Version 5.2.
CONTENTS
Notices  page i
FINDING YOUR WAY AROUND  page 1
How RiskFilter works  page 2
Managing your messages with RiskFilter
Help  page 61
Admin Guide  page 61
Contact Support  page 61
Firstboot Wizard
Querying the Message Report  page 110
Policy Report  page 111
Querying the Policy Report  page 111
Virus Report
Update RiskFilter - E-mail  page 154
Key Points  page 155
APPENDIX  page 157
Using the Command Line Interface
Chapter 1 Finding your way around
How RiskFilter works  page 2
Load balancing with RiskFilter  page 4
Launching SurfControl RiskFilter  page 6
Before you start
HOW RISKFILTER WORKS
Figure 1-1 shows how a message is processed by RiskFilter.
Figure 1-1 The RiskFilter filtering process

MANAGING YOUR MESSAGES WITH RISKFILTER
RiskFilter gives you access to several tools with which you can manage your e-mail messages:

Table 1-1 RiskFilter Core Components
Component: Queues
What it does: Any isolated e-mails are moved to different queues (depending on the type of message) for safe keeping.
Find out more: See Queue Manager in the Policy Manager chapter.
Component: Connection Control
What it does: Limit the number of simultaneous connections made on your server. Determine whether to perform real-time blacklist checking.
Find out more: See Receive Settings > Connection Control in the System Settings chapter.
LOAD BALANCING WITH RISKFILTER
You can deploy RiskFilter in a cluster and load-balance using MX records:
1 On the DNS server hosting your domain, create an MX record for each primary RiskFilter server using the same MX preference.
2 Give the failover server a higher number. This will give it a lower preference.
Table 1-1 shows an example of MX preference assignments for load-balancing and failover using MX records.
A lower MX preference number gives higher priority than a higher one. In Figure 1-2, e-mail is sent in the following way:
• E-mail sent to site A.com round-robins between mail exchangers 1, 2, and 3, because each RiskFilter appliance has the same MX preference of 5.
• The same thing happens for e-mail sent to site B.com. If site A is down (e.g.
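The MX behaviour described above, as an added example that is not part of the original guide: a small simulation of how a sending MTA orders mail exchangers, which you can use to check that a planned preference layout really round-robins across the appliances and only falls back to the failover host when all of them are unreachable. The host names and the three-appliance layout are constructed for illustration.

```python
"""Simulate MX-based load balancing and failover (constructed example)."""
from collections import defaultdict

# Constructed MX records for one zone: (preference, host).
# Three RiskFilter appliances share preference 5; the failover host gets
# a higher number, which means a lower preference.
MX_RECORDS = [
    (5, "rf1.example.com"),
    (5, "rf2.example.com"),
    (5, "rf3.example.com"),
    (10, "failover.example.com"),
]


def delivery_order(mx_records, attempt):
    """Return hosts in the order an MTA would try them for this attempt.

    Hosts with the same preference are rotated round-robin (the rotation
    depends on the attempt number); a group with a higher preference number
    is only reached after every host in the lower-numbered groups."""
    by_pref = defaultdict(list)
    for pref, host in mx_records:
        by_pref[pref].append(host)
    order = []
    for pref in sorted(by_pref):
        group = sorted(by_pref[pref])
        shift = attempt % len(group)
        order.extend(group[shift:] + group[:shift])
    return order


def choose_exchanger(mx_records, attempt, down=frozenset()):
    """Pick the first reachable host for this attempt.

    `down` is the set of hosts currently unreachable. Returns None when no
    exchanger at any preference level is reachable."""
    for host in delivery_order(mx_records, attempt):
        if host not in down:
            return host
    return None


if __name__ == "__main__":
    for attempt in range(4):
        print(attempt, choose_exchanger(MX_RECORDS, attempt))
    primaries = {"rf1.example.com", "rf2.example.com", "rf3.example.com"}
    print("all primaries down ->", choose_exchanger(MX_RECORDS, 0, primaries))
```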
LAUNCHING SURFCONTROL RISKFILTER
SurfControl RiskFilter consists of two interfaces:
• RiskFilter System Management Console
• RiskFilter Management Console (Administrator)
There is also a third interface available to users if you enable Personal E-mail Manager (PEM). This enables them to manage spam messages that have been isolated (see “Personal E-mail Manager” on page 48 for more details).
RISKFILTER MANAGEMENT CONSOLE (ADMINISTRATOR)
The SurfControl RiskFilter Management Console is where you manage the RiskFilter software. You can use this interface to:
• Manage user accounts and licensing.
• Schedule updates to Anti-Virus and Anti-Spam agents.
• Manage servers and connection issues.
• Set up policies to manage how users send and receive e-mail.
• Run reports on these users and their messages.
BEFORE YOU START
This Administrator’s Guide assumes that you have completed the following steps:
1 Mounted the appliance using the supplied hardware set-up guide.
2 Gathered the network information that is required for the configuration of the RiskFilter appliance.
3 Configured the RiskFilter appliance via your chosen connection, using the network information that you gathered earlier.
Chapter 2 System Settings
The System Settings tab  page 10
General  page 11
Receive Settings  page 27
Send Settings
THE SYSTEM SETTINGS TAB
This chapter explains how to use the System Settings tab to:
• Configure the transport of e-mails.
• Authenticate the senders and recipients of e-mails.
TERMINOLOGY USED
The following terminology is used in this chapter:
• PEM – Personal E-mail Manager. Enables users to manage their own isolated messages.
• User Directories – Provide RiskFilter with recipient address validation and end-user authentication.
GENERAL
The General menu contains sub-menus that enable you to set up the delivering and receiving of e-mails. This includes specifying how RiskFilter should treat connections from other administrators, and where to send alert messages and notifications.
CONFIGURATION
These settings are added in the Configuration screen.
Table 1 Other Settings
Setting: SMTP greeting message
What it does: The greeting message can indicate that the system is working correctly when you first start to set up the RiskFilter appliance using HyperTerminal. An example of where this message appears would be:
[root@smg10 conf]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
USER DIRECTORIES
User Directories provide RiskFilter with recipient address validation and end-user authentication:
• Address validation takes place when a message is received.
• User authentication is used by end-users to log in and check their isolated messages.
To add User Directories:
1 Select General > User Directories from the System Settings tab.
2 Click Add.
3 Select your Directory Type from the list of options.
2 This will show a screen containing all of the details of the User Directory that you want to edit. The following example shows a Generic LDAP User Directory:
Figure 2 - 5 Generic LDAP Server Information
3 Make changes to the User Directory by editing these details.
4 Click Submit to save the changes or click Reset to undo any changes that you have made.
Microsoft Active Directory
This is the default server type. Microsoft Active Directory supports Address Group Import, User Authentication, User Aliases and Recipient Validation.
To add a Microsoft Active Directory server:
1 Click Add in the User Directories screen.
2 Make sure that the default Microsoft Active Directory option is selected.
3 Click Next. The Microsoft Active Directory Server Information screen is displayed.
– Enable Partial Address Caching – This is the default setting. Enter a value into the Maximum Cache Entry field to specify how many entries should be stored in the memory cache. The default is 10000.
– Disable Address Caching – No addresses will be cached.
• Cache timeout – When Cache All Addresses or Enable Partial Address Caching are enabled, addresses of all e-mails passing through RiskFilter are checked against the validation server.
Generic LDAP
Generic LDAP supports Address Group Import, User Authentication, User Aliases and Recipient Validation.
To add a Generic LDAP server:
1 Click Add in the User Directories screen.
2 Select Generic LDAP.
3 Click Next. The Generic LDAP screen is displayed.
4 Enter the following information:
• Directory ID – The ID of the directory. This field is limited to 64 characters.
• Server Address – The address of your LDAP server.
• Port – The default is 389.
Validation settings
Variables which can be used for validation. These can be set when you are adding your LDAP server.
Search Filter. There are three variables which can be used in the Search filter for validation:
• %user% = the user name of the user to be validated
• %domain% = the domain that this user belongs to
• %email% = the e-mail address of this user
LDAP will try to validate a message by checking with the LDAP server using this search, for example: jbloggs@mycom.
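The variable substitution described above, and the recipient validation that relies on it (see Recipient Validation later in this chapter), as an added example that is not RiskFilter's own code: it expands %user%, %domain% and %email% into a search filter template and escapes each value per RFC 4515, so that an unusual recipient address arriving from the Internet cannot alter the structure of the query sent to the directory. The filter templates and the sample addresses are constructed.

```python
"""Expand RiskFilter-style %user%/%domain%/%email% variables into an LDAP
search filter, escaping the values (constructed example)."""
import re

# RFC 4515 escaping for characters that would otherwise change filter syntax.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}

_VARIABLE = re.compile(r"%(?:user|domain|email)%")


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_validation_filter(template, email):
    """Substitute the three validation variables into `template`.

    The recipient address is split into user and domain at its single '@';
    an address with no '@' or more than one is rejected before it reaches
    the directory rather than being guessed at."""
    if email.count("@") != 1:
        raise ValueError("recipient must contain exactly one '@'")
    user, domain = email.split("@")
    values = {"%user%": user, "%domain%": domain, "%email%": email}

    def substitute(match):
        return escape_filter_value(values[match.group(0)])

    return _VARIABLE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed templates of the kind entered in the Search Filter field.
    for tmpl in ("(mail=%email%)", "(&(uid=%user%)(o=%domain%))"):
        print(build_validation_filter(tmpl, "jbloggs@mycom.com"))
    # A recipient containing filter metacharacters is escaped, not interpreted.
    print(build_validation_filter("(mail=%email%)", "x*)(uid=*@mycom.com"))
```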
• Cache Setting – Select the option that corresponds to how you want to treat Address Caching:
– Enable Partial Address Caching – This is the default setting. Enter a value into the Maximum Cache Entry field to specify how many entries should be stored in the memory cache. The default is 10000.
– Disable Address Caching – No addresses will be cached.
To add a local database:
1 Click Add in the User Directories screen.
2 Select Local Database.
3 Click Next. The Local Database Information screen is displayed:
Figure 2 - 8 Local Database Information
4 Enter the following information:
• Directory ID – The ID of the directory. This field is limited to 64 characters.
• File Path – The path to the database. Enter the path or click Browse to navigate to it.
Adding addresses to a local database
You can add specific addresses from a user list by adding them manually. This can also be used if you have created your user directory before you created your user list and now want to add this list to the user directory.
To add addresses manually:
1 Create your database and store it in a place accessible to RiskFilter.
2 In the User Directories screen, select the User Directory you want to add the addresses to.
3 Click Edit.
7 The Local Database - Add/Edit Address screen is displayed.
Figure 2 - 11 Adding an address to the database
8 Enter the address that you want to add into the Address field.
9 If the database you are adding has a password then you need to enter this password into the Password field, then confirm it. If the database does not have a password, you can leave these fields blank.
10 Click Submit.
SECURE PROXY
You can configure RiskFilter to act as a proxy server.
2 In the Total Simultaneous Connections field, enter the maximum number of connections that you want to be connected at any one time. The default setting is 200.
3 Select Enable POP3 Proxy.
4 Enter the following information:
• Incoming POP3 Port – The port number. The default port number is 110. Select the Require Secure Channel (SSL) option if required. It is not selected by default.
LOGS AND ARCHIVES
SurfControl RiskFilter stores messages that have been isolated. Initially these messages will be stored in the default directory. If you want RiskFilter to store messages in a different place, you must change the default directories within the Logs and Archives screen.
Figure 2 - 13 The Logs and Archives screen
Setting up the storage directories
You can set up directories to hold log files, spam messages etc. using the Directories screen.
• Archive level – Define whether or not to archive files and what type of messages to archive if archiving takes place:
– Select None for no archiving.
– Select All messages except, then select the relevant check boxes if you want to archive but do not want to save this type of message.
• Directory to store messages – Define where you want the archived messages to be stored by entering the path into the field.
Importing Certificates
A default certificate is supplied with RiskFilter but this will need to be renewed when it expires. The Import Certificate feature enables you to add a new version to RiskFilter. You can also import a certificate that you have previously exported to a location on your network, or add a new certificate of your own.
RECEIVE SETTINGS
The Receive Settings menu contains all the sub-menus that are concerned with how mail is accepted before it is filtered. These settings specify how the mail should be treated when it is delivered to RiskFilter for processing.
CONNECTION CONTROL
Connection Control enables you to:
• Limit the number of simultaneous connections made on your server.
• Enable or disable Real-Time Blacklist checking.
RBL
Real-Time Blacklist (RBL) checking verifies the validity of message senders. If a sender is listed on an RBL, they will be prevented from sending messages to your internal MTA.
Reverse DNS enables you to make sure that e-mails sent to your RiskFilter server are from legitimate domains. RiskFilter will stop them from sending e-mails to your internal MTA if reverse DNS fails (i.e. the sender is not from a legitimate domain).
DIRECTORY ATTACK CONTROL
A directory attack is used by questionable sources to gain access to internal e-mail accounts. A directory attack not only occupies large amounts of system resource but also, through the acquisition of e-mail accounts, creates spam problems for e-mail end users. RiskFilter enables you to control directory attacks by limiting the maximum number of messages and connections coming from an IP address over a given time period.
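The per-IP limit described above, as an added example that is not RiskFilter's own code: a sliding-window counter that tracks connections and messages from each source address and rejects anything beyond the configured maximum within the time period, plus a replay helper for checking a chosen limit against a set of events. The window, limits, addresses and events are constructed.

```python
"""Per-IP connection/message limiting over a sliding time window
(constructed example of directory attack control)."""
from collections import defaultdict, deque


class DirectoryAttackControl:
    """Accept or reject a new connection/message from an IP.

    Each IP keeps one deque of timestamps per event kind; timestamps older
    than the window are dropped before the count is compared to the limit.
    Limits below are constructed defaults, not the product's."""

    def __init__(self, window_seconds=60, max_connections=20, max_messages=100):
        self.window = window_seconds
        self.limits = {"connection": max_connections, "message": max_messages}
        self.events = defaultdict(lambda: {"connection": deque(), "message": deque()})

    def _prune(self, timestamps, now):
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()

    def allow(self, ip, kind, now):
        """Return True and record the event if `ip` is under its limit for
        `kind` ("connection" or "message") at time `now` (seconds)."""
        timestamps = self.events[ip][kind]
        self._prune(timestamps, now)
        if len(timestamps) >= self.limits[kind]:
            return False
        timestamps.append(now)
        return True


def rejected_events(events, control):
    """Replay (time, ip, kind) events in time order and return those the
    control would reject, e.g. to tune a limit against observed traffic."""
    return [e for e in sorted(events) if not control.allow(e[1], e[2], e[0])]


# Constructed events: one source opens eight connections in eight seconds,
# another opens a single connection in the same period.
EVENTS = [(t, "198.51.100.7", "connection") for t in range(8)]
EVENTS.append((4, "203.0.113.9", "connection"))

if __name__ == "__main__":
    control = DirectoryAttackControl(window_seconds=60, max_connections=3)
    for when, ip, kind in rejected_events(EVENTS, control):
        print(f"t={when}s reject {kind} from {ip}")
```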
RELAY CONTROL
RiskFilter enables you to stop your e-mail system from being used as an open relay by spammers. Relay control limits the server to only relaying e-mails for specific domains. Use the Relay Control screen to control relaying to and from your system.
Figure 2 - 17 The Relay Control screen
Note: If you wish to define access to reports and logs by domain, you will first need to add these domains to this page.
• Reject mail from senders when SPF softfails – When SPF checking finds that the sender’s domain does not match the published SPF policy and ends with a SoftFail, reject the mail.
• Reject mail from senders when there is an SPF error – When SPF checking finds that the sender’s domain has published an erroneous SPF record, reject the mail.
Note: These options appear when you select the Perform SPF checking against e-mail sender check box.
To import a list:
1 In the Relay Control screen, click Import.
2 In the dialog that follows, enter the path to the file or click Browse to navigate to it.
3 Click OK.
Exporting a list of domains
You can create a list of domains which can be exported, then imported on to another appliance. To do this:
1 In the Relay screen, click the Export button.
2 Specify where you want the text file to be stored.
3 Click OK.
RECIPIENT VALIDATION
The Recipient E-mail Address Validation screen enables you to improve the performance of the RiskFilter gateway system. Recipients’ addresses are validated by user directories in order to prevent directory attacks before inbound messages are received. Use the Recipient E-mail Address Validation screen to configure validation.
MESSAGE CONTROL
You can limit the message size, data size per connection, number of messages per connection, and the number of recipients per message. Use the Message Control screen to do this:
Figure 2 - 19 The Message Control screen
34 Administrator’s Guide SurfControl RiskFilter - E-mail V5.2.
To configure message control:
1 Select Receive Settings > Message Control from the System Settings tab.
2 Select Limit message size and enter a maximum message size into the corresponding Maximum size (KB) field. This can prevent very large messages from using valuable bandwidth.
3 Select Limit data size per connection and enter a maximum amount of data into the corresponding Maximum data size (KB) field.
To configure exception control:
1 Select Receive Settings > Exception Control from the System Settings tab.
2 Choose a filter action from the When messages fail to be processed drop-down list box:
• Deliver message – Deliver the message to the intended recipient.
• Drop message – Delete the message without delivering it.
7 Enter the subject that you want to be displayed when the notification is received into the Subject field. For example: ‘Caution: Invalid e-mail message format’.
8 Enter the message that you want to be displayed in the notification body into the Message Content pane.
9 Specify what you want to do with the original message:
• Do not attach message – Send the notification without the original message.
Importing and exporting lists
If you already have a list of IP addresses that you want to block, you can import this list to your blacklist. Conversely, once you have this list in your Black List (perhaps because you have been adding to it dynamically on a regular basis) you can export this ready-made list of IP addresses to another appliance.
WHITE LIST
Messages will bypass Anti-Spam checking if they come from addresses or domains which are listed in the White List. Use the White List screen to configure your White List:
Figure 2 - 23 The White List screen
Adding an IP or subnet address to the White List
You can whitelist either a single IP or a block of IPs by using the Subnet Mask:
• Adding a single IP address such as 10.1.4.2 will allow messages from one IP address.
• Adding a block such as 10.1.4.
above the section will change to match the number of IPs that you have added, and you will see text stating that the update was successful.
4 If you want to import or export a list, click Import or Export. This will show an Explorer dialog box from which you can import or export the list.
5 Enter a path to the White List file or use Browse to navigate to the file.
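The single-IP and IP-plus-Subnet-Mask entries described above, as an added example that is not RiskFilter's own code: it turns such entries into networks, answers whether a sending address is covered, and flags entries whose mask is so wide that a large part of the address space would skip Anti-Spam checking. The entries and sender addresses are constructed.

```python
"""White List lookup for single IPs and IP + subnet mask blocks
(constructed example)."""
import ipaddress


def make_entry(ip, subnet_mask=None):
    """Build a network from a White List entry.

    A single IP without a mask becomes a host entry (/32 for IPv4).
    With a dotted mask, strict=False allows a host address such as
    10.1.4.2 to be entered together with a mask like 255.255.255.0."""
    if subnet_mask is None:
        return ipaddress.ip_network(ip)
    return ipaddress.ip_network(f"{ip}/{subnet_mask}", strict=False)


def build_white_list(entries):
    """entries: iterable of (ip, subnet_mask_or_None) pairs."""
    return [make_entry(ip, mask) for ip, mask in entries]


def is_whitelisted(white_list, sender_ip):
    """True if the sending address falls inside any White List entry."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in white_list)


def broad_entries(white_list, min_prefixlen=24):
    """Entries covering more than a /min_prefixlen block; because the White
    List bypasses Anti-Spam checking, such entries deserve a second look."""
    return [net for net in white_list if net.prefixlen < min_prefixlen]


# Constructed list: one host entry and one /24 block.
WHITE_LIST = build_white_list([
    ("10.1.4.2", None),
    ("10.1.4.0", "255.255.255.0"),
])

if __name__ == "__main__":
    for sender in ("10.1.4.2", "10.1.4.77", "10.1.5.1"):
        print(sender, is_whitelisted(WHITE_LIST, sender))
    print("broad:", broad_entries(build_white_list([("10.0.0.0", "255.0.0.0")])))
```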
SEND SETTINGS
The Send Settings menu provides sub-menus that enable you to specify how messages will be delivered when they are sent on to the user via RiskFilter E-mail.
DOMAIN-BASED DELIVERY
Domain-Based Delivery enables you to configure relay routing based on the domain of a recipient. It can also help you to configure the routing delivery methods for e-mail by resolving e-mail servers via DNS or forwarding to specified e-mail servers.
Using TLS authentication (Transport Layer Security)
If a message is sent via TLS then RiskFilter will be able to receive it, if STARTTLS Advertisement is enabled. However, if your mail server will only accept messages that are sent using TLS, then TLS must be enabled in RiskFilter in order for mail to be delivered to this server. See Certificate on page 25 for more information.
TRAFFIC CONTROL
After completing the security verification for mail, RiskFilter will forward it to the e-mail server according to the route configuration. To protect e-mail systems from the impact of heavy traffic, Traffic Control is designed to limit the mail traffic sent to the e-mail system. Use the Traffic Control screen to do this.
2 Enter a time in minutes into the Retry interval field. This specifies how long the server should wait before attempting to deliver the message again.
3 Enter a time in minutes into the Maximum retry period field. Once this period of time is reached the server will stop trying to send the message.
USER MANAGEMENT
Once you have completed the initial configuration of SurfControl RiskFilter there are other settings to implement that are vitally important to enable the product to work at its best. SurfControl recommends that you enhance RiskFilter’s security in the following ways:
• Change the passwords to the Administrator accounts of the RiskFilter Console and RiskFilter Management Console.
Changing the Administrator Account Password
SurfControl recommends that you change the supplied default passwords as soon as possible to enhance the security of the SurfControl RiskFilter appliance. The RiskFilter E-mail Console administrator account password is changed within the Admin Account Management screen.
For each of the users you elect to carry out some of the administrative tasks within RiskFilter you need to:
• Create an account for each user (administrator).
• Add their appliance IP address as an authorized user.
Once you have created an account for the administrator you can add the IP address of their machine to the RiskFilter console so that RiskFilter will recognize them as an authorized user.
4 Select Configuration from the General menu.
5 In the Trusted IP(s) field enter the IP addresses of all of the administrators’ machines that you want to be able to access the RiskFilter appliance. If you enter more than one, each IP address must be separated by a semicolon.
6 Click Submit.
Editing Administrator Accounts
To edit the account once you have set it up:
1 Select Account Manager from the User Management menu.
The PEM screen is composed of three sections:
• Digest Notification Schedule – Set the time that a message will be sent to a user to inform them that they have spam messages waiting to be actioned.
• Digest Message Template – Set up this message to the exact format that you require. This is the message that the user will see in their Inbox to tell them that they have spam waiting to be actioned.
• Description – This lists the product that is filtering spam messages. You can change the default title by entering your own details here.
• Sender – The default setting is postmaster@$(domain). You can change this to something that more closely reflects your company set-up, if necessary.
Note: You must enter the e-mail address in a valid format. This address might not even exist, but it must be in the correct form: XXXX@XXX.XXX, without any spaces.
Adding users
You can add users or lists of users to PEM. To add users:
1 Enter the user details of any user that you want to add to the Recipients List into the Enter recipient address: field.
2 Click Add. This will add them to the right-hand pane. If you want to remove any users from this list, select the user then click Remove.
Exporting lists of users
Lists of users can be exported for use with other features.
END-USER CONTROL
Authorized users can log in to PEM with their own account and password, validated by a ‘User Validation’ connection and, depending on the settings in the Users List pane, can manage their own Black and White lists. To use PEM, a User Validation connection with ‘Account Authentication’ must be set up for End-Users to manage their own Black/White Lists. Use the End User Control screen to set up End User Control.
5 Click Add. The item will be added to the list on the right. If you want to delete a domain or e-mail address in the group, select the relevant address from the list and click Remove.
6 Click Submit to put the new settings into effect, or Reset if you want to cancel the modifications made to the current settings.
6 Choose the server that will provide the authentication for this user from the ‘Server’ drop-down list.
7 Click Add>>. This will add it to the list pane on the right. To remove a server, select it and click <
LICENSE & UPDATES
To ensure that RiskFilter is filtering at its optimum level you must update it regularly. This can either be a manual update, which updates the product (and its components) immediately, or you can specify a time and date for a regular (scheduled) update to take place.
UPDATE NOW
You can ask RiskFilter to update your Anti-Virus and Anti-Spam Agent definitions instantly in the Update Now screen.
Updating your Anti-Spam Agent Definitions
To update your Anti-Spam Agent definitions:
1 Select License & Updates > Update Now from the System Settings tab.
2 Click the Anti-Spam Agent Definitions link to expand the list. This screen shows details of:
• Server – The name of the server where the Anti-Spam Agent is installed.
SCHEDULED UPDATE
It is important to schedule updates to the Anti-Spam and Anti-Virus agents so that you can be sure of the maximum protection. The Anti-Spam database is updated three times a day, so the level of protection you are receiving can change rapidly on a day-to-day basis. Setting up these updates as an automatic event will ensure that your databases never run the risk of being out of date. You can schedule updates in the Scheduled Update screen.
Updating the Anti-Spam Agent
To update the Anti-Spam Agent:
1 Select the Anti-Spam Agent Update check box.
2 Specify how often the update is to occur by choosing an interval from the Repeat Interval list box. By default this is set to Every hour. We recommend that you keep this setting to ensure you receive updates as soon as they are ready. If you set the repeat interval to Every Week, you need to specify the day of the week that you want the update to take place.
Viewing component licenses
To view your component licenses:
1 Select License & Updates > License Status from the System Settings tab.
2 The License Status screen is displayed. You will see a list of licenses that are registered on this appliance. Click View by Component License to see all of the details of any licenses you have for these agents.
LICENSE SERVER
If you need to view the details of your license update server or specify an alternative one, you can do this in the License Server Configuration screen.
Figure 2 - 39 The License Server Configuration screen
The reason for this could be:
• You want to use a different License Server to the default.
• You use a proxy server to access the Internet, so any license updates will have to be carried out via this computer.
HELP
The Help menu gives you access to tools that can help you solve problems with RiskFilter E-mail.
ADMIN GUIDE
A direct link to this guide. Selecting this menu will launch this RiskFilter Administrator’s Guide in PDF format.
CONTACT SUPPORT
You can fill in the Support screen and submit information to SurfControl Support so that they can help you with any aspect of the appliance that you are having difficulty with.
7 Select the relevant check boxes from the Attach list to send configuration files to Support:
• SurfControl RiskFilter configuration – This gives a summary of the RiskFilter software configuration and includes:
– RiskFilter E-Mail Version
– Cluster Configuration
– PEM Digest Configuration
• System information – This includes information useful for restoring the customer’s environment on Support machines and includes:
– Policy Manager and Filter Settings
– System Settings
– User Au
KEY POINTS
The following list is a summary of the main points covered in Chapter 2. Use this list as a quick reminder of what you can do within the System Settings tab:
• RiskFilter can notify the administrator by sending a message to a predefined address when an event such as a service stopping occurs.
• User Directories provide RiskFilter with recipient address validation and end-user authentication.
• You can block either a single IP or a block of IPs by using the Subnet Mask.
• If you already have a list of IP addresses that you want to block, you can import this list to your blacklist.
• A Dynamic White List can be auto-generated based on the e-mail process information defined by RiskFilter. This ensures that normal messages can proceed to their destination directly, without any Anti-Spam policy checking being performed on them.
Chapter 3 Policy Manager
The Policy Manager tab  page 66
Creating a Policy  page 67
Address Group  page 69
Queue Manager
THE POLICY MANAGER TAB
This chapter explains how to use the Policy Manager tab to configure anything to do with the management of e-mail messages that pass through RiskFilter. By controlling who has policies applied to them and what these policies actually do, you can fine-tune your filtering to exactly match your company’s needs.
CREATING A POLICY
There are three steps to creating a policy:
Step 1 - Defining users – Add the users, and groups of users, that you want to filter.
Step 2 - Defining actions – Define what should be done with a message that triggers a filter.
Step 3 - Defining the rules – Create filters to find messages of a specific type. You can filter virus/spam messages by adding one or more types of filter to the policy.
• Save to Isolate Message – Send the message to the isolated message store for further processing.
• Save to Spam Message – Send the message stopped by an Anti-Spam filter to the Spam Message store for further processing.
• Save to Virus Message – Send the message stopped by an Anti-Virus filter to the Virus Message store for further processing.
ADDRESS GROUP
You can add one or more address groups to the address group list, and each address group can include a group of e-mail address lists. Addresses are added using the Address Group screen.
Figure 3 - 4 The Address Group screen
IMPORTING AND EXPORTING LISTS
If you already have a list of domain or e-mail addresses to apply your policy to, you can import this list into Policy Manager and use it in your policy.
• Enter *@ followed by the domain to have all users in that domain included in the list, e.g. *@mydomain.com
• Enter *@* to have all users included in the list regardless of their domain, e.g. *@*.com
6 Click Add. The item is added to the list on the right. To delete an e-mail address in the group, select the relevant address from the list on the right and click Remove.
7 If you want to import or export a list, click Import or Export.
QUEUE MANAGER
When a message triggers a filter it can be sent to a queue, where it is stored until you are ready to deal with it. Queue Manager enables you to manage the three supplied queues as well as any queue that you create. The default queues are:
• Virus mail – Stores messages that have triggered the Anti-Virus filter.
• Junk mail – Stores messages that have triggered the Anti-Spam filter.
To add a queue:
1 Select Queue Manager from the Policy Manager tab.
2 Click Add in the Queue Manager screen.
3 Enter a name for the queue into the Queue Name field.
4 Enter a description of the queue into the Description field.
5 Select Enable sending digest message and end user e-mail management if you want to use this feature. In the Directory to store messages field, enter the path to the new queue.
DICTIONARY MANAGER
You can use the supplied SurfControl dictionaries or create your own using the Dictionary Manager. These can then be used for the following:
• Setting a threshold for a word within the Dictionary Threshold Filter, for tracking how many times a particular word appears in a message.
• Using dictionaries to select words for the Expression List in the Advanced Content Filter.
Changing the value of words in the SurfControl Dictionaries
You can change the value of a word or phrase to fine-tune your filtering. You may want to do this for the following reasons:
• You find that messages containing a certain word are not being stopped. Increasing the value means that a message containing this word needs fewer occurrences of it before the filter triggers.
To remove a word or phrase:
1 Select Dictionary Manager > SurfControl Dictionaries from the Policy Manager tab.
2 Click the title of the dictionary that you are interested in.
3 Select the check box alongside the word or phrase that you want to remove.
Note: Selecting the check box alongside a dictionary, rather than one of the words within it, and then clicking Delete deletes the whole dictionary.
7 Click Add.
8 Enter the word or phrase you want to add into the Word or Phrase field.
9 Enter a phrase value into the Phrase Value field.
Figure 3 - 11 Add a Word or Phrase and its Phrase Value
10 Repeat steps 8 and 9 until you have added all of the words you require to the dictionary.
11 Click Submit to save the dictionary.
IMPORTING DICTIONARIES
Rather than creating a new dictionary, you can import a ready-made one from elsewhere.
By default, the appliance installs the English language dictionaries, but you can add other language dictionaries using the Import-Export utility. Use the Import Dictionaries screen to import dictionaries.
Figure 3 - 12 The Import Dictionaries screen
To import a dictionary:
1 Download the SurfControl dictionary pack onto your system from www.surfcontrol.com
2 Select Dictionary Manager > Custom Dictionaries from the Policy Manager tab.
3 Click Import.
Importing a Unicode text file
To import a text file:
1 Select Dictionary Manager > Custom Dictionaries from the Policy Manager tab.
2 Click Import.
3 Enter the path to the dictionary file you want to import into the Select file field. Alternatively, click Browse and navigate to the location of the dictionary file.
4 Select Import from a Unicode text file.
5 Enter a name for the dictionary into the Dictionary Name field.
GLOBAL POLICY
RiskFilter provides a global filtering policy, managed in Policy Manager. With this you can define filters, and the actions to be taken when these filters are triggered. Policy and filter configuration is carried out in the Policy Manager tab.
Figure 3 - 13 The Policy Manager tab
The Global Policy Filters screen is where you create and configure the filters that will be used with the global policy and any subsequent policies you create.
To create a sub-policy:
1 Select Global Policy from the Policy Manager tab.
2 Click Add. The Sub-policy Management screen is displayed.
Figure 3 - 15 Enter the details of the new Sub-policy
3 Enter a name for your sub-policy into the Sub-policy Name field.
4 Select Enable in the Sub-policy Status section.
5 Enter a brief sub-policy description.
6 Click Next. The New Filter Route screen is displayed.
• Specify a single sender address to all users of the SurfControl.com domain: simon@SurfControl.com to *@SurfControl.com
• Specify a single sender address to all recipients: simon@SurfControl.com to * (* indicates any e-mail address).
9 Select which list(s) you want to be applied to the filter and click Submit.
10 If you want to add another route, click Add Route. To delete a route, select the check box to the left of the route and click Delete Route.
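The address-group patterns (*@mydomain.com, *@*) and the sender-to-recipient routes above can be modelled with a small matcher. This is an added example, not RiskFilter’s own code: it assumes that * stands for any run of characters, that everything else is literal, that matching is case-insensitive, and that an imported list holds one pattern per line; the sample list and routes are constructed.

```python
import re
from typing import Iterable, List, Tuple


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumed pattern semantics: '*' matches any run of characters (including
    none), every other character is literal, and matching ignores case."""
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def address_matches(pattern: str, address: str) -> bool:
    """True when a single address pattern covers the given e-mail address."""
    return pattern_to_regex(pattern).match(address.strip()) is not None


def parse_address_list(text: str) -> List[str]:
    """Parse an imported address list: one pattern per line, blank lines ignored.
    The file format is an assumption; the page only says lists can be imported."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def in_address_group(group: Iterable[str], address: str) -> bool:
    """An address belongs to a group if any pattern in the group matches it."""
    return any(address_matches(pattern, address) for pattern in group)


# A route pairs a sender pattern with a recipient pattern ("A to B" on the page).
Route = Tuple[str, str]


def route_matches(route: Route, sender: str, recipient: str) -> bool:
    """Both halves of a route must match for the route to apply to a message."""
    sender_pattern, recipient_pattern = route
    return (address_matches(sender_pattern, sender)
            and address_matches(recipient_pattern, recipient))


def matching_routes(routes: Iterable[Route], sender: str, recipient: str) -> List[Route]:
    """All routes that apply to a message, kept in list order."""
    return [route for route in routes if route_matches(route, sender, recipient)]


# Constructed sample data (not from the product): an imported list and three routes.
SAMPLE_IMPORT = "*@mydomain.com\n\nsimon@SurfControl.com\n"
SAMPLE_ROUTES: List[Route] = [
    ("simon@SurfControl.com", "*@SurfControl.com"),  # one sender to a whole domain
    ("simon@SurfControl.com", "*"),                   # one sender to any recipient
    ("*@mydomain.com", "*@*"),                        # a whole domain to anyone
]


if __name__ == "__main__":
    group = parse_address_list(SAMPLE_IMPORT)
    print(in_address_group(group, "alice@mydomain.com"))
    print(matching_routes(SAMPLE_ROUTES, "Simon@surfcontrol.com", "bob@surfcontrol.com"))
```

A sender pattern keys off an address the sending side supplies, so a route that trusts a single sender address is best combined with the connection-level checks the appliance offers (SPF, RBL) rather than standing on its own.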
• Message Attachment Filter – Enables you to scan for maximum message size or specify the types of attachment that you want to filter, by file extension or MIME type. These include media types, such as *.gif and *.mp3 files, and executable files, such as *.exe and *.dll files.
• Content Guardian – Provides maximum flexibility in filtering using SurfControl Content Dictionaries, with multiple filtering arguments.
Creating a new filter
To create a new filter:
1 In the Global Policy Filter List screen, click Add. The Create New Filter screen is displayed.
2 Select the type of filter that you want to create. Details of the different types of filter available are covered in the following sections.
3 Click Next.
4 Fill in the properties for the filter that you want to create and click Submit.
• Treat encrypted files as infected – If a message is encrypted in a way that the anti-virus engine does not understand, it is assumed to be infected and treated as such. The default setting is on.
• Treat macros as infected – If a file contains macros, it is treated as an infected file. This is off by default and is only available with the McAfee filter.
• Heuristics Analysis – Used if an unknown virus is found. This is on by default.
THE ANTI-SPAM AGENT FILTERS
The Anti-Spam filters check messages to see if they are likely to be spam.
• Anti-Spam Agent - DFP – Compares mail messages to known spam from different categories.
• Anti-Spam Agent - Heuristics – Uses regular expressions to determine the likelihood that an e-mail message is actually spam.
• Anti-Spam Agent - LexiRules – Analyses words, phrases and patterns commonly found in spam to identify e-mail messages as possible spam.
Configuring the Anti-Spam Agent - Heuristics Filter
The Anti-Spam Agent - Heuristics filter is configured in the Anti-Spam Agent Heuristics screen.
Figure 3 - 21 The Anti-Spam - Heuristics screen
To configure the Anti-Spam Agent - Heuristics filter:
1 Select Global Policy from the Policy Manager tab.
2 Click Filters. The Global Policy Filter list screen is displayed.
3 Click Add. The Create New Filter screen is displayed.
4 Select Anti-Spam Agent - Heuristics.
• High – Any message that could be spam is stopped. Although this offers the most comprehensive protection, more messages that are not spam are stopped.
• Highest – Virtually all spam is stopped, but there could be quite a few false positives. With this setting it is advisable to check all spam before deleting it, just in case.
10 Select Scan only message headers if you want RiskFilter to scan only the header, not the body, of the message.
5 Click Next.
6 Enter a name into the Filter Name field.
7 This filter is enabled by default. Select the disable option if you want to switch it off.
8 If you want the filter to be overwritable by a sub-policy, change the Filter Permission setting to writable. The default is read-only.
9 Select Bypass Anti-Spam Agent scanning if message size is more than ... KB and set a maximum message size.
Editing the Internet Threat Database Filter
You can fine-tune either (or both) of the Internet Threat Database filters to your company’s filtering requirements.
To edit the Internet Threat Database filter:
1 Select Global Policy from the Policy Manager tab.
2 Click Filters. The Global Policy Filter list screen is displayed.
3 Click Add. The Create New Filter screen is displayed.
4 Select the Internet Threat Database Filter and click Next.
For example, if you have added two sub-policies, Incoming and Outgoing, you could create disclaimers for each of them:
• Global Policy – ‘Innovation makes your life better’
• Incoming – ‘All messages have been scanned by RiskFilter’
• Outgoing – ‘Powered by RiskFilter’
We recommend that you put the Standard Disclaimer filter at the end of the filter list in the Global Policy Filter List screen and that you do not include words in the message that are keywords for other
GENERAL CONTENT FILTER
The General Content Filter enables you to filter all incoming and outgoing messages passing through RiskFilter.
Figure 3 - 25 General Content Filter screen
Editing the General Content Filter
You can edit this filter to match your company’s requirements exactly.
To edit the General Content filter:
1 Select Global Policy from the Policy Manager tab.
2 Click Filters. The Global Policy Filter list screen is displayed.
3 Click Add.
ADVANCED CONTENT FILTER
The Advanced Content Filter provides more complex checking of the message header, message body and message attachments, and supports the dynamic evaluation of keyword frequency to enhance flexibility.
Figure 3 - 26 The Advanced Content Filter screen
Editing the Advanced Content Filter
You can edit this filter to match your company’s requirements exactly.
To edit the Advanced Content filter:
1 Select Global Policy from the Policy Manager tab.
Using the Expression List
A valid keyword expression is composed of keywords and logical operators. You can enter keyword expressions either by typing them manually or by choosing them from the Content dictionaries. The Content dictionaries have about 20 categories with approximately 14,600 keywords. If you are going to use keyword checks, you need to add them to the Expression List section.
To configure Expression lists:
1 Click Add.
5 Dictionary Category – The type of dictionary that you need to use is defined by the style of message you want to filter.
6 Select the logical operator that you want to use in this expression (see Using Logical Operators on page 94 for more details):
• multiple selections – This filter triggers if one of the selected keywords AND another selected keyword appear in the message. If only one of these words appears in the message, the filter does not trigger.
Examples showing the use of Operands
The following examples show how operands can be inserted and how RiskFilter uses them to decide whether to trigger the action defined in the Advanced Content Filter:
RiskFilter Gateway Innovation
This expression matches content when “RiskFilter”, “Gateway” and “Innovation” are all present.
• RiskFilter innovation Solution
• RiskFilter innovation
• RiskFilter innovation Messaging Gateway
• RiskFilter
• RiskFilter Innovation
Caution: Do not use operands in isolation, for example: . They must always accompany a word, for example RiskFilter , or RiskFilter SurfControl. An error is shown if an operand is entered without an accompanying word.
Editing the Message Attachment Filter
You can edit this filter to match your company’s requirements exactly.
To edit the Message Attachment filter:
1 Select Global Policy from the Policy Manager tab.
2 Click Filters. The Global Policy Filter list screen is displayed.
3 Click Add. The Create New Filter screen is displayed.
4 Select the Message Attachment Filter and click Next.
5 Enter a new name into the field to change the name of this filter.
CONTENT GUARDIAN
RiskFilter Content Guardian provides a more intelligent and flexible filtering method. The filtering criteria of Content Guardian consist of one or more filtering rules, each made up of three parts: filtering target, matching condition, and filtering content. When the matching conditions are met, the filter triggers.
• 2 of the items match
• 3 of the items match
• 4 of the items match
• 5 of the items match
Each different filtering target has the appropriate matching condition(s).
7 Click Submit to save these new settings.
Deleting a filtering rule
You can delete a filtering rule that is no longer needed.
To delete a filtering rule:
1 Select Global Policy from the Policy Manager tab.
2 Click Filters. The Global Policy Filter list screen is displayed.
3 Click Add. The Create New Filter screen is displayed.
4 Select Content Guardian and click Next.
5 Select the check box alongside the rule that you want to delete.
Configuring the Dictionary Threshold Filter
To configure the Dictionary Threshold Filter you need to specify:
• What kind of content you want the rule to detect.
• Which parts of the e-mail message you want to scan for dictionary content.
• The dictionary score required to trigger the rule.
You can edit this filter to match your company’s requirements exactly.
To edit the filter:
1 Select Global Policy from the Policy Manager tab.
2 Click Filters.
11 Enter the Dictionary Threshold value for this filter into the Dictionary Threshold field.
Figure 3 - 31 Enter the Dictionary Threshold value into the Select Threshold section
12 Set the action that will be taken if the filter is triggered. See Step 2 - Defining the action on page 67 for details on what these actions are.
13 Click Submit to save these new settings.
102 Administrator’s Guide SurfControl RiskFilter - E-mail V5.2.
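A model of how a dictionary threshold rule can score a message, as an added example that is not RiskFilter’s own code: each hit of a phrase adds its phrase value over the scanned parts, and the rule triggers when the sum reaches the threshold. The scoring rule, the part names and the sample dictionary are assumptions. It also shows why raising a phrase value means fewer occurrences are needed, as described under Changing the value of words in the SurfControl Dictionaries.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed sample dictionary (phrase -> phrase value); not a SurfControl dictionary.
SAMPLE_DICTIONARY: Dict[str, int] = {
    "free offer": 10,
    "click here": 5,
    "unsubscribe": 2,
}

# Message parts the filter can be told to scan; the part names are assumed.
ALL_PARTS = ("header", "body", "attachment")


@dataclass
class Message:
    header: str = ""
    body: str = ""
    attachment: str = ""  # text already extracted from attachments (assumed)

    def part(self, name: str) -> str:
        return getattr(self, name)


def count_phrase(text: str, phrase: str) -> int:
    """Case-insensitive, whole-word count of a phrase in a piece of text."""
    pattern = r"\b" + re.escape(phrase) + r"\b"
    return len(re.findall(pattern, text, flags=re.IGNORECASE))


def score_by_part(message: Message, dictionary: Dict[str, int],
                  scan_parts: Iterable[str] = ALL_PARTS) -> Dict[str, int]:
    """Per-part score: every occurrence of a phrase adds its phrase value."""
    scores: Dict[str, int] = {}
    for name in scan_parts:
        text = message.part(name)
        scores[name] = sum(count_phrase(text, phrase) * value
                           for phrase, value in dictionary.items())
    return scores


def dictionary_score(message: Message, dictionary: Dict[str, int],
                     scan_parts: Iterable[str] = ALL_PARTS) -> int:
    """Total score over the parts the rule was told to scan."""
    return sum(score_by_part(message, dictionary, scan_parts).values())


def filter_triggers(message: Message, dictionary: Dict[str, int], threshold: int,
                    scan_parts: Iterable[str] = ALL_PARTS) -> bool:
    """The rule fires once the summed score reaches the Dictionary Threshold (assumed >=)."""
    return dictionary_score(message, dictionary, scan_parts) >= threshold


def occurrences_needed(phrase_value: int, threshold: int) -> int:
    """Occurrences of one phrase that reach the threshold on their own.
    Raising the phrase value lowers this number, which is the effect described
    when a word is not being stopped often enough."""
    if phrase_value <= 0:
        raise ValueError("phrase value must be positive")
    return math.ceil(threshold / phrase_value)


if __name__ == "__main__":
    # Constructed sample message.
    sample = Message(header="Subject: Hello",
                     body="Free offer! Click here for a free offer.")
    print(score_by_part(sample, SAMPLE_DICTIONARY))
    print(filter_triggers(sample, SAMPLE_DICTIONARY, threshold=20))
    print(filter_triggers(sample, SAMPLE_DICTIONARY, threshold=20, scan_parts=("header",)))
    print(occurrences_needed(10, 25), occurrences_needed(20, 25))
```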
KEY POINTS
The following list is a summary of the main points covered in Chapter 3. Use this list as a quick reminder of what you can do within the Policy Manager tab:
• You can apply different filtering solutions to messages from specific address groups, according to different routing paths.
• There are three ways to add an e-mail address: add the address(es) manually, import the address(es) from a file, or import the address(es) from an LDAP connection.
• With phrase value:
– Increasing the value increases filtering strength
– Decreasing the value decreases filtering strength
• Rather than creating a new dictionary, you can import a ready-made one from elsewhere.
Chapter 4 Reports & Logs
The Reports and Logs tab . . . page 106
Master Report . . . page 108
Message Report . . . page 110
Policy Report . . .
4 REPORTS & LOGS
THE REPORTS AND LOGS TAB
This chapter explains how to run detailed reports on messages. From these you can learn about such things as the system status and message statistics. Log records keep information on mail circulation, system traffic, scanning results and the operating results of the filters triggered. RiskFilter collects statistics and updates them in real time.
DASHBOARD
RiskFilter enables you to query the status of all distributed RiskFilter servers, protected e-mail servers and LDAP servers via the Dashboard in real time. At the same time, the Dashboard presents a summary of statistical results for messages and connections in graphical format.
Note: These statistics cover the past 7 days by default; you can also view yesterday or the past 30 days.
MASTER REPORT
The Master Report shows statistical results of all legitimate, spam, virus and policy violation messages received and sent by RiskFilter. The results include the statistical results for all domains (in graphical format) and provide you with query functions.
• To query the statistical report of the current date for all domains in real time, click Today’s Report.
6 Click one of the following:
• View Report – Logs are compounded every day at various intervals. Selecting View Report shows a report based on the last time one of these updates took place.
• Today’s Report – Selecting Today’s Report computes any existing log data immediately and shows you today’s report based on this information. The report should look something like this.
MESSAGE REPORT
The Message Report includes information on the total number and size of all allowed messages going through RiskFilter. This includes inbound, outbound and messages that are sent both ways. The Message Report also automatically lists the top 10 users based on the number and size of allowed messages, for inbound and outbound.
POLICY REPORT
The Policy Report provides statistical information on any policy violation messages detected by any of the five filters: General Content Filter, Advanced Content Filter, Message Attachment Filter, Content Guardian and Dictionary Threshold Filter. RiskFilter automatically lists the top 10 policy violations and the number of corresponding messages stopped by these filters.
VIRUS REPORT
The Virus Report provides statistical information on all messages containing viruses that have been scanned by the RiskFilter Anti-Virus engine. The system automatically lists the top 10 viruses and the number of virus messages scanned by the Anti-Virus engine.
SPAM REPORT
The Spam Report provides statistical information on all spam messages caught by the Anti-Spam engine. RiskFilter automatically lists the top 10 spam recipients and the number of spam messages received by them.
CONNECTION REPORT
The Connection Report provides statistical information on connections made and released by RiskFilter. It includes connection data relating to real-time blacklist, block host, directory attack, reverse DNS lookup and connection limit, as well as attachment scanning, SPF and SMTP delay.
• RBL – How many of these connections were from blacklisted senders, listed in the RBL. This is set in System Settings > Receive Settings > Connection Control > RBL (Perform real-time black list (RBL) check).
• Directory Attack – How many connections were categorized as directory attacks and dropped. This is set in System Settings > Receive Settings > Directory Attack.
SYSTEM REPORT
The System Report provides statistical information on the current status of RiskFilter, including detailed information on messages received, processed and delivered by the system to date, and message queue usage.
Figure 4 - 9 System Report
• To browse the status of a specific RiskFilter server – Select the RiskFilter server that you want to view from the RiskFilter Server drop-down list box. Click Refresh.
ISOLATED MESSAGES
Isolated Messages archives all messages isolated by RiskFilter. This enables you to perform a variety of tasks on the messages, which include: query, delete, deliver, forward, reprocess, or download and save specified messages.
Figure 4 - 10 Querying Isolated Messages Report
MANAGING ISOLATED MESSAGES
To query an Isolated Messages report:
1 Select Isolated Messages from the Reports and Logs tab.
7 To view a message, click the subject.
8 Select the message that you want to process.
9 You can process any of the messages archived in the isolated messages queue in any of the ways shown below:
• Delete – Delete the selected message.
• Deliver – Deliver the selected message.
• Reprocess – Release the selected message to the message queue for reprocessing.
VIRUS MESSAGES
Virus Messages archives all virus messages caught by RiskFilter. This enables you to perform a variety of tasks on the messages, which include: query, delete, release, download, reprocess and forward specified messages.
Figure 4 - 12 Querying Virus Messages
MANAGING THE VIRUS MESSAGES
To query your Virus Messages:
1 Select Virus Messages from the Reports and Logs tab.
2 Select the domain name you want to query from the Domain drop-down list box.
• Search with keywords such as Recipient and Sender.
• Jump to a new page by specifying a page and then clicking Go.
6 To view a message, click the hyperlinked subject.
Figure 4 - 14 An archived message
7 Select the message that you want to process.
8 You can process any of the messages archived in the virus messages queue in any of the ways shown below:
• Delete – Delete the selected message.
• Deliver – Deliver the selected message.
SPAM MESSAGES
Spam Messages archives all spam messages caught by RiskFilter. This enables you to perform a variety of tasks on the messages, which include: query, delete, release, download, reprocess, add to a white list, specify as ‘not spam’ and forward specified messages.
Figure 4 - 15 Querying Spam Messages Report
MANAGING SPAM MESSAGES
To manage your spam messages:
1 Select Spam Messages from the Reports and Logs tab.
6 To view a message, click the subject.
Figure 4 - 16 Viewing a Spam message
7 Select the message that you want to process.
8 You can process any of the messages archived in the spam messages queue in any of the ways shown below:
• Delete – Delete the selected message.
• Deliver – Deliver the selected message.
• Reprocess – Release the selected message to the message queue for reprocessing.
ARCHIVED MESSAGES
Archived Messages archives all messages (including all virus, spam, policy violation and allowed messages) received by RiskFilter. This enables you to perform a variety of tasks on the messages.
Figure 4 - 17 The Archived Messages screen
MANAGING ARCHIVED MESSAGES
Use the Archive Messages screen to query the database and manage messages of a particular type.
To manage these messages:
1 Select Archived Messages from the Reports and Logs tab.
Export Messages
You might want to download all the messages in the Archive, or just messages of a particular type, in order to perform particular actions on them.
To export messages:
1 Select Archived Messages from the Reports and Logs tab.
2 Use this screen to specify the type of messages that you are interested in (see Managing Archived Messages on page 123).
3 Click Export Messages. You may see a message stating: ‘Downloading...
Reprocess Messages
Reprocessing messages enables you to resend all of the messages held in the Archive folder. This would be useful, for example, if a mail server failed and messages were not delivered. Clicking Reprocess Messages resends all of the messages. You can also specify messages of a certain type and then ask RiskFilter to resend all messages that match these criteria.
To reprocess messages:
1 Select Archived Messages from the Reports and Logs tab.
5 Refresh the current page display by clicking Check New Messages, or search with keywords such as Recipient, Sender, Subject and Policy.
6 Select the check box alongside the message that you want to process.
Figure 4 - 19 Select the check box alongside the message
7 You can process any of the messages in the archived messages queue in any of the ways shown below:
• Deliver – Deliver the selected message.
DEFERRED MESSAGES
Deferred Messages stores all messages held for later delivery, for example in the event of an e-mail server crashing. RiskFilter E-mail enables you to query, delete, retry, download, empty and forward specified messages.
Figure 4 - 20 Querying Deferred Messages
QUERYING DEFERRED MESSAGES
To query Deferred Messages:
1 Select Deferred Messages from the Reports and Logs tab.
5 To view a message, click the subject.
Figure 4 - 22 An archived message
6 Select the message that you want to process.
Figure 4 - 23 Select the check box alongside the message
7 You can process all deferred messages as follows:
• Delete – Delete the selected deferred message.
• Retry – Try to redeliver the selected deferred message.
• Empty – Remove all messages in the Deferred messages queue.
• Download – Download the selected deferred message.
KEY POINTS
The following list is a summary of the main points covered in Chapter 4. Use this list as a quick reminder of what you can do within the Reports and Logs tab:
• RiskFilter enables you to query the status of all distributed RiskFilter servers, protected e-mail servers and LDAP servers via the Dashboard in real time.
• When the status of the RiskFilter server is shown as off-line, you can use the Dashboard to find out which service is experiencing problems.
• Spam Messages archives all spam messages caught by RiskFilter. This enables you to perform a variety of tasks on the messages, which include: query, delete, release, download, reprocess, add to a white list, specify as ‘not spam’ and forward specified messages.
• Archived Messages archives all messages (including all virus, spam, policy violation and allowed messages) received by RiskFilter. This enables you to perform a variety of tasks on the messages.
Chapter 5 RiskFilter System Management Console
Overview . . . page 132
The Webmin Tab . . . page 134
The System Tab . . . page 138
The RiskFilter Tab . . .
5 RISKFILTER SYSTEM MANAGEMENT CONSOLE
OVERVIEW
The RiskFilter System Management Console enables you to configure the RiskFilter appliance and its interaction with the surrounding network, and to monitor system resources.
ACCESSING THE RISKFILTER SYSTEM MANAGEMENT CONSOLE
To open the RiskFilter System Management Console:
1 Open a web browser and enter: https://<hostname>:10000/ where <hostname> is the name or IP address of your RiskFilter appliance.
2 At the RiskFilter Management Console login page, enter the username and password. The default username and password are:
– Username = rfmngr
– Password = $rfmngr$
3 Click Login.
THE WEBMIN TAB
This chapter explains how to use the Webmin tab to manage the RiskFilter System Management Console and its connections.
WHAT CAN BE CONFIGURED IN THE WEBMIN TAB?
The Webmin tab enables you to:
• Generate reports on actions carried out by users within any of the modules, such as changing passwords, booting up/shutting down the computer or any configuration within the console.
WEBMIN ACTIONS LOG
Use the Webmin Actions Log to generate reports on actions carried out by users within any of the modules, such as changing passwords, booting up and shutting down the computer, and configuration changes. You can search for actions by specifying the user, the module and the time that the actions took place:
Figure 5 - 3 Specifying criteria
Once you have specified the criteria you want to search for, click Search to start the search.
Language
This is the language that titles, prompts etc. are displayed in within the RiskFilter appliance interfaces.
To change the language:
1 Select Language from the Webmin Configuration screen.
2 Choose a language from the Display in Language drop-down list box.
3 Click Change Language to apply these settings.
Ports and Addresses
You can specify which IP addresses and port the RiskFilter System Management Console will bind to.
Proxy Servers
The RiskFilter System Management Console needs to connect to the Internet to operate correctly. If you use a proxy server to access web and FTP sites on the Internet, you need to tell Webmin about these machines:
Caution: Proxy Server authentication is not supported in this release of RiskFilter.
• HTTP proxy – This is the proxy server used for HTTP server requests and should be in URL format. For example: http://hello.
THE SYSTEM TAB
This chapter explains how to use the System tab for operating system level configuration. You can also use this tab to monitor system processes and resources.
WHAT CAN BE CONFIGURED IN THE SYSTEM TAB?
The System tab enables you to:
• Instantly reboot or shut down the system.
• Change the password of the rfmngr account.
• View real-time and historic monitors of system usage.
BOOTUP AND SHUTDOWN
Use the Bootup and Shutdown screen to immediately reboot or shut down the system by clicking the relevant button:
Figure 5 - 6 The Bootup and Shutdown screen
Note: As soon as you click either of these buttons, all users are disconnected from the system and the RiskFilter appliance stops processing mail.
CHANGE PASSWORDS
You can use the Change Password screen to change the password of the rfmngr account.
MULTI GATEWAY POLICY ROUTING
This module sets up dynamic routing to preserve IPv4 source addresses.
Caution: This should only be used if you are using NAT on your mail servers to forward mail to RiskFilter.
Multi Gateway Policy Routing enables you to override the default gateway setting in your routing table. Connections forwarded to RiskFilter have their packets routed back through the source’s configured gateway.
NETWORK CONFIGURATION
The Network Configuration tab enables you to specify how the RiskFilter System Management Console server connects and interacts with the network:
Figure 5 - 8 The Network Configuration screen
Network Interfaces
You can specify which network interfaces are activated at boot time in the Network Interfaces screen:
Figure 5 - 9 The Network Interfaces screen
• Interfaces Active Now – A list of interfaces that are currently up and ru
Multi-NIC configuration in RiskFilter

You can use Webmin to set up a multi-NIC environment. Once this is done, both IPs can be used to access the System Management Console, the Management Console, the MTA and all other services. Bear in mind that this includes the administrative interfaces: if one interface faces an untrusted network, Webmin and the Management Console are reachable from it, so restrict access to them accordingly.

The following scenarios are possible.

RiskFilter between two networks.
Figure 5 - 11 The Create Bootup Interface screen

Caution: If the IP address of the eth0 NIC is changed, you may lose your connection to the RiskFilter appliance.

Routing and Gateways

You can set the interface and gateway that you want to act as your default in the Routing and Gateways screen:

Figure 5 - 12 The Routing and Gateways screen

SurfControl RiskFilter - E-mail V5.2.
To configure routing and gateways:

1 Select Routing and Gateways from the Network Configuration tab.
2 For each route, choose the interface from the drop-down list box and enter the corresponding gateway's IP address into the Gateway field. You can enter up to two default routes.
3 Specify whether you want the RiskFilter System Management Console server to act as a router.

You can also specify static and local routes if necessary.
Host Addresses

You can add new RiskFilter System Management Console hosts in the Host Addresses screen. To add hosts:

1 Select Host Addresses in the Network Configuration tab.
2 In the Host Addresses screen, select Add a new host address.

Figure 5 - 15 Host Addresses

3 In the page that follows, enter the IP address and name of your new RiskFilter System Management Console host.

Figure 5 - 16 Create a Host Address

4 Click Create.
RUNNING PROCESSES

This screen tells you which processes are currently running, when each one started and the command used to run it:

Figure 5 - 18 The Running Processes screen

SYSTEM TIME

The system time must be correct for licensing and updating to be trouble-free; accurate time also matters when you correlate the appliance's logs with those of other systems. To keep it correct, the server must use the Time Protocol. Information about this protocol can be seen at: http://www.tf.nist.gov/service/its.
5 Click Sync system time.
6 Specify where the RiskFilter System Management Console server is located by choosing from the Current location list boxes in the Timezone section.
7 Click Change timezone to make the changes.

Restart the RiskFilter appliance.
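The Time Protocol that the sync above relies on is small enough to check by hand. The following is an added example, not part of the RiskFilter guide or its software; it assumes the guide's "Time Protocol" is RFC 868 (the NIST ITS service the guide links to offers it on TCP port 37), where the server answers with a single 32-bit unsigned big-endian integer counting seconds since 1900-01-01 00:00:00 UTC. The decoder lets you confirm what a time server is really handing out and how far the appliance's clock is from it; the sample reply and local clock reading are constructed.

```python
"""RFC 868 Time Protocol client and reply decoder (added example)."""
import socket
import struct
from datetime import datetime, timezone

TIME_PROTOCOL_PORT = 37
# Seconds from 1900-01-01 to 1970-01-01 (UTC): converts RFC 868 time to Unix time.
RFC868_EPOCH_OFFSET = 2208988800


def decode_time_reply(reply: bytes) -> datetime:
    """Turn the 4-byte reply into an aware UTC datetime.

    Anything other than exactly four bytes is rejected: a truncated read, or a
    banner from some other service on that port, must not silently become a
    bogus time. Note the 32-bit field wraps in 2036.
    """
    if len(reply) != 4:
        raise ValueError(f"RFC 868 reply must be 4 bytes, got {len(reply)}")
    (seconds_since_1900,) = struct.unpack("!I", reply)
    return datetime.fromtimestamp(seconds_since_1900 - RFC868_EPOCH_OFFSET, tz=timezone.utc)


def clock_skew_seconds(reply: bytes, local_now: datetime) -> int:
    """Server time minus local time in whole seconds (positive: local clock is slow)."""
    return int((decode_time_reply(reply) - local_now).total_seconds())


def query_time_server(host: str, timeout: float = 5.0) -> datetime:
    """Fetch the current time from `host` over TCP/37 (needs network access)."""
    with socket.create_connection((host, TIME_PROTOCOL_PORT), timeout=timeout) as sock:
        reply = b""
        while len(reply) < 4:
            chunk = sock.recv(4 - len(reply))
            if not chunk:
                raise ConnectionError("server closed the connection before sending 4 bytes")
            reply += chunk
    return decode_time_reply(reply)


# Constructed sample: the reply a server would send at 2004-08-16 23:44:53 UTC
# (Unix time 1092699893), the timestamp that appears in the qtool.sh listing
# later in this guide.
SAMPLE_REPLY = struct.pack("!I", 1092699893 + RFC868_EPOCH_OFFSET)
# Constructed local clock reading, three seconds behind the server.
SAMPLE_LOCAL_CLOCK = datetime(2004, 8, 16, 23, 44, 50, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("decoded:", decode_time_reply(SAMPLE_REPLY).isoformat())
    print("skew (s):", clock_skew_seconds(SAMPLE_REPLY, SAMPLE_LOCAL_CLOCK))
```

To check a live server, call `query_time_server("time.nist.gov")` and compare the result with `datetime.now(timezone.utc)`; a skew of more than a few seconds after a sync indicates the appliance is not actually reaching the server it was configured with.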
THE RISKFILTER TAB

This chapter explains how to use the RiskFilter tab to manage the configuration of services and to back up and update the software.

WHAT CAN BE CONFIGURED IN THE RISKFILTER TAB?

The RiskFilter tab enables you to:
• Start, stop and restart RiskFilter. You can also see the status of the services.
• Make copies of your RiskFilter configuration.
RISKFILTER SERVICES MANAGER

Enables you to start, stop and restart RiskFilter. This screen also gives you the status of the following services:
• Msoftsmg – The mail processor and SMTP server
• Msoftadmin – The user interface
• Msoftnp.dc – The document converter (extracts text from .docs/.pdfs/.exl files)
• Avagent.
4 Click Apply Schedule. If you want to perform an immediate backup of your files, click Backup Now. View these files in the Backup Files on Appliance section:

Figure 5 - 24 The Backup Files on Appliance section

5 Enter the path to the backup file into the field or click Browse to navigate to it. You can use this to restore your settings to the RiskFilter System Management Console server.
6 Click Restore.
Load balancing with RiskFilter

Once you have configured your RiskFilter cluster, you can set up load balancing using MX records:

1 On the DNS server hosting your domain, create an MX record for each primary RiskFilter server, all with the same MX preference.
2 Give the failover server a higher preference number. A higher number means lower priority, so the failover server is tried only when every primary server is unreachable.

Table 5-1 shows an example of MX preference assignments for load balancing and failover using MX records.
A lower MX preference number gives higher priority than a higher one. In Figure 5-25, e-mail is sent in the following way:

• E-mail sent to site A.com round-robins between mail exchangers 1, 2 and 3, because each RiskFilter appliance has the same MX preference of 5.
• The same thing happens for e-mail sent to site B.com.

Note that the balancing is done by the sending MTAs, not by DNS or by RiskFilter: a sender moves on to the higher-numbered exchanger only when it cannot connect to any lower-numbered one, so an appliance that still accepts connections but has stopped processing mail keeps receiving its share.

If site A is down (e.g.
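The sender-side rule behind the two preceding sections (equal preferences share the load, a higher number is tried only after all lower ones fail) is worth seeing as code, because getting the numbers backwards silently routes all mail to the failover box. The following is an added example, not part of the RiskFilter guide or its software: it models a sending MTA's exchanger selection as RFC 5321 section 5.1 specifies it, using a constructed record set shaped like Table 5-1 (three primaries at preference 5, one failover at 10). The hostnames and domain are assumptions; the MX values follow the guide.

```python
"""MX preference handling as a sending MTA performs it (added example)."""
import random
from collections import Counter

# Constructed zone data modelled on Table 5-1. Hostnames are assumptions.
EXAMPLE_MX_RECORDS = [
    (5, "rf1.example.com"),
    (5, "rf2.example.com"),
    (5, "rf3.example.com"),
    (10, "rf-failover.example.com"),
]


def zone_lines(domain, mx_records):
    """Render the records as the MX lines you would add to the zone for `domain`."""
    return [f"{domain}. IN MX {pref} {host}." for pref, host in mx_records]


def delivery_order(mx_records, rng=None):
    """Hosts in the order a conforming sender tries them.

    Lowest preference number first. Hosts sharing a preference are shuffled,
    which over many deliveries from many senders is the 'round-robin' the
    guide describes; no single sender rotates deterministically.
    """
    if rng is None:
        rng = random.Random()
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def choose_exchanger(mx_records, unreachable, rng=None):
    """First reachable host in delivery order, or None when every host is down.

    `unreachable` stands in for connection refusals and timeouts. The
    preference-10 failover is reached only after every preference-5 host has
    failed; a host that accepts the connection is never skipped.
    """
    for host in delivery_order(mx_records, rng):
        if host not in unreachable:
            return host
    return None


def simulate_distribution(mx_records, deliveries, unreachable=frozenset(), seed=0):
    """Count how `deliveries` messages spread across the exchangers."""
    rng = random.Random(seed)
    return Counter(choose_exchanger(mx_records, unreachable, rng) for _ in range(deliveries))


if __name__ == "__main__":
    print("\n".join(zone_lines("example.com", EXAMPLE_MX_RECORDS)))
    print("normal operation:", simulate_distribution(EXAMPLE_MX_RECORDS, 300))
    down = {"rf1.example.com", "rf2.example.com", "rf3.example.com"}
    print("all primaries down:", simulate_distribution(EXAMPLE_MX_RECORDS, 300, down))
```

The last two test cases below show the misconfiguration the section warns about: give the failover server a lower number than the primaries and it becomes the only exchanger ever used.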
RISKFILTER WEB ACCESS MANAGER

The Web Access Manager manages two HTTP servers: Webmin and the Administrator Console. Access to each can be set to require HTTP or HTTPS. To set up the access:

1 Select Web Access Manager in the RiskFilter tab.
2 Select Require HTTPS Access or Require HTTP Access in the Webmin HTTP Configuration section.
3 Click Apply.

Select Require HTTPS Access for both servers unless you have a specific reason not to: over plain HTTP the rfmngr password and every administrator's session cookie cross the network in cleartext.
UPDATE RISKFILTER - E-MAIL

This screen is where you download the latest version of the RiskFilter software, as you did when you first set up RiskFilter. There is more information about this facility in the Starter Guide.

Figure 5 - 28 The Update RiskFilter-E-mail screen
KEY POINTS

The following list is a summary of the main points covered in Chapter 5.
• System and Server Status enables you to add monitoring of different types by enabling you to:
– Set up watchdog scripts – These can monitor the system and notify the administrator of problems such as low disk space, low memory and dead processes.
– Set up monitoring to run at certain times automatically – This can be useful to restart any dead processes or remove unnecessary files, to clean up disks.
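A watchdog of the kind described above has to parse the system's own reports of disk, memory and process state before it can decide anything. The following is an added example, not part of the RiskFilter guide or its software: three checks that read text in the shape produced by `df -P`, `/proc/meminfo` and `ps -eo comm`, so they can be run here against constructed samples and pointed at the live commands on the appliance. The thresholds are assumptions chosen for illustration; the process list uses the service names from the RiskFilter Services Manager section plus mysqld, which the appendix shows running alongside them, but the exact executable names on the appliance are an assumption too.

```python
"""Appliance watchdog checks: disk, memory, required processes (added example)."""
import subprocess

DISK_WARN_PERCENT = 90        # assumption: alert at 90% used
MEM_MIN_FREE_PERCENT = 10     # assumption: alert below 10% free
# Assumed process names, taken from the Services Manager section and the
# smgd start output in the appendix.
REQUIRED_PROCESSES = ("msoftsmg", "msoftadmin", "mysqld")

# Constructed `df -P` output: the root filesystem is nearly full.
CONSTRUCTED_DF = """\
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1          8254240  7612000    642240      93% /
/dev/sda3         41284928 12000000  29284928      30% /opt
tmpfs               512000        0    512000       0% /dev/shm
"""

# Constructed /proc/meminfo excerpt: about 8% free once cache is counted.
CONSTRUCTED_MEMINFO = """\
MemTotal:        1035264 kB
MemFree:           20480 kB
Buffers:           20480 kB
Cached:            40960 kB
"""

# Constructed `ps -eo comm` output: the mail processor is missing.
CONSTRUCTED_PS = """\
COMMAND
init
sshd
mysqld
msoftadmin
crond
"""


def check_disk(df_output, warn_percent=DISK_WARN_PERCENT):
    """(mountpoint, percent used) for every filesystem at or above the threshold."""
    alerts = []
    for line in df_output.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 6 or not fields[4].endswith("%"):
            continue                                   # not a data line
        percent = int(fields[4].rstrip("%"))
        if percent >= warn_percent:
            alerts.append((fields[5], percent))
    return alerts


def memory_free_percent(meminfo):
    """Free memory as a whole-number percentage, counting buffers and cache as free."""
    values = {}
    for line in meminfo.splitlines():
        if ":" in line:
            key, rest = line.split(":", 1)
            values[key.strip()] = int(rest.split()[0])   # value in kB
    free = values.get("MemFree", 0) + values.get("Buffers", 0) + values.get("Cached", 0)
    return 100 * free // values["MemTotal"]


def check_processes(ps_output, required=REQUIRED_PROCESSES):
    """Required process names that do not appear in the `ps -eo comm` output."""
    running = {line.strip().lower() for line in ps_output.splitlines()[1:]}
    return [name for name in required if name.lower() not in running]


def run_watchdog(df_output, meminfo, ps_output):
    """Collect every problem as a message; an empty list means healthy."""
    problems = [f"disk: {mount} at {pct}% (threshold {DISK_WARN_PERCENT}%)"
                for mount, pct in check_disk(df_output)]
    free_pct = memory_free_percent(meminfo)
    if free_pct < MEM_MIN_FREE_PERCENT:
        problems.append(f"memory: only {free_pct}% free (threshold {MEM_MIN_FREE_PERCENT}%)")
    problems.extend(f"process: {name} not running" for name in check_processes(ps_output))
    return problems


def live_inputs():
    """Gather the same three inputs from the running system (Linux only)."""
    df = subprocess.run(["df", "-P"], capture_output=True, text=True, check=True).stdout
    with open("/proc/meminfo") as fh:
        meminfo = fh.read()
    ps = subprocess.run(["ps", "-eo", "comm"], capture_output=True, text=True, check=True).stdout
    return df, meminfo, ps


if __name__ == "__main__":
    for problem in run_watchdog(CONSTRUCTED_DF, CONSTRUCTED_MEMINFO, CONSTRUCTED_PS):
        print("WATCHDOG:", problem)
```

On the appliance, replace the constructed inputs with `run_watchdog(*live_inputs())` and have cron run the script; the returned messages are what the notification step would send.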
Chapter 6 Appendix

Using the Command Line Interface ........ page 158
Internet Threat Database Categories ........
6 APPENDIX Using the Command Line Interface

USING THE COMMAND LINE INTERFACE

‘rfmngr’ is a non-root Linux user on the RiskFilter appliance. It is created on all out-of-the-box RiskFilter appliances and has the default password “$rfmngr$”. For security reasons this password must be changed as soon as possible: until it is, anyone who can reach SSH or Webmin on the appliance can log in with a published credential. To access the command line interface and the utilities it offers, log in as ‘rfmngr’.
QTOOL.SH

qtool.sh is the Receive Queue Management Utility and provides command line management of the RiskFilter receive queue.

Command: /opt/riskfilter/smg/bin/qtool.sh -h -l -d -e -i -c

  -h                  launch help
  -l [filter clause]  list messages in the receive queue
  -d                  delete messages
  -e [export path]    export messages
  -i                  import messages to queue
  -c                  clean queues

Example 1 - cleaning queues

Command: ./qtool.
  Queue Id = 4
  SegmentOffset = 184259131
  SegmentDataOffset = 184259155
Message Id = 3944800
Message Position:
  Queue Id = 4
  SegmentOffset = 189968858
  SegmentDataOffset = 189968882
Message Id = 3945000
Message Position:
  Queue Id = 4
  SegmentOffset = 190975798
  SegmentDataOffset = 190975822
Message Id = 3945200
Message Position:

Example 3 - importing messages to the receive queue. You must stop the RiskFilter service before the import.

Command: ./importmsg.
# sudo /etc/init.d/smgd start
A mysqld process already exists
Starting Msoft smg:    [ OK ]
Starting Msoft admin:  [ OK ]

Example 4 - listing all messages in the receive queue. You can also list messages using a specified filter.

Command: ./qtool.sh -l

# ssh rfmngr@riskfilter-appliance
# sudo /opt/riskfilter/smg/bin/qtool.sh -l
Do you want to list message? (y/n): y
message 2073 recieved at 2004/08/16 23:44:53 from ip 218.108.178.118 sender is love@zj.
# sudo /etc/init.d/smgd start
A mysqld process already exists
Starting Msoft smg:    [ OK ]
Starting Msoft admin:  [ OK ]
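The listing that `qtool.sh -l` prints in Example 4 is one line per queued message, and during an incident (a flood from one source, a backlog after a restart) you want it summarised rather than read. The following is an added example, not part of the RiskFilter guide or its tools: a parser for lines of the shape shown in Example 4, keeping the tool's own spelling "recieved", plus two summaries over the parsed records. The listing below is constructed; its addresses, senders and the reference time are made up, and the assumption that a listing line ends with the sender address is mine, since the guide's line is cut short.

```python
"""Summarise `qtool.sh -l` output (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Line shape from Example 4. 'recieved' is what the tool prints.
LISTING_RE = re.compile(
    r"^message (?P<id>\d+) recieved at (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"from ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) sender is (?P<sender>\S+)"
)

# Constructed listing: one sender at 198.51.100.7 has three messages waiting.
CONSTRUCTED_LISTING = """\
Do you want to list message? (y/n): y
message 2073 recieved at 2004/08/16 23:44:53 from ip 203.0.113.10 sender is alice@example.org
message 2074 recieved at 2004/08/16 23:45:01 from ip 198.51.100.7 sender is promo@example.net
message 2075 recieved at 2004/08/16 23:45:09 from ip 198.51.100.7 sender is promo@example.net
message 2076 recieved at 2004/08/17 01:10:22 from ip 198.51.100.7 sender is promo@example.net
message 2077 recieved at 2004/08/17 02:00:00 from ip 192.0.2.44 sender is bob@example.com
"""

# Constructed "current time" for the age calculation.
REFERENCE_NOW = datetime(2004, 8, 17, 2, 0, 0)


def parse_listing(text):
    """Return one dict per message line; prompts and unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LISTING_RE.match(line.strip())
        if not match:
            continue
        records.append({
            "id": int(match["id"]),
            "received": datetime.strptime(match["ts"], "%Y/%m/%d %H:%M:%S"),
            "ip": match["ip"],
            "sender": match["sender"],
        })
    return records


def top_sources(records, limit=3):
    """Source IPs with the most queued messages, as (ip, count) pairs."""
    return Counter(r["ip"] for r in records).most_common(limit)


def stale_message_ids(records, now, max_age):
    """IDs of messages that have sat in the queue longer than `max_age`."""
    return [r["id"] for r in records if now - r["received"] > max_age]


def queue_summary(text, now, max_age=timedelta(hours=1)):
    """Everything an on-call engineer wants from the listing in one dict."""
    records = parse_listing(text)
    return {
        "count": len(records),
        "top_sources": top_sources(records),
        "stale_ids": stale_message_ids(records, now, max_age),
    }


if __name__ == "__main__":
    # On the appliance, pipe the real output in: qtool.sh -l | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_LISTING
    print(queue_summary(text, datetime.now()))
```

The stale-message list pairs naturally with the -d and -e options above: export what you need to keep, then delete the rest, with the service stopped as Example 3 requires.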
UNINSTALL.SH

You must run this command as ‘root’. It uninstalls the RiskFilter software and is located in /opt/riskfilter/smg/bin. It removes the features installed by InstallAnywhere but does not remove files and folders created after installation, so any configuration backups, logs or queued mail left behind must be removed separately if the appliance is being decommissioned.

Example 6 - uninstalling the RiskFilter software

[root@smg bin]# ./uninstall.
APPENDIX Internet Threat Database Categories 6

INTERNET THREAT DATABASE CATEGORIES

Table 1 shows a summary of the Internet Threat Database Categories:

Table 1 Internet Threat Database Categories

Core / Liability Categories
• Adult
• Gambling
• Illegal Material
• Offensive

Productivity Categories
• Chain letters
• Games / interactive
• Novelty software
• Computing / Internet
• Health / medicine
• Personal / dating
• Entertainment
• Phishing / fraud
• Products / services
• Finan
CORE / LIABILITY CATEGORIES

Table 2 describes the Core/Liability categories. These are the categories that could result in legal or confidentiality issues should a user be accessing them.
PRODUCTIVITY CATEGORIES

Table 3 describes the Productivity Categories. These are the categories that are not dangerous to company confidentiality or legality, but could result in loss of bandwidth and productivity should users be accessing them too often.
Table 3 Productivity Categories

Category: Special Events
Media Type: Graphics, Movies, Sound, Text
Description:
• Festive and seasonal messages, files, promotions
• Messages pertaining to a current event that may be objectionable based on content, bandwidth, or negative impact on productivity, such as a major sports event

Category: Other
Media Type: Text
Description:
• Items that do not fit into the above categories
• Job Search
• E-greeting cards and wishes
• Questionnaires,
NOTICES Updates to the SurfControl documentation and software, as well as Support information are available at www.SurfControl.com/support. Copyright ©1998-2007 SurfControl plc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.
Sun RPC

Sun RPC is a product of Sun Microsystems, Inc. and is provided for unrestricted use provided that this legend is included on all tape media and as a part of the software program in whole or part. Users may copy or modify Sun RPC without charge, but are not authorized to license or distribute it to anyone else except as part of a product or program developed by the user.
VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of Daniel Veillard shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from him.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc.
advertising or publicity pertaining to distribution of the software without specific, written prior permission.
GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names (IDN) working group, used for internationalized domain names. The Java version is JNet-Tool.jar. Copyright (C) 2005 Ventruba This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.