02-01-2016 01:42 PM
We are receiving quite a bit of SPAM messages that contain porn / adult-related content. It is not simply a URL, so I do not believe URL filtering would help. We already mark questionable emails as MARKETING (which these are often tagged by) and then have fairly high percentages for allowed messages. I noticed that under load/save configuration files there is a TEXT file for porn, but I do not understand how that is used. I assume since it is a text file and not an XML file, it would not overwrite our configuration settings. Can anyone provide guidance on how to prevent these types of messages from entering through the IronPort C160? So far I normally block by domain or IP address, but that is not ideal. I know Spam Assassin offers keyword filtering, so I am assuming the IronPort does as well?
02-03-2016 04:28 PM
Hello Wright,
The Cisco ESA does have a feature to use keywords to trap emails; this would be the use of content dictionaries and content filters.
GUI > mail policies > Dictionaries
You can load the inbuilt profanity or sexual content dictionary depending on requirements.
Then once loaded, create a content filter to filter message body and attachment against the content dictionary you deployed.
Then customise how many matches of the words are required for the filter to take action.
Regards
Matthew
02-10-2016 06:40 AM
The other suggestions might help, but a more direct way is to use a content filter and use the included "profanity" and "sexual content" files.
First, import them as Dictionaries. In Mail Policies/Dictionaries, click on Import Dictionary, pick one of the files "profanity" or sexual_content, leave default weight at 1... Then do the other.
Once they're imported, go to Mail Policies/Dictionaries and click on the names. Look through the terms and set any terms you don't want to flag on to a weight of zero (e.g. we're a construction company, and don't want to flag on "erection"...).
Then create an incoming content filter that searches the body for stuff in the dictionary, and set a level that is "too many".
If you want to use both dictionaries, you have to do 2 conditions. Mine looks like this (note the drop down above the conditions that says "if one or more conditions match")
02-02-2016 02:28 AM
I think I would be tempted to change the default reputation threshold, to make the Ironport more sensitive to emails of a low reputation score.
02-02-2016 02:32 AM
Go to "Mail Policies", "HAT Overview" to see what thresholds you currently have configured.
02-02-2016 01:25 PM
I am currently set with 88/70. I was able to figure out how to set up content dictionaries and created a policy that now scans all inbound messages based off of the sexual content TXT file included with the IronPort.
02-09-2016 09:41 AM
But Philip is on the right track; if you haven't already, use SBRS, Sender Base Reputation Score for your sender groups and tighten your thresholds.
For Accept, I'm set to +.50 to +10.0 anything less goes to SuspectList, and the bottom threshold of that isn't very low. Think .50 to -.40; everything else is BL'd.
Greg
02-09-2016 04:34 PM
Hey Greg,
Building on this, if you have some trusted DNS RBLs you could add them for usage as well on the BLACKLIST if you want to aggressively stop some servers.
Regards,
Matthew
02-10-2016 06:47 AM
I do have two DNS lists under BLACKLIST.
b.barracudacentral.org, zen.spamhaus.org
02-10-2016 06:50 AM
One other question. I notice that, using the included dictionaries, words that are part of a word are getting flagged. Example: TWAT is inside of the word smartwatch. There are several others. Is there a way that I can tweak these somehow with wildcards to acknowledge if the word is not part of a word (as an example)? I know there are some crazy wildcards for Spam Assassin for this type of request. Not sure about the IronPort.
02-10-2016 12:51 PM
Hello Wright,
Ensure that you ticked the checkbox of match whole words in the dictionary to avoid this type of match.
Regards
Matthew
02-10-2016 12:55 PM
Awesome! That is what I needed. How the heck did I miss that option? :)
02-10-2016 01:31 PM
Hey Wright,
Happy to help :)
Also, if you do not want to use "Match Whole Words", you can add a boundary (regex) to each term with \bWORD\b
Cheers,
Matthew
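The substring false positive and the `\bWORD\b` fix discussed above, as an added example that is not part of the original thread and is not Cisco's matching engine. It models a weighted dictionary with a match threshold; the "term, weight" file layout, the sample terms and messages, and the `quarantine`/`deliver` labels are assumptions constructed for illustration.

```python
import re

# Constructed sample dictionary, one "term, weight" entry per line (assumed layout).
# Weight 0 disables a term, as in the construction-company tip in this thread.
SAMPLE_DICT = """\
twat, 1
erection, 0
xxx, 2
"""

# Constructed sample message bodies.
LEGIT = "Our new smartwatch ships Monday. Steel erection on site B starts Tuesday."
SPAM = "XXX pics, xxx videos, click now"


def load_dictionary(text):
    """Parse 'term, weight' lines into {term: weight}; a missing weight means 1."""
    terms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        term, _, weight = line.partition(",")
        terms[term.strip().lower()] = int(weight.strip() or 1)
    return terms


def score(body, terms, whole_words=True):
    """Return (weighted score, {term: hit count}) for one message body."""
    total, hits = 0, {}
    for term, weight in terms.items():
        if weight == 0:
            continue  # term switched off by the administrator
        pattern = re.escape(term)
        if whole_words:
            pattern = r"\b" + pattern + r"\b"  # the \bWORD\b form
        count = len(re.findall(pattern, body, flags=re.IGNORECASE))
        if count:
            hits[term] = count
            total += count * weight
    return total, hits


def verdict(body, terms, threshold, whole_words=True):
    """Act only when the weighted score reaches the configured threshold."""
    total, _ = score(body, terms, whole_words)
    return "quarantine" if total >= threshold else "deliver"


if __name__ == "__main__":
    terms = load_dictionary(SAMPLE_DICT)
    for name, body in (("legit", LEGIT), ("spam", SPAM)):
        print(name, "substring:", score(body, terms, whole_words=False),
              "whole-word:", score(body, terms, whole_words=True))
```

Running the same check over a sample of known-good mail before enabling a filter shows which dictionary terms need whole-word matching or a weight of zero.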
02-10-2016 06:46 AM
02-10-2016 01:30 PM
Hello Wright,
I fully support your HAT (or the default values) and would only consider tweaking it if you've seen a trend of, say, -2 senders sending quite a lot of spam or malicious emails, and then make the BLACKLIST just that little bit more aggressive.
But unless you have a whole lot of data to see if there was a trend, sometimes setting it too aggressive can lead to a lot of false positive blocks, so both sides of the coin need to be considered.
Regards,
Matthew