Configure threshold settings to determine when InterScan™ Messaging Security Appliance (IMSA) starts blocking IP addresses for each of the following email threats:
To configure spam blocking settings:
Choose IP Filtering > Rules from the menu. The Spam tab appears by default. If you are on a different tab, click the Spam tab.
To enable blocking for spam, select the Enable check box.
Configure the following:
Duration to monitor—The number of hours that IMSA monitors email traffic to see if the percentage of spam email messages exceeds the Threshold you set below.
Threshold—The maximum percentage of spam email messages that IMSA will allow during the value you set for Duration to monitor above. The threshold is a fraction with a numerator and denominator:
Rate (%)—Type the maximum number of allowable email messages with spam threats (the numerator).
Total mails—Type the total number of spam email messages out of which the threshold percentage is calculated (the denominator).
Consider the following example. You configure the following:
Duration to monitor: 1 hour at a rate of 20 out of 100
During each one-hour period that spam blocking is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives contain spam and the total number of messages exceeds 100.
Next to Triggering action, select one of the following:
Block temporarily—Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently—Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Click Save.
Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.
-----------------------
To configure virus blocking settings:
Choose IP Filtering > Rules from the menu.
Click the Virus tab.
To enable blocking for virus threats, select the Enable check box.
Configure the following:
Duration to monitor—The number of hours that IMSA monitors email traffic to see if the percentage of email messages with virus threats exceeds the Threshold you set below.
Threshold—The maximum percentage of email messages with virus threats that IMSA will allow during the value you set for Duration to monitor above. The threshold is a fraction with a numerator and denominator:
Rate (%)—Type the maximum number of allowable email messages with virus threats (the numerator).
Total mails—Type the total number of virus email messages out of which the threshold percentage is calculated (the denominator).
Consider the following example. You configure the following:
Duration to monitor: 1 hour at a rate of 20 out of 100
During each one-hour period that virus blocking is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives contain virus threats and the total number of messages exceeds 100.
Next to Triggering action, select one of the following:
Block temporarily—Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently—Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Click Save.
Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.
-----------------------
To configure DHA blocking settings:
Choose IP Filtering > Rules from the menu.
Click the DHA Attack tab.
To enable blocking for directory harvest attacks, select the Enable check box.
Configure the following:
Duration to monitor—The number of hours that IMSA monitors email traffic to see if the percentage of email messages signalling a DHA attack exceeds the Threshold you set below.
Threshold—The maximum percentage of email messages signalling a DHA attack that IMSA will allow during the value you set for Duration to monitor above. The threshold is a complex expression with the following:
Rate (%)—Type the maximum number of allowable email messages with DHA threats (the numerator).
Total mails—Type the total number of DHA email messages out of which the threshold percentage is calculated (the denominator).
Sent to more than—Type the maximum number of recipients allowed for the threshold value.
Non-existing recipients exceeds—Type the maximum number of nonexistent recipients allowed for the threshold value. DHA attacks often include randomly generated email addresses in the receiver list.
The LDAP service must be running to determine non-existing recipients.
Consider the following example. You configure the following:
Duration to monitor: 1 hour at a rate of 20 out of 100 sent to more than 10 recipients when the number of non-existing recipients exceeds 5.
During each one-hour period that DHA blocking is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives were sent to more than 10 recipients (with more than five of the recipients not in your organization) and the total number of messages exceeds 100.
Next to Triggering action, select one of the following:
Block temporarily—Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently—Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Click Save.
Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.
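The threshold examples above (the plain rate-out-of-total rule and the DHA rule with its two recipient conditions) can be checked against sample traffic with the following added sketch, which is not Trend Micro code and only models the logic as this page words it. The per-sending-IP tally, the `Rule` and `Message` names and the constructed traffic are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    duration_hours: int                        # "Duration to monitor"
    rate_percent: int                          # "Rate (%)"
    total_mails: int                           # "Total mails"
    sent_to_more_than: Optional[int] = None    # DHA rule only
    nonexistent_exceeds: Optional[int] = None  # DHA rule only

@dataclass
class Message:
    received: float          # arrival time, in seconds
    flagged: bool = False    # scanner verdict (spam, virus or bounce)
    recipients: int = 1
    nonexistent: int = 0     # recipients the directory lookup did not find

def is_threat(rule: Rule, msg: Message) -> bool:
    if rule.sent_to_more_than is None:          # spam, virus, bounced mail
        return msg.flagged
    return (msg.recipients > rule.sent_to_more_than
            and msg.nonexistent > rule.nonexistent_exceeds)

def should_block(rule: Rule, history: List[Message], now: float) -> bool:
    """history holds one sending IP's messages (assumed per-IP tally)."""
    start = now - rule.duration_hours * 3600
    window = [m for m in history if start < m.received <= now]
    total = len(window)
    if total <= rule.total_mails:               # volume must exceed "Total mails"
        return False
    threats = sum(is_threat(rule, m) for m in window)
    # Integer comparison: exactly 20% does not trigger, "more than 20%" does.
    return threats * 100 > rule.rate_percent * total

def make_traffic(total: int, threats: int, now: float, **threat_fields) -> List[Message]:
    """Constructed sample traffic, one message per second ending at `now`."""
    return [Message(received=now - i, **(threat_fields if i < threats else {}))
            for i in range(total)]

# The settings from the page's examples: 1 hour, 20 out of 100.
SPAM = Rule(duration_hours=1, rate_percent=20, total_mails=100)
DHA = Rule(duration_hours=1, rate_percent=20, total_mails=100,
           sent_to_more_than=10, nonexistent_exceeds=5)
```

Both conditions must hold at once, so a low-volume sender never reaches the block action however high its threat rate is, and traffic older than the monitoring duration drops out of the tally.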
-----------------------
To configure bounced mail settings:
Choose IP Filtering > Rules from the menu.
Click the Bounced mail tab.
To enable blocking for bounced mail, select the Enable check box.
Configure the following:
Duration to monitor—The number of hours that IMSA monitors email traffic to see if the percentage of email messages signalling bounced mail exceeds the Threshold you set below.
Threshold—The maximum percentage of email messages signalling bounced mail that IMSA will allow during the value you set for Duration to monitor above. The threshold is a fraction with a numerator and denominator:
Rate (%)—Type the maximum number of allowable email messages signalling bounced mail (the numerator).
Total mails—Type the total number of bounced email messages out of which the threshold percentage is calculated (the denominator).
Consider the following example. You configure the following:
Duration to monitor: 1 hour at a rate of 20 out of 100
During each one-hour period that blocking for bounced mail is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives signal bounced mail and the total number of messages exceeds 100.
Next to Triggering action, select one of the following:
Block temporarily—Block email messages from the IP address and allow the upstream MTA to try again.
Block permanently—Never allow another email message from the IP address and do not allow the upstream MTA to try again.
Click Save.
Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.
-----------------------