cyberoam anti spam implementation guide - docs.sophos.comdocs.sophos.com/nsg/cyberoam/version...

Cyberoam Central Console Administrator Guide

Cyberoam Central Console

Administrator Guide

Cyberoam Anti Spam Implementation Guide Version 10

Document version 1.0 – 10.6.6.042 - 24/11/2017

Cyberoam Anti Spam Implementation Guide

Page 1 of 43

Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but

is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam

Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.

You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam

UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS Copyright 1999 - 2015 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of

Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters

Cyberoam House,

Saigulshan Complex, Opp. Sanskruti, Beside White House, Panchwati Cross Road,

Ahmedabad - 380006, GUJARAT, INDIA. Tel: +91-79-66216666

Web site: www.cyberoam.com

http://www.cyberoam.com/documents/EULA.html

http://kb.cyberoam.com/default.asp?id=487&SID=&Lang=1.

http://www.cyberoam.com/


Page 2 of 43

Contents

Preface ............................................................................................................................ 3 Introduction..................................................................................................................... 5 Appliance Administrative Interfaces............................................................................... 6

Web Admin Console .................................................................................................................... 6 Command Line Interface (CLI) Console ...................................................................................... 7 Cyberoam Central Console (CCC) ............................................................................................... 7 Web Admin Console .................................................................................................................... 8

Web Admin Language ................................................................................................................ 8 Supported Browsers ................................................................................................................... 9 Login procedure ....................................................................................................................... 10 Log out procedure .................................................................................................................... 11 Menus and Pages..................................................................................................................... 12 Page ........................................................................................................................................ 14 Icon bar .................................................................................................................................... 15 List Navigation Controls ............................................................................................................ 16 Tool Tips .................................................................................................................................. 16 Status Bar ................................................................................................................................ 16 Common Operations................................................................................................................. 17

Spam ............................................................................................................................. 19 Cyberoam Gateway Anti Spam ..................................................................................... 20

Configuration ............................................................................................................................. 22 Address Group ......................................................................................................................... 25 Email Archiver .......................................................................................................................... 28

Spam Rules ................................................................................................................................ 30 Manage Spam Rules ................................................................................................................ 30

Quarantine .................................................................................................................................. 36 Quarantine Digest Settings ....................................................................................................... 37 Quarantine Area ....................................................................................................................... 40

Trusted Domain .......................................................................................................................... 42


Page 3 of 43

Preface

Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN) and 3G wireless broadband and analog modem support can be used as either Active or Backup WAN connection for business continuity.

Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti- Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple Link Management, Comprehensive Reporting over a single platform.

Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity.

Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’ Gold logo provide Cyberoam the readiness to deliver on future security requirements.

Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external world and still have firewall protection.

Note

• Default Web Admin Console username is ‘admin’ and password is ‘admin’

• Cyberoam recommends that you change the default password immediately after installation to avoid unauthorized access.


Page 4 of 43

Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Cyberoam House

Saigulshan Complex, Opp. Sanskruti,

Beside White House, Panchwati Cross Road,

Ahmedabad - 380006, GUJARAT, INDIA.

Ahmedabad 380006

Gujarat, India.

Tel: +91-79-66216666


Cyberoam contact:

Technical support (Corporate Office): +91-79- 26400707

Email: [email protected]


Visit www.cyberoam.com for the regional and latest contact information.


mailto:[email protected]




Page 5 of 43

Introduction

Welcome to Cyberoam’s – Anti Spam User guide.

This Guide provides information on how to configure Cyberoam Anti Spam solution and helps you manage and customize Cyberoam to meet your organization’s various requirements including restriction of spam mails, creation of groups and archiving Emails to control web as well as application access.

Anti Spam module is an add-on module which needs to be subscribed before use.

Note All the screen shots in this Guide have been taken from NG series of appliances. The feature and functionalities however remains unchanged across all Cyberoam appliances.


Page 6 of 43

Appliance Administrative

Interfaces

Appliance can be accessed and administered through:

1. Web Admin Console

2. Command Line Interface Console

3. Cyberoam Central Console

Administrative Access An administrator can connect and access the Appliance through HTTP, HTTPS, telnet, or SSH services. Depending on the Administrator login account profile used for access, an administrator can access number of Administrative Interfaces and Web Admin Console configuration pages.

Appliance is shipped with two administrator accounts and four administrator profiles.

Administrator Type

Login Credentials Console Access Privileges

Super Administrator

admin/admin Web Admin Console CLI console

Full privileges for both the consoles. It provides read-write permission for all the configuration performed through either of the consoles.

Default cyberoam/cyber Web Admin console only

Full privileges. It provides read-write permission for all the configuration pages of Web Admin console.

Note We recommend that you change the password of both the users immediately on deployment.

Web Admin Console

Web Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Appliance.

You can connect to and access Web Admin Console of the Appliance using HTTP or a HTTPS connection from any management computer using web browser:

1. HTTP login: http://<LAN IP Address of the Appliance>

2. HTTPS login: https://<LAN IP Address of the Appliance>

For more details, refer section Web Admin Console.


Page 7 of 43

Command Line Interface (CLI) Console

Appliance CLI console provides a collection of tools to administer, monitor and control certain Appliance component. The Appliance can be accessed remotely using the following connections:

1. Remote login Utility – TELNET login

To access Appliance from command prompt using remote login utility – Telnet, use command TELNET <LAN IP Address of the Appliance>. Use administrator password to login.

Note Default password of TELNET connection for CLI Console is “admin”.

2. SSH Client (Serial Console)

SSH client securely connects to the Appliance and performs command-line operations. CLI console of the Appliance can be accessed via any of the SSH client using LAN IP Address of the Appliance and providing Administrator credentials for authentication.

Note Start SSH client and create new Connection with the following parameters: Host – <LAN IP Address of the Appliance> Username – admin Password – admin

Use CLI console for troubleshooting and diagnose network problems in details. For more details, refer version specific Console Guide available on http://docs.cyberoam.com/.

Cyberoam Central Console (CCC)

Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central Console (CCC) Appliance, enabling high levels of security for Managed Security Service Provider (MSSPs) and large enterprises. To monitor and manage Cyberoam using CCC Appliance you must:

1. Configure CCC Appliance in Cyberoam

2. Integrate Cyberoam Appliance with CCC using: Auto Discovery, Manually

Once you have added the Appliances and organized them into groups, you can configure single Appliance or groups of Appliances.

For more information, please refer CCC Administrator Guide.

http://docs.cyberoam.com/


Page 8 of 43

Web Admin Console

CyberoamOS uses a Web 2.0 based easy-to-use graphical interface termed as Web Admin Console to configure and manage the Appliance.

You can access the Appliance for HTTP and HTTPS web browser-based administration from any of the interfaces. Appliance when connected and powered up for the first time, it will have a following default Web Admin Console Access configuration for HTTP and HTTPS services.

Services Interface/Zones Default Port

HTTP LAN, WAN TCP Port 80

HTTPS WAN TCP Port 443

The administrator can update the default ports for HTTP and HTTPS services from System >

Administration > Settings.

Web Admin Language

The Web Admin Console supports multiple languages, but by default appears in English. To cater to its non-English customers, apart from English, Chinese-Simplified, Chinese-Traditional, Hindi, Japanese and French languages are also supported. Administrator can choose the preferred GUI language at the time of logging on.

Listed elements of Web Admin Console will be displayed in the configured language:

• Dashboard Doclet contents

• Navigation menu

• Screen elements including field & button labels and tips

• Error messages


Page 9 of 43

Supported Browsers

You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS connection from any management computer using one of the following web browsers:

Browser Supported Version

Microsoft Internet Explorer Version 8+

Mozilla Firefox Version 3+

Google Chrome All versions

Safari 5.1.2(7534.52.7)+

Opera 15.0.1147.141+

The minimum screen resolution for the management computer is 1024 X 768 and 32-bit true xx-color.

The Administrator can also specify the description for firewall rule, various policies, services and various custom categories in any of the supported languages.

All the configuration done using Web Admin Console takes effect immediately. To assist you in configuring the Appliance, the Appliance includes a detailed context-sensitive online help.


Page 10 of 43

Login procedure

The log on procedure authenticates the user and creates a session with the Appliance until the user logs-off.

To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the browser’s URL box. A dialog box appears prompting you to enter username and password.

Screen – Login Screen

Screen Element Description

Username

Enter user login name.

If you are logging on for the first time after installation, use the default username.

Password

Specify user account password.

Dots are the placeholders in the password field.

If you are logging on for the first time after installation with the default username, use the default password.

Language

Select the language. The available options are Chinese-Simplified, Chinese-Traditional, English, French, and Hindi.

Default – English

Log on to

To administer Cyberoam, select ‘Web Admin Console’

To view logs and reports, select “Reports”.

To login into your account, select “My Account”.

Login button Click to log on the Web Admin Console.

Screen – Login screen elements

The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick and fast overview of all the important parameters of your Appliance.


Page 11 of 43

Log out procedure

To avoid un-authorized users from accessing Cyberoam, log off after you have finished working. This will end the session and exit from Cyberoam.

To log off from the Appliance, click the button located at the top right of any of the Web Admin Console pages.


Page 12 of 43

Menus and Pages

The Navigation bar on the leftmost side provides access to various configuration pages. This menu consists of sub-menus and tabs. On clicking the menu item in the navigation bar, related management functions are displayed as submenu items in the navigation bar itself. On clicking submenu item, all the associated tabs are displayed as the horizontal menu bar on the top of the page. To view a page associated with the tab, click the required tab.

The left navigation bar expands and contracts dynamically when clicked on without navigating to a submenu. When you click on a top-level heading in the left navigation bar, it automatically expands that heading and contracts the heading for the page you are currently on, but it does not navigate away from the current page. To navigate to a new page, first click on the heading, and then click on

the submenu you want navigate to. On hovering the cursor upon the up-scroll icon or the down-

scroll icon , automatically scrolls the navigation bar up or down respectively.

The navigation menu includes following modules:

• System – System administration and configuration, firmware maintenance, backup - restore

• Objects – Configuration of various policies for hosts, services, schedules and file type

• Networks – Network specific configuration viz., Interface speed, MTU and MSS settings, Gateway, DDNS

• Identity – Configuration and management of User and user groups

• Firewall – Firewall Rule Management

• VPN – VPN and SSL VPN access configuration

• IPS – IPS policies and signature


Page 13 of 43

• Web Filter – Web filtering categories and policies configuration

• Application Filter – Application filtering categories and policies configuration

• WAF – Web Application Filtering policies configuration. Available in all the models except CR15iNG and CR15wiNG.

• IM – IM controls

• QoS – Policy management viz., surfing quota, QoS, access time, data transfer

• Anti Virus – Antivirus filtering policies configuration

• Anti Spam – Anti Spam filtering policies configuration

• Traffic Discovery – Traffic monitoring

• Logs & Reports – Logs and reports configuration

• Note

• Use F1 key for page-specific help.

• Use F10 key to return to Dashboard.

Each section in this guide shows the menu path to the configuration page. For example, to reach the Zone page, choose the Network menu, then choose Interface sub-menu from the navigation

bar, and then choose Zone tab. Guide mentions this path as Network > Interface > Zone.


Page 14 of 43

Page

A typical page looks as shown in the below given image:

Screen – Page


Page 15 of 43

Icon bar

The Icon bar on the upper rightmost corner of every page provides access to several commonly used functions like:

1. Dashboard – Click to view the Dashboard

2. Wizard – Opens a Network Configuration Wizard for a step-by-step configuration of the network parameters like IP Address, subnet mask and default gateway for your Appliance.

3. Report – Opens a Reports page for viewing various usage reports. Integrated Logging and Reporting solution - iView, to offer wide spectrum of 1000+ unique user identity-based reporting across applications and protocols and provide in-depth network visibility to help organizations take corrective and preventive measures.

This feature is not available for CR15xxxx series of Appliances.

4. Console – Provides immediate access to CLI by initiating a telnet connection with CLI without closing Web Admin console.

5. Logout – Click to log off from the Web Admin Console.

6. More Options – Provides options for further assistance. The available options are as follows:

• Support – Opens the customer login page for creating a Technical Support Ticket. It is fast, easy and

puts your case right into the Technical Support queue.

• About Product – Opens the Appliance registration information page.

• Help – Opens the context – sensitive help page.

• Reset Dashboard – Resets the Dashboard to factory default settings.

• Lock – Locks the Web Admin Console. Web Admin Console is automatically locked if the Appliance

is in inactive state for more than 3 minutes. To unlock the Web Admin Console you need to re-login.

By default, Lock functionality is disabled. Enable Admin Session Lock from System > Administration > Settings.

• Reboot Appliance – Reboots the Appliance.

• Shutdown Appliance – Shut downs the Appliance.


Page 16 of 43

List Navigation Controls

The Web Admin Console pages display information in the form of lists that are spread across the multiple pages. Page Navigation Control Bar on the upper right top corner of the list provides navigation buttons for moving through the list of pages with a large number of entries. It also includes an option to specify the number entries/records displayed per page.

Tool Tips

To view the additional configuration information use tool tip. Tool tip is provided for many

configurable fields. Move the pointer over the icon to view the brief configuration summary.

Status Bar

The Status bar at the bottom of the page displays the action status.


Page 17 of 43

Common Operations

Adding an Entity

You can add a new entity like policy, group, user, rule, ir host by clicking the Add button available on most of the configuration pages. Clicking this button either opens a new page or a pop-up window.

Editing an Entity

All the editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the

Edit icon under the Manage column.

Deleting an Entity

You can delete an entity by selecting the checkbox and clicking the Delete button or Delete icon.

To delete multiple entities, select individual entity and click the Delete button.

To delete all the entities, select in the heading column and click the Delete button.


Page 18 of 43

Sorting Lists

To organize a list spread over multiple pages, sort the list in ascending or descending order of a column attribute. You can sort a list by clicking a column heading.

• Ascending Order icon in a column heading indicates that the list is sorted in ascending order of the column attribute.

• Descending Order icon in a column heading indicates that the list is sorted descending order of the column attribute.

Filtering Lists

To search specific information within the long list spread over multiple pages, filter the lists. Filtering criteria vary depending on a column data and can be a number or an IP address or part of an address, or any text string combination.

To create filter, click the Filter icon in a column heading. When a filter is applied to a column,

the Filter icon changes to .

Configuring Column Settings

By default on every page all columnar information is displayed but on certain pages where a large number of columnar information is available, all the columns cannot be displayed. It is also possible that some content may not be of use to everyone. Using column settings, you can configure to display only those numbers of columns which are important to you.

To configure column settings, click Select Column Settings and select the checkbox against the columns you want to display and clear the checkbox against the columns which you do not want to display. All the default columns are greyed and not selectable.


Page 19 of 43

Spam

Spam refers to electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited Email.

Spamming is to indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. In other words, it is an inappropriate attempt to use a mailing list, or other networked communications facility as a broadcast medium by sending the same message to a large number of people who did not ask for it.

In addition to being a nuisance, it also eats up a lot of network bandwidth. Because the Internet is a public network, little can be done to prevent spam, just as it is impossible to prevent junk mail. However, the use of software filters in Email programs can be used to remove most spam sent through Email to certain extent.

With the number of computer users growing and the exchange of information via the Internet and Email increases in volume, spamming has become an almost everyday occurrence. Apart from network bandwidth, it also affects the employees productive as deletion of such mails is a huge task. Anti spam protection is therefore a priority for anyone who uses a computer.


Page 20 of 43

Cyberoam Gateway Anti

Spam

Cyberoam Gateway Anti Spam provides a powerful tool for scanning and detecting infection and Spam in the mail traffic (SMTP, SMTP over SSL, POP3, and IMAP) as well as web (HTTP) traffic that passes through the appliance. Cyberoam Anti Spam as a part of unified solution along with Anti Virus and IPS (Intrusion Prevention System) provides real time virus scanning that protects all network nodes – workstations, files servers, mail system from known and unknown attacks by worms and viruses, Trojans, spyware, adware, spam, hackers and all other cyber threats.

Cyberoam detects spam mails based on:

• RBL (Real time Blackhole List)

• Mass distribution pattern using RPD (Recurrent Pattern Detection) technology for which Gateway Anti Spam module subscription is required. RPD technology responsible for proactively probing the Internet to gather information about massive spam outbreaks from the time they are launched. This technology is used to identify recurrent patterns that characterize massive spam outbreaks.

SMTP/S means both SMTP and SMTP over SSL. Entire configurations done will be applicable to both the traffic. Also, SMTP over SSL and SMTP/S terms are used interchangeably but they mean the same.

Cyberoam Gateway Anti Spam solution provides a powerful tool for scanning and detecting infection and Spam in the mail traffic (SMTP, SMTP over SSL, POP3, and IMAP) as well as web (HTTP) traffic that passes through the appliance. It inspects all the inbound mails i.e., incoming Emails – SMTP/S, POP3, and IMAP traffic - before the messages are delivered to the receiver's mail box and all outbound mails i.e., outgoing Emails – SMTP/S traffic - sent by the user from an Email Client. Two separate policies and firewall rules must be configured for inbound and outbound mail traffic. If Spam is detected, depending on the policy and the rules set, action is taken on Email. On detecting a Spam in incoming traffic, Emails are processed and delivered to the recipient unaltered, reject and generate a notification on the message rejection, add or change subject or change the receiver. If Spam is detected in an outgoing SMTP/S traffic, Emails are rejected and generate a notification on the message rejection, dropped and a notification is generated or changes the receiver. Integration into existing network is easy as it is fully compatible with all the mail systems.

Note Outbound Anti Spam is a subscription based module.

Cyberoam Anti Spam allows to:

• Scan Email messages for spamming by protocols namely SMTP, SMTP over SSL, POP3, IMAP

• Monitor and proactively detect recurrent patterns in spam mails and combat multi-format – text, images, HTML etc. and multi-language threats

• Monitor mails received from Domain/IP Address

• Detect spam mails using RBLs. If Anti Spam module is not subscribed, Cyberoam will detect spam mails based on RBL only and not on recurrent patterns in mails.

• Accept/Reject messages based on message size and message header

• Customize protection of incoming and outgoing Email messages by defining scan policies


Page 21 of 43

• Set different actions for SMTP/S, POP and IMAP spam mails

• Configure action for individual Email Address

• Notify receivers about spam messages

• Configuration

• Spam Rules

• Quarantine

• Trusted Domain


Page 22 of 43

Configuration

Anti Spam Configuration allows configuring scanning rules for traffic – SMTP/S, POP, and IMAP defined on Address Groups or individual Emails Address or IP Address or RBLs. Administrator is notified for critical events via system warnings and Email notifications. The administrator can archive almost all the Emails coming into the organization and thereby keep a close watch over data leakage.

• Configuration

• Address Group

• Email Archiver

Configure restrictions on mails from Anti Spam > Configuration > Configuration.

Screen – Configure Parameters

Screen Elements Description

Bypass Spam Check For SMTP/S Authenticated Connections

Click “Bypass Spam check for SMTP/S Authenticated Connections” to bypass the Spam scanning of the authenticated traffic. If enabled, SMTP/S authenticated connections are bypassed from RBL and RPD based Spam checking. By default, it is disabled.

Verify Sender’s IP Reputation

Enable IP Reputation, if you want to verify the reputation of the sender IP Address. Cyberoam dynamically checks the sender IP Address and denies SMTP/S connection if IP Address is found to be responsible for sending spam mails or malicious contents. If enabled, specify action for confirmed Spam Emails and Probable Spam Emails.

• Accept – all the spam Emails are forwarded to the recipient after scanning as per the configuration

• Reject – all the spam mails are rejected and notification is displayed to the user.

• Drop – all the spam mails are dropped.

If both “Bypass Spam check for SMTP/S authenticated Connections” and “Verify Sender’s IP reputation” are


Page 23 of 43

enabled, for the authenticated connections, spam scanning based on RBL and RPD will be given the precedence.

SMTP/S Mails Greater Than Size

Specify maximum size (in KB) of the file to be scanned. Files exceeding this size received through SMTP/S will not be scanned. By default, SMTP/S mails exceeding 1024 KB in size are not scanned. Specify 0 to increase default file size restriction for scanning to 51200 KB i.e. files exceeding 51200 KB will not be scanned if 0 is configured.

Note For Cyberoam CR15i models: Specify 0 for default size restriction of 1024 KB i.e. files exceeding 1024 KB will not be scanned if 0 is configured.

SMTP/S Oversize Mail Action

Specify the action to be taken on oversize files i.e. Accept, Reject and Drop.

• Accept – all the oversize mails are forwarded to the recipient without scanning.

• Reject – all the oversize mails are rejected and notification is displayed to the user.

• Drop – all the oversize mails are dropped.

POP3 / IMAP Mails Greater Than Size

Specify maximum size (in KB) of the file to be scanned. Files exceeding this size received through POP / IMAP will not be scanned and forwarded to the recipient without scanning. By default, POP3/IMAP mails exceeding 1024 KB in size are not scanned. Specify 0 to increase default file size restriction for scanning to 10240 KB i.e. files exceeding 10240 KB will not be scanned if 0 is configured.

Note For Cyberoam CR15i models: Specify 0 for default size restriction of 1024 KB i.e. files exceeding 1024 KB will not be scanned if 0 is configured.

Header To Detect Recipient or POP3 / IMAP

Specify Header value to detect recipient for POP3 / IMAP.

Click Add icon to add headers and Remove icon to delete the header which is used for detecting the recipient’s address.


Page 24 of 43

Table – Configure Parameters screen elements


Page 25 of 43

Address Group

Address Group is the group of Email Addresses, IP Addresses, or RBLs. An address can be member of multiple groups. To make configuration simpler you can group addresses when applying policy. Policy applied on the address group is applicable on all the group members.

To make it easier to add Anti Spam rules, create groups of Email Addresses or IP Addresses, or RBLs and then add one Spam Rule to take action for all Address in the group. An Address can be member of multiple groups i.e. Address can be included in multiple Address Group.

Scanning rule can be defined for individual or group of

• Email Address or Domain

• IP Address

• RBL (Real time black hole List) (applicable only for the spam mails)

RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for spam relay. This IP Addresses might also be used for spreading virus.

Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches to the one on the list then the specified action in policy is taken.

Manage Address Group

To manage Address Groups, go to Anti Spam > Configuration > Address Group.

Screen – Manage Address Group


Add Button Add a new Address Group.

Name Name of the Address Group.

Type Type of Group: RBL, IP Address, Email Address/Domain.

Description Displays Address Group Description.

Import Icon Click to import the Address Groups.

Edit Icon Edit the Address Group.

Delete Button Delete the Address Group. Alternately, click the Delete icon against the address group to be deleted.

Table – Manage Address Group screen elements


Page 26 of 43

Import Email Address into an existing Address Group

Instead of adding addresses again in Cyberoam, if you already have address detail in a file, you can upload file. If the file has multiple addresses then each address must be on the new line. File with comma-separated address will give error at the uploading.

Click the Import Button to import CSV or text file. Select the complete path of information file.

Address Group Parameters

To add or edit an Address Group, go to Anti Spam > Configuration > Address Group.

Click Add Button to add a new group or Edit Icon to modify the details.

Screen – Add Address Group


Name Specify a name to identify the Group.

Group Type Select the Group Type. Available Options:

• RBL – RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for spam relay. Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches to the one on the list then the specified action in policy is taken.

Specify Domain Name to be added as RBLs to the Address Group.


Page 27 of 43

• IPv4 Address – Specify IP Addresses or Network address that you want to group.

• Email Address / Domain – Specify Email Address or Domain Name to be added to the Address Group.

On selecting “Email Address/Domain” select the type of Address Group from the available options:

Available Options:

• Import – Select to browse and import a CSV file or a text file to add the Email Address/Domain to address group.

• Manual – Select to manually add the Email Address/Domain to address group.

Use Add button to add value to the list and to delete value to the list.

Description Provide description for Address Group.

Table – Add Address Group screen elements


Page 28 of 43

Email Archiver

If you want Administrator or any other person in the organization to know about incoming mails into the organization, you can specify Email Address to which you want to forward the copy of such mails.

By using Email Archiver, the administrator can archive almost all the Emails coming into the organization and thereby keep a close watch over data leakage. Emails of a specific recipient or a group of recipients can be archived using Email Archiver. Create multiple archivers to send a copy of Emails to more than one administrator.

Cyberoam can archive all Emails intended for a single or multiple recipients and can be forwarded

to the single administrator or multiple administrators from Anti Spam > Configuration > Email Archiver.

Screen – Manage Email Archives


Add Button Add a new Email Archive.

Name Email Archiver name.

Recipient Email Address of the recipient whose emails are archived.

Send Copy To Email Address to which the Email copy is sent. This option can be applied to SMTP protocol only.

Edit Icon Edit the Email Archiver.

Delete Button Delete the Email Archiver. Alternately, click the Delete icon against the Email Archiver to be deleted.

Table – Manage Email Archivers screen elements

Add Email Archiver

To add or edit Email Archiver, go to Anti Spam > Configuration > Email Archiver. Click the Add button to add an Email Archiver. To update the details, click on the Email Archiver or Edit

icon in the Manage column against the Archivers you want to modify.


Page 29 of 43

Screen – Add Email Archiver


Name Specify a name for the Email Archiver.

Recipient Select Email Address of the recipient whose Emails are to be archived.

You can also add a new Email Address or domain from the Email Archiver page itself.

Send Copy Of Email To Specify Email Address to which the Email copy is to be sent. This option can be applied to SMTP protocol only.

Table – Add Email Archiver screen elements


Page 30 of 43

Spam Rules

As soon as you subscribe Cyberoam Gateway Anti Spam, Spam Rules can be configured for particular sender and recipients.

Spam Rule defines what action is to be taken if the mail is identified as a spam and to which Email Address the copy of mail is to be sent. These rules can be applied directly to Email Addresses now and thus, traffic can be directly scanned for Spam mails.

To reduce the risk of losing the legitimate messages, spam quarantine repository - a storage location, provides administrators a way to automatically quarantine and remediate messages that are identified as spam.

This will help in managing spam and probable spam quarantined mails and you can take appropriate actions on such mails.

Detection of Spam attributes

Cyberoam uses content filtering and three RBLs - Real time Blackhole Lists – to check for the spam attributes in SMTP/S as well as POP3 / IMAP mails:

• Premium

• Standard

RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for Spam Relay.

Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches to the one on the list then the specified action in policy is taken.

Manage Spam Rules

To manage Spam Rules, go to Anti Spam > Spam Rules > Spam Rules.

Screen – Manage Spam Rules


Name Displays name of the Spam Rule.

Sender Sender Email ID.

Recipient Recipient Email ID.

Rules Conditional Rule for restricting spam mails.


Page 31 of 43

Action

SMTP/S Conditions applied for the SMTP/S mails.

POP3/IMAP Conditions applied for the POP3 mails.

Table – Manage Spam Rules screen elements

Spam Rule Parameters

To add or edit a Spam Rule, go to Anti Spam > Spam Rules > Spam Rules. Click the Add

button to add a Spam Rule. To update the rules, click on the Spam Rule or Edit icon in the Manage column against the rule to be modified.

Note On subscribing Outbound Spam, parameter “Anti Spam Module Has Identified Mail As” is renamed as “Inbound Anti Spam Module Has Identified Mail As” is displayed.

Screen – Add Spam Rule


Name Specify a name for Anti Spam Rule.

Recipient Email Select Recipient Email Address. You can also add a list of Email Address using “Add Email Address” link.


Page 32 of 43

Sender Email Select Sender Email Address. You can also add a list of Email Address using ‘Add Email Address’ link.

IF Conditions

Anti Spam / Inbound Anti Spam Module Has Identified Mail As (Parameter “Inbound Anti Spam Module Has Identified Mail As” is displayed on Outbound Spam subscription)

All the Email messages that are received by the users those are in a network protected by Appliance are referred as Inbound. On configuring Appliance Inbound Spam, all the messages received by the users are scanned for spam and Email virus outbreak by the Appliance. Specified action will be taken if the Anti Spam module has identified the Inbound Email to be one of the following:

• Spam

• Probable Spam

• Virus Outbreak

• Probable Virus Outbreak You can set different actions for SMTP and POP mails.

Outbound Anti Spam Module Has Identified Mail As (Option available only on subscription)

Messages that are sent by the user from network protected by the Appliance to a remote user on other mail system are referred as Outbound. On configuring Appliance Outbound Spam, all the messages sent by the users are scanned before being delivered to other users on internet for spam and Email virus outbreak. Specified action will be taken if the Anti Spam module has identified the Outbound Email to be one of the following:

• Spam

• Probable Spam

• Virus Outbreak

• Probable Virus Outbreak

Note

• Outbound Spam is a subscription module.

• You can set different actions only for SMTP.

This feature is not available in Cyberoam Models - CRi series, CRwi series, CR10iNG, CR15i, CR15iNG, CR25i, CR25ia, CR35ia, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i and CR1500i.


Page 33 of 43

From IP Address Belongs To

Specified action will be taken if the mail sender IP Address matches the specified IP Address. You can set different actions for SMTP/S and POP mails.

Sender IP Address Blacklisted by RBL

Specified action will be taken if the sender is listed in the specified RBL Group. You can set different actions for SMTP/S and POP mails.

Message Size Is Specified action will be taken if the mail size matches the specified size. You can set different actions for SMTP/S and POP mails.

Select Message Header Specified action will be taken if the message header contains the specified text or is equal to the specified text. You can set different actions for SMTP/S and POP mails. You can scan message header for spam in: Subject – Specified action will be taken when the matching text is found in the headers configured as per the matching criteria. From – Specified action will be taken when the matching address is found in the headers configured as per the matching criteria. To – Specified action will be taken when the matching address is found in the headers configured as per the matching criteria. Others – Specified action will be taken when the matching text is found in the headers configured as per the matching criteria.

None Select ‘None’ when you want to create a rule between specific sender and recipient without any conditions. You can set actions for SMTP/S and POP3/IMAP mails only on the basis of sender and recipient.

Then

SMTP/S Action Select the Action to be taken for SMTP/S traffic. Available Options:

• Reject

• Drop

• Accept (only for Inbound Spam)

• Change Recipient

• Prefix Subject (only for Inbound Spam)

POP3/IMAP Action (Only for

Inbound Spam)

Select the Action to be taken for POP3 / IMAP traffic. Available Options:

• Accept

• Prefix Subject


Page 34 of 43

Table – Add Spam Rule screen elements


Page 35 of 43

Following actions can be taken on the mail identified as the SPAM, Probable SPAM, VIRUS OUTBREAK or Probable VIRUS OUTBREAK.

Protocol Action Meaning

SMTP/S Reject Mail is rejected and rejection notification is sent to the mail sender.

SMTP/S Drop Mail is rejected but rejection notification is not sent to the mail sender.

SMTP/S, POP3

Accept Mail is accepted and delivered to the intended receiver.

SMTP/S Change Recipient

Mail is accepted but is not delivered to the receiver for whom the message was originally sent. Mail is sent to the receiver specified in the spam policy.

SMTP/S, POP3

Prefix Subject Mail is accepted and delivered to the intended receiver but after tagging the subject line. Tagging content is specified in spam policy. You can customize subject tagging in such a way that the receiver knows that the mail is a spam mail. For Example Contents to be prefixed to the original subject: ‘Spam notification from Cyberoam – ‘ Original subject: ‘This is a test’ Receiver will receive mail with subject line as: ‘Spam notification from Cyberoam - This is a test’

SMTP/S Quarantine Mail is quarantined and can be viewed or downloaded from the Quarantine Area.

Table – Manage Actions screen elements


Page 36 of 43

Quarantine

Quarantine Digest is an Email and contains a list of quarantined messages filtered by Cyberoam and held in the user Quarantine Area. If configured, Cyberoam mails the Quarantine Digest as per the configured frequency to the user. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action.

• Quarantine Digest Settings

• Quarantine Area

Note Entire Quarantine menu is not available for Cyberoam CR15i models.


Page 37 of 43

Quarantine Digest Settings

Digest service can be configured globally for all the users or for individual users.

User receives Quarantine Digest as per the configured frequency.

The Quarantine Digest provides following information for each quarantined message:

• Date and time: Date and time when message was received

• Sender: Email Address of the sender

• Recipient: Email Address of the receiver

• Subject: Subject of the message

To manage Spam Digest, go to Anti Spam > Quarantine > Quarantine Digest Settings. You can:

• Configure

• Change User’s Quarantine Digest Settings

• Manage User’s Quarantine Digest Settings

Configure Quarantine Digest

Screen – Spam Digest Settings


Quarantine Digest Settings (Spam Digest Settings will be applicable only after you subscribe for "Gateway Anti Spam" module.)

Enable Quarantine Digest

Enable Quarantine Digest to configure digest service for all the users.

Email Frequency Specify the Quarantine Digest mail frequency. Digest can be mailed every hour, every day at configured time or every week on the configured day and time.

From Email Address Specify Email Address from which the mail should be sent. Digest mail will be sent from the configured mail address.


Page 38 of 43

Display Name Specify mail sender name. Digest mail will be sent with the configured name.

Send Test Email Click “Send Test Email” button and provide Email Address to which the message is to be sent for Email Address verification i.e. Email Address is valid or not.

Reference “My Account IP”

Select Interface/Port IP from the ‘Reference “MyAccount” IP dropdown list. User My Account link in Digest mail will point to this IP Address. User can click the link to access his quarantined messages and take the required action. The users not falling under the specified Interface will have to access the quarantined mail directly from their MyAccount.

Allow Override Enable “Allow User To Override Digest Settings”; if you want each user to override the digest setting i.e. user can disable the digest service so that they do not receive the Quarantine Digest.

Change User’s Quarantine Digest Settings

Click “Change User’s Quarantine Digest Settings” button to change the digest setting of the individual users. It allows selecting group and updating the Quarantine Digest Setting of group members.

Table – Quarantine Digest screen elements


Page 39 of 43

Change User’s Quarantine Digest Settings

Click “Change User’s Quarantine Digest Settings” button to change the digest settings of the individual users. It opens a new page which allows you to search groups and users for updating the Quarantine Digest Settings of group members.

You can individually search for user and user groups.

Select the checkbox against the user to enable the Quarantine Digest. If enabled, configured Quarantine Digest Settings are applicable for the user.

Screen – Change User’s Spam Digest Settings

Manage User’s Quarantine Digest Settings


User Name Displays username.

Name Displays a name for the User.

Group Displays Group name.

Email Displays Email Address.

Edit Icon Edit Quarantine Digest. To save the modifications done for Email Address, click

Save icon and to cancel the modifications done click

Cancel icon .

Table – Manage Change User’s Spam Digest

Select the checkbox against the user to enable the Spam Digest. If enabled, configured Spam Digest Settings are applicable for the user.


Page 40 of 43

Quarantine Area

Under Quarantine Area, Quarantined Mails can be searched based on sender Email Address, receiver Email Address, and subject.

Use “Filter” section to search for mails from the list of Quarantined Mails. To view and release the

Quarantined Mails go to, Anti Spam > Quarantine > Quarantine Area.

Cyberoam reserves 5GB for Quarantine Area. Once the quarantine repository is full, older Emails are purged.

Screen – Manage Quarantine Mails


Filter Result

Start Date Select the starting date from Calendar by clicking on

Calendar icon

End Date Select the ending date from Calendar by clicking on

Calendar icon

Sender Specify a name for the Sender.

Receiver Specify a name for the Receiver.

Filter Click “Filter” to search mails from the list of Quarantined Mails.

Clear Click “Clear” to reset the details of Filter Result.

Subject Specify a Subject.

Sender Displays the Sender of the Mail.

Recipient Displays the Recipient of the Mail.

Subject Displays the Mail Subject.

Time Stamp Timestamp when the mail was received.

Rule Name Displays a Rule name based on which the Quarantine Mail is considered as Spam.

Release Icon Click on the Release Icon to move the mails from Quarantine Area to recipient’s inbox. Log color will change when the selected mail is released to the recipient’s inbox.

Table – Manage Quarantine Mails screen elements


Page 41 of 43

Release Quarantined Mails

Either Administrator or user himself can release the Quarantined Mails. Administrator can release the Quarantined Spam Mails from Quarantine Area while user can release from his ‘My Account’. Released Quarantined Mails are delivered to the intended recipient’s inbox.

Screen – Before Releasing Quarantine Mails

When the selected mail is released to the recipient’s inbox, the log color will change from Violet color to black color as shown in the Screen below.

Screen – After Releasing Quarantine Mails

Administrator can access Quarantine Area from Anti Spam > Quarantine > Quarantine

Area, while user can logon to My Account and access Quarantine Area from Quarantine Mails > Spam > Quarantine Emails.

If Quarantine Digest is configured, user will be mailed Digest everyday which consists of all the Quarantined Mails.


Page 42 of 43

Trusted Domain

Cyberoam also allows bypassing RBL scanning of mails from the certain domains. For this, you have to define the domains as the trusted domains. FQDN can also be configured as trusted domain.

To manage local domains, go to Anti Spam > Trusted Domain > Trusted Domain. You can:

• Add – Specify the Domain name and click the Add Button. Mails from the specified domains will not be scanned.

• Delete – Click the Delete icon in the Manage column against a Domain to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Domain. To

delete multiple domains, select them and click the Delete button.

Screen – Add/Remove Trusted Domain

View the list of Trusted Domains

Screen Element Description

Add Button Add a new Trusted Domain.

Domain Name Displays a name for the Trusted Domain.

Delete Button Delete the Trusted Domain.

cyberoam anti spam implementation guide - docs.sophos.comdocs.sophos.com/nsg/cyberoam/version...

Documents