How to tell if spamBlocker is working

How can I tell if spamBlocker is working? I've set it up via the wizard and checked to enable logging for reports under proxy actions and "send message" under spamBlocker actions.

Did this a few weeks ago. Watchguard Cloud doesn't show any reports, and under Services, "Spam" isn't listed at all.

The other subscription services I have enabled are properly sending reports to the Watchguard Cloud.

I've also been looking at the headers of incoming emails and I don't see any x-watchguard headers added.

I've got the spamBlocker set up with the IMAP-Proxy. I can see traffic being used in the IMAP-Proxy in Traffic Monitor. Doing search for "spam" in the Traffic Monitor shows nothing.

Any suggestions?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @jkrudeen
    If you go to Firebox System Manager -> Subscription Services tab, or the Fireware WebUI go to Dashboard -> Subscription Services, there will be a section for spamblocker that shows # of messages processed, spam stopped, etc.

    If you're seeing zero for everything, you might be using a different protocol (for example, most Exchange traffic runs over MAPI, and you will need to explicitly set it up as IMAP).

    -James Carson
    WatchGuard Customer Support

  • Thanks for the prompt reply. Everything is showing as zero results under spamBlocker at that Dashboard > Subscription Services.

    Our email service is hosted by Rackspace and majority of our computers are running Outlook. When watching the Traffic Monitor, I see tons of IMAP using port 993. I've tried searching for SMTP and no activity shows up.

    We only run Macs and do not use an Exchange service with Rackspace.

    Any other advice on how to get the spamBlocker to actively monitor our incoming IMAP email?

  • james.carson Moderator, WatchGuard Representative

    Hi @jkrudeen
    You'll want to make sure you have an IMAP proxy policy set up with spamBlocker enabled. If you do have one of those, I'd suggest opening a support ticket with our support team, so they can look into why we may not be matching that policy.

    You can create a ticket by clicking the support center link at the top right of this page.

    -James Carson
    WatchGuard Customer Support

  • I click on the firewall policy "IMAP-Proxy" and under the Proxy action tab the action is assigned to "IMAP-Client.Standard.1" which was created by the spamBlocker wizard.

    Under that Proxy Action tab, then under the TLS tab it shows "Content Inspection Summary (Inspection: Off)". Is that correct?

    Under TLS Profile it is currently selected to use "TLS-Client.Standard". The other choice in the drop-down is "TLS-Client-HTTPS.Standard" Which one?

    Then under that the Action is "allow", should it be "inspect"?

  • james.carson Moderator, WatchGuard Representative

    Hi @jkrudeen
    If you're running TLS encrypted IMAP, the action should be inspect. However, your mail client/OS will need to trust the proxy authority certificate from the firewall as authoritative (as it will re-sign the traffic).

    You can export it from System -> Certificates on the firewall, and import it using the instructions here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/import_client_cert.html

    -James Carson
    WatchGuard Customer Support

  • edited October 2021

    We are not using TLS encrypted IMAP. I did try changing the action to inspect and sure enough the email client brought up a pop-up to trust the cert.

    So I'd prefer not going this route of TLS encryption.

    I don't think the spamblocker is properly running in the IMAP policy. Here's a sample from the traffic monitor:

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64768 993 Comcast ENS Comcast EDI ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imaps/tcp 64766 993 Comcast ENS Comcast EDI Allowed 64 62 (IMAP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="50.XXX.XXX.XXX" tcp_info="offset 11 S 1061876952 win 65535" geo_dst="USA"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imaps/tcp 64767 993 Comcast ENS Comcast EDI Allowed 64 62 (IMAP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="50.XXX.XXX.XXX" tcp_info="offset 11 S 2640719918 win 65535" geo_dst="USA"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imaps/tcp 64768 993 Comcast ENS Comcast EDI Allowed 64 62 (IMAP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="50.XXX.XXX.XXX" tcp_info="offset 11 S 989435664 win 65535" geo_dst="USA"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64767 993 Comcast ENS Comcast EDI IMAP Request (IMAP-proxy-00) proc_id="imap-proxy" rc="544" msg_id="22FF-0000" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" sent_bytes="571" rcvd_bytes="4891" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64768 993 Comcast ENS Comcast EDI IMAP Request (IMAP-proxy-00) proc_id="imap-proxy" rc="544" msg_id="22FF-0000" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" sent_bytes="571" rcvd_bytes="4891" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64769 993 Comcast ENS Comcast EDI ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64770 993 Comcast ENS Comcast EDI ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64769 993 Comcast ENS Comcast EDI IMAP Request (IMAP-proxy-00) proc_id="imap-proxy" rc="544" msg_id="22FF-0000" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" sent_bytes="571" rcvd_bytes="4891" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:51 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64771 993 Comcast ENS Comcast EDI ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:52 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imaps/tcp 64769 993 Comcast ENS Comcast EDI Allowed 64 62 (IMAP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="50.XXX.XXX.XXX" tcp_info="offset 11 S 1627696621 win 65535" geo_dst="USA"

    2021-10-11 15:44:52 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imaps/tcp 64770 993 Comcast ENS Comcast EDI Allowed 64 62 (IMAP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="50.XXX.XXX.XXX" tcp_info="offset 11 S 1592210068 win 65535" geo_dst="USA"

    2021-10-11 15:44:52 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imaps/tcp 64771 993 Comcast ENS Comcast EDI Allowed 64 62 (IMAP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="50.XXX.XXX.XXX" tcp_info="offset 11 S 1848525590 win 65535" geo_dst="USA"

    2021-10-11 15:44:52 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64756 993 Comcast ENS Comcast EDI IMAP Request (IMAP-proxy-00) proc_id="imap-proxy" rc="544" msg_id="22FF-0000" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" sent_bytes="4310" rcvd_bytes="17431" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:52 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64772 993 Comcast ENS Comcast EDI ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    2021-10-11 15:44:52 Allow xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx imap/tcp 64763 993 Comcast ENS Comcast EDI IMAP Request (IMAP-proxy-00) proc_id="imap-proxy" rc="544" msg_id="22FF-0000" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" sent_bytes="1510" rcvd_bytes="8405" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"

    **Edited out IP addresses - James
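A check one could script against Traffic Monitor output like the lines above (an added example, not from the original thread or WatchGuard; the sample records are constructed with placeholder addresses, and the layout of the plaintext port-143 record is an assumption): it parses each record's fixed fields and key="value" pairs, keeps only the imap-proxy records, and flags connections that negotiated TLS while content_inspection is "no", the case where the proxy sees only ciphertext and spamBlocker has no message body to score.

```python
import re
from collections import Counter

# Constructed sample records modelled on the Traffic Monitor lines above.
# Placeholder addresses; the last (port 143, no TLS) record's layout is assumed.
SAMPLE_LOG = """\
2021-10-11 15:44:51 Allow 10.0.0.5 203.0.113.10 imap/tcp 64768 993 Trusted External ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" tls_version="TLS_V12" content_inspection="no" tls_profile="TLS-Client.Standard"
2021-10-11 15:44:51 Allow 10.0.0.5 203.0.113.10 imaps/tcp 64768 993 Trusted External Allowed 64 62 (IMAP-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="198.51.100.7" tcp_info="offset 11 S 989435664 win 65535" geo_dst="USA"
2021-10-11 15:44:52 Allow 10.0.0.5 203.0.113.10 imap/tcp 64772 993 Trusted External ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" tls_version="TLS_V12" content_inspection="yes" tls_profile="TLS-Client.Standard"
2021-10-11 15:44:53 Allow 10.0.0.6 203.0.113.11 imap/tcp 50010 143 Trusted External ProxyAllow: IMAP content inspection (IMAP-proxy-00) proc_id="imap-proxy" rc="590" msg_id="22FF-0018" proxy_act="IMAP-Client.Standard.1" geo_dst="USA" content_inspection="no"
"""

# Fixed leading fields: date time disposition src dst proto/transport sport dport
HEAD_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<disp>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) '
)
# Trailing key="value" pairs; values may contain spaces (e.g. tcp_info)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Return a dict of the fixed fields plus every key="value" pair, or None."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line))
    return rec


def audit_imap_proxy(log_text):
    """Count imap-proxy records and list sessions that stayed opaque to the proxy."""
    # Firewall-level records for the same connection carry no inspection fields,
    # so only proc_id="imap-proxy" records are judged.
    summary = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("proc_id") != "imap-proxy":
            continue
        summary["proxy_records"] += 1
        tls = rec.get("tls_version", "")
        # TLS negotiated but not inspected: nothing for spamBlocker to scan
        if tls and rec.get("content_inspection") != "yes":
            summary["tls_not_inspected"] += 1
            findings.append(
                f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
                f"{tls} content_inspection=no proxy_act={rec.get('proxy_act')}"
            )
        else:
            summary["scannable"] += 1
    return summary, findings
```

Run `audit_imap_proxy` over a Traffic Monitor export; a non-empty findings list on port 993 with `content_inspection=no` matches the situation in this thread, where the proxy action is "allow" rather than "inspect".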

  • james.carson Moderator, WatchGuard Representative

    Hi @jkrudeen
    The traffic appears to be going through the IMAP proxy, so that's a good sign.

    -If you're running an older version of Fireware, you'll want to update to the latest version. Some older versions use an older engine that does not work anymore.

    See:
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bpSHSAY&lang=en_US

    Aside from that, I can't really discern from these logs why it might not be working -- I'd really suggest a support case so one of our support reps can look more closely and help.

    -James Carson
    WatchGuard Customer Support
