47.2 Blocking Unwanted E-Mail from the Internet

The GroupWise Internet Agent includes the following features to help you protect your GroupWise system and users from unwanted e-mail:

47.2.1 Real-Time Blacklists

Many organizations, such as Mail Abuse Prevention System (MAPS) and SpamCop, provide lists of IP addresses that are known to be open relay hosts or spam hosts. If you want to use free blacklist services such as these, or if you subscribe to fee-based services, you can define the blacklist addresses for these services. The Internet Agent then uses the defined services to ensure that no messages are received from blacklisted hosts. The following sections provide information to help you define blacklist addresses and, if necessary, override a host address included in a blacklist.

Defining a Blacklist Address

  1. In ConsoleOne, right-click the Internet Agent object, then click Properties.

  2. Click Access Control > Blacklists to display the Blacklists page.

    The Blacklist Addresses list displays the addresses of all blacklists that the Internet Agent checks when it receives a message from another SMTP host. The Internet Agent checks the first blacklist and continues checking lists until the sending SMTP host’s IP address is found or all lists have been checked. If the sending SMTP host’s IP address is included on any of the blacklists, the message is rejected. If you have the Internet Agent’s logging level set to Verbose, the log file includes information about the rejected message and the referring blacklist.

    This list corresponds with the Internet Agent’s /rbl switch.

  3. Click Add to display the New Blacklist Address dialog box.

    The following list provides the names, Web sites, and blacklist addresses for two services that are free at the time of this release:

    | Service | Site | Address |
    |---|---|---|
    | Mail Abuse Prevention System (MAPS) | www.mail-abuse.org | blackholes.mail-abuse.org |
    | SpamCop | www.spamcop.net | bl.spamcop.net |

  4. Type the blacklist address in the Address box, then click OK to add the address to the Blacklist Addresses list.

  5. If you have multiple blacklists in the Blacklist Addresses list, use the up-arrow and down-arrow to position the blacklists in the order you want them checked. The Internet Agent checks the blacklists in the order they are listed, from top to bottom.

  6. Click OK to save your changes.

Overriding a Blacklist

In some cases, a blacklist might contain a host from which you still want to receive messages. For example, goodhost.com has been accidentally added to a blacklist but you still want to receive messages from that host.

You can use the SMTP Incoming Exceptions list on a class of service to override a blacklist. For information about editing or creating a class of service, see Section 47.1.2, Creating a Class of Service.

47.2.2 Access Control Lists

If you want to block specific hosts yourself rather than use a blacklist (in other words, create your own blacklist), you can configure a class of service that prevents messages from those hosts. You do this on the Internet Agent object’s Access Control Settings page by editing the desired class of service to add the hosts to the Prevent Messages From exception list on the SMTP Incoming tab. For example, if you wanted to block all messages from badhost.com, you could edit the default class of service to add badhost.com to the list of prevented hosts.

You can also create a list of hosts that you always want to allow messages from, so you can create your own white list.

For information about editing or creating a class of service, see Section 47.1.2, Creating a Class of Service.

47.2.3 Blocked.txt File

ConsoleOne creates a blocked.txt file that includes all the hosts that have been added to the Prevent Messages From exceptions list for the default class of service (see Section 47.1, Controlling User Access to the Internet).

You can manually edit the blocked.txt file to add or remove hosts. To maintain consistency for your system, you can also copy the list to other Internet Agent installations.

To manually edit the blocked.txt file:

  1. Open the blocked.txt file in a text editor.

  2. Add the host addresses.

    The entry format is:

    address1
    address2
    address3
    

    where address is either a hostname or an IP address. You can block on any octet. For example:

    | IP Address | Blocks |
    |---|---|
    | *.*.*.34 | Any IP address ending with 34 |
    | 172.16.*.34 | Any IP address starting with 172.16 and ending with 34 |
    | 172.16.10-34.* | Any IP address starting with 172.16 whose third octet is from 10 to 34 |

    You can block on any segment of the hostname. For example:

    | Hostname | Blocks |
    |---|---|
    | provo*.novell.com | provo.novell.com, provo1.novell.com, provo2.novell.com |
    | *.novell.com | gw.novell.com (but not novell.com itself) |

    There is no limit to the number of IP addresses and hostnames that you can block in the blocked.txt file.

  3. Save the file as blocked.txt.
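Before copying an edited blocked.txt to other Internet Agent installations, it helps to check which senders each entry would actually cover. The following is an added example, not Novell code and not the Internet Agent's own matcher: it implements the entry format as described in the tables above, and assumes that a hostname `*` matches within a single label only. The function names and sample senders are illustrative.

```python
import re

_OCTET = re.compile(r"\*|\d{1,3}(?:-\d{1,3})?")

def is_ip_pattern(entry):
    """True if the entry is four dot-separated octet patterns (*, N or N-M)."""
    parts = entry.split(".")
    return len(parts) == 4 and all(_OCTET.fullmatch(p) for p in parts)

def octet_matches(pattern, octet):
    """Match one octet against '*', a single number, or a low-high range."""
    if pattern == "*":
        return True
    low, _, high = pattern.partition("-")
    return int(low) <= octet <= int(high or low)

def entry_blocks(entry, sender):
    """True if one blocked.txt entry covers sender (an IPv4 string or hostname)."""
    entry, sender = entry.strip().lower(), sender.strip().lower()
    if is_ip_pattern(entry):
        octets = sender.split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return False  # an IP pattern never matches a hostname
        return all(octet_matches(p, int(o)) for p, o in zip(entry.split("."), octets))
    # Hostname entry. Assumption: '*' matches within one label, never across a dot.
    regex = re.escape(entry).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, sender) is not None

def audit(blocked_txt, senders):
    """Map each sender to the first entry that blocks it, or None."""
    entries = [line.strip() for line in blocked_txt.splitlines() if line.strip()]
    return {s: next((e for e in entries if entry_blocks(e, s)), None) for s in senders}

# Constructed file content (the page's own example patterns) and test senders.
BLOCKED_TXT = "*.*.*.34\n172.16.10-34.*\nprovo*.novell.com\n*.novell.com\n"
SENDERS = ["10.1.2.34", "172.16.20.7", "172.16.9.7",
           "provo1.novell.com", "gw.novell.com", "novell.com"]

if __name__ == "__main__":
    for sender, entry in audit(BLOCKED_TXT, SENDERS).items():
        print(f"{sender:20} {'blocked by ' + entry if entry else 'allowed'}")
```

Running the audit against a list of partner hosts you must keep receiving from shows at a glance whether a broad wildcard entry catches any of them.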

47.2.4 Mailbomb (Spam) Protection

Multiple unsolicited messages (sometimes called a mailbomb or spam) from the Internet can potentially harm your GroupWise messaging environment. You can use the settings on the SMTP Security page to help protect your GroupWise system from malicious or accidental attacks.

To configure the SMTP security settings:

  1. In ConsoleOne, right-click the Internet Agent object, then click Properties.

  2. Click SMTP/MIME > Security Settings.

  3. Fill in the fields:

    Reject Mail if Sender’s Identity Cannot be Verified: This setting lets you prevent messages if the sender’s host is not authentic.

    When this setting is turned on, the Internet Agent refuses messages from a smart host if a DNS reverse lookup shows that a PTR record does not exist for the IP address of the sender’s host.

    When this setting is turned off, the Internet Agent accepts messages from any host, but displays a warning if the initiating host is not authentic.

    This setting corresponds with the Internet Agent’s /rejbs switch.

    Enable Mailbomb Protection: Mailbomb protection is turned off by default. You can turn it on by selecting this option.

    Mailbomb Threshold: When you enable Mailbomb protection, default values are defined in the threshold settings. The default settings are 30 messages received within 10 seconds. You can change the settings to establish an acceptable security level.

    Any group of messages that exceeds the specified threshold settings is entirely discarded. If you want to prevent future mailbombs from the mailbomb sender, identify the sender’s IP address (by looking at the Internet Agent’s console) and then modify the appropriate class of service to prevent mail being received from that IP address (Access Control > Settings). For more information, see Section 47.1.2, Creating a Class of Service.

    The time setting corresponds with the Internet Agent’s /mbtime switch. The message count setting corresponds with the /mbcount switch.

  4. Click OK to save the changes.

You can protect your system against mailbombs (spam). With mailbomb protection enabled, if the Internet Agent receives a certain number of messages (the default is 30) from the same host or IP address within a specific time interval (the default is 10 seconds), it discards the messages.
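Because a group of messages that exceeds the threshold is discarded entirely, it is worth checking which legitimate senders would trip a given setting before enabling it. The following is an added example, not Novell code: it replays constructed arrival records through a per-host sliding window, and assumes that "exceeds" means more than `mbcount` messages inside `mbtime` seconds (the Internet Agent's exact counting method is not documented on this page). The parameter names mirror the /mbcount and /mbtime switches; the IP addresses are documentation ranges.

```python
from collections import defaultdict, deque

def mailbomb_hosts(events, mbcount=30, mbtime=10):
    """Replay (timestamp_seconds, sender_ip) records, sorted by time.

    Returns {ip: timestamp at which that host first exceeded the threshold}.
    """
    windows = defaultdict(deque)   # per-host arrival times still inside the window
    flagged = {}
    for ts, ip in events:
        window = windows[ip]
        window.append(ts)
        # Drop arrivals that are mbtime seconds old or older.
        while ts - window[0] >= mbtime:
            window.popleft()
        if len(window) > mbcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed traffic sample:
#   203.0.113.9   - burst of 40 messages at 4 per second
#   198.51.100.20 - newsletter run of 25 messages at 5 per second
#   192.0.2.50    - steady partner relay, one message every 2 seconds
EVENTS = sorted(
    [(i // 4, "203.0.113.9") for i in range(40)]
    + [(100 + i // 5, "198.51.100.20") for i in range(25)]
    + [(2 * i, "192.0.2.50") for i in range(60)]
)

if __name__ == "__main__":
    for count in (30, 20):
        hits = mailbomb_hosts(EVENTS, mbcount=count, mbtime=10)
        print(f"mbcount={count}: {hits}")
```

With the defaults only the burst host is flagged; lowering the count to 20 would also discard the newsletter run, which is the kind of side effect to look for before changing the threshold.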

47.2.5 Customized Spam Identification

Before GroupWise 7, you could use the /xspam startup switch to flag messages for handling by the client Junk Mail Handling feature if they contained an x-spam-flag:yes in the MIME header. Starting in GroupWise 7, you can configure as many strings as needed to identify junk mail and you can use ConsoleOne to specify the strings.

  1. In ConsoleOne, right-click the Internet Agent, then click Properties.

  2. Click SMTP/MIME > Junk Mail.

  3. Select Flag Any Messages, then specify the strings in the text box.

    Anti-spam services use different indicators to mark potential spam. One might use a string of asterisks; the more asterisks, the greater the likelihood that the message is spam. Another might use a numerical value; the higher the number, the greater the likelihood that the message is spam. The following samples are taken from MIME headers of messages:

    X-Spam-Results: *****
    X-Spam-Status: score=9

    Based on these samples, examples are provided below of lines that you could add to the list to handle the X-Spam tags found in the MIME headers of messages coming into your system.

    Example: X-Spam-Results: *****

    This line marks as spam any message whose MIME header contains an X-Spam-Results tag with five or more asterisks. Messages with X-Spam-Results tags with fewer than five asterisks are not marked as spam.

    Example: X-Spam-Status: Yes

    This line marks as spam any message whose MIME header contains the X-Spam-Status tag set to Yes, regardless of the score.

    Example:

    X-Spam-Status: score=9
    X-Spam-Status: score=10

    These lines mark as spam any message whose MIME header has the X-Spam-Status tag set to Yes and has a score of 9 or 10. X-Spam-Status tags with scores less than 9 are not marked as spam.

    You can add as many lines as necessary to the list to handle whatever message tagging your anti-spam service uses.

  4. Click OK to save your list of strings.

The list is saved in the xspam.cfg file in the domain\wpgate\gwia directory. As described above, each line of the xspam.cfg file identifies an “X” header field that your anti-spam service is writing to the MIME header, along with the values that flag the message as spam. The Internet Agent examines the MIME header for any field listed in the xspam.cfg file. When a match occurs, the message is marked for handling by the GroupWise client Junk Mail Handling feature.

47.2.6 SMTP Host Authentication

The Internet Agent supports SMTP host authentication for both outbound and inbound message traffic.

Outbound Authentication

For outbound authentication to other SMTP hosts, the Internet Agent requires that the remote SMTP hosts support the AUTH LOGIN authentication method. To set up outbound authentication:

  1. Include the remote SMTP host’s domain name and authentication credentials in the gwauth.cfg file, located in the domain\wpgate\gwia directory. The format is:

    domain_name   authuser   authpassword
    

    For example:

    smtp.novell.com   remotehost   novell
    
  2. If you have multiple SMTP hosts that require authentication before they accept messages from your system, create an entry for each host. Make sure to include a hard return after the last entry.

  3. If you want to allow the Internet Agent to send messages only to SMTP hosts listed in the gwauth.cfg file, use the following startup switch:

    /forceoutboundauth
    

    With the /forceoutboundauth switch enabled, if a message is sent to an SMTP host not listed in the gwauth.cfg file, the sender receives an Undeliverable message.

Inbound Authentication

For inbound authentication from other SMTP hosts, you can use the /forceinboundauth startup switch to ensure that the Internet Agent accepts messages only from SMTP hosts that use the AUTH LOGIN authentication method to provide a valid GroupWise user ID and password. The remote SMTP hosts can use any valid GroupWise user ID and password. However, for security reasons, we recommend that you create a dedicated GroupWise user account for remote SMTP host authentication.

47.2.7 Unidentified Host Rejection

You can have the Internet Agent reject messages from unidentified sources. The Internet Agent refuses messages from a host if a DNS reverse lookup shows that a “PTR” record does not exist for the IP address of the sender’s host.

If you choose not to have the Internet Agent reject messages from unidentified hosts, it accepts messages from any host, but it displays a warning if the sender’s host is not authentic.

To configure the Internet Agent to reject messages from unidentified hosts:

  1. In ConsoleOne, right-click the Internet Agent object, then click Properties.

  2. Click SMTP/MIME > Security Settings to display the Security Settings page.

  3. Turn on the Reject Mail if Sender’s Identity Cannot Be Verified option.

    This setting corresponds with the Internet Agent’s /rejbs switch.

  4. Click OK to save your changes.