Sophos Email Appliance Recommended Anti-Spam configuration

  • Article ID: 120802
  • Rating:
  • 3 customers rated this article 6.0 out of 6
  • Updated: 08 Apr 2014

Recommended Baseline Anti-Spam Configuration

This knowledge base article contains the recommended baseline configuration for detecting spam on an appliance.  The following headings below describe the default configuration and the settings in which you should at the minimum configure.

You can advance through this article by clicking on the section names below.

 

Configuration Anti-Spam Policy Rules

Inbound Policy:

The Email appliance has two default inbound Anti-Spam policy rules.  They are "High Spam" and "Medium Spam" which have different actions.  Messages that are classified as High are discarded and Medium ones are quarantined as shown below.

It is recommended to leave these settings as default.

  

Outbound Policy:

Along with the inbound policy there are an equivalent outbound policy rules that check for High Spam and Medium Spam.  However, on outbound rules the action is to quarantine the message rather than discard and quarantine.  It is also recommended to leave these as their default settings.

Sender / Recipient Selection:

Both the inbound and outbound policy rules have the ability to select what senders or recipients are exempt or not exempt from being tested.  By default all recipients are tested inbound, and all senders are tested outbound.

Select Users 

Leave the entries at their default if experiencing unexpected results.

NOTE:  Include only applies to the added recipients and/or senders, and Exclude only applies to added recipients and/or senders.

Filtering Options:

The Email Appliance has a feature that allows for messages to be blocked based on Sender Genotype. It is recommended to select the default settings as shown below.

Filtering Options 

NOTE:

If your appliance does not receive SMTP connections directly from the internet or is behind another relay you will need to change the service from "connection-level" blocking to "policy-level" blocking.

Bulk Message Rule:

Bulk messages are messages that are sent from email service providers that deliver solicited and unsolicited content. The bulk message rule will target all messages that are of bulk in nature. These are messages which users have opted to receive, not spam. It is recommended to take action on bulk messages and have individual users whitelist only those bulk messages they want delivered.

 

The bulk policy rule is found under the Additional Policy as an inbound rule type only.  It is recommend that the rule be created with an action of "tag and continue". This way users can still receive bulk mail messages, but those at the same time that didn't want them will know that these are bulk messages and not spam.

 

The opposite method would be quarantine the message as bulk and have each user maintain their personal list of approved bulk senders through the enduser quarantine interface.

Allow / Block Lists:

Administrators have the ability to globally allow and restrict senders and hosts. Allowed hosts/senders have a default action of deliver.

Allowed, Blocked Lists 

The Allow List identifies specific hosts and senders to be white-listed through the mail filter; therefore bypassing the Anti-Spam tests.

Allow Block Editor 

Entries in the lists must be in the following syntax.

Hosts:

IP Address, host, domain, or CIDR range

ie. 123.123.123.123, 123.123.0.0/10, host.example.com

Senders:

Domain or email address 

ie. @example.com, or user@example.com

NOTE:  Do not put domains into the hosts table for allow lists! This could potentially allow unwanted messages through.

If unwanted messages that appear to be spam in nature, review your allow lists to make sure that host or sender was not exempt from testing.

Per User Allow/Block Lists:

Administrators have the ability to allow users to edit their Allow/Block senders list from within the enduser quarantine interface.  These entries are not manageable by the admin in the administration interface.  Be sure to verify that if a spam message is received that the individual user did not allow that by entering in a domain or sender address in their personal list. 

SMTP Options:

The SMTP options page contains a tab called "Perimeter Protection", the default settings are to "Block mail from non-existent domains" and "Denial of service & directory harvest protection".

SMTP Options 

It is recommended to leave the settings as above.

Trusted Relays:

Trusted relays are hosts that connect the appliance to the internet.  These hosts are either gateways or forwarders or perhaps another email server passing messages to the appliance. 

 

Adding a trusted relay value will exclude that address from being queried in the spam score.  Only add trusted relays if mail is forwarded from a legitimate host/gateway in your network.

 

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments