How thorough is the M300's spam filter?

Good morning,
I was asked to find out how thorough the spam filter is on our M300. Does it just check a database or can it do more extensive determinations for spam. Some dedicated spam appliances can determine spoofed emails -- can WatchGuard spot those. Any help here would be greatly appreciated because I need to get a response to my manager -- we're in budget season.

Thanks,

Joe B

Answers

  • Review this:
    About spamBlocker
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/spamblocker/spam_about_c.html

    You can't configure RBL lists etc. as you can with some anti-spam products.
    It is a cloud based service which determines if the e-mail should be considered spam or not, based on a hash which is sent to the cloud server(s).

    See this for an overview:
    Spam Prevention
    https://www.watchguard.com/wgrd-products/security-services/spam-prevention

    Questionable e-mails can be sent to a Quarantine Server for later review.

    The spamBlocker service provider is Cyren.

    As I don't have an internal e-mail server, I can't comment on if it works well or not.
    Perhaps others who use spamBlocker will comment about their experiences.

  • Also, with the SMTP proxy - which you need to use to implement spamBlocker, you can block e-mails sent to your site with a From: of your domain, which will prevent some spoofed e-mails.

  • It works, in my opinion, above average. It misses new localised (I am from Australia) spam, but they are pretty responsive when you take the time to lodge a false negative report. However, the process of lodging these reports needs to be streamlined and automated, as the present manual process is time consuming and discouraging for people who don't have much free time.. To be honest, I only "find the time" when I have been severely annoyed by a persistent spammer..

    Adrian from Australia

  • @Bruce_Briggs said:
    Also, with the SMTP proxy - which you need to use to implement spamBlocker, you can block e-mails sent to your site with a From: of your domain, which will prevent some spoofed e-mails.

    Good morning Bruce,
    That won't work due to the number of internal emails we send here.

    Thanks,

    Joe B

  • @xxup said:
    It works, in my opinion, above average. It misses new localised (I am from Australia) spam, but they are pretty responsive when you take the time to lodge a false negative report. However, the process of lodging these reports needs to be streamlined and automated, as the present manual process is time consuming and discouraging for people who don't have much free time.. To be honest, I only "find the time" when I have been severely annoyed by a persistent spammer..

    Good morning xxup,

    We are getting a ton of spam. I am daily uploading spam to Cyren but I haven't noticed any lessening of the quantity of spam we get. Our finance manager once received a well crafted spear phishing attempt for ACH information supposedly from our GM. He deleted it but we did have another employee open an email from what she thought was an employee and we were hit with Locky. I was hoping WatchGuard had a more robust spam filtering option available to us.

    Thanks,

    Joe B

  • @Jobee1 said:

    @Bruce_Briggs said:
    Also, with the SMTP proxy - which you need to use to implement spamBlocker, you can block e-mails sent to your site with a From: of your domain, which will prevent some spoofed e-mails.

    Good morning Bruce,
    That won't work due to the number of internal emails we send here.

    Thanks,

    Joe B

    Joe,

    Yes, what Bruce recommended should work to prevent spoofed emails. When you send an email internally from an on-premise mail server, it does not go through the firewall's SMTP filter. Doing what Bruce stated blocks OUTSIDE senders from spoofing your domain. It always worked for me when I had onsite Exchange servers behind a Firebox SMTP proxy.

    Gregg

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • Joe,

    Yes, what Bruce recommended should work to prevent spoofed emails. When you send an email internally from an on-premise mail server, it does not go through the firewall's SMTP filter. Doing what Bruce stated blocks OUTSIDE senders from spoofing your domain. It always worked for me when I had onsite Exchange servers behind a Firebox SMTP proxy.

    Gregg

    OIC. This sounds like something that can help us.

    Thanks,

    Joe B

  • @Jobee1 said:

    @xxup said:
    It works, in my opinion, above average. It misses new localised (I am from Australia) spam, but they are pretty responsive when you take the time to lodge a false negative report. However, the process of lodging these reports needs to be streamlined and automated, as the present manual process is time consuming and discouraging for people who don't have much free time.. To be honest, I only "find the time" when I have been severely annoyed by a persistent spammer..

    Good morning xxup,

    We are getting a ton of spam. I am daily uploading spam to Cyren but I haven't noticed any lessening of the quantity of spam we get. Our finance manager once received a well crafted spear phishing attempt for ACH information supposedly from our GM. He deleted it but we did have another employee open an email from what she thought was an employee and we were hit with Locky. I was hoping WatchGuard had a more robust spam filtering option available to us.

    Thanks,

    Joe B

    Joe,

    Even if "...employee open an email from what she thought was an employee...", that employee never should have been able to download the Locky payload file, which I believe was just an EXE file download. You should be blocking executable file downloads (and PS1, VB, etc.) in FTP/HTTP/HTTPS traffic. That way, even if someone were to try to download an executable from any non-approved site, the download would get blocked.

    Try it with this random printer driver https://download.brother.com/welcome/dlf004709/DCP-330C-inst-win7-A2.EXE

    If you get the file offered for download, you should re-do your config to make it more secure.

    Gregg

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • edited September 9

    Regarding your "Our finance manager once received a well crafted spear phishing attempt for ACH information supposedly from our GM" comment, those usually come in two versions. One is spoofing your domain, which Bruce's suggestion should stop, and the other is spoofing the display name, but using a completely unrelated domain name, or a domain name that looks similar, in an attempt to get a lazy reader to see the display name and proceed into the email.

    I know that some versions of Exchange will allow setting up mail transport rules, and in those rules, one can set up display name checking. Say an email comes in and displays as "Joe B JoeB@realdomain.com" in it. That's real and gets to pass. Another comes in as "Joe B JoeB@realldomain.com" and it gets dropped (or have a warning pre-pended) because of the close-but-faked domain name. I do this for all of my Office 365 setups, and they are Exchange 2016 or newer. I do it with a prepended warning in the message body.

    Gregg

    EDIT: My examples above are not showing what I typed. The email address examples should show in between <> symbols...less-than and greater-than, the way they show in Outlook.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • Sure would be nice to know how to disable Markdown or whatever is changing certain characters in the posts

  • "...that employee never should have been able to download the Locky payload file, which I believe was just an EXE file download." >
    Gregg

    What I was told is that Locky was actually a malicious macro. Antivirus programs will probably start looking for stuff like that now.

    Joe B

  • Wow Bruce, this is the first time I've heard about the .exe file. I guess I never dug down deep enough to find this information. The truth is out there...

    Joe B

  • "Antivirus programs will probably start looking for stuff like that now." They have been looking for it for decades! Locky is quite old, first seen in February 2016, and a client of mine got one to his internal Exchange 2010 server right after it came out. Fortunately, his T30 (purchased one month earlier after a three-year sale attempt) had GAV strip the macro out of the attached Word doc, which saved his butt, but it still passed the email and the Word document. The next version of the T30 firmware completely stripped the attachment with the bad macro. He got protected from another variant a month after that, and then never complained about the price of the firewall again.

    A very common attack is a macro that downloads an EXE or PowerShell PS1 file, or JS, JSE, VB, VBE, VBS, HTA, ad nauseum, and those payloads then do the damage. BLOCK ALL OF THEM.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • I still run an in house mail server, and like any good security approach I use a mulit-tiered system for Spam control.
    All email is ran through our ISP's "mailgate" and filtered for Spam, viruses, SPF records .......... and the majority of junk is caught here.
    Secondly the Firebox scans for Spam, and since last reboot of the 70K emails we have received the Firebox caught another 1500 Spam emails,and another 2800 bulk emails, lastly my mail server scans for Spam.
    Which I think is great.
    That being said, just this morning I received an email telling me of an inheritance I will be getting if I just send some money :-)

    Not all systems are perfect.

    It's usually something simple.

Sign In to comment.