KB Article | Forcepoint Support

Notes & Warnings

Additional Problem and Search Terms:
Receiving a lot of spam, Assistance configuring rules, Unfiltered SPAM, Receiving SPAM

Problem Description

How do I configure Websense Email Security to eliminate the most spam?

Resolution

Websense Email Security includes several tools that, when fully configured, eliminate almost all spam. This article describes how to configure those components for maximum effectiveness.

If you are using SurfControl E-mail Filter v5.5, please consider upgrading to Websense Email Security v6.1. It has more anti-spam capabilities and isolates more spam than previous versions. If upgrading isn't an option, please see article for configuration guidelines.

The primary tools for combating spam include:

  • Anti-Spam Agent
  • Reverse DNS Lookup
  • Reputation Service (RBL)
  • Whitelist
  • Blacklist
  • Sender Policy Framework (SPF)
  • Internet Threat Database
  • HTML Stripper

To get the best results, use all of these tools. Each is described in its own section below.

When a fully configured installation allows spam through, it is likely because the spammer is using a new strategy. We encourage you to send a copy of that spam to Websense for analysis and possible inclusion in the Anti-Spam Agent database. To send a spam for analysis, follow the directions in this article.


Anti-Spam Agent (ASA)

Essential: ASA requires a subscription. When you register Websense Email Security or when you enable ASA updates in the Scheduler, you can activate a subscription. Provide the required information in the Registration screens. If you are running an evaluation copy, you can use ASA without a key during your 30-day evaluation period.

A complete description of the Anti-Spam Agent is located in chapter 6 of the Administrator's Guide.

ASA includes the following subcomponents. You can enable or disable any combination of these:

  • Digital Fingerprinting (DFP): Checks the digital fingerprint of an email against the Websense Anti-Spam DFP database.
  • Heuristics: Analyzes the email header and body (or just the header) to determine how closely the contents resemble spam.
  • LexiRules: Analyzes the email for word combinations and patterns that are common in spam.

Digital Fingerprinting is very accurate and returns virtually no false positives.

Heuristics and LexiRules assess the likelihood that an email is spam. They will sometimes block a legitimate email. For example, a marketing newsletter might share some characteristics with a spam email and trigger the rule.

For best results, use all ASA components.

ASA components are preconfigured in 2 default rules:

  1. The first rule enables only DFP. Email that triggers this rule is isolated in the Anti-Spam Agent-DFP folder. DFP is highly accurate; you can purge isolated messages after only a short holding period.
  2. The second default rule enables Heuristics and LexiRules. It is good at identifying new spam that has not yet been digitally fingerprinted. Email that triggers this rule is isolated in the Anti-Spam Agent folder. You should monitor this folder to determine if the rule is giving the desired results. You can adjust the Heuristics sensitivity level accordingly. Instructions are provided in the next section.

To change the ASA components settings in an existing ASA rule:

  1. In the list of rules in the Rules Administrator, click the ASA rule you want to change.
  2. In the Rules Palette, right-click the "if" element labeled "Message scan contains Anti-spam Agent content" and select Properties.
  3. Select the tab for the component you want to change.

Digital Fingerprinting (DFP) - Checks the digital fingerprint of an email against the Anti-Spam database. The Anti-Spam database classifies spam into 17 categories. You can decide the categories of content you want to allow or block.

To enable DFP:

  1. Select the Digital Fingerprinting tab and select Enable Digital Fingerprinting.
  2. Select the categories of spam to detect. The recommended setting is all categories.

Heuristics - Performs a series of tests that determine how closely an email resembles spam. You can set the sensitivity. The higher the sensitivity, the fewer spam-like traits an email needs to trigger the rule.

To enable Heuristics:

  1. Select the Heuristics tab and select Enable Heuristics.
  2. Use the slider to set a sensitivity level. The recommended setting is 3.

By default, the Heuristics tool scans the entire email. It is best to scan the whole message. See article 2341.

LexiRules - Performs tests that are similar to Heuristics, triggering if the email has spam-like traits.

To enable LexiRules, click on the LexiRules tab and select Enable LexiRules.

Essential: As with all rules, after creating or modifying a rule, you must save the changes and verify that the rule is enabled. Enabled rules are identified with a check in the adjacent box.

To create a new rule that includes the Anti-Spam Agent object:

ASA rules are constructed like any other rule.

  1. When you are ready to include the What object, drag the Anti-Spam Agent object into position. The Properties for Anti-Spam Agent dialog box is displayed.
  2. Select the Anti-Spam Agent components to be enabled.

Scheduling ASA definition updates:

Websense updates the ASA definitions very frequently. Websense recommends updating every 30 minutes to ensure you have the latest definitions.

To change the schedule, open the Scheduler, highlight the Anti-Spam Agent task, click Configure and adjust the update interval as needed. Click OK. If the Anti-Spam Agent task is not on the list, click Add item, select Anti-Spam Agent Update from the drop-down menu, set the update interval as needed, and click OK.

It is important to verify that update tasks are successfully completed, to minimize the amount of spam entering your system. To confirm that an ASA definition update is complete, click View Log in the Scheduler. Ensure that the most recent task completed and that the time stamp is current.

Important: Do not schedule update tasks to overlap.

Manually updating the ASA definitions:

If the ASA update fails, you may need to download the updates manually.

To check the status of an update, in the Scheduler click View Log.

To perform a manual update, go to http://asa.surfcontrol.com and follow the instructions.

If your product key can’t be registered or if the update failed to connect to the live update server, test the server's connection to the live update host by copying "st4update.surfcontrol.com" into a Web browser. If the connection is allowed, "The Live Update Server" is displayed in the browser window. Otherwise check to see if a proxy or firewall is blocking the connection.

Reverse DNS Lookup

By default, Reverse DNS Lookup is not enabled.

Reverse DNS Lookup verifies that email is coming from a legitimate sender by checking that the domain name specified by the sending mail client (in the HELO/EHLO greeting) matches the domain name in its DNS record. For a complete description, see chapter 3 of the Administrator's Guide.

When a mail client requests a connection, the Receive Service performs a reverse DNS lookup on the sender's IP address to get its PTR record. The default timeout is 3 seconds. If the PTR record does not exist, or if the DNS record doesn't match the host name specified in the HELO/EHLO command, Websense Email Filter can take one of 3 actions:

  • Log Only - The mismatch is displayed in the Receive Service panel and the connection is accepted and email received.
  • Deny if no DNS record found - If no DNS record corresponds to the sender's IP address and the requestor fails to authenticate itself, the connection is terminated.
  • Deny if DNS record fails to match HELO string - If the domain name in the DNS record does not match the one given in the HELO/EHLO command, the Receive Service terminates the connection, unless the sender authenticates itself.

The strongest setting is Deny if DNS record fails to match HELO string.

Warning: Under either of the Deny settings, if a legitimate sender has a misconfigured DNS setting or no PTR record, their messages are denied. For this reason, Websense recommends setting Reverse DNS Lookup to Log Only.

To exempt a trusted sender, see below.

To enable Reverse DNS Lookup:

  1. In the Server Configuration console select the Reverse DNS Lookup function.
  2. Select Enable Reverse DNS lookup.
  3. Select the Log Only bullet.
  4. Select an action. Click OK.

Excluding a mail server from Reverse DNS Lookup:

It is an RFC recommendation, but not a requirement, that the HELO/EHLO command contain the fully-qualified domain name (FQDN) of the sending mail client. If you have chosen to deny the connection, you may find that legitimate email is blocked because the sending mail client does not use the FQDN in its HELO/EHLO command. To avoid blocking legitimate senders, exclude them from reverse DNS lookup.

To exclude a mail server from Reverse DNS Lookup:

  1. In the Server Configuration console select Reverse DNS Lookup.
  2. Click Exclude. The Exclusion from Client DNS Lookup dialog box is displayed.
  3. Click Add. The SMTP List Entry dialog box is displayed.
  4. Enter the IP address you want to exclude from Reverse DNS Lookup and click OK.
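The three Reverse DNS Lookup actions and the exclusion list described above, as an added Python illustration that is not part of this article or of the Websense product: it looks up the connecting address's PTR record in a constructed in-memory table (so it runs offline), compares the result with the HELO/EHLO host name, and applies the chosen action. The table contents, the IP addresses and host names, and the names `RdnsAction` and `check_client` are all assumptions; the article does not say how a lookup timeout is treated, so that case is not modelled.

```python
"""Reverse DNS Lookup decision logic, modelled on the three actions
described in the article.  Added illustration, not code from the
article or the Websense product.  The PTR table is constructed so the
example runs offline."""

from enum import Enum
from typing import Optional

# Constructed PTR data: client IP address -> host name in its PTR record.
# Addresses come from the RFC 5737 documentation ranges.
PTR_RECORDS = {
    "203.0.113.10": "mail.example.net",
    "198.51.100.7": "smtp.partner.example.org",
}


class RdnsAction(Enum):
    """The three actions offered by the Reverse DNS Lookup setting."""
    LOG_ONLY = "Log Only"
    DENY_IF_NO_RECORD = "Deny if no DNS record found"
    DENY_IF_MISMATCH = "Deny if DNS record fails to match HELO string"


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR host name for ip, or None if no record exists.
    To query real DNS instead, return socket.gethostbyaddr(ip)[0] and
    catch socket.herror as 'no record'."""
    return PTR_RECORDS.get(ip)


def check_client(ip: str, helo: str, action: RdnsAction,
                 exclusions=frozenset(), authenticated: bool = False):
    """Decide whether to accept the SMTP connection; returns (accept, reason).

    Addresses on the exclusion list skip the lookup entirely.  Under a
    Deny action a sender that authenticates is still accepted, as the
    article states.
    """
    if ip in exclusions:
        return True, "excluded from Reverse DNS Lookup"

    ptr = reverse_lookup(ip)
    if ptr is None:
        finding = "no PTR record for %s" % ip
    elif ptr.lower() != helo.strip().lower():
        finding = "PTR %s does not match HELO %s" % (ptr, helo)
    else:
        return True, "PTR %s matches HELO" % ptr

    # Log Only: record the finding and accept the connection regardless.
    if action is RdnsAction.LOG_ONLY:
        return True, "logged: " + finding
    if authenticated:
        return True, "authenticated sender; logged: " + finding
    if action is RdnsAction.DENY_IF_NO_RECORD:
        # Assumption: this setting denies only when the record is
        # missing and merely logs a HELO mismatch.
        if ptr is None:
            return False, "denied: " + finding
        return True, "logged: " + finding
    # DENY_IF_MISMATCH is the strongest setting: a missing record and a
    # mismatch are both denied, which is what the article's warning says.
    return False, "denied: " + finding


if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mail.example.net"),
                     ("203.0.113.10", "EXAMPLE"),
                     ("192.0.2.50", "mail.nowhere.example")]:
        print(ip, helo, check_client(ip, helo, RdnsAction.DENY_IF_MISMATCH))
```

Running the block shows the case the article warns about: a host whose HELO is a bare name such as "EXAMPLE" rather than its FQDN is accepted under Log Only and denied under the strongest setting, and adding its address to the exclusion set restores delivery without weakening the check for everyone else.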

Reputation DNS Blacklist

This feature checks the IP address of the sender against the Websense Reputation service and/or checks the sender's True Source IP address against a list of spammers maintained by DNS Blacklist servers. You need to research and choose a DNS Blacklist server. For a complete description of this feature, see chapter 3 of the Administrator's Guide.

When an IP address is found in the Websense Reputation service or a DNS Blacklist, Websense Email Security can either:

  • Log Only - The information that the connection came from a sender on the Reputation DNS Blacklist server is recorded in the Connection log and displayed in the Monitor. The connection is allowed and the email is processed.
  • Deny Connection: The connection is dropped and email from that sender is rejected.

To significantly reduce spam, enable this feature and select Deny Connection.

To enable the Websense Reputation service:

  1. In the Server Configuration console select Email Connection Management > Reputation/DNS Blacklist.
  2. Check the Activate Websense Reputation Service check box.

Checking True Source IP addresses against DNS Blacklist servers:

To enable checks of a sender's True Source IP address against one or more DNS Blacklist servers:

  1. In the Server Configuration console select Email Connection Management > Reputation/DNS Blacklist.
  2. Select Check IP addresses against Reputation/DNS Blacklist.
  3. To add a DNS Blacklist server, click Add… The SMTP List Entry dialog box is displayed.
  4. Enter the domain name of the DNS Blacklist server to use and click OK.

Excluding mail servers from Reputation DNS Blacklist server checking:

A legitimate organization can sometimes be wrongly placed on a Reputation DNS Blacklist server, for example if its domain name has been used by a spammer to send spoofed email. You can exclude legitimate IP addresses from Reputation DNS Blacklist server lookups.

To exclude a mail server from Reputation DNS Blacklist server lookups:

  1. In the Server Configuration console select Email Connection Management > Reputation/DNS Blacklist.
  2. Select Exclude… The Exclusions dialog box is displayed.
  3. Click Add… The SMTP List Entry dialog box is displayed.
  4. Enter the IP address to exclude from Reputation DNS Blacklist lookups. If you have set up Reverse DNS Lookup for a domain, you can enter that domain. Click OK.
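The DNS Blacklist check described in this section, as an added Python illustration that is not part of this article or of the Websense product: it builds the standard DNSBL query name (the IPv4 octets reversed, followed by the list's zone), treats an answer in 127.0.0.0/8 as "listed", and applies either Log Only or Deny Connection while honouring an IP exclusion list. The zone name `dnsbl.example` is a placeholder for whichever DNS Blacklist operator you choose, the DNS answers are a constructed table so the example runs offline, and only IP address exclusions are modelled (not the domain-based exclusion the last step mentions). The Websense Reputation service itself is proprietary and is not represented.

```python
"""DNS Blacklist (DNSBL) check of a connecting IP address.  Added
illustration, not code from the article or the Websense product.  The
zone name and the DNS answers below are constructed placeholders."""

import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Placeholder list zone; a real deployment enters the zone name of the
# DNS Blacklist operator it has chosen.
DNSBL_ZONE = "dnsbl.example"

# Constructed DNS answers: query name -> A record.  DNSBL zones answer a
# listed address with a 127.0.0.0/8 value and NXDOMAIN otherwise.
FAKE_DNS = {
    "10.113.0.203.dnsbl.example": "127.0.0.2",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)           # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_lookup(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed table."""
    return FAKE_DNS.get(name)


def live_lookup(name: str) -> Optional[str]:
    """Real resolver for production use; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str,
              resolver: Callable[[str], Optional[str]] = fake_lookup) -> bool:
    """True when the list answers with an address inside 127.0.0.0/8."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def connection_decision(ip: str, zones: Iterable[str], deny: bool,
                        exclusions=frozenset(), resolver=fake_lookup):
    """Return (accept, reason) for Log Only (deny=False) or Deny Connection
    (deny=True), skipping the lookup for addresses on the exclusion list."""
    if ip in exclusions:
        return True, "excluded from Reputation/DNS Blacklist lookups"
    hits = [zone for zone in zones if is_listed(ip, zone, resolver)]
    if not hits:
        return True, "not listed"
    finding = "listed on " + ", ".join(hits)
    if deny:
        return False, "connection denied: " + finding
    return True, "logged: " + finding


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, connection_decision(ip, [DNSBL_ZONE], deny=True))
```

Passing `resolver=live_lookup` switches the same logic to real DNS. The exclusion branch runs before any lookup, which is the behaviour you want when a legitimate partner's address has been listed by mistake: their mail is accepted without the list being consulted at all.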
