KASPERSKY LAB Kaspersky Anti-Spam 2.
KASPERSKY ANTI-SPAM 2.0 ENTERPRISE EDITION / ISP EDITION Administrator’s Guide © Kaspersky Lab http://www.kaspersky.com © Ashmanov & Partners Ltd. http://www.ashmanov.
Contents (excerpt; page numbers refer to the printed guide)
CHAPTER 1. KASPERSKY ANTI-SPAM 2.0 ENTERPRISE EDITION / ISP EDITION ... 8
1.1. What's new in Kaspersky Anti-Spam 2.0 ... 10
1.2. Licensing policy ... 11
1.3. Hardware and software system requirements ...
4.4.1.2. Message evaluation ... 36
4.4.1.3. Reaction to spam ... 38
4.4.2. Setting up preinstalled filter profiles ... 39
4.4.2.1. Selecting default reaction to spam ... 40
4.4.2.2.
5.2.4.5. Creating new actions ... 68
5.2.4.5.1. Options and settings of the change recipient action ... 68
5.2.4.5.2. Options and settings of the change header action ... 69
5.2.4.6. Editing actions ... 71
5.2.4.7. Deleting actions ...
A.1.3. System log (syslog) records detail levels ... 95
A.2. The ap-mailfilter program (filtering process) command line parameters ... 96
A.3. Client modules for mail systems ... 98
A.3.1. Interaction of the client modules with the filtering service ... 98
A.3.2.
A.4.12. User's sample spam message ... 123
A.4.13. Advanced filter settings file (settings.xml) ... 124
A.4.14. List of predefined categories (catlist.xml) ... 124
A.5. Updater script configuration file ... 125
A.6. Updater script command line switches ...
CHAPTER 1. KASPERSKY ANTI-SPAM 2.0 ENTERPRISE EDITION / ISP EDITION Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition is a software package that filters incoming e-mail messages in order to protect users against unsolicited bulk mailings (spam). Kaspersky Anti-Spam filters incoming e-mail messages received via the SMTP protocol before the messages are delivered to the user's mailbox.
with caution to avoid false triggering. • absence of the sender's server in the DNS; • matching of one of the message headers against a regular expression stored by the program; • excessively large message size. For more details on e-mail message analysis, see para 4.3.1, page 26. Secondly, content filtering is used, i.e. the message content is analyzed (including the Subject header and attached files).
Ashmanov & Partners is constantly working on the enhancement and updating of the linguistic data used for spam detection. To ensure the most efficient spam protection, download the latest versions of these data using the updater script (see Chapter 6, page 89). We strongly recommend that you schedule automatic data updating from cron to start at least 4-6 times per day.
• the feature used for labeling spam messages has become more convenient: the corresponding token is now added to the beginning of the Subject of the message.
• traffic-based licensing (mail traffic filtered during a certain period of time); • licensing based on the number of e-mail addresses processed. The latter type of licensing controls the use of Kaspersky Anti-Spam based on the number of e-mail addresses that the program processes during the license period.
• A sealed envelope with the installation disk containing the program installation files; • User's Guide; • License key file on the installation disk; • License agreement. Before you open the envelope with the installation disk, make sure that you have carefully read the License agreement. If you buy Kaspersky Anti-Spam online, you will download the installation file from the Kaspersky Lab website.
• support on issues related to the installation, configuration and use of the product, provided by phone or via e-mail; • information about new Kaspersky Lab products and about new computer viruses throughout the world (for Kaspersky Lab Ltd. newsletter subscribers). Kaspersky Lab does not provide support on issues related to the performance and use of operating systems or other technologies. 1.6.
CHAPTER 2. KASPERSKY ANTI-SPAM STRUCTURE AND ARCHITECTURE Since version 2.0, Kaspersky Anti-Spam is no longer a full-featured mail transport agent (MTA) able to receive, forward or deliver e-mail messages to the users' mailboxes. These functions are now performed by the server's MTA. Kaspersky Anti-Spam 2.0: 1. integrates into the mail system; 2. receives messages from this system; 3. checks messages for the presence of spam attributes; 4.
Figure (architecture diagram). Mail arrives from the Internet at the mail system (MTA), which hands each message to the Kaspersky Anti-Spam client module; the client module talks to the filtering server, and the MTA then delivers to the end users' mailboxes. The filtering server comprises: the filtering service (master process ap-process-server and filtering process ap-mailfilter); the licensing service (kas-license) with the key file and the list of licensed mail addresses; the data (filtering database, filter profiles and local lists); automatic Internet updating of the filtering database (sfupdates); WebTuner; and the configuration script (ap-mft-config.
Irrespective of the peculiarities of a particular client module, the interaction between the client and the main module of Kaspersky Anti-Spam, the filtering server, is implemented the same way, using an internal data exchange protocol over a network or local socket. The filtering server responds to the clients' requests, receives the messages to be processed from them and returns the results back to the clients.
When the filtering process starts, it loads filter profiles (sets of filtering rules) and opens the filtering database (the set of data used for content analysis). After the connection to the client has been established, the filtering process receives the header and the body of the message from the client, analyzes them and returns the results back to the client.
CHAPTER 3. INSTALLING KASPERSKY ANTI-SPAM Before installing Kaspersky Anti-Spam, please carefully read this chapter as well as the readme-install file, which may contain the latest recommendations on program installation. 3.1. Preparing for the installation Before installing Kaspersky Anti-Spam: • make sure that your system meets all hardware and software requirements for the installation of Kaspersky Anti-Spam (see para 1.3, page 12); • make sure that you have a valid Kaspersky Anti-Spam 2.
3.2. Installing applications included in the Kaspersky Anti-Spam software package The installation of Kaspersky Anti-Spam must be performed as the root user. Kaspersky Anti-Spam 2.0 is distributed: • as an rpm package for most versions of Linux (RedHat, SuSE, Mandrake, Fedora, ASP Linux, Alt Linux, etc.); • as a deb package for Debian Linux; • as a tgz package for FreeBSD; • tar.
3.4. Integrating Kaspersky Anti-Spam into your mail system Integration of Kaspersky Anti-Spam into the mail system involves installing the client module in the mail system and modifying the mail system configuration files. These actions are performed automatically by the MTA configuration script or by the configuration script of the installed mail system.
CHAPTER 4. KASPERSKY ANTI-SPAM OPERATION AND FILTERING PHILOSOPHY 4.1. Configuring filtering settings Kaspersky Anti-Spam provides you with powerful tools for detecting spam in incoming e-mail traffic. Actions on suspicious messages may range from the most severe (rejection) to quite moderate (e.g., adding an extra header to the message for further processing by the e-mail program). The mail service administrator decides which actions are applied to a particular spam type.
data. The linguistic laboratory of Ashmanov & Partners JSC is constantly improving and updating this database; therefore the database updates must be downloaded regularly to provide effective spam detection and processing. The updates are downloaded via the Internet by the updater script. We strongly recommend that you include this script in crontab, scheduled to start at least every hour.
4.3.1. Address, headers and message size analysis Filtering rules may contain the following conditions (as well as their negations): • the IP address of the server from which a message was received (i.e. the relay server that sent the message) matches a specified address; • the IP address of the server from which a message was received is included in the specified list.
black list (e.g. to check IP=202.103.129.8 against zone="blackholes.mailabuse.org", a DNS request for the domain name 8.129.103.202.blackholes.mailabuse.org is formed). The recipient check is performed: • in common profiles, against the full list of recipients; • in personal profiles, against the list of those message recipients to whom this profile is applied.
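The DNS-based black list check described above, as an added example (this is not code from the guide or from the product): the relay's IPv4 octets are reversed and the zone name appended, and the resulting name is looked up. The lookup is injected as a function so the example runs offline; the FAKE_DNS table and the 192.0.2.10 relay are constructed, and "any A record means listed" is the usual DNSBL convention rather than something the guide states.

```python
import ipaddress
from typing import Callable, Iterable, Optional


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the DNS name that is queried to check `ip` against the
    DNS-based black list `zone`.

    The four octets of the IPv4 address are written in reverse order and
    the zone name is appended, as the guide describes for 202.103.129.8
    and blackholes.mailabuse.org.  The guide describes the check for IPv4
    relays only, so IPv6 addresses are rejected here.
    """
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError("RBL lookups are described for IPv4 addresses only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.strip().strip('.')}"


def first_listing_zone(ip: str, zones: Iterable[str],
                       resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Query the configured zones in order and return the first zone that
    lists `ip`, or None if no zone does.

    `resolve(name)` stands in for a DNS A-record lookup: it returns the
    address found, or None when the name does not exist (NXDOMAIN).  By
    the usual DNSBL convention any returned A record means "listed".  The
    resolver is injected so that this example runs without network access.
    """
    for zone in zones:
        if resolve(dnsbl_query_name(ip, zone)) is not None:
            return zone
    return None


# Constructed stand-in for DNS: only this one name "exists" in the table,
# i.e. only 202.103.129.8 is listed.
FAKE_DNS = {"8.129.103.202.blackholes.mailabuse.org": "127.0.0.2"}

if __name__ == "__main__":
    zones = ["blackholes.mailabuse.org"]
    for relay in ("202.103.129.8", "192.0.2.10"):
        print(relay, "->", first_listing_zone(relay, zones, FAKE_DNS.get))
```

In production the `resolve` argument would wrap a real resolver; a zone that answers for every name (a lapsed or hijacked list) lists everything, which is why the guide asks for RBL conditions to be used with caution against false triggering.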
The linguistic lab of Ashmanov & Partners JSC is constantly working on the enhancement and updating of the content filtering database. Therefore, it is recommended that you update the database regularly (see Chapter 6, page 89). The system administrator can also add new spam message examples to the database (see para 5.2.6, page 82).
Several actions can be described in a single rule, but if any of these actions is severe or moderately severe, message processing by this rule (as well as by all other rules of the current profile) stops and no further actions are performed. Actions within the same rule are executed in strict order.
• "Moderately severe" skip action – stops execution of all rules of the current filter profile and starts execution of the next profile (if this is provided for by the profile execution procedure, see para 4.3.4, page 31). The skip action in a personal profile is equivalent to the accept action. • "Moderate" actions: • bounce – generate a message rejection notification to the sender's mail server.
The ${CATEGORY} operator can be used when specifying a new header value. This operator denotes the list of spam categories obtained from the content analysis of the message text. For example, this list can be written into the Keywords header. You can modify headers for all users using the common profile, and headers for users of a particular profile using the corresponding personal profile. 4.3.4.
only one of them can be enabled at a time. The rules of the other profiles are not executed. Selection of the personal profile, which is executed at stage 3, is more complicated. It is done separately for each virtual copy of the message (for each recipient, to be more exact). Using WebConfigurator the system administrator can create and enable any number of personal profiles in any order.
Both of the above actions are moderate, and message processing resumes after their execution. In this case the following actions are applied to the modified version of the message. Suppose that the change recipient action has been applied to a mail message and recipient x has been replaced with recipient y.
The last action – reject If the reject action is applied when executing the common profile, the message is rejected at the SMTP protocol level and error code 550 is sent back to the originating server. Any actions that preceded the reject action – generation of a notification (bounce), changing of a header or of a recipient (change header, change recipient) – are ignored.
4.4. Preinstalled filter profiles Kaspersky Anti-Spam is installed with a set of preinstalled profiles that allow spam filtering to start immediately after installation.
4.4.1.1. Detection of spam attributes: analysis of message headers Formal spam attributes – "suspicious" headers and their combinations – are detected at the first stage of message processing. A "hidden" common profile, Analyze Message Headers, stored in the hidden/formal.xml file, is used for this purpose.
• Spam Detection Standard (no RBL & DNS check) (the detect-standard-norbl.xml file); • Spam Detection Soft (the detect-soft.xml file); • Spam Detection Soft (no RBL & DNS check) (the detect-soft-no-bl.xml file); • Spam Detection Hard (the detect-hard.xml file); • Spam Detection Hard (no RBL & DNS check) (the detect-hard-no-rbl.xml file).
The following specific headers are added to a message at the end of this stage: • X-SpamTest-Categories – header containing the content categories assigned to the message based on the content filtering results. • X-SpamTest-Status – header showing the final message status based on the results of all checks: SPAM, Probable Spam, Trusted, or Not Detected.
• The Marking Spam - Keywords profile: delivers the message to the recipient and marks it with the Keywords header, in which the message status and/or assigned content categories are specified; • The Archiving Spam profile: forwards the message to the address specified in rule 1; • The Archiving/Rejecting Spam profile: rejects the message (reject) or forwards it to the address specified in rule 3, depending on the methods used to detect spam.
We recommend starting with the available profiles, then modifying them or creating new ones, if necessary, using existing profiles as patterns. For example, you can set message processing conditions that will be applied to all users by default (see para 4.4.2.1, page 40), or define them for individual users (see 4.4.2.2, page 42). The severity level of mail traffic filtering can also be adjusted (see 4.4.2.3, page 43).
• or the user is on the list specified in the Valid for Recipients List field; • or no recipients are specified. Thus, the first active personal profile in which no particular recipients are specified is applied by default to all users not covered by the preceding active profiles. By default, spam messages are delivered to the recipients and marked in the Subject header.
If you wish to "pass" all messages to all licensed users without restrictions and visible changes by default: • Make sure that the root: No Filtering profile is enabled and heads the list of personal profiles. • Apply this profile to all users: o Open the profile for editing; o Click the Properties button; o Select the Valid for Recipient(s) radio button and clear the corresponding text field.
To specify the users to whom a personal profile is applied: • Open the profile for editing, then click the Properties button. • Enter the user's address (or users' addresses) in the Valid for recipient(s) field, or • select a user list in the Valid for recipient list field after you have created it on the e-mails tab.
If you want the filter to identify as many spam messages as possible, even at the cost of a higher probability of false alarms, use the Spam Detection Hard profile. Finally, if you do not want to use the RBL services check (or the check for the presence of the sending server in DNS), use one of the Spam Detection Standard/Soft/Hard (no RBL) profiles.
X-SpamTest-Method – This header is added by the hidden common profile Analyze Message Headers or by the other common profiles to messages in which spam attributes have been detected. (In the course of further message processing these attributes may be considered insufficient, and the message then receives the Not Detected or Trusted status.)
• Secondly, the X-SpamTest-Info headers may contain more detailed information on the spam attributes detected in a message and recorded in the X-SpamTest-Method headers. A message may have several X-SpamTest-Info headers.
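The X-SpamTest-* headers listed in this section and in 4.4.1.1 are meant for further processing by the e-mail program. The following added example (not code from the guide or the product) reads them back out of a delivered message and turns them into a folder decision. Only the header names and the four status values come from the guide; the sample message, its header values, the comma separator for categories and the folder policy are all constructed for this example.

```python
from email import message_from_string
from email.message import Message
from typing import Dict, List

# The four status values the guide lists for X-SpamTest-Status.
STATUSES = ("SPAM", "Probable Spam", "Trusted", "Not Detected")

# Constructed sample: a message as it might look after the filter has added
# its headers.  The header NAMES come from the guide; the values are made
# up for this example and do not show the filter's real formats.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.net
Subject: hello
X-SpamTest-Method: headers
X-SpamTest-Info: sender host has no DNS name (constructed)
X-SpamTest-Info: header matched regular expression (constructed)
X-SpamTest-Categories: adult, finance
X-SpamTest-Status: SPAM

message body
"""


def spamtest_verdict(msg: Message) -> Dict[str, object]:
    """Collect the X-SpamTest-* headers into one verdict record.

    Status defaults to "Not Detected" when the header is absent; any value
    outside the guide's four is an error rather than silently ignored.
    X-SpamTest-Info may occur several times, so every copy is kept.
    Categories are assumed (the guide does not say) to be comma-separated.
    """
    status = (msg.get("X-SpamTest-Status") or "Not Detected").strip()
    if status not in STATUSES:
        raise ValueError(f"unexpected X-SpamTest-Status value: {status!r}")
    raw_categories = msg.get("X-SpamTest-Categories") or ""
    categories: List[str] = [c.strip() for c in raw_categories.split(",") if c.strip()]
    return {
        "status": status,
        "categories": categories,
        "methods": [str(v).strip() for v in msg.get_all("X-SpamTest-Method", [])],
        "info": [str(v).strip() for v in msg.get_all("X-SpamTest-Info", [])],
    }


def verdict_of(raw_message: str) -> Dict[str, object]:
    return spamtest_verdict(message_from_string(raw_message))


def folder_for(verdict: Dict[str, object]) -> str:
    """Assumed downstream policy (not from the guide): SPAM and Probable Spam
    go to separate folders, everything else is delivered normally."""
    return {"SPAM": "Junk", "Probable Spam": "Probable-Spam"}.get(str(verdict["status"]), "INBOX")


def classify(raw_message: str) -> str:
    return folder_for(verdict_of(raw_message))


if __name__ == "__main__":
    v = verdict_of(SAMPLE_MESSAGE)
    print(v)
    print("deliver to:", folder_for(v))
```

Such a policy only makes sense for mail that actually passed through the filter: the headers carry no meaning on a message that reached the mailbox by another route.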
CHAPTER 5. CONFIGURING FILTERING PARAMETERS Kaspersky Anti-Spam provides the mail server administrator with powerful and convenient tools for protecting users from unwanted mail (spam). The filtering logic is not imposed by the filter: the administrator sets it independently in accordance with the company's policy and the mail recipients' requirements.
For safety reasons, access to kas-thttpd is allowed by default only from the computer where the server is installed. If required, remote administration of Kaspersky Anti-Spam may be allowed. In order to do this: • Replace the line host=127.0.0.1 with host=0.0.0.0 in the file /usr/local/ap-mailfilter/etc/kas-thttpd.conf. • Create a new user and specify a password for accessing WebConfigurator using the program /usr/local/ap-mailfilter/bin/kas-htpasswd. Note that host=0.0.0.0 makes WebConfigurator reachable on every network interface of the server, so before making this change restrict which hosts can reach the kas-thttpd port (for example with a host firewall) and choose a strong password.
• activate – activate the selected profile (see para 5.2.1.2, page 50) • edit – edit the selected profile parameters (see 5.2.3, page 54) • delete – delete the selected profile (see para 5.2.1.3, page 51) • the up/down buttons – move the selected profile one position up or down, respectively. The list of profiles may not entirely fit in the window; use the scroll button to the right of the list. Figure 2. The Common tab 5.2.1.1.
Make sure that you set a value for the File parameter; otherwise an error message is displayed and the profile is not created! • Name — profile name. The filename (without extension) is used as the profile name by default. You can enter a different profile name in the parameter field. 3. Click the create button. After the profile is created, you will be offered to edit its parameters (for more details see 5.2.3, page 54). Figure 3.
1. Select the profile name from the list of existing common profiles (see Figure 2). 2. Click the activate button. The selected profile is enabled, and the previously selected profile is automatically deactivated. The active profile is marked by the (+) symbol in the profile list. 5.2.1.3. Deleting profiles To delete an existing profile: 1. Select the name of the profile you wish to delete from the list of existing common profiles (see Figure 2). 2.
5.2.2. Working with personal profiles. The personal tab The personal tab includes a list of the existing personal profiles (see Figure 5) and a set of control buttons, namely: • new – create a new profile (see para 5.2.2.1, page 52) • on/off – activate the selected profile (see para 5.2.2, page 52) • edit – edit the selected profile parameters (see para 5.2.
manually, or select an address list from those formed on the e-mails tab (see para 5.2.5, page 73): Valid for recipient(s) — create an address (address list) for which this profile will be used. Specify the addresses in the parameter field manually, separating addresses by semicolons. E-mail addresses are entered either in the user@domain or the @domain format. The latter format includes any user of the specified domain.
A newly created profile remains inactive until you activate it. You can activate any number of personal profiles. Active profiles are marked by the (+) symbol in the profile list. To activate (deactivate) a personal profile: 1. Select the profile you wish to activate (deactivate) from the profile list. 2. Click the on/off button. 5.2.3.
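How the filter picks a personal profile for each recipient (the rule given in 4.4.2.1: the first active profile in list order whose Valid for recipient(s) entries match, or whose recipient field is empty) combined with the user@domain and @domain address formats described above, as an added example that is not code from the guide or the product. The profile names other than root: No Filtering, the example.com domains and the list order are constructed; the example deliberately places a catch-all profile before a more specific one to show that the specific one is then never reached.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PersonalProfile:
    """One entry of the personal profile list as WebConfigurator shows it.

    `valid_for` holds the addresses from the Valid for recipient(s) field
    (or the members of a Valid for recipient list); an empty list means the
    profile applies to every recipient not claimed by an earlier profile.
    """
    name: str
    active: bool = True
    valid_for: List[str] = field(default_factory=list)


def parse_valid_for(text: str) -> List[str]:
    """Split the semicolon-separated Valid for recipient(s) field."""
    return [a.strip().lower() for a in text.split(";") if a.strip()]


def address_matches(pattern: str, recipient: str) -> bool:
    """user@domain matches that address exactly; @domain matches any user of
    exactly that domain (a sub-domain does not match)."""
    pattern, recipient = pattern.lower(), recipient.strip().lower()
    if pattern.startswith("@"):
        return recipient.partition("@")[2] == pattern[1:]
    return recipient == pattern


def select_profile(profiles: List[PersonalProfile], recipient: str) -> Optional[PersonalProfile]:
    """Return the personal profile applied to `recipient`: the first ACTIVE
    profile in list order that names the address (directly or via @domain)
    or that names no recipients at all.  None means no personal profile
    applies to this recipient."""
    for profile in profiles:
        if not profile.active:
            continue
        if not profile.valid_for or any(address_matches(p, recipient) for p in profile.valid_for):
            return profile
    return None


# Constructed profile list.  "root: No Filtering" is the profile the guide
# names; the other names and the domains are made up for the example.
PROFILES = [
    PersonalProfile("Strict sales", valid_for=parse_valid_for("sales@example.com; @shop.example.com")),
    PersonalProfile("Off for now", active=False, valid_for=[]),
    PersonalProfile("root: No Filtering", valid_for=[]),
    PersonalProfile("Never reached", valid_for=parse_valid_for("bob@example.com")),
]


def profile_name_for(recipient: str, profiles: List[PersonalProfile] = PROFILES) -> Optional[str]:
    chosen = select_profile(profiles, recipient)
    return chosen.name if chosen else None


if __name__ == "__main__":
    for rcpt in ("sales@example.com", "anyone@shop.example.com", "bob@example.com"):
        print(rcpt, "->", profile_name_for(rcpt))
```

Because the first match wins, a profile with an empty recipient field placed high in the list (as the guide recommends for root: No Filtering when you want everything passed through) silently takes over every recipient that later profiles were meant to handle; check the order whenever you add a profile for a specific user.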
• delete button – delete the rule (see para 5.2.3.3, page 56) • up/down buttons – move the rule up or down one row in the table of rules (see para 5.2.3.4, page 56) • rules list navigation buttons. Up to 5 filtering rules at a time can be displayed on the filter profile editing page. Use the arrow buttons below the table of rules to move to the next or previous set of rules. Figure 7. Creating/editing filter profile 5.2.3.1. Creating filtering rules In order to create a new filtering rule: 1.
Figure 8. Creating new filtering rule 5.2.3.2. Switching to editing an existing rule To start editing an existing filtering rule: 1. Select the rule you wish to edit from the table. 2. Click the button to the right of the rule. See para 5.2.4, page 59 for more details about filtering rule editing. 5.2.3.3. Deleting existing rules In order to delete an existing filtering rule: 1. Select the rule you wish to delete from the table. 2.
The order in which rules are applied is extremely important! Profiles differing from each other only in the order of their rules may produce completely different results when processing the same message. For example, suppose that a certain filter profile consists of two rules, where rule A rejects messages from servers without a DNS name (the reject action) and rule B accepts messages from the servers included in the white list (the accept action).
The common profile type, as well as the filename of the file where its description is saved, cannot be changed. Figure 9. Editing common profile properties In addition, you can edit the field of application of a personal profile (see Figure 10) using the Valid for recipient(s) or Valid for recipient list parameters (see para 5.2.2.1, page 52 for more details). Click the accept button to save the settings. Figure 10.
5.2.3.6. Saving profiles Editing of filter profiles (as well as e-mail and IP address lists, etc.) is performed on copies of the configuration files (see para 5.2.8, page 87). Changes to these files are saved by clicking the accept button each time a filtering rule or parameter is edited. However, this does not affect the filter's operation until the new filter configuration obtained as a result of the editing has been saved.
Figure 11. Filtering rule editing The order of conditions does not matter, since all of them must be met for the rule to be applied. The actions are executed in the order in which they are displayed in the table (THEN DO) in the right part of the filtering rule editing window.
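The rule semantics spelled out in 4.3.3, 5.2.3.4 and here (every condition of a rule must hold, actions run in table order, and a severe or moderately severe action ends processing of the profile) as an added example that is not code from the guide or the product. It replays the guide's rule A / rule B ordering example on a white-listed relay that has no DNS name. The message context dictionary, the 192.0.2.0/24 white list and the relay addresses are constructed; classing accept as a stopping action is inferred from the ordering example, since the guide's full list of severe actions is not on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Actions after which processing of the current profile stops.  reject and
# skip are severe / moderately severe in the guide; accept ends the guide's
# rule-ordering example the same way and is treated as stopping here.
STOPPING_ACTIONS = {"reject", "accept", "skip"}
# bounce, change header and change recipient are "moderate": processing
# continues with the next action of the rule and then the next rule.


@dataclass
class Condition:
    """One IF entry: a predicate over the message context, optionally negated."""
    test: Callable[[Dict[str, object]], bool]
    negate: bool = False

    def holds(self, msg: Dict[str, object]) -> bool:
        return self.test(msg) != self.negate


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # all must hold; their order is irrelevant
    actions: List[str]            # executed in table (THEN DO) order


def run_profile(rules: List[Rule], msg: Dict[str, object]) -> List[str]:
    """Apply the rules of one profile in order and return the actions
    performed, each labelled with the rule that performed it."""
    performed: List[str] = []
    for rule in rules:
        if not all(c.holds(msg) for c in rule.conditions):
            continue
        for action in rule.actions:
            performed.append(f"{rule.name}:{action}")
            if action in STOPPING_ACTIONS:
                return performed       # no further rules of this profile run
    return performed


# Constructed white list (an "IP address list" in the guide's terms).
WHITE_LIST = [ipaddress.ip_network("192.0.2.0/24")]


def relay_on_white_list(msg: Dict[str, object]) -> bool:
    return any(ipaddress.ip_address(str(msg["relay_ip"])) in net for net in WHITE_LIST)


def relay_has_dns_name(msg: Dict[str, object]) -> bool:
    return bool(msg["relay_has_dns_name"])


# The two rules of the guide's ordering example.
RULE_A = Rule("A", [Condition(relay_has_dns_name, negate=True)], ["reject"])
RULE_B = Rule("B", [Condition(relay_on_white_list)], ["accept"])


def outcome(rules: List[Rule], relay_ip: str, has_dns_name: bool) -> List[str]:
    return run_profile(rules, {"relay_ip": relay_ip, "relay_has_dns_name": has_dns_name})


if __name__ == "__main__":
    # A white-listed relay with no DNS name: the rule order decides its fate.
    print("A then B:", outcome([RULE_A, RULE_B], "192.0.2.10", False))
    print("B then A:", outcome([RULE_B, RULE_A], "192.0.2.10", False))
```

The same mechanism explains the note in 4.3.3 about reject: a rule listing change header followed by reject records both actions, but because the common profile's reject answers the sending server with a 550 at SMTP level, the modified message is never delivered and the header change has no visible effect.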
Figure 12. Invalid conditions and actions 5.2.4.2. Setting new conditions In order to set up a new condition: 1. Select the condition type from the Add new condition drop-down list in the filtering rule editing window (see Figure 11). 2. Click the add button to the right of the drop-down list. 3. In the Add new condition window that opens (see for example Figure 13): • select the condition option (there are several options for each condition type).
5.2.4.2.1. Conditions related to the IP address of the sending mail server The following conditions related to the IP address of the sending mail server are available (see Figure 13): Matches the following mask – the IP address of the sending mail relay matches (or does not match) the address specified. Specify the mask in the corresponding field. Figure 13.
Is equal to – the sender's e-mail address matches (or does not match) the address specified. Specify the e-mail address in the parameter field. Is on local list – the sender's e-mail address is included (or not included) in the specified list. Select the name of the e-mail address list from the drop-down list. Figure 14. Conditions related to the sender's e-mail 5.2.4.2.3.
Figure 15. Conditions related to the recipient's e-mail address 5.2.4.2.4. Conditions related to message headers The following message header-related conditions are available (see Figure 16): Name – header name. Specify the header name in the parameter field. Matches regular expression – the message has (or does not have) a header with the name specified in the Name field whose value matches the template entered in the matches regular expression field.
Figure 16. Conditions related to message headers 5.2.4.2.5. Condition related to content filtering results The following condition related to content filtering results is available (see Figure 17): Incoming message falls into the following category – the message content is assigned (or not assigned) the specified content category. Select the category name from the drop-down list.
Figure 17. Condition related to content filtering results 5.2.4.2.6. Condition related to message size The following condition related to message size is available (see Figure 18): Incoming message is larger than ... bytes – the total message size exceeds (or does not exceed) the specified limit. Specify the message size limit (in bytes) in the parameter field. Figure 18.
5.2.4.3. Editing conditions There are two ways to edit conditions: • change the condition parameters without changing the condition type; • change the condition type. In order to edit a condition: 1. select the condition you wish to modify in the IF (Conditions) table in the Rule properties window (see Figure 11). 2. click the button to the right of the condition. 3. if necessary, change the condition type in the Condition properties window (see Figure 19).
5.2.4.4. Deleting conditions In order to delete an existing condition: 1. select the condition you wish to delete from the IF (Conditions) table of the Rule properties window (see Figure 11). 2. click the button to the right of the condition. 5.2.4.5. Creating new actions Possible action types and their options are described in section 4.3.3, page 28.
Recipient's e-mail – the recipient's e-mail address. Specify the address (or several addresses) in the parameter field, separating addresses by semicolons. Replace all – replace all recipients' addresses with the address (address list) specified in the Recipient's e-mail field. Delete – delete the address (addresses) specified in the Recipient's e-mail field from the recipient list.
The following macro variables can be used in the new header value: • ${CATEGORY} – the list of spam categories obtained from the content analysis of the message text (for instance, this list can be saved to the Keywords header). • ${SMTP_FROM} – the sender's address specified in the SMTP envelope. Figure 21. Adding the change header action Replace – replace the old header text with the one specified in the New value field.
Create – create a header with the name specified in the Header field and the text specified in the New value field, independently of any other existing headers with the same name in the message. The new header is added to the beginning of the header list. Delete – delete the header with the specified name. The New value parameter is ignored for this action option. 5.2.4.6.
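The three options of the change header action (replace, create at the beginning of the header list, delete with New value ignored) together with the ${CATEGORY} and ${SMTP_FROM} macro variables, as an added example that is not code from the guide or the product. Headers are modelled as an ordered list of (name, value) pairs. The sample headers, the category list, the X-Envelope-From name and the ", " separator used to join categories are constructed; the behaviour of replace when no header of that name exists is not stated on this page and is assumed here to create one.

```python
from string import Template
from typing import List, Sequence, Tuple

Header = Tuple[str, str]   # (name, value), kept in message order


def expand_macros(value: str, categories: Sequence[str], smtp_from: str) -> str:
    """Substitute the guide's ${CATEGORY} and ${SMTP_FROM} macro variables.

    string.Template uses the same ${NAME} syntax; safe_substitute leaves any
    other $-text (such as "$5") untouched instead of raising.  Joining the
    categories with ", " is an assumption of this example.
    """
    return Template(value).safe_substitute(CATEGORY=", ".join(categories), SMTP_FROM=smtp_from)


def change_header(headers: List[Header], option: str, name: str, new_value: str = "",
                  *, categories: Sequence[str] = (), smtp_from: str = "") -> List[Header]:
    """Apply one change header action and return the new header list.

    replace: every existing header with this name gets the new value
             (assumed: if none exists, one is created as with create).
    create:  a header is added at the beginning of the list regardless of
             existing headers with the same name.
    delete:  all headers with this name are removed; New value is ignored.
    Header names compare case-insensitively, as mail header names do.
    """
    value = expand_macros(new_value, categories, smtp_from)

    def same(h: Header) -> bool:
        return h[0].lower() == name.lower()

    if option == "replace":
        if not any(same(h) for h in headers):
            return [(name, value)] + headers
        return [(name, value) if same(h) else h for h in headers]
    if option == "create":
        return [(name, value)] + headers
    if option == "delete":
        return [h for h in headers if not same(h)]
    raise ValueError(f"unknown change header option: {option!r}")


# Constructed message headers and content-filtering result for the demo.
SAMPLE_HEADERS: List[Header] = [
    ("From", "someone@example.com"),
    ("Subject", "offer"),
    ("Keywords", "old"),
]
SAMPLE_CATEGORIES = ["adult", "finance"]


def demo() -> List[Header]:
    """Keywords <- ${CATEGORY} (replace), then a constructed X-Envelope-From
    header created from ${SMTP_FROM}."""
    h = change_header(SAMPLE_HEADERS, "replace", "Keywords", "${CATEGORY}",
                      categories=SAMPLE_CATEGORIES)
    return change_header(h, "create", "X-Envelope-From", "${SMTP_FROM}",
                         smtp_from="bulk@example.org")


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```

Because create never looks at existing headers, running the same rule twice over a message (for example when a message is re-injected into the MTA) stacks duplicate headers; replace is the option to use when a single authoritative value is wanted.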
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition Figure 22. Editing actions (one of the options) 5.2.4.7. Deleting actions You can delete a filtering rule action from the THEN DO (Actions) table of the Rule properties window (see Figure 11). To delete an existing action: 1. Select the action you wish to delete. 2. Click the button to the right of the action. 5.2.4.8. Saving rules The changes made when editing the filtering rule (i.e.
Configuring Filtering Parameters 73 To save (accept) the changes made to the filtering rule: Click the accept button in the Rule properties window (see Figure 11). The rule edit window opens every time you finish working with a condition or an action (when entering or editing is complete). In order to reject all changes made to the filtering rule after it has been opened for editing, 1. click the cancel button in the edit or condition/action addition window. 2.
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition The use of different address types during the filter setup is arranged identically, including even the address specification format. Therefore this description covers all types of addresses. 5.2.5.1. Viewing lists Every e-mail and IP address list, as well as the DNS-based RBL list, is saved in a separate xml file. You can browse the list of these files by opening the corresponding tab.
Configuring Filtering Parameters Figure 24. The IP addresses tab Figure 25. The DNS blacklists tab List editing on each tab is performed using the following buttons: • new – add new list (see para 5.2.5.2, page 76) • edit – edit parameters of the selected list (see para 5.2.5.3, page 77) • delete – delete selected list (see para 5.2.5.
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition The list may not entirely fit the window. Use the scroll bar to the right of the list to scroll up or down the list. 5.2.5.2. Creating new lists In order to create a new e-mail, IP address or DNS-based RBL list: 1. click the new button of the corresponding tab (see Figure 23 for the e-mails tab, Figure 24 for the ip addresses tab and Figure 25 for the dns blacklists tab). 2.
Configuring Filtering Parameters 5.2.5.3. Editing lists To start editing an existing e-mail, IP address, or DNS-based RBL list: 1. select the list whose parameters you wish to edit from the corresponding tab. 2. click the edit button. A list edit window will open (see Figure 27) where you can add, edit, and delete list elements (addresses, black lists). Figure 27. Editing separate lists (e.g., e-mail list) 5.2.5.3.1.
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition Possible e-mail address input formats: • user@domain • @domain The latter format includes any user of the specified domain. Possible IP address (network mask) input formats: • aaa.bbb.ccc.ddd • aaa.bbb.ccc.ddd/nn The aaa.bbb.ccc.ddd entry is equivalent to aaa.bbb.ccc.ddd/32. Figure 28. Adding new list entries (e.g., IP address) 5.2.5.3.2. Editing list entries In order to edit an e-mail, IP address or DNS-based RBL list entry: 1.
2. click the edit button.
3. edit the list item (an e-mail or IP address (network mask), or a DNS-based black list, respectively) in the window that will open (see Figure 29).
4. click the accept button.

Figure 29. Editing list entries (e.g., e-mail list)

5.2.5.3.3. Deleting list entries

To delete an entry from an e-mail, IP address or DNS-based RBL list:
1. select the entry you wish to delete in the list editing window (see Figure 27).
2.
To edit list parameters:
1. click the properties button in the list editing window (see Figure 27).
2. edit the following list parameters in the window that will open (see Figure 30):
• Name – list name. Edit the name in the name field.
• Description – list description. Enter the necessary information in this field.
The file name cannot be modified.
3. click the accept button.

Figure 30. Editing list properties (e.g., IP address list)

5.2.5.4.
3. click the delete button again in the deletion confirmation window (see Figure 31).

Figure 31. Deleting a list (e.g., IP address list)

5.2.5.5. Saving lists

As with the filter profiles, the e-mail address, IP address, and DNS-based RBL lists are edited using copies of the configuration files. Changes are saved to these copies each time a list or a profile is edited.
5.2.6. Working with sample spam messages

WebConfigurator allows you to add sample spam messages to the content filtering database so that the same or similar messages are not received again, and to edit and delete the added samples. Sample spam messages are managed via the samples tab (see Figure 32).

Figure 32. The samples tab

5.2.6.1.
3.
• Subject – sample message header. Enter the sample message header in the parameter field.
• Body – sample message text. Enter the sample message text in the parameter field.
Click the create button.

Figure 33. Adding new sample messages

5.2.6.2. Editing sample messages

To edit a sample message:
1. Select the message you wish to edit in the samples tab (see Figure 32).
4.
• Category – select from the drop-down list the category the message falls into. The message will immediately be moved to the new category.
• Subject – edit the message header.
• Body – edit the message text.
Click the accept button.

Figure 34. Editing sample messages

5.2.6.3. Deleting sample messages

To delete a sample message:
1. Select the message in the samples tab (see Figure 32).
2. Click the delete button.

5.2.7.
Creating the list of licensed recipients is extremely important, since incoming e-mail messages for these particular users will be analyzed by the filter. Note that the total number of addresses must not exceed the number specified in the license. All the above-mentioned settings are available in the settings tab (see Figure 35). A more detailed discussion of these settings is provided below.

Figure 35. The settings tab

5.2.7.1.
3. Click the accept button.

Figure 36. Notifications editing window

5.2.7.2. Generating the list of licensed users

Generating the list of licensed recipients is extremely important, since incoming e-mail messages for these particular users will be analyzed by the filter. After the product installation the list remains empty. You will have to list the e-mail addresses of the users whose mail you would like to process.
Figure 37. The list of licensed recipients' addresses

5.2.8. Saving Filter configuration

During program operation WebConfigurator creates copies of all necessary configuration files and saves changes to these copies. The configuration files themselves remain unchanged, and the changes can be reversed at any time (before the files are saved). See below.
If copying or compiling the files fails, you will get a list of the detected errors. In this case the binary image of the configuration files will not be overwritten, and the filter will continue using the existing (old) data. One possible reason for a failure when saving and compiling the configuration is the absence of the rights required to overwrite the files.
CHAPTER 6. UPDATING THE CONTENT FILTERING DATABASE

The content filtering database, used for analyzing messages for spam, is updated by the updater script (sfupdates). The update can be performed from the following sources (for more details see para 6.1, page 90):
• from the Internet.
• from a network folder.
The content filtering database update can be launched in one of the following ways (see para 6.2, page 90):
• from the command line.
• using the standard cron utility (scheduled program launch).
6.1. Selecting the source of the content filtering database update

The content filtering database update settings are stored in the updater script configuration file – /usr/local/ap-mailfilter/conf/src/updater.ini (see para A.5, page 125 for more details). You can change the database update source by editing these settings. By default, the updates are downloaded via the Internet from the Kaspersky Lab website (ftp://downloads1.kaspersky-labs.
6.2.1. Scheduled launch

Every distribution of any Unix-type operating system includes cron, a standard utility for scheduled program launch. Using this utility you can set up automated content filtering database updates via the Internet. It is recommended that the database update be scheduled to start every hour. You can register the updater script execution in the crontab of the root user or of the mailflt user on whose behalf the filter works.
6.3. Viewing results

By default, the results of the content filtering database updater script actions are sent to the console and saved to the system log (syslog). Only the most important messages concerning the update mode, the updating process and its results are recorded in the log.
APPENDIX A. ADDITIONAL INFORMATION ABOUT KASPERSKY ANTI-SPAM

A.1. The ap-process-server program (master process)

A.1.1. Starting and stopping the master process

The ap-process-server program (master process) starts during the installation of Kaspersky Anti-Spam and at server restart. For normal operation of Kaspersky Anti-Spam the master process must run continuously.
A.1.2. The ap-process-server program configuration file

The ap-process-server program configuration file consists of configuration parameters (a keyword and its argument separated by a space, one per line) and comments.
PidFile – full path to the pid file. The default value is: /var/tmp/ap-process-server.pid.
LogLevel – a numeric value that determines the level of detail of the records entered into the system log (syslog); see para A.1.3, page 95. The default value is: 3.
SysLogFacility – the facility value used for entering records in the system log. The default value is: mail.
Listen – the address of the socket used to establish connections with the client.
Level   Type of messages entered                                                 Priority
4       Messages notifying of the start and completion of filtering processes.  info
5       Data on the resources consumption by the child processes.                info

A.2. The ap-mailfilter program (filtering process) command line parameters

The ap-mailfilter program (filtering process) is launched by the master process.
Working with RBL

–r – maximum allowable time for the execution of a single filtering rule associated with a DNS call (checking against the RBL services list, looking up a particular IP address in the DNS). The default value is: 6.
–k – the level of detail when analyzing Received headers for extracting IP addresses (with the subsequent check of such addresses against the RBL lists).
–H – a randomization indicator for completion of the filtering process after receiving the SIGHUP signal. The default value is: 0. If the value of H is non-zero, the filtering process completes upon receipt of the signal with a random delay of 0 to H-1 seconds.
• the master process monitors the running filtering processes (launching new processes if required) and establishes a connection between the client and a free filtering process;
• once the connection has been established, the client submits the message for processing and receives the processing results from the filtering process;
• based on the processing results, the client modifies the message and returns it to the mail system.
Figure 38. The kas-milter program operation diagram

A.3.2.2. The kas-milter program configuration file

The parameters used for kas-milter operation are stored in the configuration file /usr/local/ap-mailfilter/etc/kas-milter.conf. Example of a kas-milter configuration file:

SpamtestAddr tcp:127.0.0.1:2255
ConnectTimeout 10000
RWTimeout 30000
ClientAddr local:/usr/local/ap-mailfilter/run/kas-milter.sock
PidFile /usr/local/ap-mailfilter/run/kas-milter.
PidFile – name of the process pid file.
OnError – error processing mode (unable to establish a connection with the filtering process, waiting time exceeded when exchanging data, etc.). Allowable values:
• reject – return code 5xx (SMFIS_REJECT will be returned to Sendmail),
• tempfail (default value) – return code 4xx (SMFIS_TEMPFAIL),
• ignore – ignore the error (SMFIS_CONTINUE),
• accept – accept the message, ignoring all other filters (SMFIS_ACCEPT).
If the program has been installed with the standard setup options, kas-pipe is used for integration with the Postfix and Exim mail systems. kas-pipe receives mail via the SMTP/LMTP protocols using its standard receiving facility and returns the filtered messages via SMTP/LMTP/pipe.
OutgoingAddr exec:/usr/sbin/sendmail -bs
Domain antispam.localhost
OnError accept
MessageStoreMem 50
TempDir /var/tmp
FilteringSizeLimit 500
MultipleMessagesAllowed Yes
LogFacility MAIL
LogLevel silent
LogStderrToo No

Description of the program's parameters:
SpamtestAddr – the address of the socket used for communication with the filtering process. Format: tcp:host:port or unix:/path/to/socket.
TempDir – intermediate data storage folder. If this parameter is not specified, intermediate data will not be stored on the hard drive.
FilteringSizeLimit – the maximum message size (in kilobytes) that can be passed to the filtering module. Larger messages are passed on without filtering. If the value of this parameter is 0 (the default), no limit is applied and all messages are sent to the filtering module.
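The "keyword argument, one per line, plus comments" file format described for ap-process-server (para A.1.2) is shared by the kas-milter and kas-pipe configuration files above. The following added example (not Kaspersky Anti-Spam code) parses such a file and flags the settings an administrator should review: it assumes comment lines start with '#' (the manual does not name the comment character), checks the OnError values documented for kas-milter, and treats a constructed sample file as input.

```python
"""Parse and sanity-check a kas-milter / kas-pipe style configuration file
(one 'Keyword argument' pair per line, plus comments).  Added example, not
part of Kaspersky Anti-Spam.  Assumptions: comment lines start with '#'
(the manual does not name the comment character), and the OnError values
checked are the ones documented for kas-milter."""
import re

ONERROR_VALUES = {"reject", "tempfail", "ignore", "accept"}
# The documented SpamtestAddr formats: tcp:host:port or unix:/path/to/socket
ADDR_RE = re.compile(r"^(tcp:[^:\s]+:\d{1,5}|unix:/\S+)$")

# Constructed sample modelled on the configuration excerpts above.
SAMPLE_CONF = """\
# kas-milter configuration (constructed sample)
SpamtestAddr tcp:127.0.0.1:2255
ConnectTimeout 10000
RWTimeout 30000
OnError accept
FilteringSizeLimit 500
"""


def parse_conf(text):
    """Return {keyword: argument}; a repeated keyword keeps its last value."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # keyword, then the rest as argument
        if len(parts) != 2:
            raise ValueError("line %d: expected 'Keyword argument', got %r" % (lineno, raw))
        conf[parts[0]] = parts[1].strip()
    return conf


def check_conf(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    addr = conf.get("SpamtestAddr")
    if addr is None:
        findings.append("SpamtestAddr missing: the client cannot reach the filtering process")
    elif not ADDR_RE.match(addr):
        findings.append("SpamtestAddr %r is neither tcp:host:port nor unix:/path/to/socket" % addr)
    # tempfail is the documented default when OnError is absent
    on_error = conf.get("OnError", "tempfail").lower()
    if on_error not in ONERROR_VALUES:
        findings.append("OnError %r is not one of %s" % (on_error, sorted(ONERROR_VALUES)))
    elif on_error in ("accept", "ignore"):
        # Fail-open: while the filter is unreachable, mail is delivered unchecked.
        findings.append("OnError %s fails open: mail bypasses filtering while the filter is down" % on_error)
    for key in ("ConnectTimeout", "RWTimeout", "FilteringSizeLimit"):
        val = conf.get(key)
        if val is not None and not val.isdigit():
            findings.append("%s must be a non-negative integer, got %r" % (key, val))
    limit = conf.get("FilteringSizeLimit", "0")
    if limit.isdigit() and int(limit) > 0:
        # Documented behaviour: larger messages are passed on without filtering.
        findings.append("FilteringSizeLimit %s: messages above %s KB bypass filtering" % (limit, limit))
    return findings
```

Run check_conf(parse_conf(open(path).read())) against a live kas-milter.conf or kas-pipe configuration to list the fail-open settings before the module goes into service.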
127.0.0.1:9026 inet n n n 20 spawn
    user=mailflt argv=/usr/local/ap-mailfilter/bin/kas-pipe
    -c /usr/local/ap-mailfilter/etc/kas-pipe-postfix.conf
127.0.0.1:9025 inet n n 25 smtpd
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.
The following changes must be made to the /usr/local/etc/exim/exim.listen configuration file:
1. The value of the transport parameter is changed to kas_lmtp in the dnslookup and localuser sections of the routers:

routers
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = kas_lmtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.
2. make the following changes to the file Local/Makefile:

CFLAGS= -I/usr/local/ap-mailfilter/include
EXTRALIBS_EXIM=-L/usr/local/ap-mailfilter/lib -lspamtest
LOCAL_SCAN_SOURCE=Local/kas_exim.c
LOCAL_SCAN_HAS_OPTIONS=yes

3. compile Exim.

A.3.4.2. kas-exim configuration parameters

The kas-exim program's operation parameters are specified in the configuration file of the Exim mail system, for example:

begin local_scan
spamtest_address = tcp:193.124.130.
A.3.5. kas-qmail (client module for Qmail)

A.3.5.1. kas-qmail operation

The kas-qmail program is designed for integrating Kaspersky Anti-Spam with the Qmail mail system. With kas-qmail, the program operates as follows: qmail-queue is replaced with kas-qmail, and mail messages are transferred to the original qmail-queue after processing.
FilteringSizeLimit 500
DefaultDomain localhost
LogFacility MAIL
LogLevel ERROR

Parameters description:
SpamtestAddr – the address of the socket used for communication with the filtering process. Format: tcp:host:port or unix:/path/to/socket.
ConnectTimeout – maximum allowable waiting time (in milliseconds) when establishing a connection with the filtering process.
RWTimeout – maximum allowable waiting time (in milliseconds) when exchanging data with the filtering process.
A.3.5.3. Configuring Qmail when using kas-qmail

When integrating kas-qmail into the Qmail system:
• the original qmail-queue file is saved under a different name: mv /var/qmail/bin/qmail-queue /var/qmail/bin/qmailqueue.
Two techniques are used to avoid infinite looping:
• kas-cgpro adds a special header to each message it has processed and later checks messages for this header;
• by default kas-cgpro processes only messages that were received via the SMTP protocol (see the AllTransports configuration parameter).

A.3.6.2. The kas-cgpro configuration file

The kas-cgpro program's operation parameters are specified in the configuration file /usr/local/ap-mailfilter/etc/kas-cgpro.conf.
LoopHeader – header added to messages in order to avoid looping.
AllTransports – allows/bans processing of mail messages received from all transports. Allowable values: Yes – process all mail messages, No (default value) – process only mail messages from the SMTP transport.
FilteringSizeLimit – the maximum message size (in kilobytes) that can be passed to the filtering module. Larger messages are passed on without filtering.
A.4. Configuration files

Configuration xml-files are text files containing data descriptions in the XML markup language. The configuration data are logically organized and divided into separate files. The configuration files are read and saved by the WebConfigurator program.

A.4.1. Configuration files and their location in the file system

Kaspersky Anti-Spam configuration files are located in the /usr/local/ap-mailfilter/conf/src folder (CONFSRC) and its subfolders.
The following encodings are supported:
• windows-1251
• koi8-r
• iso-8859-5
• x-mac-cyrillic
• ibm866
WebConfigurator saves files using the koi8-r encoding.

A.4.3. Filter profiles list (profiles.xml)

The list of existing filter profiles, both common and personal, is contained in the profiles.xml file. The configuration file has the following structure:

name – profile name shown by WebConfigurator in the profile list. This is the same name as the one contained in the profile description file.
active – the attribute that defines whether or not this profile is active, using the values yes or no.

A.4.4. Set of e-mail addresses lists (emails.xml)

A set of the existing e-mail address lists is contained in the emails.xml file. The configuration file has the following structure:
name – List name. This is the same name as the one contained in the file with the profile description.

A.4.6. Set of DNS-based RBL service lists (dnsblacklists.xml)

A set of the existing DNS-based RBL service lists is contained in the dnsblacklists.xml file. The configuration file has the following structure:

The configuration file has the following structure:
or or description or comments text, can be multiline Description of condition 1 Description of condition 2 ...
rcpt (possible in a personal profile only) – the list of recipients this profile is valid for. This list may be set in two formats: user1@domain[, user2@domain[, user3@otherdomain] ...] or @domain (implies any user of the specified domain).
rcptlist (possible only in a personal profile) – e-mail address list name (without path). It cannot be used together with rcpt.
The Comment tag contains a multiline free-form comment.
address specified in the format user@domain or @domain
• Sender's e-mail is included in the specified list: filename – file name (without path) from the directory CONFSRC/emails.
3. black hole – delete the message (do not send it further) without generating a message to the sender:
4. skip – stop execution of all rules of the current filter profile and start execution of the next profile:
5. bounce – generate a notification of message rejection to the sender.
6.
• add a new header with the specified name and value (create):
The ${CATEGORY} macrovariable can be used when specifying a new header value. It expands to the list of spam categories obtained by content analysis of the message text (for instance, this list can be saved to the Keywords header).

A.4.8. E-mail addresses list

E-mail address files are located in the CONFSRC/emails folder. The emails.xml file contains a list of these files.
...
The IPList tag defines the list properties:
name – list name
description – free-form comment (may be blank or omitted altogether)
The IP tag sets the IP address. The mask attribute value may be specified in two formats: aaa.bbb.ccc.ddd/nn or aaa.bbb.ccc.ddd (equal to aaa.bbb.ccc.ddd/32).

A.4.10. DNS-based RBL service list

The files of DNS-based RBL services are located in the CONFSRC/dnsblacklists folder. The dnsblacklists.
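The entry formats above (user@domain and the @domain wildcard, see para 5.2.5.3.1; aaa.bbb.ccc.ddd/nn with a bare address meaning /32) are what the filter matches senders and connecting hosts against. The following added example (not Kaspersky Anti-Spam code) validates entries in these formats and matches an address against a list, which is useful for checking a list offline before it is saved; it assumes domain names compare case-insensitively, the local part exactly, and that host bits set in a masked entry are ignored, and the sample lists are constructed.

```python
"""Validate and match entries of the e-mail and IP address lists described
above.  Added example, not part of Kaspersky Anti-Spam.  Assumptions:
domain names are compared case-insensitively, the local part exactly, and
host bits set in a masked entry (e.g. 10.1.2.3/24) are ignored; the sample
lists below are constructed."""
import ipaddress
import re

# user@domain or @domain; an empty local part is the whole-domain wildcard
EMAIL_ENTRY_RE = re.compile(r"^(?P<user>[^@\s]*)@(?P<domain>[^@\s]+)$")

# Constructed lists in the documented entry formats.
SAMPLE_EMAILS = ["alice@example.org", "@spam-source.test"]
SAMPLE_IPS = ["192.0.2.10", "198.51.100.0/24"]


def parse_email_entry(entry):
    """Return (user or None, domain); None marks an @domain wildcard."""
    m = EMAIL_ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError("bad e-mail list entry: %r" % entry)
    return m.group("user") or None, m.group("domain").lower()


def email_in_list(address, entries):
    """True if address matches an exact user@domain entry or an @domain wildcard."""
    user, domain = parse_email_entry(address)
    if user is None:
        raise ValueError("a message address needs a local part: %r" % address)
    for entry in entries:
        e_user, e_domain = parse_email_entry(entry)
        if e_domain == domain and e_user in (None, user):
            return True
    return False


def parse_ip_entry(entry):
    """aaa.bbb.ccc.ddd/nn, or aaa.bbb.ccc.ddd which is equivalent to /32."""
    entry = entry.strip()
    if "/" not in entry:
        entry += "/32"
    # strict=False drops host bits (assumption: the filter masks them too)
    return ipaddress.IPv4Network(entry, strict=False)


def ip_in_list(ip, entries):
    """True if the address falls inside any listed address or network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in parse_ip_entry(entry) for entry in entries)


def invalid_entries(entries, parser):
    """Return the entries that parser rejects, e.g. before saving a list."""
    bad = []
    for entry in entries:
        try:
            parser(entry)
        except ValueError:
            bad.append(entry)
    return bad
```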
A.4.11. List of sample spam messages for users (samples.xml)

The samples.xml file contains the list of sample spam messages for users and has the following structure:
...
The Sample tag attributes:
file – name of the file with the sample (without the path to it), automatically generated by WebConfigurator when a new sample is added.
A.4.13. Advanced filter settings file (settings.xml)

The settings.xml file contains the message texts used by the Filter when executing the bounce and reject actions. The configuration file has the following structure:
....

A.4.14. List of predefined categories (catlist.xml)

Configuration file catlist.
A.5. Updater script configuration file

The content filtering database updater script settings are stored in the configuration file /usr/local/ap-mailfilter/conf/src/updater.ini. This file contains the following parameters:
METHOD – the source of the content filtering database updates. By default the updates are downloaded via the Internet, which corresponds to the value download. To update the database from a local area network folder, set the parameter to copy.
APPENDIX B. KASPERSKY LAB Founded in 1997, Kaspersky Lab has become a recognized leader in information security technologies. It produces a wide range of data security software and delivers high-performance, comprehensive solutions to protect computers and networks against all types of malicious programs, unsolicited and unwanted email messages, and hacker attacks. Kaspersky Lab is an international company.
B.1. Other Kaspersky Lab products

Kaspersky Anti-Virus® Personal

Kaspersky Anti-Virus® Personal protects home computers running Windows 98/ME, 2000/NT/XP from all types of known viruses, including Riskware. The program constantly checks all possible sources of virus penetration, such as e-mail, the Internet, floppy disks, CDs, etc. Unknown viruses are efficiently detected and processed by a unique heuristic data analysis system.
analyzer efficiently detects even unknown viruses. Kaspersky Anti-Virus® Personal includes many interface enhancements, making it easier than ever to use the program.
and from databases. This software package includes an optimal combination of the following anti-virus tools:
• an anti-virus scanner to scan the data stored on both the PDA and the extension card on demand;
• an anti-virus monitor to intercept viruses in files that are either copied from other handhelds or transferred using HotSync™ technology.
Kaspersky® Corporate Suite delivers a reliable, high-performance protection system that is fully compatible with the specific needs of your network configuration. Kaspersky® Corporate Suite provides comprehensive anti-virus protection for:
• Workstations running Windows 98/ME, Windows NT/2000/XP, and Linux;
• File and application servers running Windows NT 4.
The Kaspersky® Anti-Spam Personal software package is a powerful tool that detects spam in the flow of e-mail messages arriving via the POP3 and IMAP4 protocols (only for Microsoft Outlook). The filtering process involves the analysis of all attributes of the message (sender's and recipient's addresses and headers), content filtering (analysis of the message content, including the Subject and attached files), as well as unique linguistic and heuristic algorithms.
APPENDIX C. ASHMANOV & PARTNERS LTD Message filtering technology, which is the basis of Spam Filter operation, has been developed by the company Ashmanov & Partners. Ashmanov & Partners Ltd. is one of the leading Russian developers of semantic text analysis, automated text classification, and other machine intelligence methods. Development of full-text search systems and linguistic information systems is among the other activities of Ashmanov & Partners.