Antigen Spam Manager for SMTP Gateways

Applies to: Microsoft Antigen

The Antigen Spam Manager (ASM) provides sophisticated and robust spam detection and removal through the integration of the Cloudmark anti-spam engine. The Antigen Spam Manager also provides the following features:

  • Identify: tag message action upon detection, which allows spam messages to be routed to Junk Mail folders.
  • Integration with Exchange 2003 anti-spam options.
  • ASM Junk Folder for Microsoft Office Outlook® users and the ability for Outlook users to create allowed senders lists and block lists (Exchange Server 2000 only). For information about using ASM Junk Folders, see Chapter 17 – Antigen Spam Manager overview in the Microsoft Antigen for Exchange User Guide.

Configuring the anti-spam scanning settings

ASM includes anti-spam settings that use the Cloudmark anti-spam engine to detect spam e-mail.

In Antigen Version 9 with Service Pack 2, the Cloudmark anti-spam engine was introduced as an improved anti-spam option. On a fresh installation of Antigen Version 9 with Service Pack 2, Cloudmark is the anti-spam solution. To enable the Cloudmark engine for scanning, in the Antigen Administrator, click SETTINGS and then click Anti-Spam. In the Anti-Spam Settings pane, select the SMTP Scan Job and then select the Cloudmark Authority Engine check box. Next, configure the Action and whether to Send Notifications and Quarantine Files.

The action choices for the anti-spam scanning settings are as follows:

  • Skip: detect only—Spam is reported but no other action is taken on the message.
  • Purge: eliminate message—Deletes the entire message from your mail system. It cannot be recovered unless you chose to quarantine the message.
  • Identify: tag message—For details, see About the Identify: tag message action.

Configuring Cloudmark updates

Cloudmark distributes anti-spam signature updates directly to the Antigen server. This differs from the other scan engines, which receive signature updates directly from Microsoft. Cloudmark signature updates occur automatically throughout the day; they are not configurable in the Antigen Administrator.

However, administrators can schedule Antigen to check whether Cloudmark has released an engine update. (An engine update replaces the scan engine with a new version, whereas a signature update adds new signatures to the existing scan engine.) Because engine updates occur much less frequently than signature updates, it is recommended that engine updates be scheduled to occur once daily during off hours. Historically, engine updates have occurred once every several months, but they are released as needed. In the Antigen Administrator, click SETTINGS, and then click Scanner Updates. Use the Scanner Update Settings pane to schedule Cloudmark engine updates. It is also recommended that you click the Update Now button before scanning.

The Cloudmark engine uses HTTPS (port 443) to verify the user license, while signatures are updated via HTTP (port 80). This requires that the Antigen server can connect to the Internet and that both port 80 and port 443 are open on any firewall through which the Antigen server connects. Administrators can verify the connection to the Cloudmark servers by running the following commands on the Antigen server:

  • telnet cdn-microupdates.cloudmark.com 80
  • telnet lvc.cloudmark.com 443

If the connections to these ports fail, you must configure your firewall to allow them.

Note

Cloudmark uses the FSEContentScanner.exe process to receive signature updates. The initial download is approximately 80 MB; after that, updates average between 80 MB and 150 MB per 24-hour period, spread out so that only a small amount of bandwidth is used in any given minute.

Warning

The Cloudmark anti-spam signature updates may fail when passing through a proxy server if NTLM Authentication is enabled. As a workaround, configure the proxy server to allow the Antigen server through anonymously.

Managing Cloudmark updates with FSSMC or AEM

Support for distributing Cloudmark engine updates is available in FSSMC Version 10 Rollup 3. You must have this version installed in order to be able to administer your Cloudmark engine updates using FSSMC. Note that Cloudmark signature updates are not managed by FSSMC because they are distributed directly from the Cloudmark servers. Cloudmark is not supported in Antigen Enterprise Manager (AEM).

Submitting false positives and false negatives to Cloudmark

You can submit false positives and false negatives to Cloudmark for analysis. Information regarding target spam catch-rates, false positive and false negative rates, and other advantages of using the Cloudmark anti-spam solution can be found on the Cloudmark anti-spam Web site.

To submit false positive or false negative spam e-mails to Cloudmark, send the e-mail as an RFC 2822 attachment (.eml). Do not send misclassified messages by using the Forward command; this strips them of essential header information and results in an invalid submission.

False positives (legitimate e-mail marked as spam by Cloudmark) should be sent to: Forefront-legit@submit.cloudmark.com

False negatives (spam not detected by Cloudmark) should be sent to: Forefront-spam@submit.cloudmark.com

To attach an e-mail message as an RFC 2822 attachment

  1. In Microsoft Outlook, create a new e-mail message.

  2. Address it to the appropriate address.

  3. Click the Attach Item button, select the e-mails that were falsely classified, and then click OK.

Using the GTUBE anti-spam test file to determine whether Cloudmark is detecting spam

To ensure that spam is being properly detected by the Cloudmark engine, you should verify that a GTUBE message is caught as spam. Similar to the EICAR antivirus test file, GTUBE provides a test by which you can verify that Cloudmark is detecting incoming spam. A GTUBE message should always be detected as spam by the Cloudmark engine.

Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
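As an added example that is not part of the Antigen documentation or Cloudmark's own tooling, the following Python builds the two messages described above: a GTUBE test message with the string on a single unbroken line (and a check that it stayed unbroken), and a misclassified message wrapped as an RFC 2822 (.eml) attachment addressed to the matching Cloudmark submission address. The sample addresses and the parsed sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# GTUBE string from the page; it must appear unbroken on a single line.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
# Cloudmark submission addresses from the page.
FALSE_POSITIVE_ADDR = "Forefront-legit@submit.cloudmark.com"
FALSE_NEGATIVE_ADDR = "Forefront-spam@submit.cloudmark.com"


def parse_eml(text):
    """Parse RFC 2822 text into an EmailMessage (modern email policy)."""
    return message_from_string(text, policy=default)


def build_gtube_message(sender, recipient):
    """Plain-text message carrying GTUBE on its own line, ready for the gateway."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "GTUBE anti-spam detection test"
    msg.set_content("Cloudmark detection check; this should be caught.\n" + GTUBE + "\n")
    return msg


def gtube_intact(msg):
    """True only if GTUBE survives as one unbroken body line (no wrapping or spaces)."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return False
    return any(line.strip() == GTUBE for line in body.get_content().splitlines())


def build_submission(misclassified_eml, reporter, false_positive):
    """Wrap a misclassified message as a message/rfc822 (.eml) attachment."""
    kind = "false-positive" if false_positive else "false-negative"
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = FALSE_POSITIVE_ADDR if false_positive else FALSE_NEGATIVE_ADDR
    report["Subject"] = "Cloudmark " + kind + " report"
    report.set_content("Misclassified message attached as RFC 2822 (.eml).")
    # Attaching the parsed message object keeps every original header,
    # which forwarding would strip; the part becomes message/rfc822.
    report.add_attachment(parse_eml(misclassified_eml))
    return report
```

To run the GTUBE check, hand the returned message to the gateway with `smtplib.SMTP(gateway_host).send_message(msg)` and confirm that Antigen applies the configured anti-spam action to it.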

About the Identify: tag message action

When ASM is enabled, the Identify: tag message action is available for all filtering and anti-spam functions. This action enables administrators to select how they would like a suspect message to be tagged for later identification. You can choose from the following options:

The available settings and their descriptions are as follows:

Tag subject line

The text specified in the Tag Text dialog box is added to the subject line of the message. The Tag Text dialog box can be accessed by clicking the Tag Text button on the SMTP Scan Job Settings pane. This setting can be used to enable Outlook users to route suspected spam e-mail to a Junk Mail folder by setting client-side rules in their Outlook client.

Message Header

The text specified in the Tag Text dialog box is added to the MIME header. This setting can be used to enable Outlook users to route suspected spam e-mail to a Junk Mail folder by setting client-side rules in their Outlook client.

Set SCL property

Sets the SCL Rating on the message, indicating whether Antigen determined the message to be spam. To use this action, you must select the Enable SCL Rating option in the General Options pane. Antigen always sets the SCL Rating to level 9. The Store Action Threshold in the SMTP Scan Job Settings work pane must also be set to 8 or lower. Using this setting allows Outlook to route suspected spam e-mail to the Outlook Junk Mail folder.

Move to ASM Junk Mail

Routes all messages that match a content filter or are identified as spam to the ASM Junk Mail folder in the user’s Outlook desktop.

Note

To use this action, you must select the Enable Junk Mail Folders option in the General Options pane (Exchange 2000 only).

Note

Multiple options may be checked for each filter.