WatchGuard® Made Simple

This site is for common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content.  While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners.  All other content is the property of Fireboxsupport.com and may not be reproduced without permission.
 

PLEASE REFRESH THE PAGES IF YOU HAVE VISITED PREVIOUSLY! - NEW CONTENT ADDED! 01/02/2007


Configuring Spamscreen®

To configure Spamscreen you must have already configured the SMTP proxy.  If you have not done this, go to the SMTP proxy configuration example first.

Make sure you have the latest strong encryption software for your Firebox downloaded and installed.  To configure Spamscreen, you must have installed your license for it.  In Setup>Licensed Features, it should show your key.

If you have a Firebox III the key will be in XXX-XX-XXXX format.

If you have a Firebox X, the key is obtained from the WatchGuard website after you register it for a certain Firebox.  The key given to you has your Firebox serial number embedded in it as it will only work on your Firebox (the key in the diagram above will only work for the Firebox X with serial number 808200578ECC5). 

If you just enter the Spamscreen key without registering it on the WatchGuard website and obtaining a feature key, it will not function.  Policy Manager will let you enter the key and will accept it, but after you save to the Firebox the key will be rejected and Spamscreen will not function.

If your key is installed, click on Setup>Spamscreen.  If your key is not installed, is incorrectly installed, or you are not using the latest software, Spamscreen will not be listed in the menu.

 

IMPORTANT UPDATE:

Before proceeding, ensure you have applied the Spamscreen 2.01 update which is available on the WatchGuard website in the software section.  If you do not see this update available, make sure you have registered your Spamscreen key on the WatchGuard site.

(Note that if you have already applied the Spamscreen 2.0 update in the past, you do NOT need to install this version 2.01.  The release version was changed due to a compatibility issue which was resolved.  The change does not affect the update in any way.)

Follow the instructions in the release notes of the Spamscreen update to complete the Spamscreen rules update on your Firebox.  Once the update is completed, continue with Spamscreen configuration below.

 

Spamscreen Configuration

Open your current policy in policy manager and select Setup>Spamscreen.

You will be shown the Spamscreen configuration dialog.

You should start by tagging email.  Then you can let Spamscreen run for a while and ask your users to forward you any email that was tagged as spam but is not spam, so you can find out why it was tagged and take action, either by putting the sender on the exceptions list in *@domain.com format or by adjusting rules to allow it.  After you feel comfortable with the setup you can switch to Deny mode.

Above is the recommended setup.  Go through each setting and ensure it is set up as above.  This will tag all email with a score, so if an email is tagged, the headers of the email will tell you why, and a log entry will also go into traffic monitor.

Next click on the RBL lists.

 

 

RBL servers are places where reported spammer IPs are listed.  Spamscreen will check the sending mail server's IP address, and if it is on one of these lists the email will be tagged or rejected.

The RBL/DNS server is YOUR ISP's DNS server.  This is where the Firebox will send requests to look up the RBL list servers' IP addresses.  If you complete the Spamscreen setup and you consistently see "query timeout to x.x.x.x" in your traffic monitor, then your ISP's DNS server is not responding or is not configured to reply to RBL queries.  You can use 4.2.2.2 or 4.2.2.1 if needed for this setting.
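To tell a DNS server that does not answer RBL queries apart from a problem on the Firebox, the same kind of lookup can be sent to that server from a workstation. The sketch below is an added example, not WatchGuard code; it assumes Spamscreen uses the conventional DNSBL lookup (RFC 5782: reversed IPv4 octets prepended to the RBL zone, A record query), and the function names are hypothetical.

```python
import ipaddress
import socket
import struct


def rbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the RBL zone (RFC 5782 convention)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def build_a_query(name, txid=0x5353):
    """Encode a DNS query for the A record of name, with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_reply(reply):
    """Interpret the reply header: RCODE is the low 4 bits of the flags word."""
    if len(reply) < 12:
        return "malformed reply"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "listed"
    if rcode == 3:  # NXDOMAIN: the address is not on this list
        return "not listed"
    return "no usable answer (rcode %d)" % rcode


def check_rbl(ip, zone, dns_server, timeout=3.0):
    """Ask dns_server directly; "timeout" matches the traffic monitor symptom."""
    query = build_a_query(rbl_query_name(ip, zone))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (dns_server, 53))
            return classify_reply(sock.recvfrom(512)[0])
        except socket.timeout:
            return "timeout"


if __name__ == "__main__":
    # 127.0.0.2 is the standard DNSBL test entry; 4.2.2.2 is the fallback named above.
    print(check_rbl("127.0.0.2", "bl.spamcop.net", "4.2.2.2"))
```

Run it once against the ISP's DNS server and once against the fallback: "timeout" or "no usable answer" from the first and "listed" from the second points at the DNS server setting rather than at Spamscreen.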

Leave the MX record weight at the default of 2000, but it is recommended to change the RBL weight to a high number such as 5000.  Email that is listed on an RBL blacklist is likely spam.

The RBLs listed above are not in the list by default but are recommended ones to use.  Type in each of the RBL servers below and click the "Add" button for each one, then put a checkbox next to them in the "RBL lists" column.

bl.spamcop.net
cbl.abuseat.org
dnsbl.njabl.org
dnsbl.sorbs.net
rbl.jp
sbl.spamhaus.org

After completing this, select the "Rules list" tab.

Spamscreen comes with a default set of rules.  You should not alter the default set, but it is recommended you visit http://www.spamscreen.org for more information on adding rules to the list to customize Spamscreen.  Users have provided complete rule sets in text format.  You can import these text format lists directly into your Spamscreen rules list if desired.  WatchGuard support cannot assist with your custom rules or help you block specific emails.  The tools and information are provided, but you will have to do the work.

Last is the Exceptions List.  This tab is for adding domains which should be allowed no matter what.  But don't use this as a dumping ground for email domains that are tagged as spam but are not spam, unless you have no other way to allow them.  If someone's email is tagged, find out why and fix it.  This Exceptions list has a limit, and if you exceed approximately 100 domains in this list it can cause Spamscreen to fail.

Now you can click OK but you are not finished.  You still have to turn on Spamscreen.

Go to your Incoming SMTP proxy and click on the "Properties" tab, and then the "Incoming" button.  You must enable Spamscreen here before it will start checking email.

Click the bottom two checkboxes to start checking incoming email.

Now you can click OK to the Incoming SMTP dialog here, and OK again on the Incoming-SMTP proxy and save the changes to the Firebox.

This completes Spamscreen setup.

After you save these changes, you will see incoming email being checked and listed in traffic monitor.

07/04/04 16:49 smtp-proxy[5014]: (spamscreen) Email received from <spammer@yahoo.com>, identified as spam and denied
07/04/04 16:49 smtp-proxy[5014]: Results of spamscreen:
07/04/04 16:49 smtp-proxy[5014]: 2699 Subject starts with "Hello"
07/04/04 16:49 smtp-proxy[5014]: 2592 Subject includes "viagra"
07/04/04 16:49 smtp-proxy[5014]: 2000 Message-ID contains a dot
07/04/04 16:49 smtp-proxy[5014]: -2000 Message-ID contains common TLD
07/04/04 16:49 smtp-proxy[5014]: 40 SW-Subject contains single comma,
07/04/04 16:49 smtp-proxy[5014]: Score : 5331
07/04/04 16:49 smtp-proxy[5014]: Required: 1999

This shows the sender, and what the score is for the email.  In this test email, the email scored 5331 and the limit is 1999 so it was denied.
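During the tagging phase it helps to see which rules contributed most to a score. The following added example (not part of the original page or of WatchGuard's software) parses the traffic monitor lines shown above, ranks the matched rules by weight, and checks that they add up to the logged score; the function names are hypothetical, and treating a score above "Required" as spam is an assumption.

```python
import re

# Constructed input: the traffic monitor lines quoted on this page.
SAMPLE_LOG = '''\
07/04/04 16:49 smtp-proxy[5014]: (spamscreen) Email received from <spammer@yahoo.com>, identified as spam and denied
07/04/04 16:49 smtp-proxy[5014]: Results of spamscreen:
07/04/04 16:49 smtp-proxy[5014]: 2699 Subject starts with "Hello"
07/04/04 16:49 smtp-proxy[5014]: 2592 Subject includes "viagra"
07/04/04 16:49 smtp-proxy[5014]: 2000 Message-ID contains a dot
07/04/04 16:49 smtp-proxy[5014]: -2000 Message-ID contains common TLD
07/04/04 16:49 smtp-proxy[5014]: 40 SW-Subject contains single comma,
07/04/04 16:49 smtp-proxy[5014]: Score : 5331
07/04/04 16:49 smtp-proxy[5014]: Required: 1999
'''

LINE = re.compile(r"smtp-proxy\[\d+\]: (.*)$")
SENDER = re.compile(r"\(spamscreen\) Email received from <([^>]*)>")
RULE = re.compile(r"(-?\d+) (.+)")
TOTAL = re.compile(r"(Score|Required)\s*: (-?\d+)")


def parse_spamscreen(log_text):
    """Return one dict per email: sender, matched rules, logged score and threshold."""
    emails = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        body = m.group(1).strip()
        sender = SENDER.match(body)
        total = TOTAL.fullmatch(body)
        rule = RULE.fullmatch(body)
        if sender:
            emails.append({"sender": sender.group(1), "rules": []})
        elif emails and total:
            emails[-1][total.group(1).lower()] = int(total.group(2))
        elif emails and rule:
            emails[-1]["rules"].append((int(rule.group(1)), rule.group(2)))
    return emails


def explain(email):
    """Rank rules by weight and check that they add up to the logged score."""
    ranked = sorted(email["rules"], reverse=True)
    total = sum(weight for weight, _ in ranked)
    required = email.get("required")
    # Assumption: mail counts as spam when the score exceeds "Required".
    return {"ranked": ranked, "sum_matches_log": total == email.get("score"),
            "over_threshold": required is not None and total > required}
```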

Additional information about Spamscreen rules can be found at http://www.spamscreen.org and also at the links below from the WatchGuard site.

WFS 7.0's SpamScreen- a Corporate Spam Filtering Solution

Reading a SpamScreen Rule

Writing a SpamScreen Rule

Common Regular Expression Operators "Cheat Sheet"

How can I use multiple SMTP proxy services with SpamScreen?

 

 
