Configuring IP Profiler Settings

Configure threshold settings to determine when InterScan™ Messaging Security Appliance (IMSA) starts blocking IP addresses for each of the following email threats:

Spam

To configure spam blocking settings:

  1. Choose IP Filtering > Rules from the menu. The Spam tab appears by default. If you are on a different tab, click the Spam tab.

  2. To enable blocking for spam, select the Enable check box.

  3. Configure the following:

Consider the following example. You configure the following:

Duration to monitor: 1 hour at a rate of 20 out of 100

During each one-hour period that spam blocking is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives contain spam and the total number of messages exceeds 100.

  4. Next to Triggering action, select one of the following:

  5. Click Save.

Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.

-----------------------

Viruses

To configure virus blocking settings:

  1. Choose IP Filtering > Rules from the menu.

  2. Click the Virus tab.

  3. To enable blocking for virus threats, select the Enable check box.

  4. Configure the following:

Consider the following example. You configure the following:

Duration to monitor: 1 hour at a rate of 20 out of 100

During each one-hour period that virus blocking is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives contain virus threats and the total number of messages exceeds 100.

  5. Next to Triggering action, select one of the following:

  6. Click Save.

Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.

-----------------------

DHA attacks

To configure DHA blocking settings:

  1. Choose IP Filtering > Rules from the menu.

  2. Click the DHA Attack tab.

  3. To enable blocking for directory harvest attacks, select the Enable check box.

  4. Configure the following:

The LDAP service must be running to determine non-existing recipients.

Consider the following example. You configure the following:

Duration to monitor: 1 hour at a rate of 20 out of 100 sent to more than 10 recipients when the number of non-existing recipients exceeds 5.

During each one-hour period that DHA blocking is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives were sent to more than 10 recipients (with more than five of the recipients not in your organization) and the total number of messages exceeds 100.

 

  • Technically, the LDAP server is not strictly required. The DHA rule of IMSA 7.0 can also obtain the DHA results returned from Postfix, which in turn passes these results to FoxProxy through the LDAP server or other means. FoxProxy then analyzes the results to determine if they are DHA attacks.

  • The LDAP server is only one of the means by which Postfix checks if a user's mailbox exists.

  5. Next to Triggering action, select one of the following:

  6. Click Save.

Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.

-----------------------

Bounced mail

To configure bounced mail settings:

  1. Choose IP Filtering > Rules from the menu.

  2. Click the Bounced mail tab.

  3. To enable blocking for bounced mail, select the Enable check box.

  4. Configure the following:

Consider the following example. You configure the following:

Duration to monitor: 1 hour at a rate of 20 out of 100

During each one-hour period that blocking for bounced mail is active, IMSA starts blocking IP addresses when more than 20% of the messages it receives signal bounced mail and the total number of messages exceeds 100.

  5. Next to Triggering action, select one of the following:

  6. Click Save.

Trend Micro suggests keeping the default values, which provide an adequate level of protection. To restore the default values, click Restore Defaults.
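
The threshold logic from the four examples above, written out as an added Python example (not Trend Micro code) so the boundary cases can be checked before changing the defaults. It assumes counts are kept per source IP in fixed one-hour windows; the Rule fields, function names and sample traffic are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Rule:
    window_s: int = 3600    # Duration to monitor: 1 hour
    rate_pct: int = 20      # the "20" in "20 out of 100"
    min_total: int = 100    # the "100" in "20 out of 100"
    dha: bool = False       # True selects the DHA recipient test
    min_rcpts: int = 0      # DHA: sent to more than N recipients
    min_bad_rcpts: int = 0  # DHA: non-existing recipients exceed N

def is_hit(rule, msg):
    """A message counts toward the rate if it matches the rule's threat."""
    if rule.dha:
        return (msg["rcpts"] > rule.min_rcpts
                and msg["bad_rcpts"] > rule.min_bad_rcpts)
    return msg["flagged"]   # spam, virus or bounce verdict from the scanner

def ips_to_block(rule, messages):
    """IPs that cross both thresholds inside any single window."""
    counts = defaultdict(lambda: [0, 0])   # (ip, window) -> [total, hits]
    for m in messages:
        key = (m["ip"], m["ts"] // rule.window_s)
        counts[key][0] += 1
        counts[key][1] += is_hit(rule, m)
    # Both comparisons are strict: "more than 20%" and "exceeds 100".
    return {ip for (ip, _), (total, hits) in counts.items()
            if total > rule.min_total and hits * 100 > total * rule.rate_pct}

def burst(ip, total, hits, start=0, rcpts=1, bad=0):
    """Constructed traffic: `total` messages, the first `hits` are threats."""
    return [{"ip": ip, "ts": start + i, "flagged": i < hits,
             "rcpts": rcpts if i < hits else 1,
             "bad_rcpts": bad if i < hits else 0} for i in range(total)]

SPAM_RULE = Rule()
SPAM_SAMPLE = (burst("192.0.2.1", 100, 21)     # 21% but total does not exceed 100
               + burst("192.0.2.2", 101, 20)   # 101 messages but only 19.8%
               + burst("192.0.2.3", 101, 21)   # crosses both thresholds
               + burst("192.0.2.4", 75, 40)    # same sender split across
               + burst("192.0.2.4", 75, 40, start=3600))  # two windows
DHA_RULE = Rule(dha=True, min_rcpts=10, min_bad_rcpts=5)
DHA_SAMPLE = (burst("198.51.100.1", 101, 21, rcpts=11, bad=6)
              + burst("198.51.100.2", 101, 21, rcpts=11, bad=5))  # 5 is not > 5

if __name__ == "__main__":
    print(ips_to_block(SPAM_RULE, SPAM_SAMPLE))
    print(ips_to_block(DHA_RULE, DHA_SAMPLE))
```

A sender that stays at or below 100 messages per window is never blocked under these settings, whatever share of its mail is flagged.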

-----------------------

 
