Best Practices for Alleviating Spam in Norman Email Protection

Instructions


Please Note: This article assumes that Norman Email Protection (NEP) is the main entry point, enabling it to see the IP addresses of the external sending mail servers. It also assumes that you do not have a gateway in front of the NEP server, pre-filtering mail, as this would show mail as coming from the gateway IP address. 

Open the NEP Administration Console to configure the following settings:

Security- Properties- DNS Blacklists (DNSBL)

  1. Enable Perform a Lookup for the SMTP host in Real-Time Blacklist
  2. Click on DNSBL Servers and enter the following:
    • sbl-xbl.spamhaus.org
    • bl.spamcop.net
    • cbl.abuseat.org
    • Additional DNSBLs

      Least Aggressive RBL Combination

      sbl.spamhaus.org        known spam sources only
      cbl.abuseat.org         composite block list

      Moderately Aggressive RBL Combination

      sbl-xbl.spamhaus.org    combination of sbl & xbl
      cbl.abuseat.org         composite block list
      dul.dnsbl.sorbs.net     dynamic ranges
      bl.spamcop.net          spamcop block list

      Very Aggressive RBLs

      zen.spamhaus.org        includes sbl, xbl + pbl
      cbl.abuseat.org         composite block list
      dnsbl.sorbs.net         full sorbs zone
      bl.spamcop.net          spamcop block list
  3. Ensure that Reject connection immediately if the host is blacklisted is not enabled
  4. Set the Cache values to 9000 (lookup results) and 240 (minutes)
  5. Click on IP exclusion and enter the IP address for all of your IP blocks
    For example: 10.10.10.0/24, 10.10.20.0/20, 10.10.30.25, etc.
  6. Click Apply

    Warning: Using the Perform RBL Check after the mailbox authentication function keeps the connection open longer.
    If you are not an ISP/xSP or you do not have dynamic IP range provisioning for your users, it may be better to reject the connection immediately.
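
How the lookup, IP exclusion and cache settings above fit together, as an added Python sketch (not NEP code; the class, function names and the injectable resolver are assumptions made for illustration). The 9000-entry and 240-minute defaults mirror the cache values in step 4.

```python
import ipaddress
import socket
import time
from collections import OrderedDict

def dnsbl_query_name(ip, zone):
    """192.0.2.55 + bl.spamcop.net -> 55.2.0.192.bl.spamcop.net (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def socket_resolve(name):
    """True if the name has an A record, which is how a DNSBL signals 'listed'."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

class DnsblChecker:
    def __init__(self, zones, excluded, resolve=socket_resolve,
                 max_entries=9000, ttl_minutes=240, clock=time.monotonic):
        self.zones = list(zones)
        # strict=False accepts entries with host bits set, such as 10.10.20.0/20
        self.excluded = [ipaddress.ip_network(e, strict=False) for e in excluded]
        self.resolve, self.clock = resolve, clock
        self.max_entries, self.ttl = max_entries, ttl_minutes * 60
        self.cache = OrderedDict()  # ip -> (expires_at, zones that list it)

    def check(self, ip):
        """Return the zones that list ip; [] for excluded or unlisted hosts."""
        if any(ipaddress.ip_address(ip) in net for net in self.excluded):
            return []  # own IP blocks are never looked up
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and hit[0] > now:
            return hit[1]  # answered from cache, no DNS traffic
        listed = [z for z in self.zones if self.resolve(dnsbl_query_name(ip, z))]
        self.cache[ip] = (now + self.ttl, listed)
        self.cache.move_to_end(ip)
        while len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)  # evict the oldest entry
        return listed

if __name__ == "__main__":
    fake_zone_data = {"55.2.0.192.bl.spamcop.net"}  # constructed, runs offline
    checker = DnsblChecker(["sbl-xbl.spamhaus.org", "bl.spamcop.net"],
                           ["10.10.10.0/24"], resolve=fake_zone_data.__contains__)
    print(checker.check("192.0.2.55"), checker.check("10.10.10.7"))
```

Note that 10.10.20.0/20 is read here as the enclosing network 10.10.16.0/20, so the exclusion covers 10.10.16.0 through 10.10.31.255.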

Security- Properties- Connection Limits

  1. Enter 5 for the Maximum simultaneous connection rate allowed for the same IP
  2. Enter 5 for the Total number of simultaneous connections allowed from the same IP
  3. Click Apply

Security- Properties- Trusted Address List

  1. Under SMTP Security Trusted Address, click IP Address
  2. Enter the IP addresses for all of your IP blocks
    For example: 10.10.10.0/24, 10.10.20.0/20, 10.10.30.25, etc.
  3. Click Apply

    Note: These options tell NEP to do connection-level verification for messages originating from the specified IPs or IP blocks. It does not prevent content filtering; it only prevents RBL checking or throttling by "Block Scan Attack" or "Connection Limits" from being applied to the specified addresses.

Security- Properties- SMTP Security

  1. Select Enable SMTP Authentication
  2. Enable the following:
    • Do not advertise SMTP AUTH for these
      • In the IP Address list, enter the following 2 items:
        !127.0.0.1 (the ! denotes not), and *.*.*.*
    • Force usage of fully qualified addresses in SMTP commands
    • Reject malformed addresses
    • Validate sender addresses:
      • Set the Cache Size to 9000 entries
      • Set Keep in cache for 240 minutes
  3. Click Apply

Security- Properties- Block Scan Attack

  1. Ensure that Enable Scan Attack Blocking is checked
  2. Click on Slowdown the IP Connections
  3. Disable Force a slowdown on IP connections 
  4. Click Close
  5. Click on Block IP Addresses
  6. Block IP for 240 minutes
  7. Select the After the number of invalid recipients reach field, and set the value to 3
  8. Click Close
  9. Set the Cache values to 9000 (lookup results) and 240 (minutes)
  10. Click Apply

Security- Properties- Sender Reputation (or Sender Validation & Accreditation in earlier versions)

  1. Enable Sender Reputation System (new in NEP 5.0)
  2. The recommendation is to quarantine messages with a 'bad' SRS reputation
  3. Results are updated every 5 minutes. This option protects you from newly detected spam waves and quickly delists IPs that have been removed from botnets
  4. Enable SPF Support
  5. Click Apply
  6. An SPF record is not required for this feature
  7. Optionally, you can enable Perform a lookup for the SMTP host in DNS, which is a reverse DNS lookup on the IP address of the sending server to check whether it has a reverse PTR record. Historically, enabling this option has caused more false positives because many legitimate mail servers do not have reverse zones. Most spam originates from IP addresses that are used for dynamic IP allocation and do not have a reverse PTR record (i.e. DSL or cable modem users with infected zombie machines). However, as spam increases, more companies are turning this feature on despite the risk. While enabling this feature can be a risk, it will considerably alleviate spam problems, so we advise that you use it with caution.

Spam- Preferences- Options

  1. Set the Spam Scanning Level to STRONG
  2. Click Apply

Spam- Preferences- SURBL (Spam Links)

  1. Select Enable SURBL
  2. Under SURBL Servers click multi.surbl.org
  3. Click Enable
  4. Click Add
  5. Add a new SURBL: ph.surbl.org (known phishing links)
  6. Click Enable
  7. Click Apply

System- Properties- Services

Stop and Restart the following:
  1. SMTPRS
  2. MODUSCAN

Important Safety Tip

It is important that you never whitelist your own domain at the global or user level. It is also important that the end-users never whitelist their own email addresses. This is because spammers are in the habit of forging your domain in the from field. Whitelisting yourself means that any email From yourself To yourself will be whitelisted if the spammer is smart enough to forge your domain in the header from field.

Note that version 5.0 will automatically check for and ignore self-whitelisted addresses to ensure that the content undergoes spam scanning, to prevent potential abuse of your system.
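
The effect of a self-whitelisted address, and of ignoring it as described for version 5.0, shown as an added Python sketch (not NEP code). The whitelist entry formats, the function names, the domains and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def entry_domain(entry):
    """Domain part of 'user@domain', '*@domain' or a bare 'domain' entry."""
    return entry.rsplit("@", 1)[-1].strip().lower()

def self_whitelisted(whitelist, local_domains):
    """Whitelist entries that name one of our own domains and should be removed."""
    return [e for e in whitelist if entry_domain(e) in local_domains]

def bypasses_spam_scan(raw_message, whitelist, local_domains, ignore_self):
    """Whitelist decision based on the header From, which the sender controls."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = entry_domain(addr)
    if ignore_self and domain in local_domains:
        return False  # self-whitelisting ignored: the message is still scanned
    entries = {e.strip().lower() for e in whitelist}
    return addr in entries or domain in entries or "*@" + domain in entries

# Constructed sample data (hypothetical domains and users)
LOCAL_DOMAINS = {"example.com"}
WHITELIST = ["alice@example.com", "*@partner.example.net"]
FORGED = ("From: Alice <alice@example.com>\n"
          "To: alice@example.com\n"
          "Subject: Invoice overdue\n\nSee attachment.\n")
PARTNER = ("From: bob@partner.example.net\n"
           "To: alice@example.com\n"
           "Subject: Q3 figures\n\nHi Alice\n")

if __name__ == "__main__":
    print("remove from whitelist:", self_whitelisted(WHITELIST, LOCAL_DOMAINS))
    for label, raw in (("forged", FORGED), ("partner", PARTNER)):
        for ignore in (False, True):
            skipped = bypasses_spam_scan(raw, WHITELIST, LOCAL_DOMAINS, ignore)
            print(label, "ignore_self =", ignore, "-> skips scan:", skipped)
```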
