Anti-Spam
The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The Zyxel Device can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
Use the General screens (see Anti-Spam Profile) to turn anti-spam on or off and manage anti-spam policies.
Use the Mail Scan screen (see The Mail Scan Screen) to enable and configure the mail scan functions.
Use the Black/White List screens (see The Anti-Spam Black List Screen) to set up a black list to identify spam and a white list to identify legitimate e-mail.
Use the DNSBL screens (see The DNSBL Screen) to have the Zyxel Device check e-mail against DNS Black Lists.
White List
Configure white list entries to identify legitimate e-mail. The white list entries have the Zyxel Device classify any e-mail that is from a specified sender or uses a specified header field and header value as being legitimate (see E-mail Headers for more on mail headers). The anti-spam feature checks an e-mail against the white list entries before doing any other anti-spam checking. If the e-mail matches a white list entry, the Zyxel Device classifies the e-mail as legitimate and does not perform any more anti-spam checking on that individual e-mail. A properly configured white list helps keep important e-mail from being incorrectly classified as spam. The white list can also increase the Zyxel Device’s anti-spam speed and efficiency by not having the Zyxel Device perform the full anti-spam checking process on legitimate e-mail.
Black List
Configure black list entries to identify spam. The black list entries have the Zyxel Device classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the Zyxel Device checks it against the black list entries. The Zyxel Device classifies an e-mail that matches a black list entry as spam and immediately takes the configured action for dealing with spam. If an e-mail matches a blacklist entry, the Zyxel Device does not perform any more anti-spam checking on that individual e-mail. A properly configured black list helps catch spam e-mail and increases the Zyxel Device’s anti-spam speed and efficiency.
SMTP and POP3
Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the sending of e-mail messages between servers. E-mail clients (also called e-mail applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve e-mail. E-mail clients also generally use SMTP to send messages to a mail server. The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it. This is why many e-mail applications require you to specify both the SMTP server and the POP or IMAP server (even though they may actually be the same server).
The Zyxel Device’s anti-spam feature checks SMTP (TCP port 25) and POP3 (TCP port 110) e-mails by default. You can also specify custom SMTP and POP3 ports for the Zyxel Device to check.
E-mail Headers
Every email has a header and a body. The header is structured into fields and includes the addresses of the recipient and sender, the subject, and other information about the e-mail and its journey. The body is the actual message text and any attachments. You can have the Zyxel Device check for specific header fields with specific values.
E-mail programs usually only show you the To:, From:, Subject:, and Date: header fields but there are others such as Received: and Content-Type:. To see all of an e-mail’s header, you can select an e-mail in your e-mail program and look at its properties or details. For example, in Microsoft’s Outlook Express, select a mail and click File > Properties > Details. This displays the e-mail’s header. Click Message Source to see the source for the entire mail including both the header and the body.
E-mail Header Buffer Size
The Zyxel Device has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer than 5 K, the Zyxel Device only checks up to the first 5 K.
DNSBL
A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam. A DNSBL is also known as a DNS spam blocking list. The Zyxel Device can check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL.
Before You Begin
Before using the Anti-Spam features (IP Reputation, Mail Content Analysis and Virus Outbreak Detection), you must activate your Anti-Spam Service license.
Configure your zones before you configure anti-spam.
Anti-Spam Profile
Use this screen to turn the anti-spam feature on or off and manage anti-spam policies. You can also select the action the Zyxel Device takes when the mail sessions threshold is reached.
Configuration > UTM Profile > Anti-Spam > Profile
Label
Description
General Settings
Action taken when mail sessions threshold is reached
An e-mail session is when an e-mail client and e-mail server (or two e-mail servers) connect through the Zyxel Device. Select how to handle concurrent e-mail sessions that exceed the maximum number of concurrent e-mail sessions that the anti-spam feature can handle. See the chapter of product specifications for the threshold.
Select Forward Session to have the Zyxel Device allow the excess e-mail sessions without any spam filtering.
Select Drop Session to have the Zyxel Device drop mail connections to stop the excess e-mail sessions. The e-mail client or server will have to re-attempt to send or receive e-mail later when the number of e-mail sessions is under the threshold.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update the information in this screen.
Priority
This is the index number of the anti-spam rule. Anti-spam rules are applied in turn.
Name
The name identifies the anti-spam rule.
Description
This is some optional extra information on the rule.
Scan Options
This shows which types (protocols) of traffic to scan for spam.
Reference
This shows how many objects are referenced in the rule.
Service
Service Status
This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service.
If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license.
Then, click Activate to connect with the myZyxel server to activate the new license.
Service Type
This read-only field displays what kind of service registration you have for the anti-spam scanning.
None displays if you have not successfully registered and activated the service.
Standard displays if you have successfully registered the Zyxel Device and activated the service with your iCard’s PIN number.
Trial displays if you have successfully registered the Zyxel Device and activated the trial service subscription.
Expiration Date
This field displays the date your service license expires.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
The Anti-Spam Profile Add or Edit Screen
Use this screen to configure an anti-spam policy that controls scan options, and the action to take on spam traffic.
Configuration > UTM Profile > Anti-Spam > Profile > Add
Label
Description
General Settings
Name
Enter a descriptive name for this anti-spam rule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a description for the anti-spam rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
This field is optional.
Log
Select how the Zyxel Device is to log the event when the DNSBL times out or an e-mail matches the white list, black list, or DNSBL.
no: Do not create a log.
log: Create a log on the Zyxel Device.
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert.
Scan Options
Check White List
Select this check box to check e-mail against the white list. The Zyxel Device classifies e-mail that matches a white list entry as legitimate (not spam).
Check Black List
Select this check box to check e-mail against the black list. The Zyxel Device classifies e-mail that matches a black list entry as spam.
Check IP Reputation (SMTP Only)
Select this to use IP reputation to identify Spam or Unwanted Bulk Email by the sender’s IP address.
Check Mail Content
Select this to identify Spam Email by content, such as malicious content.
Check Virus Outbreak
Select this to scan emails for attached viruses.
Check DNSBL
Select this check box to check e-mail against the Zyxel Device’s configured DNSBL domains. The Zyxel Device classifies e-mail that matches a DNS black list as spam.
Actions for Spam Mail
Use this section to set how the Zyxel Device is to handle spam mail.
SMTP
Select how the Zyxel Device is to handle spam SMTP mail.
Select drop to discard spam SMTP mail.
Select forward to allow spam SMTP mail to go through.
Select forward with tag to add a spam tag to an SMTP spam mail’s mail subject and send it on to the destination.
POP3
Select how the Zyxel Device is to handle spam POP3 mail.
Select forward to allow spam POP3 mail to go through.
Select forward with tag to add a spam tag to a POP3 spam mail’s mail subject and send it on to the destination.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
The Mail Scan Screen
Use this screen to enable and configure the Mail Scan functions. You must first enable the Mail Scan functions on this screen before selecting them in the Configuration > UTM Profile > Anti-Spam > Profile > Add/Edit screen.
Configuration > UTM Profile > Anti-Spam > Mail Scan
Label
Description
Sender Reputation
Enable Sender Reputation Checking (SMTP only)
Select this to have the Zyxel Device scan for spam e-mail by IP Reputation. Spam or Unwanted Bulk Email is determined by the sender’s IP address.
Mail Content Analysis
Enable Mail Content Analysis
Select this to identify Spam Email by content, such as malicious content.
Mail Content Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of e-mails that are determined to be spam based on the mail content analysis.
This tag is only added if the anti-spam policy is configured to forward spam mail with a spam tag.
Mail Content X-Header
Specify the name and value for the X-Header to be added when an email is determined to be spam by mail content.
Virus Outbreak Detection
Enable Virus Outbreak Detection
This scans emails for attached viruses.
Virus Outbreak Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of e-mails that are determined to have an attached virus.
This tag is only added if the anti-spam policy is configured to forward spam mail with a spam tag.
Virus Outbreak X-Header
Specify the name and value for the X-Header to be added when an email is determined to have an attached virus.
Query Timeout Settings
SMTP
Select how the Zyxel Device is to handle SMTP mail query timeout.
Select drop to discard SMTP mail.
Select forward to allow SMTP mail to go through.
Select forward with tag to add a tag to an SMTP query timeout mail’s mail subject and send it on to the destination.
POP3
Select how the Zyxel Device is to handle POP3 mail query timeout.
Select forward to allow POP3 mail to go through.
Select forward with tag to add a tag to a POP3 query timeout mail’s mail subject and send it on to the destination.
Timeout Value
Set how long the Zyxel Device waits for a reply from the mail scan server. If there is no reply before this time period expires, the Zyxel Device takes the action defined in the relevant Actions when Query Timeout field.
Timeout Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that the Zyxel Device forwards if queries to the mail scan servers time out.
Timeout X-Header
Specify the name and value for the X-Header to be added when queries to the mail scan servers time out.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
The Anti-Spam Black List Screen
Configure the black list to identify spam e-mail. You can create black list entries based on the sender’s or relay server’s IP address or e-mail address. You can also create entries that check for particular e-mail header fields with specific values or specific subject text. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > UTM Profile > Anti-Spam > Black/White List > Black List 
Label
Description
General Settings
Enable Black List Checking
Select this check box to have the Zyxel Device treat e-mail that matches (an active) black list entry as spam.
Black List Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that match the Zyxel Device’s spam black list.
Black List X-Header
Specify the name and value for the X-Header to be added to e-mails that match the Zyxel Device’s spam black list.
Rule Summary
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
Type
This field displays whether the entry is based on the e-mail’s subject, source or relay IP address, source e-mail address, or header.
Content
This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
The Anti-Spam Black or White List Add/Edit Screen
Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address. You can also create entries that check for particular header fields and values.
Configuration > UTM Profile > Anti-Spam > Black/White List > Black/White List > Add 
Label
Description
Enable Rule
Select this to have the Zyxel Device use this entry as part of the black or white list.
To actually use the entry, you must also turn on the use of the list in the corresponding list screen, enable the anti-spam feature in the anti-spam general screen, and configure an anti-spam policy to use the list.
Type
Use this field to base the entry on the e-mail’s subject, source or relay IP address, source e-mail address, or header.
Select Subject to have the Zyxel Device check e-mail for specific content in the subject line.
Select IP Address to have the Zyxel Device check e-mail for a specific source or relay IP address.
Select IPv6 Address to have the Zyxel Device check e-mail for a specific source or relay IPv6 address.
Select E-Mail Address to have the Zyxel Device check e-mail for a specific source e-mail address or domain name.
Select Mail Header to have the Zyxel Device check e-mail for specific header fields and values. Configure black list header entries to check for e-mail from bulk mail programs or with content commonly used in spam. Configure white list header entries to allow certain header values that identify the e-mail as being from a trusted source.
Mail Subject Keyword
This field displays when you select the Subject type. Enter up to 63 ASCII characters of text to check for in e-mail headers. Spaces are not allowed, although you could substitute a question mark (?). See Regular Expressions in Black or White List Entries for more details.
Sender or Mail Relay IP Address
This field displays when you select the IP Address type. Enter an IP address in dotted decimal notation.
Sender or Mail Relay IPv6 Address
This field displays when you select the IPv6 Address type. Enter an IPv6 address with prefix.
Netmask
This field displays when you select the IP Address type. Enter the subnet mask here, if applicable.
Sender E-Mail Address
This field displays when you select the E-Mail Address type. Enter a keyword (up to 63 ASCII characters). See Regular Expressions in Black or White List Entries for more details.
Mail Header Field Name
This field displays when you select the Mail Header type.
Type the name part of an e-mail header (the part that comes before the colon). Use up to 63 ASCII characters.
For example, if you want the entry to check the “Received:” header for a specific mail server’s domain, enter “Received” here.
Field Value Keyword
This field displays when you select the Mail Header type.
Type the value part of an e-mail header (the part that comes after the colon). Use up to 63 ASCII characters.
For example, if you want the entry to check the “Received:” header for a specific mail server’s domain, enter the mail server’s domain here.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
Regular Expressions in Black or White List Entries
The following applies for a black or white list entry based on an e-mail subject, e-mail address, or e-mail header value.
Use a question mark (?) to let a single character vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on.
You can also use a wildcard (*). For example, if you configure *def.com, any e-mail address that ends in def.com matches. So “mail.def.com” matches.
The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two wildcards side by side; there must be other characters between them.
The Zyxel Device checks the first header with the name you specified in the entry. So if the e-mail has more than one “Received” header, the Zyxel Device checks the first one.
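The following Python script is an added illustration of the matching rules described above, together with the white-list-before-black-list order from the Anti-Spam overview and the 5 K header buffer from E-mail Header Buffer Size; it is not Zyxel code and does not reflect how the device itself is implemented. The entry format (dicts with a type of subject, email, ip or header), the whole-value, case-insensitive comparison, and the 5 K = 5 × 1024 bytes reading are assumptions made for the example; the sample message is constructed from documentation addresses.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Page fact: only the first 5 K of a header is inspected.
# Assumption: 5 K is taken as 5 * 1024 bytes.
HEADER_BUFFER = 5 * 1024
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def keyword_to_regex(keyword):
    """Turn a list keyword into a compiled regex: '?' stands for exactly one
    character, '*' for any run of characters, anything else is literal.
    Two wildcards side by side are rejected, as the page says."""
    if "**" in keyword:
        raise ValueError("two wildcards side by side are not allowed")
    pattern = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                      for c in keyword)
    # Assumptions: the whole value must match (so '*def.com' means
    # "ends in def.com") and the comparison is case-insensitive.
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def entry_matches(msg, entry):
    """entry['type'] is 'subject', 'email', 'ip' or 'header', mirroring the
    Type field of the Add/Edit screen. Returns True when the mail matches."""
    kind = entry["type"]
    if kind == "subject":
        return keyword_to_regex(entry["keyword"]).fullmatch(msg.get("Subject", "")) is not None
    if kind == "email":
        sender = parseaddr(msg.get("From", ""))[1]
        return keyword_to_regex(entry["keyword"]).fullmatch(sender) is not None
    if kind == "header":
        # msg.get returns the FIRST header with that name, which is the page's rule
        value = msg.get(entry["name"])
        return value is not None and keyword_to_regex(entry["keyword"]).fullmatch(value) is not None
    if kind == "ip":
        # Sender or relay address: any IPv4 address seen in a Received: header
        net = ipaddress.ip_network(entry["network"], strict=False)
        return any(ipaddress.ip_address(ip) in net
                   for hop in msg.get_all("Received", []) for ip in IPV4_RE.findall(hop))
    raise ValueError(f"unknown entry type {kind!r}")


def classify(raw_message, white_list, black_list):
    """White list first, then black list. 'unchecked' means neither list
    matched and the mail would continue to the remaining anti-spam checks."""
    header_text, _, body = raw_message.partition("\n\n")
    # Anything past the header buffer is never seen by the list checks
    header_text = header_text.encode()[:HEADER_BUFFER].decode(errors="ignore")
    msg = message_from_string(header_text + "\n\n" + body)
    for entry in white_list:
        if entry.get("enabled", True) and entry_matches(msg, entry):
            return "legitimate"
    for entry in black_list:
        if entry.get("enabled", True) and entry_matches(msg, entry):
            return "spam"
    return "unchecked"


# Constructed sample message (documentation addresses and domains, not real mail).
SAMPLE_MAIL = """\
Received: from relay.example.net ([203.0.113.7]) by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000
Received: from sender.example.org ([198.51.100.25]) by relay.example.net; Mon, 1 Jan 2024 09:59:00 +0000
From: "Promo" <promo@bulk.def.com>
To: user@example.com
Subject: Cheap watches now
X-Mailer: BulkMailer 3.0

Buy now.
"""

if __name__ == "__main__":
    black = [{"type": "email", "keyword": "*def.com"},
             {"type": "ip", "network": "198.51.100.0/24"}]
    white = [{"type": "header", "name": "X-Mailer", "keyword": "BulkMailer*", "enabled": False}]
    print(classify(SAMPLE_MAIL, white, black))  # spam: the white entry is inactive
```

Note how an inactive white list entry is skipped entirely, so the black list email entry decides, and how a header longer than the buffer can hide a From: line from the email-address check: if the sender's address falls past the first 5 K, the entry simply does not match.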
The Anti-Spam White List Screen
Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender’s or relay’s IP address or e-mail address. You can also create entries that check for particular header fields and values or specific subject text.
Configuration > UTM Profile > Anti-Spam > Black/White List > White List 
Label
Description
General Settings
Enable White List Checking
Select this check box to have the Zyxel Device forward e-mail that matches (an active) white list entry without doing any more anti-spam checking on that individual e-mail.
White List X-Header
Specify the name and value for the X-Header to be added to e-mails that match the Zyxel Device’s spam white list.
Rule Summary
Add
Click this to create a new entry. See The Anti-Spam Black or White List Add/Edit Screen for details.
Edit
Select an entry and click this to be able to modify it. See The Anti-Spam Black or White List Add/Edit Screen for details.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
Type
This field displays whether the entry is based on the e-mail’s subject, source or relay IP address, source e-mail address, or a header.
Content
This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
The DNSBL Screen
Use this screen to configure the Zyxel Device to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).
Configuration > UTM Profile > Anti-Spam > DNSBL 
Label
Description
Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
Enable DNS Black List (DNSBL) Checking
Select this to have the Zyxel Device check the sender and relay IP addresses in e-mail headers against the DNSBL servers maintained by the DNSBL domains listed in the Zyxel Device.
DNSBL Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of e-mails that have a sender or relay IP address in the header that matches a black list maintained by one of the DNSBL domains listed in the Zyxel Device.
This tag is only added if the anti-spam policy is configured to forward spam mail with a spam tag.
DNSBL X-Header
Specify the name and value for the X-Header to be added to e-mails that have a sender or relay IP address in the header that matches a black list maintained by one of the DNSBL domains listed in the Zyxel Device.
Max. IPs Checking Per Mail
Set the maximum number of sender and relay server IP addresses in the mail header to check against the DNSBL domain servers.
IP Selection Per Mail
Select first N IPs to have the Zyxel Device start checking from the first IP address in the mail header. This is the IP of the sender or the first server that forwarded the mail.
Select last N IPs to have the Zyxel Device start checking from the last IP address in the mail header. This is the IP of the last server that forwarded the mail.
Query Timeout Setting
SMTP
Select how the Zyxel Device is to handle SMTP mail (mail going to an e-mail server) if the queries to the DNSBL domains time out.
Select drop to discard SMTP mail.
Select forward to allow SMTP mail to go through.
Select forward with tag to add a DNSBL timeout tag to the mail subject of an SMTP mail and send it.
POP3
Select how the Zyxel Device is to handle POP3 mail (mail coming to an e-mail client) if the queries to the DNSBL domains time out.
Select forward to allow POP3 mail to go through.
Select forward with tag to add a DNSBL timeout tag to the mail subject of a POP3 mail and send it.
Timeout Value
Set how long the Zyxel Device waits for a reply from the DNSBL domains listed below. If there is no reply before this time period expires, the Zyxel Device takes the action defined in the relevant Actions when Query Timeout field.
Timeout Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that the Zyxel Device forwards if queries to the DNSBL domains time out.
Timeout X-Header
Specify the name and value for the X-Header to be added to e-mails that the Zyxel Device forwards if queries to the DNSBL domains time out.
DNSBL Domain List
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
DNSBL Domain
This is the name of a domain that maintains DNSBL servers. Enter the domain that is maintaining a DNSBL.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Anti-Spam Technical Reference
Here is more detailed anti-spam information.
DNSBL
The Zyxel Device checks only public sender and relay IP addresses; it does not check private IP addresses.
The Zyxel Device sends a separate query (DNS lookup) for each sender or relay IP address in the e-mail’s header to each of the Zyxel Device’s DNSBL domains at the same time.
The DNSBL servers send replies as to whether or not each IP address matches an entry in their list. Each IP address has a separate reply.
As long as the replies are indicating the IP addresses do not match entries on the DNSBL lists, the Zyxel Device waits until it receives at least one reply for each IP address.
If the Zyxel Device receives a DNSBL reply that one of the IP addresses is in the DNSBL list, the Zyxel Device immediately classifies the e-mail as spam and takes the anti-spam policy’s configured action for spam. The Zyxel Device does not wait for any more DNSBL replies.
If the Zyxel Device receives at least one non-spam reply for each of an e-mail’s routing IP addresses, the Zyxel Device immediately classifies the e-mail as legitimate and forwards it.
Any further DNSBL replies that come after the Zyxel Device classifies an e-mail as spam or legitimate have no effect.
The Zyxel Device records DNSBL responses for IP addresses in a cache for up to 72 hours. The Zyxel Device checks an e-mail’s sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache.
Here is an example of an e-mail classified as spam based on DNSBL replies.
1 The Zyxel Device receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address a.a.a.a. The Zyxel Device sends another separate query to each of its DNSBL domains for IP address b.b.b.b.
2 DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam).
3 DNSBL C replies that IP address b.b.b.b matches an entry in its list.
4 The Zyxel Device immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies.
Here is an example of an e-mail classified as legitimate based on DNSBL replies.
1 The Zyxel Device receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address c.c.c.c. The Zyxel Device sends another separate query to each of its DNSBL domains for IP address d.d.d.d.
2 DNSBL B replies that IP address d.d.d.d does not match any entries in its list (not spam).
3 DNSBL C replies that IP address c.c.c.c does not match any entries in its list (not spam).
4 Now that the Zyxel Device has received at least one non-spam reply for each of the e-mail’s routing IP addresses, the Zyxel Device immediately classifies the e-mail as legitimate and forwards it. The Zyxel Device does not wait for any more DNSBL replies.
If the Zyxel Device receives conflicting DNSBL replies for an e-mail routing IP address, the Zyxel Device classifies the e-mail as spam. Here is an example.
1 The Zyxel Device receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z. The Zyxel Device sends a separate query to each of its DNSBL domains for IP address a.b.c.d. The Zyxel Device sends another separate query to each of its DNSBL domains for IP address w.x.y.z.
2 DNSBL A replies that IP address a.b.c.d does not match any entries in its list (not spam).
3 While waiting for a DNSBL reply about IP address w.x.y.z, the Zyxel Device receives a reply from DNSBL B saying IP address a.b.c.d is in its list.
4 The Zyxel Device immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies.
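The following Python model is an added example, not Zyxel code, that reproduces the DNSBL decision rules of this technical reference (public addresses only, parallel queries per IP and domain, spam on the first positive reply, legitimate once every routing IP has at least one clean reply, later replies ignored, a 72-hour reply cache) together with the Max. IPs Checking Per Mail and IP Selection Per Mail settings from The DNSBL Screen. It then replays the three scenarios above with documentation addresses standing in for a.a.a.a, b.b.b.b and so on. Assumptions made here: "private" means the RFC 1918, loopback and link-local ranges (the page does not define it); a mail with nothing left to check passes the DNSBL stage; and the reversed-octet query name is the usual DNSBL convention rather than something the page states.

```python
import ipaddress
import time

# Page fact: DNSBL responses are cached for up to 72 hours.
CACHE_TTL = 72 * 3600
# Assumption: these ranges are what the page calls private addresses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def dnsbl_query_name(ip, domain):
    """Name looked up for ip in a DNSBL zone: the octets reversed under the
    list domain (standard DNSBL convention, assumed here)."""
    return ".".join(reversed(ip.split("."))) + "." + domain


class DnsblCheck:
    """One e-mail's DNSBL check. `cache` (ip -> (listed, stored_at)) is shared
    between e-mails; everything else is per message."""

    def __init__(self, domains, cache, max_ips=5, selection="first", now=time.time):
        self.domains = list(domains)
        self.cache = cache
        self.max_ips = max_ips        # "Max. IPs Checking Per Mail"
        self.selection = selection    # "first" or "last" N IPs of the header
        self.now = now                # injectable clock so expiry can be tested
        self.verdict = None
        self.pending = set()          # IPs still without a clean reply

    def start(self, header_ips):
        """header_ips: routing IPs from the header, sender first, last relay last.
        Returns (verdict or None, list of DNS names that still need querying)."""
        public = [ip for ip in header_ips if not is_private(ip)]
        if self.selection == "first":
            chosen = public[:self.max_ips]
        else:
            chosen = public[max(0, len(public) - self.max_ips):]
        self.pending = set(chosen)
        queries = []
        for ip in chosen:
            cached = self.cache.get(ip)
            if cached and self.now() - cached[1] <= CACHE_TTL:
                self._apply(ip, cached[0])        # cache hit: no query is sent
            else:
                queries += [dnsbl_query_name(ip, d) for d in self.domains]
        self._settle()
        return self.verdict, queries

    def reply(self, ip, listed):
        """Feed one DNSBL reply for ip. Returns the verdict once decided, else None."""
        if self.verdict is not None:
            return self.verdict                   # late replies have no effect
        self.cache[ip] = (listed, self.now())
        self._apply(ip, listed)
        self._settle()
        return self.verdict

    def _apply(self, ip, listed):
        if listed:                                # one positive reply decides, even if
            self.verdict = "spam"                 # an earlier reply for the same IP was clean
        else:
            self.pending.discard(ip)

    def _settle(self):
        # Assumption: with nothing left to check (including no public IPs at all) the mail passes
        if self.verdict is None and not self.pending:
            self.verdict = "legitimate"


def run_page_examples():
    """Replays the three scenarios of the technical reference plus a cache hit."""
    domains = ["dnsbl-a.example", "dnsbl-b.example", "dnsbl-c.example"]
    cache = {}
    m1 = DnsblCheck(domains, cache)               # example 1: spam
    m1.start(["203.0.113.10", "198.51.100.20"])   # a.a.a.a, b.b.b.b
    m1.reply("203.0.113.10", False)               # DNSBL A: a.a.a.a not listed
    r1 = m1.reply("198.51.100.20", True)          # DNSBL C: b.b.b.b listed
    m2 = DnsblCheck(domains, cache)               # example 2: legitimate
    m2.start(["203.0.113.30", "198.51.100.40"])   # c.c.c.c, d.d.d.d
    m2.reply("198.51.100.40", False)              # DNSBL B: d.d.d.d not listed
    r2 = m2.reply("203.0.113.30", False)          # DNSBL C: c.c.c.c not listed
    m3 = DnsblCheck(domains, cache)               # example 3: conflicting replies
    m3.start(["192.0.2.50", "192.0.2.60"])        # a.b.c.d, w.x.y.z
    m3.reply("192.0.2.50", False)                 # DNSBL A: a.b.c.d not listed
    r3 = m3.reply("192.0.2.50", True)             # DNSBL B: a.b.c.d listed
    m4 = DnsblCheck(domains, cache)               # b.b.b.b is cached as listed: no query
    r4, q4 = m4.start(["10.0.0.5", "198.51.100.20"])
    return r1, r2, r3, r4, q4


if __name__ == "__main__":
    print(run_page_examples())
```

The cache changes the failure mode worth knowing about: a listed verdict for a relay is reused for every later mail through that relay for up to 72 hours, so a shared outbound relay that gets listed once will have all its traffic classified as spam without a single new query until the entry ages out.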