JNCIS-SEC [ Antispam ]

Spam is, as everyone knows, unwanted e-mail. When the SRX detects a message deemed to be spam, it either blocks the message or tags it with a configured string. You can use a third-party spam block list (SBL) or create your own local lists (whitelist or blacklist).

A) Server Based Antispam Filtering

The firewall performs SBL lookups through the DNS protocol. The lookups are against the IP address of the sender or of the relaying server. Checks are done in the following order:

1) The local whitelist is checked. If there is a match, no further check is done.
2) If there is no whitelist match, the local blacklist is checked. If there is a match, no further check is done.
3) If there is no blacklist match either, the SBL server is queried.

Configuration

1) Creating a profile

[edit security]
root@host# set utm feature-profile anti-spam sbl profile sblprofile
[edit security]
root@host#
utm {
    feature-profile {
        anti-spam {
            sbl {
                profile sblprofile;
            }
        }
    }
}

2) Enable SBL server lookup

[edit security]
root@host# set utm feature-profile anti-spam sbl profile sblprofile sbl-default-server
utm {
    feature-profile {
        anti-spam {
            sbl {
                profile sblprofile {
                    sbl-default-server;
                }
            }
        }
    }
}
TIP: The SBL server is predefined on the device. If you are using only local lists, disable it with no-sbl-default-server.

3) Configure the action to be taken when spam is detected

utm {
    feature-profile {
        anti-spam {
            sbl {
                profile sblprofile {
                    sbl-default-server;
                    spam-action block;
                }
            }
        }
    }
}

4) Configure a custom string for identifying a message as spam

[edit security]
root@host# show | find utm
utm {
    feature-profile {
        anti-spam {
            sbl {
                profile sblprofile {
                    sbl-default-server;
                    spam-action block;
                    custom-tag-string ***SPAM***;
                }
            }
        }
    }
}

5) Configure a UTM policy for SMTP and link with sbl.

[edit security]
root@host# show | find utm
utm {
    feature-profile {
        anti-spam {
            sbl {
                profile sblprofile {
                    sbl-default-server;
                    spam-action block;
                    custom-tag-string ***SPAM***;
                }
            }
        }
    }
    utm-policy spampolicy {
        anti-spam {
            smtp-profile sblprofile;
        }
    }
}

6) Apply the UTM policy to the security policy that permits the SMTP traffic

[edit security policies from-zone trust to-zone untrust]
root@host# show
policy utm-smtp-policy {
    match {
        source-address any;
        destination-address any;
        application junos-smtp;
    }
    then {
        permit {
            application-services {
                utm-policy spampolicy;
            }
        }
    }
}

Verification Commands

root@host> show security utm anti-spam statistics
 UTM Anti Spam statistics:
Total connections:     0
Denied connections:    0
Total greetings:       0
Denied greetings:      0
Total e-mail scanned:  0
White list hit:        0
Black list hit:        0
Spam total:            0
Spam tagged:           0
Spam dropped:          0
DNS errors:            0
Timeout errors:        0
Return errors:         0
Invalid parameter errors: 0
Statistics start time: 05/03/2011 14:06:36
root@host> show security utm anti-spam status
SBL Whitelist Server:
SBL Blacklist Server:
    server.juniper.net
DNS Server:
    Primary  :    1.1.1.1, Src Interface: ge-0/0/0
    Secondary:    2.2.2.2, Src Interface: ge-0/0/1
    Ternary  :    8.8.8.8, Src Interface: fe-0/0/2

B) Local List Antispam filtering

[edit security]
root@host# show | find utm
utm {
    custom-objects {
     /* LOCAL SPAM LIST */
        url-pattern {
            blacklist {
                value [ 192.168.1.10 192.168.2.20 192.168.2.40 ];
            }
            whitelist {
                value [ 172.20.1.1 122.11.11.1 ];
            }
        }
    }
    feature-profile {
        anti-spam {
            address-whitelist whitelist;
            sbl {
                profile localprofile1 {
                    spam-action block;
                    custom-tag-string ***SPAM***;
                }
            }
        }
    }
    utm-policy spampolicy-local {
        anti-spam {
            smtp-profile localprofile1;
        }
    }
}

APPLYING THE SPAM POLICY TO THE SECURITY POLICY

[edit security policies from-zone trust to-zone untrust]
root@host# show
policy spam-local-policy {
    match {
        source-address any;
        destination-address any;
        application junos-smtp;
    }
    then {
        permit {
            application-services {
                utm-policy spampolicy-local;
            }
        }
    }
}

SPAM Message Handling

There are two actions the device can take when spam is detected: it can either block the message or tag it.

a) Blocking Detected Spam

1) At the connection level
When the SMTP sender is identified as a spam sender based on its IP address, the SMTP connection is rejected and dropped, and a 554 error message is sent on behalf of the SMTP server:
     554 Transaction failed due to anti spam setting

2) At the email level
When a particular email sender is identified as a spam sender based on its sender address, the email is rejected and an error message is sent back to the sender:
     550 Requested action not taken: mailbox unavailable

b) Tagging Detected Spam

The device can tag the message if its sender is detected as a spammer. Two kinds of tagging can occur:
     * Tagging the subject
     * Tagging the header
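The lookup order from section A (local whitelist, then local blacklist, then SBL) together with the block/tag handling described above, as an added Python illustration; this is not Juniper's code and not from the original post. The list contents, the sender-address list, the SBL zone name, the in-memory DNS stub, the X-Spam-Flag header name and the tag-subject/tag-header action names are constructed assumptions, and the DNSBL-style reversed-octet query is an assumption about how the SBL server is consulted.

```python
import ipaddress

# Constructed sample lists, mirroring the custom-objects values in the post.
WHITELIST = {"172.20.1.1", "122.11.11.1"}
BLACKLIST = {"192.168.1.10", "192.168.2.20", "192.168.2.40"}
# Constructed sender-address list, used for the email-level (550) check.
SENDER_BLACKLIST = {"spammer@example.invalid"}

# Placeholder zone and an in-memory stand-in for the SBL server's DNS
# answers, so the example runs offline. Assumption: the SBL is queried
# DNSBL-style, i.e. the sender IP with its octets reversed is looked up
# under the zone and any answer means "listed".
SBL_ZONE = "sbl.example.invalid"
FAKE_DNS = {"9.9.0.203." + SBL_ZONE: "127.0.0.2"}   # 203.0.9.9 is listed

CONN_REJECT = "554 Transaction failed due to anti spam setting"
MAIL_REJECT = "550 Requested action not taken: mailbox unavailable"


def sbl_listed(ip, resolve=FAKE_DNS.get):
    """Return True when the reversed IP resolves under the SBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # also validates the IP
    name = ".".join(reversed(octets)) + "." + SBL_ZONE
    return resolve(name) is not None


def classify_ip(ip):
    """Check order from the post: whitelist, then blacklist, then SBL.
    A whitelist or blacklist hit stops the evaluation right there."""
    if ip in WHITELIST:
        return "whitelist"
    if ip in BLACKLIST:
        return "blacklist"
    if sbl_listed(ip):
        return "sbl"
    return "clean"


def handle_message(ip, sender, subject, headers, action="block", tag="***SPAM***"):
    """Apply the spam-action to one SMTP transaction and return what the
    client and recipient would see. action is one of block, tag-subject,
    tag-header (the two tag spellings are assumptions)."""
    result = {"verdict": classify_ip(ip), "level": None, "reply": "250 OK",
              "subject": subject, "headers": dict(headers)}
    if result["verdict"] in ("blacklist", "sbl"):
        result["level"] = "connection"          # matched on the sender IP
    elif result["verdict"] == "clean" and sender in SENDER_BLACKLIST:
        result["verdict"] = "sender"
        result["level"] = "email"               # matched on the sender address
    if result["level"] is None:
        return result                           # whitelisted or clean: untouched
    if action == "block":
        result["reply"] = CONN_REJECT if result["level"] == "connection" else MAIL_REJECT
    elif action == "tag-subject":
        result["subject"] = f"{tag} {subject}"
    elif action == "tag-header":
        result["headers"]["X-Spam-Flag"] = "YES"  # header name is an assumption
    else:
        raise ValueError(f"unknown spam-action {action!r}")
    return result


if __name__ == "__main__":
    # Constructed transactions covering each branch of the check order.
    for ip, sender in [("172.20.1.1", "spammer@example.invalid"),
                       ("192.168.1.10", "user@example.invalid"),
                       ("203.0.9.9", "user@example.invalid"),
                       ("198.51.100.7", "spammer@example.invalid")]:
        for action in ("block", "tag-subject"):
            r = handle_message(ip, sender, "hello", {}, action=action)
            print(f"{ip:14} {action:12} verdict={r['verdict']:9} "
                  f"level={str(r['level']):10} reply={r['reply']!r} subject={r['subject']!r}")
```

Note that a whitelisted source IP is delivered even when the sender address is on the sender list, because the whitelist hit ends the evaluation; if you need address-based rejection to win, put the check before the IP whitelist rather than after it.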

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

