Sophos Email Appliance: Configuring the Sender Genotype Service

  • Article ID: 112944
  • Updated: 01 Mar 2013

The Sender Genotype Service is enabled on the Sophos Email Appliance by default. This service uses data from SophosLabs to determine whether the sending IP address has a bad reputation. Messages sent from IP addresses with a bad reputation will be rejected.

This feature can help block a large percentage of spam at the connection level based on the reputation of the sender IP address. This significantly reduces the amount of spam you receive, and it also reduces the load on the appliance and your internal mail servers.

This article describes how to configure the Sender Genotype Service.

Known to apply to the following Sophos products and versions

Sophos Email Appliance


How to

Configure Sender Genotype Options

Log in to the Sophos Email Appliance, and select Configuration | Policy | Filtering Options.

Choose one of three options for this setting:

  • Enable connection-level blocking of mail from known bad senders (recommended): rejects messages from known bad senders as soon as the sender information from the TCP/IP connection is received. This option is recommended because it improves performance by blocking spam before it reaches more complex tests in the policy.
  • Enable policy-level blocking of mail from known bad senders: rejects messages from known bad senders using a policy rule. This option is not as efficient as connection-level blocking because the entire message must be accepted by the appliance. When messages are blocked at the policy level, the action is logged for reporting.
  • Disable blocking of mail from known bad senders: disables reputation filtering. When blocking of bad senders is disabled, messages identified as spam are quarantined rather than blocked.

It is strongly recommended that you do not disable the blocking of mail from known bad senders.

Note: If your network has trusted local SMTP relays that pass inbound messages to the Email Appliance, use policy-level blocking instead of connection-level blocking, and add the local inbound SMTP relays to the Trusted Relays list. Connection-level blocking will only work correctly if the Email Appliance receives messages directly from the internet.

Note: When configured in connection-level mode, the appliance will perform both a connection-level check and a policy-level check.

  • The Enable proactive IP connection control for blocking suspicious hosts option rejects messages originating from dynamic hosts, spambots, and suspicious hosts. Enabling this option allows the appliance to block spam from hosts that have not yet established a reputation, but which are very likely to be sending spam.

Configure your network for Sender Genotype Service

The Sender Genotype Service must scan the sender's IP address in order to be effective and to prevent false positives.

Configure the following to ensure that the sender's IP address is the one being scanned:

  1. If you use any upstream mail relays, you must use policy-level blocking. Connection-level blocking will not work correctly because the sender is not connecting directly.
  2. If you use any upstream mail relays, you must enter them as a trusted relay in Configuration | Routing | Trusted Relays. This makes them a 'known relay' and exempts them from IP blocking.
  3. If you wish to use connection-level blocking, you must ensure that your firewall does not modify or perform network address translation (NAT) on the connecting IP address. The connection must appear to originate from the sender.
  4. Your firewall or upstream relays must leave the Received headers of messages intact. When using policy-level blocking, we scan the Received headers. You must ensure that IP addresses in this Received chain are not altered or masked.
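
The following is an added example, not Sophos code and not a description of the appliance's internal logic. It illustrates why steps 2 and 4 matter: walking a message's Received chain, skipping trusted relays, and reporting which address would be left to evaluate. The sample message, hostnames, addresses, function names, the bracketed-IP header format and the IPv4-only parsing are all assumptions made for the illustration.

```python
import email
import ipaddress
import re

# Constructed sample: 203.0.113.45 (documentation range) stands in for the
# internet sender; 10.0.0.5 is a hypothetical upstream relay.
SAMPLE = """\
Received: from relay.example.internal (relay.example.internal [10.0.0.5])
\tby appliance.example.internal with ESMTP; Fri, 01 Mar 2013 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.45])
\tby relay.example.internal with ESMTP; Fri, 01 Mar 2013 10:00:01 +0000
From: a@sender.example
Subject: test

body
"""

# Assumed header style: the connecting address appears in square brackets.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Return the bracketed IPv4 address of each Received header, newest first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        ips.append(ipaddress.ip_address(match.group(1)) if match else None)
    return ips


def sender_ip(raw_message, trusted_relays):
    """Walk the Received chain from the newest hop and return the first
    address that is not a trusted relay. None means the chain was masked,
    stripped, or contained only trusted relays."""
    nets = [ipaddress.ip_network(n) for n in trusted_relays]
    for ip in received_ips(raw_message):
        if ip is None:
            return None  # hop with no readable address: chain was altered
        if not any(ip in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    print(sender_ip(SAMPLE, ["10.0.0.5/32"]))  # relay listed as trusted
    print(sender_ip(SAMPLE, []))               # relay missing from the list
```

If the relay is missing from the trusted list, the relay's own address is the one that gets evaluated; if an upstream device strips or masks an address in the chain, no sender address can be recovered at all.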

Further Information

You can check the reputation of an IP address and request that the IP be re-classified by using our online tool here:

http://www.sophos.com/en-us/threat-center/ip-lookup.aspx

If you need more information or guidance, then please contact technical support.
