The Anti-Abuse section under the Security menu contains tools to help you prevent others from abusing or improperly using your email system to relay spam messages, use large amounts of bandwidth, connect to your server too frequently, and the like. There are eight items under the Anti-Abuse section:
Relay Control - When a message arrives that is neither to nor from a local domain, SecurityGateway is being asked to deliver, or relay, the message on behalf of some third party. The settings on the Relay Control page govern who is allowed to do that. Relay Control also has options for designating whether or not the address passed during the SMTP MAIL or RCPT command must exist when it contains a local domain.
SMTP Authentication - This page governs the SMTP-AUTH options, which extend SMTP to include an authentication step. This effectively allows users to log in to the server when sending messages, thus ensuring that their identity is known and valid. SMTP Authentication allows you to skip many other security steps designed to catch spammers or other unauthorized users attempting to relay mail through your server by using a forged identity.
IP Shielding - The IP Shield is a list of domain names with associated IP addresses that will be checked during the SMTP MAIL FROM command. An SMTP connection claiming to be from someone at one of the listed domains will be honored only if the IP address of the sending server matches one of the permitted IP addresses listed for that domain.
Dynamic Screening - Using this feature, SecurityGateway can track the behavior of sending servers to identify suspicious activity and then respond accordingly. For example, with Dynamic Screening you can ban an IP address from future connections to your server once a specified number of "unknown recipient" errors occur during a mail session with that IP address. You can ban senders that connect to your server more than a specified number of times in a specified number of minutes, and you can also ban senders that fail authentication attempts more than a designated number of times. However, a Dynamic Screening ban is not permanent. The IP address is banned only for the number of minutes that you specify, and each banned IP address is listed along with the amount of time that has passed since its ban.
Location Screening - This is a geographically based blocking system that you can use to block incoming connections from unauthorized regions of the world. SecurityGateway determines the country associated with the connecting IP address and then blocks that connection if it is from a restricted location. By default, Location Screening blocks only connections attempting to authenticate. This is useful, for example, when you have no users in a specific country but still wish to be able to receive mail from there. That way you would only block those attempting to log in to your server.
Tarpitting - Tarpitting makes it possible for you to deliberately slow down a connection once a specified number of RCPT commands have been received from a message's sender. This is to discourage spammers from trying to send unsolicited bulk email ("spam") to your domains. You can specify the number of RCPT commands allowed before tarpitting begins and the number of seconds to delay the connection each time a subsequent RCPT command is received from that host during the connection. The reasoning behind this technique is that if it takes spammers an inordinately long time to send each message to you, they will be discouraged from trying to do so again in the future.
Bandwidth Throttling - This feature makes it possible for you to police the consumption of bandwidth used by SecurityGateway, both globally and for individual domains. Using Bandwidth Throttling you can control the rate at which each inbound and outbound SMTP session progresses. Further, you can exclude allowlisted senders, authenticated sessions, and your domain email servers from these restrictions.
Account Hijack Detection - The options on this screen can be used to detect a possibly hijacked account on your server and automatically prevent it from sending messages. For example, if a spammer somehow obtained an account's email address and password then this feature could prevent the spammer from using the account to send bulk junk e-mail through your system. You can designate a maximum number of messages that may be sent by an account in a given number of minutes, and optionally cause an account to be disabled if it reaches that limit.
QR Code Detection - QR phishing (also called "QRshing" or "Quishing") is a technique that cyber criminals or scammers sometimes use. They attach a fake QR code to a message in an attempt to get the message recipient to scan the code and then be taken to a site that will be used to harvest information from the person or perpetrate some other scam. Using the options on this page you can configure SecurityGateway to detect and take action if a QR code image is attached to a message.
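The threshold logic behind Dynamic Screening (a ban that expires after a set number of minutes) and Account Hijack Detection (a per-account message limit in a given number of minutes) can be modeled with one sliding-window counter. The following is an added illustration, not SecurityGateway's own code: the class name, the "block when the count reaches the limit" semantics, and all limits and addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque

class ThresholdTracker:
    """Sliding-window event counter that blocks a key once it reaches a limit."""

    def __init__(self, limit, window_minutes, ban_minutes=None):
        self.limit = limit                      # events that trigger the block
        self.window = window_minutes * 60       # window length in seconds
        # ban_minutes=None: block stays until release() (a disabled account)
        self.ban = None if ban_minutes is None else ban_minutes * 60
        self.events = defaultdict(deque)        # key -> recent event times
        self.blocked = {}                       # key -> expiry time or None

    def is_blocked(self, key, now):
        if key not in self.blocked:
            return False
        expiry = self.blocked[key]
        if expiry is not None and now >= expiry:
            del self.blocked[key]               # timed ban has lapsed
            return False
        return True

    def record(self, key, now):
        """Count one event at time `now` (seconds); True if key is now blocked."""
        if self.is_blocked(key, now):
            return True
        recent = self.events[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                    # drop events outside the window
        if len(recent) >= self.limit:
            self.blocked[key] = None if self.ban is None else now + self.ban
            recent.clear()
            return True
        return False

    def release(self, key):
        self.blocked.pop(key, None)             # manual re-enable by an admin

def demo():
    # Constructed settings and addresses, not product defaults.
    auth_fail = ThresholdTracker(limit=3, window_minutes=5, ban_minutes=10)
    ip = "203.0.113.7"
    steps = [auth_fail.record(ip, t) for t in (0, 60, 120)]  # 3rd failure bans
    sent = ThresholdTracker(limit=4, window_minutes=1)       # no expiry
    acct = "user@example.com"
    burst = [sent.record(acct, t) for t in (0, 5, 10, 15)]   # 4th message disables
    return steps, auth_fail.is_blocked(ip, 700), auth_fail.is_blocked(ip, 720), burst

if __name__ == "__main__":
    print(demo())
```

Events spaced wider than the window never accumulate, so slow legitimate traffic is not banned, while the account-style tracker stays blocked until `release()` is called.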