SRX

Hi, I have configurated a SRX 240H2 (cluster configuration) with UTM anti-spam but this don´t working, the spam e-mail are not filter this is the current configuration:

jcamues@fw02> show configuration security utm feature-profile anti-spam
address-whitelist ip-white-list;
traceoptions {
flag all;
flag sbl;
}
sbl {
profile junos-as-defaults {
sbl-default-server;
spam-action block;
custom-tag-string ***SPAM***>;
}
}

jcamues@fw02> show configuration security utm utm-policy junos-av-wf-policy
anti-spam {
smtp-profile junos-as-defaults;
}

jcamues@fw02> show configuration security policies from-zone Internet to-zone LAN_Bogota
policy Rule13 {
description "Email a IP 186.28.228.210";
match {
source-address any;
destination-address Correo_CRDS_10.14.70.83;
application [ junos-mail HTTP_PROXY SMTP_AUTH junos-imap junos-imaps junos-pop3 junos-http junos-https SMTPS POP3S junos-dns-udp junos-smtp ];
}
then {
permit {
application-services {
utm-policy junos-av-wf-policy;
}
}
}
}
policy Rule14 {
description "Email a IP 190.66.21.35";
match {
source-address any;
destination-address Correo_CONSOL_10.14.70.20;
application [ junos-mail HTTP_PROXY SMTP_AUTH junos-imap junos-imaps junos-pop3 junos-http junos-https SMTPS POP3S junos-dns-udp junos-ssh junos-smtp ];
}
then {
permit {
application-services {
utm-policy junos-av-wf-policy;
}
}

jcamues@fw02> show system license
License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
av_key_kaspersky_engine 0 1 0 2016-03-29 19:00:00 COT
anti_spam_key_sbl 1 1 0 2016-03-29 19:00:00 COT
idp-sig 0 1 0 2016-03-29 19:00:00 COT
dynamic-vpn 1 2 0 permanent
ax411-wlan-ap 0 2 0 permanent
appid-sig 0 1 0 2016-03-29 19:00:00 COT
wf_key_websense_ewf 1 1 0 2016-03-29 19:00:00 COT

{primary:node1}
jcamues@fw02> show security utm anti-spam statistics
node0:
--------------------------------------------------------------------------
UTM Anti Spam statistics:

Total connections: 1293
Denied connections: 45
Total greetings: 1219
Denied greetings: 0
Total e-mail scanned: 855
White list hit: 0
Black list hit: 0
Spam total: 0
Spam tagged: 0
Spam dropped: 0
DNS errors: 0
Timeout errors: 0
Return errors: 0
Invalid parameter errors: 0

Statistics start time: 03/21/2015 19:56:11
Statistics for the last 10 days (permitted emails / spams):
day 1: 1/0

node1:
--------------------------------------------------------------------------
UTM Anti Spam statistics:

Total connections: 6377
Denied connections: 121
Total greetings: 6121
Denied greetings: 0
Total e-mail scanned: 4043
White list hit: 0
Black list hit: 0
Spam total: 0
Spam tagged: 0
Spam dropped: 0
DNS errors: 0
Timeout errors: 0
Return errors: 0
Invalid parameter errors: 0

Statistics start time: 03/21/2015 19:53:26
Statistics for the last 10 days (permitted emails / spams):
day 1: 1/0
day 2: 3239/0

Please helpme 

Is the SMTP traffic delivered directly to you, or are you maybe using a trusted relay server in the cloud? If everything comes from a trusted server it might be a problem, I never tried.

Hi Screenie, I test if the  spam filter is working  sending   a test mail containing the following string of

characters

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

I send this test mail from an account outside of your network.

Hi

0) Is your junos-av-wf-policy referring to antispam profile? If not see this KB article

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17286

1) Are you aware that Antispam feature only works for SMTP traffic? Are you testing with SMTP (you should be filtering incoming connections to your mail server)?

2) You can try op mode command like

lab@jFF-A1> test security utm anti-spam profile junos-as-defaults test-string 223.255.178.58         
Anti-spam test result: 
Return SPAM, action Deny, reason Match sbl server blacklist

to check if antispam is able to connect to SBL server. I took the IP from the list of known spammers at 

http://www.juniper.net/security/auto/spam/

3) If it does not work post your complete config (except secrets) here.

PK, I have configured correctly  acoording the KB article (http://kb.juniper.net/InfoCenter/index?page=content&id=KB17286)

I was test the anti-spam profile :

jcamues@fw02> test security utm anti-spam profile junos-as-defaults test-string 223.255.178.58
node0:
--------------------------------------------------------------------------
Anti-spam test result:
Return SPAM, action Deny, reason Match sbl server blacklist

node1:
--------------------------------------------------------------------------
Anti-spam test result:
Return SPAM, action Deny, reason Match sbl server blacklist

I attached the config SRX if you see anything please tellme.

Attachment(s)

config_srx.txt   165 KB 1 version

Hi

Your config seems correct. Make sure your mail is coming in via SMTP, Antispam feature will not work for SMTPS (AFAIK).

And please watch for a private message from me.

Hi

Pk, I corrected the configuration file SRX :), thank you for check this 

This is the actual anti-spam statistics , ¿ why the counters spam is 0 ?

jcamues@fw02> show security utm anti-spam statistics
node0:
--------------------------------------------------------------------------
UTM Anti Spam statistics:

Total connections: 1297
Denied connections: 48
Total greetings: 1219
Denied greetings: 0
Total e-mail scanned: 855
White list hit: 0
Black list hit: 0
Spam total: 0
Spam tagged: 0
Spam dropped: 0
DNS errors: 0
Timeout errors: 0
Return errors: 0
Invalid parameter errors: 0

Statistics start time: 03/21/2015 19:56:11
Statistics for the last 10 days (permitted emails / spams):
day 1: 1/0

node1:
--------------------------------------------------------------------------
UTM Anti Spam statistics:

Total connections: 10318
Denied connections: 160
Total greetings: 9942
Denied greetings: 0
Total e-mail scanned: 6525
White list hit: 0
Black list hit: 0
Spam total: 0
Spam tagged: 0
Spam dropped: 0
DNS errors: 0
Timeout errors: 0
Return errors: 0
Invalid parameter errors: 0

Statistics start time: 03/21/2015 19:53:26
Statistics for the last 10 days (permitted emails / spams):
day 1: 1/0
day 2: 3239/0

Hi

According to your stats, you have thousands of emails scanned per day, and

none of them are marked as spam. Can all these emails really be non-spam?

(I doubt that). 

It it possible that all your mail comes from relay servers (e.g. ones in your

ip-white-list)? In this case SBL will filter by ip address of relay server

and spam will not be detected.

And, by the way, do you really have SMTP server behind the firewall?

Antispam will only work in this scenario. If those connections are SMTP sessions

from your users, again, scanning will be useless.

Hi, Pk thank you for taking your time to answer,  at this time ( since yesterday ) Im not receiving  spam emails  and the email server behind the SRX is SMTP

Best regards

Juan Guillermo

I should have thought of the encryption! Good thinking PK!