box"; did you mean "can" here?

    And if I do create content filtering rules, can I create a policy which can scan the email header for the incoming IP and block it based on its reputation?



  • 6.  RE: Stopping targeted SPAM emails

    Posted Jun 13, 2016 09:52 AM

    Hi,

    Documentation hints:

    - "Where to position your Scanners", page 13 - https://support.symantec.com/en_US/article.DOC9108.html

    - "Enabling reputation filtering", page 145 - https://support.symantec.com/en_US/article.DOC9109.html

    - and "About blocking and allowing messages at connection time", page 148 of the same admin doc

    After reading these few pages you should know more about connection classification, rejects, global bad senders, etc.

    All these come out of the box with SMG, but to be usable the connection from the internet must terminate at SMG.

    After accepting the mail through any other solution or mail hop, all these features can't be used.

    E.g. via content rules you can't look up the global bad senders.

    Content rules apply later, in parallel to anti-malware. By that time the sender has already got rid of his mail and you have to deal with it; no rejection anymore.

    But i would say there are a lot of solution providers out there which can help you to fit your company needs.

    Thomas
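
The connection-time checks Thomas lists in posts 4 and 6 (connection IP against a bad-senders list, rDNS, HELO FQDN, a resolvable envelope-from domain), as an added example that is not code from the thread or from SMG. DNS answers come from a constructed in-memory table so it runs offline; the hosts, IPs, the bad-senders entry and the relay address 172.16.0.5 are all assumptions. The last scenario is the OP's deployment: when the connection the gateway sees is the internal relay, every check is run against the relay and passes, so nothing about the real sender can be rejected at connection time.

```python
import ipaddress

# All DNS data below is constructed for this example so it runs offline;
# none of these hosts, IPs or domains are from the thread.
FAKE_PTR = {"198.51.100.23": "mx.bulk-sender.example",
            "203.0.113.9": "mail.partner.example",
            "172.16.0.5": "relay.internal.example"}
FAKE_A = {"mx.bulk-sender.example": "198.51.100.77",  # forward does not confirm reverse
          "mail.partner.example": "203.0.113.9",
          "relay.internal.example": "172.16.0.5"}
FAKE_MX = {"partner.example": ["mail.partner.example"],
           "bulk-sender.example": ["mx.bulk-sender.example"]}
# Assumed local list standing in for a "global bad senders" reputation feed.
BAD_SENDERS = {"192.0.2.77"}


class FakeResolver:
    """Dictionary-backed stand-in for PTR/A/MX lookups."""

    def ptr(self, ip):
        return FAKE_PTR.get(ip)

    def a(self, name):
        return FAKE_A.get(name)

    def mx(self, domain):
        return FAKE_MX.get(domain, [])


def looks_like_fqdn(name):
    """HELO must be a dotted hostname, not a bare label or an IP literal."""
    if not name or " " in name or "." not in name.strip("."):
        return False
    try:
        ipaddress.ip_address(name.strip("[]"))
        return False          # address literal, not a name
    except ValueError:
        return True


def connection_checks(conn_ip, helo, mail_from, resolver=FakeResolver()):
    """Checks a gateway can run before accepting DATA. Returns (verdict, reasons)."""
    reasons = []
    if conn_ip in BAD_SENDERS:
        reasons.append("connection IP on bad-senders list")
    ptr = resolver.ptr(conn_ip)
    if ptr is None:
        reasons.append("no rDNS for connection IP")
    elif resolver.a(ptr) != conn_ip:
        reasons.append("rDNS not forward-confirmed")
    if not looks_like_fqdn(helo):
        reasons.append("HELO is not an FQDN")
    elif resolver.a(helo) != conn_ip:
        reasons.append("HELO name does not resolve to connection IP")
    addr = mail_from.strip("<> ")
    # Null sender (<>) is legitimate for bounces, so it skips the domain check.
    # "Registered" is approximated as: the domain has an MX or an A record.
    if addr:
        domain = addr.rpartition("@")[2].lower()
        if not domain or (not resolver.mx(domain) and resolver.a(domain) is None):
            reasons.append("envelope-from domain has no MX/A record")
    return ("reject" if reasons else "accept"), reasons


if __name__ == "__main__":
    scenarios = [
        # what the gateway would see if the internet connection terminated on it
        ("198.51.100.23", "mx.bulk-sender.example", "<bounce-8812@bulk-sender.example>"),
        ("192.0.2.77", "localhost", "<x@nowhere.invalid>"),
        ("203.0.113.9", "mail.partner.example", "<alice@partner.example>"),
        # what it actually sees behind the internal relay: the relay itself
        ("172.16.0.5", "relay.internal.example", "<bounce-8812@bulk-sender.example>"),
    ]
    for conn_ip, helo, mail_from in scenarios:
        print(conn_ip, helo, connection_checks(conn_ip, helo, mail_from))
```

The spam source is rejected twice over when the gateway talks to it directly (reverse DNS not forward-confirmed, HELO not resolving to the connecting address), yet the same message is accepted when it arrives via the relay, because 172.16.0.5 has clean rDNS and a matching HELO. That is the deployment problem in the thread: the checks are only as good as the connection they are run on.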



  • 7.  RE: Stopping targeted SPAM emails

    Posted Jun 15, 2016 06:17 AM

    Thanks for the links.

    I am not sure how feasible it is for us to change our current deployment.

    From the info I have provided above, can you tell me if this would be a config/setting change, something like a NAT rule, or would this be a physical cabling change? (I'm a noob at email tech, hence the noob questions.)

    If you could share any other good links (as in general blogs, and not just Symantec help etc.) to read up on all this, I'd be glad to follow those too.

    Also would you be aware of this keyboard shortcut thing in SMG which puts you in some settings page in the administration tab?



  • 8.  RE: Stopping targeted SPAM emails

    Posted Jun 15, 2016 06:40 AM

    Hi,

    Could be either way, physical and/or logical, but I would recommend a security analysis and a look at the possible threats. What about IDS, IPS, ... network segmentation like a DMZ ...

    Links: I don't have any right away; any mail security solution provider should have their own way. Take a look at Gartner's study https://www.google.at/search?q=gartner+secure+email+gateway+2015

    Most competitors, as Symantec does, can provide you with schemes on how their product should / could be implemented.

    But, in any case, this know-how can be easily acquired from security consulting specialists ;-)

    Thomas