The following settings help prevent spam, viruses, directory harvest attacks, and other
threats from entering your network. SurfControl recommends that you enable the following
pre-screening options as directed below.
Note: These features require that you deploy E-mail Filter upstream from an anti-virus or other receiving mail
server. In order to use the following features:
– The E-mail Filter server must receive e-mail directly from the Internet.
– Your firewall must be configured to allow e-mail directly to the E-mail Filter server.
Blacklist: A blacklist is an administrator-defined anti-spam tool that blocks e-mail from specified sources.
Use this area to enter or import domains or e-mail addresses of sources from whom you do not want to
receive e-mail. This is an effective way to block unwanted messages as soon as they enter E-mail Filter.
You can also provide exclusions to your blacklist. For example, if the domain xyz.com is on your blacklist,
but you still want to receive e-mail from firstname.lastname@example.org, you can enter email@example.com on the Exclusions
list and still receive e-mail from that user.
Reverse DNS Lookup: The Reverse DNS Lookup feature can help detect spoofed e-mail by confirming
that the sender’s PTR record matches the IP address included in the header.
SurfControl recommends that you enable this option and leave the default action of Log Only. This
allows you to take advantage of the Reverse DNS Lookup feature, but does not deny e-mail from sources
that may have mis-configured DNS settings or have no PTR record. The Log Only option generates a log
if there is a mismatch between the IP address and the domain name, but does not reject e-mail; this option
lets you keep track of e-mail sent from illegitimate addresses.
Realtime Blackhole List (RBL): This feature allows E-mail Filter to handshake with third-party “realtime
blackhole lists,” (RBLs) which are externally hosted lists of known spammers.
The Anti-Spam Agent and most other spam layers of E-mail Filter perform spam blocking in the Rules
service. If you use an RBL service and would like to eliminate a significant portion of spam before it enters
the Rules service, SurfControl recommends that you enable RBL lookups and set the action to Deny
When RBL lookups are enabled and set to Deny Connection, E-mail Filter checks the sending host’s IP
address against the RBL, verifying that the IP address is not on the spam list. If the IP address is on the
list, E-mail Filter drops the connection. If not, E-mail Filter continues to process the e-mail.
If you have enabled this option, you can enter domains, e-mail addresses, or IP addresses in the Exclusions
list. This list contains senders for whom you do not want to perform the RBL lookup.
Note: If you enter the IP address of the RBL server on either the RBL list or the RBL Exclusions list, you
must also enable Reverse DNS Lookup.
Directory Harvest Detection: This feature protects your network from directory harvest and phishing
attacks, and stops a significant amount of e-mail-based threats from entering your network. By integrating
with your LDAP server, the Directory Harvest Detection feature ensures that incoming e-mail is
addressed to users who are currently in your Active Directory structure.
SurfControl recommends that you enable this feature and leave the default action of Deny connections
from IP for: 24 hours. With this option enabled, if E-mail Filter detects a directory harvest attack
(defined by the number of invalid connections or addresses per hour), E-mail Filter blocks all e-mail from
that source for the next 24 hours.
Denial of Service Detection: This feature detects attempts to use all your system resources. SurfControl
recommends that you enable this feature, and increase the setting of 5 maximum incomplete sessions
from each IP per hour to 50.
At these default settings, E-mail Filter detects a denial of service attack if there are five incomplete sessions
from one IP address per hour. If E-mail Filter detects a denial of service attack, E-mail Filter blocks all
connections from that IP address for the next 24 hours.