Email Security
Overview
The email security feature can mark or discard spam (unsolicited commercial or junk email). Use the white list to identify legitimate email. Use the black list to identify spam email. The Zyxel Device can also check email against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
What You Need to Know
White List
Configure white list entries to identify legitimate email. The white list entries have the Zyxel Device classify any email that is from a specified sender or uses a specified header field and header value as being legitimate (see Email Headers for more on mail headers). The email security feature checks an email against the white list entries before doing any other email security checking. If the email matches a white list entry, the Zyxel Device classifies the email as legitimate and does not perform any more email security checking on that individual email. A properly configured white list helps keep important email from being incorrectly classified as spam. The white list can also increase the Zyxel Device’s email security speed and efficiency by not having the Zyxel Device perform the full email security checking process on legitimate email. Because a white list match skips every later check (black list, DNSBL and content analysis), keep white list entries as specific as possible; a broad wildcard entry lets anything that matches it through unchecked.
Black List
Configure black list entries to identify spam. The black list entries have the Zyxel Device classify any email that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an email does not match any of the white list entries, the Zyxel Device checks it against the black list entries. The Zyxel Device classifies an email that matches a black list entry as spam and immediately takes the configured action for dealing with spam. If an email matches a blacklist entry, the Zyxel Device does not perform any more email security checking on that individual email. A properly configured black list helps catch spam email and increases the Zyxel Device’s email security speed and efficiency.
SMTP and POP3
Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the sending of email messages between servers. Email clients (also called email applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve email. Email clients also use SMTP to submit messages to a mail server; POP and IMAP only retrieve email and cannot send it. This is why many email applications require you to specify both the SMTP server and the POP or IMAP server (even though they may actually be the same server).
The Zyxel Device’s email security feature checks SMTP (TCP port 25) and POP3 (TCP port 110) emails by default. You can also specify custom SMTP and POP3 ports for the Zyxel Device to check. Note that the header checks need to see the mail session in the clear: a session protected by TLS (STARTTLS on the standard ports, or SMTPS and POP3S on their own ports) carries its headers encrypted and cannot be checked unless the traffic is decrypted first.
Email Headers
Every email has a header and a body. The header is structured into fields and includes the addresses of the recipient and sender, the subject, and other information about the email and its journey. The body is the actual message text and any attachments. You can have the Zyxel Device check for specific header fields with specific values.
Email programs usually only show you the To:, From:, Subject:, and Date: header fields but there are others such as Received: and Content-Type:. To see all of an email’s header, you can select an email in your email program and look at its properties or details. For example, in Microsoft’s Outlook Express, select a mail and click File > Properties > Details. This displays the email’s header. Click Message Source to see the source for the entire mail including both the header and the body.
Email Header Buffer Size
The Zyxel Device has a 5 K buffer for an individual email header. If an email’s header is longer than 5 K, the Zyxel Device only checks up to the first 5 K. Header fields that fall beyond that point, including any Received: lines or X-headers past the 5 K mark, are not seen by the white list, black list or DNSBL checks, so a very long header block can keep a late field from being evaluated.
DNSBL
A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam. A DNSBL is also known as a DNS spam blocking list. The Zyxel Device can check the routing addresses of email against DNSBLs and classify an email as spam if it was sent or forwarded by a computer with an IP address in the DNSBL.
Before You Begin
Before using the email security features (IP Reputation, Mail Content Analysis and Virus Outbreak Detection) you must activate your email security Service license.
Configure your zones before you configure email security.
The Email Security Screen
Use this screen to turn the email security feature on or off and manage email security policies. You can also select the action the Zyxel Device takes when the mail sessions threshold is reached.
Click the Email Security icon for more information on the Zyxel Device’s security features.
The following table describes the labels in this screen.
Configuration > Security Service > Email Security
Label
Description
General Settings
Enable
Select this check box to activate the settings in this section.
Check White List
Select this check box to check email against the white list. The Zyxel Device classifies email that matches a white list entry as legitimate (not spam).
Check Black List
Select this check box to check email against the black list. The Zyxel Device classifies email that matches a black list entry as spam.
Black List Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of emails that match the Zyxel Device’s spam black list.
Check Malicious Mail
Select this to have the Zyxel Device analyze the content of each email (Mail Content Analysis) and classify email with malicious content as spam.
Malicious Mail Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that are determined to be spam based on the mail content analysis.
This tag is only added if the email security policy is configured to forward spam mail with a spam tag.
Check DNSBL
Select this check box to check email against the Zyxel Device’s configured DNSBL domains. The Zyxel Device classifies email that matches a DNS black list as spam.
DNSBL Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that have a sender or relay IP address in the header that matches a black list maintained by one of the DNSBL domains listed in the Zyxel Device.
This tag is only added if the email security policy is configured to forward spam mail with a spam tag.
DNSBL Domain List
 
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
DNSBL Domain
This is the name of a domain that maintains DNSBL servers. Enter the domain name of the DNSBL zone that the Zyxel Device should query.
Actions for Spam Mail
Use this section to set how the Zyxel Device is to handle spam mail.
SMTP
Select how the Zyxel Device is to handle spam SMTP mail.
Select drop to discard spam SMTP mail.
Select forward to allow spam SMTP mail to go through.
Select forward with tag to add a spam tag to an SMTP spam mail’s mail subject and send it on to the destination.
POP3
Select how the Zyxel Device is to handle spam POP3 mail.
Select forward to allow spam POP3 mail to go through.
Select forward with tag to add a spam tag to a POP3 spam mail’s mail subject and send it on to the destination.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when the email security feature classifies an email as spam and takes the configured action.
Action taken when mail sessions threshold is reached
An email session is when an email client and email server (or two email servers) connect through the Zyxel Device. Select how to handle concurrent email sessions that exceed the maximum number of concurrent email sessions that the email security feature can handle. See the chapter of product specifications for the threshold.
Select Forward Session to have the Zyxel Device allow the excess email sessions without any spam filtering.
Select Drop Session to have the Zyxel Device drop mail connections to stop the excess email sessions. The email client or server will have to re-attempt to send or receive email later when the number of email sessions is under the threshold.
Query Timeout Settings
 
SMTP
Select how the Zyxel Device is to handle SMTP mail query timeout.
Select drop to discard SMTP mail.
Select forward to allow SMTP mail to go through.
Select forward with tag to add a tag to an SMTP query timeout mail’s mail subject and send it on to the destination.
POP3
Select how the Zyxel Device is to handle POP3 mail query timeout.
Select forward to allow POP3 mail to go through.
Select forward with tag to add a tag to a POP3 query timeout mail’s mail subject and send it on to the destination.
Timeout Value
Set how long the Zyxel Device waits for a reply from the mail scan server. If there is no reply before this time period expires, the Zyxel Device takes the action defined in the SMTP or POP3 field above under Query Timeout Settings. Choose the timeout action deliberately: forward lets unscanned mail through whenever the scan servers are slow or unreachable, while drop turns a scan-server outage into lost SMTP mail.
Timeout Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of emails that the Zyxel Device forwards if queries to the mail scan servers time out.
Timeout X-Header
Specify the name and value for the X-Header to be added when queries to the mail scan servers time out.
DNSBL Settings
 
Max. IPs Checking Per Mail
Set the maximum number of sender and relay server IP addresses in the mail header to check against the DNSBL domain servers.
IP Selection Per Mail
Select first N IPs to have the Zyxel Device start checking from the first IP address in the mail header. This is the IP of the sender or the first server that forwarded the mail.
Select last N IPs to have the Zyxel Device start checking from the last IP address in the mail header. This is the IP of the last server that forwarded the mail.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
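The following is an added example, not code from the Zyxel Device, showing how a DNSBL check of the kind described under DNSBL and DNSBL Settings is formed: the relay IP addresses are pulled from the Received: headers (only the first 5 K of the header is looked at), the Max. IPs Checking Per Mail and IP Selection Per Mail settings bound which addresses are checked, and each address is turned into the reversed-octet query name that DNSBL zones answer. The zone name dnsbl.example, the sample header and the resolver table are constructed placeholders; a real check would issue DNS A queries, and a query that gets no answer in time is what the Query Timeout Settings above apply to.

```python
"""Added example: DNSBL query construction and IP selection for a mail header.
Illustrative Python, not the Zyxel Device's own code. The zone, sample header
and fake resolver below are constructed."""
import ipaddress
import re
from email import message_from_string
from typing import Callable, List, Optional

# Matches an IPv4 literal inside a Received: header, e.g. "([203.0.113.9])".
_IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

HEADER_BUFFER = 5 * 1024  # the device only inspects the first 5 K of a header


def relay_ips(raw_header: str) -> List[str]:
    """Return the relay IPs in header order (index 0 = topmost Received: line).
    Only the first 5 K of the header is parsed, matching the device's buffer.
    Received: lines without a valid IPv4 literal are skipped."""
    msg = message_from_string(raw_header[:HEADER_BUFFER])
    ips = []
    for value in msg.get_all("Received") or []:
        m = _IPV4.search(value)
        if not m:
            continue
        try:
            ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        ips.append(m.group(1))
    return ips


def select_ips(ips: List[str], max_ips: int, selection: str) -> List[str]:
    """'first' takes the first N addresses in header order, 'last' the last N
    (the Max. IPs Checking Per Mail / IP Selection Per Mail settings)."""
    if selection == "first":
        return ips[:max_ips]
    if selection == "last":
        return ips[-max_ips:] if max_ips else []
    raise ValueError(f"unknown selection {selection}")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the octets and appending the zone, so
    203.0.113.9 under zone dnsbl.example becomes 9.113.0.203.dnsbl.example.
    A listed address answers with an A record (conventionally 127.0.0.x)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_check(ips: List[str], zones: List[str],
                resolve: Callable[[str], Optional[str]],
                max_ips: int = 3, selection: str = "last") -> Optional[str]:
    """Return a description of the first (ip, zone) hit, or None if no selected
    address is listed. `resolve(name)` stands in for a DNS A lookup and returns
    the answer address or None; handling a lookup that times out is left to the
    caller, which is where the Query Timeout action would apply."""
    for ip in select_ips(ips, max_ips, selection):
        for zone in zones:
            if resolve(dnsbl_query_name(ip, zone)) is not None:
                return f"{ip} listed in {zone}"
    return None


# Constructed data: a three-hop Received: chain and a fake DNSBL answer table.
SAMPLE_HEADER = """Received: from mx.example.net ([203.0.113.9]) by gw.example.com
Received: from relay.example.org (relay.example.org [198.51.100.7]) by mx.example.net
Received: from spammer-pc ([192.0.2.44]) by relay.example.org
Subject: hello
"""
FAKE_DNSBL = {"44.2.0.192.dnsbl.example": "127.0.0.2"}  # only 192.0.2.44 is listed


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS A query against the DNSBL zone (constructed)."""
    return FAKE_DNSBL.get(name)


if __name__ == "__main__":
    ips = relay_ips(SAMPLE_HEADER)
    print("relay IPs:", ips)
    print("last 1 :", dnsbl_check(ips, ["dnsbl.example"], fake_resolve, 1, "last"))
    print("first 1:", dnsbl_check(ips, ["dnsbl.example"], fake_resolve, 1, "first"))
```

With the constructed header, checking only the first address finds nothing, while checking only the last address (or all three) finds the listed 192.0.2.44. In standard SMTP each relay prepends its Received: line, so where the originating host sits in the header depends on how many hops the mail took; set Max. IPs Checking Per Mail high enough to reach the hop you care about, and remember that the 5 K buffer truncates a long header from the end.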
The Black List / White List Screen
Configure the black list to identify spam email and the white list to identify legitimate email. You can create entries based on the sender’s or relay server’s IP address or email address. You can also create entries that check for particular email header fields with specific values or specific subject text. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
The following table describes the labels in this screen.
Configuration > Security Service > Email Security > Black/White List 
Label
Description
Rule Summary
 
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
Type
This field displays whether the entry is based on the email’s subject, source or relay IP address, source email address, or header.
Content
This field displays the subject content, source or relay IP address, source email address, or header value for which the entry checks.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
The Black or White List Add/Edit Screen
Use this screen to configure an email security black list entry (to identify spam email) or white list entry (to identify legitimate email). You can create entries based on specific subject text, or the sender’s or relay’s IP address or email address. You can also create entries that check for particular header fields and values.
The following table describes the labels in this screen.
Configuration > Security Service > Email Security > Black/White List > Black/White List > Add 
Label
Description
Enable Rule
Select this to have the Zyxel Device use this entry as part of the black or white list.
To actually use the entry, you must also turn on the use of the list in the corresponding list screen, enable the email security feature in the email security general screen, and configure an email security policy to use the list.
Type
Use this field to base the entry on the email’s subject, source or relay IP address, source email address, or header.
Select Subject to have the Zyxel Device check email for specific content in the subject line.
Select IP Address to have the Zyxel Device check email for a specific source or relay IP address.
Select IPv6 Address to have the Zyxel Device check email for a specific source or relay IPv6 address.
Select E-Mail Address to have the Zyxel Device check email for a specific source email address or domain name.
Select Mail Header to have the Zyxel Device check email for specific header fields and values. Configure black list header entries to check for email from bulk mail programs or with content commonly used in spam. Configure white list header entries to allow certain header values that identify the email as being from a trusted source.
Mail Subject Keyword
This field displays when you select the Subject type. Enter up to 63 ASCII characters of text to check for in the email’s Subject: header. Spaces are not allowed, although you could substitute a question mark (?). See Regular Expressions in Black or White List Entries for more details.
Sender or Mail Relay IP Address
This field displays when you select the IP Address type. Enter an IP address in dotted decimal notation.
Sender or Mail Relay IPv6 Address
This field displays when you select the IPv6 Address type. Enter an IPv6 address with prefix.
Netmask
This field displays when you select the IP Address type. Enter the subnet mask here, if applicable, to have the entry match a whole range of sender or relay addresses.
Sender E-Mail Address
This field displays when you select the E-Mail Address type. Enter a keyword (up to 63 ASCII characters). See Regular Expressions in Black or White List Entries for more details.
Mail Header Field Name
This field displays when you select the Mail Header type.
Type the name part of an email header (the part that comes before the colon). Use up to 63 ASCII characters.
For example, if you want the entry to check the “Received:” header for a specific mail server’s domain, enter “Received” here.
Field Value Keyword
This field displays when you select the Mail Header type.
Type the value part of an email header (the part that comes after the colon). Use up to 63 ASCII characters.
For example, if you want the entry to check the “Received:” header for a specific mail server’s domain, enter the mail server’s domain here.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
Regular Expressions in Black or White List Entries
The following applies for a black or white list entry based on an email subject, email address, or email header value.
Use a question mark (?) to let a single character vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on.
You can also use a wildcard (*). For example, if you configure *def.com, any email address that ends in def.com matches. So “mail.def.com” matches.
The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two wildcards side by side; there must be other characters between them.
The Zyxel Device checks the first header with the name you specified in the entry. So if the email has more than one “Received” header, the Zyxel Device checks the first one.
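The following is an added example, not code from the Zyxel Device, that implements the black and white list behaviour described on this page: the “?” and “*” wildcard syntax is translated into a regular expression (with two adjacent wildcards rejected), white list entries are checked before black list entries and a white list match ends processing, and a Mail Header entry examines only the first header with the given name. The sample message and rules are constructed. Two details are assumptions about the device, not stated on the page: matching is case-insensitive, a Subject keyword or header value keyword matches anywhere in the field, and an E-Mail Address pattern must cover the whole address (so “*def.com” matches mail.def.com but not def.com.example).

```python
"""Added example: white/black list matching in the order this page describes.
Illustrative Python, not the Zyxel Device's own code. Case-insensitive matching
and the substring-versus-whole-address choice below are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional, Tuple


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the list-entry syntax: '?' = any single character, '*' = any run
    of characters. Two '*' side by side are rejected, as the page says."""
    if "**" in pattern:
        raise ValueError("two wildcards side by side are not allowed")
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE)  # case-insensitive: assumed


@dataclass
class Rule:
    list_name: str      # "white" or "black"
    kind: str           # "subject", "email", "header" or "ip"
    content: str        # keyword, address pattern, header value keyword, or CIDR
    header_name: str = ""  # only used for kind == "header"


def _matches(rule: Rule, msg: Message, relay_ip: str) -> bool:
    if rule.kind == "ip":
        # Netmask support: content is a CIDR; a bare address is treated as /32.
        return ipaddress.ip_address(relay_ip) in ipaddress.ip_network(rule.content, strict=False)
    if rule.kind == "subject":
        # Assumed: a subject keyword may match anywhere in the Subject: line.
        return glob_to_regex(rule.content).search(msg.get("Subject", "")) is not None
    if rule.kind == "email":
        # Assumed: an address pattern must cover the whole From: address.
        addr = parseaddr(msg.get("From", ""))[1]
        return glob_to_regex(rule.content).fullmatch(addr) is not None
    if rule.kind == "header":
        # Only the FIRST header with the given name is examined (see above).
        values = msg.get_all(rule.header_name) or []
        return bool(values) and glob_to_regex(rule.content).search(values[0]) is not None
    raise ValueError(f"unknown rule kind {rule.kind}")


def classify(raw: str, relay_ip: str, rules: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """White list entries are checked before anything else; a white hit ends
    processing as 'legitimate'. Black list entries are checked next; a black
    hit ends processing as 'spam'. Otherwise the mail goes on to later checks."""
    msg = message_from_string(raw)
    for list_name, verdict in (("white", "legitimate"), ("black", "spam")):
        for rule in rules:
            if rule.list_name == list_name and _matches(rule, msg, relay_ip):
                return verdict, rule
    return "unchecked", None


# Constructed sample message and rules (not captured from a real device).
SAMPLE = """Received: from mx.example.net ([203.0.113.9]) by gw.example.com
Received: from bulk.mailer.test ([198.51.100.7]) by mx.example.net
From: Promotions <offers@mail.def.com>
Subject: FREE MONEY inside
X-Mailer: BulkSender 9
"""
RULES = [
    Rule("white", "header", "partner-*", header_name="X-Mailer"),
    Rule("black", "subject", "free?money"),      # '?' stands in for the space
    Rule("black", "email", "*def.com"),
    Rule("black", "ip", "198.51.100.0/24"),
]

if __name__ == "__main__":
    print(classify(SAMPLE, "203.0.113.9", RULES))
    # A white list hit wins even when the relay IP is on the black list:
    print(classify(SAMPLE.replace("BulkSender 9", "partner-news"), "198.51.100.7", RULES))
```

The second call in the usage block shows the ordering point: once the X-Mailer value matches the white list entry, the black listed relay address is never consulted. That is also why a white list entry with a loose wildcard is risky.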
Email Security Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style advance
Router(config)# show secure-policy-style status
secure-policy-style: advance
After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will see the new profile screen for this feature.
The following table describes the labels in this screen.
Label
Description
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
Select an entry and click Remove to delete the selected entry.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Name
This displays the name of the profile created.
Description
This displays the description of the profile.
Scan Options
This displays which lists are checked for email security: White List (WL), Black List (BL), Malicious Mail, DNSBL.
Add or Edit Email Security Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry’s settings.
The following table describes the labels in this screen.
Configuration > Security Service > Email Security 
Label
Description
General Settings
Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) by default when this profile classifies an email as spam and takes the configured action.
Scan Options
 
Check White List
Select this check box to check email against the white list. The Zyxel Device classifies email that matches a white list entry as legitimate (not spam).
Check Black List
Select this check box to check email against the black list. The Zyxel Device classifies email that matches a black list entry as spam.
Check Malicious Mail
Select this to have the Zyxel Device analyze the content of each email (Mail Content Analysis) and classify email with malicious content as spam.
Check DNSBL
Select this check box to check email against the Zyxel Device’s configured DNSBL domains. The Zyxel Device classifies email that matches a DNS black list as spam.
Actions for Spam Mail
Use this section to set how the Zyxel Device is to handle spam mail.
SMTP
Select how the Zyxel Device is to handle spam SMTP mail.
Select drop to discard spam SMTP mail.
Select forward to allow spam SMTP mail to go through.
Select forward with tag to add a spam tag to an SMTP spam mail’s mail subject and send it on to the destination.
POP3
Select how the Zyxel Device is to handle spam POP3 mail.
Select forward to allow spam POP3 mail to go through.
Select forward with tag to add a spam tag to a POP3 spam mail’s mail subject and send it on to the destination.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.
The Email Security Advance Screen
The Configuration > Security Service > Email Security screen changes when using profiles.
The following table describes the labels in this screen.
Configuration > Security Service > Email Security Advance  
Label
Description
General Settings
Enable
Select this check box to activate the settings in this section.
Inspect all traffic, setting:
Select this to have all traffic inspected by the default_profile. You cannot rename or delete the default_profile profile, but you can edit it by clicking the link here.
Inspect by policy
If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Security Policy > Policy Control.
Enable Malicious Mail
Select this to have the Zyxel Device analyze the content of each email (Mail Content Analysis) and classify email with malicious content as spam.
Malicious Mail Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that are determined to be spam based on the mail content analysis.
This tag is only added if the email security policy is configured to forward spam mail with a spam tag.
Enable DNSBL
Select this check box to check email against the Zyxel Device’s configured DNSBL domains. The Zyxel Device classifies email that matches a DNS black list as spam.
DNSBL Spam Tag
Enter a message or label (up to 15 ASCII characters) to add to the beginning of the mail subject of emails that have a sender or relay IP address in the header that matches a black list maintained by one of the DNSBL domains listed in the Zyxel Device.
This tag is only added if the email security policy is configured to forward spam mail with a spam tag.
DNSBL Domain List
 
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#
This is the entry’s index number in the list.
DNSBL Domain
This is the name of a domain that maintains DNSBL servers. Enter the domain name of the DNSBL zone that the Zyxel Device should query.
Action
 
Action taken when mail sessions threshold is reached
An email session is when an email client and email server (or two email servers) connect through the Zyxel Device. Select how to handle concurrent email sessions that exceed the maximum number of concurrent email sessions that the email security feature can handle. See the chapter of product specifications for the threshold.
Select Forward Session to have the Zyxel Device allow the excess email sessions without any spam filtering.
Select Drop Session to have the Zyxel Device drop mail connections to stop the excess email sessions. The email client or server will have to re-attempt to send or receive email later when the number of email sessions is under the threshold.
Query Timeout Settings
 
SMTP
Select how the Zyxel Device is to handle SMTP mail query timeout.
Select drop to discard SMTP mail.
Select forward to allow SMTP mail to go through.
Select forward with tag to add a tag to an SMTP query timeout mail’s mail subject and send it on to the destination.
POP3
Select how the Zyxel Device is to handle POP3 mail query timeout.
Select forward to allow POP3 mail to go through.
Select forward with tag to add a tag to a POP3 query timeout mail’s mail subject and send it on to the destination.
Timeout Value
Set how long the Zyxel Device waits for a reply from the mail scan server. If there is no reply before this time period expires, the Zyxel Device takes the action defined in the SMTP or POP3 field above under Query Timeout Settings. Choose the timeout action deliberately: forward lets unscanned mail through whenever the scan servers are slow or unreachable, while drop turns a scan-server outage into lost SMTP mail.
Timeout Tag
Enter a message or label (up to 15 ASCII characters) to add to the mail subject of emails that the Zyxel Device forwards if queries to the mail scan servers time out.
Timeout X-Header
Specify the name and value for the X-Header to be added when queries to the mail scan servers time out.
DNSBL Settings
 
Max. IPs Checking Per Mail
Set the maximum number of sender and relay server IP addresses in the mail header to check against the DNSBL domain servers.
IP Selection Per Mail
Select first N IPs to have the Zyxel Device start checking from the first IP address in the mail header. This is the IP of the sender or the first server that forwarded the mail.
Select last N IPs to have the Zyxel Device start checking from the last IP address in the mail header. This is the IP of the last server that forwarded the mail.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style general
Router(config)# show secure-policy-style status
secure-policy-style: general
Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will not see the profile screen for this feature.