
Symantec Message Filter 6.3 Implementation Guide
powered by Brightmail


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version: 6.3

Legal Notice
Copyright 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Brightmail, the Brightmail logo, BLOC, BrightSig, The Anti-Spam Leader, Probe Network, and Norton Anti-Virus are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's support offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
    - Error messages and log files
    - Troubleshooting that was performed before contacting Symantec
    - Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/ Customer Service is available to assist with non-technical questions, such as the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources


If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com

Contents

Technical Support  4

Chapter 1  Introducing Symantec Message Filter  15
    About Symantec Message Filter  15
    What's new in Symantec Message Filter  16
    Components of Symantec Message Filter  17
    How Symantec Message Filter works  19
    What you can do with Symantec Message Filter  20
    Where to get more information about Symantec Message Filter  24

Chapter 2  Planning for installation  27
    About deploying Symantec Message Filter  27
        About deploying at the gateway layer  28
        About deploying at the post gateway layer  31
        About deploying at the email server  32
        About deploying the Client and the Server  33
    About planning for disk space storage needs  34
        About estimating storage needs for the Quarantine  34
        About estimating storage needs for extended reporting  36
    Configuring firewall settings  38
        Configuring firewall port connections for a standard deployment model  38
    About required ports  40
    About using this product with other filtering products  41
    About adjusting MX records for Symantec Message Filter software  42
    About access by the Server to perimeter information  43

Chapter 3  Installing Symantec Message Filter  45
    Before you install  45
        Creating required accounts and directories  47
        Before you install the Control Center  49
    System requirements  51
    Installing Symantec Message Filter on Linux and Solaris  54
        Installing on Linux and Solaris with the GUI installer  55
        Installing on Linux and Solaris at the command line  60
    Installing Symantec Message Filter on Windows  66
    Migrating to Symantec Message Filter  71
    Post-installation tasks  72
        Verifying Scanner installation  73
        About verifying Control Center installation  74
        About removing .stop files  75
        Starting the Scanner  75
        Configuring the MTA to work with the Mail Filter API (Milter)  76
        Testing to ensure filtering works properly  77
        About timeout values for MTA that are integrated with Symantec Message Filter  80
    Uninstalling Symantec Message Filter  83

Chapter 4  Configuring the Control Center  87
    About the Control Center  87
        Accommodating more than 10,000 users per group policy  88
        Logging onto the Control Center  89
        Logging off of the Control Center  90
        Changing the location of the Control Center on a Scanner  90
    Viewing and modifying advanced configuration attributes  91
        About advanced configuration attributes  92
    Working with MySQL database  107
        Tuning MySQL and Tomcat for large numbers of users  108
        Checking the status of the MySQL database  110
        Repairing the MySQL database  110
        Changing your MySQL password  113
        Determining your MySQL password  115
        Checking the MySQL installation version  116
        Adding the Symantec Message Filter database to MySQL  117
        Configuring the Control Center to access MySQL remotely  118
        About backing up MySQL data  119

Chapter 5  Optimizing Symantec Message Filter  123
    Managing your system, for service providers  123
        About the Sender Reputation Service  123
        About selecting the optimal rule set to optimize performance  131
        Implementing custom rule sets  131
        Using Keep Alive  131
    Optimizing performance on Solaris SPARC  132
        Optimizing performance with Java Message Service  134
    Optimizing performance on Linux  135
    Optimizing performance on Windows  135
    Considerations for tuning the Control Center  135
    About enhancing performance for outbound email  136
        Configuration tips to reduce outbound spam  136
    About the factors that affect performance  138
        Hardware components that affect performance  138
        Environmental factors that affect performance  139
        About the Symantec Message Filter settings that affect performance  139

Chapter 6  Configuring Symantec Message Filter without the Control Center  143
    About configuring settings without using the Control Center  144
        Setting up Scanner services on Linux and Solaris  144
        Setting up Scanner services on Windows  146
        Registering the Scanner on Windows  146
    About configuration file elements  147
    About the Installation section  147
    About the Services section  150
        About the Spam Service Type  151
        About the Virus Services Type  157
        About the Custom Service Type  160
        About the Consent Service Type  161
        About the Language Service Type  171
        About the Reinsert Service Type  172
    About the Programs section  173
        About the Filter program  174
        About the Client program  175
        About the Server program  177
        About the Conduit program  178
        About the LiveUpdate program  182
        About the AntiVirus Cleaner program  187
        About the Harvester program  192
    About the Engine section  193
        About bmiCheckReputation  197
    About the Policies section  198
        Sample policy  202
    Managing logs for stand-alone Scanners  205
        About the log level element  205
        About the log period element  206
        About the periodUnits element  206
        About the numberRetained element  206
    About managing statistics for stand-alone Scanners  207
    About conduit rule updates  209
    About LiveUpdate rule updates  209

Chapter 7  Configuring Java Messaging Server to integrate with Symantec Message Filter  211
    About integrating the Sun Java Messaging Server MTA with Symantec Message Filter  211
        Installation overview  211
    Configuring Messaging Server for Symantec Message Filter  213
        Configuring a multi-node deployment  218
        About enabling the tracker for Messaging Server  218
    Using the Control Center with Messaging Server  219
    Troubleshooting issues with Messaging Server integration  220

Chapter 8  Configuring Sendmail to integrate with Symantec Message Filter  223
    About integrating Sendmail  223
    Understanding the filter address and optional settings  224
    About configuring Sendmail Switch to work with Symantec Message Filter  225
    Configuring Sendmail for Symantec Message Filter with sendmail.cf  226
    About configuring Sendmail for Symantec Message Filter with M4  227
    About using the runner and cron  228
        About managing Scanner components with cron  228
        Understanding automatic library paths  228
        About managing Scanner components with the runner  229
        Starting the runner  230
        About stopping the runner (and all Scanner jobs)  230
        Testing the runner  231
        About monitoring job statuses  232
        About stopping and starting jobs  233
        About the runner configuration file  233

Chapter 9  Using group policies  241
    About group policies  241
    Creating group policies  243
    Working with group policies  244

Chapter 10  Quarantining spam messages  249
    About the quarantine  249
    About LDAP compatibility for the Quarantine  249
        Configuring the Quarantine for other LDAP servers  250
        Configuring the Quarantine for Active Directory  253
        Configuring the Quarantine for iPlanet/Sun ONE/Java Directory Server  258
    About the Quarantine page  261
        Administrator Quarantine page details  263
        Differences between the administrator and end user Quarantine pages  263
    What administrators can do in the Quarantine  264
        Accessing the Quarantine  264
        What administrators can do within a spam message  264
        About searching messages  266
    Working with messages in the Quarantine for end users  269
        Accessing the Quarantine  269
        About the message list page  269
        Message Details page  271
        Searching messages  272
    Configuring the Quarantine  274
        Delivering messages to the Quarantine  275
        Configuring the Quarantine for administrator-only access  275
        About configuring the end user and distribution list notification digests  276
        Configuring recipients for misidentified messages  281
        About the delete unresolved email setting  281
        Setting the Quarantine message retention period  282
        Configuring the number of messages to appear per page  282
        Configuring the logon help  282
        Specifying the Quarantine SMTP IP address  283
        Configuring the Quarantine port for incoming SMTP email  284
        Specifying the Quarantine message and size thresholds  284
    Administering the Quarantine  285
        Starting and stopping the Quarantine  285
        Checking the Quarantine postmaster mailbox  287
        About checking the Quarantine error log  288
        About backing up the Quarantine message database  289
    Troubleshooting the Quarantine  289

Chapter 11  Creating reports  295
    About reports  295
        About available reports  295
        About the report data  298
        Setting the retention period for reporting data  300
        Selecting the data to track  300
    Working with reports  301
        Running reports  301
        Saving reports  302
        Printing reports  302
        Scheduling, editing, or deleting reports  303
    Report generation error  305

Chapter 12  Using filters to protect your environment and block unwanted mail  307
    About Symantec Message Filter filters  307
    About specifying senders to permit or block  308
        How Symantec Message Filter identifies senders and connections  309
        About the Allowed Senders List and the Blocked Senders List  311
        Use case scenarios to allow or block senders  313
        Adding senders to the Blocked Senders List  313
        Adding senders to the Allowed Senders List  315
        Deleting senders from senders' lists  316
        Editing senders in senders' lists  316
        Enabling or disabling senders in senders' lists  317
        Importing sender information into a senders list  317
        Exporting sender information from senders lists  319
        Selecting reputation services to use  319
    About filtering for spam  320
        Adjusting spam scoring  320
        Rejecting spam at the gateway  321
        Scanning email text attachments  322
        Increasing the speed for processing messages  323
    About filtering for viruses  324
        Configuring antivirus filter settings  325
    About custom filters  325
        Creating conditions in custom filters  327
        Guidelines for creating conditions  331
        Creating custom filters  331
        Editing custom filters  333
        Deleting custom filters  333
        Specifying the order in which filters are evaluated  333
        Enabling and disabling custom filters  334
        Importing a Sieve-coded custom filters file  334
        Sample custom filters  334

Chapter 13  Keeping your product up-to-date  339
    About updating virus definitions  339
        About LiveUpdate  340
        About Rapid Release virus definitions  342
    Obtaining the virus definition updates  342
    Obtaining definitions when a new or emerging threat is discovered  344
    Setting a local mirror of the LiveUpdate server  344

Chapter 14  Managing Symantec Message Filter Scanners, hosts, and components  347
    About Scanners, hosts, and components  347
    Managing the Symantec Message Filter Scanners  348
        Adding a Scanner  348
        Testing a Scanner  350
        Editing a Scanner  350
        Enabling and disabling a Scanner  351
        Deleting a Scanner  351
        Viewing the status of Scanners and components  351
        Starting and stopping Symantec Message Filter Scanners and components  352
    Adding administrators  352
    Specifying the insertion host  354
    Specifying internal mail hosts  355
    About registering your Scanner license  357

Chapter 15  Monitoring the Symantec Message Filter status and events  361
    About monitoring the system status  361
    Working with Logs  362
        Modifying Log settings  364
        Viewing and saving logs  365
        Configuring the syslog.conf file for Syslog facilities settings  366
        About tracking messages with the SMTP message ID  368
    Setting up event-based alerts  368
    Checking the versions of Symantec Message Filter components  369

Appendix A  Creating filters by coding in Sieve  371
    About creating filters in Sieve  371
    Working with manually edited Sieve filters file  372
    Sieve implementation details  372
        Sieve filters file location  373
        Supported Sieve commands  373
        Sieve Action commands  374
        Sieve test commands  374
    Sample Sieve scripts  378
        Intercept adult content  379
        Set a size limit on inbound mail  381
        Intercept chain letters  381
        Intercept a particular virus  381
        Intercept greeting cards  382
        Intercept senders that are based on the HELO domain  382

Appendix B  Editing virus notification messages  383
    About virus notification messages  383
    About customizing the cleaner notification file  383
    About the cleaner notification file listing  385

Index  393

Chapter 1

Introducing Symantec Message Filter


This chapter includes the following topics:

- About Symantec Message Filter
- What's new in Symantec Message Filter
- Components of Symantec Message Filter
- How Symantec Message Filter works
- What you can do with Symantec Message Filter
- Where to get more information about Symantec Message Filter

About Symantec Message Filter


Symantec Message Filter (formerly branded as Symantec Brightmail AntiSpam) provides an easy-to-deploy, comprehensive email security solution that protects your customers and your network. It detects and repairs viruses. It also identifies and blocks unwanted email before it can inconvenience your users and overwhelm your network. The product is centralized and automated. It is scalable and can be customized to fit your organization's specific needs. Symantec Message Filter runs with your existing email server or groupware server. Symantec Message Filter includes the following filters that you can customize:

- Antispam filters
- Antivirus definitions
- Content filters
- Allowed senders and blocked senders filters


You can deploy Symantec Message Filter in different configurations to best suit your needs. You can configure settings through the Control Center or you can use the command line.

See Components of Symantec Message Filter on page 17.
See How Symantec Message Filter works on page 19.
See What you can do with Symantec Message Filter on page 20.
See Where to get more information about Symantec Message Filter on page 24.

What's new in Symantec Message Filter


Table 1-1 describes the new features in this release of Symantec Message Filter.

Table 1-1 New features

Support for Windows Server 2008
    Symantec Message Filter now supports both 32-bit and 64-bit versions of Windows Server 2008. See System requirements on page 51.

Separate setup files for Scanner and Control Center
    You can now install the Scanner and the Control Center separately on the Windows platform with the following files:
    - scanner_install_x86_win.exe
    - scanner_install_x64_win.exe
    - bcc_install_win.exe
    See Installing Symantec Message Filter on Windows on page 66.
    Note: The Scanner is now a 64-bit application and the Control Center continues to be a 32-bit application.

Tracker v3
    Tracker v3 enhances the effectiveness of Symantec Message Filter. After a message is scanned, Tracker contains information about the various sets of rules that Symantec Message Filter invokes on the message and the relevant timestamps.

Message Audit Log (MAL)
    Symantec Message Filter provides a message auditing component that lets you save the message audit logs with bmserver logs or system logs. See Working with Logs on page 362.

LiveUpdate
    Symantec Message Filter LiveUpdate automatically downloads virus definitions from Symantec Security Response to the Scanner. The Brightmail Engine of the Scanner uses this information to identify known security threats. See About LiveUpdate rule updates on page 209.

Components of Symantec Message Filter


Table 1-2 lists the components of Symantec Message Filter.

Table 1-2 Components of Symantec Message Filter

Symantec Message Filter Scanner: The Symantec Message Filter Scanner processes email based on the configuration options that you specify. The Scanner contains the following subcomponents:
Symantec Message Filter Agent
Symantec Message Filter Client
Symantec Message Filter Server
Symantec Message Filter Conduit
Symantec Message Filter LiveUpdate

Symantec Message Filter Agent: On each Scanner, the Agent communicates with the Control Center to receive configuration information and to transmit logs and performance statistics.

Symantec Message Filter Client: The Client is a communications channel between the MTA and the Symantec Message Filter Server. You can use multiple Clients, and each Client can communicate with multiple Symantec Message Filter Servers. The Client balances the load between Servers.

Symantec Message Filter Server: The Server filters messages for classification with a variety of scanning technologies. The classification, or verdict, is then returned to the Client for subsequent delivery action.

Symantec Message Filter Conduit: The Conduit obtains updated antispam filters from Symantec and notifies each Server to use the updated filters.

Symantec Message Filter LiveUpdate: LiveUpdate automatically downloads virus definitions from Symantec Security Response to the Scanner. The Scanner's Brightmail Engine uses this information to identify known security threats.

Symantec Message Filter Control Center: The Control Center is a Web-based graphical user interface. It communicates with the Symantec Message Filter Agent on each of your Scanners. You can install the Control Center and the Scanner on the same computer if you have a small environment.

Symantec Message Filter Quarantine: In environments with fewer than 10,000 users, you can use this optional component to provide temporary storage and release of spam messages. You can configure the Spam Quarantine to permit access only to administrators. You can also configure the Quarantine to permit access to individual user quarantines based on LDAP information from an LDAP source in your environment.

Third-party software: You need the following third-party software if you intend to use the Symantec Message Filter Control Center:
MySQL database: The MySQL database stores all of your Symantec Message Filter configuration information, as well as Symantec Message Filter Quarantine configuration and email messages.
Tomcat Web Server: The Control Center communicates configuration information to each Scanner through an XML file. The Java-based Tomcat Web Server hosts the Web functions for the Control Center and the Quarantine.

Symantec provides these third-party software components. You install them when you install the Control Center.

See About Symantec Message Filter on page 15.
See How Symantec Message Filter works on page 19.
See What you can do with Symantec Message Filter on page 20.
See Where to get more information about Symantec Message Filter on page 24.


How Symantec Message Filter works


The Mail Transfer Agent, which is integrated with the Symantec Message Filter Client, receives inbound email. The Client sends the message to the Server for evaluation and scanning. The Symantec Message Filter Server filters messages for classification with a variety of scanning technologies. The Server scans the message to determine the following conditions:

If the sender of the message is in the allowed senders list or the blocked senders list
If the message is scannable
If the message is spam or suspected spam
If the message contains viruses
If the message contains content filtering violations

The Server returns its verdict to the Client. The Client processes the message according to the settings that you configure. The Symantec Message Filter Conduit connects to the Symantec Brightmail Logistics and Operations Center (BLOC) to determine whether updated antispam filters are available. If the filters are available, the Conduit retrieves the updated antispam filters through a secure HTTP file transfer. LiveUpdate connects to the Symantec LiveUpdate server to determine whether updated antivirus definitions are available. If the definitions are available, LiveUpdate retrieves the updated antivirus definitions through a secure HTTP file transfer. After the Conduit and LiveUpdate authenticate the antispam filters and antivirus definitions, they distribute the updated filters and definitions to your Servers and notify your Servers to begin using them. The Control Center is not a part of the Scanner but is integrated with it. You can use the Control Center to configure settings for the Scanner and to set up and manage the Quarantine for your end users. Figure 1-1 shows how Symantec Message Filter integrates with your system.

Figure 1-1 How Symantec Message Filter works

See About Symantec Message Filter on page 15.
See Components of Symantec Message Filter on page 17.
See What you can do with Symantec Message Filter on page 20.
See Where to get more information about Symantec Message Filter on page 24.

What you can do with Symantec Message Filter


Table 1-3 describes what you can do with Symantec Message Filter.

Table 1-3 Symantec Message Filter tasks

Create group policies: You can specify groups of users that are based on email addresses or domain names. You can configure group policies to set identical options for all users or to specify different actions for different groups of users. For each group, you can specify email filtering actions for different categories of email. And for each category, you can specify different filtering options. See About group policies on page 241.

Detect spam: Spam is unsolicited bulk email, most often advertising messages for a product or service. It wastes productivity, time, and network bandwidth. You can define which messages are spam, suspected spam, or not spam based on the scores that Symantec Message Filter assigns to messages. You can also configure how to dispose of spam and suspected spam messages. See About filtering for spam on page 320.

Detect viruses: Symantec Message Filter detects viruses with Symantec antivirus definitions and engines. You can configure Symantec Message Filter to repair infected messages, if possible. You can also specify how you want Symantec Message Filter to dispose of the messages that contain viruses. See About filtering for viruses on page 324.

Stop mass-mailer worm attacks: A mass-mailer worm or virus can exploit security vulnerabilities and spread by sending copies of itself by email through the Internet or a network. For example, a single mass-mailer worm can infect one computer in an organization. Then it can spread by sending copies of itself through email to everyone in the company's global address book. You can specify how you want Symantec Message Filter to dispose of the mass-mailer messages. See About group policies on page 241.

Dispose of unwanted encrypted email: A file that cannot be scanned can put your network at risk if it contains a virus. Infected files can be intentionally encrypted so that they cannot be scanned. You can configure how you want Symantec Message Filter to process encrypted container files to protect your network from threats. See About group policies on page 241.

Establish file processing limits: Symantec Message Filter must be able to decompose and scan a container file to detect viruses. An unscannable container file that contains a virus can pose a risk to your network. An unscannable container file is one that exceeds a scanning limit, is a partial container file, or generates a scanning error. You can specify how you want Symantec Message Filter to process the container files that cannot be scanned. See Configuring antivirus filter settings on page 325.

Filter content: You can create filters that are unique to your organization to filter for specific content in email messages. Create custom content filters with the custom filters editor or through a Sieve filters file. See About Symantec Message Filter filters on page 307. See About creating filters in Sieve on page 371.

Block unwanted email: When you block email from unwanted senders, you reduce the volume of email that is scanned and reduce spam and potential malicious attacks. You can specify a list of senders that you want Symantec Message Filter to block automatically. You can also use third-party blocked senders lists. See About specifying senders to permit or block on page 308.

Let trusted email bypass scanning: Another method that you can use to reduce scanning resources is to permit trusted senders to bypass scanning for spam and content filtering. You can specify trusted senders in an Allowed Senders List. You can also use third-party allowed senders lists. Messages from allowed senders automatically bypass scanning for spam and content filtering.
Note: Symantec Message Filter scans all messages for viruses when virus detection is enabled, including messages from trusted senders.
See About specifying senders to permit or block on page 308.

Quarantine spam messages for review: Symantec Message Filter contains a Spam Quarantine. You can configure the Java-based Quarantine for either administrator-only or end-user access. In administrator-only mode, administrators can take the following actions:
Review quarantined messages to determine whether each message is spam and should be deleted.
Determine if a message is misidentified and should be released to the recipient's inbox.
Review all of the messages that are sent to email addresses that are not valid in the environment.
In end-user mode, an end user can access only the messages that are sent to their email address. See About the quarantine on page 249.

Update antispam filters and antivirus definitions: Symantec Message Filter relies on continually updated filters to filter messages effectively. Symantec Message Filter receives filter updates through the Conduit and LiveUpdate. The Conduit downloads antispam filters and LiveUpdate downloads antivirus definitions. Both components run on each Scanner that contains a Symantec Message Filter Server. The Conduit and LiveUpdate poll the secure Web sites to check for updated filters. If new filters and definitions are available, they retrieve the updated filters and definitions through a secure HTTP file transfer. After they authenticate the filters and definitions, they notify the Symantec Message Filter Servers to begin using the updated filters and definitions. See About conduit rule updates on page 209. See About LiveUpdate rule updates on page 209.

Receive notifications of outbreaks: Symantec Message Filter helps you manage outbreaks quickly and effectively by setting outbreak rules. Email notifications alert you when an outbreak is detected. See Setting up event-based alerts on page 368.
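The "Dispose of unwanted encrypted email" and "Establish file processing limits" tasks both hinge on deciding whether a container file can be scanned at all. The following Python script is an added example, not part of this guide or the product: it classifies a ZIP attachment into the guide's categories (encrypted, exceeds a scanning limit, partial container, scanning error) using constructed limits, and builds its own sample archives inline so it runs offline.

```python
"""Classify a ZIP container attachment as scannable or unscannable.

Added example, not product code. The limits below are constructed for
illustration and are not Symantec Message Filter settings.
"""
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanLimits:
    max_total_bytes: int = 50 * 1024 * 1024  # total uncompressed size allowed
    max_ratio: int = 100                     # uncompressed:compressed ratio allowed
    max_depth: int = 3                       # levels of nested archives allowed


def classify_container(data: bytes, limits: ScanLimits = ScanLimits(), depth: int = 1) -> str:
    """Return "scannable" or the reason the container cannot be scanned."""
    if depth > limits.max_depth:
        return "exceeds scanning limit: nesting depth"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
        entries = archive.infolist()
    except zipfile.BadZipFile:
        # Truncated or corrupt central directory: a partial container.
        return "partial container"
    except Exception:
        return "scanning error"

    total = 0
    for info in entries:
        # General-purpose flag bit 0 marks an encrypted entry. Its content cannot
        # be inspected, so the whole container is treated as unscannable.
        if info.flag_bits & 0x1:
            return "encrypted"
        total += info.file_size
        if total > limits.max_total_bytes:
            return "exceeds scanning limit: total size"
        if info.compress_size and info.file_size // info.compress_size > limits.max_ratio:
            return "exceeds scanning limit: compression ratio"

    # Nested archives are decomposed recursively, one depth level per container.
    for info in entries:
        if info.filename.lower().endswith(".zip"):
            try:
                inner = archive.read(info)
            except (zipfile.BadZipFile, RuntimeError, EOFError, OSError):
                return "partial container"
            verdict = classify_container(inner, limits, depth + 1)
            if verdict != "scannable":
                return verdict
    return "scannable"


def make_zip(entries: dict, compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Build a constructed in-memory archive from {name: payload}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as archive:
        for name, payload in entries.items():
            archive.writestr(name, payload)
    return buf.getvalue()


def flag_as_encrypted(zip_bytes: bytes) -> bytes:
    """Set flag bit 0 in every local and central header of a constructed archive.

    The payload is not really encrypted; this only reproduces the header state
    that an encrypted container presents, which is what the classifier checks.
    """
    out = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            out[pos + flag_offset] |= 0x01
            pos = out.find(signature, pos + len(signature))
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples, one per category the guide describes.
    samples = {
        "plain": make_zip({"report.txt": b"quarterly figures"}),
        "encrypted": flag_as_encrypted(make_zip({"report.txt": b"quarterly figures"})),
        "truncated": make_zip({"report.txt": b"quarterly figures"})[:-20],
        "bomb": make_zip({"zeros.bin": b"\0" * 1_000_000}),
    }
    for label, blob in samples.items():
        print(f"{label:10s} -> {classify_container(blob)}")
```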

See About Symantec Message Filter on page 15.
See Components of Symantec Message Filter on page 17.
See How Symantec Message Filter works on page 19.


See Where to get more information about Symantec Message Filter on page 24.

Where to get more information about Symantec Message Filter


Symantec Message Filter includes context-sensitive Help topics that you can access through the Control Center for each page. The documentation set for this release of Symantec Message Filter includes the following:

Symantec Message Filter Implementation Guide
Symantec Message Filter Software Development Kit Development Guide
Symantec Message Filter Getting Started Guide
Symantec Message Filter Release Notes

To find documentation about Symantec Message Filter on the Internet, go to the following URL: http://www.symantec.com/business/support/overview.jsp?pid=51879

The following online resources are also available on the Symantec Web site for more information about your product:

www.symantec.com/business/support/index.jsp: Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions.
https://licensing.symantec.com/acctmgmt/index.jsp: Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration.
www.symantec.com/business/solutions/index.jsp: Provides product news and updates.
www.symantec.com/business/security_response/index.jsp: Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats.

See About Symantec Message Filter on page 15.
See Components of Symantec Message Filter on page 17.


See How Symantec Message Filter works on page 19.
See What you can do with Symantec Message Filter on page 20.


Chapter 2

Planning for installation


This chapter includes the following topics:

About deploying Symantec Message Filter
About planning for disk space storage needs
Configuring firewall settings
About required ports
About using this product with other filtering products
About adjusting MX records for Symantec Message Filter software
About access by the Server to perimeter information

About deploying Symantec Message Filter


You can deploy Symantec Message Filter in any of the following configurations:

At the gateway: See About deploying at the gateway layer on page 28.
At the post-gateway: See About deploying at the post gateway layer on page 31.
At the email server: See About deploying at the email server on page 32.

The type of deployment configuration that you choose depends on the following conditions:

The size of your environment
The number of servers that you plan to use
Your environment configuration


Another deployment consideration is whether to install the Scanner and the Control Center on the same computer or on separate computers. Make this decision according to the size of your configuration and best practices for enhancing server performance.
See About deploying the Client and the Server on page 33.
Before you install Symantec Message Filter, ensure that you have read and understood the advantages and requirements of each deployment scenario. Also, ensure that your environment meets the minimum system requirements.
See System requirements on page 51.

About deploying at the gateway layer


Some organizations prefer to have secure gateways with no other services running. In these environments, all other services (including antispam services) run behind the first gateway layer. In this deployment configuration, Symantec Message Filter resides at the outermost gateway layer. This layer contains the gateway MTA, which processes inbound mail and relays it to other relay layers or to the user-facing message store layer.

About the advantages of deploying at the gateway level


The advantages of deploying Symantec Message Filter at the gateway are as follows:

Detects spam at the point of entry: Because spam originates from the outside world, the gateway is the logical, effective place to deploy the server.

Saves resources: When you deploy Symantec Message Filter closer to the gateway, you can minimize mail processing and storage requirements. Spam is removed from the email stream, which reduces network bandwidth.

Lets you enable the early verdict feature: When you deploy the product at the gateway, the Scanner can determine an early verdict on the IP address before the entire message is received. If the message is blocked, the MTA does not need to continue through the remainder of the calls, thereby reducing scanning resources.

About the basic deployment


Figure 2-1 shows the basic deployment scenario in which there is no firewall.

Figure 2-1 Basic deployment

About deploying behind a firewall


Figure 2-2 shows Symantec Message Filter deployed behind the firewall. On all configured server computers, configure port 443 to permit outbound connections to the BLOC.

Figure 2-2 Behind the firewall

About deploying in a demilitarized zone


In this scenario, Symantec Message Filter is deployed behind a double layer of firewalls or in a demilitarized zone (DMZ). Figure 2-3 illustrates a typical DMZ configuration.

Figure 2-3 In a demilitarized zone

About deploying for high availability and performance


You can configure Symantec Message Filter for high availability and performance. Symantec Message Filter is licensed on a per-user basis, as opposed to a per-server basis. Therefore, you can install the software on as many servers as is necessary to handle your needs. The Client supports round robin load balancing and fails over to secondary or tertiary servers for redundancy. The filtering daemon is multi-threaded, so it makes optimal use of multi-CPU systems. High availability deployments typically use two Symantec Message Filter Servers. Some customers that use dedicated systems have numerous MTAs (with the Symantec Message Filter Client installed). All of these MTAs point at a pair of Symantec Message Filter Servers. To provide redundancy, the Symantec Message Filter Client configuration includes the IP addresses of both available Symantec Message Filter Servers.

Figure 2-4 High availability scenario

About deploying at the post gateway layer


In this deployment method, MTAs at the gateway layer accept mail from the Internet. Then they relay unfiltered mail to the MTA that is integrated with Symantec Message Filter software. The Server filters mail from the gateway layer and relays mail to other MTAs downstream.

About considerations for deploying at the post gateway layer


Some considerations for deploying Symantec Message Filter at the post gateway layer are as follows:

You must set up SMTP/Sendmail, IIS SMTP, or an MTA with a Symantec Message Filter integration to relay mail.
If you run other applications (such as antivirus software) on this computer, ensure that there are enough resources to support Symantec Message Filter software.

About the advantages of deploying at the post-gateway layer


Some advantages of deploying Symantec Message Filter at the post-gateway layer are as follows:

Reduced downtime: From an architecture perspective, this method often requires the least amount of downtime. Administrators can build the system, test it, and then put it into production.

Multiple services on one computer: Running multiple services on one computer is an efficient way to deploy Symantec Message Filter in a multi-layer scenario on one box. For example, you can run antispam, antivirus, and other services on one physical computer.

Figure 2-5 Post-gateway deployment

About deploying at the email server


In this deployment method, Symantec Message Filter Server integrates directly with the internal mail server at the last node in any relay chain. If you run multiple mail servers, you might have to install multiple instances of Symantec Message Filter Servers.

About the advantages of deploying at the email server


The advantages of deploying Symantec Message Filter at the email server are as follows:
Integrated solution: This option is ideal for smaller organizations that cannot deploy new servers.

Plug-and-play: If you run Microsoft Exchange as your internal mail server, this option requires no configuration changes to SMTP.


About deploying the Client and the Server


Symantec Message Filter software can be deployed in a variety of computing environments, from single-computer setups to distributed client-server configurations. In each case, the Symantec Message Filter Client integration communicates with the MTA using standard libraries. As messages flow through the mail server, the Client calls the Server. The Server checks individual messages against antispam filters, antivirus definitions, and other filters that you configure. Depending on the verdict that the Server returns and the configuration options that you configure, the mail may be handled differently. Table 2-1 summarizes the configurations in general terms.

Table 2-1 Configuration scenarios with the Client/MTA integration and the Server

Scenario: Single MTA and Symantec Message Filter Server on one computer
Advantages: Saves hardware costs because the MTA and the Server reside on the same computer.
Notes: The MTA must not use a large quantity of CPU cycles. MTAs tend to be inbound and outbound. By comparison, the Server is CPU-intensive, so the two programs use different software resources. However, if the Server saves spam to disk or performs virus processing, it is inbound and outbound, too.

Scenario: Single MTA and Symantec Message Filter Server on separate computers
Advantages: Advantages of installing the MTA and the Server on separate computers are as follows:
Requires minimal or no change to an MTA server.
Provides scalability. As mail throughput increases, you can add processors or memory to the Server to suit your needs.
Provides flexibility. The MTA server and the Server can run on separate platforms.
Notes: This configuration is an adequate solution for most small to medium-sized enterprises.

Scenario: Multiple MTAs and Symantec Message Filter Servers
Advantages: Advantages of installing multiple MTAs and Servers are as follows:
Provides maximum scalability.
Offers full failover and redundancy.
Provides built-in round robin load balancing.
Allows for easy implementation of a virtual IP (VIP), which enables scalable load balancing.
Provides flexibility, since the MTA server and the Server can run on separate platforms.
Notes: See About deploying for high availability and performance on page 30.

Most of this information is applicable to all MTAs. Consult your Symantec representative to determine which scenario best meets your needs. If your environment has a high volume of traffic, consider using Symantec Brightmail Traffic Shaper. This network device allocates reduced bandwidth to MTAs that deliver spam. The load on your MTAs is reduced without introducing false positive risks. For more information about Symantec Brightmail Traffic Shaper, contact your Symantec sales representative.

About planning for disk space storage needs


The system requirements for Symantec Message Filter describe the minimum system requirements that you need for available disk space. However, you should also consider your organization's plans for using the Quarantine and the Log. The way that you intend to use these features impacts the amount of disk space that you need to reserve. See System requirements on page 51.

About estimating storage needs for the Quarantine


Because the Quarantine stores copies of filtered messages, the size of the Quarantine can become large. Many variables influence the storage that is required for quarantined messages. These variables include which message dispositions you choose to quarantine, your overall message volume, your spam percentage, and so on.


Consider phasing in your Quarantine deployment after Symantec Message Filter has been operational for some time. Figure 2-6 suggests a time line.

Figure 2-6 Suggested Quarantine deployment timeline

If you do not want to delay your Quarantine deployment, first examine your existing mail logs. Then make some estimates about the percentage of spam that your organization receives. Storage estimates are based on a survey of enterprise customers with an average spam volume of about 50% of filtered mail. Table 2-2 provides a baseline for estimated storage requirements for the Quarantine.

Table 2-2 Estimated storage requirements for the Quarantine

Number of users   Disk space that is required per month before the Quarantine is purged (in GB)
1-1000            2
1001-10,000       20

Configure the Quarantine thresholds to control the amount of disk space that quarantined messages use. You can also decrease the number of days before Symantec Message Filter deletes quarantined messages to reduce the required amount of disk space. However, a shorter retention period increases the chance that users may have messages deleted before they have been checked. You should configure the Quarantine to use an LDAP server backend to delete mail for unresolved email addresses. Otherwise, sidelined dictionary-based spam can greatly increase the size of your database.


See Setting the Quarantine message retention period on page 282.
See About LDAP compatibility for the Quarantine on page 249.

About estimating storage needs for extended reporting


You can generate reports according to the information that Symantec Message Filter logs. Symantec Message Filter maintains statistics for your site in the MySQL database. This data is the basis for standard reports that indicate total spam filtered and total virus filtered (if applicable). You can also track the following data:

Sender domains
Senders
Sender HELO domains
Sender IP connections
Recipient domains
Recipients

See Setting the retention period for reporting data on page 300.
See Selecting the data to track on page 300.

Table 2-3 describes the storage impacts of each data storage type.

Table 2-3 Potential storage impacts of report data storage types

Each entry gives the email envelope data storage type, the estimated storage impact, whether spammers are capable of falsifying the data, and a description with an example.

Sender domains (estimated storage impact: High; spammers can falsify: Yes): This data storage type is the domain that sends the message. Because spammers can forge this information, many unique sender domains can be received each hour. Example: symantecexample.com

Senders (estimated storage impact: High; spammers can falsify: Yes): This data storage type is the message sender user name. Sender domains information is also stored if the Senders check box is selected on the Reports Settings page. Because spammers can forge this information, many unique sender user names can be received each hour. Example: ana9a5b3c@symantecexample.com

Sender HELO domains (estimated storage impact: High; spammers can falsify: Yes): This data storage type is the sending domain listed in the HELO/EHLO SMTP command. Because spammers can forge this information, many unique sender HELO domains can be received each hour. Also, if users at your company receive a lot of messages from outside your company, many unique sender HELO domains can be received each hour. Example: symantecexample.com

Sender IP connections (estimated storage impact: High; spammers can falsify: Rarely): This data storage type is the IP address of the SMTP client that has contacted the local MTA. If users at your company receive a lot of messages from outside your company, many unique sender IP addresses can be received each hour. Example: 172.16.0.0

Recipient domains (estimated storage impact: Low; spammers can falsify: No): This data storage type is the domain to which the message is addressed. Unless your mail server receives email for more than approximately five domains, the impact of selecting this data storage type is likely to be low. Example: symantecexample.com

Recipients (estimated storage impact: Medium to high; spammers can falsify: No): This data storage type is the message recipient user name. Recipient domains information is also stored if the Recipients check box is selected on the Reports Settings page. The storage impact depends on the number of users at your company. Impacts also depend on whether this data storage type is selected in combination with another data storage type. Example: jdoe@symantecexample.com

Configuring firewall settings


After you install Symantec Message Filter, you must configure your firewall to allow port connections for specific servers within your corporate network. This section describes the port connections that you must configure for a standard deployment model.

Configuring firewall port connections for a standard deployment model


Figure 2-7 illustrates a corporate network based on the standard deployment model that most organizations use. In this model, Symantec Message Filter resides behind a single firewall. If you use this model, you must configure your firewall to allow port connections from your Gateway MTA server so that it can access other servers over the Internet, such as the Symantec Global Threat Center and the Symantec LiveUpdate server.

Figure 2-7 Sample Standard Deployment Model
(Figure elements: Workstation, Gateway MTA, SMF Scanner, Internal MTAs, LDAP Server, Corporate Firewall, Internet. The connections numbered 1 through 5 in the figure correspond to the rows of Table 2-4.)

Table 2-4 lists the port numbers that are required for the standard deployment model.

Table 2-4 Firewall Port Connection Requirements for Standard Deployment Model

Connection   Description                                                                        Ports
1            Inbound connection from SMF scanner to internal MTAs to relay email messages       25
2            Outbound connection from internal workstation to SMF web interface                 41080
3            Inbound connection from the Internet for incoming email messages to Gateway MTA    25
4            Outbound connection from SMF scanner to the Internet for rule downloads and updates 443
5            Inbound connection to internal LDAP server from SMF scanner for LDAP queries       389

About required ports


Table 2-5 lists the ports that are required for Symantec Message Filter.

Table 2-5 Default ports

Purpose                                  Application layer protocol   Transport layer protocol   Default port
Access to name service                   DNS                          UDP (TCP)                  53
Access to time service                   NTP                          UDP                        123
Access to the computer                   SSH                          TCP                        22
Access to the Control Center             HTTP                         TCP                        80
Access to the Control Center (secured)   HTTPS                        TCP                        443
Outbound access to the Internet          HTTP                         TCP                        80
Outbound access to Conduit               HTTPS                        TCP                        443
Outbound access to LiveUpdate            HTTP                         TCP                        80
MTA to Scanner (bidirectional)           not applicable               TCP                        41000
Control Center to the Scanner            not applicable               TCP                        41002

About using this product with other filtering products


Symantec Message Filter evaluates headers as part of the filtering process. Its ability to accurately identify spam depends on having access to messages in their original form. Although MTAs or the products that add X-headers do not significantly affect filtering, your effectiveness is greater if you use unaltered message headers. Avoid placing Symantec Message Filter behind other filtering products (such as content filtering) or MTAs. They can alter or remove pre-existing message headers or modify the message body. Some smaller organizations do not have dedicated gateway servers or a gateway layer. Instead, they deploy gateway servers and internal mail servers on the same computers. The best practice to add antivirus protection to Symantec Message Filter software is to deploy the antivirus filtering feature. See About filtering for viruses on page 324. If you use a third-party antivirus product that has its own MTA, you may need to make the following adjustments:

Ensure that Windows SMTP or Sendmail listens on port 25 and relays to an alternate port, such as port 26.
Deploy the third-party antivirus product on another computer as a separate hop in the architecture of your inbound mail flow.

If you choose to use a file system antivirus solution on the same computer as this product, ensure that the antivirus solution does not scan the following directories:

The temporary directory
The Symantec Message Filter working file directory and all of its subdirectories
The IIS mail spool directories on Windows (when you use the default SMTP virtual server)
The MySQL directory

If your antivirus solution uses the Windows SMTP service, you do not need to make any changes.

About adjusting MX records for Symantec Message Filter software


When you implement Symantec Message Filter with a separate email relay in front of your primary MTA, change the DNS mail exchange (MX) records. The records must point incoming messages to the new server that Symantec Message Filter scans. The new server should have a lower MX number (a higher priority) than the previous MTA. If you list the Symantec-filtered MTA as a higher weighted MX record in addition to the existing MX record, a spammer can look up the previous MTA's MX record. This configuration lets the spammer send spam directly to the old server and bypass your spam filtering. Send test messages through Symantec Message Filter and verify that the messages arrive at the target inbox before you re-direct your MX records. See Testing to ensure filtering works properly on page 77. To prevent spammers from circumventing the new spam-filtering servers, you should do one of the following tasks:

Remove the previous MTA's MX record from DNS.
Block off the MTA from the Internet using a firewall.
Modify the firewall's network address translation (NAT) tables to route external IP addresses to internal non-routable IP addresses. You can then map from the old server to the new Symantec Message Filter-protected server.
Use another method to protect the MTA.

When you name the new Symantec Message Filter-filtered MTA, ensure that the name that you choose does not imply its function. For example, poor choices would include: antispam.symantecexample.com, brightmail.symantecexample.com, or bas.symantecexample.com.
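The MX checks described in this section, as an added example that is not part of the guide: a POSIX shell function that audits a saved MX record set in the "preference hostname" form that dig +short MX prints (the record files and host names used below are constructed), and reports a relay that is not published, a relay that does not hold the lowest preference value, a previous MTA that is still listed, and a relay name that advertises its function.

```shell
#!/bin/sh
# Added example (not from the guide): audit the MX record set of a domain
# after mail has been redirected through the Symantec Message Filter relay.
# RECORDS_FILE holds one record per line as "<preference> <hostname>", the
# form that "dig +short MX <domain>" prints; save that output to a file first.
# FILTERED_HOST is the new relay, OLD_HOST the MTA it now sits in front of.
# Prints one finding per line and returns the number of findings (0 = clean).
audit_mx_records() {
    records_file=$1
    filtered_host=$2
    old_host=$3
    findings=0

    # Strip the trailing dot that DNS tools print on fully qualified names.
    normalized=$(awk '{ sub(/\.$/, "", $2); print $1, $2 }' "$records_file")

    # 1. The relay must be published at all.
    filtered_pref=$(printf '%s\n' "$normalized" |
        awk -v h="$filtered_host" '$2 == h { print $1; exit }')
    if [ -z "$filtered_pref" ]; then
        echo "FAIL: $filtered_host has no MX record"
        findings=$((findings + 1))
    fi

    # 2. It must hold the lowest preference value, that is, the highest priority.
    lowest=$(printf '%s\n' "$normalized" |
        awk 'NR == 1 || $1 + 0 < min { min = $1 + 0 } END { print min }')
    if [ -n "$filtered_pref" ] && [ "$filtered_pref" -ne "$lowest" ]; then
        echo "FAIL: $filtered_host has preference $filtered_pref, another host has $lowest"
        findings=$((findings + 1))
    fi

    # 3. The previous MTA must not be listed at all: a sender can deliver to any
    #    published MX host, so a higher preference value does not protect it.
    if printf '%s\n' "$normalized" |
        awk -v h="$old_host" '$2 == h { f = 1 } END { exit !f }'; then
        echo "FAIL: previous MTA $old_host is still published as an MX host"
        findings=$((findings + 1))
    fi

    # 4. The relay's name should not reveal that it filters mail.
    case $(printf '%s' "$filtered_host" | tr 'A-Z' 'a-z') in
        *antispam*|*brightmail*|bas.*)
            echo "WARN: name $filtered_host implies the server's function"
            findings=$((findings + 1)) ;;
    esac

    return $findings
}

# Usage: sh audit_mx.sh mx_records.txt relay.example.com oldmail.example.com
if [ "$#" -eq 3 ]; then
    audit_mx_records "$@"
fi
```

Run it once before you redirect the MX records and again afterwards; a non-zero exit status means the old MTA can still be reached directly or the relay is not the preferred host.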


About access by the Server to perimeter information


You can deploy Symantec Message Filter in communication with an MTA that is at the gateway or with an internal MTA. If you use an internal MTA, you must specify your internal ranges for IP based reputation to work. See Specifying internal mail hosts on page 355.

Chapter 3 Installing Symantec Message Filter


This chapter includes the following topics:

Before you install
System requirements
Installing Symantec Message Filter on Linux and Solaris
Installing Symantec Message Filter on Windows
Migrating to Symantec Message Filter
Post-installation tasks
Uninstalling Symantec Message Filter

Before you install


Installation of Symantec Message Filter consists of the following components:

Scanner
The Symantec Message Filter Scanner processes email according to the configuration options that you specify. The Symantec Message Filter Scanner contains the following subcomponents:
Symantec Message Filter Client
Symantec Message Filter Server
You can specify during installation if you want to install either or both subcomponents. A complete installation installs both components. A custom installation lets you specify which component you want to install. See About configuring settings without using the Control Center on page 144.

Control Center
The Symantec Message Filter Control Center is a Web-based graphical user interface. The Control Center communicates with the Symantec Message Filter Agent on each of your Symantec Message Filter Scanners. See About the Control Center on page 87. See Adding a Scanner on page 348. The Control Center requires a Web application server. The Tomcat application server is bundled with the installation. Tomcat and WebLogic are the only Web application servers that are certified to work with the Control Center.

See Components of Symantec Message Filter on page 17. If you intend to install the Scanner and the Control Center on the same computer, it does not matter in what order you install them. The documentation assumes that you install the Scanner before you install the Control Center. The installer supports changing the location of the installation directory. However, the directory must already exist before you begin installation. The installer program does not support creating a new folder during installation. If you upgrade, the installer reinstalls your existing software in the same location as the previous version. If current versions of MySQL and Tomcat exist, they are not reinstalled. See Migrating to Symantec Message Filter on page 71. If you install the Server component of the Scanner, the installer prompts you to register the product. Symantec Message Filter requires multiple licenses for full functionality. One license activates scanning, while the other license updates rules. During installation, you can only install one license. You can install the additional license after installation is complete. If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x and have a license already registered, you do not need to re-register your license. See About registering your Scanner license on page 357. Tasks that you should perform before you install Symantec Message Filter are as follows (if they apply to your configuration):

Read the information about planning for installation. See About deploying Symantec Message Filter on page 27.

Ensure that your organization uses static IP addresses. Symantec Message Filter does not support the use of dynamically assigned IP addresses.

Create the required accounts and directories for the Symantec Message Filter Scanner. See Creating required accounts and directories on page 47.

If you upgrade from a previous version of Symantec Message Filter, review the information on migration. Pay particular attention to the information about the requirement to upgrade your Scanners before you upgrade the Control Center. See Migrating to Symantec Message Filter on page 71.

Ensure that the computers on which you plan to install Symantec Message Filter components meet the minimum system requirements. See System requirements on page 51.

Obtain your license from Symantec and know the file location. See About registering your Scanner license on page 357.

Creating required accounts and directories


The Scanner runs as the mailwall user in the bmi group. Before you install the Scanner, you must create the bmi group and the mailwall user in the bmi group. The mailwall user and bmi group should not be removed or modified. After you create the mailwall user and bmi group, create a mail alias for the mailwall account. The alias lets the administrator read the email that is sent to the mailwall user. For more information about how to create a mail alias, see your mail application documentation. You must also create a user for the MySQL database if you intend to install the Control Center and the Quarantine.


You do not need to create any special accounts or directories if you use Windows.

To create the required account and directory on Solaris

If you are not logged on as the root user, type the following commands:

    $ su
    Password: your_root_password

To install a new version of Symantec Message Filter, type the following commands:

    mkdir /opt/symantec
    cd /opt/symantec
    mkdir sbas
    groupadd bmi
    groupadd avdefs
    groupadd mysql
    useradd -c "MySQL user" -g mysql mysql
    useradd -c "dummy user for Brightmail" \
        -d </opt/symantec/sbas/Scanner> \
        -m -g bmi -G bmi,avdefs mailwall

To upgrade from a previous version of Symantec Message Filter, type the following commands:

    groupadd avdefs
    usermod -G avdefs mailwall

Where </opt/symantec> is your installation directory location. If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint. The comment "dummy user for Brightmail" lets other administrators who use this Solaris computer know why the mailwall user exists.


To create the required account and directory on Linux

To install a new version of Symantec Message Filter, type the following commands:

    $ su
    Password: your_root_password
    groupadd -r bmi
    groupadd -r avdefs
    useradd -c "dummy user for Brightmail" -d \
        </opt/symantec/sbas/Scanner> -m -r \
        -g bmi -G bmi,avdefs mailwall
    groupadd -r mysql
    useradd -c "MySQL user" -r -g mysql mysql

To upgrade from a previous version of Symantec Message Filter, type the following commands:

    groupadd -r avdefs
    usermod -G avdefs mailwall

Where </opt/symantec/sbas/Scanner> is your installation directory location. The location that is specified in this command is the default location. If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint. The -r flag (Red Hat Enterprise Linux only) places the specified user or group into a specific range of account IDs used for system accounts. The comment "dummy user for Brightmail" lets other administrators who use the computer know why the mailwall user exists.
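A preflight check for the account layout that the Solaris and Linux procedures above create, as an added example that is not part of the guide: it reads files in /etc/passwd and /etc/group format (pass the real files on the host; the data in the usage comment and test is constructed) and confirms that the bmi, avdefs and mysql groups exist, that mailwall has bmi as its primary group and avdefs as a supplementary group, that its home directory is the Scanner directory, and that the chosen path contains no spaces, which the installer rejects.

```shell
#!/bin/sh
# Added preflight check (not from the guide): verify the Scanner accounts
# before running the installer. PASSWD_FILE and GROUP_FILE are files in
# /etc/passwd and /etc/group format; INSTALL_DIR is the Scanner directory
# that was given to useradd -d (default /opt/symantec/sbas/Scanner).
# Prints one finding per line and returns the number of findings (0 = ready).
check_scanner_accounts() {
    passwd_file=$1
    group_file=$2
    install_dir=$3
    findings=0

    # The guide creates three groups: bmi, avdefs and mysql.
    for g in bmi avdefs mysql; do
        if ! awk -F: -v g="$g" '$1 == g { f = 1 } END { exit !f }' "$group_file"; then
            echo "FAIL: group $g does not exist"
            findings=$((findings + 1))
        fi
    done

    # mailwall must exist, run in primary group bmi and have the Scanner
    # directory as its home (passwd fields: name:x:uid:gid:gecos:home:shell).
    bmi_gid=$(awk -F: '$1 == "bmi" { print $3 }' "$group_file")
    mw_gid=$(awk -F: '$1 == "mailwall" { print $4 }' "$passwd_file")
    mw_home=$(awk -F: '$1 == "mailwall" { print $6 }' "$passwd_file")
    if [ -z "$mw_gid" ]; then
        echo "FAIL: user mailwall does not exist"
        findings=$((findings + 1))
    else
        if [ "$mw_gid" != "$bmi_gid" ]; then
            echo "FAIL: primary group of mailwall is gid $mw_gid, not bmi"
            findings=$((findings + 1))
        fi
        if [ "$mw_home" != "$install_dir" ]; then
            echo "FAIL: home of mailwall is $mw_home, expected $install_dir"
            findings=$((findings + 1))
        fi
    fi

    # useradd -G bmi,avdefs makes mailwall a member of avdefs; the LiveUpdate
    # temporary folder must be writable by that group, so verify membership
    # (group fields: name:x:gid:member1,member2,...).
    if ! awk -F: '$1 == "avdefs" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == "mailwall") f = 1
        } END { exit !f }' "$group_file"; then
        echo "FAIL: mailwall is not a supplementary member of avdefs"
        findings=$((findings + 1))
    fi

    # The installer fails on directory paths that contain spaces.
    case $install_dir in
        *" "*)
            echo "FAIL: installation path '$install_dir' contains a space"
            findings=$((findings + 1)) ;;
    esac

    return $findings
}

# Usage: sh check_accounts.sh /etc/passwd /etc/group /opt/symantec/sbas/Scanner
if [ "$#" -eq 3 ]; then
    check_scanner_accounts "$@"
fi
```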

Before you install the Control Center


The Control Center is a Web-based cross-platform configuration and administration center that is built in Java. Each Symantec Message Filter installation has one Control Center, which also houses the Quarantine and its supporting software. You can configure and monitor all of your Scanners from the Control Center. This section describes the environment that is needed to install the Control Center.

About the automatic startup


Table 3-1 describes the processes that make up the Control Center.

Table 3-1 Control Center processes and services

Process name in UNIX   Service name in Windows   Description
java                   Tomcat                    Tomcat Java servlet container. Serves the pages that make up the Control Center.
mysqld                 MySql                     MySQL server. Processes requests to retrieve and store data in the MySQL database, such as Scanner configuration data or quarantined spam messages.

The installer configures MySQL and Tomcat (if installed) processes to start automatically when the computer is turned on. If you launch the product immediately after installation, these processes may require 15-60 seconds to begin. On Linux and Solaris, the processes that make up the Control Center are configured to run as daemons. Startup scripts are installed in /etc/init.d and links are created in the appropriate /etc/rc* directory. On Windows, the services that make up the Control Center are configured to a startup type of "Automatic."

About port availability through TCP/IP


Table 3-2 lists the ports that the Control Center uses.

Table 3-2 Control Center ports

Port number   Purpose
41025         The Scanner sends spam email to this port through the SMTP email protocol.
41080         User and administrator Web browsers connect to Symantec software on this port by default. During installation, you can configure the system to use a different port. If you configure the Control Center to use a different Web application server than Tomcat, the Web access port is most likely different. For example, the port that WebLogic uses is 7001.
41443         If the installer installs Tomcat, Tomcat is configured with a self-signed SSL certificate on a secondary port. Tomcat uses the following URL address: https://localhost:41443/brightmail

Other computers on your network should be able to access these ports, such as the computer on which you install the Scanner.

System requirements
Table 3-3 lists the system requirements for Solaris.

Table 3-3 Solaris system requirements

Requirement           Description
Platform              Solaris 10/9/8
                      Note: Symantec Message Filter is only supported on English operating systems.
Processor             UltraSPARC
RAM                   1 GB
Disk space            1 GB
Mail transfer agent   Any of the following:
                      Sendmail 8.12.11 or later
                      Sendmail Switch 3.1 or later
                      Sun Java Messaging Server 6.x or later
                      Sun Java Messaging Server 7.x update 3 and update 4 for 64-bit systems
                      Message Systems
Internet browser      Firefox 1.5 or later

Table 3-4 lists the system requirements for Linux.

Table 3-4 Linux system requirements

Requirement           Description
Platform              Any of the following:
                      RedHat ES 4/5
                      RedHat AS 4/5
                      Note: Symantec Message Filter is only supported on English operating systems.
Processor             Intel Pentium III or IV processor or compatible
RAM                   1 GB
Disk space            1 GB
Mail transfer agent   Any of the following:
                      Sendmail 8.12.11 or later
                      Sendmail Switch 3.1 or later
                      Postfix
                      Message Systems
Internet browser      Firefox 1.5 or later

Table 3-5 lists the system requirements for Windows.

Table 3-5 Windows system requirements

Requirement                Description
Platform                   Any of the following:
                           Windows Server 2003 (SP 1) Standard Edition or Enterprise Edition, 32-bit and 64-bit systems
                           Windows Server 2008 Standard Edition or Enterprise Edition, 32-bit and 64-bit systems
                           Windows Server 2008 R2 Standard Edition or Enterprise Edition, 64-bit system
                           Note: Symantec Message Filter is only supported on English operating systems.
Processor                  Intel Pentium III or IV processor or compatible
RAM                        1 GB
Disk space                 1 GB
Mail transfer agent        You must have all of the following services:
                           Microsoft Internet Information Services (IIS)
                           Windows SMTP service
Internet browser           Internet Explorer 7.0 or later
Java Runtime Environment   32-bit JRE 1.5 or later

Table 3-6 lists the system requirements for the Control Center.

Table 3-6 Control Center system requirements

Requirement           Description
Platform              The Control Center, which is a 32-bit application, can be installed on any of the following platforms:
                      Windows Server 2003 (SP 1) Standard Edition or Enterprise Edition, 32-bit and 64-bit systems
                      Windows Server 2008 Standard Edition or Enterprise Edition, 32-bit and 64-bit systems
                      Windows Server 2008 R2 Standard Edition or Enterprise Edition, 64-bit system
                      Red Hat Enterprise Linux AS 4/5
                      Red Hat Enterprise Linux ES 4/5
                      For Linux installations, the installer requires the compat-libstdc++ library. The compat-libstdc++ library is available on your Red Hat distribution CD.
                      Solaris 10/9/8
                      Note: Symantec Message Filter is only supported on English operating systems.
Processor             Linux and Windows: Intel Pentium III or IV processor or compatible
                      Solaris: UltraSPARC processor
RAM                   1 GB
Disk space            1 GB
Mail transfer agent   You must have all of the following services:
                      Microsoft Internet Information Services (IIS)
                      Windows SMTP service
Internet browser      Any of the following:
                      Internet Explorer 6.0 or later
                      Netscape 7.1 or later
                      If your computer already has Netscape 7.1 and you plan to use Netscape 7.1, you must download and install a new copy of Netscape 7.1. You can export the Symantec Message Filter reports correctly only with the latest available copies of Netscape 7.1.
LDAP                  Unless you configure the Quarantine for administrator-only access, the Quarantine requires an LDAP server. The LDAP server authenticates users as they log on to access their quarantined messages and lets the Quarantine expand user mail aliases. The following LDAP servers are compatible with the Quarantine:
                      Active Directory (all versions)
                      Netscape/iPlanet Directory Server 4.2 and 5.1
                      Sun ONE Directory Server 5.2
                      You should be familiar with the particular LDAP schema that your company uses.

Installing Symantec Message Filter on Linux and Solaris


Table 3-7 describes the ways that you can invoke the installer to install Symantec Message Filter on Linux or Solaris.

Table 3-7 Installer invocation methods

Method                           Command             Description
Command line                     install             The installer prompts are presented in the terminal window in which you started the installer. See Installing on Linux and Solaris at the command line on page 60.
Graphical user interface (GUI)   install -i awt      The installer prompts are presented through X Windows. To use this GUI installation, X Windows must be installed and configured correctly on your system. See Installing on Linux and Solaris with the GUI installer on page 55.
Silent                           install -i silent   The installation occurs with all of the default settings (there are no prompts). The Control Center is installed, including Tomcat and MySQL. If you upgrade or reinstall the product, you can use the silent mode. The silent installation requires use of default locations for the software and logs. See To prepare for installation on page 61. Invoke the installer in silent mode with the following command (the installer arguments are passed to su as a single quoted command string):
                                                         $ su root -c "./install -i silent"
                                                         Password: your_root_password
                                                     This method is not described further in this documentation.

The prompts for the command line and GUI installation are essentially the same. During installation, you can return to the previous question (go back) or quit at any time. The installer can reinstall your current software and preserve existing configuration and other data that is stored after initial installation. The installer reinstalls your existing software in the same location as the previous version. If current versions of MySQL and Tomcat exist, they are not reinstalled. All Control Center binaries are updated except for the MySQL and Tomcat files.

Note: If you use Red Hat Enterprise Linux, the installer requires the presence of the compat-libstdc++ library. If this library is not on your computer, the installer prompts you to install the library before you install the Scanner. The compat-libstdc++ library is available on your Red Hat distribution CD for Red Hat Enterprise Linux or on the Red Hat Web site.

Installing on Linux and Solaris with the GUI installer


An installation script has been prepared for Linux and Solaris installations. This section describes how to use the GUI installer to install Symantec Message Filter software. To use the GUI installation, X Windows must be installed and configured correctly on your computer.


The installation script ensures access to the correct libraries for Linux and Solaris installations and provides the appropriate Java Runtime Environment for the installer. The installer also does the following tasks:

Sets the permissions for the installation directory to give access to the user mailwall
Creates the Runner configuration file, runner.cfg
Adds a line for the AntiVirus Cleaner to the crontab of user mailwall

The installer also installs the Scanner script, which lets you start, stop, or restart the Scanner. This script is located in the following location: /etc/init.d. Before you begin with installation, ensure that you have completed all of the preinstallation steps and that your computer meets the system requirements. Also ensure that you install all the latest patches for your operating system. See Before you install on page 45. See System requirements on page 51. To install the Scanner, perform the following steps:

1 Locate the installer .tgz file, and then uncompress and untar the file. See To prepare for installation on page 56.

2 Initiate the GUI installer. See To install the Scanner with the GUI installer on page 58.

To perform the Control Center installation, see To install the Control Center on Linux and Solaris with the GUI installer. After you complete the installation, perform the post-installation tasks. See Post-installation tasks on page 72.

To prepare for installation

1 Do one of the following to navigate to the installation script:

  From a product CD
  Do all of the following steps:
  Insert the CD that contains the Symantec Message Filter software into the CD-ROM drive. The CD mounts automatically to /cdrom/smf_630 on Solaris systems. If you use Linux, mount the CD-ROM:
      $ mount /dev/cdrom
      cp /mnt/cdrom/SMF*.tgz
  The mount command can fail if you have modified /etc/fstab.
  Change to the appropriate directory for your CD-ROM:
      $ cd operating_system
  Copy the appropriate .tgz file for your operating system to your computer.

  From a downloaded file
  Locate the .tgz file that you have downloaded on your computer.

2 Change to the directory on your computer where you copied the .tgz file.

3 Type the following command to uncompress and untar the distribution file:
  Solaris
      $ gunzip -c SMF_630_sparc_solaris.tgz | tar xf -
  Linux
      $ tar -zxvf SMF_630_x86_linux.tgz

4 Locate the following file: /root/<location where you saved the .tgz file>/SMF_630/install

To install the Scanner with the GUI installer

1 As root user, type the following command to run the installer:
      ./install -i awt

2 Do one of the following tasks:
  If the installation begins automatically: Proceed to the next step.
  If you are prompted to select an installation: Type 1 to install the Scanner and press Enter. If you have the binary for the Control Center in the same directory as the Scanner binary, you are prompted to select an installation.

3 On the Introduction pane, click Next.

4 Read the license agreement, click I accept the terms of the License Agreement, and then click Next.

5 Specify a log directory, and then click Next. You can change the default log location to syslog or stderr.

6 In the Brightmail Control Center Computer pane, select one of the following options to specify where you will install the Control Center:
  This computer: Select this option if you intend to install the Scanner and the Control Center on the same computer.
  Computer at IP address: Select this option to specify another computer on which you intend to install the Control Center, and then type the IP address of the computer.

7 On the Temporary Folder for LiveUpdate pane, select the folder and click Next. If you select any folder other than the default (/tmp) folder, the specified folder must have full permissions for the avdefs group and other groups.

8 In the Choose Installation Type pane, select one of the following:
  Complete installation
  Brightmail Server only
  Brightmail Client only

9 Click Next.

10 On the Brightmail Scanner Registration pane, type the location of your license file or browse to the location and select your Symantec license file. Your license file is an .slf file that you receive from Symantec's Enterprise Licensing System (ELS) when you purchase the product. If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x, you do not need to re-register your licenses.

11 If your site requires a proxy server for HTTPS access, check Use Proxy and then type your proxy server port and password.

12 Click Register.

13 When you receive the message that registration was successful, click Next.

14 When installation is complete, click Done.
To install the Control Center on Linux and Solaris with the GUI installer

1 As root user, type the following command to run the installer:
      ./install -i awt

2 Do one of the following tasks:
  If the installation begins automatically: Proceed to the next step.
  If you are prompted to select an installation: Type 2 to install the Control Center and press Enter. If you have the binary for the Control Center in the same directory as the Scanner binary, you are prompted to select an installation.

3 On the Introduction pane, click Next.

4 Read the license agreement, click I accept the terms of the License Agreement, and then click Next.

5 Click Next to choose the default folder for the Control Center or click Choose to select a different folder for the Control Center. If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.x, this pane does not appear. The Control Center files are automatically installed in the same location as your 6.0.5/6.1.x/6.2.x Control Center files.

6 On the Web Application Server pane, do one of the following tasks:
  To install Tomcat, do all of the following steps:
  Click Install included copy of Tomcat. Click Next.
  If you want to use a port address other than the default, type it in the Tomcat port number box. Click Next.
  To use your own Web application server, do all of the following steps:
  Click Use my own Web Application server. Click Next.
  In the Application port number box, type the port address of the Web application server that you intend to use. Click Next.

7 On the Pre-Installation Summary pane, review the information and do one of the following tasks:
  Click Previous: Select this option to return to a previous setup page to make changes.
  Click Install: Select this option to proceed with installation.

8 When installation is complete, click Done.

Installing on Linux and Solaris at the command line


Before you begin with installation, ensure that you have completed all of the preinstallation steps and that your computer meets the system requirements. Also ensure that you install all the latest patches for your operating system. See Before you install on page 45. See System requirements on page 51. To install the Scanner, perform the following steps:

1 Locate the installer .tgz file, and then uncompress and untar the file. See To prepare for installation on page 61.

2 Initiate the installer from the command line. See To install the Scanner on Linux and Solaris at the command line on page 62.

To install the Control Center, see To install the Control Center on Linux and Solaris at the command line on page 65. After you complete the installation, perform the post-installation tasks. See Post-installation tasks on page 72.

To prepare for installation

1 Do one of the following to navigate to the installation script:

  From the product CD
  Do all of the following steps:
  Insert the CD that contains the Symantec Message Filter software into the CD-ROM drive. The CD mounts automatically to /cdrom/smf_630 on Solaris systems. If you use Linux, mount the CD-ROM:
      $ mount /dev/cdrom
      $ cd /mnt/cdrom
  The mount command can fail if you have modified /etc/fstab.
  Change to the appropriate directory for your CD-ROM:
      $ cd operating_system
  Copy the appropriate .tgz file for your operating system to your computer.

  From a downloaded file
  Locate the .tgz file that you have downloaded on your computer.

2 Change to the directory on your computer where you copied the .tgz file.

3 Type the following command to uncompress and untar the distribution file:
  Solaris
      $ tar -zxvf SMF_630_sparc_solaris.tgz
  Linux
      $ tar -zxvf SMF_630_x86_linux.tgz

4 Locate the following file: /root/<location where you saved the .tgz file>/SMF_630/install

62

Installing Symantec Message Filter Installing Symantec Message Filter on Linux and Solaris

To install the Scanner on Linux and Solaris at the command line

1 As root user, type the following command to start the installer:
  ./install

2 Do one of the following tasks:
  If the installation begins automatically: Proceed to the next step.
  If you are prompted to select an installation: Type 1 to install the Scanner and press Enter. If you have the binary for the Control Center in the same directory as the Scanner binary, you are prompted to select an installation.

3 After you read the introduction text, press Enter.

4 Read the License Agreement, and type 1 to accept and press Enter.

5 At the Choose Install Folder prompt, do one of the following:
  To select the default installation folder: Press Enter.
  To select a different installation folder: Type a folder location, and then press Enter. Do not insert any spaces in the directory file path name. Spaces in the directory file path name can cause the installation to fail.

If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x, you are not prompted for the installation directory location. The existing installation is upgraded in the Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x directory location. Setting the location of the installation directory to a remotely mounted partition is unsupported. If you attempt to do so, the installer issues a warning and prompts you to set it to a local partition.


6 At the Choose Log Folder prompt, do one of the following:
  To select the default folder: Press Enter.
  To select a different folder: Type a folder location, and then press Enter. Do not insert any spaces in the directory file path name. Spaces in the directory file path name can cause the installation to fail.

The Log folder is the directory where notifications and errors are stored.

7 At the Specify Brightmail Control Center prompt, select one of the following options to specify where you will install the Control Center:
  1 This computer: Select this option if you intend to install the Scanner and the Control Center on the same computer.
  2 Computer at IP address: Select this option to specify another computer on which you intend to install the Control Center, and then type the IP address of the computer.

8 At the Specify JLU temp directory location prompt, type the directory location and press Enter. If you specify any directory location other than the default (/tmp) location, the specified directory must have full permissions for the avdefs group and other groups.

9 At the Choose Installation Type prompt, specify one of the following installation types:
  Complete Installation: Installs all components of the Scanner. This is the default setting.
  Brightmail Server only: Installs only the server components of the Scanner.
  Brightmail Client only: Installs only the Client. You do not need to register a Scanner if you install the client only.

If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x, choose the same components that are currently configured on your version of the Scanner.


10 At the Pre-Installation Summary prompt, review your installation options and press Enter to continue.

11 At the Brightmail Server Address prompt, type the IP address for the Server to which you want to connect this client. This prompt only appears when you perform a client-only installation. The Server does not need to already be installed.

12 Press Enter to install the product.

13 At the Registration prompt, select one of the following options and then press Enter:
  1 Select this option to register the Scanner if any of the following conditions apply:
    This installation is the initial installation of the product.
    This installation is an upgrade and you do not have a valid license file already registered.
  2 Select this option if this installation is an upgrade and you already have registered a valid license file. Proceed to step 16.

14 Type the location of the license file and press Enter.
Your license file is an .slf file that you receive from Symantec's Enterprise Licensing System (ELS) when you purchase the product.

15 Specify whether you use an HTTPS proxy.

16 Press Enter to exit the installer.


To install the Control Center on Linux and Solaris at the command line

1 As root user, type the following command to start the installer:
  ./install

2 Do one of the following tasks:
  If the installation begins automatically: Proceed to the next step.
  If you are prompted to select an installation: Type 2 to install the Control Center and press Enter. If you have the binary for the Control Center in the same directory as the Scanner binary, you are prompted to select an installation.

3 After you read the introduction text, press Enter.

4 Read the License Agreement, and type 1 to accept and press Enter.

5 At the Choose Install Folder prompt, do one of the following:
  To select the default installation folder: Press Enter.
  To select a different installation folder: Type a folder location, and then press Enter. Do not insert any spaces in the directory file path name. Spaces in the directory file path name can cause the installation to fail.

If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x, you are not prompted for the installation directory location. The existing installation is upgraded in the Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x directory location. Setting the location of the installation directory to a remotely mounted partition is unsupported. If you attempt to do so, the installer issues a warning and prompts you to set it to a local partition.

6 At the Web Application Server prompt, select one of the following options:
  To install Tomcat: Do all of the following steps:
    Type 1. Press Enter.
    If you want to use a port address other than the default, type it in the Tomcat port number box. Press Enter.
  To use your own Web application server: Do all of the following steps:
    Type 2. Press Enter.
    In the Application port number box, type the port address of the Web application server that you intend to use. Press Enter.

7 At the Pre-Installation Summary prompt, review the information, and then press Enter.

8 When installation is complete, press Enter.

Installing Symantec Message Filter on Windows

You must have the Windows SMTP Service installed on your computer to install the Scanner. The Client requires the Windows SMTP Service to block spam. The Windows SMTP Service is part of Exchange Server 2003/Server 2007. Before you begin with installation, ensure that you have completed all of the preinstallation steps and that your computer meets the system requirements. Also ensure that you install all the latest patches for your operating system. See Before you install on page 45. See System requirements on page 51.

To install the Scanner, perform the following steps:
  Start the installer. See To install the Scanner on page 67.
  Select the type of installation that you want to perform. See To perform a complete installation on page 68. See To perform a custom installation on page 68.
  Initiate the installation. See To complete the Scanner installation setup on page 69.
  Register the Scanner. See To register the Scanner on page 69.

To install the Control Center, see To install the Control Center on Windows on page 70.

After you complete the installation, perform the post-installation tasks. See Post-installation tasks on page 72.

To install the Scanner

1 Close all open applications before you install the Scanner.

2 Do one of the following to navigate to and launch the scanner_install_x86_win.exe or the scanner_install_x64_win.exe file:
  From the product CD-ROM: Insert the Symantec software distribution CD-ROM in your computer's CD-ROM drive. If the installer does not run automatically, open the Windows folder on the CD with Windows Explorer. On a 32-bit system, double-click scanner_install_x86_win.exe. On a 64-bit system, double-click scanner_install_x64_win.exe.
  From a downloaded zip file: Unzip the zip file. On a 32-bit system, double-click scanner_install_x86_win.exe. On a 64-bit system, double-click scanner_install_x64_win.exe.

3 If you receive the Open File - Security Warning, click Run to proceed with the installation.

4 On the Welcome window, click Next.

5 Read the license agreement, click I accept the terms of this license agreement, and click Next.


To perform a complete installation

1 In the Setup Type window, click Next. The Complete setup is the default option.

2 On the SMTP Virtual Server window, click the drop-down menu to select the SMTP virtual server where you want scanning enabled, and then click Next. Proceed to To complete the Scanner installation setup.

To perform a custom installation

1 In the Setup Type window, click Custom, and then click Next.

2 On the Custom Setup window, click the drop-down menu beside each component to specify whether you want to install the component.

3 Click Space to determine if your computer has sufficient available disk space to install the components that you have selected.

4 Click Change to specify a different drive or folder for installation, browse to the destination folder that you want to use, and click OK. If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x, this pane does not appear. The Scanner files are automatically installed in the same location as your Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x Scanner files. See Migrating to Symantec Message Filter on page 71.

5 Click Next.

6 If you install the Client, select an SMTP virtual server from the drop-down list, and then click Next. This pane does not appear if you are performing a Server only installation.

7 If you install only the Client, type the IP address for the Server to which you want to connect this Client. The Server does not need to already be installed. This pane does not appear if you have installed the Server.


To complete the Scanner installation setup

1 In the Brightmail Control Center Computer window, select one of the following options to specify where you will install the Control Center:
  This computer: Select this option if you intend to install the Scanner and the Control Center on the same computer.
  Computer at IP address: Select this option to specify another computer on which you intend to install the Control Center, and then type the IP address of the computer.

2 On the Temporary Folder for LiveUpdate window, select the folder and click Next.

3 On the Ready to Install the Program window, click Install. Click Back to change or review your settings.

To register the Scanner

1 On the Brightmail Registration Wizard window, click Next. The registration wizard does not appear if a valid license is already registered. Proceed to step 5.

2 Type the location of your license file or browse to the location and select your Symantec license file (.slf), and then click Next. Your license file is an .slf file that you receive from Symantec's Enterprise Licensing System (ELS) when you purchase the product.

3 If your site requires a proxy server for HTTPS access, click Proxy Settings to specify the proxy server.

4 Click Finish to exit the Registration Wizard.

5 To complete the installation, click Finish.


To install the Control Center on Windows

1 Close all open applications before you install the Control Center.

2 Do one of the following to navigate to and launch the bcc_install_win.exe file:
  From the product CD-ROM: Insert the Symantec software distribution CD-ROM in your computer's CD-ROM drive. If the installer does not run automatically, open the Windows folder on the CD with Windows Explorer and double-click bcc_install_win.exe.
  From a downloaded zip file: Unzip the zip file. Double-click bcc_install_win.exe.

3 If you receive the Open File - Security Warning, click Run to proceed with the installation.

4 Click Next.

5 Read the license agreement, click I accept the terms of the License Agreement, and then click Next.

6 Click Next to choose the default folder for the Control Center or click Choose to select a different folder for the Control Center. If you upgrade from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x, this pane does not appear. The Control Center files are automatically installed in the same location as your Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x Control Center files.

7 On the Web Application Server window, do one of the following tasks:
  To install Tomcat: Do all of the following steps:
    Click Install included copy of Tomcat. Click Next.
    If you want to use a port address other than the default, type it in the Tomcat port number box. Click Next.
  To use your own Web application server: Do all of the following steps:
    Click Use my own Web Application server. Click Next.
    In the Application port number box, type the port address of the Web application server that you intend to use. Click Next.

8 On the MySQL Install Folder window, click Next to accept the default location for MySQL or type a new installation folder location. The default location for MySQL is C:\mysql. Symantec does not recommend that you install MySQL on a networked drive because it impacts the performance of the Control Center. If you do install MySQL on a networked drive, you must perform post-installation configurations to let services run on the networked drive. Ensure that you understand Windows permissions before you perform this task.

9 On the Pre-Installation Summary window, review the information and do one of the following tasks:
  Click Previous: Select this option to return to a previous setup page to make changes.
  Click Install: Select this option to proceed with installation.

10 When installation is complete, click Done.

Migrating to Symantec Message Filter

Symantec Message Filter supports upgrades from Symantec Brightmail AntiSpam version 6.0.5 or Symantec Brightmail Message Filter version 6.1.x/6.2.x. Issues that you should be aware of before you migrate to this version are as follows:

Upgrade your Scanners first: You must upgrade all of your Scanners before you upgrade the Control Center. See Post-installation tasks on page 72.

Files are reinstalled in the same location: The installer reinstalls the software in the same location as the previous version. If current versions of MySQL and Tomcat exist, they are not reinstalled. Except for the MySQL and Tomcat files, all Control Center binaries are updated.

Choose the same installation type: When the installer prompts you to choose the installation type, your choice must be the same as your previous configuration.

No need to re-register your license: If you use Linux or Solaris, you are prompted to register the license. This prompt occurs even if you have a valid license installed. You do not need to re-register your license. If you use Windows, the installer detects that you have a valid license registered, and you are not prompted to register one.

The password is reset: After you finish the upgrade, the password for the admin user is reset to symantec.

Quarantine data is migrated: Quarantine data is migrated automatically if the installer detects a previous version of the Quarantine on the computer.

Stop Tomcat before you install: Before you start a Linux or Solaris installation, stop Tomcat. As root, use the following command to stop Tomcat:
  /etc/init.d/tomcat4 stop

Post-installation tasks

Table 3-8 describes the post-installation tasks that you should perform after you install Symantec Message Filter.

Table 3-8 Post-installation tasks

Task: Verify that the Scanner is installed.
Details and reference: See Verifying Scanner installation on page 73.

Task: Verify that the Control Center is installed.
Details and reference: See About verifying Control Center installation on page 74.

Task: For the Linux and Solaris platforms, remove specific .stop files before you run Symantec Message Filter processes.
Details and reference: See About removing .stop files on page 75.

Task: Start the Scanner.
Details and reference: Start the Scanner before you can add it to the Control Center. See Starting the Scanner on page 75.

Task: Add a Scanner to the Control Center.
Details and reference: You must add a Scanner the first time that you access the Control Center. Before you add the Scanner, ensure that you have started the Scanner. See Starting the Scanner on page 75. See Adding a Scanner on page 348.

Task: Register the license for your Scanner if you did not do so during installation or if you have additional licenses.
Details and reference: See About registering your Scanner license on page 357.

Task: If you use Postfix or Sendmail, configure the Milter API.
Details and reference: See Configuring the MTA to work with the Mail Filter API (Milter) on page 76.

Task: Before you use Symantec Message Filter, test the filtering options to ensure they work properly.
Details and reference: See Testing to ensure filtering works properly on page 77.

Task: If your internal servers relay outbound email through Symantec Message Filter, add those servers to the Allowed Senders list.
Details and reference: This task is particularly important if those servers are the probe partners that relay email through an outbound scanner. See Adding senders to the Allowed Senders List on page 315.

Task: Configure the product to optimize performance.
Details and reference: See Optimizing performance on Solaris SPARC on page 132. See Optimizing performance on Linux on page 135. See Optimizing performance on Windows on page 135.

Verifying Scanner installation

After you complete the Scanner installation, verify that it installed.

To verify Scanner installation on Linux and Solaris

View the installation log file located in the following location: /opt/symantec/sbas/Scanner
If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint. This file is a plain text file, viewable with a text editor such as vi. The first page contains a summary of the successful actions and any warnings, and nonfatal and fatal errors. The rest of the file has details about the installer's actions.

To verify Scanner installation on Windows

1 On the Windows Start menu, click Settings > Control Panel > Add/Remove Programs. If the Scanner was properly installed, "Brightmail Scanner" appears in the list of programs.

2 From the Control Panel, double-click Administrative Tools > Services. If only the Client is installed, only the Agent appears in the list of services. If the Server is installed, Brightmail Server, Brightmail Conduit, Brightmail LiveUpdate, Brightmail SMTP Harvester, and Brightmail Virus Cleaner also appear. The Client is not a process in Windows. It runs as part of the Windows SMTP service.

About verifying Control Center installation

You can check the log file that the installer creates to ensure that the Control Center is installed. The log file can verify the installation or diagnose any problems that you encounter when you install the Control Center. The installation log file is different than the runtime log file, BrightmailLog.log. The installation log file, called Brightmail_Control_Center_InstallLog.log, is located in the following location:
  Linux and Solaris: /opt/symantec/sbas/ControlCenter
  Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.
  Windows: C:\Program Files\Symantec\SBAS\ControlCenter

This file is a plain text file, viewable with a text editor such as Notepad or vi. The first page contains a summary of the successful actions, warnings, and nonfatal and fatal errors. The rest of the file has details about the installer's actions.

About removing .stop files

By default, after you install Symantec Message Filter on Linux or Solaris, the installer creates the following stop files:
  bmifilter.stop
  bmserver.stop
  conduit.stop
  harvester.stop
  jlu-controller.stop

You must delete these files manually for these processes to run. These files are installed in the following location: <installation folder>/Scanner/jobs/<subfolders>

Starting the Scanner

Before you can add a Scanner to the Control Center, you must start it. After you add the Scanner to the Control Center, you can start and stop the Scanner and its components from the Control Center. See Starting and stopping Symantec Message Filter Scanners and components on page 352.

To start the Scanner on Linux and Solaris

1 Log on as root.

2 Type the following command:
  /etc/init.d/mailwall start

To start the Scanner on Windows

1 On the Windows Start menu, click Administrative Tools > Services.

2 In the Name column, right-click on Brightmail Server and select Start.

3 Close the Services window.


Configuring the MTA to work with the Mail Filter API (Milter)

Your installation must have support enabled for the Mail Filter API (Milter). Milter is necessary to support external mail filters, such as Symantec Message Filter. If you use Postfix or Sendmail, you must configure them to work with Milter.

Configuring the Milter protocol for Postfix

Symantec Message Filter supports Postfix 2.4 or later. To integrate Symantec Message Filter with a Postfix installation, modify the Postfix configuration file. The Postfix configuration file should specify the following information about the Milter protocol:
  The name of the Milter application's listening socket
  The Milter protocol version that Postfix should use

For more information about the Milter protocol, on the Internet, go to the following URL: http://www.postfix.org/MILTER_README.html#smtp-only-milters

To configure the Milter protocol for Postfix

1 Open the following file in a text editor application: /etc/postfix/main.cf

2 Add the following lines:
  smtpd_milters = inet:<ip address>:<port>
  milter_protocol = 2
where <ip address> is the IP address of the host where the Scanner is installed and <port> is a valid port. The default port is 41001.

3 Save and close the file.
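A check for the two settings above, written as an added example for this guide (it is not code from Symantec or from Postfix). It parses main.cf with the logical-line rules of postconf(5) and reports anything that does not match the Milter settings described here; the sample configurations and the 192.0.2.10 Scanner address are constructed for the example.

```python
"""Check the Milter settings in a Postfix main.cf.

Added example, not code from the Symantec guide or from Postfix. It reads
main.cf with the parameter-file rules from postconf(5): one "key = value"
per logical line, a line that starts with whitespace continues the previous
logical line, and a line whose first non-blank character is "#" is a comment.
It then checks the two settings the guide calls for: smtpd_milters pointing
at an inet:<ip address>:<port> socket and milter_protocol set to 2.
"""
import re

DEFAULT_MILTER_PORT = 41001  # default Scanner Milter port given in the guide


def parse_main_cf(text):
    """Return {parameter: value} for the logical lines of a main.cf."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Continuation of the previous logical line.
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; ignore
        current = key.strip()
        params[current] = value.strip()
    return params


def check_milter_settings(text):
    """Return a list of findings; an empty list means main.cf matches the guide."""
    params = parse_main_cf(text)
    findings = []

    # Postfix accepts several milters separated by commas or whitespace.
    sockets = [s for s in re.split(r"[,\s]+", params.get("smtpd_milters", "")) if s]
    if not sockets:
        findings.append("smtpd_milters is not set: Postfix will not hand mail to the Scanner")
    for sock in sockets:
        m = re.fullmatch(r"inet:([^:]+):(\d+)", sock)
        if m is None:
            findings.append("smtpd_milters entry %r is not an inet:<ip address>:<port> socket" % sock)
            continue
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            findings.append("smtpd_milters entry %r has an invalid port" % sock)
        elif port != DEFAULT_MILTER_PORT:
            findings.append("smtpd_milters entry %r does not use the default Scanner port %d; "
                            "confirm the Scanner listens there" % (sock, DEFAULT_MILTER_PORT))

    proto = params.get("milter_protocol")
    if proto != "2":
        findings.append("milter_protocol is %s; the guide requires milter_protocol = 2"
                        % (repr(proto) if proto is not None else "not set"))
    return findings


# Constructed sample configurations (not from the guide); 192.0.2.10 is a
# documentation address standing in for the Scanner host.
GOOD_MAIN_CF = """\
# Postfix main.cf fragment
myhostname = mail.example.com
smtpd_milters =
    inet:192.0.2.10:41001
milter_protocol = 2
"""

BAD_MAIN_CF = """\
myhostname = mail.example.com
smtpd_milters = unix:/var/run/milter.sock
# milter_protocol left unset
"""

if __name__ == "__main__":
    for label, cf in (("good", GOOD_MAIN_CF), ("bad", BAD_MAIN_CF)):
        print(label, check_milter_settings(cf) or ["OK"])
```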

Configuring the Milter protocol for Sendmail

Verify whether the Milter protocol is supported (see To verify if you have Milter support enabled). If it is not, follow the procedure To compile Sendmail 8.12 to use external mail filters. These steps add the necessary lines to the build configuration file in the Sendmail directory and build a new version of Sendmail. If you have problems when you build and configure Sendmail, on the Internet, go to the following URL: https://www.milter.org/developers/installation

If you do not have the Sendmail source, you can find it on the Sendmail Web site. On the Internet, go to the following URL: http://www.sendmail.org
See About integrating Sendmail on page 223.

To verify if you have Milter support enabled

Type the following command:
  /usr/lib/sendmail -bt -d0 < /dev/null
If you see a reference to MILTER, then your Sendmail installation has the required Milter support, and you can skip this section.

To compile Sendmail 8.12 to use external mail filters

1 Log on as root.

2 Change to your base Sendmail directory and open the build configuration file (located at devtools/Site/site.config.m4). You can create this file if it does not exist.

3 Add the following line:
  APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')

4 Save your changes to the build configuration file.

5 In the Sendmail directory, type the following to build Sendmail 8.12 with the new settings:
  sh Build -c

6 To verify external filter support, type the following:
  /usr/lib/sendmail -bt -d0 < /dev/null

Testing to ensure filtering works properly

The following are sample tests by which you can verify that Symantec Message Filter filters your email as expected. Use these tests as models for additional tests you might want to perform periodically.

Verifying the normal delivery of legitimate mail

You can verify whether the MTA works properly with the Client to deliver legitimate mail.

To verify normal delivery of legitimate mail

1 Send an email with the subject line "Normal Delivery Test" to a user.

2 Verify that the test message arrives correctly in the normal delivery location on your local host.

Verifying spam filtering

This test assumes that you use default installation settings for spam message handling.

To verify spam filtering

1 Create a POP3 account on an email client, such as Outlook Express. For the SMTP Server setting on this account, specify the IP address of the computer on which you have installed and started the Scanner.

2 Compose an email message and address it to an account on the computer that runs the Scanner.

3 Give the message a subject that is easy to find, such as "Test Spam Message."

4 To classify the message as spam, include the following URL on a line by itself in the message body: http://www.example.com/url-1.blocked/

5 Send the message.

6 Check the email account to which you sent the message. You should find a message with the same subject prefixed by the word [Spam].

7 Send a message that is not spam to the same account.

8 After several minutes pass, in the Control Center, click Status > Overview. The Total Spam Messages counter on the Summary page increases by one if filtering works properly.

Testing antivirus filtering

You can verify that antivirus filtering works correctly by sending a test message that contains a pseudo-infected virus. This pseudo-infected virus is not a real virus.

To test antivirus filtering

1 Create an email message and address it to a test account.

2 Attach a virus test file, such as eicar.com, to the email. To locate a virus test file, on the Internet, go to the following URL: http://www.eicar.org/

3 Send the message. The test message should be forwarded to the following folder: C:\Program Files\Brightmail\AVSpool

4 Verify that at least two files exist in the AVSpool directory: filename and filename.recipients, where filename is any valid file name.

5 Check the mailbox for the test account to verify receipt of the test message with the added cleaner message text.

Verifying spam messages are forwarded to the Quarantine

You can view spam messages when you log into the Control Center as an administrator if the following conditions occur:
  You configure the product to forward spam messages to the Quarantine
  Both the Control Center and at least one Scanner are running

You might experience a slight delay until the first spam message arrives, depending on the amount of spam that your organization receives. You must configure the Scanner to forward spam messages to the Quarantine. By default, Symantec Message Filter inserts [Spam] in the subject line of spam messages. It then delivers the message to the user's inbox rather than the Quarantine. You can configure the following Symantec Message Filter message categories to forward messages to the Quarantine:
  Spam
  Suspected spam
  Messages from blocked senders
  Messages that contain company-specific content (as defined by you)
  Messages that are unscannable for viruses

You can choose to have all, some, or none of these message types forwarded to the Quarantine.

The Quarantine only supports the ISO-Latin-1 character set. If messages are processed into the Quarantine database in other character sets, any non-compliant characters may not be readable.

To set up delivery of messages to Quarantine

1 In the Control Center, click the Settings tab, and then click Group Policies.

2 Under Groups, click the appropriate group, such as Default.

3 Click Edit.

4 Under AntiSpam Actions, set the filtering action to Quarantine the Message for the wanted message types.

5 Click Save.

To send a message that is classified as spam

1 Through an email client, open an email that is addressed to an account that is configured to forward spam to the Quarantine.

2 Give the message a subject that is easy to find, such as Test Spam Message.

3 To classify the message as spam, include the following URL on a line by itself: http://www.example.com/url-1.blocked/

4 Send the message.

5 Log on to the Control Center as an administrator and click the Quarantine tab.

6 Select the Administrator Messages List page and search for a message with the subject Test Spam Message.

About timeout values for MTA that are integrated with Symantec Message Filter

Symantec recommends that you configure the MTAs where Symantec Message Filter is installed to limit the types of email connections that the MTA accepts. This configuration lets you harden the MTA against various forms of spam attack and also lets the MTA conserve processing power and resources. An MTA can work more efficiently when the timeout values are fine-tuned or configured for a particular environment. These timeout values prevent the MTA and Symantec Message Filter from accepting and processing invalid messages. However, if the values are reduced too much, the MTA can reject even valid messages. Symantec recommends that you test and configure the MTA timeouts based on your network environment and local server resource limitations. Ensure that the MTA timeout values suit your business requirements for email delivery speed and spam hygiene.
See Example of configuring sendmail timeout values on page 81.
See Microsoft Internet Information Services (IIS) SMTP timeout values on page 82.
See Sun Java Messaging Server MTA timeout values on page 82.

Example of configuring sendmail timeout values

The following examples show a default sendmail configuration as compared to a tuned sendmail configuration. The tuned configuration is designed to drop any message that takes over five minutes to process. By default, the sendmail configuration file is located at /etc/mail/sendmail.cf. The default values of the sendmail.cf file are listed as follows:

# timeouts (many of these)
#O Timeout.initial=5m
O Timeout.connect=1m
#O Timeout.aconnect=0s
#O Timeout.iconnect=5m
#O Timeout.helo=5m
#O Timeout.mail=10m
#O Timeout.rcpt=1h
#O Timeout.datainit=5m
#O Timeout.datablock=1h
#O Timeout.datafinal=1h
#O Timeout.rset=5m
#O Timeout.quit=2m
#O Timeout.misc=2m
#O Timeout.command=1h
O Timeout.ident=0
#O Timeout.fileopen=60s
#O Timeout.control=2m

Note: Some of the values in the sendmail.cf file are for an hour or more.

The tuned sendmail.cf configuration file is as follows:

# timeouts (many of these)
#O Timeout.initial=5m
O Timeout.connect=1m
#O Timeout.aconnect=0s
#O Timeout.iconnect=5m
#O Timeout.helo=5m
#O Timeout.mail=10m
O Timeout.rcpt=5m
#O Timeout.datainit=5m
O Timeout.datablock=5m
O Timeout.datafinal=5m
#O Timeout.rset=5m
#O Timeout.quit=2m
#O Timeout.misc=2m
O Timeout.command=5m
O Timeout.ident=0
#O Timeout.fileopen=60s
#O Timeout.control=2m

Note: The values of Timeout.command, Timeout.datablock, Timeout.rcpt, and Timeout.datafinal are changed to five minutes. For information on configuring the sendmail MTA with timeouts, see http://www.sendmail.org/~ca/email/doc8.12/op-sh-4.html
See About timeout values for MTA that are integrated with Symantec Message Filter on page 80.
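An audit of the two timeout blocks above, added here as an example and not taken from the guide or from sendmail: it reads the effective Timeout.* values from a sendmail.cf (an active "O" line, or the commented "#O" default line when nothing overrides it) and lists every timeout longer than the five-minute ceiling the tuned configuration targets. The interpretation of a unit-less number as minutes is an assumption noted in the code.

```python
"""Audit the effective Timeout.* values in a sendmail.cf.

Added example, not code from the Symantec guide or from sendmail. In a
generated sendmail.cf a commented "#O Timeout.x=..." line documents the
compiled-in default, while an uncommented "O Timeout.x=..." line sets the
option explicitly, so the audit takes the active line when present and
otherwise falls back to the commented default. It then reports every
timeout longer than a ceiling, five minutes by default, which is the limit
the tuned configuration in the guide is designed around.
"""
import re

# "#O Timeout.rcpt=1h" (commented default) or "O Timeout.rcpt=5m" (active).
_TIMEOUT_RE = re.compile(r"^(#?)O\s+Timeout\.(\w+)\s*=\s*(\S+)")

_UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_interval(value):
    """Convert a sendmail time interval such as "1h", "90s" or "1h30m" to seconds.

    A number without a unit is read as minutes, which this example assumes to
    be sendmail's default unit for Timeout options (check your sendmail version).
    """
    tokens = re.findall(r"(\d+)([wdhms]?)", value)
    if not tokens or "".join(num + unit for num, unit in tokens) != value:
        raise ValueError("not a sendmail interval: %r" % value)
    return sum(int(num) * _UNIT_SECONDS.get(unit, 60) for num, unit in tokens)


def effective_timeouts(config_text):
    """Return {name: (seconds, explicit)} for every Timeout option in the file.

    explicit is True when an uncommented "O Timeout.name=" line set the value,
    False when only the commented default line was found.
    """
    result = {}
    for raw in config_text.splitlines():
        m = _TIMEOUT_RE.match(raw.strip())
        if m is None:
            continue
        commented, name, value = m.groups()
        seconds = parse_interval(value)
        if commented:
            # A documented default never overrides an active setting.
            result.setdefault(name, (seconds, False))
        else:
            result[name] = (seconds, True)
    return result


def timeouts_over(config_text, ceiling_seconds=300):
    """Sorted option names whose effective timeout exceeds the ceiling."""
    return sorted(
        name for name, (seconds, _explicit) in effective_timeouts(config_text).items()
        if seconds > ceiling_seconds
    )


# The default timeout block shown in the guide, embedded as sample input.
DEFAULT_CF = """\
# timeouts (many of these)
#O Timeout.initial=5m
O Timeout.connect=1m
#O Timeout.aconnect=0s
#O Timeout.iconnect=5m
#O Timeout.helo=5m
#O Timeout.mail=10m
#O Timeout.rcpt=1h
#O Timeout.datainit=5m
#O Timeout.datablock=1h
#O Timeout.datafinal=1h
#O Timeout.rset=5m
#O Timeout.quit=2m
#O Timeout.misc=2m
#O Timeout.command=1h
O Timeout.ident=0
#O Timeout.fileopen=60s
#O Timeout.control=2m
"""

# The tuned block from the guide differs only in the four five-minute settings.
TUNED_CF = (
    DEFAULT_CF.replace("#O Timeout.rcpt=1h", "O Timeout.rcpt=5m")
    .replace("#O Timeout.datablock=1h", "O Timeout.datablock=5m")
    .replace("#O Timeout.datafinal=1h", "O Timeout.datafinal=5m")
    .replace("#O Timeout.command=1h", "O Timeout.command=5m")
)

if __name__ == "__main__":
    for label, cf in (("default", DEFAULT_CF), ("tuned", TUNED_CF)):
        print("%s sendmail.cf, timeouts over 5 minutes: %s" % (label, timeouts_over(cf)))
```

Run against the tuned block, the audit still reports Timeout.mail, which the tuned file leaves at its commented 10m default; adjust the ceiling, or that option, to match your own delivery requirements.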

Microsoft Internet Information Services (IIS) SMTP timeout values


For information on configuring IIS SMTP timeout values, see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/ Library/IIS/31a2f39c-4d59-4cba-905c-60e7af657e49.mspx?mfr=true. See About timeout values for MTA that are integrated with Symantec Message Filter on page 80.

Sun Java Messaging Server MTA timeout values


For information on configuring Sun Java Messaging Server MTA timeout values, see http://download.oracle.com/docs/cd/E19566-01/819-4428/6n6j4267r/index.html.


See About timeout values for MTA that are integrated with Symantec Message Filter on page 80.

Uninstalling Symantec Message Filter


Uninstall Symantec Message Filter based on the operating system that you use as follows:
Linux and Solaris
You can uninstall the software with the command line or the GUI installer.
See To uninstall the Scanner from Linux and Solaris at the command line on page 83.
See To uninstall the Control Center from Linux and Solaris at the command line on page 84.
See To uninstall the Scanner from Linux and Solaris with the GUI installer on page 84.
See To uninstall the Control Center from Linux and Solaris with the GUI installer on page 85.

Windows
Use the Windows Add/Remove Programs utility to uninstall the product.
See To uninstall the Scanner from Windows on page 85.
See To uninstall the Control Center from Windows on page 85.

When you uninstall Symantec Message Filter, the uninstaller utility removes the files and directories that were initially installed with the installation script. However, the files that were modified since installation are not removed. When uninstallation is complete, the uninstaller utility provides a list of the directories and files that were not removed. If you do not intend to reinstall the product, you can remove these files manually. You must uninstall the Scanner separately from the Control Center.

To uninstall the Scanner from Linux and Solaris at the command line

1 Log on as the root user.

2 Type the following command to stop the Scanner:

/etc/init.d/mailwall stop

3 Type the following command to uninstall the Scanner:

/opt/symantec/sbas/Scanner/uninstall.sh
Password: <your_root_password>

If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.

4 At the confirmation prompt, press Enter to continue.

To uninstall the Control Center from Linux and Solaris at the command line

1 Type the following command:

$ su root -c /opt/symantec/sbas/ControlCenter/uninstall.sh
Password: <your_root_password>

If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.

2 At the confirmation prompt, press Enter to continue.

To uninstall the Scanner from Linux and Solaris with the GUI installer

1 Log on as the root user.

2 Type the following command to stop the Scanner:

/etc/init.d/mailwall stop

3 Type the following command to uninstall the Scanner:

$ su root -c /opt/symantec/sbas/Scanner/uninstall.sh -i awt
Password: <your_root_password>

If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.

4 Click Uninstall.

5 Click Done.


To uninstall the Control Center from Linux and Solaris with the GUI installer

1 Type the following command to uninstall the Control Center:

$ su root -c /opt/symantec/sbas/ControlCenter/UninstallerData/Uninstall_Brightmail_Control_Center -i awt
Password: <your_root_password>

If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.

2 Click Uninstall.

3 Click Done.

To uninstall the Scanner from Windows

1 On the Windows Start menu, click Administrative Tools > Services.

2 In the Name column, right-click Brightmail Scanner and click Stop.

3 Close the Services window.

4 On the Windows Start menu, click Programs > Symantec Message Filter > Uninstall Brightmail Scanner.

5 In the confirmation dialog box, click Yes.

To uninstall the Control Center from Windows

1 On the Windows Start menu, click Programs > Symantec Message Filter > Uninstall Brightmail Control Center. A DOS window appears and prompts you to confirm uninstallation.

2 Type Y and press Enter.

3 On the Uninstall Brightmail Control Center pane, click Uninstall to start the uninstallation process.

4 When uninstallation is complete, click Done.


Chapter

Configuring the Control Center


This chapter includes the following topics:

About the Control Center
Viewing and modifying advanced configuration attributes
Working with MySQL database

About the Control Center


You can use the Control Center to do the following tasks:

Start and stop servers
View logs and reports
Set configuration options
Consolidate statistics, report data, and logs

Symantec Message Filter is scalable from small sites of fewer than a hundred users to sites that serve tens of thousands of users. However, the Control Center can typically only manage sites with up to approximately 100,000 users. If your site is too large for the Control Center, you can run the product in a stand-alone configuration. See About configuring settings without using the Control Center on page 144. To help you decide whether your site is too big for the Control Center, consider the following factors:

The Quarantine can only accommodate up to 30,000 users.

Setting log levels too high can have a major impact if your site has more than 10,000 users. At the highest level (debug), several hundred database rows can be added for each processed message. See About planning for disk space storage needs on page 34.

Extensive reporting through the Control Center can have a major impact. If you use per-sender or per-recipient reports, at least one database row is added for each message.

The maximum number of entries in a Group Policy Members list is approximately 10,000. If you require more than 10,000 list entries, you need to modify MySQL (and possibly Tomcat) configuration values to support additional entries. This limitation refers to the number of entries in the Group Policy Members list, not the number of users at your company. See Working with MySQL database on page 107. See About group policies on page 241.

See Considerations for tuning the Control Center on page 135.

Accommodating more than 10,000 users per group policy


The default memory settings of MySQL impose the limit in which the Symantec Message Filter database is stored. By default, Symantec Message Filter supports 10,000 users per Group Policy. In addition to MySQL settings, an increase in Tomcat memory may also be required. Table 4-1 provides the default locations for the MySQL and Tomcat files.

Table 4-1 MySQL and Tomcat file locations

Platform: Linux and Solaris
MySQL: /opt/symantec/sbas/ControlCenter/MySQL
Tomcat: /opt/symantec/sbas/ControlCenter/Tomcat
Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.

Platform: Windows
MySQL: c:\mysql
Tomcat: c:\Program Files\Symantec\SBAS\ControlCenter\Tomcat\jakartatomcat-4.1.27


Logging onto the Control Center


When you log onto the Control Center, make sure you type your user name and password in the correct case. Note the difference between kris, Kris, and KRIS. If you see an error message similar to the following, you have attempted to log on as an administrator without sufficient privileges to add a Scanner:
The system configuration is incomplete. An administrator with full privileges must add a Scanner first.

Only non-administrative users can log into the Control Center with their LDAP credentials. Ensure that you configure LDAP when you initially install and configure the Control Center. See About LDAP compatibility for the Quarantine on page 249. You must add a Scanner in the Control Center to access the rest of the Control Center pages. Only an administrator with full privileges can add a Scanner. To enable access for administrators without full privileges, log on as an administrator with full privileges and configure a Scanner. See Adding a Scanner on page 348.

To log onto the Control Center

1 In a Web browser, go to the following URL:

http://<host:port>/brightmail/index.jsp

where <host:port> is the computer on which you installed the Control Center and the port number that you assigned. The default port number is 41080.

2 In the Login box, do one of the following:

If you are a new administrative user: Type admin.
If you have an account on an iPlanet, Sun ONE, or Java Directory Server: Type your full email address (for example, jdoe@symantecexample.com).
If you have an Active Directory account: Type your user name (for example, kris).

3 In the Password box, do one of the following:

If you are a new administrative user: Type the default password. Contact your system administrator if you do not know the password.
If you have an account on an iPlanet, Sun ONE, or Java Directory Server: Type the password that you normally use to log on to your system.
If you have an Active Directory account: Type the password that you normally use to log on to your system. Then select the LDAP server that you use to verify your credentials.

4 Click Login.

Logging off of the Control Center


To secure the Control Center, log off when you are finished making changes. You are automatically logged off if you do not use the Control Center for a certain period (usually 30 minutes). If that happens, log on again.

To log off of the Control Center

1 Click the Log Out icon in the upper right corner of the current page.

2 For security purposes, close your browser window to clear your browser's memory.

Changing the location of the Control Center on a Scanner


You can move your Control Center installation to a different computer. If the IP address stays the same and the MySQL tables are backed up and can be restored, no special configuration steps are required. If you must change the IP address, change the Agent configuration file on all of your Scanners. This change lets the new Control Center communicate with your Scanners.


To change the location of the Control Center on a Scanner

1 In a text editor, open the following file on the Scanner:

Linux and Solaris: Default directory: /opt/symantec/sbas/Scanner/etc/agentconfig.xml
Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
Windows: C:\Program Files\Symantec\sbas\Scanner\Config\agentconfig.xml

2 Find the following section in the agentconfig.xml file:

<allowedIPs>
  <allowedIP>10.10.18.91</allowedIP>
</allowedIPs>

3 Change the value of allowedIP to the new IP address for the Control Center. You can specify multiple IP addresses with multiple <allowedIP> tags. In each <allowedIP> tag, you can use either of the following notations:

Single host: 128.113.213.4
CIDR: 198.0.0.0/8 (equivalent to 198.0.0.0/255.0.0.0)

Before you specify multiple IP addresses, make sure that you understand the security implications for your network.
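The <allowedIP> entries decide which hosts a Scanner accepts as its Control Center, so a broad CIDR block widens that trust to every address in the range. As an added example (not Symantec's code), the following Python script audits and rewrites the <allowedIPs> block; the guide shows only that element, so the enclosing <agentConfig> root and the sample entries are constructed for illustration.

```python
"""Audit and rewrite the <allowedIPs> block of agentconfig.xml (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample built around the element shown in the guide; the root
# element name is an assumption, not taken from a real agentconfig.xml.
SAMPLE_AGENTCONFIG = """<?xml version="1.0"?>
<agentConfig>
  <allowedIPs>
    <allowedIP>10.10.18.91</allowedIP>
    <allowedIP>198.0.0.0/8</allowedIP>
    <allowedIP>192.0.2.0/255.255.255.0</allowedIP>
    <allowedIP>not-an-address</allowedIP>
  </allowedIPs>
</agentConfig>
"""


def parse_allowed_ip(text):
    """Parse one entry in either notation the guide allows.

    A single host becomes a /32 network; 'addr/prefix' and 'addr/mask'
    forms (198.0.0.0/8 and 198.0.0.0/255.0.0.0) parse to the same network.
    Raises ValueError for text that is not an address or network.
    """
    text = text.strip()
    if "/" not in text:
        return ipaddress.ip_network(text)
    return ipaddress.ip_network(text, strict=False)


def audit_allowed_ips(xml_text, narrowest_ok_prefix=24):
    """Classify every <allowedIP> entry.

    Returns {'ok': [...], 'broad': [...], 'invalid': [...]}; an entry is
    'broad' when its prefix is shorter than narrowest_ok_prefix, i.e. it
    trusts more addresses than a single subnet.
    """
    root = ET.fromstring(xml_text)
    result = {"ok": [], "broad": [], "invalid": []}
    for elem in root.iter("allowedIP"):
        raw = (elem.text or "").strip()
        try:
            net = parse_allowed_ip(raw)
        except ValueError:
            result["invalid"].append(raw)
            continue
        if net.prefixlen < narrowest_ok_prefix:
            result["broad"].append(f"{raw} ({net.num_addresses} addresses)")
        else:
            result["ok"].append(str(net))
    return result


def set_allowed_ips(xml_text, addresses):
    """Replace the <allowedIPs> contents with the given entries.

    Every entry is validated first so a typo cannot lock the Scanner
    away from its Control Center. Returns the serialized document.
    """
    for addr in addresses:
        parse_allowed_ip(addr)  # ValueError on a malformed entry
    root = ET.fromstring(xml_text)
    block = root.find(".//allowedIPs")
    if block is None:
        raise ValueError("no <allowedIPs> element found")
    for child in list(block):
        block.remove(child)
    for addr in addresses:
        ET.SubElement(block, "allowedIP").text = addr
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for kind, entries in audit_allowed_ips(SAMPLE_AGENTCONFIG).items():
        print(f"{kind}: {entries}")
    # Move the Control Center to a constructed new address.
    print(set_allowed_ips(SAMPLE_AGENTCONFIG, ["10.10.18.92"]))
```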

Viewing and modifying advanced configuration attributes


Warning: Symantec recommends that you do not change any advanced configuration attribute values, except under the direction of Symantec Support. Changes to these values can result in unexpected behavior and can severely affect system performance and the effectiveness of filtering.

To view or modify an advanced configuration attribute

1 In the Control Center, click the Settings tab.

2 To access the Advanced Attributes page, hold down the right Shift key while simultaneously pressing the a key.

3 Fill out the following fields as appropriate:

Host: From the drop-down list, select the Scanner to configure. You can ignore this field if you want all of your changes to apply to all hosts.
Check all: Check this box if you want all of your changes to apply to all hosts.
Attribute: Enter the new value for the attribute in the appropriate text box. If you want this change to apply to all hosts, check the check box to the left of the configuration attribute.
Value: Enter the new value to be used for the attribute.

4 Change as many attributes and values for one or all hosts as you want before you continue to the next step.

5 Click Save to commit your changes.

About advanced configuration attributes


The types of advanced attributes are as follows:

Host-specific attributes
Global attributes

The types of global attributes are as follows:


SMTP Listener
Rule set
Client-side opt-in

Host-specific attributes
You can change the values for attributes in this section for a single Scanner or for all of the Scanners in your network, as follows:

If you change the value for one or more host-specific attributes and the boxes to the left of those attributes are not checked, your changes affect only the Scanner that you specify in the Host field at the top of the page.

If the boxes to the left of the attributes are checked when you save your changes, your changes affect all Scanners in your configuration. You can use the Check all box to simultaneously check all of the checkboxes.

Filter client transaction timeout in seconds
Number of seconds the Client waits for a response from the Server before it times out and logs an error. For example, the default value is 0 and indicates that the timeout is not in effect: the Client waits indefinitely for a response from the Server. A value of 20 indicates that the Client waits 20 seconds for a response from the Server. If the Client has only received a partial response or no response in 20 seconds, it times out. Then it writes an error to the log file. If the Client gets a full response from the Server within 20 seconds, then the Client proceeds as normal.
Example: 20
Default: 0

Filter client connection timeout in seconds
The amount of time in seconds that the Client waits before it gives up on the connection attempt. Set a non-zero value for this attribute if the Client hangs when attempting connections. The proper setting varies depending on network topology, particularly on the proximity of the Client and Server, as well as on network load. A suggested initial value is 5 seconds. After setting an initial value, observe performance and adjust as needed. A value of 0 disables the timeout. If you set this attribute to a number greater than 0, the Client creates a non-blocking socket. It then polls for a connection until the specified number of seconds have passed.
Default: 0

Filter client number of persistent connections
The number of connections with each Server that is maintained in an open state during message processing. Also sets the maximum number of connections possible with each Server. If this value is not present in the configuration file, the default value is used. Unless you have some specific reason for providing a value, it should not be modified.
Default: 512

Filter client delay communication initialization
The client function, bmiInitSystem, of the SDK opens a single connection to each Server that is listed in the client configuration file. This function is normally the right thing to do. However, in certain circumstances this behavior causes more connections to be opened than necessary if more than one Server is configured. An example of such a circumstance is when the client is integrated into an MTA which processes mail by forking and then calling the bmiInitSystem function. When this configuration option is set to true, it delays the establishment of connections until bmiInitMessage is called.
Default: false


Send mail connection
If you use Sendmail, the listening socket for your Sendmail connection. The socket address that you provide here must match a corresponding address in the sendmail.cf configuration file. See Configuring Sendmail for Symantec Message Filter with sendmail.cf on page 226. To create the socket, you must specify a port number. The general form is [type:]type_specific_data. Type can be unix or local.

Regular expression module maximum total headers length
Provides the maximum number of bytes in all message headers that the regular expressions module examines. Messages that exceed this limit are considered to be part of a denial-of-service attack and are automatically considered spam.
Default: 32768

Regular expression module gray threshold
Provides the gray threshold for all message headers that the regular expressions module examines. Messages that exceed this threshold are not considered part of a denial-of-service attack. But the messages might warrant special treatment as considered appropriate by the customer, such as being sent to the Quarantine for review.

SpamSig module gray threshold
A gray verdict may indicate that a message contains spam characteristics. However, those characteristics might not be enough to be deemed as spam by Symantec but are enough to warrant special treatment. For example, the messages can be sent to the Quarantine for review. A gray verdict is the sum of the weights of the rules that fired (w) between the gray (g) and spam (s) thresholds: w in [g, s]

Checked DNSBL received headers
Enables or disables a lookup of the IP addresses in the RECEIVED: line headers of a message, using the Third-Party Blacklist Services. A value of true enables DNS lookup. A value of false disables it.
Note: Setting this value to true can impose a significant performance penalty and is not recommended.
Default: false


Maximum queue size for the Brightmail Server in bytes
The Server can buffer transactions. Transaction buffering is valuable when more messages come into the server than it can handle. Set this value to equal the highest number of messages your computer can process simultaneously.
Default: 2048

Minimum size of message data store in bytes
The Server creates a message data store for each message that it processes. The message data store uses the number of bytes of RAM specified by this attribute. Set this value to be larger than the typical message size in your mail system. The minimum size that is specified is allocated for each message, even if a message is one byte in size. Setting too high a value increases the size of the Server in memory. Setting too low a value causes the Server to write to disk more often, as many messages exceed the initial size.
Default: 64

Maximum number of Brightmail Server connections
Determines the maximum number of connections the Server accepts from all Clients.
Note: By default, this value is determined dynamically when the computer is started. Changing this value is not recommended.

Maximum bmserver service threads
Configures the number of service threads that are active on a Server. Service threads are the threads that do the actual filtering of a message. The more I/O the engine is configured to do, the more extra threads can be used. Increase this value only on systems with four or more CPUs. The recommended tuning is the number of CPUs on the computer multiplied by 2, plus 1. For example, on a computer powered by Intel based processors with four CPUs, the recommended setting is 9, as (4 x 2) + 1 = 9. On the computers that run Solaris with Sun Coolthreads, the recommendation is 1 thread per Cool Thread.
Default: 32

Keep alive
Maintain idle client-server connections.
Default: true

Spam hunter urlhash limit
Specifies the maximum size for which the Spamhunter Module examines large messages using only URLhash rules. These filters are fast regardless of the message size. This attribute has the following possible values:

0: A value of 0 disables this feature. The Spamhunter Module does not examine messages larger than the value that the rule set header identifies (currently 130,000).
Positive integer less than 2000000000: A positive integer causes the Spamhunter Module to examine messages with bodies smaller than that integer. For example, a setting of 204800 results in the Spamhunter Module examining messages with bodies up to 200K in size.
-1: A value of -1 causes the Spamhunter Module to examine any message, regardless of size.

If the attribute is null, the default value applies. The performance penalty of decomposing large MIME messages increases linearly with the size of the message. If you are concerned with system performance or have a system that runs under very heavy load, you may want to set a smaller value. You can set a value of 0 to disable the feature.
Default: 0

Harvester interval
Length of time the Harvester waits during normal processing. The Harvester processes a batch of 2000 messages then waits the specified number of seconds before it processes the next batch.
Default: 60

Harvester SMTP timeout
Time in milliseconds after which the Harvester closes a connection to an SMTP server that does not respond.
Default: 60000

Harvester spool width
The width of the directory structure that is created under the spool directory.
Default: 8

Harvester spool depth
The depth of the directory structure that is created under the spool directory.
Default: 0

Harvester threads


Number of threads for Harvester to make available for connections to the SMTP Server(s).
Default: 5

AV module reinsertion time window
Maximum allowed time, in seconds, between when the AntiVirus Cleaner begins to process a message and when that message is passed to the MTA for delivery. If this time is exceeded, the message is scanned again.
Default: 600

AV Cleaner threads
The number of threads that the Cleaner runs.
Default: 5

AV Cleaner spool width
The width of the directory structure that is created under the AV Cleaner spool directory.
Default: 8

AV Cleaner spool depth
The depth of the directory structure that is created under the AV Cleaner spool directory.
Default: 0

Maximum file size that is allowed for AV Scanning in Cleaner
Maximum file size, in bytes, beyond which the system consults the boolean flag that specifies whether or not large files are to be deleted. The recommended value is at least 10 megabytes. Set this value to be equal to or larger than the maximum file size your system expects for any legitimate message.
Default: 104857600

AV Cleaner maximum scan time
Maximum time the AV Cleaner spends cleaning a message before it times out. If the timeout occurs, the cleaner reverts the message back to its original form (discarding any cleaning that has happened so far on the message). It then delivers the message with a notification that it cannot be cleaned.
Default: 600

Interval to send statistics to BLOC
Number of minutes to wait before statistics are sent to Symantec Brightmail Logistics Center.


Note: Do not change this value without consulting Symantec Support.
Default: 10

Clean Conduit statistics files older than
Sets the number of days that mc_stats files are retained on the computers that process messages but are not attached to the Control Center. These files are available for the Agent to process when the Control Center is again available.
Default: 3

Syslog
Typing ON in this text box causes all log information to go to the syslog facility on UNIX. On Linux or Solaris, all logs that are specified on the Log Settings page are directed to /var/log/maillog, and on Windows to the Event Viewer. On Linux or Solaris, a change to ON takes effect only after the Server is stopped and restarted. You can only perform this task from the Status page.
Note: Setting Syslog to ON causes the controls that are available from the Logs tab to be ineffective. Any changes that are made on the Logs tab do not take effect.
Default: off

Worm list
If a message contains a virus that has a name that matches one in the list, the message is tagged with a disposition of worm. This feature lets you discard worms without further virus processing. If a message contains a worm that does not match a name in this list, Symantec handles the message as a normal (non-worm) virus-infected message. The names that you supply on this attribute are case insensitive. Each name in the list is compared against all possible words in the name of the virus as returned by Symantec. A word is any sequence of characters that is delimited by non-alphanumeric characters or by the beginning or ending of the virus name string. For example, the following list shows all the words in the virus name W32.Klez.E@mm:

W32
Klez
E
mm
W32.Klez
Klez.E
E@MM
W32.Klez.E
Klez.E@MM
W32.Klez.E@MM

You can define a worm name of E, which would catch all the E variations of viruses.
Default: Yaha Bugbear Hybris Magistr Sobig Mimail Cult Dumaru

Fastpass module table size
This attribute is the capacity, in number of IP addresses, of the Fastpass table. A portion of this capacity (1/4th of the value specified) is reserved for the IP addresses that are granted passes (pass table). The remainder of the capacity is for the IP addresses that have not yet been granted passes (trial table).
Valid range: [1, MAXUINT]
Default: 250000

Fastpass module initial sampling rate
This attribute is the nominal sampling rate that is used when a pass is first issued. For instance, a value of 8 would result in nominally sampling 1 message out of 8. The nominal sampling rate is adjusted to determine an actual sampling rate that is based on the number of antispam modules that are enabled. For instance, if 4 antispam modules are enabled, the actual sampling rate is 1 out of 2 messages, with each message sampled being processed by 1 of the 4 modules. If the nominal sampling rate is less than the number of modules, each message from an IP address that has a pass is sampled by one of the modules. As additional legitimate messages are received from an IP address, the nominal sampling rate is adjusted so that fewer messages are sampled. There is an upper limit of 5 times the initial sampling rate (see the exception below). In other words, with the initial sampling rate specified of 8, the nominal sampling rate would gradually change as additional legitimate messages are processed until eventually the nominal rate of sampling is 1 message out of 40. If the value of "entry sampling rate" is 1, then the sampling rate does not increase with additional messages. This function can be used to eliminate the randomized behavior that would otherwise occur to facilitate the unit test cases and regression test cases that require identical behavior across multiple runs.
Valid range: [1, MAXUINT]


Default: 5

Fastpass module entry sampling rate
This attribute specifies the likelihood that an IP address that is not currently in the trial table or the pass table, from which a legitimate message is received, is entered into the trial table. A value of 1 results in every IP address from every legitimate message to be entered into the IP table. A larger value results in an IP address having only a 1 in <n> chance of being entered into the table each time a legitimate message from that IP address is received. For instance, specifying the entry rate as 5 would result in a 1 in 5 chance that an IP is entered into the IP table. A value of 1 ensures that IP addresses are entered into the trial table the first time a legitimate message from the IP address is received. It also results in using a fixed sampling rate. That is, the value of the "initial sampling rate" that is specified is used as the sampling rate regardless of the number of legitimate messages that are received.
Valid range: [1, MAXUINT]
Default: 3

Fastpass module legit messages required
This attribute is the number of legitimate messages which must be received from an IP address (ignoring any messages before the IP address is entered into the IP address table) before an IP is granted a pass.
Valid range: [1, MAXUINT]
Default: 12

Fastpass module ignore gray
This attribute controls whether or not Fastpass considers a message with a "gray" disposition to be legitimate. Enabling this option causes messages with gray dispositions to be treated as legitimate. The effect is that Fastpass is able to have a greater reduction in antispam processing than it otherwise would. But the tradeoff is that the messages that would otherwise have a gray disposition may be treated as if there was no disposition returned for them. If an IP address does not have a pass, this setting does not affect the action that is taken on the messages that get a "gray" disposition.
Default: false

Fastpass bounce string list
This attribute specifies a series of strings that may indicate a message is a "bounce." A bounce is a message that is automatically generated. If any bounce string that is specified occurs (in unencoded form) within either the "subject" or "from"


header, then the message is treated as a bounce. The message is excluded from Fastpass processing. This comparison is case-insensitive. Regardless of the bounce strings that are defined, any message that contains an "auto-submitted" header is treated as a bounce.
Default: mailer-daemon postmaster autoreply auto-reply

Fastpass ignore /24 CIDR block
Use this attribute to cause Fastpass to drop all entries from the table in the entire /24 block when a spam message is received from an address which is in either the pass table or the trial table.
Default: true

Rule-based extraction normalization
Rules-based extraction lets Symantec deliver new message extraction techniques to your mailwalls as they arise in the field. This function lets Symantec extract new, identifiable features from spam messages, whether they are URLs, telephone numbers, or similar transient information. With rule-based extraction enabled, data can be incorporated into your antispam rules in minutes rather than waiting for a patch or new product release. By default, RBEN is enabled to maximize product effectiveness. If performance consistency is more of a concern for you than effectiveness, you can consider disabling this feature.
Default: true

Enable advanced image processing
This setting lets you disable any spamhunter rules that access the image evaluation library. When these rules are enabled, there is a performance cost. However, at the current, low overall image spam percentage rates, the impact is negligible.
Default: false

Enable tracker compression
When you enable this option, Symantec Message Filter compresses the tracker content.
Default: default

Enable tracker signing
When you enable this option, the tracker gets the signature that ensures that the tracker has not been tampered with.
Default: true

Revert to legacy message tracking IDs


When you enable this option, Symantec Message Filter reverts to the legacy message tracking IDs. These IDs are encoded strings. When they are decoded, they list only the rules that are triggered during message scanning. This option is disabled by default and should be enabled only when directed by a Symantec support representative. Note: Reverting to legacy message tracking IDs limits your Symantec support for false positive and false negative submissions.
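The Worm list attribute described above matches each list entry against every "word" of a virus name, where the words include every contiguous run of tokens with its delimiters (the ten words the guide lists for W32.Klez.E@mm). As an added example (not Symantec's code), the following Python implements that word derivation and the case-insensitive comparison, so an administrator can check what a candidate entry would catch before adding it; the virus names other than W32.Klez.E@mm are constructed for the test.

```python
"""Worm list matching as described for the Worm list attribute (added example)."""
import re

# Default list as given in the guide.
DEFAULT_WORM_LIST = ["Yaha", "Bugbear", "Hybris", "Magistr",
                     "Sobig", "Mimail", "Cult", "Dumaru"]


def virus_name_words(virus_name):
    """Return every word the guide's rule derives from a virus name.

    Single tokens are the runs of alphanumerics; longer words are
    contiguous token sequences kept with their original delimiters, so
    'W32.Klez.E@mm' yields 'Klez.E' and 'E@mm' as well as 'W32.Klez.E@mm'.
    Words are returned shortest first, in order of position.
    """
    spans = [m.span() for m in re.finditer(r"[A-Za-z0-9]+", virus_name)]
    words = []
    for length in range(1, len(spans) + 1):
        for start in range(len(spans) - length + 1):
            begin = spans[start][0]
            end = spans[start + length - 1][1]
            words.append(virus_name[begin:end])
    return words


def worm_disposition(virus_name, worm_list=DEFAULT_WORM_LIST):
    """Return the worm-list entry that matches, or None.

    None means the message is handled as a normal (non-worm) infected
    message. The comparison is case-insensitive, as the guide states.
    """
    words = {w.lower() for w in virus_name_words(virus_name)}
    for entry in worm_list:
        if entry.strip().lower() in words:
            return entry
    return None


def entries_that_catch(virus_names, worm_list=DEFAULT_WORM_LIST):
    """Map each virus name to the list entry it would match (or None).

    Useful for previewing a list change: a very short entry such as 'E'
    matches any name that contains 'E' as a whole token.
    """
    return {name: worm_disposition(name, worm_list) for name in virus_names}


if __name__ == "__main__":
    for word in virus_name_words("W32.Klez.E@mm"):
        print(word)
    print(entries_that_catch(["W32.Klez.E@mm", "W32.Sobig.F@mm"], ["E"]))
```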

Global attributes
The following is a list of attributes that affect all defined Scanners.

Reinsertion key
Shows the key that is used to allow email reinsertion. The reinsertion key cannot be changed.

Custom MTA integration
Controls whether the Control Center is expected to monitor the Client or only Servers. The recommended value is false for Sendmail and Windows IIS/Exchange, and true for all other MTAs.
Default: false

SMTP listener server threads
Specifies the number of threads to be allocated to the Quarantine SMTP listener.
Default: 10

Maximum LDAP connections
Specifies the maximum number of LDAP connections in the pool.
Default: 30

Minimum LDAP connections
Specifies the minimum number of LDAP connections in the pool.
Default: 5

LDAP cache TTL
Shows the maximum amount of time (in seconds) that an LDAP item can be cached. The default is 1 day.
Default: 86400

LDAP cache size
Provides the maximum size of the LDAP cache (in bytes).


Default: 10240 (the guide describes this as 10 MB, which matches only if the value is counted in kilobytes rather than bytes; 10240 bytes would be 10 KB)

Retrieve logs every
Sets the interval, in minutes, at which the Control Center retrieves logs.
Default: 5

Retrieve statistics every
Sets the interval, in minutes, at which the Control Center retrieves statistics.
Default: 6

Retrieve status and rule updates every
Sets the interval, in minutes, at which the Control Center retrieves status and rule updates.
Default: 7

Spam expunger start time
Time at which the expunger begins to remove spam from the Quarantine.
Default: 01:00:00

Spam expunger run frequency
Interval at which the expunger runs and checks the Quarantine for messages to delete.
Default: 1 hour

Spam notification start time
Time at which the Notifier begins sending notifications to the appropriate email addresses that new spam messages are in their quarantine.
Default: 04:00:00

Spam notification run frequency
Interval at which the Quarantine runs the Notifier to notify recipients of new spam messages in the Quarantine.
Default: 1 day

Spam notification URL
The URL that is embedded in the spam notification messages; recipients click it to access their spam quarantine. The default is built from the local machine name over plain HTTP, so set it to the address that recipients can actually reach from their mail clients.
Default: http://local_machine_name:41080/brightmail

Log expunger start time
Time at which the Log expunger is invoked.
Default: 02:00:00


Log expunger run frequency
Interval at which the Log expunger runs.
Default: 1 day

Report expunger start time
Time at which the Report expunger runs.
Default: 03:00:00

Report expunger run frequency
Interval at which the Report expunger runs.
Default: 1 hour

SMTP listener attribute


Re-Initialize the SMTP listener Click the option to re-initialize the Quarantine SMTP Listener.

Rule set attributes


Antispam rule set attribute
Choose one of the following:

Service Provider Full rule set (default)
This rule set provides the following features:
    Includes the "predictive" rules for spam detection
    Provides more effectiveness for certain types of spam attacks
    Requires more CPU resources
    Results in a low false positive rate

Service Provider Express rule set
This rule set provides the following features:
    Primarily based on signatures for known and active spam attacks
    Excellent message-per-second throughput and CPU stability
    Low false positive rate
    Best for minimizing hardware costs

Enterprise Full rule set
This rule set provides the following features:
    Blocks additional adult-type spam messages
    Appropriate for business users
    Provides similar performance and effectiveness to the "Service Provider Full" rule set
    Low false positive rate
    Best choice for corporate email environments

Custom rule set
In some rare cases, Symantec Security Response may make a custom rule set available. See Implementing custom rule sets on page 131.

Antivirus rule set attribute
Choose one of the following:

Platinum
Antivirus definitions that Symantec LiveUpdate delivers and guarantees to be safe for use. These definitions are available approximately once per week. This availability cycle is accelerated if Class 3 or higher virus updates become available.

Rapid Release (default)
Antivirus definitions reflecting the very latest definitions available, as often as once per hour. Rapid Release definitions trade the Platinum testing guarantee for currency.

URL rules attribute
Use rule set selection as the primary mechanism to adjust processing levels. Only adjust this setting with specific direction from Symantec Support. Choose one of the following:

Enable urlHash only (best performance)
Enables the URL hash testing feature of the Spamhunter module but does not include heuristics testing. This setting is the most efficient but can be less effective.

Enable urlHash and regex only (more effective)
Enables the hash and URL regular expression scanning in the Spamhunter module. This setting is more effective but somewhat less efficient.

Enable all rules (most effective)
Enables all module scanning types within the Spamhunter module, including hash and URL regular expression scanning.

Client-Side opt-in attribute


Use client-side opt-in
Determines whether the Server should expect opt-in information from the client. For some implementations, such as those with a customized user database, it is helpful to have a customized client that can perform the authentication lookup. Check this box if you want to use client-side opt-in validation. Certain MTAs have the ability to set this data (for example, the Sun MTA). Leave this attribute unchecked unless you use one of these MTAs.

Allow Action to override Destination attribute


Allow Action to override Destination
Determines whether the Server handles the group policy action itself or passes the action information to the client. Enable this option in the Control Center if you want group policies to be carried out by a client that is capable of handling actions itself; the setting is written to the bmiconfig.xml file for that client. In the bmiconfig.xml file, this option is managed through the allowActionsToOverrideDestination attribute for the server. The Allow Action to override Destination attribute does not depend on the Use client-side opt-in attribute. The following actions are handled by this attribute:
    Modify the message: Add the X-Header
    Modify the message: Prepend to the Subject
    Modify the message: Append to the Subject
    Deliver the message to the recipient's Spam folder
    Language identification
    Whitelist the message

For example: the action for a spam message is Deliver the message to the recipient's Spam folder and the Allow Action to override Destination option is OFF. The following disposition appears in the bmiconfig.xml file:

    <disposition name='spam'>
      <destination>
      </destination>
      <action name='folder' type='bmispool'>
        <path width='8' depth='0'>F:\Program Files\Symantec\SBAS\Scanner\BmiSpool\spam</path>
        <modify>
          <headers>
            <add>X-bmifolder: 1</add>
          </headers>
        </modify>
        <server host='127.0.0.1' port='25'/>
      </action>
    </disposition>

For the same action, if the Allow Action to override Destination option is ON, the following disposition appears in the bmiconfig.xml file:

    <disposition name="spam">
      <destination>X-bmifolder: 1</destination>
    </disposition>

Notice that with the option ON the disposition carries only the destination header; the group policy action itself is left to the client.

Working with MySQL database


When you install the Control Center, the MySQL database and Tomcat are also installed on your computer. Tomcat is the web server that hosts the Control Center, and MySQL is the database that the Control Center uses. You may need to configure these applications as your environment requires. Table 4-2 lists the tasks to configure and maintain these applications.

Table 4-2 Tasks to configure MySQL database and Tomcat

Action: Configure MySQL and Tomcat for large numbers of users.
Description: Configure MySQL and Tomcat to increase the number of users that a policy can support. See Tuning MySQL and Tomcat for large numbers of users on page 108.

Action: Check the status of the MySQL database.
Description: Check the status of the MySQL database if you cannot log into the Control Center or the Quarantine. See Checking the status of the MySQL database on page 110.

Action: Repair the MySQL database.
Description: Repair the database if the MySQL database check results in an error message. See Repairing the MySQL database on page 110.

Action: Change your MySQL password.
Description: Change the password that is randomly generated when you install MySQL. See Changing your MySQL password on page 113.

Action: Determine your MySQL password.
Description: You must know your MySQL password to perform the backup and restore functions. See Determining your MySQL password on page 115.

Action: Check the MySQL installation version.
Description: Check the MySQL version that is installed on your computer. The Control Center supports MySQL version 4.0.16. See Checking the MySQL installation version on page 116.

Action: Add the Symantec Message Filter database to MySQL.
Description: Add the Symantec Message Filter database to MySQL. You do not need to follow these steps if you used the installer to install MySQL on the same computer as Tomcat. See Adding the Symantec Message Filter database to MySQL on page 117.

Action: Configure the Control Center to access MySQL remotely.
Description: Configure the Control Center to access MySQL on a separate computer if you use the Tomcat application server. See Configuring the Control Center to access MySQL remotely on page 118.

Tuning MySQL and Tomcat for large numbers of users


Some ways to increase the number of users a policy can support are as follows:

    Increase the MySQL BLOB size. You can increase the MySQL BLOB size and take no other action for a minimal increase in members. Any significant increase can result in Tomcat memory overload, so in most cases you should perform all of the items in this list together. The default value is 1 MB.

    Change the MAX_MSG_SIZE_ALLOWED setting in the settings_quarantine table. Do this task through an SQL command.

    Increase the available Tomcat memory. To do this task, increase the value of the JAVA_OPTS environment variable.

To increase the MySQL BLOB size

1 Open the MySQL options file in a text editor:
    Linux and Solaris: /etc/my.cnf
    Windows: the MySQL options file (my.ini) in c:\Windows

2 Add or modify the following line to set the max_allowed_packet value of MySQL:
    max_allowed_packet=16M

3 Restart the MySQL service.

To change the MAX_MSG_SIZE_ALLOWED setting in the settings_quarantine table

1 Log on to the MySQL client using the following command:
    mysql --user=brightmailuser --password=PASSWORD --host=127.0.0.1 brightmail

2 Run the following command (the value is the new message size limit in MB):
    update settings_quarantine set value=2 where name='MAX_MSG_SIZE_ALLOWED';

To increase the available memory for Tomcat on Windows

1 Right-click My Computer.
2 Click Properties.
3 Click the Advanced tab.
4 Click Environment.
5 Under system variables, increase the value of the environment variable JAVA_OPTS.

To increase the available memory for Tomcat on Linux or Solaris

1 Open the following script in a text editor: /etc/init.d/tomcat4

2 Increase the value on the following line as needed. The -Xmx value needs a size suffix (m for megabytes); without one the JVM reads the number as bytes and refuses to start, so the heap here is 384 MB:
    JAVA_OPTS="-Xmx384m"
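The three settings above only work together, and nothing in the product warns you when they do not. The following script, an added example that is not part of the Symantec guide, reads max_allowed_packet back from a my.cnf-style file and -Xmx from the tomcat4 init script, applies the "add or modify" edit idempotently, and checks that the quarantine message limit fits inside the packet limit (MySQL rejects any packet larger than max_allowed_packet, so a MAX_MSG_SIZE_ALLOWED above it makes large quarantined messages fail to store). The quarter-of-heap comparison is an arbitrary rule of thumb chosen for this example; the guide only says a large BLOB size can overload Tomcat. The demo at the end runs on constructed files, not on /etc/my.cnf or /etc/init.d/tomcat4.

```sh
#!/bin/sh
# Added example, not from the Symantec guide: read back the tuning values,
# apply the my.cnf edit idempotently, and flag combinations that do not fit.

# Convert a MySQL or JVM size such as 16M, 384m, 2k or 1048576 to bytes.
size_to_bytes() {
    case "$1" in
        *[Kk]) echo $(( ${1%[Kk]} * 1024 )) ;;
        *[Mm]) echo $(( ${1%[Mm]} * 1024 * 1024 )) ;;
        *[Gg]) echo $(( ${1%[Gg]} * 1024 * 1024 * 1024 )) ;;
        *)     echo $(( ${1:-0} )) ;;
    esac
}

# Print max_allowed_packet from a my.cnf-style file. MySQL takes the last
# definition, so tail picks that one; 1M is the MySQL default when absent.
cnf_max_allowed_packet() {
    val=$(sed -n 's/^[[:space:]]*max_allowed_packet[[:space:]]*=[[:space:]]*\([0-9]*[KkMmGg]*\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-1M}"
}

# Print the -Xmx value from the JAVA_OPTS="..." line of an init script.
script_xmx() {
    sed -n 's/.*JAVA_OPTS=.*-Xmx\([0-9]*[KkMmGg]*\).*/\1/p' "$1" | tail -n 1
}

# "Add or modify" key=value in an options file: an existing definition is
# rewritten in place, otherwise the line is appended. Re-running is harmless.
set_cnf_value() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*$key[[:space:]]*=.*/$key=$value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Consistency check: $1 = max_allowed_packet, $2 = MAX_MSG_SIZE_ALLOWED in MB
# (as stored in settings_quarantine), $3 = Tomcat -Xmx. MySQL rejects packets
# larger than max_allowed_packet, so the message limit must not exceed it.
# The heap comparison is an arbitrary rule of thumb for this example.
# Returns 0 when everything fits, 1 otherwise.
check_tuning() {
    packet=$(size_to_bytes "$1"); msg_mb="$2"; heap=$(size_to_bytes "$3")
    msg_bytes=$(( msg_mb * 1024 * 1024 )); ok=0
    if [ "$msg_bytes" -gt "$packet" ]; then
        echo "WARN: MAX_MSG_SIZE_ALLOWED=${msg_mb}MB exceeds max_allowed_packet=$1"; ok=1
    fi
    if [ "$packet" -gt $(( heap / 4 )) ]; then
        echo "WARN: max_allowed_packet=$1 is over a quarter of the Tomcat heap -Xmx$3; raise JAVA_OPTS"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: max_allowed_packet=$1 MAX_MSG_SIZE_ALLOWED=${msg_mb}MB heap=$3"
    return "$ok"
}

# Demo on constructed files (not the real /etc/my.cnf or /etc/init.d/tomcat4).
tmp=$(mktemp -d)
printf '[mysqld]\nmax_allowed_packet=1M\n' > "$tmp/my.cnf"
printf 'JAVA_OPTS="-Xmx384m"\n' > "$tmp/tomcat4"
set_cnf_value "$tmp/my.cnf" max_allowed_packet 16M
check_tuning "$(cnf_max_allowed_packet "$tmp/my.cnf")" 2 "$(script_xmx "$tmp/tomcat4")" || true
rm -rf "$tmp"
```

Feed check_tuning the real values: max_allowed_packet from /etc/my.cnf, the value column of settings_quarantine for MAX_MSG_SIZE_ALLOWED, and -Xmx from /etc/init.d/tomcat4, then restart MySQL and Tomcat only when it reports OK.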

Checking the status of the MySQL database


If you cannot log into the Control Center or the Quarantine, check the status of your MySQL database, especially if the hardware that the MySQL database runs on was improperly turned off. The brightmail_check_db scripts run mysqlcheck to repair tables if necessary. The scripts are in the following default locations:
    Linux or Solaris: USER_INSTALL_DIR/MySQL/mysql*/scripts/brightmail_check_db.sh
    Windows: MYSQL_INSTALL_DIR\scripts\brightmail_check_db.bat

To check the status of the MySQL database

Do one of the following to run the script:

Linux or Solaris: run the following commands:
    % cd USER_INSTALL_DIR/MySQL/mysql*/scripts
    % ./brightmail_check_db.sh

Windows: run the following from the command line:
    cd MYSQL_INSTALL_DIR\scripts
    brightmail_check_db.bat

Repairing the MySQL database


Symantec Support may ask you to check the status of the MySQL database. If the check results in an error message, repair the database. You must know the MySQL password to check or repair the database. See Determining your MySQL password on page 115.


To repair the MySQL database on Windows

1 On the Windows taskbar, click Start > Run.
2 In the Open box, type the following text: cmd.exe
3 Press Enter.
4 At the command prompt, change to the MySQL bin directory (by default C:\Program Files\Symantec\SMSSMTP\MySQL\Bin) and type the following:
    mysqlcheck --user=brightmailuser --host=127.0.0.1 --password=<password> brightmail --auto-repair > check.txt
  This command repairs the corrupted tables and places the results in the file check.txt. The amount of time it takes to get results depends on the size of the MySQL database: the larger the database, the longer the time.
5 Press Enter.
6 After the MySQL check finishes, type the following command to see the results:
    notepad check.txt
  All tables should have the message "OK" or "Table is already up-to-date" next to them. If they do not, you must repair them manually.
7 To repair a specific table, log onto MySQL with the following command:
    mysql --host=127.0.0.1 --user=brightmailuser --password=<password> brightmail
8 At the prompt, type the following command:
    repair table <tablename>
  where <tablename> is the name of the corrupted table. After the repair finishes, a result table appears. Check that the status field contains "OK". Repeat the command for each corrupted table.
9 Close the command prompt.


To repair the MySQL database on Linux

1 Open a command prompt.
2 At the prompt, change to the MySQL bin directory. Depending on the installation, the default is one of the following:
    cd /opt/symantec/sbas/ControlCenter/MySQL/mysql-pro-4.0.16-pc-linux-i686/bin
    cd /opt/Symantec/SMSSMTP/mysql/bin
  If your MySQL installation is in a different location, use that path.
3 If the status check returns an error, type the following command:
    ./mysqlcheck --host=127.0.0.1 --user=brightmailuser --password=<password> brightmail --auto-repair > check.txt
  This repairs the corrupted tables and places the results in the file check.txt. The amount of time it takes depends on the size of the MySQL database: the larger the database, the longer the time. A password passed on the command line this way is visible to every local user in ps output while mysqlcheck runs; on a shared host, put it in an option file that only you can read instead.
4 After the MySQL check finishes, type the following command to see the results:
    vi check.txt
  All tables should display the message "OK" or "Table is already up-to-date" next to them. If they do not, you must repair them manually.
5 To repair a specific table, log onto MySQL with the following command:
    ./mysql --host=127.0.0.1 --user=brightmailuser --password=<password> brightmail
6 At the prompt, type the following:
    repair table <tablename>
  where <tablename> is the name of the corrupted table. After the repair of the table finishes, a result table appears. Check that the status field contains the word "OK."
7 Repeat the command for each corrupted table.


To repair the MySQL database on Solaris

1 Open a command prompt.
2 At the prompt, change to the MySQL bin directory. Depending on the installation, the default is one of the following:
    cd /opt/symantec/sbas/ControlCenter/MySQL/mysql-pro-4.0.16-sun-solaris2.8-sparc/bin
    cd /opt/Symantec/SMSSMTP/mysql/bin
  If your MySQL installation is in a different location, use that path.
3 If the status check returns an error, type the following command:
    ./mysqlcheck --host=127.0.0.1 --user=brightmailuser --password=<password> brightmail --auto-repair > check.txt
  This repairs the corrupted tables and places the results in the file check.txt. The time it takes depends on the size of the MySQL database: the larger the database, the longer the time.
4 After the MySQL check finishes, type the following command to see the results:
    vi check.txt
  All tables should have the message "OK" or "Table is already up-to-date" next to them. If they do not, you must repair them manually.
5 To repair a specific table, log onto MySQL using the following command:
    ./mysql --host=127.0.0.1 --user=brightmailuser --password=<password> brightmail
6 At the prompt, type the following command:
    repair table <tablename>
  where <tablename> is the name of the corrupted table. After the repair finishes, a result table appears. Check that the status field contains the word "OK."
7 Repeat the command for each corrupted table.
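The Windows, Linux and Solaris repair procedures all end the same way: read check.txt, find every table whose status is not "OK" or "Table is already up-to-date", and run repair table for each one by hand. The following script, an added example that is not part of the Symantec guide, does that reading for you. It parses the report that mysqlcheck --auto-repair writes, keeps the last status seen for each table (a table that was repaired later in the same run counts as OK), lists the ones that still need attention and prints the repair statements to paste into the mysql client. The report in SAMPLE_CHECK is constructed to mimic mysqlcheck's output format; it is not output from a real installation.

```sh
#!/bin/sh
# Added example, not from the Symantec guide: turn a mysqlcheck report into the
# list of tables that still need "repair table" by hand.

# Constructed sample of a check.txt written by
#   mysqlcheck ... brightmail --auto-repair > check.txt
# Healthy tables get "db.table   status" on one line; problem tables get the
# name alone followed by "kind : message" lines.
SAMPLE_CHECK=$(cat <<'EOF'
brightmail.admin_user                              OK
brightmail.black_white_sender                      Table is already up-to-date
brightmail.log
error    : Table './brightmail/log' is marked as crashed and should be repaired
brightmail.spam_message
warning  : 3 clients are using or haven't closed the table properly
status   : OK
brightmail.user
error    : Checksum for key: 1 doesn't match checksum for records
Repairing tables
brightmail.user                                    OK
EOF
)

# Print "db.table<TAB>final status" for every table in report $1, in the
# order the tables first appear; the last status seen for a table wins.
mysqlcheck_summary() {
    awk '
        function note(n, s) { if (!(n in last)) order[++k] = n; last[n] = s }
        # "db.table   <status>" on one line
        /^[A-Za-z0-9_]+\.[A-Za-z0-9_]+[ \t]+[^ \t]/ {
            s = $0; sub(/^[^ \t]+[ \t]+/, "", s); note($1, s); name = ""; next
        }
        # "db.table" alone: "kind : message" lines follow, the last one is final
        /^[A-Za-z0-9_]+\.[A-Za-z0-9_]+[ \t]*$/ { name = $1; note(name, "(no status)"); next }
        /^[ \t]*[a-z]+[ \t]*:/ && name != "" { s = $0; sub(/^[^:]*:[ \t]*/, "", s); note(name, s); next }
        { name = "" }
        END { for (i = 1; i <= k; i++) printf "%s\t%s\n", order[i], last[order[i]] }
    ' "$1"
}

# Tables whose final status is neither of the two healthy messages.
mysqlcheck_bad_tables() {
    mysqlcheck_summary "$1" \
      | awk -F'\t' '$2 != "OK" && $2 != "Table is already up-to-date" { print $1 }'
}

# The statements for the manual repair step (table name without the db prefix,
# since the client is connected to the brightmail database already).
repair_sql() {
    mysqlcheck_bad_tables "$1" | sed 's/^[^.]*\./REPAIR TABLE /; s/$/;/'
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_CHECK" > "$tmp/check.txt"
echo "tables still needing manual repair:"; mysqlcheck_bad_tables "$tmp/check.txt"
echo "statements to run in the mysql client:"; repair_sql "$tmp/check.txt"
rm -rf "$tmp"
```

Run repair_sql against the real check.txt and paste its output into the mysql client; after each statement, confirm that the Msg_text column of the result reads OK before moving on.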

Changing your MySQL password


Symantec Message Filter uses a user account called brightmailuser. The password for that account is a randomly generated password that is created when you install MySQL.


To change the password for the MySQL database after installation

1 Turn off Tomcat on the computer that runs the Control Center:
    Linux and Solaris: sudo /etc/init.d/tomcat4 stop
    Windows: open the Services Management console, find the Tomcat service, and click Stop.

2 Open a console window (Solaris and Linux) as root or the Command Prompt (Windows) as an administrator and navigate to the MySQL installation directory. The default directory locations are as follows:
    Solaris: cd /opt/symantec/sbas/ControlCenter/MySQL/mysql-pro-4.0.16-sun-solaris2.8-sparc/bin/
    Linux: cd /opt/symantec/sbas/ControlCenter/MySQL/mysql-pro-4.0.16-pc-linux-i686/bin/
    Windows: cd C:\mysql\bin
  Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.

3 Open the MySQL client with the password that you looked up:
    Linux and Solaris: ./mysql --user=brightmailuser --password=<password> --host=127.0.0.1
    Windows: mysql --user=brightmailuser --password=<password>

4 Run the following command, changing NEW_PASSWORD to the new password:
    UPDATE mysql.user SET Password=PASSWORD('NEW_PASSWORD') WHERE User='brightmailuser' LIMIT 1;
  LIMIT 1 updates a single row. MySQL accounts are defined per user and host, so if brightmailuser exists for more than one host in mysql.user (for example both localhost and 127.0.0.1), run the statement without LIMIT 1 so that every entry gets the new password.

5 Run the following command before you log off of the MySQL client:
    flush privileges;
  If you omit this step, the Tomcat server cannot log into the MySQL server with the new password until the MySQL server restarts.

6 Open the following file in a text editor:
    Linux and Solaris: $CATALINA_HOME/conf/server.xml
    Windows: %CATALINA_HOME%\conf\server.xml

7 Locate the following section under the /brightmail Context:
    <!-- MySQL dB username and password for dB connections -->
    <parameter>
      <name>username</name>
      <value>brightmailuser</value>
    </parameter>
    <parameter>
      <name>password</name>
      <value>password</value>
    </parameter>

8 Change the password in <value>password</value> to your new password. Because server.xml stores the password in clear text, make sure that the file is readable only by the account that runs Tomcat and by administrators.
9 Save and exit from the server.xml file.
10 Start Tomcat.

Determining your MySQL password


You must know your MySQL password to perform the backup and restore functions.


To determine your MySQL password

1 Do one of the following:
    Linux or Solaris: log on as root and open a console window.
    Windows: log on as an administrator and open the command prompt.

2 Run the following command to locate your Tomcat installation directory:
    Linux or Solaris: grep "CATALINA_HOME=" /etc/init.d/tomcat4
    Windows: set CATALINA_HOME

3 Open the following file with a text editor:
    Linux or Solaris: $CATALINA_HOME/conf/server.xml
    Windows: %CATALINA_HOME%\conf\server.xml

4 Locate the following section under /brightmail:
    <!-- MySQL dB username and password for dB connections -->
    <parameter>
      <name>username</name>
      <value>brightmailuser</value>
    </parameter>
    <parameter>
      <name>password</name>
      <value>password</value>
    </parameter>

5 Note the password in the following line:
    <value>password</value>

6 Close the file.

Checking the MySQL installation version


The Control Center supports MySQL version 4.0.16.


To check the MySQL version

1 Open a console window (Solaris/Linux) as root or the Command Prompt (Windows) as an administrator and navigate to your MySQL installation directory. The default directory locations are as follows:
    Linux and Solaris: /opt/symantec/sbas/ControlCenter/MySQL
    Windows: c:\mysql
  Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.

2 Type the following command to print the MySQL server version:
    mysqld -V

Adding the Symantec Message Filter database to MySQL


The .sql files that this procedure uses are located in the following default directories on the computer on which the Control Center is installed:
    Linux and Solaris: /opt/brightmail/ControlCenter/brightmail_mysql_files/
    Windows: C:\Program Files\brightmail\ControlCenter\brightmail_mysql_files\

You do not need to follow these steps if you used the installer to install MySQL on the same computer as Tomcat.

To add the Symantec Message Filter database to MySQL

1 Copy the .sql files to the computer where MySQL is installed, for example into the MySQL installation directory:
    Linux and Solaris: /opt/symantec/sbas/ControlCenter/MySQL
    Windows: c:\mysql
  Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.

2 Make sure the MySQL daemon or service is started.

3 Connect to the MySQL server with the appropriate command for your operating system:
    Linux and Solaris: log on as root or use sudo when you run the mysql command. Type the following command:
      # /opt/brightmail/ControlCenter/MySQL/mysql-pro-version-platform/bin/mysql --user=brightmailuser --password=PASSWORD --host=127.0.0.1
    Windows: open a command prompt by clicking Start, clicking Run, typing cmd, and clicking OK. Type the following command at the command prompt:
      C:\> c:\mysql\bin\mysql --user=admin --password=<password>

4 Type the following commands:
    mysql> source path-to-files/brightmail_create_db.sql
    mysql> source path-to-files/brightmail_create_tables.sql
    mysql> source path-to-files/brightmail_load_data.sql

5 Type the following command to disconnect from the MySQL server:
    mysql> quit
    Bye

Configuring the Control Center to access MySQL remotely


You can configure the Control Center to access MySQL on a separate computer if you use the Tomcat application server. If MySQL is installed on a separate computer from the Control Center, additional configuration is required. Ensure that your environment meets the following criteria:

    You have an existing installation of MySQL. The Control Center database schema can co-exist with other database schemas on the existing MySQL installation. However, the network must have adequate bandwidth. The computer must have adequate hard disk space for the information that is stored in the Symantec Message Filter database. Database information includes quarantined spam messages, configuration information, log files, and statistics. See About planning for disk space storage needs on page 34.

    When you installed the Control Center, you did not install MySQL. This option causes the installer to install the additional files that are needed to configure your existing MySQL installation to work with the Control Center.

Perform the following steps on the computer where the Control Center is installed. These steps apply to all of the supported platforms.

To configure the Control Center to access MySQL remotely

1 Stop Tomcat.
2 Open the following file in a text editor:
    Linux and Solaris: /opt/symantec/sbas/ControlCenter/tomcat/jakarta-tomcat-version/conf/server.xml
    Windows: C:\Program Files\Symantec\SBAS\ControlCenter\tomcat\jakarta-tomcat-version\conf\server.xml
  Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/ControlCenter with /$loadpoint.
3 Locate the following line in the server.xml file:
    <value>jdbc:mysql://localhost:3306/brightmail?autoReconnect=true</value>
4 Change localhost to the fully qualified domain name or IP address of the computer where MySQL is installed. If necessary, change 3306 to the port number on which the MySQL server listens. The brightmailuser account on that server must also be allowed to connect from the Control Center host: MySQL accounts are defined per user and host, so a grant that covers only localhost rejects the remote connection.
5 Save and exit the file.
6 Restart Tomcat.
7 To verify that the Control Center and MySQL can communicate, log into the Control Center. See Logging onto the Control Center on page 89.

About backing up MySQL data


The types of data that Symantec Message Filter stores in the MySQL database are as follows:
    Configuration data for your system
    Logs
    Reports
    Quarantine messages (if you install and use the Quarantine)

You can back up these data types together or separately with MySQL. It may take some time to back up the data if you have a large number of messages in your Quarantine. Backups can be done while the Symantec Message Filter software runs. MySQL must be running when you perform backups. For complete instructions on how to perform backups of MySQL data, see the MySQL documentation. Table 4-3 lists the MySQL commands that are suggested for your use. The dump files are plain SQL that contains your configuration and the quarantined mail in clear text, so store them with the same access controls as the database itself.

Table 4-3 MySQL backup and restore commands

To save the configuration tables:
    mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail admin_user black_white_sender host settings_alert settings_consent settings_ldap settings_log settings_quarantine settings_report settings_scheduled_reports settings_smtp_filter_host settings_smtp_mngnt_host settings_system sieve_condition sieve_import sieve_rule status status_rule --host=127.0.0.1 > configuration.sql

To restore the configuration tables from backup:
    mysql --user=brightmailuser --password=PASSWORD brightmail --host=127.0.0.1 < configuration.sql

To save the reports tables:
    mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail report_alias report_domain report_ip_address report_summary settings_report settings_scheduled_reports --host=127.0.0.1 > report.sql

To restore the reports tables from backup:
    mysql --user=brightmailuser --password=PASSWORD brightmail --host=127.0.0.1 < report.sql

To back up logs data only:
    In general, there is no reason to store older logs. For troubleshooting purposes, logs that are not set to Information (which provides the most detail) have limited utility, especially if you need assistance from Symantec Support. View and save current logs as needed on the Logs tab and set the appropriate retention period for logging data. If you choose to back up the logs database that is stored on the Control Center, you can use the mysqldump commands in this table. See Viewing and saving logs on page 365.

To save the logs tables:
    mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail log log_component log_marker log_severity log_summary settings_log --host=127.0.0.1 > log.sql

To restore the logs tables from backup:
    mysql --user=brightmailuser --password=PASSWORD brightmail --host=127.0.0.1 < log.sql

To save the Quarantine tables:
    mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail user user_spam_message spam_message spam_message_summary spam_message_release_audit settings_quarantine settings_ldap --host=127.0.0.1 > quarantine.sql

To restore the Quarantine tables from backup:
    mysql --user=brightmailuser --password=PASSWORD brightmail --host=127.0.0.1 < quarantine.sql

To save the whole database:
    mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail --host=127.0.0.1 > brightmail.sql

To restore the whole database from backup:
    mysql --user=brightmailuser --password=PASSWORD brightmail --host=127.0.0.1 < brightmail.sql
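Every command in Table 4-3, like the mysqlcheck and mysql invocations earlier in this chapter, passes --password=PASSWORD on the command line, where any local user can read it from the process list while the dump runs and where it lands in shell history. The following script, an added example that is not part of the Symantec guide, covers both the "Determining your MySQL password" lookup and the Table 4-3 backups: it reads the username and password out of server.xml the way that procedure does, writes them to a MySQL option file with mode 0600, and builds the mysqldump command lines from that file with --defaults-extra-file instead of --password. The table groups are taken verbatim from Table 4-3; the server.xml used in the demo is constructed here and is not a real installation file.

```sh
#!/bin/sh
# Added example, not from the Symantec guide: read the MySQL credentials from
# server.xml and run the Table 4-3 dumps without a password on the command line.

# Print the <value> of the <parameter> whose <name> is $2 in server.xml $1.
# Works whether <name> and <value> share a line or sit on separate lines.
serverxml_param() {
    awk -v want="$2" '
        /<name>/  { n = $0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n); name = n }
        /<value>/ { if (name == want) { v = $0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v); print v; exit } }
    ' "$1"
}

# Write a [client] option file that only the caller can read. umask is set in
# a subshell so the caller's umask is left alone.
write_mysql_option_file() {
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$2" "$3" "${4:-127.0.0.1}" > "$1" )
}

# Table groups from Table 4-3.
config_tables()     { echo "admin_user black_white_sender host settings_alert settings_consent settings_ldap settings_log settings_quarantine settings_report settings_scheduled_reports settings_smtp_filter_host settings_smtp_mngnt_host settings_system sieve_condition sieve_import sieve_rule status status_rule"; }
report_tables()     { echo "report_alias report_domain report_ip_address report_summary settings_report settings_scheduled_reports"; }
log_tables()        { echo "log log_component log_marker log_severity log_summary settings_log"; }
quarantine_tables() { echo "user user_spam_message spam_message spam_message_summary spam_message_release_audit settings_quarantine settings_ldap"; }

# Print the mysqldump command line for group $2 (config, report, log,
# quarantine or all) using option file $1, writing to $3. MySQL client tools
# require --defaults-extra-file to be the first option, so it is emitted first.
dump_command() {
    optfile="$1"; group="$2"; out="$3"
    case "$group" in
        config)     tables=$(config_tables) ;;
        report)     tables=$(report_tables) ;;
        log)        tables=$(log_tables) ;;
        quarantine) tables=$(quarantine_tables) ;;
        all)        tables="" ;;
        *)          echo "unknown group: $group" >&2; return 1 ;;
    esac
    cmd="mysqldump --defaults-extra-file=$optfile --opt brightmail"
    [ -n "$tables" ] && cmd="$cmd $tables"
    echo "$cmd > $out"
}

# Demo on a constructed server.xml (not a real Control Center file).
tmp=$(mktemp -d)
cat > "$tmp/server.xml" <<'EOF'
<Context path="/brightmail">
  <!-- MySQL dB username and password for dB connections -->
  <parameter>
    <name>username</name>
    <value>brightmailuser</value>
  </parameter>
  <parameter>
    <name>password</name>
    <value>example-only-s3cret</value>
  </parameter>
</Context>
EOF
user=$(serverxml_param "$tmp/server.xml" username)
pass=$(serverxml_param "$tmp/server.xml" password)
write_mysql_option_file "$tmp/brightmail.cnf" "$user" "$pass"
ls -l "$tmp/brightmail.cnf"
for g in config report log quarantine all; do dump_command "$tmp/brightmail.cnf" "$g" "$g.sql"; done
rm -rf "$tmp"
```

To run a backup for real, point serverxml_param at $CATALINA_HOME/conf/server.xml, keep the option file on the Control Center host with its 0600 mode, and execute the printed command; the matching restore is the same mysql command from Table 4-3 with --defaults-extra-file in place of --user and --password.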


Chapter

Optimizing Symantec Message Filter


This chapter includes the following topics:

Managing your system, for service providers Optimizing performance on Solaris SPARC Optimizing performance on Linux Optimizing performance on Windows Considerations for tuning the Control Center About enhancing performance for outbound email About the factors that affect performance

Managing your system, for service providers


This section provides recommendations specific to service providers. It provides suggestions for how you can tune Symantec Message Filter to make it more effective for your unique environment.

About the Sender Reputation Service


The Sender Reputation Service is the name for a set of downloadable IP address lists that you can use to block SMTP connections from known spam IP addresses or allow SMTP connections from known reputable IP addresses. You can import the lists into your zone files on your DNS servers. You can also deploy the lists at your firewalls, mail transfer agents, or routers.


Symantec monitors hundreds of thousands of email sources to determine how much of the email that is sent from these addresses is legitimate and how much is spam. By evaluating the sender according to dimensions such as mail volume, the percentage of spam sent, and a variety of vulnerabilities, the Sender Reputation Service creates a reputation profile for a given IP address. Email from these sources can then be blocked or allowed based on the reputation value that Symantec determines for the source. The Sender Reputation Service currently includes the following classification lists of IP addresses, which are continuously compiled and updated:

Open Proxy List
IP addresses that are open proxies. When this option is enabled, the flow of spam through open proxy servers is blocked. Open proxies are the preferred conduit for spammers.

Safe List
IP addresses from which almost no outgoing email is spam. These email sources have sent a large amount of mail for a considerable period and have not had any messages marked as spam by Symantec. This list lets legitimate mail flow through to recipients immediately, bypassing further filtering.

Suspect List
IP addresses from which almost all of the outgoing email is spam. These email sources have sent a minimum amount of email and have a very high percentage of that mail marked as spam by Symantec. The Suspect List combines the Open Proxy List (OPL) entries and includes a spam potential rating for each listed IP address, shown as a percentage. Administrators can set up scripts that select the number of IP addresses they want to block and the percentage rating above which they do not want to accept potential spam.

Benefits of the Sender Reputation Service

The Sender Reputation Service provides the following benefits to users:

Better resource utilization
When you block spam at the gateway according to its IP address, you reduce the amount of email that your downstream servers process and store. This method reduces the amount of hardware that is needed at your site to handle email.

More effective and accurate spam filtering
Because the message source (the connecting IP address) is hard for spammers to forge, source-based filtering is a powerful way to filter email. The lists are entirely data driven. Organizations cannot pay or petition to be added to or removed from a list. To ensure accuracy, the lists are updated as frequently as every hour.

Built-in quality assurance
Symantec applies many measures and processes to ensure that the lists are as accurate as possible. For example, when Symantec compiles the Safe List, IP addresses whose owners are changing are automatically eliminated.

About using the suspect list


Table 5-1 contains aggregated Suspect List data compiled each day for over two weeks. It represents a snapshot in time of the amount of spam that various suspect IP addresses generate and details the percentage of spam that is produced by subsets of those IP addresses.

Table 5-1 Summary data for suspect IPs

Spam potential rating        Incremental unique IPs    Cumulative volume of
(% spam from suspect IP)     with this rating          spam blocked
100%                         3123                      4%
99%                          5166                      20%
98%                          3200                      29%
97%                          1924                      34%
96%                          1374                      37%
95%                          1071                      40%
94%                          885                       42%
93%                          770                       45%
92%                          658                       47%
91%                          600                       49%
Total                        19,321                    51%

The top three rows contain the IP addresses that would be considered suspect in conservative implementations of the Sender Reputation Service, with potential spam ratings of 98% to 100%. The Spam Potential Ratings of less than 98% indicate the expanded suspect IP data that you can use if you want a more aggressive approach when using the Sender Reputation Service. Use the expanded entries in the Suspect List to balance your tolerances for potential false positives with more aggressive blocking of suspicious IP addresses. Consider the following model approaches:


Conservative approach

For example, an administrator can choose to employ a very conservative policy and block the IP addresses for which the mail traffic includes 98% or greater spam. In this case, as summarized in the top three rows of the table, the Sender Reputation Service would block the IP addresses that generate over 29% of spam (or 49 million messages) in a given day.

Aggressive approach

An administrator can instead choose to block IP addresses for which the mail traffic includes 90% or greater spam. This policy in turn would block the IP addresses generating over 51% of a total day's spam (or 87 million messages).

About the Suspect list format description


To support such a range of IP addresses, the Sender Reputation Service includes an additional downloadable file. The file, brs.txt, is a composite file that merges the Open Proxy List and Suspect List data. Each line of the file has seven values, separated by commas (the dots belong to the IP address in the first value). A few examples of the entries in the brs.txt file are as follows:

4.23.196.162,090,0,3,903,1129529331,1129663927
4.26.19.39,99,1,2,0,0,1101061226
4.26.248.241,95,1,2,0,0,1102488267
4.27.246.239,090,1,3,0,1129587611,1108446973

Table 5-2 describes the values that are used on each line of the brs.txt file.

Table 5-2 Format of Suspect List

Position  Description

1  The IP address this entry describes.

2  The potential spam rating for the IP address. The suspect spam list only includes the IP addresses that have a rating of 90% or higher. The range of applicable entries is between 090 and 100.

3  Indicates whether the IP is included in the Open Proxy List. A value of 1 indicates the IP is included in the Open Proxy List.

4  The SMTP status of the given IP address. If the status is unknown, the status is 0. If the IP listens on port 25, the status is 1. If there is no listener on port 25, the status is 2. If the test timed out, the status is 3.

5  The number of messages from this IP that Symantec has seen in the past 24 hours.

6  The time (UNIX timestamp format) that the IP address was last tested (a value of 0 means never).

7  The last time (UNIX timestamp format) that a Symantec customer received mail from this IP address (0 means not in the past 24 hours).

You can use a Perl script to prune the brs.txt file to the spam percentage that best suits your implementation.
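The pruning script the text mentions, written here as an added example in Python rather than Perl (it is not Symantec's own script): it parses the seven-field line format of Table 5-2, validates each field against the documented ranges, and keeps entries at or above a chosen rating, optionally keeping every Open Proxy List entry regardless of rating. The sample input is the four entries quoted above.

```python
"""Prune the composite brs.txt list to a spam-potential threshold.

Added example, not Symantec's script. Implements the seven-field format
of Table 5-2: IP, rating (090..100), OPL flag, SMTP status, messages in
the past 24 hours, last-tested timestamp, last-seen timestamp.
"""
from dataclasses import dataclass
from ipaddress import AddressValueError, IPv4Address
from typing import Iterable, Iterator, List

# Sample input: the four example entries quoted on the page (file content constructed here).
SAMPLE_BRS = """\
4.23.196.162,090,0,3,903,1129529331,1129663927
4.26.19.39,99,1,2,0,0,1101061226
4.26.248.241,95,1,2,0,0,1102488267
4.27.246.239,090,1,3,0,1129587611,1108446973
"""

# Meaning of field 4 as documented in Table 5-2.
SMTP_STATUS = {0: "unknown", 1: "listens on port 25", 2: "no listener on port 25", 3: "test timed out"}


@dataclass(frozen=True)
class BrsEntry:
    ip: IPv4Address
    rating: int          # spam potential rating, 90..100
    open_proxy: bool     # True when field 3 is 1 (also on the Open Proxy List)
    smtp_status: int     # 0..3, see SMTP_STATUS
    messages_24h: int    # messages seen from this IP in the past 24 hours
    last_tested: int     # UNIX timestamp, 0 means never tested
    last_seen: int       # UNIX timestamp, 0 means not seen in the past 24 hours


class BrsFormatError(ValueError):
    """Raised for a line that does not match the documented format."""


def parse_line(line: str) -> BrsEntry:
    """Parse one brs.txt line, rejecting malformed or out-of-range fields."""
    fields = line.strip().split(",")
    if len(fields) != 7:
        raise BrsFormatError(f"expected 7 comma-separated values, got {len(fields)}: {line!r}")
    try:
        ip = IPv4Address(fields[0])
        # int() accepts the zero-padded "090" form used in the file.
        rating, opl, status, count, tested, seen = (int(f) for f in fields[1:])
    except (AddressValueError, ValueError) as exc:
        raise BrsFormatError(f"bad field in {line!r}: {exc}") from exc
    if not 90 <= rating <= 100:
        raise BrsFormatError(f"rating {rating} outside 090..100 in {line!r}")
    if opl not in (0, 1) or status not in SMTP_STATUS:
        raise BrsFormatError(f"bad OPL flag or SMTP status in {line!r}")
    return BrsEntry(ip, rating, opl == 1, status, count, tested, seen)


def parse_brs(text: str) -> Iterator[BrsEntry]:
    """Yield entries for every non-blank line of a brs.txt file."""
    for raw in text.splitlines():
        if raw.strip():
            yield parse_line(raw)


def prune(entries: Iterable[BrsEntry], min_rating: int, keep_open_proxies: bool = True) -> List[BrsEntry]:
    """Keep entries rated at or above min_rating; optionally keep all OPL entries too."""
    return [e for e in entries if e.rating >= min_rating or (keep_open_proxies and e.open_proxy)]


def to_cidr_lines(entries: Iterable[BrsEntry]) -> List[str]:
    """Render entries as one /32 per line, the CIDR list form described on this page."""
    return [f"{e.ip}/32" for e in entries]


if __name__ == "__main__":
    kept = prune(parse_brs(SAMPLE_BRS), min_rating=95, keep_open_proxies=False)
    print("\n".join(to_cidr_lines(kept)))
```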

Considerations for the Suspect IP address list


You should balance the following factors when you determine the threshold beyond which IP addresses are blocked:

False positives
Message processing throughput

More aggressive definitions for blocked IP addresses can greatly reduce the number of messages that are processed in a day. Aggressive blocking policies reduce the load on both the antispam filters and the MTA. However, the more aggressive the blocking policy, the higher the risk of yielding false positives. The appropriate setting is a function of your message throughput needs and your concern level regarding false positives.

About suspect list formats


Symantec supplies the Open Proxy List, Safe List, and Suspect List in the following formats:
Plain text
A plain text file with one IP address per line. See About the Suspect list format description on page 126.

CIDR
A plain text file with one IP address in CIDR notation per line. Currently, all CIDR addresses in the lists end with /32. Each address denotes one IP address.


About downloading the lists


Symantec recommends that you write a script to download and install the lists that you want. The script downloads the appropriate files from their URLs. It also supplies a user name and password that are available from Symantec Support. The files and URLs are as follows:

Open Proxy List
http://brs.brightmail.com/opl.txt
http://brs.brightmail.com/opl.cidr

Safe IP List (one IP address per line)
http://brs.brightmail.com/safeip.txt
http://brs.brightmail.com/safeip.cidr

Suspect IP List (legacy format; one IP address per line)
http://brs.brightmail.com/suspectip.txt
http://brs.brightmail.com/suspectip.cidr

Composite suspect IP/OPL List (BRS 2.0)
http://brs.brightmail.com/brs.txt

For example, your script can use the GNU wget utility to automatically download the lists that you need. The following sample wget command downloads the plain text format composite suspect IP and Open Proxy List from Symantec, provided that the file size differs from the copy on the local disk, in effect, when a new version of the file is detected.

$ wget -cq --http-user=$user --http-passwd=$password http://brs.brightmail.com/brs.txt

where $user and $password are your user name and password. Note that -c asks wget to continue a partial download rather than restart it; if you want the file fetched whole whenever the server's copy changes, wget's -N (timestamping) option does that by comparing modification times. Since the lists change every hour, run a similar script every 30 minutes to check whether an updated file is available. When an updated file is detected, the wget script downloads the full file. If you want to download more than a single list, you can put the URLs into their own file and use the --input-file=url_file.txt option of wget. After you download the files that you want, your script should deploy the files to the appropriate network location. See About deploying the lists on page 129.


About deploying the lists


Deploy the lists where it makes the most sense given your network architecture as follows:

DNS server zone files
The most common deployment strategy is to convert the IP addresses to zone files and import the file through zone transfer into a local DNS server cluster for real-time blacklists (for example, a spamhaus data feed synchronized to a local LAN DNS). However, it may have negative performance impacts with a remote server (for example, a shared spamhaus public server over the Internet).

MTA
You might find it easier to deploy the lists in the gateway MTAs with reject and allow features.

Routers or firewalls
Another place to deploy the lists is at your routers or firewalls. If your device supports importing an Access Control List (ACL), deploy lists at your routers or firewalls to block email traffic with no impact on your MTAs.

You do not need to make any changes to your Symantec software installation to use the lists.
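An added example (not Symantec's tooling) of the conversion step behind the DNS zone-file deployment described above: it reads the one-address-per-line plain text or CIDR list format, reverses the octets as DNS-based blocklists conventionally do, and renders a BIND-style zone that a local DNS server can load. The zone name, name-server host and list contents below are constructed placeholders, not values from this page.

```python
"""Turn a Symantec IP list (plain text or CIDR /32 form) into a local DNSBL zone.

Added example, not Symantec's tooling. Zone name and name-server host are
placeholders; the sample list is constructed.
"""
import hashlib
from ipaddress import IPv4Network
from typing import List

# Constructed sample input in the CIDR format (every entry ends with /32).
SAMPLE_CIDR_LIST = """\
# comment lines and blank lines are skipped
4.23.196.162/32
4.26.19.39/32

4.27.246.239/32
"""


def load_ip_list(text: str) -> List[str]:
    """Parse one IP (optionally written as a /32) per line; reject anything wider than a host."""
    ips = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        net = IPv4Network(line, strict=True)   # accepts both "a.b.c.d" and "a.b.c.d/32"
        if net.prefixlen != 32:
            raise ValueError(f"expected a single host, got {line}")
        ips.append(str(net.network_address))
    return ips


def reverse_octets(ip: str) -> str:
    """DNSBL clients query the reversed address, e.g. 4.26.19.39 -> 39.19.26.4."""
    return ".".join(reversed(ip.split(".")))


def build_zone(ips: List[str], zone: str, serial: int, ns_host: str) -> str:
    """Render a BIND zone in which each listed host resolves to 127.0.0.2 with a TXT reason."""
    lines = [
        "$TTL 1800",
        f"$ORIGIN {zone}.",
        f"@ IN SOA {ns_host}. hostmaster.{zone}. ( {serial} 1800 900 604800 1800 )",
        f"@ IN NS {ns_host}.",
    ]
    # Numeric sort keeps the zone stable between runs, which makes diffs reviewable.
    for ip in sorted(ips, key=lambda s: tuple(int(o) for o in s.split("."))):
        rev = reverse_octets(ip)
        lines.append(f"{rev} IN A 127.0.0.2")
        lines.append(f'{rev} IN TXT "listed by Sender Reputation Service data"')
    return "\n".join(lines) + "\n"


def list_digest(text: str) -> str:
    """SHA-256 of a downloaded list, so a deployment script can skip an unchanged file."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    hosts = load_ip_list(SAMPLE_CIDR_LIST)
    print(build_zone(hosts, "brs.dnsbl.example", 2011010101, "ns1.brs.dnsbl.example"))
```

A deployment script would compare list_digest of the freshly downloaded file with the digest of the last deployed copy and regenerate and reload the zone only when they differ.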

Addressing end user and mailer concerns


The Sender Reputation Service, particularly the new Suspect List, gives you the power to block more connections according to the quality of the email source. Table 5-3 provides some guidance on how to deal with the customer service and help desk situations that may arise due to increased blocking.

Table 5-3 Solutions for increased blocking issues

Situation: A user feels legitimate email was not delivered.
Solution: In some cases, legitimate mail that is sent from an IP address which generates a significant percentage of spam is blocked. Also note that the sites that let users forward their unfiltered email to external accounts may have their servers look like they are a spam-sending source. You need to balance the benefit of reduced bandwidth and resource costs with your tolerance for false positives. Increase the threshold for the extended Suspect Spam list as appropriate. Explain to the user that the blocking decision was made based on the amount of spam that comes from the sender's email server.

Situation: A bulk mailer complains about being unable to send mail to one of your customers.
Solution: Explain to the bulk mailer that servers and IP addresses are placed on the lists based on objective analysis of email traffic from those servers. If the Sender Reputation Service identifies a server as being a spam source, the only way to remove it from the list is to ensure that the server ceases to disseminate spam. If a mail server that is considered to be a spam source by the Sender Reputation Service does not send unwanted messages for a given time period, that mail server's profile is updated accordingly when the lists are next generated. Given that the Sender Reputation Service is data-driven based on sending patterns, it is not a Symantec practice to manually place or remove IP addresses to or from the lists.

Situation: A bulk mailer wants to contact Symantec for removal.
Solution: Do not encourage bulk mailers to contact Symantec for remediation through Symantec Support. When responding to mailers, stress that they should adhere to generally accepted best practices to avoid having their mail filtered as spam, such as the following:

All mailing list members must be added by verified opt-in (double opt-in).
Users must have options to opt out of information sharing.
All email must be RFC-compliant. For more information about how RFCs pertain to email, on the Internet, go to the following URL: http://www.rfc-editor.org
The privacy policy must be visible before sign-up.
All email servers that connect to Symantec customer mail servers must be secured to prevent unauthorized use (they may not be an open proxy or open relay).
Communications must be clear and not attempt to disguise content or origin.
All addresses receiving more than five hard bounces from the customer mailer daemon must be removed.

Adhering to the preceding guidelines does not guarantee the omission of any email source from the Suspect List. However, it should decrease the incidence of email that is misidentified as spam (a precursor for an email server's inclusion on the Open Proxy List or the Suspect List).

Situation: A bulk mailer wants to be manually placed on the Safe List.
Solution: Symantec generates the Safe IP address list according to its analysis of email traffic and its automated review of email sources on the Internet. Organizations or companies cannot petition to be manually placed on the Safe List.


About selecting the optimal rule set to optimize performance


Selecting the right rule set is an important step in optimizing performance. For high-load or hardware-limited environments, the Service Provider Express rule set delivers effective spam detection at reduced hardware requirements. The default rule set is Service Provider Full. See Rule set attributes on page 104.

Implementing custom rule sets


In almost all cases, the standard antispam rule sets that Symantec provides meet the needs of our customers. In some cases, Symantec Security Response may make a custom rule set available to a customer.

To implement a custom rule set

1 Access the advanced configuration Web page in the Control Center with the generalized URL of:
http://host:port/brightmail/settings/advanced/editAdvancedSettings.do
The host and port are the host and port on which the Control Center serves Web pages. In most cases, use the following address to access the Web page:
http://localhost:41080/brightmail/settings/advanced/editAdvancedSettings.do
Once you are connected, a page appears with a series of choices.

2 Under Filters, under Antispam filters, click Custom filters (uncommon).

3 In the field next to Custom filters (uncommon), type the URL that Symantec Support gives you. For example: https://aztec.brightmail.com/custom. The URL must be entered without a trailing slash.

4 Click Save.

Using Keep Alive


You can use Keep Alive to maintain idle client-server connections. Alternatively, you can leave the configuration file unaltered and inherit your operating system's default behavior for Keep Alive.


To configure Keep Alive through the bmi file

1 Using a text editor, go to the bmserver section of the bmiconfig.xml file.

2 Add one of the following lines to the bmserver section:
<keepAlive enabled="true" />
to turn on keep alive for connections, or
<keepAlive enabled="false" />
to turn off keep alive.

To configure Keep Alive through the Advanced Settings

1 Access the advanced configuration Web page in the Control Center with the generalized URL of:
http://host:port/brightmail/settings/advanced/editAdvancedSettings.do
The host and port are the host and port on which the Control Center serves Web pages. In most cases, use the following address to access the Web page:
http://localhost:41080/brightmail/settings/advanced/editAdvancedSettings.do
Once you are connected, a page appears with a series of choices.

2 Enter a value of true in the Keep Alive field.

3 Click Save.

Optimizing performance on Solaris SPARC


The multi-threaded capabilities of the UltraSPARC T1 and T2 processors with CoolThreads provide fast and efficient message processing. The UltraSPARC T Series processors consist of a number of cores, each of which carries multiple hardware threads, giving you a total number of logical processors. For example, the T1000 has a T1 processor with 8 cores and 4 hardware threads per core, for a grand total of 32 logical processors. The Solaris operating system reports 32 CPUs on the computer:

8 cores * 4 hardware threads = 32 logical processors

The number of service threads should be equal to the number of logical processors on the computer (the number of CPUs reported by Solaris). For details on these capabilities, including benchmark data, on the Internet, go to the following URL: http://www.sun.com/blueprints/1006/820-0132.html

Software tuning for Symantec Message Filter is required to maximize message processing and includes the following tasks:


Increasing service threads
The maxServiceThreads attribute limits the maximum number of threads that can exist at one time. The default value is 32. Increasing the value increases the speed at which messages are processed, due to the multi-threaded capability of the T2000.

Integrating Multi-Threaded malloc (mtmalloc)
Mtmalloc is a version of the standard UNIX malloc memory allocation library that is especially tuned for multi-threaded programs. The Solaris OS mtmalloc library is tuned to minimize lock contention, resulting in a lower probability that a thread is suspended while it waits to obtain a lock within the memory allocation library. To enable mtmalloc, you must change the LD_PRELOAD environment variable to point to the mtmalloc shared library. You can also use alternative mallocs. The mtmalloc libraries are faster than the standard malloc library. These libraries come at the cost of higher virtual memory usage and additional VM fragmentation. The higher virtual memory usage can eventually lead to heap exhaustion on a server. Ensure that you periodically restart the bmserver process to avoid issues. For more information, visit the Sun Web site.

For information on increasing the number of available service threads in the bmiconfig file, see http://www.sun.com/third-party/global/symantec/collateral/BrightmailBluePrintJune2009.pdf.

To increase the number of available service threads through the Control Center

1 In the Control Center, click the Settings tab.

2 To access the Advanced Attributes page, hold down the right Shift key while simultaneously pressing the a key.

3 Under Host-Specific attributes, in the Maximum bmserver service threads field, type the maximum number of service threads. The default value is 32.

4 Click Save.


To use the Solaris OS mtmalloc library

Using any standard text editor, open the file brightmail-env. By default, this file is located as follows: /opt/symantec/sbas/Scanner/etc/brightmail-env If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.

Add the following lines: LD_PRELOAD=libmtmalloc.so export LD_PRELOAD

Save brightmail-env.

To use the Solaris OS libumem library

Using any standard text editor, open the file brightmail-env. By default, this file is located as follows: /opt/symantec/sbas/Scanner/etc/brightmail-env If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.

Add the following lines: LD_PRELOAD=libumem.so export LD_PRELOAD

Save brightmail-env.

Optimizing performance with Java Message Service


You can increase the number of threads to take advantage of CoolThreads hardware and feed the high number of threads in the AS scanner. You can also use the memory queue to simulate high-performance SAN storage (not suitable for production use, since the queue is lost on power outages). For more information about how to optimize performance for Java Message Service, on the Internet, go to the following URLs:

http://docs.sun.com/app/docs/coll/1312.2
http://www.sun.com/blueprints/0806/819-7663.pdf
http://docs.sun.com/source/819-3714/index.html#wp35446
http://www.sun.com/blueprints/1006/820-0132.html


To increase the number of threads

Open the following file in a text editor: /data/opt/SUNWmsgsr/config/imta.cnf

Change the following values:
MIN_PROCS=8
MAX_PROCS=32

Save and close the imta.cnf file.

To simulate high performance SAN storage

Open the following file in a text editor: /data/opt/SUNWmsgsr/config/imta_tailor

Modify the following value: IMTA_QUEUE=/var/run/queue/

Save and close the imta_tailor file.

Optimizing performance on Linux


The number of service threads should be equal to two (2) times the number of logical processors on the computer (the number of CPUs reported by Linux).

Optimizing performance on Windows


The number of service threads should be equal to two (2) times the number of logical processors on the computer (the number of CPUs reported by Windows).

Considerations for tuning the Control Center


Consider the following items for optimal Control Center configuration:

Number of Scanners
The number of Scanners from which the Control Center collects logging and statistics data can affect the Control Center's performance. As you add Scanners to a Control Center, monitor the Control Center's performance to ensure that it does not degrade to unacceptable levels.

Log level
More verbose log levels result in more log data that the Control Center must consolidate over the network. Consider keeping log levels relatively low (WARNING or lower) unless you are troubleshooting. You can also expunge logs more frequently (perhaps daily).

Scheduled reports
Schedule reports for times when utilization is low.

Report data storage
Store limited amounts of report data, and purge report data often. For optimum savings, leave the optional report data categories unchecked. You can run reports without storing any extra data. The per-recipient reports are particularly likely to take a lot of hard disk space.

Role of Control Center host
In cases where the Control Center host is also a busy Scanner host, the Scanner and Control Center must share the resources of a single computer, which may affect performance. Consider running the Control Center and Scanner on separate computers.

Number of messages that are expected per day into Quarantine
The more messages that are placed in the Quarantine, the larger the database, and the more processing is required. Delete spam to reduce the maximum size of the Quarantine database. Limit spam retention time or only quarantine suspect spam.

Number of end users logging into the Quarantine interface
More connections to end users result in more overhead for the system.

HTTPS use
Secure HTTP connections are encrypted. Encrypting and decrypting the data in both directions for each connection is secure but is also more CPU intensive than HTTP. Also, the larger your HTTPS key size, the more CPU cycles it may consume.

LDAP synchronization
Enabling LDAP synchronization can improve system performance because messages to non-existent users do not enter the mail stream.

About enhancing performance for outbound email


Symantec Message Filter is not an MTA, but rather a filtering product that integrates with existing MTAs. If you do not have a need to filter outbound mail, you can save processing overhead and not filter outbound mail. To disable outbound mail filtering, adjust your MX records and smarthost configurations to ensure that outbound mail does not go through the same Symantec Message Filter-filtered SMTP server. For more information about how to configure outbound scanning to fit your organization's specific needs, contact your Symantec sales representative.

Configuration tips to reduce outbound spam


Outbound spam affects the delivery of legitimate mail, tarnishes brand reputation, and imposes unnecessary costs. One of the key enablers for outbound spam is the proliferation of botnets. Botnets are vast networks of compromised "zombie" computers that collectively send out huge quantities of spam and other email threats. By controlling a botnet, a malicious sender can disseminate vast quantities of spam, engage in identity theft, and infect computers with spyware. Botnet traffic can be controlled when it is funneled through the legitimate email servers that service providers manage. Table 5-4 lists suggested Symantec Message Filter configurations that you can make to the configuration file (bmiconfig.xml) to enhance outbound scanning.

Note: These modifications fall outside the scope of supported customer operations. Any changes that are described in Table 5-4 should only be made with the assistance of your technical account manager or Symantec Support.

Table 5-4 Suggested configurations for outbound scanning

Task: Change the default rule set.
Description: Change the default rule set to Service Provider Express. This rule set provides the following features:

Primarily based on signatures for known and active spam attacks
Excellent message-per-second throughput and CPU stability
Low false positive rate
Best for minimizing hardware costs

See Rule set attributes on page 104.

Task: Create distinct configuration files for inbound and outbound filtering.
Description: Symantec Message Filter installations should have separate configuration files for inbound and outbound filtering to allow for separate tuning.

Task: Disable inbound-focused filtering technologies.
Description: To avoid the risk of false positives for outbound filtering, disable the following technologies when you scan outbound email:

Consent service (libpermit). See libpermit on page 167.
Header rules within the Heuristics module (also known as the Spamhunter module). See About the Virus Services Type on page 157.
Fastpass. See libfastpass on page 161.

Task: Disable suspect thresholds.
Description: Disable any suspect or gray thresholds for outbound filtering. See About the Consent Service Type on page 161.


About the factors that affect performance


Many factors can affect the performance of Symantec Message Filter. This section provides guidelines regarding those factors and suggestions that may improve performance. When you evaluate your hardware needs, tailor your messaging environment for the MTA and your mail flow, rather than for Symantec Message Filter. Overall performance involves several factors. Some factors depend on the configuration options and deployment options that you choose. Others depend on external factors, such as the percentage of your organization's email that is spam.

Hardware components that affect performance


The components that make up the system affect its performance. Performance increases as you add physical resources to your system. If you run the Control Center and Scanner on different computers, consider the following recommendations:

Scanners need less disk storage but powerful CPUs and memory, especially if antivirus scanning is enabled.
The Control Center likely needs much more disk space (depending on the volume of logging, reporting, and quarantined messages retained). It should also have a much higher sustained I/O throughput capacity than what is specified for Scanners.

Consider the following recommendations for the computers that run Symantec software:

Network
Use switched 100 Mb/s fast Ethernet or gigabit network connections between the Control Center and each Scanner.

CPU (speed and type)
Increase the number and speed of CPUs per server. We recommend dual Intel Xeon processors if your email traffic rate suggests the need.

RAM (speed and type)
Track memory usage and increase RAM as necessary to minimize or avoid disk swapping. Tomcat can use as much as 600 MB of RAM when it completes certain tasks. MySQL can also use a large amount of RAM.

Disk type and I/O speeds
Use a fast RAID or attached disk array to improve MySQL database performance. The Control Center uses MySQL.


Environmental factors that affect performance


Environmental factors affect the performance of the system. These factors include the usage patterns of your particular deployment. Collect the following information about your environment to understand its typical behavior:

MTA version
Ensure that you have the most up-to-date version of your MTA that Symantec supports. Different MTAs may perform differently with the product due to integration differences and configuration differences.

Outgoing SMTP connections
Determine if end users' email clients connect to the MTA for outgoing SMTP connections. This configuration can cause additional overhead because it swells local disk queues with email destined for remote email servers that may not immediately accept new email. Larger queues on disk result in reduced MTA performance. Ideally, you should configure inbound and outbound mail streams to work on separate computers.

External and internal MTA performance
Determine the performance of the MTA that sends inbound email to your MTA, and the performance of your gateway and internal MTAs and message store.

The characteristics of messages that are sent and received can affect performance. Key parameters to identify are as follows:

Average message size
Number of messages with attachments
Average attachment size
Types of attachments
Percentage of spam in the email traffic
Percentage of virus-infected messages in the email traffic
Types of end users (ISP or enterprise)

About the Symantec Message Filter settings that affect performance


The following settings can affect Symantec Message Filter performance:


Filtering components

The following filtering components can affect system performance:

Outgoing versus incoming filtering
Filtering outgoing messages causes additional overhead.

Custom filters
Infrequently, custom filters may affect performance. Monitor the system after introducing them.

Antivirus scanning
Monitor performance and consider lowering the maximum scanning depth and maximum attachment size to improve it. Although the impact varies by deployment, antivirus scanning can decrease performance by 25% or more. Consider performing virus scanning after spam filtering: the load that the antivirus scanner processes is reduced by filtering out spam first. However, you can only use this technique if you do not use the Quarantine. If you use the Quarantine, this method prevents end users from receiving their spam email. As a result, your end users cannot determine whether the messages in their Quarantine are legitimate (ham) or spam.

Group policies
If a message has more than one recipient and each recipient has a different policy, then the message may need to be bifurcated (split into two or more messages) for modification before delivery. The bifurcated messages that result from many group policies may degrade performance. Use group policies as necessary, but be aware that a high number of policies can affect performance.


Control Center

The Control Center is used to start and stop servers, view logs and reports, set configuration options, and consolidate statistics, report data, and logs. Consider the following regarding its configuration:

Number of Scanners
The number of Scanners responsible for collecting logging and statistics data can affect performance. As you add Scanners to a Control Center, monitor it to ensure that it is not negatively affected.

Log level
The higher the log levels, the more data the Control Center must consolidate over the network, and the larger the MySQL database becomes. Consider keeping log levels relatively low unless you are troubleshooting. You can also set logs to be purged more frequently.

Scheduled reports
Schedule reports for times when utilization is low.

MySQL I/O
MySQL requires a significant amount of disk I/O to maintain acceptable performance. Ensure you have an adequate disk I/O subsystem to handle existing and projected capacity.

Quarantine and LDAP

Consider the following Quarantine and LDAP performance implications:

Number of messages that are expected per day into Quarantine
The more messages that are placed in the Quarantine, the larger the database, and the more processing required. Reduce the maximum size of the Quarantine database when you delete spam or reduce spam retention time.

Number of end users logging into the Quarantine
More connections to end users result in more overhead for the system.

LDAP server throughput
LDAP lookups for message recipients against a limited-capacity LDAP server severely impair Quarantine performance. Ensure you have adequate capacity on your LDAP server.

Message queues
When the Control Center is heavily loaded, the Quarantine's SMTP server may slow down. Remote spam spool directories on the Scanner can back up. When this event occurs, some legitimate mail messages may be delayed. Ensure adequate hardware resources on the Control Center server to prevent delayed messages.

Table 5-5 lists some additional factors about performance that you should consider before you install the product.


Table 5-5 Factors that impact performance

Factor: Characteristics of the computer that runs Symantec Message Filter
Questions to ask: What is the processor speed? How much memory is available? What is the current load on the computer? Are there spare CPU cycles?
Performance/effectiveness implications: Filtering is primarily CPU-dependent. But statistics, logging, the Conduit, and antivirus filtering (if deployed) can cause moderate disk I/O. Assess the current server load if Symantec Message Filter is deployed on an existing server. If Symantec Message Filter is deployed after other filters, there is lower mail volume and processing requirements for Symantec Brightmail software.

Factor: Mail flow
Questions to ask: How much mail does the Server receive? What is the average number of messages per second? What is the peak message traffic? What is the average size of mail messages?

Factor: Spam flow
Questions to ask: What is the estimated percentage of spam in the overall mail flow (20%, 50%, 70%)?
Performance/effectiveness implications: Smaller amounts of spam result in lower performance because legitimate messages must pass all filtering tests.

Factor: Optional features
Questions to ask: Will antivirus filtering be running? Will you create custom rules? Will you be spooling messages to disk?
Performance/effectiveness implications: All of these optional features decrease performance.

Factor: Shared versus dedicated
Questions to ask: Will the Server be on a dedicated computer? Will the Client and Server run on the same computer?
Performance/effectiveness implications: For maximum performance, employ a dedicated Server.

Chapter 6

Configuring Symantec Message Filter without the Control Center


This chapter includes the following topics:

About configuring settings without using the Control Center
About configuration file elements
About the Installation section
About the Services section
About the Programs section
About the Engine section
About the Policies section
Managing logs for stand-alone Scanners
About managing statistics for stand-alone Scanners
About conduit rule updates
About LiveUpdate rule updates


About configuring settings without using the Control Center


Most deployments use the Web-based Control Center interface to manage their Scanners. However, you can manage your Scanners without using the Control Center. You might want to manage your Scanners without a Control Center if you use third-party management software, or if your site has a large number of users or a high email flow.

Note: Once installation and registration are complete, do not install any other software or follow any test or other procedures.

To configure and manage services on Linux and Solaris, use a shell script. By default, this shell script is located at the following path:

/opt/symantec/sbas/Scanner/sbin/controller.sh

Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.

To configure and manage services on Windows, use the Windows Services tool. See "Setting up Scanner services on Windows" on page 146.

Setting up Scanner services on Linux and Solaris


The controller.sh tool has the following syntax:

controller.sh <action> <component>

where <component> is a service within Symantec Message Filter and <action> is a request for status or for a change to the specified component. The following components are available:

bmserver: The Server, which the Runner controls
bmifilter: The Filter (Sendmail only), which the Runner controls
conduit: The Conduit, which the Runner controls
harvester: The Harvester, which the Runner controls
cleaner: The AntiVirus Cleaner, which cron controls
bmagent: The Agent, which the Runner controls
jlu-controller: The LiveUpdate, which the Runner controls

The following actions are available:

start: Have a component begin processing. If the specified component is already processing, nothing is done.

stop: Have a component stop processing. If the specified component is not processing, nothing is done.

enable: The next time the Runner restarts, allow a service to begin processing.

disable: The next time the Runner restarts, prevent a service from beginning to process. Once disabled, a service cannot be initiated with start until enabled.

kick: Sends a message instructing the process to reload its configuration or, in the case of LiveUpdate and Conduit, to also load new rules. Upon successful completion, controller.sh returns 0; otherwise a non-zero value is returned. In the case of the AntiVirus Cleaner, new configuration data cannot be kicked immediately. It is pushed for loading the next time the Cleaner starts.

Note: Source $LOADPOINT/etc/brightmail-env before you run kick. The LOADPOINT is the directory into which you installed the product.

isenabled: Tests to see if the given component is enabled. If the service is enabled, a value of 0 is returned. Otherwise, a value of 1 is returned.

isactive: Determines if a service is running. If the service is running, a value of 0 is returned. Otherwise, a value of 1 is returned.

Note: On Linux and Solaris, the AntiVirus Cleaner actions are identical for start and enable and for stop and disable. The actions are identical because cron makes no differentiation between each pair of states. See "About removing .stop files" on page 75.

To set up Scanner services on Linux or Solaris

1 Log on to the Scanner host as user mailwall.

2 Type the following command to start the Runner:

/etc/init.d/mailwall start

3 Type the following commands to stop and disable the Agent. The Agent is used only with the Control Center.

controller.sh stop bmagent
controller.sh disable bmagent

4 If you do not use Sendmail as the MTA, stop and disable the Filter:

controller.sh stop bmifilter
controller.sh disable bmifilter

Setting up Scanner services on Windows


You can control all Windows Scanner services through the Windows Services console.

To set up Scanner services on Windows

1 On the Windows Start menu, click Administrative Tools, then Services.

2 Stop and disable the Agent. The Agent is only used with the Control Center.

3 Enable the Server, the LiveUpdate, the Conduit, the Harvester, and the AntiVirus Cleaner within Windows Services. In the properties for each service, set it to start automatically whenever Windows is started: right-click the service, click Properties, and change Startup Type from Manual to Automatic.

4 Start the Server, the Conduit, the Harvester, and the AntiVirus Cleaner.

Registering the Scanner on Windows


Before your Windows Scanner processes messages, you must enable communication between it and the IIS SMTP server.

To register the Scanner on Windows

At the Windows command line, type the following commands:

REG ADD HKLM\Software\Brightmail\Sink /v Enabled /d 1 /f
REG ADD HKLM\Software\Brightmail\Sink /v Reload /d 2 /f

After each of the commands, the system should return:

The operation completed successfully.


About configuration file elements


The configuration file contains the element settings that the Scanner uses for configuration. When you use a Scanner in stand-alone mode, you can edit the configuration file to modify its behavior. You can find the configuration file in the following locations:

Linux and Solaris: /opt/symantec/sbas/Scanner/etc/bmiconfig.xml

Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.

Windows: \Program Files\Symantec\SBAS\Scanner\Config\bmiconfig.xml

When you use the Control Center, this file is created from entries in the database that the Control Center maintains. This chapter contains details and example values for each section (object) in the bmiconfig.xml file so that you can edit this file by hand.

Note: Make a backup copy of the bmiconfig.xml file before you make any modifications.

The configuration file is formatted in UTF-8, but all data in the file must be maintained in standard ASCII. Data within the file is written in XML.

About the Installation section


The <installation></installation> section contains a set of configuration elements that apply to all other major sections of bmiconfig.xml. The following is an example from a Windows installation. It varies slightly depending on the operating system that you use (the os and arch attribute values must be quoted to be well-formed XML):

<installation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bmi="http://brightmail.com/bmiconfig.xsd" os="windows" arch="x86" version="9.0.0.1">

Table 6-1 lists the Installation section valid elements and their values.

Table 6-1 Valid Installation section elements

totalProfiling
Tracks the performance of each module and records CPU usage levels for each message in a stat file. The entry in the stat file consists of the total CPU time for message processing (that is, from the time the message enters the system to the time the message exits). The elements usertime and systemtime are added in the <MSG> node. These elements break the message processing time down into CPU user time and CPU system time. The Conduit reads the per-message stat files and creates a stat package that it sends to BLOC.
A "profiling" element is added in the module node to enable individual module-level profiling. It has a default value of "true." A value of "false" disables the detailed profile output in the stat. Module-level detail profiling is output for each enabled module, so if only totalProfiling is enabled, there is no separate per-module entry in the stat file.
An example of the profiling element is as follows:

<module xsi:type='bodyhashModuleType' name='libbh' enabled='true' critical='false' profiling='false'>
  <url>https://aztec.brightmail.com/rules2/hashes</url>
</module>

An example of the engine stats file format is as follows (attribute values are quoted, as XML requires):

<MSG ip="192.168.0.1" etime="1205757004" latency="16604" bytes="42395" usertime="1112345" systemtime="154321" helo="DoeDevImage" from="jdoe@symantecexample.com">
  <mod name="libbh" usertime="12345" systemtime="54321" />
  <mod name="libregex" usertime="23451" systemtime="43215" />
  ... (N profiling-enabled modules, N=0 to max loaded modules)
  <VERD disp="spam" rules="13252657,157052173,157030121">
    <RCPT addr="john_doe@symantecexample.com" />
  </VERD>
</MSG>

An example of the totalProfiling element in the bmiconfig.xml file is as follows:

<totalProfiling>true</totalProfiling>

productName
Hard-coded value. Do not change. Default: SMF (headless mode) or SMF + BCC

productVersion
Hard-coded value. Do not change.

loadpoint
Directory that represents the base location that is assigned to the Symantec Message Filter software. You select the loadpoint during product installation. This location is stored in the $LOADPOINT variable.
Linux and Solaris: /opt/symantec/sbas/Scanner
Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
Windows default: C:\Program Files\Symantec\SBAS\Scanner

logdir
Directory where log files are placed. Log files contain both errors and general information on system activity.
Linux and Solaris default: /var/log/brightmail
Windows default: \Program Files\Symantec\SBAS\Scanner\logs

spooldir
Directory in which spool information is located. Within this directory are directories for Harvester and Virus Cleaner messages.
Linux and Solaris default: /var/spool/brightmail
Windows default: \Program Files\Symantec\SBAS\Scanner\BmiSpool

statsdir
Directory in which the Scanner deposits statistics files. You select the statistics directory during product installation. This location is stored in the $STATSDIR variable. Statistics are logged initially per message in an XML format. The Scanner writes this information to a statistics log file named bmi_eng_stats. Periodically, the file is renamed to engine_stats.xxx.xml, where xxx is a unique timestamp, so that the Conduit can pick it up. If you use the Control Center, statistics are stored in the Control Center for each attached Scanner.
Linux and Solaris: /opt/symantec/sbas/Scanner/stats
Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
Windows default: \Program Files\Symantec\SBAS\Scanner\Stats

configdir
Directory that contains configuration files. This directory includes the bmiconfig.xml file as well as certificate files and virus notifications.
Linux and Solaris: /opt/symantec/sbas/Scanner/etc
Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
Windows default: \Program Files\Symantec\SBAS\Scanner\Config

reinsertionkey
Key that is used to secure the reinsertion system. If you use the Control Center, this key is automatically generated during Control Center installation. If you do not use the Control Center, you must create your own reinsertion key. A reinsertion key can contain any number of characters and must be valid UTF-8 and valid XML. Create a new reinsertion key rather than use the value that is shown in the example or the default value that is included in bmiconfig.xml. Use the same key across all Scanners.
Example: <reinsertionkey>hva\*Xgzis}nol#uU_{, </reinsertionkey>
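The engine stats records written under statsdir have the <MSG>/<mod>/<VERD>/<RCPT> layout shown for totalProfiling above. The following added example (not code from the guide or from Symantec) parses records in that format and summarises CPU time per profiled module, verdicts and rule hits; it assumes quoted attribute values, that several records are wrapped in one root element for parsing, and that the sample values below are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample: two <MSG> records in the documented stats format.
# Timing values are invented and treated as opaque integers in whatever
# unit the Scanner records.
SAMPLE_STATS = """<stats>
<MSG ip="192.168.0.1" etime="1205757004" latency="16604" bytes="42395"
     usertime="1112345" systemtime="154321" helo="DoeDevImage"
     from="jdoe@symantecexample.com">
  <mod name="libbh" usertime="12345" systemtime="54321" />
  <mod name="libregex" usertime="23451" systemtime="43215" />
  <VERD disp="spam" rules="13252657,157052173,157030121">
    <RCPT addr="john_doe@symantecexample.com" />
  </VERD>
</MSG>
<MSG ip="192.168.0.2" etime="1205757010" latency="900" bytes="2100"
     usertime="5000" systemtime="1000" helo="mx.example.test"
     from="sender@example.test">
  <mod name="libbh" usertime="2000" systemtime="500" />
  <VERD disp="legit" rules="">
    <RCPT addr="one@symantecexample.com" />
    <RCPT addr="two@symantecexample.com" />
  </VERD>
</MSG>
</stats>"""


def parse_stats(text):
    """Return one dict per <MSG> record found in the stats document."""
    root = ET.fromstring(text)
    records = []
    for msg in root.iter("MSG"):
        verd = msg.find("VERD")
        rules = verd.get("rules", "") if verd is not None else ""
        records.append({
            "ip": msg.get("ip"),
            "sender": msg.get("from"),
            "latency": int(msg.get("latency", 0)),
            "bytes": int(msg.get("bytes", 0)),
            # Total CPU for the message: user time + system time.
            "cpu_total": int(msg.get("usertime", 0)) + int(msg.get("systemtime", 0)),
            # Per-module CPU; only modules with profiling enabled emit <mod>.
            "modules": {m.get("name"): int(m.get("usertime", 0)) + int(m.get("systemtime", 0))
                        for m in msg.findall("mod")},
            "disp": verd.get("disp") if verd is not None else None,
            "rules": [r for r in rules.split(",") if r],
            "recipients": [r.get("addr") for r in verd.findall("RCPT")] if verd is not None else [],
        })
    return records


def module_cpu(records):
    """CPU per module over all records, plus time not attributed to any profiled module."""
    totals = defaultdict(int)
    for rec in records:
        attributed = 0
        for name, cpu in rec["modules"].items():
            totals[name] += cpu
            attributed += cpu
        totals["(unattributed)"] += rec["cpu_total"] - attributed
    return dict(totals)


def verdict_counts(records):
    """Number of messages per disposition (spam, legit, ...)."""
    return Counter(rec["disp"] for rec in records)


def rule_hits(records):
    """How often each rule id contributed to a verdict."""
    return Counter(r for rec in records for r in rec["rules"])


def slow_messages(records, latency_threshold):
    """Records whose latency exceeds the threshold (same unit as the stat file)."""
    return [rec for rec in records if rec["latency"] > latency_threshold]


if __name__ == "__main__":
    recs = parse_stats(SAMPLE_STATS)
    print(module_cpu(recs))
    print(verdict_counts(recs))
    print(rule_hits(recs).most_common(3))
    print([r["ip"] for r in slow_messages(recs, 10000)])
```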

About the Services section


The <services></services> section contains the following service type descriptions:

Spam
Antivirus service that filters messages according to antivirus modules and policies. See "About the Spam Service Type" on page 151.

Virus
Custom rules filtering service that filters messages according to customer-created Sieve rules and in conformance to modules and policies. See "About the Virus Services Type" on page 157.

Custom
Custom rules filtering service that filters messages according to customer-created Gatekeeper rules and in conformance to modules and policies. See "About the Custom Service Type" on page 160.

Consent
Whitelist and blacklist service that filters messages according to Symantec-supplied and user-supplied whitelists and blacklists. See "About the Consent Service Type" on page 161.

Language
Linguistic analyzer service that identifies the language of a message. See "About the Language Service Type" on page 171.

Reinsert
Required service that prevents the messages that the product generates (such as alerts and reports) from being scanned. It also prevents the messages that have already been filtered by the software from being filtered again and potentially causing a mail loop. See "About the Reinsert Service Type" on page 172.

About the Spam Service Type


By default, the Spam Service Type is named spam, is enabled, and has not expired. Default:
<service xsi:type="spamServiceType" name="spam" enabled="true" expired="false">

Available Spam Service Type modules generally contain the following definitions:

type: Provides a specified type for the module.
name: Provides a specific name for the module.
enabled: Specifies whether the module is active. Valid values are true and false.
critical: Indicates whether the module is mission-critical. Valid values are true and false. If true, the module is considered mission-critical and, when it is not in operation, messages are automatically rejected. If false, the messages that the module cannot process stay in the flow of email.
profiling: Indicates each module's message processing profiling.
url: Web address used by modules to retrieve the information by which they process messages.

The Spam Service modules are as follows:

libbh: See "libbh" on page 152.
libintsig: See "libintsig" on page 152.
libstatsig: See "libstatsig" on page 152.
libspamsig: See "libspamsig" on page 153.
libregexfilter: See "libregexfilter" on page 153.
libspamhunter: See "libspamhunter" on page 154.

libbh
After installation, libbh has a defined type, name, enable status, critical status, and URL definition as shown in the default values. Default:
<module xsi:type="bodyhashModuleType" name="libbh" enabled="true" critical="false">
  <url ruleName="hashes">https://aztec.brightmail.com/rules2full/hashes</url>
</module>

libintsig
This module is the 8-bit version of the intsigModuleType module. Default:
<module xsi:type="intsigModuleType" name="libintsig" enabled="true" critical="false">
  <url ruleName="intsigs">https://aztec.brightmail.com/rules2full/intsigs</url>
</module>

libstatsig
After installation, libstatsig has a defined type, name, enable status, critical status, and URL definition as shown in the default values. Default:

<module xsi:type="statsigModuleType" name="libstatsig" enabled="true" critical="false" profiling="false">
  <url ruleName="statsigs">https://aztec.brightmail.com/rules2full/statsigs</url>
</module>

libspamsig
After installation, libspamsig has a defined type, name, enable status, critical status, and URL definition as shown in the default values. Default:
<module xsi:type="spamsigModuleType" name="libspamsig" enabled="true" critical="false">
  <url ruleName="spamsigs">https://aztec.brightmail.com/rules2full/spamsigs</url>
</module>

libregexfilter
This spam module manages header rules using regular expressions (regexModuleType module). Default:
<module xsi:type="regexModuleType" name="libregexfilter" enabled="true" critical="false">
  <url ruleName="blrm">https://aztec.brightmail.com/rules2full/blrm</url>
  <maxTotalHeadersLength>32768</maxTotalHeadersLength>
  <RHK enabled="true"/>
</module>

Table 6-2 describes the libregexfilter valid elements and their values.

Table 6-2 Valid libregexfilter elements

maxTotalHeadersLength
Maximum length, in bytes, of headers that libregexfilter examines. libregexfilter returns a spam disposition for any message with headers that exceed this limit. Each occurrence is logged at the NOTICE level. The default of 32 KB is the same as the built-in limit that Sendmail imposes. Sendmail and Postfix impose header length limits on incoming messages; other MTAs have no restrictions on message header length. For installations that use an MTA other than Sendmail or Postfix, maxTotalHeadersLength prevents a large number of messages with exceedingly large headers from causing mail to back up.
Default: <maxTotalHeadersLength>32768</maxTotalHeadersLength>

RHK
Regex Hash Key acceleration is a technique for improving the performance of programs that need to evaluate a large number of regexes against the same text.
Default: <RHK enabled="true" />

libspamhunter
After installation, libspamhunter has values that are shown as follows. Default:
<module xsi:type="spamhunterModuleType" name="libspamhunter" enabled="true" critical="false" profiling="false">
  <url ruleName="spamhunter">https://aztec.brightmail.com/rules2full/spamhunter</url>
  <grayFactor>80</grayFactor>
  <urlhashLimit>0</urlhashLimit>
  <imageEvalRules enabled="false"/>
  <!-- null value here means accept all languages -->
  <acceptedLanguages>
    <language></language>
  </acceptedLanguages>
  <ruleTypes/>
  <RHK enabled="true" />
  <RBE enabled="true"/>
  <scanAttachments enabled="false"/>
</module>

Table 6-3 describes the libspamhunter valid elements and their values.

Table 6-3 Valid libspamhunter elements

grayFactor
Specifies the lowest score that you want to be classified with a gray (suspected spam) verdict. A suspected spam message is a message that shows many characteristics of spam; however, Symantec is not 100% confident that the message is, in fact, spam. When you enable suspected spam and set the threshold by which it is classified, you define how lenient you want to be on the messages that have these spam characteristics. Values for grayFactor in the Control Center range from 25 through 89, which represent values of 28 through 99 in the configuration file. To disable suspected spam verdicts entirely, set this value to 100. The lower the value, the broader the potential scope for suspected spam messages. The grayFactor element represents the lowest score at which a message can be considered suspected spam. The default value for grayFactor is 80. Note that the value that you specify for grayFactor differs from the value that you specify in the Control Center. To convert the grayFactor element value to the Control Center value, multiply it by 0.9. For example, the default grayFactor value of 80 appears as 72 in the Control Center "Select a Suspected Spam Threshold between 25 and 89" setting.
Default: <grayFactor>80</grayFactor>

urlhashLimit
Sets a range of message sizes in bytes. If a message size falls within this range, urlHash rules are fired, which are fast regardless of message size. The default value of 0 allows urlHash rules to be fired on all messages up to the maximum message size, which has a default value of 130 KB. To enable urlHash rules to fire on messages of larger sizes, set the value to an appropriately large number greater than 130 KB. To enable urlHash rule firing on all messages regardless of size, set this value to -1.
Default: <urlhashLimit>0</urlhashLimit>

acceptedLanguages
This element is no longer used. Use language services instead. See "About the Language Service Type" on page 171.

ruleTypes
Lists each valid rule type. The following rule types are supported and enabled by default:
urlhash
url_regex
header_regex
body_regex
lang_header_regex
lang_body_regex
bodysig
iprange
The iprange rule type checks whether the connecting IP address, or any IP address that is found in the RECEIVED: headers, matches the range in the rule. The rule types that implement heuristics for this module are header_regex, body_regex, lang_header_regex, and lang_body_regex. Heuristics and the url_regex rule type use the most CPU resources. Performance improves if you disable them; however, disabling them can lead to a loss in filter effectiveness. To disable a rule type, remove its line from the configuration file. When no rule types are specified, all rule types are active.

RHK
Regex Hash Key acceleration is a technique for improving the performance of programs that need to evaluate a large number of regexes against the same text.
Default: <RHK enabled="true" />

RBE
Rule-based extraction (RBE) lets Symantec deliver new message extraction techniques to your mailwalls as they arise in the field. This element lets Symantec extract new, identifiable features from spam messages, whether they are URLs, telephone numbers, or similar transient information. Rule-based extraction lets data be incorporated into your antispam rules in minutes, rather than waiting for a patch or new product release. By default, RBE is enabled to maximize product effectiveness. If performance consistency is more of a concern than effectiveness, you can disable this feature in bmiconfig.xml.
Default: <RBE enabled="true" />

About the Virus Services Type


By default, the Virus Service Type is named virus, is enabled, and has not expired. Default:
<service xsi:type="virusServiceType" name="virus" enabled="true" expired="false">

The Virus Service Type contains the libantivirus module, which generally contains characteristics such as name and type.

libantivirus
The default setting is as follows. Default:
<module xsi:type="avModuleType" name="libantivirus" enabled="true" critical="false" profiling="false">

Table 6-4 describes the libantivirus valid elements and their values.

Table 6-4 Valid libantivirus elements

heuristicLevel
Heuristic level for the antivirus scanning engine, also known as Bloodhound. The heuristic level determines the way in which viruses are flagged. The heuristic level can be one of the following:
0 - No heuristics
1 - Lowest level
2 - Medium level
3 - Highest level
Default: <heuristicLevel>2</heuristicLevel>
This value must match the heuristic value for the AntiVirus Cleaner. See "About the AntiVirus Cleaner program" on page 187.

reinsertionLeeway
Maximum allowed time, in seconds, between when the Cleaner begins to process a message and when that message is passed on to the MTA for delivery. If this time is exceeded, the message is scanned again.
Default: <reinsertionLeeway>600</reinsertionLeeway>

maxContainedFileBytes
Maximum file size, in bytes, beyond which the system consults the policy for large file handling. The recommended value is 1 MB. This value should be equal to or larger than the maximum file size that your environment expects for any message.
Default: <maxContainedFileBytes>10485760</maxContainedFileBytes>

worms
A list of worms against which message attachments are checked. The enabled attribute modifies each worm definition with values of true or false. The default configuration defines the following worms:
Yaha
Bugbear
Hybris
Magistr
Sobig
Mimail
Cult
Dumaru

maxArchiveScanDepth
Maximum number of containers through which message scanning occurs before the message is considered unscannable. Valid values are between 1 and 50.
Default: <maxArchiveScanDepth>20</maxArchiveScanDepth>

Symantec decomposer
This element contains the definitions that are related to the Symantec decomposer. The following settings are used in Symantec decomposer definitions:
fileSystemSize: Specifies the limit on the size of the in-memory file system that the Symantec decomposer uses. If this limit is exceeded, files are written to disk and scanned there, rather than in memory.
fileSizeThreshold: Specifies the size limit for individual files within the in-memory file system that the Symantec decomposer uses. If this limit is exceeded, files are written to disk and scanned there, rather than in memory.
symEngine: Specifies the engines that the Symantec decomposer uses.
symOption: For the specific engines that require them, specifies the option settings that the Symantec decomposer uses. The following options are selected by default:
dec_option_enable_mime_engine: Allows for the processing of MIME-type messages
dec_option_enable_uue_engine: Allows for the processing of UUEncoded messages
dec_option_enable_binhex_engine: Allows for the processing of BinHex-encoded messages

maxArchiveScanTime
The time, in seconds, to spend processing the containers through which message scanning occurs before the message is processed as unscannable. Valid values are any positive number of seconds.
Default: <maxArchiveScanTime>60</maxArchiveScanTime>
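A stand-alone Scanner's bmiconfig.xml is edited by hand, so a quick lint pass against the ranges stated in Tables 6-1, 6-3 and 6-4 (ASCII-only data, a non-empty reinsertionkey, grayFactor 28 through 99 or 100, urlhashLimit relative to the 130 KB default, heuristicLevel 0 through 3, maxArchiveScanDepth 1 through 50, a positive maxArchiveScanTime) catches typos before the Scanner loads them. The following is an added example, not Symantec code; it assumes a constructed fragment with a <bmiconfig> root and without the xsi:type attributes, and it converts grayFactor to the Control Center threshold by the 0.9 factor described for Table 6-3.

```python
import xml.etree.ElementTree as ET

# Constructed minimal bmiconfig.xml fragment using the documented default values.
# The <bmiconfig> root and the absence of xsi:type attributes are assumptions.
SAMPLE_CONFIG = """<bmiconfig>
 <installation os="linux" arch="x86" version="9.0.0.1">
  <totalProfiling>true</totalProfiling>
  <reinsertionkey>ExampleOnly-ReplaceWithYourOwnKey</reinsertionkey>
 </installation>
 <services>
  <service name="spam" enabled="true" expired="false">
   <module name="libspamhunter" enabled="true" critical="false">
    <grayFactor>80</grayFactor>
    <urlhashLimit>0</urlhashLimit>
   </module>
   <module name="libregexfilter" enabled="true" critical="false">
    <maxTotalHeadersLength>32768</maxTotalHeadersLength>
   </module>
  </service>
  <service name="virus" enabled="true" expired="false">
   <module name="libantivirus" enabled="true" critical="false">
    <heuristicLevel>2</heuristicLevel>
    <maxArchiveScanDepth>20</maxArchiveScanDepth>
    <maxArchiveScanTime>60</maxArchiveScanTime>
   </module>
  </service>
 </services>
</bmiconfig>"""

MAX_MESSAGE_DEFAULT = 130 * 1024  # default maximum message size given for urlhashLimit


def gray_to_control_center(gray_factor):
    """grayFactor in the file (28..99) -> suspected spam threshold shown in the Control Center (25..89)."""
    return round(gray_factor * 0.9)


def _int(module, tag):
    """Integer value of a child element, or None when the element is absent."""
    el = module.find(tag)
    return None if el is None or el.text is None else int(el.text.strip())


def check_config(text):
    """Return a list of findings; an empty list means the documented constraints hold."""
    findings = []
    # The file is UTF-8 encoded but all data in it must be standard ASCII.
    if not text.isascii():
        findings.append("config contains non-ASCII data")
    root = ET.fromstring(text)
    key = root.findtext("installation/reinsertionkey") or ""
    if not key.strip():
        findings.append("reinsertionkey is empty; create your own key and use it on every Scanner")
    for mod in root.iter("module"):
        name = mod.get("name")
        for attr in ("enabled", "critical"):
            if mod.get(attr) not in ("true", "false"):
                findings.append(f"{name}: attribute {attr} must be true or false")
        if mod.get("critical") == "true":
            # Documented behaviour: a critical module that is down rejects messages.
            findings.append(f"{name}: critical=true rejects messages whenever the module is down")
        if name == "libspamhunter":
            gray = _int(mod, "grayFactor")
            if gray is not None and not (28 <= gray <= 100):
                findings.append(f"{name}: grayFactor {gray} outside 28..99 (100 disables suspected spam)")
            limit = _int(mod, "urlhashLimit")
            if limit is not None and 0 < limit <= MAX_MESSAGE_DEFAULT:
                findings.append(f"{name}: urlhashLimit {limit} does not exceed the 130 KB default")
        if name == "libantivirus":
            level = _int(mod, "heuristicLevel")
            if level is not None and level not in (0, 1, 2, 3):
                findings.append(f"{name}: heuristicLevel {level} must be 0..3")
            depth = _int(mod, "maxArchiveScanDepth")
            if depth is not None and not (1 <= depth <= 50):
                findings.append(f"{name}: maxArchiveScanDepth {depth} must be 1..50")
            secs = _int(mod, "maxArchiveScanTime")
            if secs is not None and secs <= 0:
                findings.append(f"{name}: maxArchiveScanTime must be a positive number of seconds")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    print("grayFactor 80 ->", gray_to_control_center(80))
```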

About the Custom Service Type


By default, this service type is named custom, is enabled, and has not expired. Default:

<service xsi:type="customServiceType" name="custom" enabled="true" expired="false">

The Custom Service Type contains the libsieve module.

libsieve
You can use the sieveModuleType to create the custom rules that are based on the sieve language.
<module xsi:type="sieveModuleType" name="libsieve" enabled="true" profiling="false">
  <ruleFile>C:\Program Files\Symantec\SBAS\Scanner\Config\sieve_script.txt</ruleFile>
</module>

About the Consent Service Type


By default, the Consent Service Type is named consent, is enabled, and has not expired. Default:
<service xsi:type="consentServiceType" name="consent" enabled="true" expired="false">
  <url>https://aztec.brightmail.com/rules2/permit_rules</url>

The Consent Service Type contains the following modules:

libfastpass: See "libfastpass" on page 161.
libpermit: See "libpermit" on page 167.

Similar to the consent service type, these modules contain characteristics such as name and type.

libfastpass
Fastpass improves mailwall performance by skipping a subset of antispam filters for logical connection addresses with a demonstrated history of sending no spam messages. A "pass" is granted to a message source if that source has sent a specified number of consecutive, sampled legitimate messages (25 by default). Once a source has received a pass, the amount of antispam processing that is applied to messages from that source decreases. The number of messages that are permitted to bypass antispam filtering increases as more and more legitimate email comes from the source. Fastpass reduces the processing time that is required for messages from legitimate sources.

If a message source that has a pass subsequently sends a spam message that is sampled, the pass is immediately revoked and a full antispam analysis is performed on all messages from that source. The source remains eligible to receive another pass, however, by once again meeting all the criteria that are specified in the module configuration. You can configure the following options within the libfastpass module:

The number of legitimate messages that are required to receive a pass
The number of messages that can bypass filtering once a pass is received
The sliding scale that is used to increase the number of messages that can bypass filtering

The libfastpass module uses a memory-resident table to store and categorize the message source IP addresses that are granted a pass and those that are currently being evaluated for a possible pass. Fastpass takes some time to build up its effectiveness after it is first enabled; however, the data it collects is persisted and retained across restarts. The Fastpass table is divided into two parts:

trial table
Contains the entries that are being evaluated for inclusion in the pass table. A determination is made to move an IP address from the trial table to the pass table according to successful testing for legitimate messages from the IP address.

pass table
Contains the entries that are granted a pass by the Fastpass module according to no spam coming from the IP address for a specified number of messages.

By default, the Fastpass table can contain up to 250,000 IP address entries. 25% of the overall table size is reserved for the IP addresses that are granted a pass (up to 62,500 entries). The remaining 75% is reserved for trial table space. Default module settings are as follows:

<module xsi:type="fastpassModuleType" name="libfastpass" enabled="false" critical="false" profiling="false">
  <tableSize>250000</tableSize>
  <entrySamplingRate>3</entrySamplingRate>
  <legitMessagesRequired>12</legitMessagesRequired>
  <initialSamplingRate>5</initialSamplingRate>
  <ignoreGray enabled="false"/>
  <excludeRanges/>
  <bounceStrings>
    <bounceString>mailer-daemon</bounceString>
    <bounceString>postmaster</bounceString>
    <bounceString>autoreply</bounceString>
    <bounceString>auto-reply</bounceString>
  </bounceStrings>
  <persistIntervalSeconds enabled="true">600</persistIntervalSeconds>
  <dropBlock enabled="false" />
</module>

Table 6-5 describes the Fastpass module valid elements and their values.

Table 6-5  Fastpass module elements

tableSize
    Capacity of the Fastpass table, expressed as the number of IP addresses stored. Up to 25% of the specified table capacity can be used for the pass table. The remainder is used for the trial table, which holds the IP addresses that are selected for evaluation but are not yet granted a pass.
    Example: <tableSize>50000</tableSize>

entrySamplingRate
    Specifies the likelihood that messages from an unknown IP address are selected for evaluation and entered into the trial table. A value of 1 is a reserved value. Only use this value at the direction of Symantec Technical Support. A value of 'n' results in an IP address having a 1 in 'n' chance of being entered into the trial table each time a legitimate message from that IP address is received. For example, specifying an entry rate of 5 results in a 1 in 5 chance that an IP address is entered into the trial table.
    Example: <entrySamplingRate>3</entrySamplingRate>

legitMessagesRequired
    Specifies the number of legitimate messages that must be sampled from an IP address before it is granted a pass. Note that because of the sampling rate element (entrySamplingRate), not every source that sends a legitimate message is immediately placed into the trial table.
    Example: <legitMessagesRequired>12</legitMessagesRequired>

initialSamplingRate
    Specifies the initial, nominal sampling rate that is used to determine antispam processing on messages when a pass is first issued to an IP address. As the IP address continues to send legitimate messages, the sampling rate decreases from this nominal rate. For example, a value of 8 results in nominally sampling 1 message out of 8 immediately after a pass is granted. As additional legitimate messages are received from an IP address, the nominal sampling rate is adjusted so that fewer messages are sampled. The nominal sampling rate cannot fall below 1 message in 5 times the initial sampling rate. In other words, with an initial sampling rate of 8, the nominal sampling rate gradually decreases toward 1 message in 8 × 5 as additional legitimate messages are processed, until the nominal sampling rate is 1 message out of 40.
    Example: <initialSamplingRate>5</initialSamplingRate>

ignoreGray
    Determines how a message with a disposition of gray (suspected spam) is handled for an IP address that is granted a pass. If ignoreGray is enabled, a sampled message with a disposition of suspected spam is treated as legitimate for the purposes of Fastpass. If ignoreGray is disabled, a sampled message with a disposition of suspected spam causes the pass to be revoked.
    Example: <ignoreGray enabled="true" />

excludeRanges
    Specifies a set of address ranges that are never entered into the Fastpass table. Symantec Message Filter processing is always performed for addresses in any exclude range. Notation for exclude ranges is the same as the notation that is used for internal address ranges: individual IP address, address/mask, hostnames, or CIDR notation.
    Note: If you specify hostnames, an additional load is incurred. The system has to look up the hostname of the IP for every sampled message to ensure that it does not match a hostname that you have specified in the excludeRanges.
    Example:
    <excludeRanges>
      <excludeRange>192.0.2.0/24</excludeRange>
    </excludeRanges>

bounceStrings
    Specifies a series of strings that can indicate a message is a bounce (an automatically generated message). If any bounce string that is specified occurs (in unencoded form) within either the Subject or From header, then the message is treated as a bounce and is excluded from Fastpass module processing. This comparison is case-insensitive. Regardless of the defined bounce strings, any message that contains an Auto-Submitted header is treated as a bounce.
    Example:
    <bounceStrings>
      <bounceString>mailer-daemon</bounceString>
      <bounceString>postmaster</bounceString>
      <bounceString>autoreply</bounceString>
      <bounceString>auto-reply</bounceString>
    </bounceStrings>

persistIntervalSeconds
    Specifies the persistence interval. By default, persistIntervalSeconds is enabled with a value of 600. To disable persistIntervalSeconds, change the "enabled" value in the configuration file to false. If the value that is specified in the configuration file is an integer, persistence occurs every time persistIntervalSeconds has passed since the previous persist dump, and also when the bmserver process is sent a shutdown signal. Consider the impact if you modify the persistIntervalSeconds value. A low value can result in an almost continuous data dump. Conversely, a high value can essentially disable persistence until bmserver shuts down.
    Example: <persistIntervalSeconds enabled="true">600</persistIntervalSeconds>

dropBlock
    Causes Fastpass to drop all entries in the /24 block that contains an address whose sampled message is spam. Dropping the /24 range increases effectiveness against attacks where the sender can easily change IP addresses within the range (for example, snowshoe spam). This element is enabled by default on clean installations. It is disabled by default on upgrade. Change the enabled value to true to cause Fastpass to drop all entries from the table in the entire /24 block when a spam message is received from an address that has a pass. Enabling this setting increases effectiveness with minimal performance impact.
    Example: <dropBlock enabled="true"/>
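The trial and pass mechanics of Table 6-5 (entry sampling, legitMessagesRequired, the decreasing sampling rate after a pass, ignoreGray, bounce exclusion and dropBlock) as a small simulation. This is an added example written for this page, not Symantec's implementation: the Fastpass and FastpassConfig names and the handle method are hypothetical; the step schedule of the post-pass sampling rate, the rule that a spam sample removes a trial entry, and counting the first legitimate message toward the trial are assumptions the guide does not state; and the verdict labels legit, gray and spam are constructed stand-ins for the scanner's dispositions.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Sequence


@dataclass
class FastpassConfig:
    """The libfastpass elements; defaults are the documented module defaults."""
    table_size: int = 250000
    entry_sampling_rate: int = 3
    legit_messages_required: int = 12
    initial_sampling_rate: int = 5
    ignore_gray: bool = False
    bounce_strings: Sequence[str] = ("mailer-daemon", "postmaster", "autoreply", "auto-reply")
    drop_block: bool = False


def is_bounce(headers: Mapping[str, str], bounce_strings: Sequence[str]) -> bool:
    """Bounce test as the bounceStrings row describes it: any Auto-Submitted
    header, or a bounce string found case-insensitively in Subject or From."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if "auto-submitted" in lowered:
        return True
    for name in ("subject", "from"):
        value = lowered.get(name, "").lower()
        if any(s.lower() in value for s in bounce_strings):
            return True
    return False


class Fastpass:
    def __init__(self, cfg: FastpassConfig,
                 sampler: Optional[Callable[[int], bool]] = None) -> None:
        self.cfg = cfg
        # sampler(n) answers "is this message one of the 1-in-n that get sampled?"
        # It is injectable so the behaviour can be exercised deterministically.
        self.sampler = sampler or (lambda n: random.randrange(n) == 0)
        self.pass_capacity = cfg.table_size // 4            # 25% of the table
        self.trial_capacity = cfg.table_size - self.pass_capacity
        self.trial: Dict[str, int] = {}    # ip -> legitimate messages sampled so far
        self.passes: Dict[str, int] = {}   # ip -> messages accepted since the pass

    def nominal_rate(self, ip: str) -> int:
        """1-in-n sampling for a passed source. The guide fixes only the start
        (initialSamplingRate) and the floor (5x that value); the linear step of
        one initial rate per legitMessagesRequired messages is an assumption."""
        cfg = self.cfg
        step = self.passes[ip] // cfg.legit_messages_required
        return min(cfg.initial_sampling_rate * (1 + step), cfg.initial_sampling_rate * 5)

    def _revoke(self, ip: str) -> None:
        self.passes.pop(ip, None)
        if self.cfg.drop_block:
            # dropBlock: clear every trial and pass entry in the surrounding /24.
            block = ipaddress.ip_network(f"{ip}/24", strict=False)
            for table in (self.passes, self.trial):
                for other in [k for k in table if ipaddress.ip_address(k) in block]:
                    del table[other]

    def handle(self, ip: str, verdict: str,
               headers: Optional[Mapping[str, str]] = None) -> str:
        """verdict is what a full scan would return: 'legit', 'gray' or 'spam'.
        Returns 'bypass' (antispam skipped) or 'scan' (full analysis performed)."""
        if is_bounce(headers or {}, self.cfg.bounce_strings):
            return "scan"                      # bounces never touch Fastpass state
        bad = verdict == "spam" or (verdict == "gray" and not self.cfg.ignore_gray)
        if ip in self.passes:
            if not self.sampler(self.nominal_rate(ip)):
                self.passes[ip] += 1
                return "bypass"                # unsampled: the verdict is never learned
            if bad:
                self._revoke(ip)               # revoked at once; may qualify again later
            else:
                self.passes[ip] += 1
            return "scan"
        if ip in self.trial:
            if bad:
                del self.trial[ip]             # assumption: a spam sample ends the trial
            else:
                self.trial[ip] += 1
                if self.trial[ip] >= self.cfg.legit_messages_required:
                    del self.trial[ip]
                    if len(self.passes) < self.pass_capacity:
                        self.passes[ip] = 0
            return "scan"
        # Unknown source: a legitimate message has a 1-in-entrySamplingRate
        # chance of opening a trial entry (the first message counts as one).
        if (not bad and len(self.trial) < self.trial_capacity
                and self.sampler(self.cfg.entry_sampling_rate)):
            self.trial[ip] = 1
        return "scan"
```

Running the class with a sampler that never samples shows the trade-off that the troubleshooting table below describes: a spam message from a passed source that is not sampled is accepted without analysis and is never learned from, which is why legitMessagesRequired is the value to raise when missed spam is attributed to Fastpass.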

Some Fastpass use scenarios

Table 6-6 provides some scenarios that you might encounter if you enable Fastpass and suggested solutions.

Table 6-6  Troubleshooting Fastpass

Scenario or problem: I can see that as our number of email messages increases, we do not have sufficient server capacity to filter all of them.
    Suggestion or solution: Enable Fastpass. It cuts down on the messages that you filter. When you configure Fastpass optimally, it does not appreciably increase spam for your users.

Scenario or problem: I have enabled Fastpass. But now I occasionally see some missed spam that is attributed to Fastpass. What should I do?
    Suggestion or solution: Increase the legitMessagesRequired value. The higher you make this number, the harder it is for an IP address to get a pass. A pass is less likely to be granted to a site that sends a mixture of legitimate and spam messages.

Scenario or problem: I do not get as much effect from Fastpass as I had hoped.
    Suggestion or solution: Perhaps your message stream has so much spam that few passes are granted. Or perhaps your traffic of legitimate messages comes from such a diverse set of addresses that it takes a long time for Fastpass to be effective. Check the messages in the log for table duration. The log gives the number of seconds of data that is retained in the tables. A value of 86,400 equals one day. Increasing the duration increases the effectiveness of Fastpass, assuming that the system runs long enough to take advantage of the increased duration. You can increase the duration when you increase the table size or decrease the entrySamplingRate.

libpermit
Consent services, whitelist module, and blacklist module (permitModuleType). Default:
<module xsi:type="permitModuleType" name="libpermit" enabled="true" critical="false" profiling="false">
  <url ruleName="permit">https://aztec.brightmail.com/rules2full/permit_rules</url>
</module>

Table 6-7 describes the libpermit valid elements and their values.

Table 6-7  Valid libpermit elements

ruleFile
    Specifies the directory location and file name for the Allowed Senders List and the Blocked Senders List.
    Linux and Solaris default: /opt/symantec/sbas/Scanner/etc/allowedblockedlist.txt
    Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
    Windows default: \Program Files\Symantec\SBAS\Scanner\Config\allowedblockedlist.txt

internalRange
    Specifies the default list of included internal mail host ranges. The modules ignore the addresses that are associated with a message and that fall within an internal range. If the value "hidden" is set to "true," the internal ranges do not appear in the Internal Mail Hosts list in the Control Center. A value of "false" causes the entries to appear in the Control Center so that you can edit or delete them. An address can be entered in plain IP, CIDR, or netmask format. The default internal mail host ranges are as follows:
    <internalRange hidden="true">0.0.0.0/255.0.0.0</internalRange>
    <internalRange hidden="true">10.0.0.0/255.0.0.0</internalRange>
    <internalRange hidden="true">127.0.0.0/255.0.0.0</internalRange>
    <internalRange hidden="true">169.254.0.0/255.255.0.0</internalRange>
    <internalRange hidden="true">172.16.0.0/255.240.0.0</internalRange>
    <internalRange hidden="true">192.168.0.0/255.255.0.0</internalRange>
    See Specifying internal mail hosts on page 355.

bbl
    Specifies that you want the Scanner to scan against the Allowed Senders List or Blocked Senders List for permit rules.
    Default: <bbl enabled="true" />

rcvdDNSBL
    Enables or disables a lookup of the IP addresses in the Received header lines of a message, using the third-party blacklist services. A value of true enables the DNS lookup. A value of false disables it.
    Default: <rcvdDNSBL enabled="false" />

safelist
    When true, the libpermit module checks the IP addresses against the Symantec safe IP lists. IP addresses that match entries in the safe list bypass content scanning, resulting in faster scanning for known good senders.
    Default: <safelist enabled="true" />

extendedWhiteCheck
    When true, the libpermit module checks addresses in addition to the logical connection address against the customer-defined Allowed Senders List. Generally, the logical connection address is the first address found when the header is scanned that is not included in an internalRange definition. When false, only the first header address that is not defined in an internalRange element is considered. If the element is missing, the default value of false applies.
    Default: <extendedWhiteCheck enabled="false"/>

dbgShowScan
    If you enable this element, the product logs the IP addresses that are parsed from the message. For this debug setting to send information to the log file, the logging level for the bmserver process must be set to the debug level. When you enable this option, it can affect performance even if the logging level is not set to the debug level. Use this element for advanced troubleshooting and leave it at false unless you are instructed to change it by Symantec Support. If you set it to true, it can have a negative impact on system performance.
    Default: <dbgShowScan enabled="false"/>

dbgDumpRules
    If you enable this element, the rules are dumped to the log. Rules from the downloaded rule set are considered restricted and are not dumped at customer sites. For this debug setting to send information to the log file, the logging level for the bmserver process must be set to the debug level. When you enable this option, it can affect performance even if the logging level is not set to the debug level. Use this element for advanced troubleshooting and leave it at false unless you are instructed to change it by Symantec Support. If you set it to true, it can have a negative impact on system performance.
    Default: <dbgDumpRules enabled="false"/>

dbgTimeRuleLoad
    Logs the amount of processing time that is used to load rules. For this debug setting to send information to the log file, the logging level for the bmserver process must be set to the debug level. When you enable this option, it can affect performance even if the logging level is not set to the debug level. Use this element for advanced troubleshooting and leave it at false unless you are instructed to change it by Symantec Support. If you set it to true, it can have a negative impact on system performance.
    Default: <dbgTimeRuleLoad enabled="false"/>

dbgTimeRuleSearch
    If you enable this option, then after rule loading the product executes 1,000,000 random searches of the IP rules and logs the processing time that is used. For this debug setting to send information to the log file, the logging level for the bmserver process must be set to the debug level. When you enable this option, it can affect performance even if the logging level is not set to the debug level. Use this element for advanced troubleshooting and leave it at false unless you are instructed to change it by Symantec Support. If you set it to true, it can have a negative impact on system performance.
    Default: <dbgTimeRuleSearch enabled="false"/>
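How the range notations shared by internalRange and excludeRanges, and the extendedWhiteCheck setting, play out on a Received chain, as an added example that is not product code: parse_range accepts the plain IP, address/netmask and CIDR forms the tables name (hostnames are rejected because they would need a DNS lookup per message), and logical_connection_address walks the Received headers skipping the default internal ranges listed above. The function names, the bracketed-literal regular expression and the sample headers are constructed for this example; the guide does not describe how the product itself parses Received lines.

```python
import ipaddress
import re
from typing import List, Optional, Sequence

# The default <internalRange> values listed for libpermit.
DEFAULT_INTERNAL_RANGES = (
    "0.0.0.0/255.0.0.0", "10.0.0.0/255.0.0.0", "127.0.0.0/255.0.0.0",
    "169.254.0.0/255.255.0.0", "172.16.0.0/255.240.0.0", "192.168.0.0/255.255.0.0",
)

# Bracketed IPv4 literals as they appear in Received: header comments (assumed form).
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_range(text: str) -> ipaddress.IPv4Network:
    """Parse the three IP notations the guide names for internalRange and
    excludeRanges: plain IP, address/netmask and CIDR. Hostnames are rejected
    here because matching them requires a DNS lookup per message."""
    try:
        return ipaddress.ip_network(text.strip(), strict=False)
    except ValueError as exc:
        raise ValueError(f"not an IP range (hostnames are not resolved): {text!r}") from exc


def unfold_headers(raw: str) -> List[str]:
    """Join continuation lines so that each header is one logical line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw_headers: str) -> List[str]:
    """IP literals from every Received: header, in header order. The first
    header is the hop your own MTA added, the last is the most distant hop."""
    ips: List[str] = []
    for line in unfold_headers(raw_headers):
        if line.lower().startswith("received:"):
            ips.extend(BRACKETED_IPV4.findall(line))
    return ips


def external_addresses(raw_headers: str,
                       internal_ranges: Sequence[str] = DEFAULT_INTERNAL_RANGES) -> List[str]:
    """Received-chain addresses that fall outside every internal range."""
    nets = [parse_range(r) for r in internal_ranges]
    return [ip for ip in received_ips(raw_headers)
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def logical_connection_address(raw_headers: str,
                               internal_ranges: Sequence[str] = DEFAULT_INTERNAL_RANGES
                               ) -> Optional[str]:
    """The first non-internal address in the chain, as the extendedWhiteCheck
    row defines it. None if every hop is internal."""
    found = external_addresses(raw_headers, internal_ranges)
    return found[0] if found else None


def addresses_for_allowed_list(raw_headers: str, extended_white_check: bool,
                               internal_ranges: Sequence[str] = DEFAULT_INTERNAL_RANGES
                               ) -> List[str]:
    """Addresses compared with the Allowed Senders List: only the logical
    connection address when extendedWhiteCheck is false, every non-internal
    address in the chain when it is true."""
    found = external_addresses(raw_headers, internal_ranges)
    return found if extended_white_check else found[:1]


# Constructed sample header block (not a real message): an internal relay,
# the sending MTA, and an earlier hop whose HELO name is an RFC 1918 literal.
SAMPLE_HEADERS = (
    "Received: from relay.internal.example (relay.internal.example [10.1.2.3])\n"
    "\tby mx.example.com with ESMTP id constructed001\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.9])\n"
    "\tby relay.internal.example with ESMTPS\n"
    "Received: from [192.168.5.20] (unknown [198.51.100.77])\n"
    "\tby mail.sender.example with ESMTP\n"
    "Subject: constructed sample\n"
)

if __name__ == "__main__":
    print("logical connection address:", logical_connection_address(SAMPLE_HEADERS))
    print("extendedWhiteCheck=false  :", addresses_for_allowed_list(SAMPLE_HEADERS, False))
    print("extendedWhiteCheck=true   :", addresses_for_allowed_list(SAMPLE_HEADERS, True))
```

The sample shows why the internal ranges matter for the Allowed Senders List: the relay at 10.1.2.3 is skipped, so the list is compared with the sending MTA's address and not with your own infrastructure, and with extendedWhiteCheck enabled an allowed entry deeper in the chain (198.51.100.77 here) would also count.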


About the Language Service Type


By default, the Language Service Type is named language, is disabled, and has not expired. Default:
<service xsi:type="languageServiceType" name="language" enabled="false" expired="false">

The Language Service Type consists of the liblanguageid module.

liblanguageid
This module uses models to identify the language or languages in which a message is composed. Default:
<module xsi:type="languageModuleType" name="liblanguageid" enabled="true" critical="false" profiling="false">

Similar to the consent service type, the related modules contain characteristics such as name and type. In addition to these standard values, other definitions may also apply. Table 6-8 describes the liblanguageid valid elements and their values.

Table 6-8  Valid liblanguageid elements

maxLanguages
    Maximum number of the languages that are returned on analysis.
    Default: <maxLanguages>3</maxLanguages>

maxMessageSize
    Specifies the maximum size, in bytes, that a message can be to be processed.
    Default: <maxMessageSize>100000</maxMessageSize>

sampleSize
    Number of bytes that are examined from the message to determine its language. The sample is selected randomly from each message. Using more than 512 bytes does not provide measurably more accurate results in language identification for this module.
    Default: <sampleSize>512</sampleSize>

About the Reinsert Service Type


By default, the Reinsert Service Type is named "Reinsert" and is enabled. Default:
<service xsi:type="reinsertServiceType" name="reinsert" enabled="true">

The Reinsert Service Type consists of the libreinsert module.

libreinsert
The message reinsertion module reinserts processed messages into the MTA queue. Default:
<module xsi:type="reinsertModuleType" name="libreinsert" enabled="true" critical="false" profiling="false">

Table 6-9 describes the libreinsert valid elements and their values.

Table 6-9  Valid libreinsert elements

timeout
    Maximum allowed time, in seconds, between when a message is first reinserted and when that message is passed on to the MTA for delivery. If the specified time is exceeded, the message is scanned again.
    Default: <timeout>600</timeout>

recipients
    Lists the email addresses that are trusted recipients for message reinsertion. Messages for these recipients are not scanned. An address can include ? as a wildcard for any single character or * as a wildcard for zero or more characters.
    Default:
    <recipients>
      <trustedRecipient>*Feedback@Feedback*.brightmail.com</trustedRecipient>
    </recipients>

xheader
    X-header that must be included in the message header in order for reinsertion to occur.
    Default: <xheader>X-BLTReinsert</xheader>

About the Programs section


The <programs> </programs> section of the bmiconfig.xml file contains settings for the following programs:

■ Filter. See About the Filter program on page 174.
■ Client. See About the Client program on page 175.
■ Server. See About the Server program on page 177.
■ Conduit. See About the Conduit program on page 178.
■ LiveUpdate. See About the LiveUpdate program on page 182.
■ Antivirus Cleaner. See About the AntiVirus Cleaner program on page 187.
■ Harvester. See About the Harvester program on page 192.


About the Filter program


For Sendmail-based installations, the Filter enables communications between Symantec Message Filter and Sendmail. In the configuration file, the address for communication is provided through the sendmailConnection element. The Filter is only used in the implementations that use the Sendmail MTA. Default:
<program xsi:type="bmifilterType" name="bmifilter">
  <sendmailConnection>inet:41001</sendmailConnection>
</program>

Attribute settings let you override the return values from the bmifilter to Sendmail. When bmifilter encounters what it considers an error state, it sends by default an accept (SMFIS_ACCEPT) value back to Sendmail. By default, when it encounters what it considers to be a warning state, it sends an ignore (SMFIS_CONTINUE) value back to Sendmail. Table 6-10 describes the bmifilter valid elements and their values.

Table 6-10  Valid bmifilter elements

errorHandling
    Error handling is confined to memory allocation difficulties. This handler sends a message from Symantec Message Filter to Sendmail through the bmifilter. The following messages are possible:
    ignore    Continue processing the message for any other available milters. In other words, Symantec Message Filter is done with any processing for this message.
    accept    Accepts the message for this state.
    reject    Rejects the message for this state.

warningHandling
    Warnings are confined to configuration problems and queue problems, or to cases where the product initialization produces a warning. This handler sends a message to Sendmail through the bmifilter. Set this attribute to ignore in all circumstances. The following messages are possible:
    ignore    Continue processing the message for any other available milters. In other words, Symantec Message Filter is done with any processing for this message.
    accept    Accepts the message for this state.
    reject    Rejects the message for this state.

About the Client program


The Client monitors the MTA and shuttles messages for processing by the Server. The Client program is defined as follows: Default:
<program xsi:type="bmClientType" name="bmclient">

Table 6-11 describes the Client program valid elements and their values.

Table 6-11  Valid Client program elements

servers
    Specifies the name and the port that is assigned to the server host for the Client.
    Default: <server host="$SERVER$" port="41000"></server>

log
    Specifies the log level, log retention characteristics, and log file location information. See About managing statistics for stand-alone Scanners on page 207.
    Default for Linux and Solaris:
    <log level="4" period="1" periodUnits="DAY" numberRetained="30">/var/log/brightmail/bmclient_log</log>
    Default for Windows:
    <log level="4" period="1" periodUnits="DAY" numberRetained="30">C:\Program Files\Symantec\SBAS\Scanner\Logs\bmclient_log.txt</log>

connection
    Defines the connection characteristics for the Client. Valid attributes are as follows:
    timeoutSec         Number of seconds the Client waits for a response from a Server before it breaks the connection.
    maxPerServer       The maximum number of connections with each Server that is maintained in an open state during message processing. This option also sets the maximum number of connections possible with each Server.
    numberPersistent   The maximum number of persistent connections with each Server that is maintained in an open state during message processing. This number must be less than or equal to maxPerServer.
    Default: <connection timeoutSec="0" maxPerServer="1000" numberPersistent="512"/>

transaction
    Defines the connection characteristics for the Client. Valid attributes are as follows:
    timeoutSec         Number of seconds the Client waits for a response from a Server before it breaks the connection.
    bufferFlushSize    Number of bytes to buffer for email body and header processing.
    Default: <transaction timeoutSec="0" bufferFlushSize="65536" />

delayCommunicationInit
    Enables (true) or disables (false) a delay in the initial communications connection to the Server. Symantec recommends that you enable this option only for single-threaded client integrations.
    Default: <delayCommunicationInit>false</delayCommunicationInit>

About the Server program


The Server processes the email messages that are sent to it by the Client. It returns one or more verdicts to the Client for each message that it processes. The Server program is defined as follows: Default:
<program xsi:type="bmserverType" name="bmserver">

Table 6-12 describes the Server program valid elements and their values.

Table 6-12  Valid Server program elements

log
    Specifies the log level, log retention characteristics, and log file location information. See About managing statistics for stand-alone Scanners on page 207.
    Default for Linux and Solaris:
    <log level="4" period="1" periodUnits="DAY" numberRetained="30">/var/log/brightmail/bmserver_log</log>
    Default for Windows:
    <log level="4" period="1" periodUnits="DAY" numberRetained="30">C:\Program Files\Symantec\SBAS\Scanner\Logs\bmserver_log.txt</log>

networkAddress
    Address of the Server. Multiple addresses are not supported. The asterisk (*) means that the Server listens on all local addresses (all local Ethernet addresses) on the indicated port.
    Default: <networkAddress host="*" port="41000"></networkAddress>
    The pidFile attribute has been removed.

maxQueueSize
    The bmserver keeps an internal queue of transactions with clients. You can expand or contract this value to adjust for performance limits on your host. If the queue is full, the bmserver rejects connections. A larger queue size can adversely affect RAM availability. It can also increase the need to swap memory.
    Default: <maxQueueSize>2048</maxQueueSize>

About the Conduit program


The Conduit performs the following functions:

■ Manages the communications setup between Symantec and your site during installation and initial setup
■ Obtains the rule updates from Symantec Security Response
■ Validates the new rules
■ Delivers the rule updates to the modules
■ Consolidates the statistics information and uploads it to Symantec Security Response

Default:
<program xsi:type="conduitType" name="conduit">

Table 6-13 describes the Conduit program valid elements and their values.

Table 6-13  Valid Conduit program elements

log
    Specifies the log level, log retention characteristics, and log file location information. See About managing statistics for stand-alone Scanners on page 207.
    Default for Linux and Solaris:
    <log level="4" period="1" periodUnits="DAY" numberRetained="30">/var/log/brightmail/conduit_log</log>
    Default for Windows:
    <log level="4" period="1" periodUnits="DAY" numberRetained="30">C:\Program Files\Symantec\SBAS\Scanner\Logs\conduit_log.txt</log>

kickCommand
    Command that re-initializes the Server.
    Linux and Solaris default:
    <kickCommand>/opt/symantec/sbas/Scanner/bin/kicker /opt/symantec/sbas/Scanner/etc/bmiconfig.xml /opt/symantec/sbas/Scanner/jobs/bmserver/bmserver.pid</kickCommand>
    Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
    Windows default:
    <kickCommand>C:\PROGRA~1\Symantec\SBAS\Scanner\bin\kicker.exe -s BMISERVERSVC</kickCommand>

interval
    Time value, in seconds, to wait between queries for new rules.
    Default: <interval>60</interval>
    Note: Do not change this value without consulting Symantec Support.

overrideRuleUpdateTTLSeconds
    Overrides the frequency of rule set update checks to the BLOC, which is normally set dynamically by the BLOC. For instance, to force a 1 minute check interval, set to 60. Changes are not recommended unless directed by Support.
    Default: <overrideRuleUpdateTTLSeconds min="0" max="300" />

minKickIntervalSeconds
    Sets a minimum interval between "kicks" of the engine (for example, module rule set reloads) so that the kick rate can be reduced if a performance problem occurs. Changes are not recommended unless directed by Support.
    Default: <minKickIntervalSeconds>1</minKickIntervalSeconds>

blocStatsInterval
    Number of interval increments to wait before the Conduit sends statistics to Symantec Security Response. For example, if the value of interval is 60 (seconds), and the value of blocStatsInterval is 10, the Conduit sends statistics every 10 minutes.
    Default: <blocStatsInterval>10</blocStatsInterval>
    Note: Do not change this value without consulting Symantec Support.

statsCleanThreshold
    Sets the number of days that mc_stats files are retained on the computers that process messages but are not attached to the Control Center. These files remain available for the Agent to process when the Control Center is again available.
    Default: <statsCleanThreshold>3</statsCleanThreshold>

httpTimeout
    Sets a timeout value, in seconds, for the HTTP communication between the Conduit and Symantec Security Response.
    Default: <httpTimeout>3600</httpTimeout>

statsURL
    URL at which stats files are available for retrieval by Symantec Security Response.
    Default: <statsURL>https://aztec.brightmail.com/stats/</statsURL>
    Note: Do not change this element. The software does not function properly with a value other than the default.

registrationURL
    URL to which the installer connects to establish the secure keys that are based on your customer license.
    Default: <registrationURL>https://register.brightmail.com/register</registrationURL>
    Note: Do not change this element. The software does not function properly with a value other than the default.

testURL
    URL for testing the exchange of Client and Server keys that are used to establish secure HTTPS communication.
    Default: <testURL>https://aztec.brightmail.com/rules2/blrm</testURL>
    Note: Do not change this element. The software does not function properly with a value other than the default.

proxy
    Specifies whether a proxy server is required for receiving rules through secure HTTPS. Valid values are true and false. The default value is false.
    Default:
    <proxy enabled="false">
      <server host="none" port="false"/>
    </proxy>
    If this option is set to enabled="true", you must at least supply a server host. You can also supply the port. The port attribute must be a TCP port number. There is no default port. Use the following elements for a proxy user name and password, if needed.
    Example:
    <username>myIdentity</username>
    <password>mySecurePassword</password>
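A configuration check for the constraints stated in Tables 6-5, 6-9, 6-11 and 6-13 (the reserved entrySamplingRate value, over-broad trustedRecipient patterns, numberPersistent versus maxPerServer, and a server host when the proxy is enabled), as an added example and not a Symantec tool. The <bmiconfig> root element, the check_bmiconfig and wildcard_to_regex functions and the two fragments are constructed for this example; a real bmiconfig.xml has more structure than shown here, and case-insensitive matching of trustedRecipient patterns is an assumption the guide does not state.

```python
import re
import xml.etree.ElementTree as ET
from typing import List


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """trustedRecipient wildcard syntax from Table 6-9: ? matches any single
    character, * matches zero or more characters; everything else is literal.
    Case-insensitive matching is an assumption of this example."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def check_bmiconfig(xml_text: str) -> List[str]:
    """Return one finding per documented constraint that the fragment violates."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)

    # Client <connection>: numberPersistent must be <= maxPerServer (Table 6-11).
    for conn in root.iter("connection"):
        persistent = int(conn.get("numberPersistent", "0"))
        per_server = int(conn.get("maxPerServer", "0"))
        if persistent > per_server:
            findings.append(
                f"connection: numberPersistent={persistent} exceeds maxPerServer={per_server}")

    # Conduit <proxy>: when enabled, a server host is required and the port,
    # if given, must be a TCP port number (Table 6-13).
    for proxy in root.iter("proxy"):
        if proxy.get("enabled") != "true":
            continue
        server = proxy.find("server")
        host = server.get("host", "") if server is not None else ""
        if host in ("", "none"):
            findings.append("proxy: enabled but no server host is configured")
        port = server.get("port") if server is not None else None
        if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"proxy: port {port!r} is not a valid TCP port")

    # libfastpass <entrySamplingRate>: 1 is reserved for Symantec Technical Support (Table 6-5).
    for rate in root.iter("entrySamplingRate"):
        if (rate.text or "").strip() == "1":
            findings.append("entrySamplingRate: 1 is a reserved value")

    # libreinsert <trustedRecipient>: messages to matching recipients are not scanned,
    # so a pattern that also matches an arbitrary outside address is over-broad (Table 6-9).
    for rec in root.iter("trustedRecipient"):
        if wildcard_to_regex(rec.text or "").match("anyone@example.org"):
            findings.append(
                f"trustedRecipient: {rec.text!r} disables scanning for arbitrary recipients")
    return findings


# Constructed fragment that follows the documented defaults (zero findings).
OK_CONFIG = """\
<bmiconfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <module xsi:type="fastpassModuleType" name="libfastpass" enabled="false" critical="false" profiling="false">
    <entrySamplingRate>3</entrySamplingRate>
  </module>
  <module xsi:type="reinsertModuleType" name="libreinsert" enabled="true" critical="false" profiling="false">
    <recipients><trustedRecipient>*Feedback@Feedback*.brightmail.com</trustedRecipient></recipients>
  </module>
  <program xsi:type="bmClientType" name="bmclient">
    <connection timeoutSec="0" maxPerServer="1000" numberPersistent="512"/>
  </program>
  <program xsi:type="conduitType" name="conduit">
    <proxy enabled="false"><server host="none" port="false"/></proxy>
  </program>
</bmiconfig>
"""

# Constructed fragment with one violation of each documented constraint.
BAD_CONFIG = """\
<bmiconfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <module xsi:type="fastpassModuleType" name="libfastpass" enabled="true" critical="false" profiling="false">
    <entrySamplingRate>1</entrySamplingRate>
  </module>
  <module xsi:type="reinsertModuleType" name="libreinsert" enabled="true" critical="false" profiling="false">
    <recipients><trustedRecipient>*</trustedRecipient></recipients>
  </module>
  <program xsi:type="bmClientType" name="bmclient">
    <connection timeoutSec="0" maxPerServer="1000" numberPersistent="2000"/>
  </program>
  <program xsi:type="conduitType" name="conduit">
    <proxy enabled="true"><server host="none" port="3128"/></proxy>
  </program>
</bmiconfig>
"""

if __name__ == "__main__":
    for finding in check_bmiconfig(BAD_CONFIG):
        print(finding)
```

Run it against the fragment you are about to deploy rather than the defaults: the trustedRecipient check in particular is worth keeping, since a single over-broad pattern turns off scanning for every recipient it matches.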

About the LiveUpdate program


Symantec Message Filter relies on up-to-date information to detect viruses and threats. One of the most common reasons that problems occur is that virus definition files are not up-to-date. Symantec regularly supplies the updated virus definition files that contain the necessary information about all newly discovered viruses and threats. Regular updates of that information maximize security and guard your organization against infections and the downtime that is associated with an outbreak. LiveUpdate performs the following functions:

■ Obtains the antivirus rule updates from the Symantec Definition Server
■ Validates the new rules
■ Delivers the rule updates to the antivirus module

Default:
<program xsi:type="jluControllerType" name="jlu-controller">

See About LiveUpdate rule updates on page 209. Table 6-14 describes the LiveUpdate program valid elements and their values.

Configuring Symantec Message Filter without the Control Center About the Programs section

Table 6-14 Valid LiveUpdate program elements (continued)

log
Specifies the log level, log retention characteristics, and the location of the jlu-controller log file.
Default for Linux and Solaris:
<log level="4" period="1" periodUnits="DAY" numberRetained="30">/var/log/brightmail/jlu_controller_log</log>
Default for Windows:
<log level="4" period="1" periodUnits="DAY" numberRetained="30">C:\Program Files\Symantec\SBAS\Scanner\Logs\jlu_controller_log.txt</log>

kickCommand
Specifies the command that re-initializes the Server.
Default for Linux and Solaris:
<kickCommand>/opt/symantec/sbas/Scanner/bin/kicker /opt/symantec/sbas/Scanner/etc/bmiconfig.xml /opt/symantec/sbas/Scanner/jobs/bmserver/bmserver.pid</kickCommand>
Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
Default for Windows:
<kickCommand>C:\PROGRA~1\Symantec\SBAS\Scanner\bin\kicker.exe -s BMISERVERSVC</kickCommand>

jluClientLog
Specifies the file that contains the jlu-client log. The jlu-controller component uses jlu-client to download platinum antivirus definitions.
Default for Linux and Solaris:
<jluClientLog>/var/log/brightmail/liveupdt.log</jluClientLog>
Default for Windows:
<jluClientLog>C:\Program Files\Symantec\SBAS\Scanner\Logs\liveupdt.log</jluClientLog>

javahome
Specifies the location of the Java Runtime Environment.
Default for Linux and Solaris:
<javahome>/opt/symantec/sbas/Scanner/jre</javahome>
Default for Windows: If you are a Windows user, you need to install Java Runtime Environment 1.5 or later. If a JRE is already installed on the computer, Symantec Message Filter detects it and saves its location as javahome. See "System requirements" on page 51.

jlutempdir
Specifies the temporary directory into which LiveUpdate initially downloads platinum antivirus definitions.
Default for Linux and Solaris:
<jlutempdir>/tmp</jlutempdir>
Default for Windows:
<jlutempdir>C:\Program Files\Symantec\SBAS\Scanner</jlutempdir>

mode
Specifies the type of antivirus definitions: 1 is Platinum definitions and 2 is Rapid Release definitions.
Default for Linux, Solaris, and Windows:
<mode>2</mode>

platinumDefsHost
Specifies where platinum virus definitions are obtained from. Platinum virus definitions can be obtained from the Symantec LiveUpdate server or from a LAN host. To obtain virus definitions from a LAN host, you need to specify the address, port, user name, password, and proxy host information. For example:
<customServer enabled="true">
  <address>http://192.168.0.1</address>
  <username>pqr</username>
  <password plain="true">1234</password>
  <proxy enabled="true">
    <server host="192.168.0.1" port="12"/>
    <username>xyz</username>
    <password plain="true">abc</password>
  </proxy>
</customServer>
Default for Linux, Solaris, and Windows:
<platinumDefsHost defaultUrl="http://liveupdate.symantecliveupdate.com:80">
  <customServer enabled="false"></customServer>
</platinumDefsHost>
See "Obtaining the virus definition updates" on page 342.

avDefsPlatinumProduct
Specifies the product name, version, type of definition, and language attributes of the platinum definitions.
Default for Linux, Solaris, and Windows:
<avDefsPlatinumProduct>
  <name platformControl="win64">SMF Virus Definitions Windows 64-bit</name>
  <name platformControl="win32">SMF Virus Definitions Windows 32-bit</name>
  <name platformControl="linux">SMF Virus Definitions RHEL 32-bit</name>
  <name platformControl="solaris">SMF Virus Definitions Sparc-Solaris 32-bit</name>
  <version>1.0</version>
  <type>VirusDef</type>
  <language>SymAllLanguages</language>
</avDefsPlatinumProduct>

rapidReleaseUrls
Specifies the Rapid Release definitions URLs and the sequence number URL for Rapid Release definitions downloads.
Default for Linux, Solaris, and Windows:
<rapidReleaseUrls>
  <seqUrl>http://definitions.symantec.com/defs/rapidrelease/version-info.txt</seqUrl>
  <defsUrl platformControl="win32">http://definitions.symantec.com/defs/rapidrelease/ennlu.x86</defsUrl>
  <defsUrl platformControl="win64">http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsi64.exe</defsUrl>
  <defsUrl platformControl="linux">http://definitions.symantec.com/defs/rapidrelease/ennlu.lin</defsUrl>
  <defsUrl platformControl="solaris">http://definitions.symantec.com/defs/rapidrelease/ennlu.sol</defsUrl>
</rapidReleaseUrls>

About the AntiVirus Cleaner program

The AntiVirus Cleaner first processes messages for cleaning and then transfers potentially infected messages from a spool to an SMTP server for delivery. Multiple destinations can be accommodated. Default:
<program xsi:type="cleanerType" name="cleaner">

Table 6-15 describes the valid AntiVirus Cleaner program elements and their values.

Table 6-15 Valid AntiVirus Cleaner program elements

log
Specifies the log level, log retention characteristics, and log file location. See "About managing statistics for stand-alone Scanners" on page 207.
Default for Linux and Solaris:
<log level="4" period="1" periodUnits="DAY" numberRetained="30">/var/log/brightmail/cleaner_log</log>
Default for Windows:
<log level="4" period="1" periodUnits="DAY" numberRetained="30">C:\Program Files\Symantec\SBAS\Scanner\Logs\cleaner_log.txt</log>

smtpClient
The AntiVirus Cleaner has a definition for the SMTP client that contains a timeout setting and the address of the SMTP server.
Default:
<smtpClient>
  <timeout>480000</timeout>
  <servers>
    <server host="127.0.0.1" port="25"/>
  </servers>
</smtpClient>
Valid elements are as follows:
timeout: Number of milliseconds the Cleaner waits before it ends an idle connection to the SMTP server. Default: <timeout>480000</timeout>
servers: IP address and port of the SMTP server to which the Cleaner sends the messages that are cleaned. The default port is 25. You can enter either a hostname or an IP address; the Cleaner cannot perform an MX lookup. You can enter multiple addresses for redundancy, separated by a comma and a space. The Cleaner uses the first address that works; it does not perform automatic load balancing. Default: <servers> <server host="127.0.0.1" port="25"/> </servers>

avNoticeFile
The path to the XML file that contains all of the notifications that the Cleaner uses to notify the recipient or sender of a cleaned message.
Linux and Solaris default:
<avNoticeFile>/opt/symantec/sbas/Scanner/etc/Notification.xml</avNoticeFile>
Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.
Windows default:
<avNoticeFile>C:\Program Files\ SBAS\Scanner\etc\Notification.xml</avNoticeFile>

maxSenderNotifications
The maximum number of notifications that the Cleaner sends to senders of email viruses per queue run. For example, if this value is set to 20, and 50 messages are in the AntiVirus Spool when the Cleaner begins a queue run (processing run) on the AntiVirus Spool, it sends a notification to the senders of the first 20 messages that it attempts to clean. It does not send a notification to the senders of the other 30 messages. This process repeats for each queue run. You can use this setting to prevent Symantec Message Filter from clogging the network with messages in the case of a virus attack. The default value of 0 disables sender notification. To enable sender notification, set this element to 1 or more.
Default:
<maxSenderNotifications>0</maxSenderNotifications>

numberThreads
The number of threads with which the Cleaner runs.
Default:
<numberThreads>5</numberThreads>

spool
Location of the antivirus spool where the Server deposits infected mail for the Cleaner.
Default:
<spool width="8" depth="0">$SPOOLDIR$$/$virus</spool>

heuristicLevel
Heuristic level for the antivirus scanning engine. The heuristic level determines the way in which viruses are flagged and can be one of the following:
0 - No heuristics
1 - Lowest level
2 - Medium level
3 - Highest level
This value must match the heuristic value for the AntiVirus Module. See "libantivirus module".
Default:
<heuristicLevel>2</heuristicLevel>

maxContainedFileBytes
Maximum file size, in bytes, beyond which the program consults the <deleteBigFiles> setting. Set this value to be equal to or larger than the maximum file size that your environment expects for any message. In most situations the value that you set for the maxContainedFileBytes element in the module definition in the AntiVirus Service Type process should be less than or equal to the value given here.
Default:
<maxContainedFileBytes>104857600</maxContainedFileBytes>

deleteBigFiles
The action that is taken when the size of an attachment, in bytes, exceeds the value of the <maxContainedFileBytes> definition. The values for this element are as follows:
False: The file is skipped without further processing. This setting lets viruses pass through to a recipient's inbox.
True: The file is deleted from the message.
Default:
<deleteBigFiles value="false"/>

defaultUserName
The email address specified in this element is used in the "From" line when a message is sent back to the sender of a virus. You must change the default value if you enable sender notification. See "maxSenderNotifications".
Default:
<defaultUserName>avcleaner@yourdomain.com</defaultUserName>

notificationSubject
String to be included in the subject line when a message is sent to the sender of a virus. The contents of the Notification.xml file determine the body text.
Default:
<notificationSubject>You have a virus!</notificationSubject>

maxScanTime
The maximum amount of time the AV scanner can spend attempting to scan a message before it stops.
Default:
<maxScanTime>600</maxScanTime>

About the Harvester program

The Harvester transfers messages from a spool to an SMTP server. It handles the messages that the Quarantine and the AntiVirus Cleaner deposit. Multiple destinations can be accommodated. The Harvester program is defined as follows. Default:
<program xsi:type="harvesterType" name="harvester">

Table 6-16 lists the valid Harvester program elements and their values.

Table 6-16 Valid Harvester program elements

log
Specifies the log level, log retention characteristics, and log file location. See "About managing statistics for stand-alone Scanners" on page 207.
Default for Linux and Solaris:
<log level="4" period="1" periodUnits="DAY" numberRetained="30">/var/log/brightmail/harvester_log</log>
Default for Windows:
<log level="4" period="1" periodUnits="DAY" numberRetained="30">C:\Program Files\Symantec\SBAS\Scanner\Logs\harvester_log.txt</log>

interval
Length of time the Harvester waits during normal processing. The Harvester processes a batch of 2000 messages and then waits the specified number of seconds before it processes the next batch.
Default:
<interval>60</interval>

numberThreads
Number of threads to make available for connections to the SMTP server.
Default:
<numberThreads>5</numberThreads>

smtpClient
The Harvester has a definition for the SMTP client that contains a timeout setting (in milliseconds) and the address of the SMTP server.
Default:
<smtpClient>
  <timeout>480000</timeout>
  <servers>
    <server host="127.0.0.1" port="25"/>
  </servers>
</smtpClient>

spool
Location of the spool where the Server deposits sidelined mail. Depth and width parameters can also be specified here.
Default:
<spool width="8" depth="0">$SPOOLDIR$$/$spam</spool>

maxRetries
Maximum number of times the Harvester attempts to redeliver a message.
Default:
<maxRetries>3</maxRetries>

retryIntervals
Amount of time the Harvester waits before it attempts a retry. Use a comma-separated list of times, in seconds, to wait between attempts.
Default:
<retryIntervals>0,300,1800</retryIntervals>

About the Engine section

The Engine (bmengine) section of the configuration file controls several key aspects of filtering. Table 6-17 lists the valid bmengine elements and their values.

Table 6-17 Valid bmengine elements

precedence
Specifies which disposition is processed first when a message has multiple dispositions. For example, a message can contain a virus and also require custom filtering. Use hyphens (-) to separate dispositions. Dispositions are ordered from highest to lowest precedence in the list.
Default:
<precedence>reinsert-worm-custom_worm-virus-safe-allow-custom_allow-reject-custom_reject-spam-custom_spam-gray-custom_gray-sideline-discard-unscannable-custom_unscannable-knownlang</precedence>
Note: Do not change this setting. Doing so can have serious performance impacts and can lead to an increase in false positives.

defaultDestination
Specifies the destination where the Server delivers a message if it does not match any other disposition. The value of this element should always match the destination value of the default policy.
Default:
<defaultDestination>inbox</defaultDestination>

statsThreshold
Specifies the sampling probability for each filtered message. The element value can be any number between 0 and 1 inclusive, with up to 5 significant digits. In practice, this number is the probability that statistics are reported for any given message. For example:
A value of 0 means that no statistics are reported.
A value of 1 means that statistics are reported for every message.
A value of 0.5 means that every message has a 50% chance of being reported.
This element only affects what the Conduit sends to Symantec Security Response. It does not affect the locally stored statistics that the Control Center uses.
Note: Do not change this setting without specific instruction from Symantec Support.
Default:
<statsThreshold>1.0</statsThreshold>

spamThreshold
Value at and beyond which a message is classified as spam. By default, messages with a combined score of 90 or higher are classified as spam.
Default:
<spamThreshold>90</spamThreshold>
Note: Do not change this setting. Doing so can cause your software to cease functioning properly, and can lead to an increase in false positives.

clientOptin
Specifies how users can be opted into Symantec services. When true, the integration is expected to handle all matters related to opt-in status. When false, the product handles all matters related to opt-in status. False is the only valid selection.
Default:
<clientOptin enabled="false" />

allowActionsToOverrideDestination
Allows the <action> tag in the winning policy to override the <destination> value for some recipients. This value should be left at true in most cases. Change it to false when you use an MTA that is only capable of deleting messages and cannot modify or insert headers into a message. Setting this attribute to false can have a significant negative impact on system performance, because many messages are then placed in the Harvester spool directory and require processing by the Harvester.
Default:
<allowActionsToOverrideDestination enabled="true" />

earlyVerdictsIP
Lets the Scanner determine an early verdict on the IP address before the entire message is received. For more information about early verdicts, see the Symantec Message Filter Software Development Kit Development Guide. earlyVerdictsIP is disabled by default. To enable connection-time verdicts, set its value to enabled="true".
Default:
<earlyVerdictsIP enabled="false" />

bmiCheckReputation
bmiCheckReputation is a convenience API that returns the reputation of the IP address that is passed to it. See "About bmiCheckReputation" on page 197.

MAL
Lets you save the message audit logs to the bmserver logs or to the system log. On a Windows Scanner the bmserver logs are saved in the Scanner\Logs\bmserver_log.txt file; on a UNIX Scanner they are saved in /var/log/brightmail/bmserver_log. When you use syslog, the configuration of the syslog facilities lets you direct messages to various local files, and the specified facility does all the logging. The default facility is mail.
Default:
<MAL enabled="false" location="applicationlog" facility="mail"/>

tracker
Lets Symantec Support diagnose false positive and false negative messages.
Default:
<tracker legacy="false" compressed="default" hash="sha1" signed="true" />

About bmiCheckReputation

bmiCheckReputation is a convenience API that returns the reputation of the IP address that is passed to it.

BMI_API BmiError bmiCheckReputation(BmiSystem *system, const char *ip_dotted_quad, BmiVerdict **verdict)

where:
BmiSystem *system: pointer to the BMI System context
const char *ip_dotted_quad: the IP address for which the reputation is needed
BmiVerdict **verdict: the verdict to be returned

Internally, bmiCheckReputation maps to the following sequence of API calls:
bmiInitMessage
bmiProcessConnection
bmiFreeMessage

If the early verdict feature is enabled and the IP address that is passed is blacklisted, a verdict is returned. If the early verdict feature is enabled and the IP address is not blacklisted, the verdict pointer is NULL. If the early verdict feature is disabled, the verdict pointer is NULL regardless of the reputation of the IP address. The message is then handled according to the destination in the verdict. The BmiVerdict structure that the call allocates must be freed by the calling function.

/*
 * Sample usage of the convenience API bmiCheckReputation.
 * Free the verdict once after using it.
 * This fragment assumes the surrounding function provides err (a BmiError),
 * IP_Addr (a NUL-terminated dotted-quad string), CSink::sm_bmisystem (the
 * initialized BmiSystem *) and the err_exit label.
 */
BmiVerdict *verdict_temp = NULL; /* used with bmiCheckReputation; not const so
                                    that it can be freed with bmiFreeVerdict */
if (strlen(IP_Addr) > 0) {
    err = bmiCheckReputation(CSink::sm_bmisystem, IP_Addr, &verdict_temp);
    if (verdict_temp != NULL) {
        bmi_debug2("The verdict destination is %s",
                   bmiVerdictAccessDestination(verdict_temp));
        /* Handle the message next according to the destination in the verdict */
    } else {
        bmi_debug1("The verdict is null");
        /* Do nothing */
    }
    if (verdict_temp != NULL) {
        bmiFreeVerdict(verdict_temp);
    }
    goto err_exit;
}

About the Policies section

Each policy in the Policies section is defined by the following criteria:
a set of users (a population)
the dispositions to be used for that population

Table 6-18 lists the valid Policies section elements and their values.

Table 6-18 Valid Policies section elements

population
Defines the groups of users for a policy. The total population for a policy is limited to 10,000 member elements. There is no limit on the actual number of users that the member elements represent. A valid address pattern must be either an email address or a domain name.
Default:
<population>
  <member xsi:type="addressPattern">*</member>
</population>

disposition
A disposition is a result returned by a module, represented by a string. For example, spam, virus, and worm are dispositions. In other documentation, dispositions are called verdicts.

destination
String that is returned for a given verdict that contains the disposition. There must be one destination element within the disposition unless the disposition has a referral attribute. The destination string is treated according to the following rules:
If the string is empty, Symantec Message Filter removes all recipients from the verdict that contains this empty destination.
If the string matches the value of defaultDestination, Symantec Message Filter delivers the message normally for all recipients from the verdict that contains this string.
If the string is anything else, Symantec Message Filter modifies the message headers for all recipients from the verdict that contains this string. The modification instruction is a semicolon-delimited list of modifications, each of which can have any of the following formats:
Xheader: value    Adds a header called Xheader with the specified value.
Subject: value    Replaces the Subject line with value.
Subject: value%s    Prepends value to the beginning of the Subject line.
Subject: %x value    Appends value to the end of the Subject line.
Note: These behaviors relate primarily to Sendmail and Windows IIS-based installations. Behaviors can be different for other MTAs.

action
Describes the server/engine action to be performed on a given verdict that contains the disposition. This element is optional and has no string value. A sample action appears as follows:
<action name="modify" type="bmispool">
  <path>$SPOOLDIR$$/$spam</path>
  <modify>
    <headers>
      <replace>X-Whitelist: TRUE</replace>
    </headers>
  </modify>
  <server host="127.0.0.1" port="25"/>
</action>
The <action> element has the following attributes and child elements:
type: Required attribute. The only valid value is bmispool, which saves the message to disk.
name: Required server action name. The Control Center uses the name to assist in configuration; it can be any of the following: Clean, Folder, Quarantine, SaveToDisk, notifyUnscannable, Modify.
path: Single path element, required. The value of the path element is the location on disk where the message and its accompanying .recipients file are saved.
modify: Optional element that can only contain a <headers> element.
headers: Optional element subordinate to the <modify> element. A headers element can contain any number of add, replace, or transform elements. The add and replace elements take an attribute: value pair as their value.
The following examples show some of the uses of headers:
<add>Subject: new_subject</add>
Adds a subject line of new_subject. More than one subject line can be added; which one is shown depends on the MTA.
<replace>Subject: new_subject</replace>
Replaces the old subject with a new subject, new_subject.
<transform>Subject: [spam] %s</transform>
Prepends the subject line, %s, with [spam].
Note: You can create policies that result in different actions being performed on the same message, if different policies apply to different recipients. However, be careful when you create multiple policies that use different message header modifications. Modifying the headers of the same message in different ways for different recipients can lead to performance issues.

referral
An optional attribute that maps one disposition to another. For example, if referral="virus" is specified for worm, all virus messages are processed in the same manner as worm messages.

Sample policy
The following example shows part of a configuration file. This example is intended to show the basic format of the XML only. If you plan to use this text, carefully edit the text to conform to your site specifics and requirements.
<policy name="Default" precedence="64000" enabled="true">
  <population>
    <member xsi:type="addressPattern">*</member>
  </population>
  <attributes>
    <engine>
      <disposition name="custom_spam" referral="spam"/>
      <disposition name="custom_gray" referral="gray"/>
      <disposition name="custom_worm" referral="worm"/>
      <disposition name="custom_allow" referral="allow"/>
      <disposition name="custom_reject" referral="reject"/>
      <disposition name="custom_unscannable" referral="unscannable"/>
      <disposition name="reinsert">
        <destination>inbox</destination>
      </disposition>
      <disposition name="allow">
        <destination></destination>
        <action name="modify" type="bmispool">
          <path>$SPOOLDIR$$/$spam</path>
          <modify>
            <headers>
              <replace>X-Whitelist: TRUE</replace>
            </headers>
          </modify>
          <server host="127.0.0.1" port="25"/>
        </action>
      </disposition>
      <disposition name="safe">
        <destination>inbox</destination>
      </disposition>
      <disposition name="knownlang">
        <destination></destination>
        <action name="modify" type="bmispool">
          <path>$SPOOLDIR$$/$spam</path>
          <modify>
            <headers>
              <replace>X-Language-Identified: TRUE</replace>
            </headers>
          </modify>
          <server host="127.0.0.1" port="25"/>
        </action>
      </disposition>
      <disposition name="spam">
        <destination></destination>
        <action name="modify" type="bmispool">
          <path>$SPOOLDIR$$/$spam</path>
          <modify>
            <headers>
              <transform>Subject: [Spam]%s</transform>
            </headers>
          </modify>
          <server host="127.0.0.1" port="25"/>
        </action>
      </disposition>
      <disposition name="gray">
        <destination></destination>
        <action name="modify" type="bmispool">
          <path>$SPOOLDIR$$/$spam</path>
          <modify>
            <headers>
              <transform>Subject: [Suspected Spam]%s</transform>
            </headers>
          </modify>
          <server host="127.0.0.1" port="25"/>
        </action>
      </disposition>
      <disposition name="virus">
        <destination></destination>
        <action name="clean" type="bmispool">
          <path>$SPOOLDIR$$/$virus</path>
        </action>
      </disposition>
      <disposition name="worm">
        <destination></destination>
      </disposition>
      <disposition name="unscannable">
        <destination></destination>
        <action name="modify" type="bmispool">
          <path>$SPOOLDIR$$/$spam</path>
          <modify>
            <headers>
              <transform>Subject: [WARNING - NOT VIRUS SCANNED]%s</transform>
            </headers>
          </modify>
          <server host="127.0.0.1" port="25"/>
        </action>
      </disposition>
      <disposition name="reject">
        <destination></destination>
        <action name="modify" type="bmispool">
          <path>$SPOOLDIR$$/$spam</path>
          <modify>
            <headers>
              <transform>Subject: [Spam]%s</transform>
            </headers>
          </modify>
          <server host="127.0.0.1" port="25"/>
        </action>
      </disposition>
      <disposition name="sideline">
        <destination>inbox</destination>
      </disposition>
      <disposition name="discard">
        <destination></destination>
      </disposition>
    </engine>
  </attributes>
</policy>
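The destination string of Table 6-18 and the headers element of an action share the same three operations: add a header, replace a header, and rewrite the Subject around a placeholder that stands for the original subject. The following Python script is an added example and is not part of this guide or of the Symantec Message Filter software. It applies a semicolon-delimited modification string of the form described in Table 6-18 to a constructed sample message with Python's standard email library, and returns the engine action (remove recipients, deliver, or modify) for the empty, default-destination, and modification cases. Treating the %x placeholder of the append form the same way as %s is an assumption made here; the function names and the sample message are also constructed.

```python
"""Apply Symantec Message Filter style destination/header modifications.

Added example, not the product's own code. The rules are the ones Table 6-18
lists for the destination string (Xheader: value, Subject: value,
Subject: value%s, Subject: %x value). The function names and the sample
message below are constructed for illustration.
"""
import email
from email import policy

# Constructed sample message (not from the guide).
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: Quarterly report
Message-ID: <constructed-1@example.com>

Please find the report attached.
"""

DEFAULT_DESTINATION = "inbox"   # must match <defaultDestination> in bmengine


def parse_modifications(spec):
    """Split 'X-Header: value; Subject: [Spam]%s' into (header, value) pairs.

    Only the first colon separates the header name from its value, so a
    value may itself contain colons."""
    mods = []
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed modification: %r" % part)
        mods.append((name.strip(), value.strip()))
    return mods


def apply_header_mod(msg, name, value):
    """Apply one modification in place.

    A Subject modification replaces the Subject line; %s (and, by the
    assumption noted above, %x) is substituted with the original subject,
    which gives the prepend and append forms. Any other header is added,
    so repeated X-headers accumulate rather than overwrite."""
    if name.lower() == "subject":
        original = str(msg.get("Subject", ""))
        new_subject = value.replace("%s", original).replace("%x", original)
        del msg["Subject"]
        msg["Subject"] = new_subject
    else:
        msg[name] = value


def apply_destination(msg, destination):
    """Return the engine action for a destination string, applying header
    modifications in place when the string is a modification list.

    Returns one of "remove-recipients", "deliver", or "modify"."""
    text = destination.strip()
    if text == "":
        return "remove-recipients"
    if text == DEFAULT_DESTINATION:
        return "deliver"
    for name, value in parse_modifications(text):
        apply_header_mod(msg, name, value)
    return "modify"


def load_sample():
    """Parse the constructed sample into an EmailMessage."""
    return email.message_from_string(SAMPLE_MESSAGE, policy=policy.default)


def demo():
    """Run the three destination cases and return what a caller would observe."""
    results = {}
    results["empty"] = apply_destination(load_sample(), "")
    results["default"] = apply_destination(load_sample(), "inbox")
    msg = load_sample()
    results["modify"] = apply_destination(msg, "X-Spam-Flag: YES; Subject: [Spam]%s")
    results["subject"] = str(msg["Subject"])
    results["flag"] = str(msg["X-Spam-Flag"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-8s %s" % (key, value))
```

The same helpers serve the headers element of an action: an <add> maps to the non-Subject branch of apply_header_mod, a <replace> to the Subject branch without a placeholder, and a <transform> to the Subject branch with one.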

Managing logs for stand-alone Scanners

Several services maintain logs for message scanning and processing activities on each Scanner. All logs and their settings are individually defined within the appropriate program section of the configuration file. Under normal operating conditions, keep log levels low (4, for example). The <logdir></logdir> element in the Installation section of the configuration file, bmiconfig.xml, sets the directory for log files. See "About the Installation section" on page 147. The logging behavior for all logs follows a common pattern that the <log></log> tag governs in each service section. This tag specifies the log level, log retention characteristics, and log file location. For stand-alone Scanners, you must set the log level to 5 or more in the bmiconfig.xml file to enable the message audit log.

About the log level element

Specifies the log information level. The level is an integer from 0 to 7, designating the severity of the error. Choose from the following levels:
0 Emergency: System is unusable
1 Alert: Action must be taken immediately
2 Critical conditions
3 Error conditions
4 Warning conditions
5 Normal but significant conditions
6 Informational message
7 Debug level message

For problem situations, set this value to 6. After you resolve the difficulty, set it back to 4. In some circumstances, Symantec Support may ask you to set the value to 7 to obtain debug information as well.
Note: To capture a verdict for each message in the log, set bmserver logging to at least level 5. With high message volume this configuration can use a large amount of disk space.

About the log period element

Specifies the length of time to retain logs, as a number of periodUnits.

About the periodUnits element

Interval for log retention, entered as a string. Valid values are day or hour.

About the numberRetained element

Integer value that specifies the number of rolled logs to retain. If this value is left blank or set to 0, rolled-over logs are not deleted automatically. For example, if you want to roll over the log every 4 hours and keep 42 old logs (one week's worth of logs, with 4 logs per day) in addition to the current log, a <log></log> tag might look as follows:
<log level="4" period="4" periodUnits="HOUR" numberRetained="42">/var/log/brightmail/$sectionname_log</log>

The file into which log information is rolled from the primary file is named baselog_filenameperiod_start, where:
baselog_filename: Indicates the process that is being logged.
period_start: The beginning point of the previous period as defined in the <log></log> tag. As an example, if the Server starts at 3:25 PM on December 18, 2008, with the above configuration parameters, the existing log is rolled over to bmserver_log200412181200, and at 4:00 PM the log is rolled over to log200412181600. Any log activity between 3:00 and 4:00 PM is written to the 12:00 P.M. log. If the bmserver_log already exists on startup and contains entries after 12:00 PM, the original log is retained without change and all the currently logged items are appended to it. The contents of the first log after startup may vary depending on the time of startup and the length of time that the Server is inactive.
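The rollover arithmetic above (a 4-hour period, a Server started at 3:25 PM rolling to the 12:00 boundary and at 4:00 PM to the 16:00 boundary) can be worked through in code. The following Python script is an added example and is not part of this guide or of the product: given the period and periodUnits of a <log> tag, it computes period_start for a timestamp and builds the rolled file name from baselog_filename. The YYYYMMDDhhmm timestamp format is taken from the example file names; aligning hourly periods so that they divide the day evenly, and multi-day periods on the day ordinal, are assumptions made here, as are the function names.

```python
"""Derive the rolled-over log file name for a <log> tag setting.

Added example, not the product's own code. It reproduces the naming rule
described above (baselog_filename followed by period_start) using the
boundary behaviour of the guide's 4-hour example. The timestamp format
YYYYMMDDhhmm, the requirement that an hourly period divide 24, and the
alignment of multi-day periods on the day ordinal are assumptions.
"""
from datetime import datetime, timedelta


def _as_datetime(when):
    """Accept a datetime or an ISO 8601 string such as '2004-12-18T15:25'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def period_start(when, period, period_units):
    """Start of the retention period (period x periodUnits) that contains when."""
    when = _as_datetime(when)
    if period <= 0:
        raise ValueError("period must be a positive integer")
    units = period_units.upper()
    if units == "HOUR":
        if 24 % period != 0:
            # Assumption: boundaries restart at midnight, so the period must divide the day.
            raise ValueError("an hourly period must divide 24 evenly")
        hour = (when.hour // period) * period      # 00, period, 2*period, ...
        return when.replace(hour=hour, minute=0, second=0, microsecond=0)
    if units == "DAY":
        midnight = when.replace(hour=0, minute=0, second=0, microsecond=0)
        # Assumption: multi-day periods are aligned on the proleptic day ordinal.
        return midnight - timedelta(days=midnight.toordinal() % period)
    raise ValueError("periodUnits must be DAY or HOUR, got %r" % period_units)


def rolled_log_name(base_log_filename, when, period, period_units):
    """File the primary log rolls into: baselog_filename + period_start."""
    start = period_start(when, period, period_units)
    return base_log_filename + start.strftime("%Y%m%d%H%M")


def rollover_schedule(base_log_filename, start, end, period, period_units):
    """All rolled file names produced from start up to and including end.

    Useful for checking that numberRetained covers the window you need:
    the guide's 42 x 4-hour example keeps a week of these names."""
    end = _as_datetime(end)
    if period_units.upper() == "HOUR":
        step = timedelta(hours=period)
    else:
        step = timedelta(days=period)
    names = []
    current = period_start(start, period, period_units)
    while current <= end:
        names.append(base_log_filename + current.strftime("%Y%m%d%H%M"))
        current += step
    return names


if __name__ == "__main__":
    print(rolled_log_name("bmserver_log", "2004-12-18T15:25", 4, "HOUR"))
    print(rolled_log_name("bmserver_log", "2004-12-18T16:00", 4, "HOUR"))
    for name in rollover_schedule("bmserver_log", "2004-12-18T15:25",
                                  "2004-12-19T00:00", 4, "HOUR"):
        print(name)
```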

About managing statistics for stand-alone Scanners


Each Scanner maintains its own statistics for email processing. The Scanner statistics are maintained in the file mc_stats.<epoch>.xml. For each file, the word epoch is replaced with a 10-digit number which is the UNIX epoch time (the number of seconds since January 1, 1970, 00:00 o'clock). The file is generated, at most, once per minute and is stored in the statistics directory. The stats directory is defined in the bmiconfig.xml file as:
Linux and Solaris <statsdir>/opt/symantec/sbas/Scanner/stats</statsdir>

Note: If you use a non-default installation directory location, replace


/opt/symantec/sbas/Scanner with /$loadpoint. Windows <statsdir>C:\Program Files\Symantec\SBAS\Scanner\stats</statsdir>

The tag <statsCleanThreshold> tag governs the retention period for this file in the Conduit section of bmiconfig.xml. The default file retention period for <statsCleanThreshold> is three days. At the end of the retention period the Conduit deletes the file. The bmi_eng_stats and other stats files should not be modified. The Conduit should manage it directly. However, if you do not use a Control Center, you can view the mc_stats.<epoch>.xml file to access statistics information. Table 6-19 lists the Scanner statistics tags that are in the contents file. Table 6-19 Tag
LOG MSG

Scanner statistics tags Description


Log, includes version Message tag

208

Configuring Symantec Message Filter without the Control Center About managing statistics for stand-alone Scanners

Table 6-19 Tag


ip etime latency bytes helo from VERD disp rules RCPT addr

Scanner statistics tags (continued) Description


IP address End time of the message processing The time that it took the message to process The size of the message in bytes Helo domain Mail from address Verdict Disposition Rules that fired on this message Message recipient Recipient address

Example:

<LOG version="2.0">
 <MSG ip="10.160.242.6" etime="1155252285" latency="7892" bytes="58262"
      helo="localhost.localdomain" from="h_melville@scrivener.org">
  <MOD name="libreinsert"/><MOD name="libantivirus"/><MOD name="libsieve"/>
  <MOD name="libpermit"/><MOD name="libbh"/><MOD name="libintsig"/>
  <MOD name="libstatsig"/><MOD name="libspamsig"/><MOD name="libspamhunter"/>
  <VERD disp="none" rules="54448880,54448996,54447698,54450843,54451695,54451729,54451819,54451822,54451844,54451846,54451848,54451851,54451866,54451879,54451881,54451962,54451982,54447897,54454560,54454294">
   <RCPT addr="bartelby@toms-black-hole.symantecs.org"/>
  </VERD>
 </MSG>
</LOG>
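As an added example that is not part of this guide, the following Python reads a stats file in the layout above, aggregates verdicts, recipients, bytes and rule hits, and lists files whose epoch suffix is past the three-day <statsCleanThreshold> default. The sample XML is constructed from Table 6-19 (the second MSG record and its addresses are invented for the example), and expiry is only reported, not acted on, because the Conduit owns these files.

```python
"""Parse Symantec Message Filter mc_stats.<epoch>.xml records (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the Table 6-19 layout (not a real Scanner file).
SAMPLE_STATS = """<LOG version="2.0">
 <MSG ip="10.160.242.6" etime="1155252285" latency="7892" bytes="58262"
      helo="localhost.localdomain" from="h_melville@scrivener.org">
  <MOD name="libspamsig"/><MOD name="libspamhunter"/>
  <VERD disp="none" rules="54448880,54448996">
   <RCPT addr="bartelby@example.org"/>
  </VERD>
 </MSG>
 <MSG ip="192.0.2.10" etime="1155252300" latency="120" bytes="4096"
      helo="mx.example.net" from="sender@example.net">
  <MOD name="libspamsig"/>
  <VERD disp="spam" rules="54451695,54451729,54448880">
   <RCPT addr="alice@example.org"/>
   <RCPT addr="bob@example.org"/>
  </VERD>
 </MSG>
</LOG>
"""

# File names are mc_stats.<10-digit UNIX epoch>.xml.
STATS_NAME = re.compile(r"^mc_stats\.(\d{10})\.xml$")


def summarize(xml_text):
    """Aggregate one stats file: message/recipient counts, bytes, verdicts, rule hits."""
    root = ET.fromstring(xml_text)
    summary = {
        "version": root.get("version"),
        "messages": 0,
        "recipients": 0,
        "bytes": 0,
        "latency_max": 0,       # unit as written by the Scanner; the guide does not name it
        "verdicts": Counter(),  # VERD disp values, e.g. none / spam
        "rules": Counter(),     # how often each rule ID fired
        "clients": Counter(),   # MSG ip values
    }
    for msg in root.iter("MSG"):
        summary["messages"] += 1
        summary["bytes"] += int(msg.get("bytes", "0"))
        summary["latency_max"] = max(summary["latency_max"], int(msg.get("latency", "0")))
        summary["clients"][msg.get("ip")] += 1
        for verd in msg.iter("VERD"):
            summary["verdicts"][verd.get("disp", "none")] += 1
            summary["rules"].update(r for r in verd.get("rules", "").split(",") if r)
            summary["recipients"] += len(verd.findall("RCPT"))
    return summary


def expired_stats_files(names, now, threshold_days=3):
    """Names whose epoch suffix is older than the retention threshold (default three
    days, matching <statsCleanThreshold>). Dry run only: the Conduit does the deleting."""
    cutoff = now - threshold_days * 86400
    expired = []
    for name in names:
        m = STATS_NAME.match(name)
        if m and int(m.group(1)) < cutoff:
            expired.append(name)
    return expired


if __name__ == "__main__":
    s = summarize(SAMPLE_STATS)
    print(f"{s['messages']} messages to {s['recipients']} recipients, verdicts={dict(s['verdicts'])}")
    print("top rules:", s["rules"].most_common(3))
    listing = ["mc_stats.1155252285.xml", "mc_stats.1155600000.xml", "bmi_eng_stats"]
    print("expired:", expired_stats_files(listing, now=1155600060))
```

On a Scanner you would feed summarize() each file in the stats directory and, for the pruning check, pass time.time() as now; rule IDs that fire on many messages are the ones to quote to Symantec Support when a verdict looks wrong.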


About conduit rule updates


The file ruleupdates.xml provides information about the type of rule that was updated and the time of the last update. You may want to view this file to verify rule status for stand-alone Scanners. A single entry in the file appears as follows:

<RULEUPDATE last-modified-date="YYYY-MM-DDThh:mm:ss" lastupdate="YYYY-MM-DDThh:mm:ss" ruletype="TYPE"/>

where:

last-modified-date  Date Symantec Security Response changed the rule set. Date and time are given in UTC.
lastupdate          Date the rule set was last downloaded and written to the local file system. Date and time are given in UTC.
ruletype            A type of rule that corresponds to a module name.

Table 6-20 describes the valid Conduit rule types.

Table 6-20 Conduit rule types

Rule type     Module name
blrm          regex
hashes        hashes
spamhunter    spamhunter
spamsigs      spamsig
intsigs       intsig
statsig       statsig
permit_rules  permit

About LiveUpdate rule updates


The file jlustats.xml provides information about the antivirus rule set that is updated. You may want to view this file to verify antivirus rule status for stand-alone Scanners. A single entry in the file appears as follows:

<RULEUPDATE ruletype="av" lastupdate="YYYY-MM-DDThh:mm:ss"
  lastupdate-status="STATUS" current-status="STATUS"
  last-modified-date="YYYY-MM-DDThh:mm:ss" lastupdate-version="YYYY-MM-DD"
  lastupdate-revision="REVISION" lastupdate-package="PACKAGE"
  last-good-update="YYYY-MM-DDThh:mm:ss"
  retries-since-last-good-update="THE NUMBER OF ATTEMPTS"/>

where:

ruletype                        Type of the antivirus rule.
lastupdate                      The date when the antivirus rule set was last downloaded. Date and time are given in UTC.
lastupdate-status               Status of the last antivirus rule set download: In-progress, Success, Failed, or Waiting.
current-status                  Status of the current antivirus rule set download: In-progress, Success, Failed, or Waiting.
last-modified-date              The date when Symantec Security Response changed the rule set. Date and time are given in UTC.
lastupdate-version              Version of the last downloaded antivirus rule set.
lastupdate-revision             Revision of the last downloaded antivirus rule set.
lastupdate-package              Package that was last downloaded.
last-good-update                Date of the last antivirus rule set that was downloaded successfully.
retries-since-last-good-update  The number of attempts that were made to download the antivirus rule set since the last successful download.
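Added example for the ruleupdates.xml and jlustats.xml entries above (it is not from this guide): a freshness check for a stand-alone Scanner, where no Control Center shows rule status. The two XML samples are constructed in the layouts shown; the wrapping root element, the 24-hour and two-day thresholds, the retry limit and the package name are this example's own assumptions. A file that consists of a single RULEUPDATE element also works, because ElementTree's iter() includes the root element.

```python
"""Check rule freshness on a stand-alone Scanner (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed samples in the two layouts documented above. A wrapping root
# element is assumed so that several entries can live in one file.
SAMPLE_RULEUPDATES = """<RULEUPDATES>
 <RULEUPDATE last-modified-date="2011-03-01T10:05:00" lastupdate="2011-03-01T10:07:12" ruletype="spamsigs"/>
 <RULEUPDATE last-modified-date="2011-02-20T08:00:00" lastupdate="2011-02-20T08:03:44" ruletype="blrm"/>
 <RULEUPDATE last-modified-date="2011-03-01T09:50:00" lastupdate="2011-03-01T09:52:01" ruletype="permit_rules"/>
</RULEUPDATES>
"""

SAMPLE_JLUSTATS = """<RULEUPDATES>
 <RULEUPDATE ruletype="av" lastupdate="2011-03-01T10:00:00"
   lastupdate-status="Failed" current-status="Waiting"
   last-modified-date="2011-03-01T06:00:00" lastupdate-version="2011-02-27"
   lastupdate-revision="3" lastupdate-package="PACKAGE"
   last-good-update="2011-02-27T22:00:00" retries-since-last-good-update="14"/>
</RULEUPDATES>
"""

# Fixed clock for the samples; use datetime.now(timezone.utc) on a real Scanner.
SAMPLE_NOW = datetime(2011, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

# Conduit rule type -> Scanner module name (Table 6-20).
RULE_MODULES = {"blrm": "regex", "hashes": "hashes", "spamhunter": "spamhunter",
                "spamsigs": "spamsig", "intsigs": "intsig", "statsig": "statsig",
                "permit_rules": "permit"}


def parse_utc(stamp):
    """Both files write YYYY-MM-DDThh:mm:ss in UTC."""
    return datetime.strptime(stamp.strip(), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def stale_conduit_rules(xml_text, now, max_age=timedelta(hours=24)):
    """(ruletype, module, age) for every rule set not downloaded within max_age."""
    stale = []
    for ru in ET.fromstring(xml_text).iter("RULEUPDATE"):
        age = now - parse_utc(ru.get("lastupdate"))
        if age > max_age:
            rtype = ru.get("ruletype")
            stale.append((rtype, RULE_MODULES.get(rtype, "unknown"), age))
    return stale


def liveupdate_problems(xml_text, now, max_retries=5, max_age=timedelta(days=2)):
    """Human-readable problems with the antivirus definition downloads."""
    problems = []
    for ru in ET.fromstring(xml_text).iter("RULEUPDATE"):
        retries = int(ru.get("retries-since-last-good-update", "0"))
        good_age = now - parse_utc(ru.get("last-good-update"))
        if ru.get("lastupdate-status") == "Failed":
            problems.append(f"last AV download failed (package {ru.get('lastupdate-package')})")
        if retries > max_retries:
            problems.append(f"{retries} retries since the last good update")
        if good_age > max_age:
            problems.append(f"last good AV update is {good_age.days} days old")
    return problems


if __name__ == "__main__":
    for rtype, module, age in stale_conduit_rules(SAMPLE_RULEUPDATES, SAMPLE_NOW):
        print(f"STALE {rtype} ({module} module): last download {age} ago")
    for problem in liveupdate_problems(SAMPLE_JLUSTATS, SAMPLE_NOW):
        print("AV:", problem)
```

Run it from cron on the Scanner against the real files and page on any output; a stale regex or permit rule set means the Conduit has not been able to reach Symantec, and a failed AV download with a climbing retry count means mail is being scanned with old definitions.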

Chapter

Configuring Java Messaging Server to integrate with Symantec Message Filter

This chapter includes the following topics:

About integrating the Sun Java Messaging Server MTA with Symantec Message Filter
Configuring Messaging Server for Symantec Message Filter
Using the Control Center with Messaging Server
Troubleshooting issues with Messaging Server integration

About integrating the Sun Java Messaging Server MTA with Symantec Message Filter
This section describes how the Sun Java System Messaging Server MTA (Messaging Server) interacts with Symantec Message Filter to create a secure email environment. First install the Symantec Message Filter server, then configure Messaging Server to use Symantec Message Filter.

Installation overview
Symantec Message Filter software can be located on the same system as the MTA or on a separate host. Alternatively, you can have a farm of Symantec Message Filter Servers serving one or more MTAs. The Symantec Message Filter SDK uses the bmiconfig_client.xml file to determine which servers to use. These steps assume that you install the Symantec Message Filter server and Messaging Server on the same host. See Configuring a multi-node deployment on page 218.

Messaging Server uses the Symantec Message Filter SDK to communicate with the Symantec Message Filter server, and the MTA dispatches messages based on the response from Symantec Message Filter. After the MTA receives a mail message, it sends a copy of the message contents to the Symantec Message Filter server. Symantec Message Filter determines whether the message is spam or contains a virus and returns a destination string to the MTA. Based on the destination string, the MTA discards the message, alters it, or delivers it to a particular folder in the Message Store. The MTA might also deliver it to the default inbox folder, depending on the Sieve action that is configured on the Messaging Server side.

Once the SDK is loaded, several factors and levels of granularity determine how Symantec Message Filter processes a message. You opt in to active processing of one form or another by using a specific "optin" value. The following criteria determine message processing behavior:

Whether the source channel or destination channel is enabled for Symantec Message Filter (imta.cnf)
Whether there is a channel default for the services for which you have opted in (imta.cnf)
Whether there is a per-domain opt-in value (LDAP)
Whether there is a per-user opt-in value (LDAP)

Messaging Server passes an opt-in variable to the Symantec Message Filter server according to the following conditions:

If a destination opt-in value (destinationspamfilternoptin) or a source opt-in value (sourcespamfilternoptin) is set on the relevant channel in the imta.cnf file, that value is passed.
If a domain or user has the appropriate LDAP attribute set to an opt-in value, the opt-in value is passed as the value of the optin variable to Symantec Message Filter.
If you enable the client-side opt-in and no opt-in value is set, the default is NULL, and that user's email is not filtered by any Symantec Message Filter service. Thus, if you want no filtering for specific users while client-side filtering is enabled, pass NULL as the opt-in value to Symantec Message Filter.

The following opt-in values are offered with Symantec Message Filter:

spam
virus
reinsert
language
custom
consent

In addition, Symantec Message Filter supports Group Policies, which enable different actions for different users according to the same verdict. See About group policies on page 241. When a message contains a virus, you can configure the software to clean the virus and resubmit the cleaned message back to the MTA. Messaging Server supports early verdicts when this feature is enabled in Symantec Message Filter (this feature is disabled by default). See Table 6-10 on page 174.

Configuring Messaging Server for Symantec Message Filter


Follow these procedures to configure Messaging Server for Symantec Message Filter and verify that it functions.

Note: A backslash (\) at the end of a line of code indicates that the line continues unbroken on the following indented line.

To modify the option.dat and imta.cnf files

Modify the option.dat file as follows. The Symantec Message Filter client library is located under the /usr/lib directory. The bmiconfig_client.xml file is located under the /opt/SUNWmsgsr/config/ directory.

!
! Brightmail Configuration Settings
!
! Fundamental options to locate the Brightmail client library routines and
! client library configuration file:
!
SPAMFILTER1_CONFIG_FILE=/opt/SUNWmsgsr/config/bmiconfig_client.xml
SPAMFILTER1_LIBRARY=/usr/lib/libbmiclient.so
!
! Options typically recommended for good operational practice; but make
! sure you haven't already set LOG_FILTER elsewhere in option.dat!
!
SPAMFILTER1_OPTIONAL=-2
LOG_FILTER=1
!
! Site's goal-specific/Brightmail-configuration-specific options;
! must be coordinated with site's Brightmail configuration:
!
! The "null" verdict -- means to discard the message
!
SPAMFILTER1_VERDICT_0=null
SPAMFILTER1_ACTION_0=data:,discard
!
! An "X-verdict: spam" verdict -- means to file to "spam" folder
!
SPAMFILTER1_VERDICT_1=*X-verdict: spam*
SPAMFILTER1_ACTION_1=data:,require "fileinto"; fileinto "spam";


Modify the imta.cnf file. Symantec Message Filter scanning can be selected in the MTA in a variety of ways: by a per-user or per-domain LDAP attribute, or according to a source or a destination channel. A typical usage is to scan the messages that are destined for locally hosted users, in other words, all of the messages that are delivered to users by the ims-ms channel or by tcp_lmtp* client channels. For instance, to trigger Symantec Message Filter filtering on all of the messages that the ims-ms channel delivers to the store, and if the system uses spam or virus filter package 1, add destinationspamfilter1optin with the value spam,virus,reinsert,language,custom,consent to the ims-ms channel definition in the imta.cnf file. Such a channel definition might appear as follows:

!
! ims-ms
ims-ms defragment subdirs 20 notices 1 7 14 21 28 \
  backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" \
  maxjobs 2 pool IMS_POOL fileinto $U+$S@$D \
  destinationspamfilter1optin spam,virus,reinsert,language,custom,consent
ims-ms-daemon

Compile the MTA configuration.


./imsimta cnbuild

Restart the MTA Dispatcher. This step causes the MTA to start a new SMTP process with the new Symantec Message Filter configuration.
imsimta restart dispatcher


To verify that the Messaging Server is operational

Run the imsimta test -rewrite command on a sample local user address. There should be no errors. For example:

/opt/SUNWmsgsr/sbin/imsimta test -rewrite -debug=level=4 -filter user99@red.example.com
12:32:29.33: - passed.
12:32:29.33: - send_access mapping check: l|postmaster@host1.red.example.com|ims-ms|user99@ims-ms-daemon
12:32:29.33:   Mapping 4 applied to |postmaster@host1.red.example.com|ims-ms|user99@ims-ms-daemon
12:32:29.33:   Final result "l|postmaster@host1.red.example.com|ims-ms|user99@ims-ms-daemon"
12:32:29.33: - passed.
12:32:29.33: - adding address user99@ims-ms-daemon to channel ims-ms
12:32:29.33:   Closing URL context 1, new type = 7
12:32:29.33: - adding address user99@red.example.com to headers.
12:32:29.33:   Copy estimate after address addition is 2
*** Expanded address:
  user99@red.example.com
Submitted address list:
  ims-ms
    user99@ims-ms-daemon (orig user99@red.example.com, inter user99@red.example.com, host ims-ms-daemon) *NOTIFY-FAILURES* *NOTIFY-DELAYS*
Submitted notifications list:

Compose and send an email.

Look at the Symantec Message Filter server logs under the /var/log/brightmail directory and verify that the bmserver_log file contains information about this message. If the MTA is configured as described in the preceding steps with the following values for option.dat options:

SPAMFILTER1_VERDICT_0=null
SPAMFILTER1_ACTION_0=data:,discard
SPAMFILTER1_VERDICT_1=*X-verdict: spam*
SPAMFILTER1_ACTION_1=data:,require "fileinto"; fileinto "spam";
LOG_FILTER=1

then LOG_FILTER=1 causes an additional field to be included in the message transaction records in the mail.log* files. This field records other sorts of Sieve filter results as well as the Symantec Message Filter results that are applied to each message recipient. Exactly what appears in the result portion of this field depends on the verdict or destination that the software returns and on how the MTA is configured to react to that verdict or destination, but the general form is:
spamfilter<n>:<hash-of-mta-verdict-option>, <Sieve-action(s)-comma-separated>

In general (when other forms of Sieve filtering are also in use) this is one part, also comma-separated, within the overall filter field. For instance, for a message recipient with no general MTA Sieve, no applicable channel Sieve, no applicable domain Sieve, and no personal Sieve, where Symantec Message Filter (assumed here to be configured as spam/virus filter package 1) returned a "null destination-data" result, normally configured to be interpreted as a request to discard the message because it was determined to be spam, the filter field might show:
'spamfilter1:EAA5NDZBMUI5Mzc2NDQ1Nj==, discard;'

Or, if the system is configured to return X-brightmail: destination-data (normally configured to be interpreted as a request to file the message in a "spam" folder) for messages that are determined to be spam, the filter field might show:
'spamfilter1:4boPbmmLpLfF4Jax2IwLng==, fileinto "spam";'

If you set SPAMFILTER1_OPTIONAL=-2 and LOG_FILTER=1, you have the following two ways to verify MTA/Symantec Message Filter operation:

Check for warning syslog messages.
Check that the expected results appear in the filter field in mail.log* records.

You can also check statistics through the Control Center.
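The second check above is easy to automate. The following Python is an added example, not from this guide: it extracts every spamfilter<n> result from mail.log records, counts the Sieve actions per verdict hash, and counts recipient records that carry no result at all, which is what you see when a user is not opted in or the filter package was not consulted. The log lines are constructed; only the quoted filter field in the form shown above is parsed, and the leading fields of each record are placeholder text, because this guide does not document the full mail.log record layout.

```python
"""Tally Symantec Message Filter results in the mail.log filter field (added example)."""
import re
from collections import Counter

# Constructed records. Only the quoted filter field at the end follows the
# form documented above; the leading fields are placeholder text.
SAMPLE_MAIL_LOG = """\
01-Mar-2011 10:01:02.11 tcp_local ims-ms E 3 h_melville@scrivener.org rfc822;user99@red.example.com user99@ims-ms-daemon 'spamfilter1:EAA5NDZBMUI5Mzc2NDQ1Nj==, discard;'
01-Mar-2011 10:01:05.40 tcp_local ims-ms E 12 sender@example.net rfc822;user42@red.example.com user42@ims-ms-daemon 'spamfilter1:4boPbmmLpLfF4Jax2IwLng==, fileinto "spam";'
01-Mar-2011 10:01:07.02 tcp_local ims-ms E 7 alice@example.org rfc822;user7@red.example.com user7@ims-ms-daemon
01-Mar-2011 10:01:09.55 tcp_local ims-ms E 5 bob@example.org rfc822;user8@red.example.com user8@ims-ms-daemon 'spamfilter1:EAA5NDZBMUI5Mzc2NDQ1Nj==, discard;'
"""

# The filter field is single-quoted in the guide's examples.
FIELD = re.compile(r"'([^']*spamfilter\d+:[^']*)'")
# spamfilter<n>:<hash-of-mta-verdict-option>, <Sieve actions>, repeated per package.
ENTRY = re.compile(r"spamfilter(\d+):([A-Za-z0-9+/=]+),\s*(.*?)(?=\s*spamfilter\d+:|$)")


def filter_results(line):
    """Return [(package, verdict_hash, sieve_actions), ...] for one mail.log record."""
    m = FIELD.search(line)
    if not m:
        return []
    return [(int(e.group(1)), e.group(2), e.group(3).strip())
            for e in ENTRY.finditer(m.group(1))]


def tally(log_text, package=1):
    """Count Sieve actions and the action set per verdict hash for one filter
    package, plus recipient records that carry no result for that package."""
    actions = Counter()
    by_hash = {}
    unfiltered = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits = [r for r in filter_results(line) if r[0] == package]
        if not hits:
            unfiltered += 1
            continue
        for _, vhash, sieve in hits:
            actions[sieve] += 1
            by_hash.setdefault(vhash, set()).add(sieve)
    return actions, by_hash, unfiltered


if __name__ == "__main__":
    actions, by_hash, unfiltered = tally(SAMPLE_MAIL_LOG)
    for sieve, n in actions.most_common():
        print(f"{n:4d}  {sieve}")
    for vhash, sieves in by_hash.items():
        note = "" if len(sieves) == 1 else "  <- same verdict, different actions"
        print(f"verdict {vhash}: {sorted(sieves)}{note}")
    print(f"{unfiltered} recipient record(s) without a spamfilter1 result")
```

A verdict hash that maps to more than one action set means the SPAMFILTER1_ACTION_<k> options changed while the log was being written; a high unfiltered count on a channel that should be opted in is the first thing to investigate, since those recipients received mail that Symantec Message Filter never saw.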


Configuring a multi-node deployment


On a multi-node installation of Symantec Message Filter and Messaging Server, where the Symantec Message Filter server runs on one host and Messaging Server runs on a separate host, perform the following steps in addition to the previous steps.

To configure Symantec Message Filter on multi-node deployments

Copy libbmishareddata.so to the Scanner library directory. For example:

cp libbmishareddata.so /opt/symantec/sbas/Scanner/lib

Make sure that the Symantec Message Filter Client is installed on the host where your MTA runs.

About enabling the tracker for Messaging Server


The Client can provide the IDs of the rules that a message violated to Messaging Server. The violated rule IDs are listed in the X-Brightmail-Tracker header for a given message, which Symantec Support can use to help diagnose problems. The following is an example of an encoded X-Brightmail-Tracker header:

X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrJpMTGxVLPwMCoK8Eb52twvJffYu0aEQdGj+Vrb7IGMEY
 JBpcmZaUml1gpRAcXJObGqhYnCGZ8XfaSpeAIU8XvmVcYGxh3MHUxcnAICfhLtH
 0N7WLk5BAW4JU4fL2PEcSWEBCVeDCpm2kCI/
 MqRpbi0jyjTYxAG7luKuzZwXh3vc4hRiYOzkOMAhyMSjy8jAwMDEKsiWXFlbkgce
 5DjJIcTEqiEHG+pPyUyozE4oz4otKc1OJDjBIcPEoiEDneYqDbijPTYVJqHBwCC3r
 ZpFhA4koSEEWCRanpqRVpmTklqUUQhZcYRaWEIZI8BalFuZklEPFXjOJA98BkMvNK4Ea/
 AtrKhLC1JBEhJdXAaFWsrvtk67qSx1sXnRed5rfp5mVBv3ucZ76aeJblNIm3l2XoTv
 SK/zV/zaOIrkXRHo8KnjV6RF1IWS4df1Qy5fZaTh+f8rJdZmlGK7LEDB6+5t7XuPn1
 r2fxXlfnJZTpKa+2NizofLow8dWemI+3Azqf1/jvdAi41G5wtlu4PDXC9JK65xFOJZ
 bijERDLeai4kQAgHpFCdwBAAA=

To create a header with the value that the Client returns, you can use one of the following methods:

Modify the filter

Modify the filter in the option.dat file as follows:

require ["addheader"]; addheader "X-Brightmail-Tracker: $M"

For example:

SPAMFILTER1_STRING_ACTION=data:,require "addheader"; addheader "X-Brightmail-Tracker: $M"; addtag "SPAM detected $U"

$M is a substitution variable that inserts the tracker information as the value of the X-Brightmail-Tracker header. This setting should always be enabled.

Modify the option.dat file

In the option.dat file, add the following entry:

LOG_FILTER=1

This entry logs the verdict, the tracker, and the action taken.

Using the Control Center with Messaging Server


The Control Center provides an easy way to generate, audit, and modify antispam and antivirus policies for your organization. These policies are stored in bmiconfig.xml for each Symantec Message Filter Scanner in your environment. The following example shows how the destination string that is generated when a message matches a Group Policy definition enables Symantec Message Filter and Sun Messaging Server to work together. If you create a Group Policy in the Control Center that deletes spam messages, you see the following in the bmiconfig.xml file:

<disposition name='spam'>
  <destination></destination>
</disposition>

That is, if the Server determines that a message is spam, it returns the null string to Sun Messaging Server. You then configure Messaging Server accordingly, instructing it to delete spam messages by adding the following lines to the option.dat file:

! The following tells Sun Messaging Server to discard the message if
! Symantec Message Filter returns a "null" verdict.
spamfilter1_verdict_0=null
spamfilter1_action_0=data:,discard


You then recompile the configuration files with imsimta cnbuild and restart your server with the imsimta refresh command.

Note: Changes that you make in the Control Center are propagated to all Scanners but do not alter Sun Messaging Server configuration files.

To configure Symantec Message Filter to work with Messaging Server

1 Using the Control Center, access the Advanced Settings page:
  http://host:port/brightmail/settings/advanced/editAdvancedSettings.do
  The host and port are the host and port on which the Control Center serves Web pages. In most cases, use the following address to access the Web page:
  http://localhost:41080/brightmail/settings/advanced/editAdvancedSettings.do

2 Under Global Attributes, set Custom MTA Integration to true.

3 Select Use client-side opt-in. Otherwise, the Summary page indicates that the Scanners are inaccessible and disabled.

4 After configuring your actions for spam and virus, configure custom X-headers within the Control Center for each spam verdict (for example: X-verdict: spam). On the MTA side, you must create a Sieve script that matches the X-headers (disposition strings) returned by the Server and takes a specific action for each disposition. For example, the following script places spam into the spam folder:

spamfilter1_verdict_1=*X-verdict: spam*
spamfilter1_action_1=data:,require "fileinto"; fileinto "spam";

5 Configure an X-header and matching Sieve script for each Brightmail verdict.

Troubleshooting issues with Messaging Server integration


Use the following suggestions to troubleshoot problems with your configuration:

If there is a problem in bringing up the Symantec Message Filter server, check the log file for errors. If the log file does not display errors, then there is most likely a write permissions problem with the log file. For troubleshooting, you can change the log level from the default of 4 to log level 7. Level 7 should be used for debugging only; leaving the log level at 7 decreases performance and fills your disk. Modify the bmiconfig.xml file under the /opt/symantec/sbas/Scanner/etc directory to change the server log level from the default value of 4 to 7.

Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint. If you are using a non-default directory, modify the bmiconfig.xml file under the /$loadpoint/Scanner/etc directory.

Then restart the mailwall. Also, modify the bmiconfig_client.xml file in /opt/symantec/sbas/Scanner (default directory) or /$loadpoint/Scanner (non-default directory) to change the client log level from 4 to 7, and then restart the client.

If there is a problem with either Symantec Message Filter itself or with the integration configuration, check the following. If the SPAMFILTERn_OPTIONAL option in option.dat is set to -2 or 2, then trouble getting a result back from the nth spam or virus filter package results in a syslog notice, with the syslog facility and severity that the SNDOPR_PRIORITY global MTA option controls, with text of the general form:

SPAMFILTERn, error-text

When Symantec Message Filter is the spam filter or virus filter package, more informational text may be available. If error location or type information is also available, then the text takes the form:

SPAMFILTERn, error-text [ - error-location ][ - error-type ]

where the square bracket characters indicate the optional additional information and are not part of the actual output string. In the case of Symantec Message Filter, the error-text always indicates the stage at which processing failed. The error-location can be any of client, network, or server; the error-type can be any of memory, network, timeout, data, module down, type arg, or bad version.

When configuring the MTA for Symantec Message Filter, consider turning on other debug items in option.dat until the spam filter works. For example:

! Turn on debug info
mm_debug=5
os_debug=1


Chapter

Configuring Sendmail to integrate with Symantec Message Filter

This chapter includes the following topics:

About integrating Sendmail
Understanding the filter address and optional settings
About configuring Sendmail Switch to work with Symantec Message Filter
Configuring Sendmail for Symantec Message Filter with sendmail.cf
About configuring Sendmail for Symantec Message Filter with M4
About using the runner and cron

About integrating Sendmail


The Symantec Message Filter Client communicates with the Sendmail MTA through the Sendmail Mail Filter (milter) API. To implement this integration, the Symantec Message Filter Client uses the Filter (bmifilter, an intermediary program), which connects to Sendmail over a socket connection. The Filter program also controls client-side actions, such as removing mail and tagging spam. Depending on the version of Sendmail that you use, do one of the following:

If you use Sendmail Switch, use the Sendmail Administration Console to define the filter. See About configuring Sendmail Switch to work with Symantec Message Filter on page 225.


If you use Sendmail 8.12.11 or later, either manually edit the sendmail.cf file or edit the M4 file. See Configuring Sendmail for Symantec Message Filter with sendmail.cf on page 226. See About configuring Sendmail for Symantec Message Filter with M4 on page 227.

When you install Symantec Message Filter, the Filter is configured to use port 41001 (the default setting is inet:41001). This Filter port number must match the port number in the Xbmifilter setting in Sendmail.

Understanding the filter address and optional settings


In Sendmail 8.12.11 and later, the X setting has the following format:

Xbmifilter,S=inet:<port_number>@<computer>.your_domain.com

where <port_number> is the valid networking port number that you configured for the bmifilter program, and <computer> is the IP address or DNS name of the computer that runs bmifilter. You can also specify the behavior when Sendmail cannot connect to the Filter. You can configure Sendmail to:

Temporarily reject the message with an SMTP 4xx response. To specify this behavior, add the F=T flag to the X setting.
Permanently reject the message with an SMTP 5xx response. To specify this behavior, add the F=R flag to the X setting.
Accept the message and send it through (as if the Filter were not present). You specify this behavior by omitting the F= option. Note that this fails open: mail that arrives while the Filter is unreachable is delivered unscanned.
Specify timeout periods. To specify timeouts, add the T= flag (with C, S, R, and E values) to the X setting.

The following example omits the F= flag so that Sendmail accepts messages if it cannot connect to the Filter:

Xbmifilter, S=inet:41001@<computer>.your_domain.com

where <computer> is the host to which Sendmail connects. If you do not specify a computer name, Sendmail tries to connect on the same computer. In Sendmail Switch, you specify the filter name, filter address, and optional settings differently: you type bmifilter in the Filter Name field, and the filter address and optional settings in the Equates field of the INPUT_MAIL_FILTERS() option.


See About configuring Sendmail Switch to work with Symantec Message Filter on page 225. The following example shows the use of the T= flag to specify timeout periods (this example may not be optimal for your environment):

Xbmifilter, S=inet:41001@machine.your_domain.com, F=T, T=C:10m;S:1m;R:1m;E:10m

where C is the connect timeout, S is the send timeout, R is the receive timeout, E is the total timeout, and m represents minutes. To specify both F= and T= flags, separate them with a comma followed by a space. For more information on the syntax for this setting, go to the following URL:
http://www.milter.org
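Because omitting F= silently turns the Filter into a fail-open component, it is worth checking the definition rather than reading it. The following Python is an added example, not from this guide: it parses the Xbmifilter line (S=, F= and T= equates as described above), confirms that bmifilter is listed in InputMailFilters and uses the port the Filter listens on, and reports the fail-open and hard-reject cases. The sendmail.cf fragments are constructed; the conversion of m and h suffixes to seconds, and the assumption that a bare number is seconds, are this example's own.

```python
"""Audit the bmifilter milter definition in sendmail.cf (added example)."""
import re

# Constructed sendmail.cf fragments (not a full configuration).
SAMPLE_SENDMAIL_CF = """\
# OPTIONS
O InputMailFilters=bmifilter

# MAIL FILTER DEFINITIONS
Xbmifilter, S=inet:41001@scanner1.your_domain.com, F=T, T=C:10m;S:1m;R:1m;E:10m
"""

SAMPLE_FAIL_OPEN_CF = """\
O InputMailFilters=bmifilter
Xbmifilter, S=inet:41001@scanner1.your_domain.com
"""

X_LINE = re.compile(r"^X(?P<name>[^,\s]+)\s*,\s*(?P<equates>.*)$")
TIMEOUT = re.compile(r"^(\d+)([smh]?)$")
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}   # bare number assumed to be seconds


def parse_timeouts(spec):
    """'C:10m;S:1m;R:1m;E:10m' -> {'C': 600, 'S': 60, 'R': 60, 'E': 600} (seconds)."""
    out = {}
    for item in filter(None, spec.split(";")):
        key, _, value = item.partition(":")
        m = TIMEOUT.match(value.strip())
        if not m:
            raise ValueError(f"bad timeout {item!r}")
        out[key.strip()] = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    return out


def parse_filter_line(line):
    """Split an Xname, S=..., F=..., T=... definition into its equates."""
    m = X_LINE.match(line.strip())
    if not m:
        return None
    info = {"name": m.group("name"), "socket": None, "host": None,
            "port": None, "flag": None, "timeouts": {}}
    for eq in m.group("equates").split(","):
        key, _, value = eq.strip().partition("=")
        if key == "S":
            info["socket"] = value
            sock = re.match(r"inet:(\d+)(?:@(.+))?$", value)
            if sock:
                info["port"] = int(sock.group(1))
                # No @host means Sendmail connects on the same computer.
                info["host"] = sock.group(2) or "localhost"
        elif key == "F":
            info["flag"] = value
        elif key == "T":
            info["timeouts"] = parse_timeouts(value)
    return info


def audit(cf_text, expected_name="bmifilter", expected_port=41001):
    """Return a list of findings; an empty list means the definition looks sound."""
    findings = []
    listed = []
    xline = None
    for line in cf_text.splitlines():
        if line.startswith("O InputMailFilters="):
            listed = [f.strip() for f in line.split("=", 1)[1].split(",")]
        elif line.startswith("X"):
            parsed = parse_filter_line(line)
            if parsed and parsed["name"] == expected_name:
                xline = parsed
    if expected_name not in listed:
        findings.append(f"{expected_name} is not listed in O InputMailFilters")
    if xline is None:
        findings.append(f"no X{expected_name} definition found")
        return findings
    if xline["port"] != expected_port:
        findings.append(f"X{expected_name} uses port {xline['port']}, but the Filter listens on {expected_port}")
    if xline["flag"] is None:
        findings.append("no F= flag: fail-open, mail is accepted unscanned while "
                        f"{expected_name} is unreachable")
    elif xline["flag"] == "R":
        findings.append("F=R: mail is permanently rejected (5xx) whenever "
                        f"{expected_name} is unreachable")
    if not xline["timeouts"]:
        findings.append("no T= equate: milter default timeouts apply")
    return findings


if __name__ == "__main__":
    for label, cf in (("sample", SAMPLE_SENDMAIL_CF), ("fail-open", SAMPLE_FAIL_OPEN_CF)):
        print(label, "->", audit(cf) or ["ok"])
```

Point audit() at the real /etc/mail/sendmail.cf after each change; if you generate sendmail.cf from M4, run it on the generated file, since that is what Sendmail reads.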

About configuring Sendmail Switch to work with Symantec Message Filter


Before you follow this procedure, make sure that you have followed the instructions to configure the Milter protocol for Sendmail. See Configuring the Milter protocol for Sendmail on page 76.

To configure Sendmail Switch to work with Symantec Message Filter

1 Use the appropriate URL for your environment and open the Sendmail Administrator Console in a Web browser.

2 Log on to the Sendmail Administrator Console.

3 Click Edit Existing Configuration.

4 If necessary, select the host or cluster to configure, and then click select.

5 Highlight an existing configuration or type a configuration in the text field, and then click load.

6 In the menu on the left side, click Expert Configuration.

7 In the scrolling list, select INPUT_MAIL_FILTERS(), and then click view/edit.

8 Click add.

9 In the Filter Name field, type bmifilter.


10 In the Equates field, specify the filter address and any optional settings. The following example is appropriate in most cases:

S=inet:port@machine.xyz.com, T=C:10m;S:1m;R:1m;E:10m

The filter name and the filter executable name must be the same for you to monitor the filter from the Service Control page. See Understanding the filter address and optional settings on page 224.

11 Click Apply to apply the filter.

12 Save your changes and deploy the configuration file.

Configuring Sendmail for Symantec Message Filter with sendmail.cf


You can configure Sendmail to work with Symantec Message Filter in several ways: you can either edit the sendmail.cf file directly, or you can use M4 to generate a new sendmail.cf file. For the M4 method, see About configuring Sendmail for Symantec Message Filter with M4 on page 227. Before you start this procedure, follow the instructions in Configuring the Milter protocol for Sendmail on page 76.

To configure Sendmail for Symantec Message Filter with sendmail.cf

1 Log on as root.

2 Open the Sendmail configuration file, sendmail.cf. The file is located at /var/mail/sendmail.cf or /etc/mail/sendmail.cf.

3 In the OPTIONS section, add the Filter as follows:

O InputMailFilters=bmifilter

4 In the MAIL FILTER DEFINITIONS section, type the following line to complete the socket for the Filter configuration:

Xbmifilter, S=inet:port@machine.your_domain.com

See Understanding the filter address and optional settings on page 224.

5 Save the file.


6 Type the following command to stop Sendmail:

# /etc/init.d/sendmail stop

7 Type the following command to verify that Sendmail is no longer running:

# ps -ef | grep sendmail

8 If any processes other than grep are shown, type the following command for each process to terminate it:

# kill process_id

9 Type the following command to restart Sendmail:

# /etc/init.d/sendmail start

10 Type the following command to verify that Sendmail has restarted:

# ps -ef | grep sendmail

About configuring Sendmail for Symantec Message Filter with M4


You can configure Sendmail to work with Symantec Message Filter in several ways: you can either edit the sendmail.cf file, or you can use M4 to generate a new sendmail.cf file. This section covers what you need to know to use M4 to configure Sendmail. For the sendmail.cf method, see Configuring Sendmail for Symantec Message Filter with sendmail.cf on page 226. Before you start this procedure, follow the instructions in Configuring the Milter protocol for Sendmail on page 76.

If you use an M4 file instead of editing sendmail.cf, edit your M4 file to include the following command, and then regenerate your sendmail.cf file as usual:

INPUT_MAIL_FILTER(`bmifilter', `S=inet:41001@machine.xyz.com, T=C:10m;S:5m;R:5m;E:10m')

where 41001 is any valid networking port number that you configure for the bmifilter program, and machine.xyz.com is the IP address or DNS name of the computer that runs bmifilter. This command must come after any MAILER line(s).


The information about timeout settings is available. See Understanding the filter address and optional settings on page 224.

About using the runner and cron


Both cron and the runner play a major role in operating scanners. The following section describes the important interactions.

About managing Scanner components with cron


During product installation, a cron job is set up to run the AntiVirus Cleaner periodically. You can run it at any interval of minutes that you want with the following crontab entry if you use the default directory:

*/<n> * * * * /opt/symantec/sbas/Scanner/sbin/runcleaner.sh

where <n> is the number of minutes in the interval at which you want the job to run. Here is a sample crontab for the mailwall user on a Scanner that runs the AntiVirus Cleaner every ten minutes if you use the default directory:

# BMI: Run the AV Cleaner from
# /opt/symantec/sbas/Scanner/sbin/runcleaner.sh
*/10 * * * * /opt/symantec/sbas/Scanner/sbin/runcleaner.sh

Note: If you use a non-default directory, replace /opt/symantec/sbas/Scanner with /$loadpoint/.

Understanding automatic library paths


Each script that a crontab statement calls refers to the file /opt/symantec/sbas/Scanner/etc/brightmail-env.

Note: If you use a non-default installation directory location, replace /opt/symantec/sbas/Scanner with /$loadpoint.

The following lines set LD_LIBRARY_PATH:

# Sets environment variables needed by Symantec
# Brightmail Anti-Spam executables.
LD_LIBRARY_PATH=/opt/symantec/sbas/Scanner/lib:/usr/local/lib
export LD_LIBRARY_PATH
BMI_CONFIG_FILE=/opt/symantec/sbas/Scanner/etc/bmiconfig.xml
export BMI_CONFIG_FILE

If you ever need to set LD_LIBRARY_PATH to a value other than this default, change its value in this file. The value is passed to the jobs that crontab runs.

About managing Scanner components with the runner


The runner is a job control shell similar to inittab in UNIX. The runner is controlled by a configuration file that you specify when you invoke it. Use the runner to start, monitor, and stop program facilities for an individual Scanner as necessary.

When the runner starts, it creates a lock file with a name generally formed as runner_configuration_file_name.lock. This file guards against multiple instances of the runner starting with a configuration file that is already in use and controlling the processes that are specified in the configuration file.

The runner creates pid files for the processes it starts at /opt/symantec/sbas/Scanner/jobs. The kicker uses one of the .pid files that the runner creates (bmserver.pid) to reload rules as they are received from Symantec Security Response. The complete path to this file is as follows:
/opt/symantec/sbas/Scanner/jobs/$program/$program.pid
where $program represents a particular component.

Note: If you use a non-default directory, replace /opt/symantec/sbas/Scanner with /$loadpoint/.

The runner is configured to monitor the Server daemons and restarts any defined jobs that exit. By default, the runner executes a clean-up script that is called process-cleanup before it restarts any job that exits with a non-zero status. The clean-up script puts crash information in a directory and sends a notification to the postmaster alias. Depending on the exit status of a job, the clean-up script can also perform additional functions.

In Scanner stand-alone or troubleshooting situations, you can use the runner to start, monitor, and stop the following job processes:

Server
Conduit
Filter
Harvester
Agent
LiveUpdate

For default installations, the runner starts only bmagent. The runner can start the Server, but the AntiSpam Filters Module and the AntiVirus Filters Module remain inactive if a module is not registered or if a trial time period has expired. Check the logs for the Server if you suspect such a condition exists.

Starting the runner


During installation, an rc script for the runner is installed in /etc/init.d. The rc script is called mailwall. You can start, stop, and restart the runner with the following commands:
/etc/init.d/mailwall start
/etc/init.d/mailwall stop
/etc/init.d/mailwall restart

You can also start the runner from the command line. The runner takes as a single argument the location of the configuration file and service that you want to control. For example, you can type the following command to control the Server:
$ /opt/symantec/sbas/Scanner/etc/runner /opt/symantec/sbas/Scanner/etc/runner.cfg &

Note: If you use a non-default directory, replace /opt/symantec/sbas/Scanner with /$loadpoint/.

The runner then operates in the background, so there is no response. You can check that the runner is functional by searching for its process ID:
$ ps -ef | grep runner

This command should return process IDs for all of the jobs that are specified in runner.cfg, along with other information.

About stopping the runner (and all Scanner jobs)


You can stop the runner with /etc/init.d/mailwall stop. You can also send a TERM signal to the runner as user mailwall:
$ ps -ef | grep runner
$ kill runner_pid

where runner_pid is the process ID that the ps command returns.


The runner then sends TERM signals to its jobs, waits until they exit, and then terminates itself.

Testing the runner


During installation, the install script creates a customized runner configuration file that includes job lines for the Server, the Conduit, LiveUpdate, BMI Filter, and bmagent. Only bmagent is active. The other jobs are not operational until after the Scanner is connected to the Control Center. After this connection is made, inactive programs become active through the runner. See About the runner configuration file on page 233.

Note: Stop the runner if it is executing. Otherwise, the runner restarts jobs after you stop them.

To test the runner

Type the following command to verify that no Symantec Message Filter software processes are running. Otherwise, when you start the runner, duplicate processes contend for ports.
$ ps -ef | grep mailwall
$ kill bmserver_process_id conduit_process_id bmifilter_process_id

As user mailwall, type the following command to invoke the runner.


$ /etc/init.d/mailwall start

See Starting the runner on page 230.

Wait for the runner to start the jobs. The specific amount of time that you must wait for the runner to start all of the jobs depends on the wait times that are specified in the configuration file that you use.

Type the following command to verify that the runner has started and that it has started all of the processes that are specified in the runner configuration file.
$ ps -ef | grep mailwall

The runner monitors the following processes:


Server
Conduit
Filter
Harvester
Agent
LiveUpdate

As user mailwall, type the following command to terminate the runner:


$ /etc/init.d/mailwall stop

About monitoring job statuses


After it has started, the runner reads its configuration file. Then it starts jobs for each process, waiting the initial wait period that is configured in the respective job control line. The runner creates a file called job-name.pid in the working directory of each job that is started. However, the runner does not have its own PID file. The location for each job is defined in the D attribute of the runner.cfg file. When the job exits, the runner deletes the file. The presence of the file is an indication that the job is running.

If a job exits with a non-zero status, the runner executes the process-cleanup script along with any secondary processes that clean-up can require, waits the configured normal wait period, and then restarts the process. The process-cleanup script creates a directory that is also in the location that the D option of the job control line specifies. The directory name is based on the date and time of the event. The process-cleanup script places the following types of files in this directory:

core.Z file, if there is a core dump. If the computer's core size is set too low, no dump is provided. For that reason, set the core size to unlimited.
ps/pid files that list the processes that are running at the time (to facilitate troubleshooting)
File that contains the message that is sent to the postmaster
ident output of each module and library

Regularly monitor and delete the accumulated files in this directory.

Sending a USR1 signal to the runner causes it to write the following information to the logging facility that the F parameter in the runner.cfg file specifies:

List of jobs
Current states
Total run time
Number of crashes (non-zero exits)

About stopping and starting jobs


To stop a single process, create a file called job-name.stop in the working directory of the process. The contents of the file are irrelevant -- only the name is used. The name should match the job name that is specified in the N attribute of the job line in the runner.cfg file. For example:
$ touch job-name.stop

Once every second, the runner looks in the working directory of each job for a file called job-name.stop. If the file exists, the runner first sends a TERM. If the job does not exit within the termination period, the runner sends a KILL. Stopped jobs do not run their clean-up scripts.

A job can be restarted by removing the job-name.stop file. The runner restarts the job the next time it checks the working directory (once every second).

If the job is not running and there is no job-name.stop file in its working directory, check the runner configuration file to make sure that the job control entry for the process is correct. See About the runner configuration file on page 233. Once you are sure that there is a proper entry for the job in the runner configuration file, you can restart the runner.

About the runner configuration file


The runner.cfg file must be set up on every computer that is running a Scanner. It is installed by default on the computer or computers where the installer runs. An example runner.cfg file based on the default directory is as follows:
# The runner does not support the UNIX backslash convention
# Lines in this runner file are one of the following:
# -Comments: null or start with "#"
# -Termination: default termination period is the period after TERM
#   signals are sent to the jobs (after the runner gets a TERM) during which
#   it waits for them to die nicely; if they haven't died in this period
#   then runner kills them with impunity (KILL)
#   format is "T<number of seconds>"
# -Facility: set the syslog facility
#   format is "F<syslog_facility>"
# -User/Group: sets user and group that runner and all children run as
#   format is "U<user_name>:<group_name>" where:
#     U<user_name> -- switches user but leaves group unchanged
#     U:<group_name> -- switches group but leaves user unchanged
#     U<user_name>:<group_name> -- switches both user and group
# -Option: The one option available is to operate runner as a daemon or
#   not as a daemon
#   format is Ooption, where:
#     Odaemon -- runner operates as a daemon
#     Onodaemon -- runner does not operate as a daemon
#   If omitted, the default setting of Onodaemon is used
# -Job control: define a job to run
#   format is "J<N>^<D>^<E>^<C>^<I>^<R>" where:
#     J -- initial character of each job control line
#     N -- job name
#     D -- directory to start job and cleanup from
#     E -- program name to exec (with args)
#     C -- cleanup program name to exec (with args)
#       special args allowed in the C argument list are:
#       -v3 -- indicates that %E and %G are needed
#              (if this parameter is not present process-cleanup
#              doesn't need %E and %G)
#       %N -- name of job
#       %S -- job exit status
#       %E -- job exit code
#       %G -- job signal code
#       %O -- path to file with the program's output
#     I -- initial wait period (number of seconds before first running of <E>)
#     R -- normal wait period (number of seconds after cleanup before
#          subsequent running of <E>)

# set termination period to 30 seconds
T30
# change the syslog facility to mail
Fmail
# change the user to mailwall and group to bmi
Umailwall:bmi
# set daemon option to operate runner as a daemon
Odaemon

# jobs
#bmserver job line
Jbmserver^/opt/symantec/sbas/Scanner/jobs/bmserver^/opt/symantec/sbas/Scanner/bin/bmserver -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^0^0
#conduit job line
Jconduit^/opt/symantec/sbas/Scanner/jobs/conduit^/opt/symantec/sbas/Scanner/bin/conduit -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^10^0
# the bmifilter job for sendmail-milter.
# This job requires that the directory:
# bmifilter exists, and is writeable by runner.
#bmifilter job line
Jbmifilter^/opt/symantec/sbas/Scanner/jobs/bmifilter^/opt/symantec/sbas/Scanner/bin/bmifilter -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^30^5
#harvester job line
Jharvester^/opt/symantec/sbas/Scanner/jobs/harvester^/opt/symantec/sbas/Scanner/bin/harvester -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml -d daemon^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^0^30
#bmagent job line
Jbmagent^/opt/symantec/sbas/Scanner/jobs/bmagent^/opt/symantec/sbas/Scanner/sbin/bmagent -c /opt/symantec/sbas/Scanner/etc/agentconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^0^30
#jlu-controller job line
Jjlu-controller^/opt/symantec/sbas/Scanner/jobs/jlu-controller^/opt/symantec/sbas/Scanner/bin/jlu-controller -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^10^0

Note: If you modify the runner.cfg file, you must restart the runner by typing:
/etc/init.d/mailwall restart

Table 8-1 lists the types of entries in the configuration file.

Table 8-1 Configuration entry types

Comments
Blank lines or lines that start with a pound sign (#) are comments.

Termination period
The format for the termination period is:
Tseconds
where seconds is a positive integer. (In the example, this number is 30.) After TERM signals are sent to the jobs of the runner, the runner waits for them to exit cleanly for the interval that T defines. If they have not exited by the end of this interval, then the runner terminates them with KILL.

Logging facility
The runner can direct output to standard error (stderr), which sends errors directly to the user terminal, or to one of the standard syslog facilities at the ERR level. The format for the logging facility is:
Ffacility
where facility is the name of any standard syslog facility. (In the example, this is mail.) See the syslog documentation for the standard syslog facilities.
Note: The logging facility that is specified relates to information that the runner logs. The jobs that the runner operates log to the locations that are specified in the Brightmail configuration file, bmiconfig.xml.

User and group name
You can change the user in the runner by editing the U option in the runner.cfg file. This definition includes all groups of which the user is a member. The format for the user is:
U$username:$groupname
In the example, this is Umailwall:bmi. With this setting, the runner and all jobs it operates start as mailwall.

Daemon operation
You can set up the runner to operate as a daemon. If you omit this line, the runner does not operate as a daemon. The possible settings are as follows:
Odaemon: The runner operates in the background as a daemon.
Onodaemon: The runner does not operate as a daemon.
Note: The instructions throughout this document assume that the runner operates as a daemon.

Job control lines
Each of these lines defines a job to run. With the exception of the first two elements, each element in the job control line is separated by a carat (^). The format is:
JN^D^E^C^I^R
This table uses as its example the first job line in the runner configuration file:
Jbmserver^/opt/symantec/sbas/Scanner/jobs/bmserver^/opt/symantec/sbas/Scanner/bin/bmserver -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^0^0
Note: If you use a non-default directory, replace /opt/symantec/sbas/Scanner with /$loadpoint/.
The following list describes the elements in the job control line:
J: Initial character of the job control line. For example: J
N: Job name: ASCII string that defines the name of the job. For example: bmserver
D: Working directory: The runner starts the job and archives cleanup in this directory. The runner also places PID files in this directory. If the job dumps core and is configured to do so, it dumps in this directory. For example: /opt/symantec/sbas/Scanner/jobs/bmserver
E: Program name to run (with arguments). The Server takes one argument: -c /path/to/config indicates the path to the configuration file. For example: /opt/symantec/sbas/Scanner/bin/bmserver -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml
C: Cleanup program name to run (with arguments). If C is empty, no cleanup script is executed. For example: /opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O
Special arguments are allowed in the C argument list:
-v3 = indication that the %E and %G parameters are used in clean-up
%N = Name of job (for example, bmserver)
postmaster = address to send the report; the postmaster alias must exist and be properly configured
%S = Job exit status
%E = Job exit code
%G = Job signal code
%O = Job output file name (stdout and stderr)
I: Initial wait period: The number of seconds before the first running of E. For example: 0
R: Normal wait period: The number of seconds after cleanup before the restart of E. For example: 0
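The entry syntax in Table 8-1 is simple enough to check by machine before you restart the runner. The following Python parser is an added example, not part of Symantec Message Filter or its runner: it reads the T, F, U, O and J entries, rejects malformed job lines, derives the job-name.pid and job-name.stop paths, and expands the %N, %S, %E, %G and %O cleanup arguments as the table describes. SAMPLE_CFG and the /tmp output path are constructed for the example.

```python
"""Parser for the runner.cfg format described above (T, F, U, O and J entries).

Added example; this is not Symantec's runner, only a reader for its documented
configuration syntax. SAMPLE_CFG is constructed from job lines in this chapter.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Job:
    name: str          # N: job name
    workdir: str       # D: directory for the job, its PID file and cleanup output
    exec_cmd: str      # E: program to exec, with arguments
    cleanup_cmd: str   # C: cleanup program, with arguments (empty = no cleanup)
    initial_wait: int  # I: seconds before the first start of E
    normal_wait: int   # R: seconds after cleanup before a restart of E


@dataclass
class RunnerConfig:
    termination_period: int = 0   # T: seconds between TERM and KILL
    facility: str = "stderr"      # F: syslog facility; stderr when unset
    user: Optional[str] = None    # U<user>
    group: Optional[str] = None   # U:<group>
    daemon: bool = False          # O: Onodaemon is the documented default
    jobs: List[Job] = field(default_factory=list)


def parse_runner_cfg(text: str) -> RunnerConfig:
    """Parse runner.cfg text, raising ValueError on a malformed entry."""
    cfg = RunnerConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # null lines and "#" lines are comments
        kind, body = line[0], line[1:]
        if kind == "T":
            if not body.isdigit() or int(body) <= 0:
                raise ValueError(f"line {lineno}: T needs a positive integer")
            cfg.termination_period = int(body)
        elif kind == "F":
            cfg.facility = body
        elif kind == "U":
            # Umailwall:bmi switches both; Umailwall or U:bmi switches only one.
            user, _, group = body.partition(":")
            cfg.user = user or cfg.user
            cfg.group = group or cfg.group
        elif kind == "O":
            if body not in ("daemon", "nodaemon"):
                raise ValueError(f"line {lineno}: O must be daemon or nodaemon")
            cfg.daemon = body == "daemon"
        elif kind == "J":
            parts = body.split("^")
            if len(parts) != 6:
                raise ValueError(f"line {lineno}: J line needs N^D^E^C^I^R")
            name, workdir, exec_cmd, cleanup_cmd, init_w, norm_w = parts
            if not (name and workdir and exec_cmd):
                raise ValueError(f"line {lineno}: N, D and E must not be empty")
            if not (init_w.isdigit() and norm_w.isdigit()):
                raise ValueError(f"line {lineno}: I and R must be non-negative integers")
            cfg.jobs.append(Job(name, workdir, exec_cmd, cleanup_cmd, int(init_w), int(norm_w)))
        else:
            raise ValueError(f"line {lineno}: unknown entry type {kind!r}")
    return cfg


def is_valid_runner_cfg(text: str) -> bool:
    """True when the text parses without error."""
    try:
        parse_runner_cfg(text)
        return True
    except ValueError:
        return False


def pid_file(job: Job) -> str:
    """Path of the job-name.pid file the runner keeps while the job runs."""
    return os.path.join(job.workdir, job.name + ".pid")


def stop_file(job: Job) -> str:
    """Path of the job-name.stop file that tells the runner to stop the job."""
    return os.path.join(job.workdir, job.name + ".stop")


def expand_cleanup_cmd(job: Job, exit_status: int, exit_code: int,
                       signal_code: int, output_path: str) -> str:
    """Substitute %N %S %E %G %O in the C field the way the runner does before exec."""
    values = {"N": job.name, "S": str(exit_status), "E": str(exit_code),
              "G": str(signal_code), "O": output_path}
    return re.sub(r"%([NSEGO])", lambda m: values[m.group(1)], job.cleanup_cmd)


# Constructed sample: the documented global settings plus three of the job lines.
SAMPLE_CFG = """\
# set termination period to 30 seconds
T30
Fmail
Umailwall:bmi
Odaemon
Jbmserver^/opt/symantec/sbas/Scanner/jobs/bmserver^/opt/symantec/sbas/Scanner/bin/bmserver -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^0^0
Jbmifilter^/opt/symantec/sbas/Scanner/jobs/bmifilter^/opt/symantec/sbas/Scanner/bin/bmifilter -c /opt/symantec/sbas/Scanner/etc/bmiconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^30^5
Jbmagent^/opt/symantec/sbas/Scanner/jobs/bmagent^/opt/symantec/sbas/Scanner/sbin/bmagent -c /opt/symantec/sbas/Scanner/etc/agentconfig.xml^/opt/symantec/sbas/Scanner/etc/process-cleanup -v3 %N postmaster %S %E %G %O^0^30
"""

if __name__ == "__main__":
    cfg = parse_runner_cfg(SAMPLE_CFG)
    for job in cfg.jobs:
        print(job.name, pid_file(job), job.initial_wait, job.normal_wait)
```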

Chapter

Using group policies


This chapter includes the following topics:

About group policies
Creating group policies
Working with group policies

About group policies


You can configure message management options for an unlimited number of user groups with the group policies that you define. Policies collect the antispam, antivirus, and filtering verdicts and apply actions for a group. Symantec Message Filter provides a preconfigured Default group policy, which is disabled by default. The Default group policy contains all users and all domains. Although you can modify actions for the Default group policy, you cannot add members to it, change its precedence, or delete it. You can create and manage group policies from the Group Policies page in the Control Center. The Group Policies page provides the following information:

A list of all the group policies. The Default group policy always appears at the bottom of the list of policies.
Whether a policy is enabled or disabled
The precedence order of your policies
For each type of violation for a policy, the actions that Symantec Message Filter takes

See Creating group policies on page 243. See Working with group policies on page 244.


The maximum number of entries in the Group Members list for a group policy is 10,000. If you require more than 10,000 entries, contact your Symantec representative for instructions on how to configure MySQL and Tomcat to support more entries. This limitation refers to the number of entries in the Group Members list, not the number of users at your company.

Table 9-1 shows the actions that you can select for email verdicts.

Table 9-1 Email verdicts and available actions

Spam, Suspected Spam, Blocked sender, Company-specific content
Deliver the message normally
Delete the message
Deliver the message to the recipient's spam folder
Save the message to disk
Forward the message
Quarantine the message (You must specify the Quarantine IP address on the Quarantine > Settings page to select this action. See Specifying the Quarantine SMTP IP address on page 283.)
Modify the message

Mass-mailing worm
Deliver the message normally
Delete the message

Virus
Deliver the message normally
Delete the message
Clean and then deliver the message

Unscannable
Deliver the message normally
Delete the message
Deliver the message to the recipient's spam folder
Save the message to disk
Forward the message
Quarantine the message (You must specify the Quarantine IP address on the Quarantine > Settings page to select this action. See Specifying the Quarantine SMTP IP address on page 283.)
Modify the message
Notify the recipient of unscannable reason


Note: If you have a mix of UNIX and Windows Scanners, do not use the "Save the message to disk" action. This action cannot function properly because there is no common directory that has the same path on multiple platforms.

Creating group policies


You can define groups of users based on email addresses or domain names. For each group, you can specify email filtering actions for different types of violations. To create a new group policy, do all of the following:

Create a name for the policy.
Add the members to which the policy applies.
For each type of violation, specify the actions to be taken if the policy is violated.
After you create the policy, enable it so that it takes effect.

To create a group policy

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 On the Group Policies page, click Add.
4 In the Policy name box, type a name for the group policy.

To add a new member to this group policy

1 On the Add Group Policy page under Group Members, click Add.
2 On the Add Group Policy Members page in the Email addresses or domain names box, type a valid email address or domain name. Separate multiple entries with commas. Use * to match zero or more characters and ? to match a single character. To add all recipients of a particular domain as members, type the following:
*@domain.com
3 Click Save.


To import group policy members from a file

1 On the Add Group Policy page under Group Members, click Import.
2 Type the appropriate path and file name (or click Browse to locate the file on your hard disk), and then click Import. The file should be a comma-delimited or newline-delimited plain text file.

To define filtering actions for a new group policy

Under each type of violation, select a filtering action. See About group policies on page 241.

Click Save.

To enable a group policy

On the Group Policies page, select the check box next to a group policy, and then click Enable.

Working with group policies


You can do the following tasks with group policies:
Edit an existing group policy.

You might want to change an existing policy to modify how you want to handle a violation, change how a subject line is appended, or how an X-header is labeled. See To edit an existing group policy on page 245.

Set the policy precedence.

If you have multiple policies, you can determine the order in which the Scanner evaluates the message. When a message triggers a violation, Symantec Message Filter does not evaluate any policies with a lower precedence. You cannot change the precedence order of the Default group policy. See To set group policy precedence on page 245.

Export group policy members to a file.

You can export the members of a group policy to a .csv file to use in other applications, such as Excel. See To export group policy members to a file on page 246.


Disable a group policy.

You may want to disable a group policy periodically. When you disable a group policy, the policy still exists but is not active. When Symantec Message Filter scans a message, it does not filter against the policies that are disabled. The ability to disable a policy lets you create the policies that you can enable periodically, as needed. It also lets you troubleshoot policy issues. See To disable a group policy on page 246.

Delete a group policy member.

You can delete a member of a group policy if the member is no longer with the organization or if the policy no longer applies to that member. See To delete a group policy member on page 246.

Delete a group policy.

You can delete a group policy that you no longer need. See To delete a group policy on page 246.

View group policy information for a particular user or domain.

Since group policies can be applied to many users and domains, Symantec Message Filter lets you view all of the policies that apply to a specific user or domain. See To view group policy information for a particular user or domain on page 247.

To edit an existing group policy

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 On the Group Policy page, check the box beside the group policy that you want to modify, and then click Edit. Add or delete members or change filtering actions for this group policy as you did when you created it. See Creating group policies on page 243.

To set group policy precedence

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 On the Group Policy page, check the box beside the group policy whose precedence you want to move, and then click Move Up or Move Down. You cannot change the precedence of the Default group policy.


To export group policy members to a file

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 On the Group Policy page, check the box beside the group policy that contains the list of members that you want to export, and then click Edit.
4 On the Edit Group Policy page, under Group Members, click Export.
5 In the File Download dialog box, click Save.
6 In the Save As dialog box, specify the location where you want to save the exported file, and then click Save. The file is saved in .csv format.

To disable a group policy

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 On the Group Policy page, check the box beside the group policy that you want to disable, and then click Disable. You cannot disable the Default group policy.

To delete a group policy member

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 On the Group Policy page, check the box beside the group policy that contains the member that you want to delete, and then click Edit.
4 On the Edit Group Policy page, under Group Members, check the box beside the name of the member that you want to delete, and then click Delete. You can delete multiple members at the same time.

To delete a group policy

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 On the Group Policy page, check the box beside the group policy that you want to delete, and then click Delete.
4 In the confirmation box, click OK to confirm that you want to delete the group policy.


To view group policy information for a particular user or domain

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click Group Policies.
3 Click Find User.
4 Type an email address or domain name, and then click Find User. The list of the enabled group policies to which the user or domain belongs appears with the highest precedence listed on top.
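The member syntax from Creating group policies (* and ? wildcards, entries such as *@domain.com), the precedence rule from Working with group policies, the Move Up/Move Down limits on the Default policy, and the Find User lookup above fit one small model. The following Python code is an added example, not Symantec code: policy names, members and actions are constructed, matching is assumed to be case-insensitive, and a bare domain entry is assumed to match the domain part of the recipient address exactly.

```python
"""Group-policy membership and precedence as described in this chapter.

Added example, not Symantec code. Assumptions: matching is case-insensitive,
and a member entry without an @ (a bare domain name) matches the domain part
of the recipient address exactly.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MEMBER_LIMIT = 10000  # documented maximum entries in one Group Members list


def member_pattern(entry: str) -> "re.Pattern[str]":
    """Compile one Group Members entry: * is zero or more characters, ? is one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in entry.strip()
    )
    return re.compile(rf"^{regex}$", re.IGNORECASE)


def entry_matches(entry: str, address: str) -> bool:
    """Entries containing @ match the whole address; bare domains match its domain part."""
    target = address if "@" in entry else address.rpartition("@")[2]
    return member_pattern(entry).match(target) is not None


def parse_members(text: str) -> List[str]:
    """Split the comma- or newline-delimited list that Add and Import accept."""
    entries = [e.strip() for e in re.split(r"[,\n]", text) if e.strip()]
    if len(entries) > MEMBER_LIMIT:
        raise ValueError(f"more than {MEMBER_LIMIT} entries in Group Members")
    return entries


@dataclass
class GroupPolicy:
    name: str
    members: List[str]        # addresses or domains, may use * and ?
    actions: Dict[str, str]   # verdict -> action, from Table 9-1
    enabled: bool = False     # a new policy is disabled until you enable it
    is_default: bool = False  # the Default policy holds all users and domains

    def contains(self, address: str) -> bool:
        if self.is_default:
            return True
        return any(entry_matches(e, address) for e in self.members)


def policies_for(address: str, policies: List[GroupPolicy]) -> List[str]:
    """Find User: enabled policies the address belongs to, highest precedence first."""
    return [p.name for p in policies if p.enabled and p.contains(address)]


def action_for(address: str, verdict: str, policies: List[GroupPolicy]) -> Optional[str]:
    """The highest-precedence enabled policy containing the recipient decides;
    policies with lower precedence are not evaluated."""
    for policy in policies:
        if policy.enabled and policy.contains(address):
            return policy.actions.get(verdict)
    return None


def move(policies: List[GroupPolicy], name: str, step: int) -> List[GroupPolicy]:
    """Move Up (step -1) or Move Down (step +1). The Default policy never moves
    and nothing moves below it; such requests return the order unchanged."""
    ordered = list(policies)
    i = next(k for k, p in enumerate(ordered) if p.name == name)
    j = i + step
    if ordered[i].is_default or not 0 <= j < len(ordered) or ordered[j].is_default:
        return ordered
    ordered[i], ordered[j] = ordered[j], ordered[i]
    return ordered


# Constructed sample policies in precedence order. The Default policy ships
# disabled; it is enabled here to show messages falling through to it.
POLICIES = [
    GroupPolicy("Marketing", parse_members("*@marketing.example.com, j?n@example.com"),
                {"Spam": "Quarantine the message", "Virus": "Clean and then deliver the message"},
                enabled=True),
    GroupPolicy("Executives", ["ceo@example.com"],
                {"Spam": "Deliver the message to the recipient's spam folder"}, enabled=True),
    GroupPolicy("Contractors", ["contractors.example.com"],
                {"Spam": "Delete the message"}, enabled=False),
    GroupPolicy("Default", [], {"Spam": "Deliver the message normally"},
                enabled=True, is_default=True),
]

if __name__ == "__main__":
    for addr in ("alice@marketing.example.com", "jon@example.com", "x@contractors.example.com"):
        print(addr, policies_for(addr, POLICIES), action_for(addr, "Spam", POLICIES))
```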


Chapter 10

Quarantining spam messages


This chapter includes the following topics:

About the quarantine
About LDAP compatibility for the Quarantine
About the Quarantine page
What administrators can do in the Quarantine
Working with messages in the Quarantine for end users
Configuring the Quarantine
Administering the Quarantine

About the quarantine


The Quarantine provides storage of spam messages. Your end users can access their quarantines through a Web-based interface, or you can configure the Quarantine for administrator-only access. Use of the Quarantine is optional. Install the Quarantine on the same computer as the Control Center.

About LDAP compatibility for the Quarantine


Unless you configure the Quarantine for administrator-only access, the Quarantine requires an LDAP server to authenticate end users as they log on to access their quarantined messages and to let the Quarantine expand user mail aliases. The following LDAP servers are compatible with the Quarantine:


Active Directory (all versions)
iPlanet/SunONE/Java Directory Server

You should provision the LDAP server with your users and ensure it works properly before you configure the Quarantine to access it. To configure the Quarantine to access your LDAP server, you should be familiar with the particular LDAP schema that your company uses. If you do not have an LDAP directory or do not want end users to access the Quarantine, you can configure the Quarantine for administrator-only access. See Configuring the Quarantine for administrator-only access on page 275.

Configuring the Quarantine for other LDAP servers


You can configure the Quarantine to access LDAP servers other than Active Directory or iPlanet/SunONE/Java Directory Server. The following steps provide guidelines to configure the Quarantine to let end users log on and access their spam messages.

Note: If you use OpenLDAP as an LDAP server, make sure you configure it to accept LDAP v2 protocol requests.

To configure the Quarantine for other LDAP servers

1 In the Control Center, click the Settings tab.
2 In the left pane under System Settings, click LDAP.
3 Under LDAP Server, in the Server box, type the fully qualified domain name or IP address of the LDAP server, such as ldap.symantecexample.com.
4 In the Port box, type the TCP/IP port for the LDAP server that you specified in the Server box. The default LDAP port is 389.
5 Click the Type drop-down list and click Other.


6 Under LDAP Server Login, select one of the following options:
Anonymous bind: Unless you configure LDAP to allow anonymous access, this setting does not usually have adequate authentication privileges for the Quarantine to access the necessary LDAP information. Select Anonymous Bind to specify empty Name and Password boxes.
Use the following: Type the user name and password for an account that can authenticate as an administrator. The Name box and Password box cannot be empty.

7 Click Test Login to verify that the Quarantine can authenticate against LDAP with the information that you provided. If the test is successful, text similar to the following appears at the top of the page.
Test login to LDAP server successful.

Continue with step 9.

8 If the test is unsuccessful, the following message appears:
Test Login to LDAP Server failed.
Confirm the information that you provided. Do not proceed until you obtain positive results when you click Test Login.

9 Leave the Windows Domain Names box blank.
10 Click Auto Fill to fill in the boxes with the information that you have already supplied.
11 Click Test Query to determine if the Quarantine can access the required user information. If the test is successful, the text that confirms the success of the test appears. The maximum number of returned users per specified base DN is 1000 in this test. If you have more than 1000 users in your directory server, a message similar to the following appears:
Query results DC=yourdomain,DC=com - 1000+ Users


12 If the test is unsuccessful, an error message describing the problem appears. For example, if the Query start or Query filter is unavailable, a message like the following appears.
For testing query, please specify Start and Filter attributes.
Modify the appropriate settings and continue with the next step.

13 If the test query was successful but the response time is slow or your site has multiple domains, modify the Query start (base DN). Make your Base DN as specific as possible to make queries faster, such as by specifying the CN or OU. For example:

CN=users,DC=msalpha,DC=com or OU=Marketing,DC=msalpha,DC=com

If you have multiple domains, list each domain separated by an ampersand (&), such as:

DC=msalpha,DC=com&DC=ldapbeta,DC=com or CN=Users,DC=ldapalpha,DC=com&OU=Marketing,DC=ldapbeta,DC=com or CN=Users,DC=ldapalpha,DC=com&OU=Marketing,DC=ldapbeta,DC=com&OU=Sales,DC=msbeta,DC=com

14 If the Test Query was unsuccessful, you may need to modify one or more of the following settings from the defaults that are provided when you click Auto Fill:

Query filter: The Query filter must include the values from User logon name attribute, Primary email attribute, and Email alias attribute as wildcard searches. These values are filled in when you click Auto Fill. The default value is:

(&(|(objectClass=inetMailGroup)(objectClass=person))(|(mail=*)(mailalternatedaddress=*)))

User login name attribute: The default is: mail

Primary email attribute: Specify a single-valued attribute holding the primary email address.

Email alias attribute: Specify a single-valued attribute holding the alias email address.

15 Click Save.

Configuring the Quarantine for Active Directory

The following steps describe how to configure the Quarantine to let users specified in Active Directory log on and access their spam messages.

To configure Quarantine to access Active Directory

1 In the Control Center, click the Settings tab.

2 In the left pane under System Settings, click LDAP.

3 Under LDAP Server, in the Server box, type the fully qualified domain name or IP address of an Active Directory domain controller, such as dc.symantecexample.com. If you have a multi-domain Active Directory forest, specify the fully qualified domain name or IP address of the Global Catalog server on the root domain. See Determining fully qualified domain names on Windows on page 256.

4 In the Port box, type the TCP/IP port for the Active Directory server that you specified in the Server box. The default LDAP port is 389.

5 Click the Type drop-down list and select Active Directory.

6 Under LDAP Server Login, select one of the following options:

Anonymous bind: Unless you configure Active Directory to allow anonymous access, this setting does not usually have adequate authentication privileges for the Quarantine to access the necessary Active Directory information. Choose Anonymous Bind to specify empty Name and Password boxes.

Use the following: Type the user name and password for an account that can authenticate as an administrator. Specify the user name as NetBIOS\user name, such as MSALPHA\Administrator. The Name box and Password box cannot be empty. See Determining NetBIOS names on Windows on page 256.

If you connect to an Active Directory forest, specify an administrator that has administrative privileges across the domains that you specify in the Windows Domain Settings box.

7 Click Test Login to verify that the Quarantine can authenticate against Active Directory with the information that you provided. If the test is successful, text similar to the following appears at the top of the page:

Test login to LDAP server successful.

Continue with step 9.

8 If the test is unsuccessful, the following message appears:

Test Login to LDAP Server failed.

Confirm the information that you provided. Do not proceed until you obtain positive results when you click Test Login.

9 In the Windows Domain Names box, type the NetBIOS domain names that Active Directory uses. If you have multiple domains, separate them with a semicolon. See Determining NetBIOS names on Windows on page 256. For example:

MSALPHA;MSBETA

If you specify multiple domains, users must choose the appropriate NetBIOS domain from a list on the logon page when they log on to the Quarantine.

10 Click Auto Fill to fill in the boxes with the information that you have already supplied.

11 Click Test Query to determine if the Quarantine can access the required user information. If the test is successful, the text that confirms the success of the test appears. The maximum number of returned users per specified base DN is 1000 in this test. If you have more than 1000 users in your directory server, a message similar to the following appears:

Query results DC=yourdomain,DC=com - 1000+ Users

12 If the test is unsuccessful, an error message that describes the problem appears. For example, if the Query start or Query filter is absent, a message like the following appears:

For testing query, please specify Start and Filter attributes.

Modify the appropriate settings and continue with the next step.

13 If the test query was successful but the response time is slow or your site has multiple domains, modify the Query start (base DN). Make your Base DN as specific as possible to make queries faster, such as by specifying the CN or OU. For example:

CN=users,DC=msalpha,DC=com or OU=Marketing,DC=msalpha,DC=com

If you have multiple OUs or domains, list each separated by an ampersand (&), such as:

DC=msalpha,DC=com&DC=msbeta,DC=com or CN=Users,DC=msalpha,DC=com&OU=Marketing,DC=msbeta,DC=com or CN=Users,DC=msalpha,DC=com&OU=Marketing,DC=msbeta,DC=com&OU=Sales,DC=msbeta,DC=com

14 If the Test Query was unsuccessful, you may need to modify one or more of the following settings from the defaults that are provided when you click Auto Fill:

Query filter: The Query filter must include the values from User logon name attribute, Primary email attribute, and Email alias attribute as wildcard searches. These values are filled in when you click Auto Fill. The default value for Active Directory is:

(&(|(objectCategory=group)(objectCategory=person))(&(|(mail=*)(proxyAddresses=*))(sAMAccountName=*)))

User login name attribute: The default value for Active Directory is: sAMAccountName

Primary email attribute: The default value for Active Directory is: mail

Email alias attribute: The default value for Active Directory is: proxyAddresses

15 Click Save.

Determining fully qualified domain names on Windows

Follow this step to determine the fully qualified domain name for your Active Directory domains.

To determine fully qualified domain names on Windows

Click Start and select Programs > Administrative Tools > Active Directory Domains and Trusts. The fully qualified domain name appears on the left side of the window.

Determining NetBIOS names on Windows


Follow these steps to determine the NetBIOS name for your Active Directory domains.

To determine the NetBIOS names on Windows

1 Click Start and select Programs > Administrative Tools > Active Directory Domains and Trusts.

2 Select an Active Directory domain from the left side of the window.

3 Click Action, and then click Properties. The value in the "Domain name (pre-Windows 2000)" box is the NetBIOS name for the selected domain.

Configuring a Global Catalog to work with the Quarantine

To configure the Quarantine to access a Global Catalog, specify the port for the Global Catalog, usually 3268, in the LDAP Settings page in the Quarantine. Also, verify that the nCName attribute is replicated to the Global Catalog.

To replicate the nCName attribute to the Global Catalog with the Active Directory Schema snap-in

1 Click Start, click Run, type regsvr32 schmmgmt.dll, and click OK.

2 Click Start, click Run, type mmc, and click OK.

3 On the File menu, click Add/Remove Snap-in.

4 Click Add and select Active Directory Schema from the list.

5 In the left pane, expand Active Directory Schema, and click Attributes.

6 In the right pane, locate and double-click the nCName attribute.

7 Select the Replicate this attribute to the Global Catalog check box.

If an error occurs after you perform the steps above, make sure that the current domain controller has permission to modify the schema.

To grant permission to the current domain controller

1 Open the Active Directory Schema snap-in as described above.

2 In the left pane, click Active Directory Schema to select it.

3 On the Action menu, click Operations Master.

4 Check the "The Schema may be modified on this Domain Controller" box.

If replication to the Global Catalog cannot be modified as described above, contact your Symantec representative for a work-around.

Configuring the Quarantine for iPlanet/Sun ONE/Java Directory Server

The following steps describe how to configure the Quarantine to let users specified in iPlanet, Sun ONE, or Java Directory Server log on and access their spam messages.

To configure the Quarantine to access iPlanet/Sun ONE Directory Server

1 In the Control Center, click the Settings tab.

2 In the left pane under System Settings, click LDAP.

3 Under LDAP Server, in the Server box, type the fully qualified domain name or IP address of the LDAP server, such as ldap.symantecexample.com.

4 In the Port box, type the TCP/IP port for the LDAP server that you specified in the Server box. The default LDAP port is 389.

5 Click the Type drop-down list and click iPlanet/Sun ONE/Java Directory Server.

6 Under LDAP Server Login, select one of the following options:

Anonymous bind: Unless you configure LDAP to allow anonymous access, this setting does not usually have adequate authentication privileges for the Quarantine to access the necessary LDAP information. Select Anonymous Bind to specify empty Name and Password boxes.

Use the following: Type the user name and password for an account that can authenticate as an administrator. For iPlanet, Sun ONE, or Java Directory Server, the default administrator is cn=Directory Manager. The Name box and Password box cannot be empty.

7 Click Test Login to verify that the Quarantine can authenticate against LDAP with the information that you provided. If the test is successful, text similar to the following appears at the top of the page:

Test login to LDAP server successful.

Continue with step 9.

8 If the test is unsuccessful, the following message appears:

Test Login to LDAP Server failed.

Confirm the information that you provided. Do not proceed until you obtain positive results when you click Test Login.

9 Leave the Windows Domain Names box blank.

10 Click Auto Fill to fill in the boxes with the information that you have already supplied.

11 Click Test Query to determine if the Quarantine can access the required user information with the settings that are filled in after you clicked Auto Fill.

12 Click Auto Fill to fill in the boxes with the information that you supplied.

13 Click Test Query to determine if the Quarantine can access the required user information. If the test is successful, the text that confirms the success of the test appears. The maximum number of returned users per specified base DN is 1000 in this test. If you have more than 1000 users in your directory server, a message similar to the following appears:

Query results DC=yourdomain,DC=com - 1000+ Users

14 If the test is unsuccessful, an error message that describes the problem appears. For example, if the Query start or Query filter is absent, a message like the following appears:

For testing query, please specify Start and Filter attributes.

Modify the appropriate settings and continue with the next step.

15 If the test query was successful but the response time is slow or your site has multiple domains, modify the Query start (base DN). Make your Base DN as specific as possible to make queries faster, such as by specifying the CN or OU. For example:

CN=users,DC=msalpha,DC=com or OU=Marketing,DC=msalpha,DC=com

If you have multiple domains, list each domain separated by an ampersand (&), such as:

DC=msalpha,DC=com&DC=ldapbeta,DC=com or CN=Users,DC=ldapalpha,DC=com&OU=Marketing,DC=ldapbeta,DC=com or CN=Users,DC=ldapalpha,DC=com&OU=Marketing,DC=ldapbeta,DC=com&OU=Sales,DC=msbeta,DC=com

16 If the Test Query was unsuccessful, you may need to modify one or more of the following settings from the defaults that are provided when you click Auto Fill:

Query filter: The Query filter must include the values from User logon name attribute, Primary email attribute, and Email alias attribute as wildcard searches. These values are filled in when you click Auto Fill. The default value is:

(&(|(objectClass=inetMailGroup)(objectClass=person))(|(mail=*)(mailalternatedaddress=*)))

User login name attribute: The default value is: mail

Primary email attribute: The default value is: mail

Email alias attribute: The default value is: mailAlternateAddress

17 Click Save.
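The Query start and Query filter rules used in the three LDAP procedures above (several base DNs joined with an ampersand; a Query filter that must carry a wildcard test for the User login name, Primary email, and Email alias attributes) can be checked offline before you click Test Query. The following Python script is an added example, not part of this guide and not Symantec Message Filter code. AD_FILTER and AD_ATTRIBUTES are the Active Directory defaults quoted in step 14 of the Active Directory procedure; the function names, the BAD_FILTER string, and the DN strings passed in are this example's own constructed values.

```python
"""Pre-flight check for the Quarantine LDAP Query start and Query filter settings.

Added example, not Symantec Message Filter code. It parses the guide's
'&'-joined base DN list and verifies that the Query filter carries a wildcard
(presence) test for each configured attribute, as the guide requires.
"""
import re
from typing import Dict, List, Set

# An attribute type in a DN or filter is a descriptor: a letter followed by
# letters, digits or hyphens (RFC 4512). Numeric OIDs are not accepted here.
# LDAP attribute names are case-insensitive, so comparisons are lower-cased.
ATTR = r"[A-Za-z][A-Za-z0-9-]*"
PRESENCE_RE = re.compile(r"\(\s*(" + ATTR + r")\s*=\s*\*\s*\)")  # (attr=*)
RDN_RE = re.compile(r"^" + ATTR + r"=.+$")                         # attr=value


def split_query_start(query_start: str) -> List[str]:
    """Split 'DC=a,DC=com&OU=x,DC=b, DC=com' into normalised DNs.

    Whitespace around RDN separators (a common copy-paste artefact) is dropped.
    Escaped commas inside values are not handled; the guide's examples have none.
    Raises ValueError if any RDN is not of the form attr=value.
    """
    dns = []
    for raw in query_start.split("&"):
        rdns = [rdn.strip() for rdn in raw.split(",")]
        if not all(RDN_RE.match(rdn) for rdn in rdns):
            raise ValueError(f"malformed base DN: {raw.strip()!r}")
        dns.append(",".join(rdns))
    return dns


def balanced(filter_text: str) -> bool:
    """True if every '(' in the RFC 4515 filter string has a matching ')'."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def presence_attributes(filter_text: str) -> Set[str]:
    """Attributes tested with a wildcard, i.e. (attr=*), lower-cased."""
    return {m.group(1).lower() for m in PRESENCE_RE.finditer(filter_text)}


def check_settings(query_start: str, query_filter: str,
                   attributes: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the settings pass.

    attributes maps the guide's three boxes (User login name, Primary email,
    Email alias) to the attribute names configured for them.
    """
    problems: List[str] = []
    try:
        split_query_start(query_start)
    except ValueError as exc:
        problems.append(str(exc))
    if not balanced(query_filter):
        problems.append("Query filter has unbalanced parentheses")
    present = presence_attributes(query_filter)
    for box, attr in attributes.items():
        if attr.lower() not in present:
            problems.append(f"{box}: no ({attr}=*) test in the Query filter")
    return problems


# Active Directory defaults as quoted in the guide.
AD_FILTER = ("(&(|(objectCategory=group)(objectCategory=person))"
             "(&(|(mail=*)(proxyAddresses=*))(sAMAccountName=*)))")
AD_ATTRIBUTES = {"User login name attribute": "sAMAccountName",
                 "Primary email attribute": "mail",
                 "Email alias attribute": "proxyAddresses"}

# Constructed misconfiguration: the alias attribute is configured but the
# filter never tests proxyAddresses, so alias-only users would not be found.
BAD_FILTER = "(&(objectCategory=person)(|(mail=*)(sAMAccountName=*)))"

if __name__ == "__main__":
    print(split_query_start("CN=Users,DC=msalpha,DC=com&OU=Marketing,DC=msbeta, DC=com"))
    print(check_settings("DC=msalpha,DC=com", AD_FILTER, AD_ATTRIBUTES))
    print(check_settings("DC=msalpha,DC=com", BAD_FILTER, AD_ATTRIBUTES))
```

The check is deliberately syntactic: it tells you that a filter cannot satisfy the guide's requirement before any bind is attempted, but only Test Query against the live directory confirms that the attributes actually hold values for your users.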

About the Quarantine page


The Quarantine tab provides a summary of the messages in the Quarantine. The user message list page is similar. See Differences between the administrator and end user Quarantine pages on page 263. Table 10-1 lists the tasks that you can perform on the Quarantine page.

Table 10-1 Quarantine page tasks

Sort messages: By default, messages appear in date descending order. The newest messages are listed at the top of the page. Click on the column heading to select the column by which to sort. A triangle appears in the selected column to indicate ascending or descending sort order.

View messages: Click on a message subject to view an individual message.

Redeliver misidentified messages: Occasionally you may see messages in the Quarantine that are not spam. Click on the check box to the left of a misidentified message and then click This is not Spam to redeliver the message to the intended recipient. This task also removes the message from Quarantine. Depending on how you configure the Quarantine, a copy of the message may also be sent to an administrator email address (such as yourself), Symantec, or both. This configuration lets the email administrator or Symantec monitor the effectiveness of the Symantec Message Filter software.

Delete individual messages: Click on the check box to the left of each message to select a message for deletion. After you select all of the messages on the current page that you want to delete, click Delete. When you delete a message in the administrator's Quarantine, you also delete the message from the applicable user's Quarantine. For example, if you delete Kathy's spam messages in the administrator's Quarantine, Kathy cannot see those messages when she accesses the Quarantine.

Delete all messages: This option deletes all of the messages in the Quarantine, including those on other pages. This option deletes all users' spam messages.

Search messages: This option lets you search messages for a specific recipient, sender, subject, message ID, or date range. See About searching messages on page 266.

Navigate through messages: The following icons show how to navigate through the Quarantine page:

Configure settings: Click the Settings option to configure settings for the Quarantine. To return to the message list from the settings area, click the Quarantine tab. See Configuring the Quarantine on page 274.

Administrator Quarantine page details

Note the following Quarantine behavior:

When you navigate to a different page of messages, the status of the check boxes in the original page is not preserved. For example, if you select three messages in the first page of messages and then move to the next page, when you return to the first page, all of the message check boxes are cleared.

The "To" column in the message list page indicates the intended recipient of each message as listed in the message envelope. When you display the contents of a single message in the message details page, the To header (not envelope) information is displayed, which spammers often forge.

Differences between the administrator and end user Quarantine pages

The pages that appear for administrators and end users on your network have some differences:

End users can only view and delete their own spam messages. Quarantine administrators can view and delete all users' spam messages, either one by one, deleting all messages, or deleting the results of a search.

When end users click This Is Not Spam, the message is delivered to their own main inbox. When a Quarantine administrator clicks This Is Not Spam, the message is delivered to the inbox of the intended recipient.

The administrator message list page includes a "To" column that contains the intended recipient of each message. End users can only see their own messages, so the "To" column is unnecessary.

The Settings option is only available to Quarantine administrators. End users only have access to the Quarantine, not the rest of the Control Center.

What administrators can do in the Quarantine

This section describes what administrators should know about working with the Quarantine, as follows:

Accessing the Quarantine

What administrators can do within a spam message

About searching messages

Accessing the Quarantine

Administrators access the Quarantine through the Control Center. All administrators can work with messages in Quarantine. Administrators without full privileges or Manage Quarantine rights do not see the Quarantine link in the Settings tab. The Settings option is grayed out.

To access the Quarantine

In the Control Center, do one of the following:

To view the contents of the Quarantine: Click the Quarantine tab.

To modify the Quarantine settings: Click the Settings tab, and in the left pane under System Settings, click Quarantine.

What administrators can do within a spam message


When you click on the subject line of a message on the Quarantine page, the contents of the individual spam message appear. This lets you view the spam message before you determine what action to take with it.

When you view the Quarantine, the original graphics in messages are replaced with graphics of gray rectangles. This feature suppresses offensive images and prevents spammers from verifying your email address. If you release the message by clicking This is not Spam, the original graphics are viewable by the intended recipient. The ability to view the original graphics within the Quarantine is unavailable.

Table 10-2 lists the tasks that you can perform while you view a spam message.

Table 10-2 Actions to take while you view a spam message

Redeliver misidentified messages: When you click This is not Spam, you redeliver the message to the intended recipient. This task also removes the message from Quarantine. Depending on how you configure the Quarantine, a copy of the message may also be sent to the email administrator (you), Symantec, or both. This method lets you and Symantec monitor the effectiveness of the Symantec Message Filter software.

Delete the message: To delete the message that you are viewing, click Delete. When you delete a message, the page refreshes and displays the next message. If there are no more messages, the message list page appears. Deleting a message in the administrator's Quarantine also deletes the message from the applicable user's Quarantine. For example, if you delete Kathy's spam messages in the administrator's Quarantine, Kathy cannot see those messages when she accesses the Quarantine.

Navigate through messages: You can navigate through messages as follows: Next takes you to the next message; Previous takes you to the previous message.

Return to the Quarantine page: Takes you back to the Quarantine page.

Display full or brief headers: By default, the From, To, Subject, and Date headers of a message appear. To display all headers available to the Quarantine, click Display Full Headers. The full headers may provide clues about the origin of a message. Keep in mind that spammers usually forge some of the message headers. To hide the full headers, click Display Brief Headers.

Configure settings: Click the Settings tab to configure settings for Quarantine. To return to the message list from the settings area, click the Quarantine tab. See Configuring the Quarantine on page 274.

Attachments: The names of attachments appear at the bottom of the message, but the actual attachments cannot be viewed from within Quarantine. However, if you redeliver a message by clicking This is not Spam, the message and attachments are accessible from the inbox of the intended recipient.

Differences between the administrator and end user message pages

The differences between the message page that appears for administrators and the page that appears for end users are as follows:

End users can only view and delete their own spam messages. Quarantine administrators can view and delete messages for all users.

End users only have access to the Quarantine page, not the rest of the Control Center.

About searching messages

You can search for messages on the Quarantine page. Type one or more search options or choose a time range to display matching messages in the administrator Quarantine. The search results appear in a page similar to the Quarantine page. Table 10-3 lists the ways in which you can conduct a search.

Table 10-3 Ways to conduct a Quarantine search

Search using multiple characteristics: If you search for multiple characteristics, only the messages that match the combination of characteristics appear in the search results. For example, if you type "LPQTech" in the From box and "Inkjet" in the Subject box, only messages that contain "LPQTech" in the From header and "Inkjet" in the Subject header appear in the search results.

Search message envelope "to" recipient: Type in the To box to search the message envelope RCPT TO recipient in all messages for the text that you typed. You can search for a display name, the user name portion of an email address, or any part of a display name or email user name. If you type a full email address in the To box, only the user name portion of user_name@symantecexample.com is searched for. You can attempt to search for the domain portion of an email address by typing the domain. If more than 50% of the messages contain part of the search phrase, nothing appears. See Search details on page 268. The search is limited to the envelope To, which may contain different information than the header To that appears on the message details page.

Search "from" headers: Type in the From box to search the From header in all messages for the text that you typed. You can search for a display name, email address, or any part of a display name or email address. The search is limited to the visible message From header, which in spam messages is usually forged. The visible message From header may contain different information than the message envelope.

Search subject headers: Type in the Subject box to search the Subject header in all messages for the text that you typed.

Search the message ID header: Type in the Message ID box to search the message ID in all messages for the text that you typed. The message ID is not visible in the Quarantine. It can be obtained by examining the mail log on the MTA. In addition, most email clients have the capability of displaying the full message header, which includes the message ID. The first email server to receive the message assigns the message ID, which is supposed to be a unique identifier for a message. However, spammers may tailor the message ID to hide their identities. For legitimate email, the message ID may indicate the domain from which the message was sent, the email server that sent the message, or both.

Search by time range: Choose a time range from the Time Range list to show all messages from that time range. You can also choose Customize to search by specific time range.

Search details

Note the following search behavior:

If any term in the search phrase matches 50% or more of the messages in the database, then the search shows no results.

About 570 common words such as "after" and "which" are ignored in any of the search boxes, as well as the word "spam." These are called MySQL stopwords. Also, words of three characters or less are ignored. This behavior applies to To, From, Subject, and Message ID searches.

If any word in a multiple word search is found in a message, that message is considered a match. For example, searching for "red carpet" matches "red carpet," and also "red wine" and "flying carpet." You do not have to put quote marks around the search text that contains spaces.

Searches match exact whole words only in To, From, Subject, and Message ID searches. A word is considered a group of letters, numbers, or underscores. For example, if you search for "finance," the search would not find "refinance." Also, if you searched for "user_name@symantecexample.com," the search is interpreted as "user_name" OR "example." Since "com" is three characters, it is ignored. The @ and the period are treated as spaces.

Search results are sorted by date descending order by default. Results can be resorted by clicking on a column heading.

Wildcards such as * are not supported in search. All searches are literal.

If you search for multiple characteristics, only the messages that match the combination of characteristics appear in the search results. For example, if you typed "LPQTech" in the From box and "Inkjet" in the Subject box, only the messages that contain "LPQTech" in the From header and "Inkjet" in the Subject header appear in the search results.

All text searches are case-insensitive. For example, if you type emerson in the From box, then messages with a From header that contains emerson, Emerson, and eMERSOn all appear in the search results.

The amount of time that is required for the search depends on how many search boxes you filled in and the number of messages in the current mailbox. Searching in the administrator mailbox takes longer than searching in a user's mailbox.

Spammers can forge some of the visible message headers such as From and To and the invisible envelope information. Sometimes they forge header information with the actual email addresses or domains of innocent people or companies.
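The rules above (stopwords, the minimum word length, whole-word OR matching within a box, AND across boxes, case folding, and the 50% no-results rule) decide what a search will and will not find, which matters when you are trying to locate a misclassified message by sender or subject. The following Python model is an added example, not part of this guide and not Symantec Message Filter code. It applies those rules to a handful of constructed quarantine records; the stopword set is a small constructed subset of the MySQL list the guide mentions, and treating a box whose every term was dropped as matching nothing is an assumption the guide does not state.

```python
"""Model of the Quarantine search rules listed under "Search details".

Added example, not Symantec Message Filter code. The records and the stopword
set are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the roughly 570 MySQL stopwords the guide mentions,
# plus "spam", which the guide says is ignored as well.
STOPWORDS = {"after", "which", "spam", "about", "from", "with", "this", "that"}

# A word is a run of letters, digits or underscores, so "@" and "." split an
# address into its parts, as the guide describes.
WORD_RE = re.compile(r"[a-z0-9_]+")


def tokenize(text: str) -> List[str]:
    """Lower-case, split into words, drop stopwords and words of 3 characters or less."""
    return [w for w in WORD_RE.findall(text.lower())
            if len(w) > 3 and w not in STOPWORDS]


@dataclass
class Message:
    """One quarantined message: envelope recipient, From, Subject, Message-ID."""
    to: str
    sender: str
    subject: str
    message_id: str


def box_matches(terms: List[str], field_text: str) -> bool:
    """Within one search box the terms are ORed: any whole-word hit is a match."""
    words = set(tokenize(field_text))
    return any(t in words for t in terms)


def search(messages: List[Message], **boxes: Optional[str]) -> List[Message]:
    """Apply the guide's rules: boxes are ANDed, terms within a box are ORed.

    Keyword names are the Message field names (to, sender, subject, message_id),
    standing for the To, From, Subject and Message ID boxes. Returns [] when any
    term occurs in 50% or more of the messages (the guide's no-results rule).
    Assumption not stated in the guide: a box whose every term was dropped as a
    stopword or as too short also yields no results.
    """
    total = len(messages)
    criteria: Dict[str, List[str]] = {}
    for box, text in boxes.items():
        if not text or not text.strip():
            continue                      # empty box: no constraint
        terms = tokenize(text)
        if not terms:
            return []                     # assumption, see docstring
        for term in terms:
            hits = sum(1 for m in messages if term in set(tokenize(getattr(m, box))))
            if total and 2 * hits >= total:
                return []                 # term too common: no results
        criteria[box] = terms
    return [m for m in messages
            if all(box_matches(terms, getattr(m, box)) for box, terms in criteria.items())]


# Constructed quarantine contents.
QUARANTINE = [
    Message("kathy@symantecexample.com", "LPQTech Sales <sales@lpqtech.example>",
            "Inkjet cartridges 70% off", "<a1@lpqtech.example>"),
    Message("kathy@symantecexample.com", "LPQTech <news@lpqtech.example>",
            "Your statement is ready", "<a2@lpqtech.example>"),
    Message("bob@symantecexample.com", "Emerson <e@mail.example>",
            "Inkjet refills", "<a3@mail.example>"),
    Message("bob@symantecexample.com", "Wine Club <club@wine.example>",
            "Fine red wine delivered", "<a4@wine.example>"),
    Message("alice@symantecexample.com", "Travel Deals <go@travel.example>",
            "The flying carpet tour", "<a5@travel.example>"),
    Message("alice@symantecexample.com", "Loans Inc <offer@loans.example>",
            "Refinance your home today", "<a6@loans.example>"),
]

if __name__ == "__main__":
    print(tokenize("user_name@symantecexample.com"))
    print([m.subject for m in search(QUARANTINE, sender="LPQTech", subject="Inkjet")])
    print(search(QUARANTINE, subject="finance"))        # whole words only: no "refinance"
    print(search(QUARANTINE, to="symantecexample"))    # present in every record: 50% rule
```

The last call shows why searching for your own domain in the To box returns nothing: the domain part becomes a term that matches every record, so the 50% rule empties the result, exactly as the guide warns for the envelope "to" search.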

Differences between the administrator and end user search pages

Some differences between the administrator search page and the user search page are as follows:

Quarantine administrators can search for recipients.

In the Search Results page, users can only delete their own spam messages. Quarantine administrators can delete all users' spam messages.

Working with messages in the Quarantine for end users


This section describes what end users should know about working with the Quarantine.

Accessing the Quarantine


Users access the Quarantine by logging into the Control Center with the user name and password for the type of LDAP server that your company uses. The Quarantine message list page displays after logon.

About the message list page


The message list page is the first page that appears when you log in. It provides a summary of the messages in the Quarantine.

Sorting messages
By default, messages are listed in date descending order. The newest messages are listed at the top of the page. Click on the To, From, Subject, or Date column heading to select the column by which to sort. A triangle appears in the selected column that indicates ascending or descending sort order. Click on the selected column heading to toggle between ascending and descending sort order.

Viewing messages
Click on a message subject to view an individual message.

Redelivering misidentified messages

You may see messages in the Quarantine that are not spam. Click on the check box to the left of a misidentified message, and then click This is not Spam to redeliver the message to your usual inbox. This setting also removes the message from the Quarantine. Depending on how your email administrator configured the Quarantine, a copy of the message may also be sent to the email administrator, Symantec, or both. This method lets the email administrator and Symantec monitor the effectiveness of the Symantec Message Filter software.

Deleting individual messages


Click the check box to the left of each message to select a message for deletion. After you select all of the messages on the current page that you want to delete, click Delete.

Deleting all messages


Click Delete All to delete all the messages in your Quarantine mailbox, including those on other pages. Click OK in the confirmation window or Cancel if you change your mind.

Searching messages
Click Search to search messages for a specific sender, subject, message ID, or date range. See Searching messages on page 272.

Navigating through messages


Table 10-4 shows how you can navigate through message list pages.

Table 10-4 Navigating through messages on the end-user message list page

Go to beginning of messages.

Go 50 pages ahead. This icon appears if there are 50 pages or more of messages after the current page.

Go to the end of messages. This icon appears if there are less than 50 pages of messages after the current page.

Go to previous page of messages.

Go to next page of messages.

Choose up to 50 pages before or after the current page of messages.

Message list page details


When you navigate to a different page of messages, the status of the check boxes in the original page is not preserved. For example, if you select three messages in the first page of messages and then move to the next page, when you return to the first page, all the message check boxes are cleared.

Message Details page


When you click on the subject line of a message in the message list page, this page displays the contents of individual spam messages.

Redelivering misidentified messages


Click This is not Spam to redeliver the message to your inbox. This also removes the message from the Quarantine. Depending on how your email administrator configures the Quarantine, a copy of the message may also be sent to the email administrator, Symantec, or both. This lets you, the administrator, and Symantec monitor the effectiveness of the Symantec Message Filter software.

Deleting the message


To delete a message after you view it, click Delete. When you delete a message, the page refreshes and displays the next message. If there are no more messages, the message list page appears.

Navigating through messages


Table 10-5 describes ways to navigate messages.


Table 10-5  Navigating through messages on the end-user message details page

Icon        Description
Next        Go to the next message.
Previous    Go to the previous message.

Returning to the message list


To return to the message list, click Back To Messages.

Displaying full or brief headers


By default, the From, To, Subject, and Date headers of a message appear. To display all headers that are available to the Quarantine, click Display Full Headers. The full headers may provide clues about the origin of a message. Keep in mind that spammers can forge some of the message headers. To hide the full headers, click Display Brief Headers.

Graphics appear as gray rectangles


When you view the Quarantine, the original graphics in messages are replaced with graphics of gray rectangles. This feature suppresses offensive images and prevents spammers from verifying your email address. If you release the message by clicking This is not Spam, you can view the original graphics when the message is delivered to your main inbox. The ability to view original graphics within the Quarantine is unavailable.

Attachments
The names of attachments appear at the bottom of the message; the actual attachments cannot be viewed from within Quarantine. However, if the message is misidentified spam, when you redeliver it by clicking This is not Spam, the message and attachments are accessible from your inbox.

Searching messages
Click Search on the message list page to display the search page. Type in one or more boxes or choose a time range to display matching messages in your Quarantine mailbox. The search results appear in a page similar to the message list page.


Searching using multiple characteristics


If you search for multiple characteristics, only the messages that match the combination of characteristics appear in the search results. For example, if you type "LPQTech" in the From box and "Inkjet" in the Subject box, only messages that contain "LPQTech" in the From header and "Inkjet" in the Subject header appear in the search results.

Searching "From" headers


Type in the From box to search the From header in all messages for the text that you typed. You can search for a display name, email address, or any part of a display name or email address. The search is limited to the visible message From header, which in spam messages is usually forged. The visible message From header may contain different information than the message envelope.

Searching subject headers


Type in the Subject box to search the Subject header in all messages for the text that you typed.

Searching the message ID header


Type in the Message ID box to search the message ID in all of the messages for the text that you typed. The message ID is not visible in the Quarantine. It can be obtained by examining the mail log on the MTA. In addition, most email clients have the capability of displaying the full message header, which includes the message ID. The first email server to receive the message assigns the message ID, which is supposed to be a unique identifier for a message. However, spammers may tailor the message ID to hide their identities. For legitimate email, the message ID may indicate the domain where the message was sent from or the email server that sent the message.

Searching by time range


Choose a time range from the Time Range list to show all of the messages from that time range. You can also choose Customize to search by a specific time range.

Search details
Note the following search behavior:

- If any term in the search phrase matches 50% or more of the messages in the database, the search shows no results.
- About 570 common words such as "after" and "which" are ignored in any of the search boxes, as is the word "spam." These are called MySQL stopwords. Words of three characters or less are also ignored. This applies to To, From, Subject, and Message ID searches.
- If any word in a multiple-word search is found in a message, that message is considered a match. For example, searching for "flying carpet" matches "flying carpet," and also "flying saucer" and "red carpet." You do not have to put quotation marks around search text that contains spaces.
- Searches match exact whole words only in To, From, Subject, and Message ID searches. A word is a group of letters, numbers, or underscores. For example, if you search for "finance," the search does not find "refinance." If you search for "user_name@symantecexample.com," the @ and the period are treated as spaces, so the search is interpreted as "user_name" OR "symantecexample"; "com" is ignored because it is only three characters.
- Search results are sorted in date-descending order by default but can be re-sorted by clicking a column heading.
- Wildcards such as * are not supported. All searches are literal.
- If you search for multiple characteristics, only the messages that match the combination of characteristics are listed. For example, if you type "LPQTech" in the From box and "Inkjet" in the Subject box, only messages that contain "LPQTech" in the From header and "Inkjet" in the Subject header appear in the search results.
- All text searches are case-insensitive. If you type emerson in the From box, messages with a From header that contains emerson, Emerson, or eMERSOn are all displayed in the search results.
- The time that a search requires depends on how many search boxes you filled in and on the number of messages in the current mailbox.
- Spammers can forge some of the visible message headers, such as From and To, as well as the invisible envelope information. Sometimes they forge header information with the actual email addresses or domains of innocent people or companies.
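The following Python model, added here as an example and not code from Symantec Message Filter, applies the search rules above to a constructed mailbox so that you can predict what a search returns before you type it. The STOPWORDS set is a small sample standing in for MySQL's list of about 570 words, the MAILBOX entries are constructed, and the 50% rule is implemented exactly as stated above: a term found in half or more of the mailbox empties the result.

```python
"""Model of the Quarantine search rules (MySQL natural-language full-text
matching as the guide describes it). Added example; not product code.
STOPWORDS is a small constructed sample, not MySQL's real ~570-word list."""
import re

STOPWORDS = {"after", "which", "spam", "this", "that", "with", "from", "your"}
MIN_WORD_LEN = 4                          # words of three characters or less are ignored
WORD_RE = re.compile(r"[A-Za-z0-9_]+")    # a word is letters, digits or underscores;
                                          # '@' and '.' therefore act as separators

# Constructed sample mailbox (not real quarantined mail).
MAILBOX = [
    {"from": "LPQTech Sales <sales@lpqtech.example>",
     "subject": "Inkjet cartridges 70% off", "date": "2011-03-01"},
    {"from": "Emerson Finance <emerson@finance.example>",
     "subject": "Refinance your home today", "date": "2011-03-02"},
    {"from": "user_name@symantecexample.com",
     "subject": "Meeting notes", "date": "2011-03-03"},
    {"from": "LPQTech Support <support@lpqtech.example>",
     "subject": "Red carpet sale on toner", "date": "2011-03-04"},
    {"from": "Newsletter <news@shop.example>",
     "subject": "Flying carpet deals", "date": "2011-03-05"},
]


def tokens(text):
    """Lower-cased whole words that survive the length and stopword filters."""
    return [w for w in (m.lower() for m in WORD_RE.findall(text))
            if len(w) >= MIN_WORD_LEN and w not in STOPWORDS]


def search(mailbox, criteria):
    """criteria maps a field name ('from', 'subject', 'message_id', 'to') to the
    text typed in that box. Fields are ANDed; words within one box are ORed;
    matching is case-insensitive, whole-word and literal (no wildcards).
    Returns the matching messages sorted by date, newest first."""
    result = list(mailbox)
    for field, text in criteria.items():
        terms = tokens(text)
        if not terms:
            return []                      # every word was a stopword or too short
        # 50% rule as the guide states it: one common term empties the result.
        for t in terms:
            hits = sum(t in tokens(m[field]) for m in mailbox)
            if hits * 2 >= len(mailbox):
                return []
        result = [m for m in result if any(t in tokens(m[field]) for t in terms)]
    return sorted(result, key=lambda m: m["date"], reverse=True)


def subjects(mailbox, criteria):
    """Convenience wrapper: just the subjects of the matching messages."""
    return [m["subject"] for m in search(mailbox, criteria)]


if __name__ == "__main__":
    print(subjects(MAILBOX, {"from": "LPQTech", "subject": "Inkjet"}))
    print(subjects(MAILBOX, {"subject": "finance"}))          # no "refinance" match
    print(subjects(MAILBOX, {"from": "user_name@symantecexample.com"}))
    print(subjects(MAILBOX, {"from": "example"}))             # common term: no results
```

Run it against your own export of From and Subject lines to see why a search returns nothing: in practice that is almost always a short word, a stopword, or a domain that appears in most of the mailbox.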

Configuring the Quarantine


The options that you can configure to customize the Quarantine are as follows:

- Delivering messages to the Quarantine
- Configuring the Quarantine for administrator-only access
- About configuring the end user and distribution list notification digests


- About the delete unresolved email setting
- Setting the Quarantine message retention period
- Configuring the number of messages to appear per page
- Configuring the logon help
- Specifying the Quarantine SMTP IP address
- Configuring the Quarantine port for incoming SMTP email
- Specifying the Quarantine message and size thresholds

Delivering messages to the Quarantine


Use the Group Policies filtering actions to deliver spam messages from the Server to the Quarantine.

Note: The Quarantine does not use a separate SMTP mail server to send notifications and resend misidentified messages. However, an SMTP mail server must be available to receive the notifications and misidentified messages that the Quarantine sends. Set this SMTP server on the SMTP Insertion Settings page. The SMTP server that you choose should be downstream from the Server, because notifications and misidentified messages do not require filtering.

To deliver messages to the Quarantine
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Group Policies.
3  Under Groups, click the name of a group.
4  On the Edit Group Policy page, under AntiSpam Actions, set the filtering action to Quarantine the Message for the spam types that you want. Typically, you should set both If a message is spam and If a message is suspected spam to Quarantine the Message.
5  Click Save.
6  Repeat this process for each group policy that you want to deliver messages to the Quarantine.

Configuring the Quarantine for administrator-only access


If you do not have an LDAP directory server configured or you do not want users in your LDAP directory to access the Quarantine, you can configure the Quarantine so that only administrators can access it.


When administrator-only access is enabled, you can still perform all the administrator tasks, including redelivering misidentified messages to local users. However, notification of new spam messages is disabled when administrator-only access is enabled. See What administrators can do in the Quarantine on page 264.

To configure the Quarantine for administrator-only access
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Check the Administrator-only Quarantine box.
4  Click Save.

About configuring the end user and distribution list notification digests
By default, a notification process runs at 4 A.M. every day and determines if users have new spam messages in the Quarantine since the last time the notification process ran. If so, it sends a message to users who have new spam to remind them to check their spam messages. You can send notification digests to users on distribution lists. You can also change the notification digest frequency and format.

About notification for distribution lists and aliases


If the Quarantine is enabled, a spam message that is sent to an alias with a one-to-one correspondence to a user's email address is delivered to the user's normal Quarantine mailbox. For example, if tom is an alias for tomevans, quarantined messages that are sent to tom or to tomevans arrive in the Quarantine account for tomevans.

Note: An "alias" on UNIX or "distribution list" on Windows is an email address that translates to one or more other email addresses. In this text, distribution list means an email address that translates to two or more email addresses.

When Symantec Message Filter forwards to the Quarantine a spam message that was sent to a distribution list, the message is not delivered to the intended recipients' Quarantine mailboxes. Instead, the message is delivered to a special Quarantine mailbox for that distribution list. However, you can configure the Quarantine to send notification digests about the messages in a distribution list mailbox to the recipients of that distribution list by selecting the Notify distribution lists check box on the Quarantine Settings page. If the Include View link box is selected on the Quarantine Settings page, recipients of the notification digest can view all of the quarantined distribution list messages. If a recipient clicks the This Is Not Spam option for a message in the quarantined distribution list mailbox, the message is delivered to the normal inboxes of all the distribution list recipients.

For example, if a distribution list that is called mktng contains Ruth, Fareed, and Darren, spam sent to mktng and configured to be quarantined is not delivered to the Quarantine mailboxes for Ruth, Fareed, and Darren. If the Notify distribution lists check box on the Quarantine Settings page is selected, then Ruth, Fareed, and Darren receive email notifications about the quarantined mktng messages. If the Include View link box is selected on the Quarantine Settings page, then Ruth, Fareed, and Darren can view the quarantined mktng messages by clicking the View link in the notification digests. If Ruth clicks the This Is Not Spam option for a quarantined mktng message, the message is delivered to the inboxes of Ruth, Fareed, and Darren.

Changing the notification digest frequency


You can change the frequency at which notification messages are sent to users. The default frequency is every day. To stop sending notification messages, change the Notification frequency to NEVER.

To change the notification digest frequency
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Under Quarantine Notification, click the Notification frequency drop-down list and select the notification frequency that you want.
4  Click Save.

Editing the notification digest templates


The notification digest templates determine the appearance of the notification messages that are sent to users, as well as the message subject and the send-from address. By default, the notification templates for standard quarantined messages and for quarantined distribution list messages are different, which lets you customize the template for each type of quarantined message. The default notification templates are similar to the text that is listed below; the distribution list notification template lacks the information about logging on. In your browser, the text does not wrap, so you have to scroll horizontally to view some of the lines. This prevents unusual line breaks or extra lines if you choose to send notifications in HTML format.

    Quarantine Summary for %USER_NAME%

    There are %NEW_MESSAGE_COUNT% new messages in your Spam Quarantine since you received your last Spam Quarantine Summary. These messages will automatically be deleted after %QUARANTINE_DAYS% days. To review the complete text of these messages, go to %QUARANTINE_URL% and log in.

    ===================== NEW QUARANTINE MESSAGES ======================
    %NEW_QUARANTINE_MESSAGES%
    ====================================================================

Table 10-6 lists the variables in the notification digest that is sent to users.

Table 10-6  Notification message variables

%NEW_MESSAGE_COUNT%
    Number of new messages in the user's Quarantine since the last notification message was sent.

%NEW_QUARANTINE_MESSAGES%
    List of messages in the user's Quarantine since the last notification was sent. For each message, the contents of the From, Subject, and Date headers are printed. View and Release links appear for each message if they are enabled and you have chosen the Multipart or HTML notification format.

%QUARANTINE_DAYS%
    Number of days that messages in the Quarantine are kept. After that period, messages are purged.

%QUARANTINE_URL%
    URL that the user clicks to display the Quarantine logon page.

%USER_NAME%
    User name of the user receiving the notification message.

To edit the notification digest templates
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Under Quarantine Notification, click Edit next to Notification templates.
4  In the Send from box, type the email address that the notification digests should appear to be from. Because users can reply to the email address that you provide, type an address where you can monitor users' questions about the notification digests. Specify the full email address including the domain name, such as admin@symantecexample.com.
5  In the Subject box, type the text that should appear in the Subject header of notification digests, such as "Your Suspected Spam Summary." Do not put message variables in the Subject box; they are not expanded. The Send from and Subject settings are the same for both the user notification template and the distribution list notification template.
6  Edit the user notification template, the distribution list notification template, or both. See Table 10-6. The text does not wrap in the Control Center; this prevents unusual line breaks or extra lines if you choose to send notifications in HTML format. Do not manually insert breaks if you plan to send notifications in HTML.
7  On the Edit Notification Templates page, click Save.
8  On the Quarantine Settings page, click Save.

Enabling notification for distribution lists


You can configure the Quarantine to send notification digests about the messages in a distribution list mailbox to the recipients of that distribution list. See About notification for distribution lists and aliases on page 276.

To enable notification for distribution lists
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Under Quarantine Notification, check Notify distribution lists.
4  On the Quarantine Settings page, click Save.

Selecting the notification digest format


The notification digest format determines the MIME encoding of the notification messages that are sent to users, as well as whether View and Release links appear in the message.


To select the notification digest format
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Under Quarantine Notification, click the Notification format drop-down list and select one of the following options:

   Multipart (HTML and text)
       Send the notification message in MIME multipart format. Users see either the HTML version or the text version, depending on the type of email client they use and its settings. The View and Release links do not appear next to each message in the text version of the summary.

   HTML only
       Send the notification message as MIME type text/html only.

   Text only
       Send the notification message as MIME type text/plain only. If you choose Text only, the View and Release links do not appear next to each message in the summary.

4  Check Include View link to include a View link next to each message in the notification digest summary. When a user clicks the View link in a notification digest, the adjacent message appears in the Quarantine in the default browser. This check box is available only if you choose the Multipart (HTML and text) or HTML only notification format. If you remove the %NEW_QUARANTINE_MESSAGES% variable from the notification digest template, the new message summary (including the View links) is not available.
5  Check Include Release link to include a Release link next to each message in the notification digest summary. The Release link is for misidentified messages: when a user clicks the Release link in a notification digest, the adjacent message is released from the Quarantine and sent to the user's normal inbox. This check box is available only if you choose the Multipart (HTML and text) or HTML only notification format. If you remove the %NEW_QUARANTINE_MESSAGES% variable from the notification digest template, the new message summary (including the Release links) is not available.
6  In the Summary line limit box, specify the maximum number of summary entries that can appear in the quarantine notification. The default setting is 100.
7  On the Quarantine Settings page, click Save.
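To make the template variables in Table 10-6 and the format, link and summary-limit settings above concrete, here is a digest builder written with Python's standard email package. It is an added example, not the product's own notifier: the DEFAULT_TEMPLATE text is the default quoted above, while the SETTINGS dictionary, the message list, and the /view and /release URL shapes are assumptions made for the example. One point the guide does not spell out is that the From and Subject lines in the summary come from spam and are therefore attacker-controlled, so the HTML rendering escapes them before they are placed next to the links.

```python
"""Builds a Quarantine notification digest in the configured format.
Added example using the standard email package; not Symantec code.
Settings, message list and link URL shapes are constructed assumptions."""
import re
from email.message import EmailMessage
from html import escape

# Default user notification template as shown in the guide.
DEFAULT_TEMPLATE = """Quarantine Summary for %USER_NAME%

There are %NEW_MESSAGE_COUNT% new messages in your Spam Quarantine since you received your last Spam Quarantine Summary. These messages will automatically be deleted after %QUARANTINE_DAYS% days. To review the complete text of these messages, go to %QUARANTINE_URL% and log in.

===================== NEW QUARANTINE MESSAGES ======================
%NEW_QUARANTINE_MESSAGES%
====================================================================
"""

VAR_RE = re.compile(r"%[A-Z_]+%")      # single pass: expanded text is never re-scanned

# Constructed summaries of quarantined messages. From and Subject are spammer
# supplied, so one carries an HTML tag to show why escaping matters.
NEW_MESSAGES = [
    {"from": "LPQTech Sales <sales@lpqtech.example>", "subject": "Inkjet <b>cartridges</b>",
     "date": "2011-03-01", "id": "101"},
    {"from": "Emerson <emerson@finance.example>", "subject": "Refinance today",
     "date": "2011-03-02", "id": "102"},
    {"from": "Newsletter <news@shop.example>", "subject": "Flying carpet deals",
     "date": "2011-03-03", "id": "103"},
]

# Assumed Quarantine Settings values (format: 'multipart', 'html' or 'text').
SETTINGS = {"format": "multipart", "view": True, "release": True, "limit": 100,
            "days": 7, "url": "https://quarantine.symantecexample.com",
            "send_from": "admin@symantecexample.com",
            "subject": "Your Suspected Spam Summary"}


def summary(messages, settings, html):
    """One From/Subject/Date line per message, at most Summary line limit lines.
    View and Release links exist only in the HTML rendering, never in text."""
    lines = []
    for m in messages[:settings["limit"]]:
        fields = (m["from"], m["subject"], m["date"])
        if not html:
            lines.append("  ".join(fields))
            continue
        line = "  ".join(escape(f) for f in fields)
        base = escape(settings["url"])
        if settings["view"]:       # URL shapes below are assumptions for the example
            line += f' <a href="{base}/view?id={escape(m["id"])}">View</a>'
        if settings["release"]:
            line += f' <a href="{base}/release?id={escape(m["id"])}">Release</a>'
        lines.append(line)
    return "\n".join(lines)


def render(template, user, messages, settings, html):
    """Expand the Table 10-6 variables; unknown %NAMES% are left untouched."""
    esc = escape if html else (lambda s: s)
    values = {
        "%USER_NAME%": esc(user),
        "%NEW_MESSAGE_COUNT%": str(len(messages)),
        "%QUARANTINE_DAYS%": str(settings["days"]),
        "%QUARANTINE_URL%": esc(settings["url"]),
        "%NEW_QUARANTINE_MESSAGES%": summary(messages, settings, html),
    }
    body = VAR_RE.sub(lambda m: values.get(m.group(0), m.group(0)), template)
    return f"<html><body><pre>{body}</pre></body></html>" if html else body


def build_digest(settings, to_addr, user, messages, template=DEFAULT_TEMPLATE):
    """Return an EmailMessage: text/plain only, text/html only, or
    multipart/alternative carrying both, according to settings['format']."""
    msg = EmailMessage()
    msg["From"] = settings["send_from"]
    msg["To"] = to_addr
    msg["Subject"] = settings["subject"]        # variables are NOT expanded here
    text = render(template, user, messages, settings, html=False)
    html = render(template, user, messages, settings, html=True)
    if settings["format"] == "text":
        msg.set_content(text)
    elif settings["format"] == "html":
        msg.set_content(html, subtype="html")
    else:
        msg.set_content(text)
        msg.add_alternative(html, subtype="html")
    return msg


if __name__ == "__main__":
    digest = build_digest(SETTINGS, "tomevans@symantecexample.com", "tomevans", NEW_MESSAGES)
    print(digest.as_string())
```

Printing the multipart digest shows both renderings side by side: the text/plain part has the three summary lines with no links, and the text/html part carries the escaped subject (`&lt;b&gt;cartridges&lt;/b&gt;`) followed by the View and Release anchors.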


Configuring recipients for misidentified messages


If users or administrators find false-positive messages in the Quarantine, they can click This is not Spam to redeliver the messages to the user's inbox. You can also send a copy to a local administrator, Symantec, or both. Send copies to a local administrator in your organization who monitors misidentified messages to determine the effectiveness of Symantec Message Filter. Symantec analyzes message submissions to determine if the antispam filters need to be updated. However, Symantec does not send confirmation of the misidentified message submission to the administrator or to the user who submits the message. Because a copy of the released message leaves your organization when reporting to Symantec is enabled, consider this if the Quarantine may hold legitimate messages with sensitive content.

To configure recipients for misidentified messages
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Under Misidentified Messages, check Brightmail Logistics and Operations Center (BLOC) to report misidentified messages to Symantec. This option is enabled by default.
4  Check Administrator to send copies of misidentified messages to a local administrator, and type the appropriate email address. Type the full email address including the domain name, such as admin@symantecexample.com. The administrator email address must not be an alias; if it is, the copy of the misidentified message is not delivered to the administrator. Errors are recorded on the Log tab.
5  On the Quarantine Settings page, click Save.

About the delete unresolved email setting


By default, quarantined messages that are addressed to recipients that an LDAP lookup cannot resolve are deleted. If you clear the check box for Delete messages sent to unresolved email addresses, these messages are stored in the Quarantine postmaster mailbox instead. See Checking the Quarantine postmaster mailbox on page 287.

Note: If there is an LDAP server connection failure or the LDAP settings are not configured correctly, quarantined messages that are addressed to non-existent users are stored in the Quarantine postmaster mailbox whether the Delete unresolved email check box is selected or cleared.


Setting the Quarantine message retention period


You can change the amount of time that spam messages are kept before they are deleted. You may want to shorten the retention period if quarantined messages use too much disk space. However, a shorter retention period increases the chance that users' messages are deleted before they have been checked. The default retention period is 7 days.

By default, a Quarantine process runs at 1 A.M. every day to delete messages older than the retention period. Each time the process runs, at most 10,000 messages can be deleted, so if more than 10,000 messages expire per day the backlog of expired messages grows until the deletion frequency is increased. If your organization receives a large volume of spam messages, contact your Symantec representative for instructions on how to change the deletion frequency.

To set the Quarantine message retention period
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  In the Days to store in Quarantine before deleting box, type the maximum number of days to store messages in the Quarantine before deleting them.
4  On the Quarantine Settings page, click Save.

Configuring the number of messages to appear per page


The Messages to display per page setting specifies how many message lines appear on the message list page. Larger numbers cause the message list page to take longer to load.

To configure the number of messages to appear per page
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Click the Messages to display per page drop-down list and specify how many messages appear per page.
4  On the Quarantine Settings page, click Save.

Configuring the logon help


By default, when users click the "Need help logging in" link on the Control Center logon page, online Help appears in a new window. You can customize the logon help in the following ways:

- Modify the contents of the existing logon help page


- Specify a custom logon help page

These changes affect only the logon help page, not the rest of the online Help. Both methods require knowledge of HTML.

To modify the contents of the existing logon help page
1  Open the following file in a text editor such as WordPad or vi:
   Linux or Solaris: .../Tomcat/jakarta-tomcat-4.1.27/webapps/brightmail/help/login_help_contents.jsp
   Windows: ...\Tomcat\jakarta-tomcat-4.1.27\webapps\brightmail\help\login_help_contents.jsp
2  Edit the login_help_contents.jsp file. Use the existing contents as a guide. Although the file name extension is .jsp, the file is coded in HTML.
3  Save and exit from the login_help_contents.jsp file.

To specify a custom logon help page
1  Create a Web page that tells your users how to log in, and make the page available on your network. The Web page should be accessible from any computer where users log onto the Quarantine.
2  In the Control Center, click the Settings tab.
3  In the left pane, under System Settings, click Quarantine.
4  In the Login help URL box, type the URL of the Web page that you created. To disable your custom logon help page later, delete the contents of the Login help URL box.
5  On the Quarantine Settings page, click Save.

Specifying the Quarantine SMTP IP address


You must specify the Quarantine SMTP IP address if you want to use the "Quarantine the message" action in a Group Policy. See About group policies on page 241.

To specify the Quarantine SMTP IP address
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  In the Quarantine IP box, type the Quarantine SMTP IP address.
4  On the Quarantine Settings page, click Save.


Configuring the Quarantine port for incoming SMTP email


By default, the Quarantine accepts quarantined messages from the Scanner on port 41025, but you can change this setting if needed. You do not need to change any Scanner settings to match a change in the Quarantine Port box. Only the port is configurable here; the IP address on which the Quarantine's SMTP listener accepts connections cannot be set manually.

To configure the Quarantine port for incoming SMTP email
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  In the Quarantine Port box, type the new port.
4  On the Quarantine Settings page, click Save.

Specifying the Quarantine message and size thresholds


No alert or notification occurs when the Quarantine thresholds are exceeded. However, you can be alerted when disk space is low, which may occur when a large number of messages are in the Quarantine database. See Setting up event-based alerts on page 368.

The threshold fields can be edited even when the corresponding check box is cleared, but a threshold is enforced only when its check box is checked. Make sure that you check the check boxes when you configure the Quarantine threshold settings.

Table 10-7 lists the Quarantine options that you can configure to limit the number of messages in the Quarantine or the size of the Quarantine.

Table 10-7  Quarantine thresholds

Maximum size of quarantine database
    Maximum amount of disk space that is used for quarantined messages. When a new message arrives after the threshold is met, the 10 oldest messages are deleted, and the new message is kept. If you do not check the check box, the oldest messages are not deleted, but the alert is sent when usage exceeds 90% of the specified value.

Maximum size per user
    Maximum amount of disk space that is used for quarantined messages, per user. When a new message arrives after the threshold is met, the 10 oldest messages of that user are deleted, and the new message is kept.


Table 10-7  Quarantine thresholds (continued)

Maximum number of messages
    Maximum number of messages for all users (the same message sent to multiple recipients counts as one message). When a new message arrives after the threshold is met, the oldest message is deleted, and the new message is kept.

Maximum number of messages per user
    Maximum number of quarantined messages per user. When a new message arrives after the threshold is met, the oldest message of that user is deleted, and the new message is kept.

To specify the Quarantine message and size thresholds
1  In the Control Center, click the Settings tab.
2  In the left pane, under System Settings, click Quarantine.
3  Under Quarantine Thresholds, for each threshold that you want to enforce, select its check box and enter the size threshold or message threshold.
4  Click Save.
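The eviction rules in Table 10-7 are easy to misjudge when sizing a Quarantine, because the two size thresholds drop ten messages at a time and a message sent to several recipients is stored and counted once. The following Python simulation, added here as an example and not product code, applies the four rules to a constructed store so that you can see how many messages a given setting actually removes. The message sizes, recipients and limits are constructed, and "threshold is met" is read as "the current value has reached the configured limit", which is an assumption about the product's comparison.

```python
"""Simulation of the four Quarantine thresholds in Table 10-7.
Added example; not product code. Messages, sizes and limits are constructed."""


class QuarantineStore:
    """Arrival-ordered message store. A limit left as None is an unchecked
    box: the field may hold a value, but nothing is enforced."""

    def __init__(self, max_db_bytes=None, max_user_bytes=None,
                 max_messages=None, max_user_messages=None):
        self.max_db_bytes = max_db_bytes
        self.max_user_bytes = max_user_bytes
        self.max_messages = max_messages
        self.max_user_messages = max_user_messages
        self.messages = []          # oldest first; {"id", "size", "recipients"}

    def _of(self, user=None):
        """Messages counted for the whole store or for one recipient. A message
        sent to several recipients is stored once and counts once overall."""
        return [m for m in self.messages if user is None or user in m["recipients"]]

    def size(self, user=None):
        return sum(m["size"] for m in self._of(user))

    def count(self, user=None):
        return len(self._of(user))

    def _evict_oldest(self, n, user=None):
        victims = self._of(user)[:n]
        for v in victims:
            self.messages.remove(v)
        return [v["id"] for v in victims]

    def add(self, msg):
        """Apply Table 10-7 on arrival, then keep the new message.
        Returns the ids deleted to make room. Assumption: a threshold is
        'met' once the current value reaches the configured limit."""
        deleted = []
        if self.max_db_bytes is not None and self.size() >= self.max_db_bytes:
            deleted += self._evict_oldest(10)               # ten oldest, not one
        if self.max_messages is not None and self.count() >= self.max_messages:
            deleted += self._evict_oldest(1)
        for user in msg["recipients"]:
            if self.max_user_bytes is not None and self.size(user) >= self.max_user_bytes:
                deleted += self._evict_oldest(10, user)     # ten oldest of that user
            if self.max_user_messages is not None and self.count(user) >= self.max_user_messages:
                deleted += self._evict_oldest(1, user)
        self.messages.append(msg)
        return deleted


def fill(store, n, size, recipients=("alice",), prefix="m"):
    """Add n constructed messages of equal size; return every id evicted on the way."""
    evicted = []
    for i in range(1, n + 1):
        evicted += store.add({"id": f"{prefix}{i}", "size": size,
                              "recipients": list(recipients)})
    return evicted


if __name__ == "__main__":
    db = QuarantineStore(max_db_bytes=100)
    fill(db, 10, 10)                                         # exactly at the limit
    print(db.add({"id": "m11", "size": 10, "recipients": ["alice"]}))
    print(db.count())                                        # only m11 remains
```

With a 100-byte database limit and 10-byte messages, the eleventh arrival removes all ten earlier messages, which is why the size thresholds should be set with plenty of headroom above the expected steady-state volume.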

Administering the Quarantine


This section describes the ways in which you can administer the Quarantine:

- Starting and stopping the Quarantine
- Checking the Quarantine postmaster mailbox
- About checking the Quarantine error log
- About backing up the Quarantine message database
- Troubleshooting the Quarantine

Starting and stopping the Quarantine


The installer configures the Quarantine to start when the computer is turned on and to stop when the computer is turned off. However, there may be times when you need to manually stop and restart the Quarantine processes, for example, to investigate a problem on the computer where the Quarantine is installed.


Note: If you need to use the Tomcat commands in .../Tomcat/jakarta-tomcat-version/bin/, you must first source the file /opt/brightmail/bmiq-env.sh to set JAVA_HOME and CATALINA_HOME. The init scripts shown below do not require sourcing bmiq-env.sh.

To start the Quarantine processes on Linux and Solaris
1  To start Tomcat and related processes such as the Expunger and Notifier, log on as root or use sudo and run the following command:

   # /etc/init.d/tomcat4 start
   Using CATALINA_BASE:   /opt/brightmail/Tomcat/jakarta-tomcat-4.1.27
   Using CATALINA_HOME:   /opt/brightmail/Tomcat/jakarta-tomcat-4.1.27
   Using CATALINA_TMPDIR: /opt/brightmail/Tomcat/jakarta-tomcat-4.1.27/temp
   Using JAVA_HOME:       /opt/brightmail/jre

2  To start MySQL, log on as root or use sudo and run the following command:

   # /etc/init.d/mysql.server start
   Starting mysqld daemon with databases from /opt/brightmail/MySQL/mysql-pro-4.0.16-sun-solaris2.8-sparc/data

To stop the Quarantine processes on Linux and Solaris
1  To stop MySQL, log on as root or use sudo and run the following command:

   # /etc/init.d/mysql.server stop
   Killing mysqld with pid NNNNN
   Wait for mysqld to exit. done

2  To stop Tomcat and related processes such as the Expunger and Notifier, log on as root or use sudo and run the following command:

   # /etc/init.d/tomcat4 stop
   Using CATALINA_BASE:   /opt/brightmail/Tomcat/jakarta-tomcat-4.1.27
   Using CATALINA_HOME:   /opt/brightmail/Tomcat/jakarta-tomcat-4.1.27
   Using CATALINA_TMPDIR: /opt/brightmail/Tomcat/jakarta-tomcat-4.1.27/temp
   Using JAVA_HOME:       /opt/brightmail/jre


To start the Quarantine services on Windows
1  Click Start, point to Programs, point to Administrative Tools, and click Services.
2  Navigate to and click Tomcat.
3  Click the Start Service triangle at the top of the Services window to start Tomcat.
4  Navigate to and click MySql.
5  Click the Start Service triangle at the top of the Services window to start MySql.
6  Close the Services window.

To stop the Quarantine services on Windows
1  Click Start, point to Programs, point to Administrative Tools, and click Services.
2  Navigate to and click MySql.
3  Click the Stop Service square at the top of the Services window to stop MySql.
4  Navigate to and click Tomcat.
5  Click the Stop Service square at the top of the Services window to stop Tomcat.
6  Close the Services window.

Checking the Quarantine postmaster mailbox


If the Quarantine cannot determine the proper recipient for a message that it receives, it delivers the message to a postmaster mailbox that is accessible from the Quarantine. Your network may also have a postmaster mailbox that you access with a mail client; that mailbox is separate from the Quarantine postmaster mailbox. Spam messages may also be delivered to the Quarantine postmaster mailbox if there is a problem with the LDAP configuration. No notification messages are sent for the postmaster mailbox.

To check the Quarantine postmaster mailbox
1  Log into the Control Center as an administrator with full privileges or Manage Quarantine rights.
2  In the Control Center, click the Settings tab.
3  In the left pane, under System Settings, click Quarantine.
4  Click Search.


5  In the To box, type postmaster.
6  Click Search.

About checking the Quarantine error log


Periodically, you should check the Quarantine error log. All errors that are related to the Quarantine are written to the BrightmailLog.log file, which is located in the Quarantine installation directory. The default locations are as follows:

   Linux and Solaris: /opt/brightmail/sbas/ControlCenter/BrightmailLog.log
   Windows: C:\Program Files\BrightmailAnti-Spam\BrightmailLog.log

This file is a plain text file that you can view with a text editor such as Notepad or vi. Each problem results in a number of lines in the error log. See Troubleshooting the Quarantine on page 289.

Increasing the amount of logging information in the BrightmailLog.log


If you have problems with the Quarantine, you can increase the detail of the log messages that are written to BrightmailLog.log by changing the settings in the log4j.properties file. BrightmailLog.log contains logging information for both the Quarantine and the Control Center. Raising the logging level in log4j.properties generates a large volume of log data, so you should also increase the maximum size of BrightmailLog.log.

To increase the amount of logging information in the BrightmailLog.log

1. Open the following file in a text editor such as WordPad or vi:
   Linux and Solaris: .../Tomcat/jakarta-tomcat-version/webapps/brightmail/WEB-INF/classes/log4j.properties
   Windows: ...\Tomcat\jakarta-tomcat-version\webapps\brightmail\WEB-INF\classes\log4j.properties
2. Find the following line:
   #log4j.rootLogger=ERROR, file
3. Change the word ERROR to DEBUG. If the line begins with #, it is a comment and has no effect; remove the # as well so that the setting takes effect.
4. Find the following line:
   log4j.appender.file.MaxFileSize=5MB
5. Change 5MB to the size that you want, such as 10MB.
6. Find the line that begins with log4j.appender.file.MaxBackupIndex=
7. Change the number after MaxBackupIndex to the number that you want, such as 40. This setting determines the number of saved BrightmailLog.log files. For example, if you specify 2, BrightmailLog.log contains the newest information, BrightmailLog.log.1 contains the next newest, and BrightmailLog.log.2 contains the oldest information. When BrightmailLog.log reaches the size that log4j.appender.file.MaxFileSize indicates, it is renamed to BrightmailLog.log.1 and a new BrightmailLog.log file is created. The original BrightmailLog.log.1 is renamed to BrightmailLog.log.2, and so on. This number plus one (for the current file), times the value of log4j.appender.file.MaxFileSize, determines the amount of disk space that is required for these logs.
8. Save and exit from the log4j.properties file.
9. Change the settings of the log4j.properties file back to the original settings when you finish debugging the Quarantine.
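The following script is an added example and is not part of the Symantec guide or product. It applies the three settings from the procedure above (log4j.rootLogger, log4j.appender.file.MaxFileSize, log4j.appender.file.MaxBackupIndex) to a log4j.properties file, un-comments the rootLogger line if it is commented out, and reports the worst-case disk space the rotated logs can occupy. The sample file contents are constructed; the path of the real file is the one given in step 1.

```python
"""Raise or restore the Quarantine log4j logging level and rotation budget.

Added example, not code from the Symantec guide. Edits the keys named in
the procedure above in a log4j.properties file and reports how much disk
the rotated BrightmailLog.log files can consume. SAMPLE_PROPERTIES is a
constructed excerpt; point update_file() at the real file under
.../Tomcat/.../WEB-INF/classes/ to change it in place.
"""
import re
import shutil
import sys

# Constructed sample of the relevant part of log4j.properties.
SAMPLE_PROPERTIES = """\
# Control Center / Quarantine logging (constructed sample)
#log4j.rootLogger=ERROR, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=BrightmailLog.log
log4j.appender.file.MaxFileSize=5MB
log4j.appender.file.MaxBackupIndex=2
"""

_UNITS = {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(value):
    """Convert a log4j size such as '5MB' or '10240KB' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*(KB|MB|GB)?\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised log4j size: %r" % value)
    return int(m.group(1)) * _UNITS[(m.group(2) or "").upper()]


def get_property(text, key):
    """Return the active (uncommented) value of key, or None."""
    m = re.search(r"^[ \t]*%s[ \t]*=[ \t]*(.*?)[ \t]*$" % re.escape(key),
                  text, re.MULTILINE)
    return m.group(1) if m else None


def set_property(text, key, value):
    """Set key=value, replacing a commented-out line such as '#key=...' too.

    A line that starts with '#' is a comment in a Java properties file, so
    changing ERROR to DEBUG on '#log4j.rootLogger=ERROR, file' has no effect
    unless the '#' is removed as well.
    """
    pattern = re.compile(r"^[ \t]*#?[ \t]*%s[ \t]*=.*$" % re.escape(key),
                         re.MULTILINE)
    new_line = "%s=%s" % (key, value)
    text, count = pattern.subn(lambda _m: new_line, text, count=1)
    if count == 0:
        text = text.rstrip("\n") + "\n" + new_line + "\n"
    return text


def set_logging(text, level, max_file_size, max_backup_index):
    """Apply the three settings from the procedure to the file contents."""
    text = set_property(text, "log4j.rootLogger", "%s, file" % level)
    text = set_property(text, "log4j.appender.file.MaxFileSize", max_file_size)
    text = set_property(text, "log4j.appender.file.MaxBackupIndex",
                        str(max_backup_index))
    return text


def disk_budget_bytes(text):
    """Worst-case space for BrightmailLog.log plus its MaxBackupIndex copies."""
    size = parse_size(get_property(text, "log4j.appender.file.MaxFileSize"))
    backups = int(get_property(text, "log4j.appender.file.MaxBackupIndex"))
    return size * (backups + 1)


def update_file(path, level="DEBUG", max_file_size="10MB", max_backup_index=40):
    """Edit a real log4j.properties in place, keeping a .orig copy for step 9."""
    shutil.copyfile(path, path + ".orig")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    text = set_logging(text, level, max_file_size, max_backup_index)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return disk_budget_bytes(text)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("log budget: %d bytes" % update_file(sys.argv[1]))
    else:
        debug = set_logging(SAMPLE_PROPERTIES, "DEBUG", "10MB", 40)
        print(debug)
        print("log budget: %d bytes" % disk_budget_bytes(debug))
```

Run it with the path of log4j.properties as the only argument to apply the DEBUG settings, or with no argument to see the effect on the constructed sample. To revert (step 9), copy the .orig file back over log4j.properties.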

About backing up the Quarantine message database


Messages in the Quarantine are stored in a MySQL database. See About backing up MySQL data on page 119.

Troubleshooting the Quarantine


The following sections address the issues that you might have with the Quarantine.

Message "The operation could not be performed" appears


You may see the following message appear at the top of the Quarantine page when you view email messages in the Quarantine:
The operation could not be performed.

If you see this message, check the Quarantine error log. See About checking the Quarantine error log on page 288.


Cannot log on due to conflicting LDAP and Control Center accounts


If there is an account in your LDAP directory with the user name of "admin," you cannot log on to Quarantine as that user. You can only log on as the Control Center administrator with that user name. The existing LDAP admin account conflicts with the default Control Center administrator, which is also admin. To address this problem, you can change either the user name in LDAP or the user name of the Control Center administrator.

Error in the Quarantine log file due to large spam messages


If you check the Quarantine log file and see lines similar to those that appear below, the messages that Symantec Message Filter forwarded to the Quarantine are larger than the standard packet size that MySQL uses (the MySQL max_allowed_packet setting; the 1048576 in the example is its 1 MB default). If you see this error and expect to receive more large messages, you can configure the MySQL client and server to accept larger packets. For more information, on the Internet, go to the following URL: http://www.mysql.com/doc/en/Packet_too_large.html

com.mysql.jdbc.PacketTooBigException: Packet for query is too large (3595207 > 1048576)
  at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)
  at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1540)
  at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1005)
  at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1109)
  at com.mysql.jdbc.Connection.execSQL(Connection.java:2030)
  at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:1750)
  at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:1596)
  at org.apache.commons.dbcp.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:207)
  at com.brightmail.dl.jdbc.impl.DatabaseSQLManager.handleUpdate(Unknown Source)
  at com.brightmail.dl.jdbc.impl.DatabaseSQLManager.handleUpdate(Unknown Source)
  at com.brightmail.dl.jdbc.impl.DatabaseSQLTransaction.create(Unknown Source)
  at com.brightmail.bl.bo.impl.SpamManager.create(Unknown Source)
  at com.brightmail.service.smtp.impl.SmtpConsumer.run(Unknown Source)


Users do not see distribution list messages in their Quarantine


When Symantec Message Filter forwards a spam message that is sent to a distribution list to the Quarantine, the message is not delivered in the intended recipients' quarantine. Instead, the message is delivered to a special Quarantine mailbox for that distribution list. See About notification for distribution lists and aliases on page 276.

Undeliverable Quarantined messages go to the Quarantine postmaster mailbox


If the Quarantine cannot determine the proper recipient for a message that is received from Symantec Message Filter, it delivers the message to a postmaster mailbox that is accessible from the Quarantine. Your network may also have a postmaster mailbox that you access with a mail client that is separate from the Quarantine postmaster mailbox. See Checking the Quarantine postmaster mailbox on page 287.

Error in the Quarantine log file due to running out of disk space or full work directory
If you check the Quarantine log file and see lines similar to those listed below, first make sure that you have not run out of disk space on the computer where the Quarantine is installed.

9 Jan 2004 00:00:22 (ERROR:5396:6396):[2032] Error connecting to 192.168.1.4:41025: Unknown Error; Out of range.
9 Jan 2004 00:00:22 (ERROR:5396:6396):[4042] smtp_direct: failed to connect to SMTP server.
9 Jan 2004 00:00:22 (ERROR:5396:6396):[4019] Module SMTP_DIRECT failed on message C:\Program Files\Brightmail\bmispool\1184.1072896064.9305:processing halted.

If that is not the problem, perform the following procedure:

To resolve the Quarantine log file error

1. Delete the following directory:
   Linux and Solaris: .../Tomcat/jakarta-tomcat-version/work
   Windows: ...\Tomcat\jakarta-tomcat-version\work
2. Restart the computer where the Quarantine is installed.
3. Make sure the following directory is empty:
   Linux and Solaris: /opt/brightmail/bmispool
   Windows: C:\Program Files\Brightmail\bmispool
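The following script is an added example and is not code from the Symantec guide or product. It scans Quarantine log lines for the two error signatures described above, the PacketTooBigException from large messages and the SMTP_DIRECT failures from a full disk or work directory, and turns each into a finding with the next step the guide recommends. The log excerpt is constructed from the line shapes shown above; the packet-size recommendation rounds the largest failing packet up to a power of two.

```python
"""Triage the two Quarantine log error signatures described above.

Added example, not code from the Symantec guide. It scans log lines for
com.mysql.jdbc.PacketTooBigException (a quarantined message larger than
MySQL's max_allowed_packet, 1048576 bytes by default) and for SMTP_DIRECT
connection and spool failures, and reports what to do next. SAMPLE_LOG is
constructed from the shapes shown in the guide.
"""
import re

SAMPLE_LOG = """\
com.mysql.jdbc.PacketTooBigException: Packet for query is too large (3595207 > 1048576)
 at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)
 at com.brightmail.service.smtp.impl.SmtpConsumer.run(Unknown Source)
9 Jan 2004 00:00:22 (ERROR:5396:6396):[2032] Error connecting to 192.168.1.4:41025: Unknown Error; Out of range.
9 Jan 2004 00:00:22 (ERROR:5396:6396):[4042] smtp_direct: failed to connect to SMTP server.
9 Jan 2004 00:00:22 (ERROR:5396:6396):[4019] Module SMTP_DIRECT failed on message C:\\Program Files\\Brightmail\\bmispool\\1184.1072896064.9305:processing halted.
9 Jan 2004 00:05:10 (INFO:5396:6396):[1000] delivered 12 messages
com.mysql.jdbc.PacketTooBigException: Packet for query is too large (9000000 > 1048576)
"""

PACKET_RE = re.compile(
    r"PacketTooBigException: Packet for query is too large \((\d+) > (\d+)\)")
SMTP_DIRECT_RE = re.compile(
    r"smtp_direct: failed to connect"
    r"|Module SMTP_DIRECT failed on message (.+?):processing halted")


def suggested_max_allowed_packet(needed_bytes):
    """Smallest power of two, at least 1 MB, that fits the largest packet."""
    size = 1 << 20
    while size < needed_bytes:
        size <<= 1
    return size


def triage(log_text):
    """Classify each line and summarise the findings."""
    findings = {"packet_too_big": [], "smtp_direct": [], "spool_files": []}
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            findings["packet_too_big"].append((int(m.group(1)), int(m.group(2))))
            continue
        m = SMTP_DIRECT_RE.search(line)
        if m:
            findings["smtp_direct"].append(line.strip())
            if m.group(1):  # the spool file named in the 'Module ... failed' line
                findings["spool_files"].append(m.group(1))
    largest = max((needed for needed, _ in findings["packet_too_big"]),
                  default=None)
    findings["recommended_max_allowed_packet"] = (
        suggested_max_allowed_packet(largest) if largest else None)
    return findings


def advice(findings):
    """Next steps, one line per problem class found."""
    lines = []
    if findings["packet_too_big"]:
        mb = findings["recommended_max_allowed_packet"] // (1 << 20)
        lines.append("Messages exceed MySQL's packet limit: raise max_allowed_packet "
                     "to at least %dM on the MySQL server and client." % mb)
    if findings["smtp_direct"]:
        lines.append("SMTP_DIRECT failed (%d lines, %d spool files): check free disk "
                     "space first; if that is not it, delete the Tomcat work "
                     "directory, restart, and confirm bmispool is empty."
                     % (len(findings["smtp_direct"]), len(findings["spool_files"])))
    return lines


if __name__ == "__main__":
    for line in advice(triage(SAMPLE_LOG)):
        print(line)
```

To run it against a real log, read BrightmailLog.log into a string and pass it to triage(); the stack-trace lines after the PacketTooBigException line are ignored, since only the first line carries the two sizes.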

Users receive notification messages but cannot access messages in the Quarantine
If some end users can log into the Quarantine and read their spam messages, but others get a message saying that there are no messages to display, there may be a problem with the Active Directory (LDAP) configuration. Typically, the users who cannot access their messages are in a different Active Directory domain than the users who can. Configure LDAP in the Control Center to use a Global Catalog, port 3268, and verify that the nCName attribute is replicated to the Global Catalog. See Configuring a Global Catalog to work with the Quarantine on page 257.

Duplicate messages appear in the Quarantine when you log on as administrator


You may notice multiple copies of the same message when you log into the Quarantine as an administrator. When you read one of the messages, all of them are marked as read. This behavior is intentional. If a message is addressed to multiple users at your company, the Quarantine stores one copy of the message in its database, although the status (for example, read and deleted) of each user's message is stored per-user. Because the administrator views all users' messages, the administrator sees every user's copy of the message. If the administrator clicks This is not Spam, just the selected message or messages are redelivered to the users' mailboxes, not all the duplicate messages.


Maximum number of messages in the Quarantine


If you do not set any Quarantine thresholds and your computer has adequate capacity, the number of messages that can be stored in the Quarantine is bounded only by the 1 TB (terabyte) MySQL storage limit. A message that is sent to multiple recipients counts as one message. See Specifying the Quarantine message and size thresholds on page 284.

Copies of misidentified messages are not delivered to the administrator


If you type an email address in the Administrator box under Misidentified Messages on the Quarantine Settings page but the messages are not delivered to that address, make sure the email address is not an email alias. The administrator email address for misidentified messages must be a primary email address that includes the domain name, such as admin@symantecexample.com.


Chapter 11

Creating reports
This chapter includes the following topics:

About reports
Working with reports
Report generation error

About reports
Symantec Message Filter reports can provide you with information about filtering activity at your site. With Symantec Message Filter reports, you can do the following tasks:

Analyze consolidated filtering performance for all Scanners and investigate the spam and virus attacks that target your organization.
Create several predefined reports that track useful information, such as which domains are the source of most spam and which recipients are the top targets of spammers.
Export report data for use in any reporting software or spreadsheet software for further analysis.
Schedule reports to be emailed at specified intervals.

You run, schedule, and customize reports from the Control Center.

About available reports


By default, Symantec Message Filter keeps track of the following totals over all Scanners for the time period that you specify:

Messages processed by a given Scanner
Spam messages that are detected
Suspected spam messages that are detected, based on your Spam Scoring settings
Total blocked messages, based on the entries in your Blocked Senders List
Total allowed messages, based on the entries in your Allowed Senders List
False positives, or possibly legitimate messages that a Scanner has identified as spam
Total viruses and worms

Table 11-1, Table 11-2, and Table 11-3 list the preset reports that you can generate and their contents. The last column lists the reporting data that you must instruct Symantec Message Filter to track before you can generate the specified report.

Table 11-1 Mail summary report

Mail Summary
  Displays: A summary of total mail
  Required report data storage options: None

Table 11-2 Virus reports

Detection
  Displays: A summary of total viruses and worms
  Required report data storage options: None

Top Sender Domains
  Displays: The domain names of the senders of viruses and worms
  Required report data storage options: Senders, Sender domains

Top Senders
  Displays: The email addresses of the top senders of viruses and worms
  Required report data storage options: Senders, Sender domains

Specific Senders
  Displays: Number of viruses and worms by the senders that you specify
  Required report data storage options: Senders, Sender domains

Top Sender HELO Domains*
  Displays: Domain names of the SMTP HELO servers from which viruses and worms are received
  Required report data storage options: Sender HELO domains

Top Sender IP Connections*
  Displays: The top IP connections from which viruses and worms are received
  Required report data storage options: Senders, Sender domains

Top Recipients Domains
  Displays: The domain names of the recipients of viruses and worms
  Required report data storage options: Recipient Domains

Specific Recipients
  Displays: The filtering activity for specific email addresses that you choose
  Required report data storage options: Recipients

Top Recipients
  Displays: The email addresses of the top recipients of viruses and worms
  Required report data storage options: Recipients

Table 11-3 Summary reports

Detection
  Displays: A summary of total detected messages (spam, blocked, allowed, and suspected spam messages); also reports false positives
  Required report data storage options: None

Top Sender Domains
  Displays: The domain names of the senders of detected messages
  Required report data storage options: Sender domains

Top Senders
  Displays: The email addresses of the top senders of filtered messages
  Required report data storage options: Senders

Specific Senders
  Displays: Detected messages from the senders that you specify
  Required report data storage options: Senders

Top Sender HELO Domains*
  Displays: Domain names of the SMTP HELO servers from which messages are received
  Required report data storage options: Sender HELO domains

Top Sender IP Connections*
  Displays: The top IP connections from which spam is received
  Required report data storage options: Senders

Top Recipients Domains
  Displays: The domain names of the recipients of detected messages
  Required report data storage options: Recipient Domains

Specific Recipients
  Displays: The filtering activity for specific email addresses that you choose
  Required report data storage options: Recipients

Top Recipients
  Displays: The email addresses of the top recipients of detected messages
  Required report data storage options: Recipients

* If you are running any Scanners in internal relay configurations, the SMTP HELO name or IP connection address could be the name or connection of your gateway computer, rather than the Internet address you might expect.

You can choose from a selection of reports. You can customize reports to include specific date ranges, time period groupings, email delivery, and a choice of comma-separated value (CSV) or HTML output options. For some reports, you can filter based on specific recipients and senders. See About planning for disk space storage needs on page 34. See Setting the retention period for reporting data on page 300.

About the report data


The Processed column in the report shows the total number of messages that were processed. Each of the columns to the right of the Processed column shows the number of messages and their categories and the percent that category represents of the total messages processed. Table 11-4 lists some information that you should consider when you evaluate reports.


Table 11-4 Report data

Information: Reports are presented in the local time of the Control Center.
Description: Symantec Message Filter stores statistics in the stats directory on the individual hosts that run Scanners. The date and hour for each set of these statistics are recorded in Greenwich Mean Time (GMT). A single Control Center that is connected to all the Scanners generates the reports that represent all the connected hosts, and the combined numbers from all Scanners are presented in the local time zone of the Control Center. Although the reports themselves do not list times (they list only a date), you should be aware of the implications of the GMT/local time conversion. The boundaries for splitting the reporting data into groups of days, weeks, or months are set from the perspective of the Control Center. For example, in the summer California is 7 hours behind GMT. Assume that a Scanner receives and marks a message as spam at 5:30 P.M. local time on Friday, April 23 (12:30 A.M. GMT on Saturday, April 24). When you generate the report, Symantec Message Filter determines the day to which the email belongs based on where the report is generated. If the Control Center is in Greenwich, the report counts it in GMT (the local time zone) and increases the spam count for April 24. If the Control Center is in San Francisco, California, the report counts it in Pacific Daylight Time (the local time zone) and increases the spam count for April 23.

Information: By default, data is saved for one week.
Description: By default, statistics are retained for seven days. If Symantec Message Filter already has seven days of data, the oldest hour of statistics is deleted as each new hour of statistics is stored. See Setting the retention period for reporting data on page 300.

Information: Statistics are recorded per message delivery, not per message.
Description: For example, if a single email lists 12 recipients, that email is delivered to all 12 and therefore increases the processed count by 12 for that day. If the message is spam, it also increases the spam count by 12 for that day. Note that if you run a Spam: Specific Recipients report in this situation and list one of the 12 recipients, both the processed count and the spam count for that recipient increase by 1.

Information: Virus messages are double-counted when both the Clean and Deliver action is selected.
Description: For virus reports, if you configure the AntiVirus Cleaner to deliver clean mail to the same instance of the MTA that runs Symantec Message Filter, the virus message is double-counted in the Processed total in the virus report. It is counted one time for the original virus message and another time for the cleaned message.

Information: Reports are limited to 1,000 rows.
Description: The maximum size for any report (including a scheduled report) is 1,000 rows.
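The following script is an added example, not code from the Symantec guide or product. It reproduces the counting rules in Table 11-4: Scanner statistics are recorded in GMT, each hour is assigned to a report day in the Control Center's local time zone, every delivery (one per recipient) counts separately, a Specific Recipients filter counts only that recipient's deliveries, and statistics older than the retention period are dropped. The records are constructed, and the time zones are fixed offsets (GMT, and GMT-7 for Pacific Daylight Time as the guide's California example states) so that the example does not need a time zone database.

```python
"""Day bucketing and per-delivery counting for report statistics.

Added example, not code from the Symantec guide. Scanners record each hour
of statistics in GMT; the Control Center assigns each hour to a day in its
own local time zone and counts one event per delivery (one per recipient),
as Table 11-4 describes. RECORDS are constructed, and the time zones are
fixed offsets so that the example runs without a time zone database.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

GMT = timezone.utc
PDT = timezone(timedelta(hours=-7), "PDT")  # California in summer, per the guide

# Constructed Scanner statistics: (timestamp in GMT, verdict, recipients).
# The first record is the guide's example: 5:30 P.M. PDT on Friday April 23
# is 12:30 A.M. GMT on Saturday April 24.
RECORDS = [
    (datetime(2004, 4, 24, 0, 30, tzinfo=GMT), "spam", ["a@example.com"]),
    (datetime(2004, 4, 24, 9, 0, tzinfo=GMT), "spam",
     ["r%d@example.com" % i for i in range(1, 13)]),        # 12 recipients
    (datetime(2004, 4, 24, 10, 0, tzinfo=GMT), "clean",
     ["r1@example.com", "b@example.com"]),
]


def report_day(ts_gmt, control_center_tz):
    """The report day is decided in the time zone where the report is made."""
    return ts_gmt.astimezone(control_center_tz).date().isoformat()


def daily_counts(records, control_center_tz, recipient=None):
    """Return {day: {"processed": n, "spam": m}}, counting per delivery.

    With recipient set, only deliveries to that address count, so a
    12-recipient spam message adds 1 rather than 12 (Specific Recipients).
    """
    days = defaultdict(Counter)
    for ts, verdict, recipients in records:
        deliveries = [r for r in recipients
                      if recipient is None or r == recipient]
        if not deliveries:
            continue
        day = report_day(ts, control_center_tz)
        days[day]["processed"] += len(deliveries)
        if verdict == "spam":
            days[day]["spam"] += len(deliveries)
    return {day: dict(counts) for day, counts in days.items()}


def purge_expired(records, now_gmt, retention_days=7):
    """Drop statistics older than the retention period (default one week)."""
    cutoff = now_gmt - timedelta(days=retention_days)
    return [rec for rec in records if rec[0] >= cutoff]


if __name__ == "__main__":
    for name, tz in (("Greenwich", GMT), ("San Francisco", PDT)):
        print(name, daily_counts(RECORDS, tz))
    print("r1@example.com", daily_counts(RECORDS, PDT, "r1@example.com"))
```

Running it shows the same spam message landing on April 24 for a Control Center in Greenwich and on April 23 for one in San Francisco, and the 12-recipient message contributing 12 to the totals but only 1 to the r1@example.com filter.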

Setting the retention period for reporting data


You can specify the number of days, weeks, or months that Symantec Message Filter should keep track of reports data. Depending on your organization's size and message volume, the disk storage requirements for reports data can be quite large. You should monitor the storage that is required for reporting over time and adjust the retention period accordingly. See About planning for disk space storage needs on page 34.

To set the retention period for reporting data

1. In the Control Center, click the Reports tab, and then click Settings.
2. Change the number of days, weeks, or months that Symantec Message Filter keeps track of your reporting data.
3. Click Save.

Selecting the data to track


By default, Symantec Message Filter tracks data for the following reports: Spam Detection and Virus Detection. Before you can generate other reports, you must configure Symantec Message Filter to track and store data appropriate for the report. For example, to generate recipient-based reports such as Spam/Virus: Specific Recipients, you must configure Symantec Message Filter to store recipient information. See About the report data on page 298.

To select the data to track

1. In the Control Center, click the Reports tab.
2. Click Settings.
3. Under Reports Data Storage, select the report data that you want to track.
4. Click Save.


Working with reports


You can perform the following tasks with reports:

Running reports
Saving reports
Printing reports
Scheduling, editing, or deleting reports

Running reports
You can run an ad hoc report to get a summary of filtering activity, provided that report data exists to generate a given report type. The report results appear in the browser window. Before you generate a report, ensure that you have configured Symantec Message Filter to track the appropriate data for the report. See Selecting the data to track on page 300.

To run a report

1. In the Control Center, click the Reports tab.
2. Under Report Filter, click the Report type drop-down menu and select a report type.
3. Click the Time Range drop-down list and do one of the following:
   To specify a preset range: Select Past Hour, Past Day, Past Week, or Past Month.
   To specify a custom time range: Click Customize, and then click the Start date and End date fields to specify the dates. When you click the Start Date and End Date fields, a calendar appears to let you graphically select a date. You must enable JavaScript for the calendar to appear.
4. Click the Group By drop-down list and select the time frame by which you want the report grouped.
5. For the reports that rank results, such as Spam: Top Senders, in the Display top <n> entries field, type the number of entries that you want to display per group.
6. For the reports that filter on specific recipients or senders, such as Spam: Specific Recipients or Virus: Specific Recipients, in the Recipients field or the Senders field, type an email address. Separate multiple senders or recipients with spaces, commas, or semicolons. Some tips on how to specify addresses are as follows:
   To match on user_1@domain.com, you can use the fully qualified email address (user_1@domain.com) or the alias alone (user_1).
   If a user name matches more than one email address (for example, user_1@domain1.com and user_1@domain2.com), all addresses with that alias appear in the report.
7. Click Run Report. If there is data available, the report that you selected appears in the browser window. Depending on how much data is available for the report that you selected, report generation may take up to several minutes.

Saving reports
Once you create a report in the Control Center, you can save the report. You can save the results in a Web-based format, such as HTML, or export the report to a comma-delimited format that is suitable for importing into spreadsheet or database applications. If you use Netscape 7.1 and your browser saves exported .csv reports with a .do extension, set the Helper Application MIME type correctly in Netscape Preferences. See Running reports on page 301.

To save a report

1. In a report, click Save as HTML or Save as CSV. These options appear only if there is data for the specified report parameters.
2. In the File Download dialog box, click Save.
3. In the Save As dialog box, specify the location where you want to save the exported report and click Save.
4. In the File dialog box, select the location where you want to save the report.

Printing reports
After you create a report, you can print it. See Running reports on page 301.

To print a report

1. In a report, click Print Report.


Scheduling, editing, or deleting reports


You can schedule some reports to run automatically at specified intervals. You can also specify that scheduled reports be emailed to one or more recipients.

Note: Reports that filter based on specific senders or recipients, such as Spam: Specific Senders, Spam: Specific Recipients, Virus: Specific Senders, and Virus: Specific Recipients, cannot be scheduled.

Ensure that you configure Symantec Message Filter to track the appropriate data for the report. See Selecting the data to track on page 300.

To schedule a report

1. In the Control Center, click Settings.
2. Under System Settings, click Reports.
3. Under Scheduled Reports, click Add.
4. Under Scheduled Reports, click the Report type list and select the type of report that you want to schedule.
5. Click the Group by list, and select Hour, Day, Week, or Month.
6. In the Top entries field, specify the number of entries that you want to display per group.
7. Click the Time range list, and select Past Hour, Past Day, Past Week, or Past Month.
8. Under Report Generation Time, in the Generate report at fields, specify the time at which you want to generate the report.
9. Based on the reporting interval that you want, perform one of the following tasks:
   To schedule daily reports: Click Daily, and click Every day or Weekdays only.
   To schedule weekly reports: Click Weekly, and click any combination of days.
   To schedule monthly reports: Click Monthly, and specify a day of the month or click Last day of every month.
10. Under Report Format, select one of the following options to specify the format:
   HTML: Formats the report in HTML format.
   CSV: Formats the report in comma-separated-values format.
11. Under Report Destination, in the Send to the following email addresses field, type at least one email address. You can use spaces, commas, or semicolons as separators between email addresses, which lets you paste addresses copied from email clients.
12. Click Save.
13. In the Send from field on the Report Settings page, type the email address from which reports should appear to be sent.
14. Click Save.
To edit a scheduled report

1. In the Control Center, click Settings.
2. Under System Settings, click Reports.
3. Under Scheduled Reports, check the option beside the scheduled report that you want to edit.
4. Click Edit. You can also click the underlined report name to go directly to the edit page for the report.
5. Edit the settings.
6. Click Save.

To delete a scheduled report

1. In the Control Center, click Settings.
2. Under System Settings, click Reports.
3. Under Scheduled Reports, select any of the reports that you want to delete.
4. Click Delete.

See About reports on page 295.


Report generation error


Instead of displaying the expected report, Symantec Message Filter might display the following message:

No data for the specified parameters

If you receive this message, verify the following:

Data exists for the filter that you specified. For example, perhaps you specified a recipient address that did not receive any mail over the specified period when you generated a Specific Recipients report.
You configured Symantec Message Filter to keep data for that report type. See Selecting the data to track on page 300. You can produce reports even if you do not currently track data, so this error can also happen if you collected data in the past and then turned off data tracking: the collected data remains available for report generation until it is old enough to be automatically purged, after which report generation fails.


Chapter 12

Using filters to protect your environment and block unwanted mail


This chapter includes the following topics:

About Symantec Message Filter filters
About specifying senders to permit or block
About filtering for spam
About filtering for viruses
About custom filters

About Symantec Message Filter filters


Most customers find that the filters that Symantec provides handle all their needs. If you want to supplement Symantec filtering, you can customize filtering at your site. For example, you can set up lists of allowed and blocked senders, adjust the criteria for suspected spam messages, create custom filters, and more. Policies control the corresponding actions for the filters that you create and modify in this section. See To set group policy precedence on page 245. Symantec Message Filter provides the following filters, all of which you can customize:

Blocking and permitting senders (Allowed Senders Lists, Blocked Senders Lists, and Reputation Lists)
Spam filtering
Antivirus filtering
Custom filters

About specifying senders to permit or block


Filtering based on the source of the message, whether it is the sender's domain, email address, or mail server IP connection, can be a powerful way to fine-tune mail processing at your site. The information in this section describes global blocked and allowed senders lists, which are applied at the server level. Symantec Message Filter provides the following tools to let you specify which senders to permit and which senders to block:

Define an Allowed Senders List.
  Symantec Message Filter treats the email that comes from an address or connection in the Allowed Senders List as legitimate mail. As a result, such mail is delivered immediately to the inbox and bypasses any other filtering. The Allowed Senders List reduces the small risk that messages from trusted senders are treated as spam or filtered in any way. Because an allowed entry bypasses every other filter, prefer IP connection entries to email address entries, which are easily forged. See Adding senders to the Allowed Senders List on page 315.

Define a Blocked Senders List.
  Symantec Message Filter supports a number of actions for mail from a sender or connection on your Blocked Senders List. As with spam verdicts, you can use policies to configure a variety of actions to perform on such mail, for example deletion, forwarding, and subject line modification. See Adding senders to the Blocked Senders List on page 313.


Use the Reputation Service.
  By default, Symantec Message Filter is configured to use the Reputation Service. Symantec monitors hundreds of thousands of email sources to determine how much of the email that is sent from these addresses is legitimate and how much is spam. The service currently includes the following lists of IP addresses, which are continuously compiled, updated, and incorporated into the Symantec Message Filter filtering processes:
  Open Proxy List: IP addresses that are open proxies that spammers use.
  Safe List: IP addresses from which almost no outgoing email is spam.
  Suspect List: IP addresses from which almost all of the outgoing email is spam.
  No configuration is required for these lists. You can choose to disable the Open Proxy List and the Suspect List. See Selecting reputation services to use on page 319.

Incorporate lists managed by other parties.
  Third parties compile and manage lists of desirable or undesirable IP addresses. These lists are queried with DNS lookups. When you configure Symantec Message Filter to use a third-party sender list, Symantec Message Filter checks whether the sending mail server is on the list. If so, Symantec Message Filter performs a configured action according to the policies in place. See Importing sender information into a senders list on page 317.

How Symantec Message Filter identifies senders and connections


Symantec Message Filter uses the following methods to identify senders and connections:

Supported methods for identifying senders

You can use the following methods to identify senders for your Allowed Senders List and Blocked Senders List:

Specify sender addresses or domain names.
  Symantec Message Filter checks the following characteristics of inbound mail against those in your lists. Note that both values are supplied by the sending system and can be forged.
  MAIL FROM: Address in the SMTP envelope. Specify a pattern that matches the value for localpart@domain in the address. You can use wildcards in the pattern to match any portion of the address.
  FROM: Address in the message headers. Specify a pattern that matches the value for localpart@domain in the From header. You can use wildcards in the pattern to match any portion of this value.

Specify IP connections.
  Symantec Message Filter checks the IP address of the mail server that initiates the connection to verify whether it is on your Allowed Senders Lists or Blocked Senders Lists. Wildcards are not supported. Although you can use network masks to indicate a range of addresses, you cannot use the subnet masks that define non-contiguous sets of IP addresses (for example, 69.84.35.0/255.0.255.0). Supported notations are as follows:
  Single host: 128.113.213.4
  IP address with subnet mask: 128.113.1.0/255.255.255.0

Supply the lookup domain of a third-party sender service.
  Symantec Message Filter can check message sources against third-party DNS-based lists to which you subscribe.

Automatic expansion of subdomains

When Symantec Message Filter evaluates domain name matches, it expands the specified domain to include subdomains. For example, Symantec Message Filter expands symantecexample.com to include biz.symantecexample.com and, more generally, *@*.symantecexample.com. This evaluation ensures that any possible subdomains are allowed or blocked as appropriate.
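The following script is an added example and is not the product's implementation. It applies the matching rules described above to constructed Allowed and Blocked Senders List entries: address patterns with * wildcards are checked against both the SMTP envelope MAIL FROM and the From header, a bare domain is expanded to cover the domain and all of its subdomains, IP entries are accepted as a single host or as address/netmask with wildcards and non-contiguous masks rejected, and the Allowed list is consulted before the Blocked list, which is the precedence described later in this chapter under About the Allowed Senders List and the Blocked Senders List. The list entries, messages, and addresses are all constructed.

```python
"""Match message sources against Allowed and Blocked Senders List entries.

Added example, not the product's implementation. Entry kinds follow the
guide: localpart@domain patterns with '*' wildcards (checked against MAIL
FROM and the From header), bare domains expanded to their subdomains, and
IP entries as a single host or address/netmask (no wildcards, contiguous
masks only). The Allowed list takes precedence over the Blocked list.
All entries and messages below are constructed.
"""
import ipaddress
import re


def _wildcard_regex(pattern):
    """Compile a localpart@domain pattern; '*' matches any run of characters."""
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def _extract_address(header_value):
    """Pull addr from 'Display Name <addr>' or return the bare address."""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).strip().lower()


def parse_ip_entry(entry):
    """Parse '128.113.213.4' or '128.113.1.0/255.255.255.0' into a network.

    Wildcards are rejected, and so is a netmask that does not describe a
    contiguous range such as 255.0.255.0 (ipaddress raises on it).
    """
    if "*" in entry:
        raise ValueError("wildcards are not allowed in IP entries: %s" % entry)
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        raise ValueError("invalid IP entry %r: %s" % (entry, exc)) from exc


class SenderList:
    """One Allowed or Blocked Senders List built from text entries."""

    def __init__(self, entries):
        self.patterns = []   # (entry, compiled regex) for address/domain entries
        self.networks = []   # (entry, ip_network) for IP entries
        for raw in entries:
            entry = raw.strip()
            if not entry:
                continue
            if re.fullmatch(r"[\d./*]+", entry):
                self.networks.append((entry, parse_ip_entry(entry)))
            elif "@" in entry:
                self.patterns.append((entry, _wildcard_regex(entry)))
            else:
                # Bare domain: the domain itself plus every subdomain of it.
                self.patterns.append((entry, _wildcard_regex("*@" + entry)))
                self.patterns.append((entry, _wildcard_regex("*@*." + entry)))

    def match(self, envelope_from, header_from, peer_ip):
        """Return the matching entry or None; checks MAIL FROM, From, then IP."""
        candidates = [envelope_from.lower(), _extract_address(header_from)]
        for entry, regex in self.patterns:
            if any(regex.match(addr) for addr in candidates):
                return entry
        ip = ipaddress.ip_address(peer_ip)
        for entry, net in self.networks:
            if ip in net:
                return entry
        return None


def verdict(allowed, blocked, envelope_from, header_from, peer_ip):
    """Allowed Senders List takes precedence over the Blocked Senders List."""
    hit = allowed.match(envelope_from, header_from, peer_ip)
    if hit:
        return "allowed", hit
    hit = blocked.match(envelope_from, header_from, peer_ip)
    if hit:
        return "blocked", hit
    return "filter", None      # fall through to the spam and virus filters


# Constructed lists and messages: (MAIL FROM, From header, peer IP).
ALLOWED = SenderList(["partner.example", "128.113.1.0/255.255.255.0",
                      "*@trusted.example"])
BLOCKED = SenderList(["spammer@*", "bulk.example", "10.9.8.7"])
MESSAGES = [
    ("news@biz.partner.example", "News <news@biz.partner.example>", "203.0.113.5"),
    ("spammer@anything.example", "x@y.example", "203.0.113.6"),
    ("x@bulk.example", "x@bulk.example", "128.113.1.77"),
    ("someone@other.example", "someone@other.example", "10.9.8.7"),
    ("bounce@mailer.example", "Boss <ceo@bulk.example>", "198.51.100.1"),
    ("someone@other.example", "someone@other.example", "198.51.100.1"),
]


def classify_all(messages=MESSAGES, allowed=ALLOWED, blocked=BLOCKED):
    """Verdict name for each constructed message, in order."""
    return [verdict(allowed, blocked, *m)[0] for m in messages]


if __name__ == "__main__":
    for message, result in zip(MESSAGES, classify_all()):
        print(result, message)
```

The third message shows the precedence rule: its sender domain is on the Blocked list, but the connecting IP is inside an Allowed netmask, so it is allowed. The fifth message is blocked on the From header alone, which is why address entries are weaker than IP entries: both MAIL FROM and From are chosen by the sender.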


Logical connections and internal mail servers: non-gateway deployments

When you deploy Symantec Message Filter at the gateway, it can reliably obtain the physical (peer) IP connection for an inbound message and compare it to the connections that are specified in the Allowed Senders List and Blocked Senders List. If you deploy the product elsewhere in your network (for example, downstream from the gateway MTA), Symantec Message Filter works with the logical IP connection instead: the address from which the message entered your network. The boundary of your network is defined by the internal address ranges that you supply to Symantec Message Filter when you set up your Scanners. Therefore, it is important that you identify all the internal mail hosts in your network; an internal host that is missing from the ranges would itself be treated as the logical sender. See Specifying internal mail hosts on page 355.
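The following added example (not part of the Symantec guide or of the product) shows how a downstream Scanner can derive the logical connection: walk the Received headers from the newest hop down, skip every hop whose peer lies inside the internal ranges you configured, and stop at the first external peer. Headers below that point were written by outside servers and may be forged, which is why the walk never continues past the first external hop. The internal ranges, host names and Received lines are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Internal mail hosts as you would configure them for the Scanner (hypothetical
# ranges chosen for this example).
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample header block. Received headers are listed most recent hop
# first; the bottom one was written by the sender's own server and cannot be trusted.
SAMPLE_HEADERS = """\
Received: from mx1.internal.example (mx1.internal.example [10.1.2.3])
    by scanner.internal.example with ESMTP id abc123; Mon, 1 Aug 2011 10:00:00 -0700
Received: from gw.internal.example (gw.internal.example [192.168.5.10])
    by mx1.internal.example with ESMTP id def456; Mon, 1 Aug 2011 09:59:58 -0700
Received: from mail.sender.example (mail.sender.example [203.0.113.77])
    by gw.internal.example with ESMTP id ghi789; Mon, 1 Aug 2011 09:59:55 -0700
Received: from [198.51.100.9] (helo=desktop)
    by mail.sender.example with ESMTPA id jkl012; Mon, 1 Aug 2011 09:59:50 -0700
From: someone@sender.example
Subject: hello
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw):
    """Peer IP of each Received header, newest hop first; None if unparseable."""
    ips = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = IP_IN_BRACKETS.search(line)
            ips.append(ip_address(m.group(1)) if m else None)
    return ips


def logical_connection(raw, internal=INTERNAL_RANGES):
    """Return the IP that handed the message to the first internal host.

    Walk Received headers from the top (hops written by your own servers) and
    stop at the first peer outside the internal ranges. Returns None if every
    hop is internal (local origin) or a hop cannot be parsed; an unparseable
    hop is not skipped, because the hops below it are untrusted.
    """
    for ip in received_ips(raw):
        if ip is None:
            return None
        if not any(ip in net for net in internal):
            return ip
    return None


if __name__ == "__main__":
    print(logical_connection(SAMPLE_HEADERS))   # 203.0.113.77
```

With the internal ranges configured, the result is the gateway's peer 203.0.113.77, not the 198.51.100.9 that the sender's own server reported; with no internal ranges configured, the function returns the first hop 10.1.2.3, which illustrates why an incomplete internal host list makes your own servers look like the sender.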

About the Allowed Senders List and the Blocked Senders List
Note the following considerations about the Allowed Senders List and Blocked Senders List:
Overall filtering precedence: Symantec Message Filter keeps track of the different filters that trigger a violation to determine an overall verdict for a message. Preset precedence rules govern the ultimate verdict. For example, Symantec Message Filter gives a higher precedence to matches against the Allowed Senders List and Blocked Senders List.


Precedence within the multiple lists: If a message source falls into both the Allowed Senders List and the Blocked Senders List, the Allowed Senders List has precedence. The message is delivered to the recipient's inbox. Within the lists, IP addresses are generally more reliable for source filtering than email addresses, which are easily forged. In addition, the lists that you create (email-based and IP-based) have precedence over the lists that Symantec creates. Note that list information from third-party DNS blacklists that you specify does not have priority over Symantec lists. In the event of a conflict between the Safe List (part of the Reputation Service) and an entry from a DNS blacklist, the Symantec-propagated list takes precedence. The following list summarizes the precedence, from highest to lowest:

1 Allowed Senders List (IP addresses)
2 Allowed Senders List (third-party allowed senders services)
3 Blocked Senders List (IP addresses)
4 Allowed Senders List (email addresses)
5 Blocked Senders List (email addresses)
6 Safe List
7 Open Proxy List
8 Blocked Senders List (third-party blocked senders services)

Duplicate entries: You cannot have the exact same entry in both the Blocked Senders List and the Allowed Senders List. If an entry already exists in one list, you receive the message "Duplicate sender - not added" when you try to add it to the other list. The existing entry may be in the other list rather than in the one that you are working with. To move an entry from one list to the other, delete it from the first list and add it to the second. If you have two different entries that overlap, such as a@b.com in one list and *@b.com in the other, the precedence order described above decides.

Performance impact of third-party DNS lists: Incorporating third-party lists adds steps to the filtering process. For example, with a DNS list, the IP address of the sending mail server is looked up in the list by a DNS query for each incoming message. If the sending mail server is on the list, the mail is flagged as spam. If your mail volume is high and you run inbound mail through a third-party database, the required DNS lookups can hamper performance. Symantec recommends that you use the Reputation Service instead of enabling third-party lists.


Use Allowed Senders Lists for external IP addresses only

Symantec Message Filter has default internal IP address ranges from which it ignores IP address data. The benefit is that your Scanner saves time and resources by not scanning messages from these trusted locations. Therefore, you need only use the Allowed Senders list for external IP addresses.

Use case scenarios to allow or block senders


Table 12-1 provides some examples of why you would employ lists of allowed or blocked senders, along with an example of a pattern that you might use to match the sender.

Table 12-1 Use cases for using Allowed Senders Lists and Blocked Senders Lists

Problem: Mail from an end user's colleague is occasionally flagged as spam.
Solution: Add the colleague's email address to the Allowed Senders List.
Pattern example: jdoe@symantecexample.com

Problem: A newsletter that is wanted is flagged as spam.
Solution: Add the domain name that the newsletter uses to the Allowed Senders List.
Pattern example: newsletter.com

Problem: An individual sends unwanted mail to people in your organization.
Solution: Add the specific email address to the Blocked Senders List.
Pattern example: Joe.doe*@symantecexample.com

Problem: Numerous people from a specific range of IP addresses send unsolicited mail to people in your organization.
Solution: After analyzing the Received headers to determine the sender's network and IP address, add the IP address and netmask to the Blocked Senders List.
Pattern example: 192.168.133.191/255.255.0.0

Adding senders to the Blocked Senders List


To prevent unwanted messages from being delivered, you can add specific email addresses, domains, and connections to your Blocked Senders List.


To add senders to the Blocked Senders List

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Blocked Senders.

3 Click Add.

4 On the Add Blocked Senders page, in the Blocked email addresses or domain names box, type a sender address. If the address or domain that you type matches an incoming message's SMTP envelope MAIL FROM address, header From address, or both, the message is considered to be from a blocked sender. Symantec Message Filter automatically includes the subdomains of the specified domain. The message is handled based on the policies that are set in place. Acceptable characters include all alphanumerics and special characters, except the plus sign (+). Use * to match zero or more characters and ? to match a single character. Some examples are as follows:

    Pattern: symantecexample.com
    Matches: chang@symantecexample.com, marta@symantecexample.com, foo@bar.symantecexample.com

    Pattern: malcolm@symantecexample.com
    Matches: malcolm@symantecexample.com

    Pattern: sara*@symantecexample.com
    Matches: sara@symantecexample.com, sarahjane@symantecexample.com

    Pattern: jo??@symantecexample.com
    Matches: john@symantecexample.com, josh@symantecexample.com

5 In the Blocked IP address box, type the numerical IP address for hosts from which to block connections. You can use subnet masks and CIDR notation. You cannot use the subnet masks that define non-contiguous sets of IP addresses (for example, 192.168.37.0/255.0.255.0). Wildcards are not supported.

6 In the Third Party Blocked Senders Services box, specify the third-party DNS blacklist to which you subscribe. Wildcards are not supported.

7 Click Save.
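As an added example, not code from the guide or from the product, the following Python reproduces the matching and precedence rules described in this chapter: the wildcard sender patterns above, automatic subdomain expansion for bare domains, netmask and CIDR connection entries with the non-contiguous mask check, and the eight-level precedence order from "About the Allowed Senders List and the Blocked Senders List". The list contents, the DNS list zone names (allow.dnsl.example, block.dnsl.example) and the lookup results are constructed; a real deployment would perform DNS queries for the third-party lists.

```python
import re
from ipaddress import ip_address, ip_network


def pattern_to_regex(pattern):
    """Sender pattern syntax: * matches zero or more characters, ? exactly one."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE)


def sender_matches(pattern, address):
    """A bare domain is expanded to localpart@domain and to every subdomain."""
    patterns = [pattern] if "@" in pattern else ["*@" + pattern, "*@*." + pattern]
    return any(pattern_to_regex(p).match(address) for p in patterns)


def parse_connection(entry):
    """Accept a.b.c.d, a.b.c.d/prefix or a.b.c.d/e.f.g.h; reject non-contiguous masks."""
    if "/" not in entry:
        return ip_network(entry + "/32")
    addr, mask = entry.split("/", 1)
    if "." not in mask:                       # CIDR prefix length
        return ip_network(entry, strict=False)
    mask_int = int(ip_address(mask))
    prefix = bin(mask_int).count("1")
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:   # ones must be contiguous
        raise ValueError("non-contiguous mask not supported: " + entry)
    return ip_network(f"{addr}/{prefix}", strict=False)


def build_config():
    """Constructed sample lists (hypothetical values), parsed once at load time."""
    return {
        "allow_ip":    [parse_connection("203.0.113.0/255.255.255.0")],
        "allow_dnsl":  ["allow.dnsl.example"],
        "block_ip":    [parse_connection("198.51.100.0/24")],
        "allow_email": ["jdoe@symantecexample.com", "newsletter.com"],
        "block_email": ["joe.doe*@symantecexample.com", "jo??@symantecexample.com"],
        "safe_list":   [parse_connection("192.0.2.10")],
        "open_proxy":  [parse_connection("192.0.2.10")],   # deliberately overlaps the Safe List
        "block_dnsl":  ["block.dnsl.example"],
    }


# Constructed stand-in for the DNS lookups that third-party lists require.
DNSL_HITS = {
    "allow.dnsl.example": {ip_address("198.51.100.8")},
    "block.dnsl.example": {ip_address("192.0.2.99")},
}


def verdict(peer_ip, mail_from, header_from, cfg, dnsl_hits=DNSL_HITS):
    """Evaluate the lists in the guide's precedence order; the first hit decides."""
    ip = ip_address(peer_ip)
    addresses = (mail_from, header_from)   # both envelope and header From are checked

    def ip_in(key):
        return any(ip in net for net in cfg[key])

    def email_in(key):
        return any(sender_matches(p, a) for p in cfg[key] for a in addresses)

    def dnsl_in(key):
        return any(ip in dnsl_hits.get(zone, ()) for zone in cfg[key])

    order = [
        ("allowed", "Allowed Senders List (IP addresses)",         lambda: ip_in("allow_ip")),
        ("allowed", "Allowed Senders List (third-party services)", lambda: dnsl_in("allow_dnsl")),
        ("blocked", "Blocked Senders List (IP addresses)",         lambda: ip_in("block_ip")),
        ("allowed", "Allowed Senders List (email addresses)",      lambda: email_in("allow_email")),
        ("blocked", "Blocked Senders List (email addresses)",      lambda: email_in("block_email")),
        ("allowed", "Safe List",                                   lambda: ip_in("safe_list")),
        ("blocked", "Open Proxy List",                             lambda: ip_in("open_proxy")),
        ("blocked", "Blocked Senders List (third-party services)", lambda: dnsl_in("block_dnsl")),
    ]
    for outcome, source, hit in order:
        if hit():               # lazy: cheaper IP checks run before pattern and DNS checks
            return outcome, source
    return "no match", None
```

Note how the order resolves conflicts: a blocked IP range beats an allowed email address (jdoe@symantecexample.com sent from 198.51.100.7 is still blocked), a third-party allow list beats your own blocked IP range, and an address on both the Safe List and the Open Proxy List is allowed because the Safe List is evaluated first.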

Adding senders to the Allowed Senders List


To ensure that messages from specific email addresses, domains, and connections are not treated as spam, you can add them to your Allowed Senders List.

To add senders to the Allowed Senders List

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Allowed Senders.

3 Click Add.

4 On the Add Allowed Senders page, in the Allowed email addresses or domain names box, type a sender address. If the address or domain that you type matches an inbound message's SMTP envelope MAIL FROM address, header From address, or both, the message is considered to be from an allowed sender. Symantec Message Filter automatically includes the subdomains of the specified domain. The message is handled according to the policies that are set in place. Acceptable characters include all alphanumerics and special characters, except the plus sign (+). Use * to match zero or more characters and ? to match a single character. Some examples are as follows:

    Pattern: symantecexample.com
    Matches: chang@symantecexample.com, marta@symantecexample.com, foo@bar.symantecexample.com

    Pattern: malcolm@symantecexample.com
    Matches: malcolm@symantecexample.com

    Pattern: sara*@symantecexample.com
    Matches: sara@symantecexample.com, sarahjane@symantecexample.com

    Pattern: jo??@symantecexample.com
    Matches: john@symantecexample.com, josh@symantecexample.com

5 In the Allowed IP addresses box, type the numerical IP address for hosts from which to allow connections. You can use subnet masks and CIDR notation. You cannot use the subnet masks that define non-contiguous sets of IP addresses (for example, 192.168.37.0/255.0.255.0). Wildcards are not supported.

6 In the Third Party Allowed Senders Services box, specify the third-party DNS whitelist to which you subscribe. Wildcards are not supported.

7 Click Save.

Deleting senders from senders' lists


You can remove senders from either sender list.

To delete senders from senders' lists

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Blocked Senders or Allowed Senders, depending on the list that you want to work with.

3 In the list of senders, check the box beside the sender that you want to remove from your list, and then click Delete.

Editing senders in senders' lists


You can edit the senders in either sender list at any time.

To edit senders in senders' lists

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Blocked Senders or Allowed Senders, depending on the list that you want to work with.

3 In the list of senders, check the box beside the sender whose information you want to modify, and then click Edit. You can also click an underlined sender name to jump directly to the corresponding edit page.

4 Make any changes, and then click Save.


Enabling or disabling senders in senders' lists


When you add a new sender to your Blocked Senders List or Allowed Senders List, Symantec Message Filter automatically enables the entry and applies it when it scans inbound messages. You may need to periodically disable and then re-enable senders in your list for troubleshooting or testing purposes, or if your list is not up-to-date. Symantec Message Filter treats mail from a sender that you disabled as it would any other message.

To enable or disable senders in senders' lists

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Blocked Senders or Allowed Senders. A red x in the Enabled column indicates that the entry is currently disabled. A green check mark in the Enabled column indicates that the entry is currently enabled.

3 In the list of senders, do one of the following:

    To enable a sender entry that is currently disabled, check the box beside the sender information, and then click Enable.

    To disable a sender entry that is currently enabled, check the box beside the sender information, and then click Disable.

Importing sender information into a senders list


If you have many senders and addresses to add to your Blocked Senders List or Allowed Senders List, it is easier to place the sender information in a text file and then import the file. To add sender information, patterns, and DNS zones, you modify a text file (allowedblockedlist.txt) that is provided with your Symantec Message Filter software. The file is line-oriented and uses a format similar to LDIF. It has the following restrictions and characteristics:

    The file must have the required LDIF header that is included upon installation.
    Each line contains exactly one attribute, along with a corresponding pattern.
    Empty lines or white space are not supported.
    Lines beginning with # are ignored.
    Entries terminating with the colon-dash pattern (:-) are disabled; entries terminating with the colon-plus pattern (:+) are enabled.


To populate the list, specify an attribute and follow it with a pattern. In the following example, a list of attributes and patterns follows the LDIF header.

## Permit List
#
dn: cn=mailwall@brightmail.com, ou=bmi
objectclass: top
objectclass: bmiBlackWhiteList
AC: 65.86.37.45/255.255.255.0
AS: grandma@aol.com
RC: 20.45.32.78/255.255.255.255
RS: spammer@aol.com
BL: spl.spamhaus.org
# Example notations for disabled and enabled entries follow
RS: rejectedspammer@aol.com:-
RS: rejectedspammer2@aol.com:+

Table 12-2 lists the attributes and the syntax for importable values.

Table 12-2 Syntax to prepare importable list for allowed and blocked senders

Attribute: AC: (allowed connection or network), RC: (rejected or blocked connection or network)
Acceptable values: Numerical IP address and network mask of the host to allow or block, using the format a.b.c.d/e.f.g.h, or a CIDR range of contiguous IP addresses for allowed or blocked networks. Wildcards are not supported.
Examples:
    Single IP address: AC: 192.168.37.45/255.255.255.255 or AC: 192.168.37.45
    Class C network: RC: 192.168.37.0/255.255.255.0
    CIDR notation of the same network: RC: 192.168.37.0/24

Attribute: AS: (allowed sender), RS: (rejected or blocked sender)
Acceptable values: All alphanumerics and special characters, except the plus sign (+). Use * to match zero or more characters and ? to match a single character.
Examples:
    Single sender address: RS: spammer@symantecs.org
    Fixed-size noisy address: RS: john?????@symantecexample.com

Attribute: BL: (third-party blocked sender service), WL: (third-party allowed sender service)
Acceptable values: Numerical IP address or canonical name of a third-party whitelist or blacklist service. Wildcards are not supported.
Example: BL: spl.spamhaus.org


To import sender information into a senders list

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Blocked Senders or Allowed Senders.

3 Click Import.

4 Under Import Blocked Senders, type the location of the file that you want to import, or click Browse to locate the file and then click Open.

5 Click Import. Symantec Message Filter merges data from the imported list with the existing sender information.
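The following parser, an added example rather than code shipped with the product, reads the allowedblockedlist.txt format described above: it requires the dn and objectclass header lines, ignores comment lines, honours the :- and :+ suffixes, rejects the plus sign in sender patterns and wildcards in DNS list names, and reports entries that appear in both lists, which the Control Center refuses as duplicates. The sample file is the guide's own example extended with two constructed bad lines (a plus sign in a sender pattern and an address present in both lists).

```python
import re

# Constructed sample: the guide's example file plus two deliberately invalid lines.
SAMPLE_FILE = """\
## Permit List
#
dn: cn=mailwall@brightmail.com, ou=bmi
objectclass: top
objectclass: bmiBlackWhiteList
AC: 65.86.37.45/255.255.255.0
AS: grandma@aol.com
RC: 20.45.32.78/255.255.255.255
RS: spammer@aol.com
BL: spl.spamhaus.org
# Example notations for disabled and enabled entries follow
RS: rejectedspammer@aol.com:-
RS: rejectedspammer2@aol.com:+
RS: bad+tag@aol.com
AS: spammer@aol.com
"""

LIST_ATTRS = {
    "AC": ("allow", "connection"), "RC": ("block", "connection"),
    "AS": ("allow", "sender"),     "RS": ("block", "sender"),
    "WL": ("allow", "dnslist"),    "BL": ("block", "dnslist"),
}
HEADER_ATTRS = {"dn", "objectclass"}
LINE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")


def parse_list_file(text):
    """Return (entries, errors).

    Each entry is a dict with action, kind, value, enabled and line; each error
    is (line_number, message). Line 0 is used for file-level errors.
    """
    entries, errors, header = [], [], set()
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue   # the format forbids blank lines, but an importer should not crash on one
        m = LINE.match(raw)
        if not m:
            errors.append((number, "unparseable line"))
            continue
        attr, value = m.group(1), m.group(2)
        if attr.lower() in HEADER_ATTRS:
            header.add(attr.lower())
            continue
        if attr not in LIST_ATTRS:
            errors.append((number, "unknown attribute " + attr))
            continue
        enabled = True
        if value.endswith(":-"):           # disabled entry
            enabled, value = False, value[:-2]
        elif value.endswith(":+"):         # explicitly enabled entry
            value = value[:-2]
        action, kind = LIST_ATTRS[attr]
        if kind == "sender" and "+" in value:
            errors.append((number, "plus sign not allowed in sender pattern"))
            continue
        if kind == "dnslist" and ("*" in value or "?" in value):
            errors.append((number, "wildcards not supported in DNS list names"))
            continue
        entries.append({"action": action, "kind": kind, "value": value,
                        "enabled": enabled, "line": number})
    if not HEADER_ATTRS <= header:
        errors.insert(0, (0, "missing required LDIF header (dn/objectclass)"))
    return entries, errors


def cross_list_duplicates(entries):
    """Values that occur with both allow and block actions for the same kind."""
    first_action, dups = {}, []
    for e in entries:
        key = (e["kind"], e["value"].lower())
        if key in first_action and first_action[key] != e["action"]:
            dups.append(e["value"])
        first_action.setdefault(key, e["action"])
    return dups


if __name__ == "__main__":
    entries, errors = parse_list_file(SAMPLE_FILE)
    print(len(entries), "entries;", errors, "; duplicates:", cross_list_duplicates(entries))
```

Because the Control Center merges an imported file with the existing lists, run the duplicate check against your current export as well as the new file before importing; an entry that the import rejects as a duplicate is silently absent from the list you expected it in.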

Exporting sender information from senders lists


You can easily export to a single file all the information in your Allowed Senders List and Blocked Senders List.

To export sender information from senders lists

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Blocked Senders or Allowed Senders. You do not need to check the boxes beside the individual sender names. The export feature exports the entire list.

3 Click Export. Your browser prompts you to open the file from its current location or save it to disk.

Selecting reputation services to use


The reputation service is a service that Symantec manages which continuously compiles and updates the following lists of IP addresses:

    Open Proxy List: IP addresses that are open proxies used by spammers.
    Safe List: IP addresses from which almost no outgoing email is spam.
    Suspect List: IP addresses from which almost all of the outgoing email is spam.

Symantec monitors hundreds of thousands of email sources to determine how much email that is sent from these addresses is legitimate and how much is spam. Email from a given email source can then be blocked or allowed based on the source's reputation value as Symantec determines it.


By default, all of the reputation services are enabled.

Note: The Suspect List is always enabled and cannot be disabled.

To disable reputation services

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Reputation Service.

3 Under Brightmail Reputation Service Lists, uncheck the check boxes for the lists that you do not want to use. The Suspect List cannot be disabled.

4 Click Save.

About filtering for spam


Spam is unsolicited bulk email, most often advertising messages for a product or service. It wastes productivity, time, and network bandwidth. You can define which messages are spam, suspected spam, or not spam based on the scores that Symantec Message Filter assigns to messages. You can also configure how to dispose of spam and suspected spam messages. See Adjusting spam scoring on page 320. You can enable a feature to scan certain message text attachments. Symantec Message Filter can search these text attachments for URLs, which may be an indicator that a message is spam. See Scanning email text attachments on page 322. If you deploy Symantec Message Filter at the gateway, you can save scanning resources by blocking spam at the gateway. See Rejecting spam at the gateway on page 321. Symantec Message Filter also provides the Fastpass feature to improve performance. See Increasing the speed for processing messages on page 323.

Adjusting spam scoring


When Symantec Message Filter evaluates whether messages are spam, it calculates a spam score from 1 to 100 for each message according to techniques such as pattern matching and heuristic analysis. A message is defined as spam if it receives a score in the range of 90 to 100. For more aggressive filtering, you can optionally define a range of scores between 25 and 89. The messages that score within this range are considered suspected spam. Suspected spam is a separate category that you set on the Spam Scoring page. You can use policies to specify different actions for the messages that are identified as suspected spam and the messages that Symantec identifies as spam. For example, assume that you configure your suspected spam scoring range to encompass scores from 80 to 89. If an incoming message receives a spam score of 89, Symantec Message Filter considers this message suspected spam and applies the action that you have in place for suspected spam messages. Messages that score 90 or above are subject to the action that you have in place for spam messages. You can lower the threshold gradually, by 1 to 5 points a week, until you reach the most aggressive setting at which the number of false positives is still acceptable. To test the effects of spam scoring, set up a designated mailbox or user to receive false positive notifications. You can use this mailbox to monitor the effects of changes to the spam score threshold.

To adjust the spam score

1 2 3 4 5

In the Control Center, click the Settings tab. In the left pane, under AntiSpam, click Spam Scoring. Under Do you want any messages to be flagged as suspected spam, click Yes. Click and drag the slider to increase or decrease the lower bound of suspected spam range. You can also type a value in the box. Click Save.

Rejecting spam at the gateway


If you have Symantec Message Filter deployed at the gateway, you can conserve spam scanning resources by rejecting spammers at connection time. Symantec Message Filter determines whether the connecting IP address is in the Blocked Senders List. If it is, Symantec Message Filter returns a verdict (an instruction on how to handle the message) before the message contents are sent across the network connection. Because the message is blocked at that point, your MTA does not need to make the remaining scanning calls, which reduces the scanning resources that are consumed.


Note: If Symantec Message Filter is not at the gateway, no early verdict is generated, even if the logical IP is on the Blocked Senders List. The logical IP is derived from the message headers after the message has been received, so it is not available at connection time and cannot be tested for reputation then. Messages that are blocked at connection time cannot be quarantined. Nor can these messages be annotated as spam, added to the Blocked Senders List, or reported as false positives. For more information about how early verdicts work, see the Symantec Message Filter Software Development Kit Development Guide.

To reject spam at the gateway

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Spam Scoring.

3 Under Early Verdicts IP, check Enable Early Verdicts IP. This feature is disabled by default.

4 Click Save.

Scanning email text attachments


Symantec Message Filter can scan text attachments to determine if they contain URLs, which could indicate that the message is spam. Symantec Message Filter can scan the following message text attachments based on their MIME type:

Microsoft Word and Microsoft Works attachments, MIME types:
    application/doc
    application/ms-word
    application/msword
    application/msworks
    application/vnd.ms-word
    application/vnd.ms-works
    application/word

RTF format attachments, MIME type:
    application/rtf

HTML and XML attachments, MIME types:
    application/html
    application/phtml
    application/xhtml
    application/xhtml_xml

Attachments whose file names end in any of the following extensions:
    .doc
    .htm
    .html
    .rtf
    .txt
    .wps
    .xml

Note: If you enable this feature, there can be an impact on memory and performance, depending on the number of message attachments that are scanned and their size.

To scan email text attachments

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Spam Scoring.

3 Under Scan Attachments, check Enable scan attachments. This feature is disabled by default.

4 Click Save.

Increasing the speed for processing messages


The Fastpass feature improves performance by skipping a subset of antispam filters for IP addresses with a demonstrated history of sending no spam messages. You can also specify one or more ranges of IP addresses to exclude from Fastpass. All antispam processing is performed for the addresses that you exclude. You can specify individual IP addresses, or you can use address/netmask or CIDR notation.

To increase the speed for processing messages

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Spam Scoring.

3 Under Fastpass, check Enable fastpass.

4 Click Save.

To exclude IP addresses from Fastpass

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiSpam, click Spam Scoring.

3 Under Fastpass, in the Exclude Ranges box, click Add.

4 Type an IP address, IP range (for example, 192.168.37.0/255.255.255.0), or hostname to exclude from Fastpass.

5 Click Save.

6 Click Save again.

About filtering for viruses


When you enable antivirus filtering, Symantec Message Filter Scanners scan for and detect viruses in email. When a Scanner detects a virus, it applies the actions that you specify in the antivirus policies. For example, you can instruct the Scanner to:

    Deliver the message normally.
    Delete the message.
    Clean the message with the AntiVirus Cleaner and then redeliver the message through an SMTP process.

You can also set policies for mass-mailing worms and for the potential virus messages that the Scanner cannot process (unscannable messages). After the Scanner processes messages, the AntiVirus Cleaner creates a configurable advisory text message. This message informs the user that the infected attachment was cleaned, deleted, or delivered without cleaning. If the message is delivered, the Cleaner inserts the original message as an attachment to the advisory message. The Cleaner also places a special identifying line in the message header so that the message is not filtered again for viruses. See About virus notification messages on page 383. If your antivirus subscription has expired, an expiration message appears next to the AntiVirus Cleaner component on the Status page. If your subscription lapses, virus filtering ceases. Contact your Symantec representative for instructions on how to purchase or renew a virus filtering license. See About monitoring the system status on page 361.


See About registering your Scanner license on page 357.

Configuring antivirus filter settings


Configure antivirus filter settings to establish the actions that you want Symantec Message Filter to take if a virus is detected or if a file cannot be scanned.

To configure antivirus filter settings

1 In the Control Center, click the Settings tab.

2 In the left pane, under AntiVirus, click Settings.

3 To enable antivirus filtering, check Scan messages for viruses.

4 Under Heuristic Level, select the level for the antivirus scanning engine.

5 In the Maximum archive scan depth box, specify a depth level for recursively compressed (nested) archive files. If Symantec Message Filter reaches this depth level, it treats the message as unscannable: it stops processing the message and applies the action that you specify for unscannable files. Do not set this value too high, or you can be vulnerable to a zip bomb, in which huge amounts of data are compressed into very small files. Do not set this value too low, or nested sets of replies and forwards on legitimate messages can trigger the threshold.

6 In the Maximum file size to scan box, specify a maximum attachment size in megabytes. If Symantec Message Filter detects a file that meets or exceeds the maximum attachment size, it treats the message as unscannable: it stops processing the message and applies the action that you specify for unscannable files. Do not set this value too high, or you can be vulnerable to a zip bomb.

7 In the Maximum archive scan time box, type the maximum amount of time (in seconds) that the Scanner should attempt to scan an archive file. If the Scanner cannot scan the file in the amount of time that you specify, the file triggers the Unscannable policy.

8 Click Save.
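The three limits above work together; the added Python below, which is not the product's scanning engine, shows one way to enforce them while walking nested zip archives. It counts decompressed bytes as they are actually produced rather than trusting the sizes declared in the archive, which is the lie a zip bomb relies on, and it treats any exceeded limit as unscannable so the Unscannable policy can apply. The nested-archive builder, the sample payloads and the limit values are constructed for this example.

```python
import io
import time
import zipfile
from dataclasses import dataclass


@dataclass
class ScanLimits:
    max_depth: int = 3                  # Maximum archive scan depth
    max_bytes: int = 5 * 1024 * 1024    # Maximum file size to scan, counted after decompression
    max_seconds: float = 5.0            # Maximum archive scan time


def build_nested_zip(levels, payload=b"A" * 1024):
    """Constructed sample: `payload` wrapped in `levels` zip archives, one inside the other."""
    data = payload
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.txt" if level == 0 else f"level{level}.zip", data)
        data = buf.getvalue()
    return data


def scan_attachment(data, limits, depth=1, started=None, remaining=None):
    """Return 'clean' or 'unscannable:<reason>'.

    Recurses into zip members while enforcing three budgets: nesting depth,
    total decompressed bytes across the whole attachment, and wall-clock time.
    `remaining` is a one-element list so the byte budget is shared by all
    recursion levels.
    """
    started = time.monotonic() if started is None else started
    remaining = [limits.max_bytes] if remaining is None else remaining
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "clean"      # a real engine would hand these bytes to the virus scanner here
    if depth > limits.max_depth:
        return "unscannable:depth"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as member:
                while True:
                    chunk = member.read(65536)
                    if not chunk:
                        break
                    remaining[0] -= len(chunk)          # charge what was really inflated
                    if remaining[0] < 0:
                        return "unscannable:size"        # zip bomb or simply too large
                    if time.monotonic() - started > limits.max_seconds:
                        return "unscannable:time"
                    chunks.append(chunk)
            result = scan_attachment(b"".join(chunks), limits, depth + 1, started, remaining)
            if result != "clean":
                return result
    return "clean"


if __name__ == "__main__":
    limits = ScanLimits()
    print(scan_attachment(build_nested_zip(3), limits))                          # clean
    print(scan_attachment(build_nested_zip(4), limits))                          # unscannable:depth
    print(scan_attachment(build_nested_zip(1, b"A" * (6 * 1024 * 1024)), limits))  # unscannable:size
```

The size case is the one to note: six megabytes of a single repeated byte deflates to a few kilobytes, so a limit applied to the attachment as it arrives on the wire would pass it, while a limit applied to the inflated output stops it within the first few chunks.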

About custom filters


You can create custom filters with the keywords and phrases that are found in specific areas of a message. When you write filters at the server level, you can supplement the filters that Symantec Message Filter provides. Based on the policies that you set up, you can perform a wide variety of actions on the messages that match your custom filters. You can use custom filters to:

    Block messages with specific body content, specific file attachment types, or file names to eliminate spam and viruses.
    Block oversized messages to control message volume and preserve disk space.
    Block email from the marketing lists that generate user complaints or use up excessive bandwidth.
    Block the messages that contain certain text in their headers or bodies.

Actions that are specified for custom filter matches do not override the actions that result from matches in your Blocked Senders List or Allowed Senders List or from matches against the antispam filters that Symantec provides. In other words, if a message's sender matches an entry in your Blocked Senders List or Allowed Senders List or if Symantec determines a message to be spam, custom filters have no effect on the message. Keep in mind the following when you create custom filters:

    Unless the Symantec Message Filter software is in communication with an MTA that is deployed at the border of the Internet (your gateway), the envelope domain or IP address on a message that is checked by the Envelope Helo Domain or Peer IP test may be the internal host that passed on the message from the email gateway, rather than the Internet address you might expect. See Specifying internal mail hosts on page 355.

    To start out, you may want to set your policies so that the messages that trigger custom filters are quarantined, forwarded, or modified instead of deleted. When you are sure the custom filters work correctly, you can adjust the action.

    If you accepted the default installation directories, the custom filters that you create are stored in the following file:

        Linux and Solaris: /opt/brightmail/sieve_script.txt
        Windows: C:\Program Files\Brightmail\Config\sieve_script.txt

    This file is coded in the Sieve language. See About creating filters in Sieve on page 371. You can manually edit the Sieve code that Symantec Message Filter creates, but if you run the editor in the Control Center again, your manual changes are overwritten.


    You cannot configure Symantec Message Filter to check messages against both the custom filters that you create in the Control Center and a custom filters file that you write by hand. If you create Sieve scripts without the Control Center, for example for previous versions of Symantec Brightmail AntiSpam, you have the following options:

        You can recreate the behavior of the Sieve scripts with the custom filters editor.
        You can continue to use a text editor to create new or edit existing Sieve scripts.

Creating conditions in custom filters


Table 12-3 describes the rule components that you can use when you create a filter.

Table 12-3 Filter components

Envelope From Address
    Test against: From address in the message envelope. The envelope information is not usually visible in mail reading programs, such as Outlook.
    Example: jane, symantecexample.com, jane@symantecexample.com

Envelope To Address
    Test against: The "to" address in the message envelope. The envelope information is not usually visible in mail reading programs, such as Outlook.
    Example: jane, symantecexample.com, jane@symantecexample.com

Envelope Helo Domain
    Test against: Sending domain listed in the HELO/EHLO SMTP command. The envelope information is not usually visible in mail reading programs, such as Outlook.
    Example: com, symantecexample, symantecexample.com

Peer IP
    Test against: IP address of the SMTP client that has contacted the local MTA. Type the peer IP in one of these formats:
        Single host: 192.168.213.4
        Netmask source IP: 192.168.1.0/255.255.255.0
    The envelope information is not usually visible in mail reading programs, such as Outlook.
    Example: see the formats above

From Address
    Test against: From message header.
    Example: jane, symantecexample.com, jane@symantecexample.com

To Address
    Test against: To message header.
    Example: jane, symantecexample.com, jane@symantecexample.com

Cc Address
    Test against: Cc (carbon copy) message header.
    Example: jane, symantecexample.com, jane@symantecexample.com

Bcc Address
    Test against: Bcc (blind carbon copy) message header.
    Example: jane, symantecexample.com, jane@symantecexample.com

Recipient
    Test against: To, Cc, and Bcc message headers.
    Example: jane, symantecexample.com, jane@symantecexample.com

Correspondent
    Test against: From, To, Cc, and Bcc message headers.
    Example: jane, symantecexample.com, jane@symantecexample.com

Sender
    Test against: Sender message header.
    Example: jane, symantecexample.com, jane@symantecexample.com

Subject
    Test against: Subject message header.
    Example: $100 F R E E, Please Play Now!

Header Field
    Test against: Message header that is specified in the accompanying text field. A header name is case-insensitive. Do not type the trailing colon in a header name.
    Example: Reply-To, reply-to, Message-ID

MIME Header
    Test against: Message header or MIME header that is specified in the accompanying text field. A header name is case-insensitive. Do not type the trailing colon in a header name.
    Example: Reply-To, reply-to, Content-Type, Content-Disposition

Message Body
    Test against: Contents of the message body. This component test is the most processing intensive, so you may want to add it as the last condition in a filter to optimize the filter.
    Example: You already may have won

Size
    Test against: Size of the message in bytes, kilobytes, or megabytes, including the header and body.
    Example: 2, 200, 2000

Table 12-4 describes the filter tests that are available when you create a custom filter.

Table 12-4 Filter tests

Test type: Is
Ability to use * and ? as wildcard characters: No
Description: Exact match for the supplied text.

Test type: Contains
Ability to use * and ? as wildcard characters: No
Description: Tests for the supplied text within the component that is specified. This test is sometimes called a substring test.

Test type: Starts with
Ability to use * and ? as wildcard characters: No
Description: Equivalent to the text* wildcard test with Matches.

Test type: Ends With
Ability to use * and ? as wildcard characters: No
Description: Equivalent to the *text wildcard test with Matches.

Test type: Matches
Ability to use * and ? as wildcard characters: Yes
Description: Match for the string with wildcards, if supplied.

Test type: Exists
Ability to use * and ? as wildcard characters: No
Description: Tests for the presence of the message header in the drop-down list or typed in the text box.

Note: All text tests are case-insensitive and there are negative Test Types. Some tests are not available for some components.

Using Wildcards with the "matches" and "does not match" tests

If you specify the Matches or Does not Match test for a component, you can use the * and ? wildcard characters. To match either * or ?, precede each with \ as shown in Table 12-5. You can use multiple instances of *, ?, \*, and \? in combination with normal characters in the same search term. Table 12-5 lists the wildcard characters that you can use in the Matches and Does not match tests.

Table 12-5 Wildcards in Match and Do Not Match Tests

Character: *
Description: Match zero or more characters
Example: sara*
Sample Matches: sara, sarah, sarahjane, saraabc%123
Example: s*m*
Sample Matches: sam, simone, sm, s321m$xyz

Character: ?
Description: Match any one character
Example: j?n
Sample Matches: jen, jon, j2n, j$n
Example: jo??
Sample Matches: john, josh, jo4#

Character: \*
Description: Match the asterisk character
Example: b\*\*
Sample Matches: b**

Character: \?
Description: Match the question mark character
Example: now\?
Sample Matches: now?


Guidelines for creating conditions


Keep in mind the following suggestions and requirements as you create the conditions that make up a filter:

There is no limit to the number of conditions that you can use per filter.

You can create custom filters that block or allow email according to the sender information. However, it is best to use the Allowed Senders List and Blocked Senders List for that purpose. It is appropriate to create custom filters if you need to block or keep email based on a combination of the sender and other criteria, such as the subject or recipient.

All tests for words and phrases are case-insensitive, meaning that lowercase letters in your conditions match lower- and uppercase letters in messages, and uppercase letters in your conditions match lower- and uppercase letters in messages. For example, if you test that the subject contains "inkjet", then "inkjet", "Inkjet", and "INKJET" in a message subject match. If you instead test for "INKJET" in the subject, then "inkjet", "Inkjet", and "INKJET" still match. This applies to all test types and all filter components.

Multiple white spaces in an email header or body are treated as a single space character. For example, if you test that the subject contains "inkjet cartridge" (one space), then both "inkjet cartridge" and "inkjet  cartridge" (two spaces) in a message subject match. If you instead test for "inkjet  cartridge" (two spaces) in the subject, then "inkjet cartridge" and "inkjet  cartridge" still match. This applies to all test types and all filter components. A message subject that contains "i n k j e t c a r t r i d g e" does not match a test for "inkjet cartridge" or "inkjet  cartridge".

The order of conditions in a filter does not matter as far as whether a filter matches a message. However, if a filter has Message Body tests, you can optimize the filter if you position them as the final conditions in the filter.

Spammers can forge some of the visible message headers and the usually invisible envelope information. Sometimes they forge header information using the actual email addresses or domains of innocent people or companies. Use care when you create filters against spam that you receive.
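To make the rules above concrete, here is an added Python model (not code from the Symantec guide or product) of the Table 12-4 tests and the Table 12-5 wildcards, applying the case-folding and white-space rules from these guidelines. The function names (normalize, wildcard_to_regex, evaluate) and the representation of an absent header as None are our own assumptions; the page describes the matching rules but not the product's matching engine, and of the negative test types it names only Does not match, so that is the only negative test modelled.

```python
import re

# Added example, not code from the Symantec guide: a model of the Table 12-4
# tests and Table 12-5 wildcards under the normalisation rules given in
# "Guidelines for creating conditions". Names below are our own.


def normalize(text: str) -> str:
    """Fold case and collapse runs of white space to one space.
    Only runs of white space are merged: "i n k j e t" keeps its spaces and
    therefore never matches "inkjet", exactly as the guide states."""
    return re.sub(r"\s+", " ", text).casefold()


def wildcard_to_regex(pattern: str) -> str:
    """Translate a Matches pattern into a regular expression.
    * -> zero or more characters, ? -> exactly one character, and a backslash
    before * or ? makes the character literal. Everything else is escaped."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?":
            parts.append(re.escape(pattern[i + 1]))   # \* or \? : literal
            i += 2
        else:
            parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
            i += 1
    return "".join(parts)


def _literal(text: str) -> str:
    """Escape * and ? so Starts with / Ends with treat the text literally."""
    return text.replace("*", r"\*").replace("?", r"\?")


def _matches(value: str, pattern: str) -> bool:
    return re.fullmatch(wildcard_to_regex(pattern), value, re.DOTALL) is not None


# Test type -> predicate over (normalised component value, normalised test text)
TESTS = {
    "is": lambda v, t: v == t,
    "contains": lambda v, t: t in v,                          # substring test
    "starts with": lambda v, t: _matches(v, _literal(t) + "*"),  # text*
    "ends with": lambda v, t: _matches(v, "*" + _literal(t)),    # *text
    "matches": _matches,
}


def evaluate(test: str, value, text: str = "") -> bool:
    """Apply one test to one component value.
    value is None when a header is absent from the message: Exists is then
    False and, by our assumption, so is every text test."""
    test = test.casefold()
    if test == "exists":
        return value is not None
    negate = test == "does not match"
    if negate:
        test = "matches"
    if test not in TESTS:
        raise ValueError(f"unknown test type: {test}")
    if value is None:
        return False
    result = TESTS[test](normalize(value), normalize(text))
    return not result if negate else result


if __name__ == "__main__":
    # Constructed samples taken from the wildcard table and the guidelines.
    print(evaluate("Matches", "saraabc%123", "sara*"))                        # True
    print(evaluate("Matches", "b**", r"b\*\*"), evaluate("Matches", "bxx", r"b\*\*"))  # True False
    print(evaluate("Contains", "Buy INKJET   Cartridge now", "inkjet cartridge"))     # True
    print(evaluate("Contains", "i n k j e t c a r t r i d g e", "inkjet cartridge"))  # False
```

The Starts with and Ends with tests are built from Matches exactly as the table says (text* and *text), which is why the text itself has its wildcards escaped first: a literal asterisk in a Starts with value stays literal.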

Creating custom filters


The custom filters editor provides a way to create custom filters without programming them in the Sieve language. See About creating filters in Sieve on page 371.


To create custom filters

1 In the Control Center, click the Settings tab.
2 In the left pane, under Content Filtering, click Custom Filters.
3 Click Add.
4 In the Filter description box, write a description for the filter. The description also appears on the main Custom Filters Editor window.
5 Under Conditions, click the drop-down list and select All or Any to determine if all or any one of the conditions you set in this filter must be met for the filter to trigger. This setting has no effect for filters with only one condition. Each row in the filter is called a condition.
6 For each condition, choose the message component and value to test against. See Table 12-3, Table 12-4, and Table 12-5.
7 Click Add Condition to add a new condition.
8 To remove the bottom-most condition, click Delete Condition.
9 In the Action section, choose one of the following categories for messages when the conditions in the filter are met:
  Treat as Spam
  Treat as Suspected Spam
  Treat as Allowed Sender
  Treat as Blocked Sender
  Treat as Mass-Mailing Worm
  Treat as Unscannable for Viruses
  Treat as Company-Specific Content
  Deliver the message normally
  You can use group policies to control what happens to messages that fall into these categories. See To set group policy precedence on page 245.
10 Click Save.


Editing custom filters


You can edit a custom filter that you create.

To edit custom filters

1 In the Control Center, click the Settings tab.
2 In the left pane, under Content Filtering, click Custom Filters.
3 In the list of filters, check the box beside the filter that you want to modify, and then click Edit. You can also click an underlined filter description to display the corresponding edit page.
4 Change the filter as needed.
5 Click Save.

Deleting custom filters


You can delete a filter if it is no longer needed. You can disable a custom filter if you want it to be temporarily inactive. See Enabling and disabling custom filters on page 334.

To delete custom filters

1 In the Control Center, click the Settings tab.
2 In the left pane, under Content Filtering, click Custom Filters.
3 Check the box beside the filter that you want to delete.
4 Click Delete.

Specifying the order in which filters are evaluated


Filters are evaluated in the order that they appear on the list. If a message triggers more than one filter, Symantec Message Filter performs the action of the first filter that is triggered. You can change the order in which the product evaluates filters. Position the filters that you think will match more often earlier in the list.

To specify the order in which filters are evaluated

1 In the Control Center, click the Settings tab.
2 In the left pane, under Content Filtering, click Custom Filters.
3 In the list of filters, check the box beside the filter that you want to move.
4 Click Move Up or Move Down to move the selected filter up or down in the list of filters.

Enabling and disabling custom filters


After you create custom filters, they are automatically enabled. For testing or other administrative purposes, you may need to enable or disable one or more filters without having to delete them. Disabled filters become inactive but still appear in the main Custom Filter list.

To enable or disable custom filters

1 In the Control Center, click the Settings tab.
2 In the left pane, under Content Filtering, click Custom Filters.
3 Do one of the following:
  To enable a filter, check the box beside the wanted filter, and then click Enable.
  To disable a filter, check the box beside the wanted filter, and then click Disable.

Importing a Sieve-coded custom filters file


You can import a hand-coded custom filters file rather than use the custom filters editor. Ensure that your Sieve filter conforms to the Symantec Message Filter implementation of Sieve. See About creating filters in Sieve on page 371.

To import a Sieve-coded custom filters file

1 In the Control Center, click the Settings tab.
2 In the left pane, under Content Filtering, click Custom Filters.
3 Under Custom Filters, click Use a custom filters file, and then click Browse.
4 In the dialog box, locate the custom filters file.
5 In the Control Center, click Import. The Control Center transmits the file and instructs all Servers to load it.

Sample custom filters


Following are examples of the custom filters that you can configure in the Control Center.


You can set actions for the messages that match custom filters. See To set group policy precedence on page 245.

Intercept large messages


Figure 12-1 shows how to detect an email message larger than 3 MB.

Figure 12-1 Messages larger than 3 MB

Intercept messages with a specific subject line


Figure 12-2 shows how to detect a message with a specific subject line, such as a chain letter.

Figure 12-2 Messages with a specific subject line

Intercept messages that are based on the sender and recipient


Figure 12-3 shows how to detect messages from a specific sender that are sent to a specific recipient. The example uses the Envelope From Address and Envelope To Address components because these are harder to forge than the From and To headers.

Figure 12-3 Messages that are based on sender or recipient

Intercept messages with a specific MIME type


Figure 12-4 shows how to detect messages that have a MIME attachment ending in .exe.

Figure 12-4 Messages with a specific MIME type
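The first-match rule from "Specifying the order in which filters are evaluated" and the four sample filters above, as an added Python example that is not part of the guide or the product. The figures themselves are not reproduced on the page, so each filter's conditions are inferred from its caption; the component keys, the name of the numeric Size test ("greater than"), the action assigned to each filter and the sample messages are constructed for this example, and the text tests are simplified case-insensitive comparisons.

```python
from dataclasses import dataclass

# Added example, not code from the Symantec guide. It models how custom filters
# combine conditions (All/Any), how a disabled filter is skipped, and how list
# order decides the action when several filters trigger. Component keys, the
# "greater than" Size test and the actions are assumptions made for the example.

MB = 1024 * 1024


@dataclass
class Filter:
    description: str
    action: str
    conditions: list          # [(component, test, value), ...]
    mode: str = "all"         # "all" or "any", as in the Conditions drop-down
    enabled: bool = True


def condition_holds(message: dict, component: str, test: str, value) -> bool:
    """Evaluate one condition. A MIME header can occur once per part, so its
    value is a list and the condition holds if any part matches."""
    actual = message.get(component)
    if actual is None:
        return False
    if component == "size":                      # numeric comparison (assumed name)
        return actual > value if test == "greater than" else actual < value
    candidates = actual if isinstance(actual, list) else [actual]
    t = str(value).casefold()
    for v in candidates:
        v = v.casefold()
        if {"is": v == t, "contains": t in v,
            "starts with": v.startswith(t), "ends with": v.endswith(t)}[test]:
            return True
    return False


def filter_triggers(f: Filter, message: dict) -> bool:
    results = (condition_holds(message, *c) for c in f.conditions)
    return all(results) if f.mode == "all" else any(results)


def first_triggered(filters, message: dict):
    """Filters are evaluated in list order; the first enabled one that triggers
    supplies the action and later matches are ignored."""
    for f in filters:
        if f.enabled and filter_triggers(f, message):
            return f
    return None


def decide(filters, message: dict) -> str:
    f = first_triggered(filters, message)
    return f.action if f else "Deliver the message normally"


# The four sample filters of Figures 12-1 to 12-4, conditions inferred from the
# captions; the actions are constructed choices for this example.
FILTERS = [
    Filter("Messages larger than 3 MB", "Treat as Company-Specific Content",
           [("size", "greater than", 3 * MB)]),
    Filter("Chain letter subject line", "Treat as Spam",
           [("subject", "contains", "forward this to ten friends")]),
    Filter("Specific sender to specific recipient", "Treat as Allowed Sender",
           [("envelope from", "is", "jane@symantecexample.com"),
            ("envelope to", "is", "pat@symantecexample.com")], mode="all"),
    Filter("Attachment named .exe", "Treat as Unscannable for Viruses",
           [("mime header:content-disposition", "ends with", ".exe")]),
]

# Constructed sample messages (not real mail).
CHAIN_LETTER = {"size": 4 * MB, "subject": "Re: FORWARD THIS TO TEN FRIENDS",
                "envelope from": "someone@example.invalid",
                "envelope to": "pat@symantecexample.com",
                "mime header:content-disposition": ["inline"]}
EXE_FROM_JANE = {"size": 10 * 1024, "subject": "Invoice",
                 "envelope from": "jane@symantecexample.com",
                 "envelope to": "pat@symantecexample.com",
                 "mime header:content-disposition": ["inline", "attachment; filename=invoice.exe"]}
CLEAN = {"size": 2000, "subject": "Lunch?",
         "envelope from": "pat@symantecexample.com",
         "envelope to": "jane@symantecexample.com",
         "mime header:content-disposition": ["inline"]}

if __name__ == "__main__":
    print(decide(FILTERS, CHAIN_LETTER))                  # size filter is first in the list
    print(decide(list(reversed(FILTERS)), CHAIN_LETTER))  # reordered: chain letter filter wins
    print(decide(FILTERS, EXE_FROM_JANE))                 # allowed-sender filter precedes the .exe filter
```

Note what the last line shows: the .exe filter never sees the message because the sender/recipient filter, listed earlier, already triggered. Position and the enabled flag are therefore part of the policy, not just presentation, which is why the guide recommends thinking about list order.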

Chapter 13

Keeping your product up-to-date


This chapter includes the following topics:

About updating virus definitions
Obtaining the virus definition updates
Obtaining definitions when a new or emerging threat is discovered
Setting a local mirror of the LiveUpdate server

About updating virus definitions


Symantec Message Filter relies on up-to-date information to detect viruses and threats. One of the most common reasons that problems occur is that virus definition files are not up-to-date. Symantec regularly supplies updated virus definition files that contain the necessary information about all newly discovered viruses and threats. Regular updates of that information maximize security and guard your organization against infections and the downtime that is associated with an outbreak. The Brightmail LiveUpdate service on the Windows platform and the jlu-controller daemon on the Solaris and Linux platforms are used to update antivirus definitions on Symantec Message Filter. Table 13-1 lists the methods that you can use to obtain updated virus definitions from Symantec.

Table 13-1 Methods to obtain updated virus definitions from Symantec

Method: LiveUpdate
Description: LiveUpdate downloads and installs available definitions to update your protection. See About LiveUpdate on page 340. See Obtaining the virus definition updates on page 342. See Setting a local mirror of the LiveUpdate server on page 344.

Method: Rapid Release
Description: Rapid Release definitions are updated more frequently than the LiveUpdate definitions. These definitions can be used when you need a quick response to emerging threats. Rapid Release is an alternative to LiveUpdate. See About Rapid Release virus definitions on page 342. See Obtaining definitions when a new or emerging threat is discovered on page 344.

You must have a valid content license to install definition files. A content license is a grant by Symantec Corporation for you to update Symantec corporate software with the latest associated content, such as new definitions. When you do not have a content license or your license expires, your product does not receive the most current definitions. Your environment is vulnerable to attacks.

About LiveUpdate
LiveUpdate virus definitions undergo rigorous quality assurance testing before they are published. They are downloaded over HTTP from the Symantec LiveUpdate server through the Java LiveUpdate (JLU) client. The JLU client requires a 32-bit Java Runtime Environment (JRE) v1.5 or later. On the Linux and Solaris platforms, the JRE is bundled with the Symantec Message Filter installer. On the Windows platform, you must install the JRE before you install Symantec Message Filter. Following are the installation locations of the JLU client:

On Linux and Solaris platforms: /opt/Symantec/LiveUpdate
On Windows platform: <Program Files Folder>\Common Files\Symantec Shared\Java LiveUpdate

The configuration file for the JLU client is liveupdate.conf. The liveupdate.conf file is available in the following location:

On Linux and Solaris platforms: /etc
On Windows platform: <Common Apps Folder>\Symantec\Java LiveUpdate
  Windows 2008, for example: C:\ProgramData\Symantec\Java LiveUpdate
  Windows 2003, for example: c:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate

Symantec Message Filter uses the JLU client to download virus definitions, and the JLU client reads its configuration information from the liveupdate.conf file. The HTTP address of the LiveUpdate server is listed in this file. The JLU client creates liveupdt.log in the following location:

On Linux or Solaris platforms: /opt/Symantec/LiveUpdate
On Windows platform: <Common Apps Folder>\Symantec\Java LiveUpdate

The liveupdt.log file contains entries of JLU client activities. The JLU client also uses a working directory to download antivirus definitions temporarily; its path is provided during the Symantec Message Filter installation. The Symantec Message Filter LiveUpdate service entries are logged in the jlu_controller_log file. An additional log file, liveupdate.log, is created in the Symantec Message Filter Scanner's log directory when the JLU client experiences any error. This log file is a copy of the JLU client's LiveUpdate log file at that point.

If your organization has several Symantec Message Filter servers, you can obtain definitions at a single place on an internal server. Then you can disseminate these definitions to all of your Symantec Message Filter servers. This configuration lets you limit the amount of Internet traffic that accesses Symantec LiveUpdate. To set up the internal server, you must set up a local mirror of the LiveUpdate server. See About updating virus definitions on page 339. See Obtaining the virus definition updates on page 342. See Setting a local mirror of the LiveUpdate server on page 344.


About Rapid Release virus definitions


Rapid Release virus definitions are created when a new threat is discovered. They respond to high-level outbreaks and might be made available before the LiveUpdate definitions quality assurance process is complete. They can be augmented later on by more robust detection capabilities in certified definitions. Rapid Release virus definitions are published more frequently than LiveUpdate definitions. Rapid Release is the default option for downloading antivirus definitions in Symantec Message Filter. The definitions are downloaded over HTTP from the Symantec Rapid Release server every 150 minutes. The download interval of 150 minutes is fixed. Following are the URL entries in the bmiconfig.xml file for Rapid Release definitions downloads:

<seqUrl>http://definitions.symantec.com/defs/rapidrelease/version-info.txt</seqUrl>
<defsUrl platformControl='linux'>http://definitions.symantec.com/defs/rapidrelease/ennlu.lin</defsUrl>

You can change these URLs to point to a different Rapid Release server.

Warning: Rapid Release definitions do not undergo the same rigorous quality assurance testing as LiveUpdate definitions. Symantec encourages you to rely on the full quality-assurance-tested definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.

See About updating virus definitions on page 339. See Obtaining definitions when a new or emerging threat is discovered on page 344.

Obtaining the virus definition updates


Platinum virus definitions and Rapid Release virus definitions are the two types of virus definitions that you can obtain for your product. Symantec Message Filter is configured to obtain Rapid Release virus definitions by default. If you want to obtain Platinum virus definitions, you must enable the Platinum option in the Control Center. See Obtaining definitions when a new or emerging threat is discovered on page 344.

You can specify the source from which you want to obtain Platinum virus definitions as follows:

Symantec Website: Downloads the virus definitions directly from the Symantec LiveUpdate server. This is the default option.

LAN host: If your organization has several Symantec Message Filter servers, you can obtain definitions on an internal server. Then you can disseminate the definitions to all of your Symantec Message Filter servers. This configuration lets you limit the amount of Internet traffic that accesses Symantec LiveUpdate. In this scenario, you must specify the information for the LAN host and, if required, the proxy.

Note: The LAN host option is unavailable when you select the Rapid Release option.

See About updating virus definitions on page 339.

To obtain virus definition updates from the Symantec LiveUpdate server

1 In the Control Center, click Settings.
2 Press Shift + A to access the advanced settings.
3 Under Antivirus Ruleset, click Platinum.
4 Click Download certified virus definitions from the Symantec website. For more information on setting up a LAN host, see the LiveUpdate Administrator's Guide.
5 Click Save.

To obtain virus definition updates from a LAN host

1 In the Control Center, click Settings.
2 Press Shift + A to access the advanced settings.
3 Under Antivirus Ruleset, click Platinum.
4 Click Download virus definitions from a LAN host.
5 In the Address field, type the IP address of the LAN host.
6 In the Username field and Password field, type the user name and password, if required to access the LAN host.
7 If you use a proxy server, check Use a proxy.
8 In the Proxy host field, type a valid host name.
9 In the Proxy port field, type a valid port number.
10 In the Username field and Password field, type the user name and password, if required to access the proxy host.
11 Click Save.

Note: LiveUpdate uses the proxy that you define for the Scanner to download virus definitions from Symantec. If you download virus definitions from a LAN host, LiveUpdate uses a proxy only if you have defined one.

Obtaining definitions when a new or emerging threat is discovered


You can use Rapid Release when you need quick responses to emerging threats. Rapid Release definitions are the most useful for a perimeter defense to mitigate quickly spreading threats. Symantec Message Filter is configured to obtain Rapid Release virus definitions by default.

Warning: Rapid Release definitions do not undergo the same rigorous quality assurance testing as LiveUpdate definitions. Symantec encourages you to rely on the LiveUpdate definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.

When you enable Rapid Release virus definition updates, Symantec Message Filter uses the Symantec Web site as the source for the definition updates. See Obtaining the virus definition updates on page 342.

To obtain definitions when a new or emerging threat is discovered

1 In the Control Center, click Settings.
2 Press Shift + A to access the advanced settings.
3 Under Antivirus Ruleset, select Rapid Release.
4 Click Save.

See About updating virus definitions on page 339.

Setting a local mirror of the LiveUpdate server


A local mirror of the LiveUpdate server can be set up to download antivirus definitions at a single place. Multiple Symantec Message Filter installations can then download these antivirus definitions from the mirror. LiveUpdate Administrator downloads antivirus definitions periodically and then transfers these definitions to a distribution server (HTTP server). All other Symantec Message Filter installations download definitions from this distribution server. To set the LiveUpdate Administrator distribution server's address, you can either enter it in the advanced settings of the Control Center or directly modify the following bmiconfig.xml entry:

<platinumDefsHost defaultUrl='http://liveupdate.symantecliveupdate.com:80'>
  <customServer enabled='true'>
    <address>URL of distribution server</address>
    <username></username>
    <password plain='true'></password>
    <proxy enabled='false'></proxy>
  </customServer>
</platinumDefsHost>

To set a local mirror of the LiveUpdate server

1 In the Control Center, click Settings.
2 Press Shift + A to access the advanced settings.
3 In the Antivirus Ruleset section, select Platinum.
4 Select Download virus definitions from a LAN host.
5 Enter the LiveUpdate Administrator address.

For more information, see the LiveUpdate Administrator User Guide. See About updating virus definitions on page 339. See About LiveUpdate on page 340. See Obtaining the virus definition updates on page 342.
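As an added example (not from the guide or the product), the following Python rewrites the platinumDefsHost entry quoted above to point at a distribution server and reviews the result before it is deployed to the Scanners. Only the element shown on the page is modelled, the distribution server URL and credentials are constructed placeholders, and reading plain='true' as a clear-text password is an assumption, because the page does not document that attribute.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Added example, not from the Symantec guide or product. Only the
# <platinumDefsHost> element quoted on the page is modelled; the rest of
# bmiconfig.xml is not. Server URL and credentials below are placeholders.

PAGE_FRAGMENT = """<platinumDefsHost defaultUrl='http://liveupdate.symantecliveupdate.com:80'>
  <customServer enabled='true'>
    <address>URL of distribution server</address>
    <username></username>
    <password plain='true'></password>
    <proxy enabled='false'></proxy>
  </customServer>
</platinumDefsHost>"""


def set_custom_server(fragment, address, username="", password="", proxy=False):
    """Return the fragment with <customServer> pointed at a distribution server.
    Child names are exactly those of the quoted entry; an unexpected layout
    raises rather than being guessed at."""
    root = ET.fromstring(fragment)
    server = root.find("customServer")
    if server is None:
        raise ValueError("no <customServer> element in fragment")
    server.set("enabled", "true")
    for tag, text in (("address", address), ("username", username), ("password", password)):
        child = server.find(tag)
        if child is None:
            raise ValueError(f"no <{tag}> element in <customServer>")
        child.text = text
    proxy_el = server.find("proxy")
    if proxy_el is None:
        raise ValueError("no <proxy> element in <customServer>")
    proxy_el.set("enabled", "true" if proxy else "false")
    return ET.tostring(root, encoding="unicode")


def default_url(fragment):
    """The fallback LiveUpdate URL, which the edit must leave unchanged."""
    return ET.fromstring(fragment).get("defaultUrl")


def review(fragment):
    """Findings to resolve before the file is pushed to the Scanners."""
    root = ET.fromstring(fragment)
    server = root.find("customServer")
    findings = []
    if server is None or server.get("enabled") != "true":
        findings.append("custom server disabled: definitions come from defaultUrl")
        return findings
    address = (server.findtext("address") or "").strip()
    url = urlparse(address)
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append(f"address is not a usable URL: {address!r}")
    password = server.find("password")
    # Assumption: plain='true' means the password is kept in clear text.
    if password is not None and (password.text or "") and password.get("plain") == "true":
        findings.append("password stored in clear text (plain='true'); restrict who can read bmiconfig.xml")
    return findings


if __name__ == "__main__":
    # Constructed placeholder; replace with your LiveUpdate Administrator distribution server.
    updated = set_custom_server(PAGE_FRAGMENT, "http://lua-mirror.example.internal:7070/clu-prod")
    print(updated)
    print(review(PAGE_FRAGMENT))   # the unedited placeholder address is flagged
    print(review(updated))         # no findings
```

The review step is the part worth keeping: the page's own template ships with a literal placeholder in address and a password element marked plain, so a copy-and-edit of the entry that forgets either one is caught before every Scanner starts fetching definitions from nowhere or a credential ends up readable in a world-readable config file.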

Chapter 14

Managing Symantec Message Filter Scanners, hosts, and components


This chapter includes the following topics:

About Scanners, hosts, and components
Managing the Symantec Message Filter Scanners
Adding administrators
Specifying the insertion host
Specifying internal mail hosts
About registering your Scanner license

About Scanners, hosts, and components


The general classifications of computers that run Symantec Message Filter software are Control Centers and Scanners. These designations can be logical or physical, depending on the specific software that you install on each host. For example, you can install the Control Center software and the Scanner software on the same computer. In this case, the computer that you use becomes both your Control Center and a Scanner. In addition to setting up Symantec Message Filter-specific hosts, you also need to provide information about other hosts. For example, you need to identify the computer that reinserts messages. Also, if you do not deploy all Scanners at the gateway, you need to identify all internal mail servers that process mail for connection filtering for your Allowed Senders List and Blocked Senders List to work. See Specifying internal mail hosts on page 355.

Managing the Symantec Message Filter Scanners


You can manage the Symantec Message Filter Scanners by doing any of the following:

Adding a Scanner
Testing a Scanner
Editing a Scanner
Enabling and disabling a Scanner
Deleting a Scanner
Viewing the status of Scanners and components
Starting and stopping Symantec Message Filter Scanners and components

Adding a Scanner
Adding a Scanner requires several tasks to complete the process, as follows:

Set up the Scanner: When you install the Scanner, specify the host name, IP address, and port for the Scanner.

Specify the components to enable: In the next stage of the Scanner configuration, decide which components you want to enable and configure. The components that you can enable are the Client and the Server. You can enable one or both of these components.

Configure the Server: Configuring a Server consists of the following tasks:
  Specify the port that the Server uses. For the Client and the Server to communicate with each other, you must provide the port number. You need to provide the network address of the computer that runs the Server.
  Specify optional proxy server configuration for the Conduit. The Conduit enables secure HTTPS transmission of the filter updates that are sent from the BLOC to your Scanner. It also sends statistics information from your Scanners to the BLOC. The Conduit is pre-configured to connect to the necessary URLs for a given rule type or to the BLOC for statistics transmissions. If your site requires a proxy server for HTTPS Web access, you must specify it.

Set up Server connections for the Client: To configure the Client, you must specify the available Servers to which the Client can connect.

To set up the Scanner

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Brightmail Scanners.
3 Click Add.
4 In the Scanner description box, specify a name for the Scanner.
5 In the Hostname/IP address box, type the fully qualified hostname or IP address for the Scanner that you want to add.
6 In the Agent port box, accept the default port that the Agent uses. Do not change the Agent port value.
7 Click Next.

To specify the components to enable on a Scanner

1 Check the components that you want to enable.
2 Click Configure beside the component that you want to configure.

To configure the Server

1 On the Configure Brightmail Server page, type the port number on which the Server listens for Client connections. Only one port can be specified per server.
2 If you need to configure a proxy server for the Conduit, check Use a proxy server to receive filter updates.
3 In the Address box, type the address for your proxy server. Typically, this address is specified as a server name or IP address.
4 In the Port box, type the port that your proxy server uses.
5 In the User name box, type your user ID for authentication, if required.
6 In the Password box, type your password, if required. Your password does not appear on the page as you type it.
7 In the Confirm password box, type your password again.
8 Click Save.


To set up Server connections for Clients

Do one of the following:

To add a Server: Select a server from the Available Brightmail Servers list, and then click Add.
To prevent a Server from receiving client connections: Select a server from the Connected Brightmail Servers list, and then click Remove.

Testing a Scanner
After you add a Scanner, you can quickly test whether the Scanner is up and whether the Agent is able to make a connection.

To test a Scanner

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Brightmail Scanners.
3 On the Brightmail Scanners page, select the hosts that you want to test, and then click Test. If the test is successful, feedback appears at the top of the page.

Editing a Scanner
After you set up a Scanner, you can go back and edit the configuration. For example, you can change the host IP address or enable different components.

To edit a Scanner

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Brightmail Scanners.
3 On the Brightmail Scanners page, select the host that you want to edit, and then click Edit. You can also click the underlined description of a Scanner to go directly to the Edit Brightmail Scanner page.
4 Make any changes to the host components or included components as you did when you added the Scanner. See Adding a Scanner on page 348.
5 Click Save.


Enabling and disabling a Scanner


For troubleshooting or testing purposes, you might need to disable and then re-enable a Scanner. Also, before you delete a Scanner, you must disable it. A disabled Scanner does not process mail.

To enable or disable a Scanner

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Brightmail Scanners. A red x in the Enabled column indicates that the Scanner is disabled. A green check mark in the Enabled column indicates that the Scanner is enabled.
3 In the list of available Scanners, do one of the following:
  To enable a Scanner: Check the box beside the Scanner description to select it, and then click Enable.
  To disable a Scanner: Check the box beside the Scanner description to select it, and then click Disable.
  The list updates to reflect the change.

Deleting a Scanner
When you delete a Scanner through the Control Center, you do not physically remove the Scanner software; you only remove the specific Scanner definition from the Control Center database. To prevent a Scanner from continuing to run after you delete the definition, make sure you disable it before you delete it. See Enabling and disabling a Scanner on page 351.

To delete a Scanner

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Brightmail Scanners.
3 On the Brightmail Scanners page, check the box beside the Scanner description that you want to delete, and then click Delete.
4 In the confirmation dialog box, click OK to confirm.

Viewing the status of Scanners and components


You can view more detailed status for all your configured Scanners and for the Quarantine from one central location on the Control Center. You can also selectively stop and start components and Brightmail Scanners from this page.

The Status page shows the following information:

Quarantine information (if you use the Quarantine)
The configured Scanners in your network
The associated components for each Scanner
The status (running or not) of the hosts and components

To view the status of Scanners and components

In the Control Center, click the Status tab.

Starting and stopping Symantec Message Filter Scanners and components


You can start and stop Symantec Message Filter Scanners and most components from the Status page. You can work with individual components on a specific Scanner or you can start or stop all components on all Scanners with one operation.

To start or stop Symantec Message Filter Scanners and components

1 In the Control Center, click the Status tab.
2 Select the Scanner or component that you want to start or stop. To select all components on all Scanners, click Components.
3 Do one of the following:
  To stop a component, click Stop.
  To start a component, click Start.

Adding administrators
You can create additional administrator accounts and grant each administrator the level of management privileges for different components of Symantec Message Filter. For example, you might want to delegate management of the Quarantine to another administrator who is only able to modify Quarantine settings. When you grant an administrator limited privileges, you can assign any or all of the following management actions:

Manage the Quarantine
Manage status and logs
Manage reports
Manage group policies


The available tabs and settings in the Control Center change dynamically depending on your level of administrator privileges. Once you log on as an administrator, you only see the tabs that are pertinent to your management privileges. Only administrators with full privileges can create a new administrator account. The following sets of privileges apply to the specified administrator levels:

Full Administrative Privileges
    This level of privileges includes access to the following:
        Summary tab
        Status tab
        Reports tab
        Logs tab
        Quarantine tab
        All links on the Settings tab

Limited Privileges: Manage Quarantine
    This level of privileges includes access to the following:
        Quarantine tab
        Settings tab with the following links only: Administrators, LDAP, Quarantine

Limited Privileges: Manage Status and Logs
    This level of privileges includes access to the following:
        Summary tab
        Status tab
        Logs tab
        Settings tab with the following links only: Administrators, Logs

Limited Privileges: Manage Reports
    This level of privileges includes access to the following:
        Reports tab
        Settings tab with the following links only: Administrators, Reports

Limited Privileges: Manage Group Policies
    This level of privileges includes access to the following:
        Settings tab with the following links only: Administrators, Group Policies


To add an administrator

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Administrators.
3 Click Add.
4 In the User name box, type the name of the administrator that you want to add.
5 In the Password box, type the administrator's password.
6 In the Confirm password box, type the password again to confirm.
7 In the Email address box, type the new administrator's email address.
8 Check Receive alert notifications if you want Symantec Message Filter to email the administrator when error conditions arise with Symantec Message Filter components. You can define these error conditions in the Alerts page on the Settings tab. See Setting up event-based alerts on page 368.
9 Under Privileges, do one of the following:
    To add an administrator with access to all available Control Center settings: Click Full Privileges.
    To add an administrator with limited access: Click Limited Privileges and check the boxes according to the management roles that you want to assign.
10 Click Save.

Specifying the insertion host


During the filtering process, Symantec Message Filter must periodically remove a message from the mail flow, modify it, and then reinsert it back into the mail stream. Symantec Message Filter also generates messages, such as email notifications and message quarantine digests, that must be sent unfiltered to administrators and end users. Note the following when you specify an insertion host:

Supported syntax
    Specify an IP address or hostname (for example, 192.168.9.12 or symantecexample.com). Specify 127.0.0.1 to use the current computer.

Optional insertion host specific to antivirus operations
    Symantec Message Filter diverts the messages that contain known viruses through a virus cleaner, then re-inserts them into the mail stream. During this process, if the virus can be isolated from the mail message, it is removed. Otherwise, all message content is stripped and replaced with text that notifies the recipient of the fact.

You can specify one insertion host for cleaned messages and another insertion host for all other messages.

To specify the insertion host

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click SMTP Insertion Hosts.
3 Under Brightmail Control Center, in the Host box and Port box, type the SMTP server that the Control Center uses. This server is used to send the following types of messages:
    Messages that are released to the inbox by Quarantine users
    Alerts
    Reports
4 Under Brightmail Scanners, click the Brightmail Scanner drop-down list and select a Scanner.
5 In the Host and Port boxes, type the SMTP server that delivers the messages that are cleaned by Symantec Message Filter.
6 In the next set of Host and Port boxes, type the insertion host that delivers all other reinserted messages.
7 Click Save.

Specifying internal mail hosts


To provide accurate source-based filtering for the Allowed Senders List and the Blocked Senders List, Symantec Message Filter needs to know which IP addresses are internal to your organization. Internal servers are typically internal relay servers or the mailbox servers that are located downstream from the gateway servers. A gateway server is usually deployed at or near the Internet and accepts incoming Internet email messages and forwards these messages to the appropriate internal mailbox servers.


If you deploy Symantec Message Filter anywhere else but at the gateway, you need to provide information about your internal mail or MX network. With this information, Symantec Message Filter can extract a message's logical connection address, which is the connection address obtained where the message entered your network. In non-gateway deployments, Symantec Message Filter uses this logical connection to match against the IP connections that are specified on your Allowed Senders List, Blocked Senders List, or the Safe List that the Reputation Service provides. See About adjusting MX records for Symantec Message Filter software on page 42.

Note: You can disregard this section if all your Scanners are deployed at the gateway.

Note the following considerations about internal mail hosts:

Symantec Message Filter bases its view of your network on the specified internal address ranges and on the received headers that remain intact between the edge of your network and the computers on which the Scanners are deployed.
If you choose to provide a hostname when you identify an internal host, ensure that the hostname resolves to a single address.
The use of internal mail hosts settings to extract logical connections applies only to the Blocked Senders List, the Allowed Senders List, and the Safe List. It does not apply to reporting, custom filters, or other features that make use of IP connection addresses. In those cases, you should deploy Symantec Message Filter at the gateway if you want to receive the most complete information about IP addresses.
You do not need to specify any private address space (for example, 192.168.0.0/8 or other subnets that are defined as private in RFC 1918) in the internal address range. These addresses are automatically incorporated into the internal address range.

Note: Instead of only identifying the address range for your MX/mail network, you can add your entire internal network range in one step (x.y.z.0/24). With this method, if you ever add new mail servers, new networks, or add IP addresses to your network, you do not need to adjust the settings on this page. If you choose this method, the Reputation Service does not apply to these addresses. (The consequences of this method are minimal since the addresses are from your own network.)
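The logical-connection extraction described above, shown as an added example that is not the product's own code and does not reproduce its implementation: the Received headers are walked from the Scanner outward, every hop that falls inside the configured Internal Mail Host ranges (or the RFC 1918 and loopback ranges, which the guide says are always internal) is skipped, and the first remaining address is the one the message connected from when it entered the network. The sample headers, the host names and the internal range 198.51.100.0/24 are constructed for the example; hostnames as Internal Mail Host entries are not handled, only IP addresses and CIDR ranges.

```python
import ipaddress
import re

# RFC 1918 private ranges and loopback (standard values, not taken from the guide).
# The guide states that private address space is added to the internal range
# automatically, so these are always treated as internal here.
ALWAYS_INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Connecting address as written in a Received: header, e.g. "(host [203.0.113.5])".
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample headers: the message entered at the gateway (198.51.100.10)
# from 203.0.113.5 and crossed one private relay before reaching the Scanner.
SAMPLE_HEADERS = """\
Received: from relay1.corp.example (relay1.corp.example [10.1.2.3])
\tby mbox.corp.example with ESMTP; Mon, 4 Aug 2008 12:46:13 -0700
Received: from gw.corp.example (gw.corp.example [198.51.100.10])
\tby relay1.corp.example with ESMTP; Mon, 4 Aug 2008 12:46:12 -0700
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
\tby gw.corp.example with ESMTP; Mon, 4 Aug 2008 12:46:11 -0700
Received: from [192.0.2.77] by mail.sender.example; Mon, 4 Aug 2008 12:46:10 -0700
From: sender@sender.example
To: jdoe@corp.example
"""


def unfold_headers(raw):
    """Join folded header lines (continuation lines start with SP or HTAB)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw_headers):
    """Connecting IPs from the Received: headers, top of message first.

    The top header was added by the hop closest to the Scanner, so this is the
    order in which the hops must be walked outward.
    """
    ips = []
    for line in unfold_headers(raw_headers):
        if line.lower().startswith("received:"):
            match = _BRACKETED_IP.search(line)
            if match:
                ips.append(match.group(1))
    return ips


def build_internal_ranges(entries):
    """Configured Internal Mail Host entries (IPs or CIDR ranges) plus the ranges
    that are always internal. Hostname entries are not supported in this example."""
    return [ipaddress.ip_network(e, strict=False) for e in entries] + ALWAYS_INTERNAL


def is_internal(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def logical_connection(raw_headers, internal_entries):
    """Return the first hop, walking from the Scanner outward, that is not internal:
    the address the message connected from when it entered the network.
    Returns None when every hop is internal (for example, internally generated mail)."""
    ranges = build_internal_ranges(internal_entries)
    for ip in received_ips(raw_headers):
        if not is_internal(ip, ranges):
            return ip
    return None


if __name__ == "__main__":
    # With the gateway range configured, the sender's address is found.
    print(logical_connection(SAMPLE_HEADERS, ["198.51.100.0/24"]))  # 203.0.113.5
    # Without it, the gateway's own public address is mistaken for the sender.
    print(logical_connection(SAMPLE_HEADERS, []))  # 198.51.100.10
```

The second call shows why non-gateway deployments need the Internal Mail Hosts list: a gateway on public address space is not covered by the automatic RFC 1918 ranges, so without the entry its address would be the one compared against the sender lists. Note also that only the hops down to the gateway can be trusted; the headers below it were written by systems outside your control, which is why the walk stops at the first non-internal address.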


To specify internal mail hosts

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Internal Mail Hosts.
3 Because one or more Brightmail Scanners are deployed on non-gateway mail servers, click No.
4 Under Internal Mail Host, click Add.
5 On the Add Internal Mail Host page, type the mail server. You can provide the hostname, IP address, or IP range. Do not specify hostnames that DNS resolves to multiple addresses or to a randomly selected address.
6 Click Save.
7 Do one of the following:
    To edit an internal mail host: Select the host, and then click Edit. Make any changes, and then click Save.
    To remove an internal mail host from the list: Select the host, and then click Delete.
    If you are finished working with the list of internal mail hosts: Click Save.

About registering your Scanner license


For Symantec Message Filter to be fully functional, you must register two licenses. One license activates scanning. The other license lets you obtain updated filters from Symantec. When no license is registered, you can still access the Control Center. However, the Scanner is disabled and you do not receive any updated filters. You can only register one license when you install the product. You must install the second license after installation is complete. For client-only Scanners, registration is not required. License registration involves the following process:


Obtain a license file from Symantec.
    To request a license file, you must have the license serial number for each license that you want to activate. After you complete the registration process, Symantec sends you the appropriate license file by email. You must register the license for the Scanner to scan email messages and receive updated filters.

Register the license file.

Symantec issues a serial number for each type of license that you purchase. Each serial number must be registered (individually or at the same time) to receive a license key for the associated license. License keys are delivered in a Symantec license file (.slf).

The serial number is provided on a license certificate, which is mailed separately and arrives in the same time frame as your software. For security reasons, the license certificate is not included in the software distribution. If you upgrade from a previous version of the product and you have an active maintenance contract, you might receive the serial number certificate with an upgrade insurance letter.

Your license certificate should arrive within three to five business days of when you receive your software or subscribe to Symantec Premium AntiSpam. The license certificate contains the serial numbers for the licenses that you have purchased. If you do not receive the license certificate, contact Symantec Customer Service at 800-721-3934 or your reseller to check the status of your order. If you have lost your license certificate, contact Symantec License Administration.

To request a license file, you must have the serial number that is required for activation. (Each license has a separate serial number.) The serial number is used to request a license file and to register for support. The serial number is printed on the license certificate that was mailed to you. The format of a serial number is a letter followed by 10 digits; for example, F2430482013.

The license file that Symantec sends to you is contained within a .zip file. The .slf file inside the .zip file is the actual license file. Ensure that your inbound email environment permits .zip email message attachments.

Warning: License files are digitally signed. If you attempt to edit a license file, you corrupt the file and render it invalid.

To renew a license that has expired, contact your Symantec sales representative.
See Where to get more information about Symantec Message Filter on page 24.


To obtain a license file

1 In a Web browser, type the following address:
    https://licensing.symantec.com/acctmgmt/index.jsp
  Your Web browser must use 128-bit encryption to view the site.
2 If a Security Alert dialog box appears, click OK.
3 Follow the instructions that are provided on the Web site to request a license file.
4 When you receive the email message from Symantec that contains the license file, save the license file to a location that is easily accessible. The file is delivered as a .zip file. You must extract the file contents from the .zip file.

To register your Scanner for Linux and Solaris

1 As root user and from the /opt/symantec/sbas/Scanner/sbin directory, run the registration script:
    $ su root
    # cd /opt/symantec/sbas/Scanner/sbin
    # ./register.sh
  If you use a non-default directory, replace /opt/symantec/sbas/Scanner with /$loadpoint/.
2 Type the path of your license file.

To register your Scanner for Windows

1 Browse to the installation location of your Scanner files. The default installation location is as follows:
    C:\Program Files\Symantec\SBAS\Scanner\Bin
2 Double-click the following file:
    regwizard.exe
  The Brightmail Registration Wizard appears.
3 On the Brightmail Registration Wizard pane, click Next.
4 Type the location of your license file or browse to the location and select your Symantec license file (.slf), and then click Next.
5 If your site requires a proxy server for HTTPS access, click Proxy Settings to specify the proxy server.
6 Click Finish to exit the Registration Wizard.

Chapter 15

Monitoring the Symantec Message Filter status and events


This chapter includes the following topics:

About monitoring the system status
Working with Logs
Setting up event-based alerts
Checking the versions of Symantec Message Filter components

About monitoring the system status


You can monitor the following status information on the Summary tab in the Control Center:

An at-a-glance look at how Symantec Message Filter is performing
Graphs for recent spam and virus filtering statistics
Summary status about filters and enabled components

Table 15-1 shows the information that is available on the Summary tab.


Table 15-1 Summary tab status information

Item: System Status
Summarizes: The summary status shows the following information:
    Whether antivirus or antispam filtering is enabled or disabled
    Whether Servers are accessible
    Whether filters are current. Filters are considered out-of-date if an update has not been received in the time frame that is specified in the Alerts page on the Settings tab.
    Quarantine disk space usage
Available operations: If available, click the links in the right-most column to go to the Status tab for more information.

Item: Last 60 Minutes
Summarizes: Message processing and filtering over the last 60 minutes
Available operations: None.

Item: Totals Since date
Summarizes: Message processing and filtering statistics since a point in time
Available operations: Reset to clear the values and start a new point in time.

Item: Last 24 Hours
Summarizes: Message processing and filtering over the last 24 hours
Available operations: Use the Display list to choose whether to chart percentages of caught spam, viruses, or both.

Item: Last 30 Days
Summarizes: Message processing and filtering over the last 30 days
Available operations: Use the Display list to choose whether to chart percentages of caught spam, viruses, or both.

Working with Logs


Each Scanner maintains a database of log information. When you view these logs on the Control Center, you can diagnose error conditions and keep track of many aspects of your system during its operation. You can choose to store logging data for the following Symantec Message Filter components:

Server
Client
Conduit
Harvester
AntiVirus Cleaner
LiveUpdate

You can designate the severity of errors that you want written to the log files. Symantec Message Filter provides several logging levels, with each successive level including all errors from the previous levels. The default logging level for each Symantec Message Filter software component is Warnings. Your choices, from the least to the greatest amount of error reporting, are as follows:

Errors
Warnings
Notices
Information
Debug

Symantec Message Filter provides a message auditing component that lets you save the message audit logs to bmserver logs or system logs. The Message audit log provides you with a trail of detailed information about every message that has been accepted and processed by a Scanner. Auditing information is used to track what decisions were made within a single Scanner framework. The Message audit log does not replace debug or information level logging. Unlike standard Scanner logging, the Message audit log provides information specifically associated with a message. Bmserver logs are saved in the bmserver_log.txt file at the following locations:

Windows scanner: Scanner\Logs\bmserver_log.txt
UNIX scanner: /var/log/brightmail/bmserver_log

The configuration of the facilities lets you direct messages to various local files. When you use Syslog, the specified facility does all the logging. The default facility is mail. You can configure Syslog for the following facilities: kern, mail, user, daemon, auth, lpr, news, uucp, cron, local0, local1, local2, local3, local4, local5, local6, local7. See Configuring the syslog.conf file for Syslog facilities settings on page 366.

To limit the size of the database that stores log data on Symantec Message Filter Scanner computers, Symantec Message Filter stores seven days of log data with a maximum storage allotment of 512 MB. If the database already has 512 MB of data or seven days of data, the oldest log data is deleted as new log data comes into the system. To keep more log data for a longer period, you can change the default maximum log size and retention period settings. See Modifying Log settings on page 364.

Modifying Log settings


You can modify the Log settings to specify Log levels for the Symantec Message Filter components and to specify the Log storage limits.

To modify Log settings

1 In the Brightmail Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Logs.
3 Click the Host description drop-down list and select the Scanner for which to adjust log settings.
4 For each component listed, select a log level that corresponds to the severity of errors that you want written to the log file.
5 Select Enable message audit log to save the logs for scanned messages.
6 Do one of the following:
    Select Bmserver log: Saves the Message audit logs to Bmserver logs. To enable Message audit log with Bmserver log, the log level must be Notice, Information, or Debug.
    Select Event log: Saves the Message audit logs to Windows event logs.
    Select Syslog: Saves the Message audit logs to UNIX syslog. Select the appropriate syslog facility from the Facility list. Based on the facility level, the logs are directed to different files. You must configure the /etc/syslog.conf file for the desired facility. This file stores the information about facilities and the locations of the log files. See Configuring the syslog.conf file for Syslog facilities settings on page 366.
7 If desired, select Apply to all Hosts to apply the same log level settings to all hosts. If you select Event Log for your Windows scanner and select Apply to all Hosts, UNIX scanners are configured for Syslog with the default facility.
8 Under Log Storage Limits, do any of the following to keep the size of logs manageable:
    To restrict the size of the database that stores log data: Check Maximum log size, type the size, and click the drop-down list to specify KB, MB, or GB.
    To restrict the number of days for which Symantec Message Filter logs data: In the Number of days to store logs box, type the number of days.
9 Under Log Display, in the Number of logs to display per page box, type the number of log entries to display per page on the Logs tab.
10 Click Save.
   You must restart the selected component for changes to log file locations to take effect.
11 Do one of the following:
    Click OK to save your settings and restart the component.
    Click Cancel to save your settings without restarting the component.

Viewing and saving logs


You can view logs for a specific Scanner or you can view logs for all Scanners. You can also save logs to a text file to review later and edit with another application, such as Excel.

To view logs

1 In the Control Center, click the Logs tab.
2 Under Filter, do all of the following:
    Click the Host drop-down list and select a Scanner. Click All to view log data for all configured Scanners.
    Click the Component drop-down list and select the specific component for which you want to view log information. Click All to view log data for all components.
3 In the Time range list, do one of the following:
    To specify a preset range: Select one of the following: Past Hour, Past Day, Past Week, Past Month.
    To specify a different time period: Click Customize, and then click the calendar icons to the right of the Start Date and End Date to graphically select a time range.
4 Click the Severity drop-down list to select the type of errors that you want to view.
5 Click Display. The Logs tab updates to show the log entries that are based on the filter that you created. Log entries are presented in summary form as rows in a table. Click the Description link to view details.

After the logs appear in the browser, you can do any of the following:
    To save the log information for the current query to a text file for further review: Click Save Log, and then in the next dialog box, click Save.
    To remove all stored log data: Click Clear All Logs, and then click OK to dismiss the confirmation message.
    To adjust settings for the Logs, such as the number of entries to display on a page or the logging levels: Click Settings.

Configuring the syslog.conf file for Syslog facilities settings


If you have a scanner on UNIX and you want to enable Message audit log for syslog, you must configure /etc/syslog.conf. This file describes the use of UNIX syslog as a logging and auditing mechanism for operating systems and applications. It provides administrators with a single point of management to collect, distribute, and process the data. You can configure this file for the desired facility, log level, and the log file locations. Based on the facility level, the logs are directed to different files. Before you configure this file for the desired facility, check the existing settings in the /etc/syslog.conf file on your computer. This file may already have the settings for the facility that you want to configure.

To configure the syslog.conf file for syslog facility settings

1 Browse to /etc/syslog.conf and open the file.
2 Do any of the following:
    To add a facility, log level, and log file location: Type the facility name followed by a period and the log level. Then press TAB and type the file name.
        Facilityname.level TAB filename
      For example, mail.notice /var/log/maillog
    To log the messages for all facilities at the desired level: Type an asterisk and a period (*.) before the log level. Then press TAB and type the file name.
        *.level TAB filename
      For example, *.debug filename
    To log messages of all levels that the facility generates: Type the facility name followed by a period and an asterisk (.*). Then press TAB and type the file name.
        Facilityname.* TAB filename
      For example, kern.* filename
    To stop all logs from being written to log files simultaneously: Type the facility name followed by a period and the log level. Then press TAB and type a hyphen (-) directly before the log path.
      For example, mail.notice -/var/log/maillog
3 Save the syslog.conf file.
4 To restart the syslogd daemon so that it rereads the configuration file, type one of the following at the command line:
    Linux and Solaris 8.x/9.x: /etc/init.d/syslog restart
    Solaris 10: svcadm refresh svc:/system/system-log:default

See Working with Logs on page 362.
See Modifying Log settings on page 364.

See Working with Logs on page 362. See Modifying Log settings on page 364.

About tracking messages with the SMTP message ID


Symantec Message Filter includes the SMTP message ID in the log entries. The SMTP message ID lets you trace a specific message across your infrastructure as it passes through the message flow. An example of a log entry that contains the SMTP message ID appears as follows:

4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/module_api.c:823] envelope from: <jdoe@symantecs.org>
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/module_api.c:831] helo from: symantecexp
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/bmi_extractips.c:565] parsed ip 172.16.0.0 as 172.16.0.0
4 Aug 2008 12:46:13 (NOTICE:18168.6): [27166] [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] Message For: <jdoe@symantecs.org> returned Disposition: <null>. Default destination will be returned for normal delivery.
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/blt_mta_api.c:1150] Disposition Settings for:jdoe@symantecs.org Destination:[(null)] ActionType:[0]
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/blt_mta_api.c:1236] ActionTable: 0 Unique Entry: 562A8F3EE4E5C94981E2259E3253BEB1 Recips: 1
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/blt_mta_api.c:7089] bmiEndMessage: UniqueActionEntries across all tables: 1

The bracketed value F28D9477302544B18B5D0C98FD5CDC79@symantecexp that appears in each entry is the SMTP message ID.
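A way to make use of the SMTP message ID when working with saved bmserver logs, shown as an added example that is not part of the guide or the product: the parser recognizes the entry layout shown above (timestamp, level and thread in parentheses, bracketed message ID, optional source location), groups entries by message ID so that one message can be traced through a log that interleaves many messages, and pulls out the disposition line for each message. The sample log below is constructed from the format shown above; the second message ID, its sender and the disposition value constructed-example are placeholders, not product values.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the guide. Entries from two messages
# are interleaved; the last line is deliberately not a log entry.
SAMPLE_LOG = """\
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/module_api.c:823] envelope from: <jdoe@symantecs.org>
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/module_api.c:831] helo from: symantecexp
4 Aug 2008 12:46:14 (DEBUG:18168.7): [0123456789ABCDEF0123456789ABCDEF@symantecexp] [src/module_api.c:823] envelope from: <sender@example.net>
4 Aug 2008 12:46:13 (DEBUG:18168.6): [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] [src/bmi_extractips.c:565] parsed ip 172.16.0.0 as 172.16.0.0
4 Aug 2008 12:46:13 (NOTICE:18168.6): [27166] [F28D9477302544B18B5D0C98FD5CDC79@symantecexp] Message For: <jdoe@symantecs.org> returned Disposition: <null>. Default destination will be returned for normal delivery.
4 Aug 2008 12:46:14 (NOTICE:18168.7): [27167] [0123456789ABCDEF0123456789ABCDEF@symantecexp] Message For: <jdoe@symantecs.org> returned Disposition: <constructed-example>.
this line is not a log entry and is ignored
"""

# "4 Aug 2008 12:46:13 (DEBUG:18168.6): <rest of entry>"
_ENTRY = re.compile(
    r"^(?P<ts>\d{1,2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2}) "
    r"\((?P<level>[A-Z]+):(?P<thread>[\d.]+)\): ?(?P<rest>.*)$"
)
# The SMTP message ID is the bracketed token that contains an "@"; other bracketed
# tokens (such as [27166] on NOTICE lines) do not.
_MSGID = re.compile(r"\[(?P<id>[^\[\]\s]+@[^\[\]\s]+)\]")
# Optional source location such as [src/module_api.c:823].
_SOURCE = re.compile(r"\[(?P<src>src/[^\]]+)\]")
_DISPOSITION = re.compile(r"returned Disposition: <(?P<disp>[^>]*)>")


def parse_entry(line):
    """Parse one bmserver log line; return None for lines that are not entries."""
    match = _ENTRY.match(line)
    if not match:
        return None
    rest = match.group("rest")
    id_match = _MSGID.search(rest)
    src_match = _SOURCE.search(rest)
    return {
        "ts": match.group("ts"),
        "level": match.group("level"),
        "thread": match.group("thread"),
        "msgid": id_match.group("id") if id_match else None,
        "source": src_match.group("src") if src_match else None,
        "text": rest,
    }


def index_by_message_id(log_text):
    """Group parsed entries by SMTP message ID, preserving log order."""
    index = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry["msgid"]:
            index[entry["msgid"]].append(entry)
    return index


def trace_message(log_text, msgid):
    """All entries for one message, in the order they were logged."""
    return index_by_message_id(log_text).get(msgid, [])


def dispositions(log_text):
    """Map each message ID to the disposition recorded on its NOTICE line."""
    result = {}
    for msgid, entries in index_by_message_id(log_text).items():
        for entry in entries:
            disp = _DISPOSITION.search(entry["text"])
            if disp:
                result[msgid] = disp.group("disp")
    return result


if __name__ == "__main__":
    msgid = "F28D9477302544B18B5D0C98FD5CDC79@symantecexp"
    for entry in trace_message(SAMPLE_LOG, msgid):
        print(entry["ts"], entry["level"], entry["source"], entry["text"][:60])
    print(dispositions(SAMPLE_LOG))
```

Because the ID is carried on every entry, filtering on it gives the complete decision trail for one message even when the Scanner handles several connections at once; the disposition map is the quick summary you would cross-check against the group policy when a user reports an unexpected delivery or quarantine.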

Setting up event-based alerts


When certain operating conditions arise, Symantec Message Filter automatically sends email alerts to administrators.

The conditions that generate alerts are as follows:

A component does not respond or is not working.
Antispam filters and antivirus filters are older than a specified time. You can specify when filters are considered out of date.
Disk space is low.

Symantec Message Filter monitors these settings when it displays the filter status on the Summary tab and Status tab. You can also specify who to inform by email when alert conditions arise.

To set up event-based alerts

1 In the Control Center, click the Settings tab.
2 In the left pane, under System Settings, click Alerts.
3 Under User Notification, type the email addresses of the users who should receive alerts. Separate multiple email addresses with commas.
4 In the Send from box, type the email address that the alert should appear to be from.
5 Under Alert Conditions, check the boxes next to the conditions for which you want to send alerts.
6 If you want to be notified when filters are out of date, complete the necessary date boxes. To avoid receiving unnecessary alerts, do not set the "AntiSpam filters are older than" setting to less than 2 hours. While most antispam filters are disseminated every 5 minutes to 10 minutes, the Reputation Service filters are updated every hour or so. Also note that antivirus definitions are not propagated as frequently as antispam filters.
7 Click Save.

Checking the versions of Symantec Message Filter components


You can check the versions of the following software that you have installed:

Brightmail Control Center
Brightmail Quarantine
Java
MySQL

To check the versions of Symantec Message Filter components

In your Internet browser, type the following:
    http://localhost:port/brightmail/BrightmailVersion
where port is the port that Tomcat uses, typically 41080.

Appendix

Creating filters by coding in Sieve


This appendix includes the following topics:

About creating filters in Sieve
Working with manually edited Sieve filters file
Sieve implementation details
Sample Sieve scripts

About creating filters in Sieve


If you are familiar with the Sieve language, you can create custom filters by editing a Sieve filters file instead of using the Custom Filters Editor. Symantec Message Filter provides an implementation of Sieve. The Sieve filters file that you create must adhere to this implementation for UNIX and for Windows. This section describes the differences between the RFC3028 version of Sieve and the Symantec Message Filter implementation of Sieve. This section assumes that you have a thorough understanding of all Sieve commands, particularly those not included here. For a generalized description of Sieve and descriptions of the require and header control commands, go to the following URL on the Internet:
    www.faqs.org/rfcs/rfc3028.html

Note: Symantec Technical Support does not provide support for how to write or modify Sieve scripts. For help with Sieve scripts, contact your system administrator.


Working with manually edited Sieve filters file


Consider the following guidelines as you write Sieve scripts:

Restart the Symantec Message Filter Server after you edit the Sieve script.
    Whenever you manually edit the Sieve filters file, you need to restart all the Symantec Message Filter Servers for the new Sieve filters to take effect. See Starting and stopping Symantec Message Filter Scanners and components on page 352.

The Custom Filters Editor erases changes to the Sieve filters file.
    Although you can manually edit the Sieve code that the Custom Filters Editor creates, when you add another filter with the Custom Filters Editor, your manual changes are overwritten.

Avoid nesting if-then statements.
    Deeply nested if-then statements can result in impaired performance. Consider writing long sequences of separate if-then statements.

Pay attention to white space.
    Multiple white spaces in an email header or body are treated as a single space character (ASCII 0x20). For example, "  foo" is treated as " foo".

Terminate execution promptly.
    In general, you should terminate execution as early in the script as possible. For example, use stop statements immediately after an action is specified. You might also structure scripts so that conditions with the highest probability of matching appear first. For example, if all messages from symantecsexample.org can trigger the matched action, and if most of your messages come from symantecsexample.org, then test for symantecsexample.org early in the script. The body test is the most CPU-intensive, so you might want to add it as the last test in a sequence, so that other, less intensive tests trigger first.

Remember that encoded headers are not decoded before being tested.
    Headers that contain text with RFC2047 encodings are tested based on their encoded values. Note that mail clients display the decoded values of these headers.

Sieve implementation details


Below are the implementation details that can help you with Sieve coding.


Sieve filters file location


Upon initialization, Symantec Message Filter Servers attempt to retrieve the Sieve filters that are stored in the file sieve_script.txt, located in the following directories:

Linux and Solaris: /opt/symantec/sbas/Scanner/
Windows: C:\Program Files\Brightmail\Config

You can review a sample file of Sieve filters in the following subfolders:

Linux and Solaris: /opt/symantec/sbas/Scanner/etc/sieve_script.sample.txt
Windows: C:\Program Files\Brightmail\etc\sieve_script.sample.txt

To use Sieve scripts, copy the sample file to the file named sieve_script.txt. After you make changes to custom filters in this file, follow the procedures to import a Sieve-coded custom filters file. See Importing a Sieve-coded custom filters file on page 334.

Supported Sieve commands


The Sieve language contains the following types of commands:

Control
Action
Test

Symantec Message Filter supports the control commands that are described at the following URL: http://www.faqs.org/rfcs/rfc3028.html

The following sections provide documentation on the Action and Test commands in the Symantec Message Filter implementation of Sieve. You should only use the keep and matched (equivalent to sideline) action commands in the Symantec Message Filter implementation of Sieve for Windows. Do not use any of the other action commands that are described in RFC3028 in your Sieve scripts. For example, instead of using the discard Action command in your group policies, set the action to take for Company-specific Content (messages that match custom filters) to Delete the message. See To edit an existing group policy on page 245.


Sieve Action commands


The Symantec Message Filter implementation of Sieve supports the following Action commands:

keep: The keep command files a message into the user's inbox. If a message does not match any filters in your Sieve script, that message has an effective action of keep and is delivered to the user's inbox.

matched: The matched command indicates that a test condition is met regarding the message that is being processed. The command is an extension to the standard set of Sieve Action commands. When a match occurs, the message is handled with the action that is specified for Company-specific Content for the group policy that applies to the recipient. The capability string to specify for the matched command with require is sideline.

Syntax: matched

For example:

require "sideline";
if allof (header :is "to" "jdoe@symantecexample.com",
          header :is "subject" "job opening") {
    matched;
    stop;
}

In this example, all messages that are sent to jdoe@symantecexample.com with the words "job opening" as the subject line are processed based on the action that is specified for Company-specific Content for the group policy that applies to the recipient (in this example, jdoe@symantecexample.com).

Sieve test commands


The Symantec Message Filter implementation of Sieve for Windows includes standard, modified, and new test commands.


The following standard Sieve test commands are supported:

address: Tests for the presence of specific email addresses in header lines. Your system's performance may degrade if you search for a long list of email addresses.
allof: Performs a logical AND on the tests that you supply to it.
anyof: Performs a logical OR on the tests that you supply to it.
exists: Tests for the presence of the specified header(s).
false: Always evaluates to false.
header: Tests for the presence of a character string in the specified header (does not apply to MIME entity headers). Headers are defined at the following URL: http://www.faqs.org/rfcs/rfc2822.html
not: Takes another test as an argument and yields the opposite result.
size: Tests if a message is over or under the specified size.
true: Always evaluates to true.

The following Sieve test commands have been modified or are new extensions implemented by Symantec Message Filter:

body: This test command searches the body of a message for a string.
envelope: Tests for specified email addresses in the SMTP envelope as described in RFC3028. The Symantec Message Filter implementation also lets you test for the HELO/EHLO domain and the IP address of the computer contacting the server.
mimeheader: This test command searches both normal and MIME headers for a string.

Body
The body test evaluates to true if any line of the body of a message contains any listed key. However, it does not examine MIME headers. The body test examines text MIME attachments but not binary MIME attachments (even if they contain text, such as Microsoft Word .doc files). RFC2822 defines what constitutes the body of an email message. Basically, all text that follows the CR/LF lines that end the header section is the body. For more details, see the following URL: http://www.faqs.org/rfcs/rfc2822.html


The capability string to specify for the body test with require is body.

Syntax: body <comparator> [MATCH-TYPE] <key-list: string>

For example:

require ["body", "sideline"];
if body :contains "top-secret" {
    matched;
    stop;
}

This example tests for "top-secret" in the body of the message. If it is found, the message is handled with the action that is specified for Company-specific Content for the group policy that applies to the recipient.

Envelope
As described in RFC3028, you can use "from" to search the FROM address used in the SMTP MAIL command, and "to" to search the TO address used in the SMTP RCPT command. In addition, Symantec Message Filter provides the following extensions to the envelope command:

helo: Tests the sending domain that is listed in the HELO/EHLO SMTP command that is stored in the envelope.

peerip: Tests the IP address of the SMTP client that contacts the local MTA. The i;ip-mask comparator supports the match types :is and :contains. The following notations are supported for comparison:
Single host: 128.113.213.4
Netmask: 128.113.1.0/255.255.255.0
CIDR: 198.0.0.0/8 (equivalent to 198.0.0.0/255.0.0.0)

The capability string to specify for the envelope test with require is envelope.

Syntax: envelope <comparator> [MATCH-TYPE] <key-list: string>

Unless the Symantec Message Filter software is in communication with an MTA that is deployed at the gateway, the envelope domain or IP address on a message that the envelope test checks may be the internal domain that passed on the message from the email gateway, rather than the Internet address that you might expect.


The envelope information is not usually visible in mail reading programs, such as Outlook.
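The envelope extensions above, worked as an added Python model that is not the product's code: helo is compared with Sieve-style :is, :contains and :matches wildcards, and peerip against the three i;ip-mask notations the page lists. The envelope values are constructed; treating :is and :contains identically for the ip-mask comparator (client address lies within the pattern) is an assumption, and the private-address hint for the gateway caveat is likewise an added heuristic.

```python
import fnmatch
import ipaddress

# Constructed SMTP envelope as the filter engine would see it (not product data).
SAMPLE_ENVELOPE = {
    "from": "bulk@spammer.example",
    "to": "jdoe@symantecexample.com",
    "helo": "mail.spammer.example",
    "peerip": "128.113.213.4",
}


def parse_ip_mask(pattern: str) -> ipaddress.IPv4Network:
    """Parse the three peerip notations the page lists: single host (128.113.213.4),
    address/netmask (128.113.1.0/255.255.255.0) and CIDR (198.0.0.0/8)."""
    if "/" not in pattern:
        return ipaddress.ip_network(pattern)  # single host becomes a /32
    # ipaddress accepts both "/8" and "/255.0.0.0"; strict=False tolerates host bits set.
    return ipaddress.ip_network(pattern, strict=False)


def ip_mask_match(client_ip: str, patterns) -> bool:
    """i;ip-mask comparison: the client address lies within any listed pattern.
    Assumption: :is and :contains behave the same for this comparator."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in parse_ip_mask(p) for p in patterns)


def envelope_test(env: dict, part: str, match_type: str, keys) -> bool:
    """Model of 'envelope <match-type> "<part>" <key-list>' for from, to, helo and peerip."""
    part = part.lower()
    value = env[part]
    if part == "peerip":
        return ip_mask_match(value, keys)
    value = value.lower()  # the default comparator is case-insensitive
    for key in keys:
        key = key.lower()
        if match_type == ":is" and value == key:
            return True
        if match_type == ":contains" and key in value:
            return True
        # :matches uses * and ? wildcards; fnmatch additionally honours [..] classes
        if match_type == ":matches" and fnmatch.fnmatchcase(value, key):
            return True
    return False


def peer_is_internal_relay(client_ip: str) -> bool:
    """Page caveat: without an MTA at the gateway, peerip is often the internal host
    that relayed the message rather than the Internet address. A private address
    is a hint (assumed heuristic) that the value is not the external client."""
    return ipaddress.ip_address(client_ip).is_private
```

Note that the page's sample `envelope :matches "helo" "spammer.com"` carries no wildcard, so it only matches a HELO of exactly spammer.com; a leading "*." is needed to cover sub-domains.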

Mimeheader
The mimeheader test searches for all headers at the beginning of a message as well as MIME headers. This test is particularly helpful to identify the messages that contain executable MIME attachments. It is syntactically identical to the header test. The capability string to specify for the mimeheader test with require is mimeheader.
Syntax: mimeheader <comparator> [MATCH-TYPE] <header-names: string> <key-list: string>

For example:
require ["mimeheader", "sideline"];
if mimeheader :contains "Content-Type" ".jpg.vbs" {
    matched;
    stop;
}

In this example, the MIME header Content-Type contains the substring .jpg.vbs (a Visual Basic script that is renamed to appear to be an image file). The message is handled with the action that is specified for Company-specific Content for the group policy that applies to the recipient. For example:

require ["mimeheader", "sideline"];
if anyof (mimeheader :contains "Content-Disposition" "filename=AnnaKournikova.jpg.vbs",
          mimeheader :contains "Content-Type" "name=AnnaKournikova.jpg.vbs") {
    matched;
    stop;
}

In this example, the filename is checked for both the Content-Disposition and Content-Type headers. If the target filename appears in either header type, the message is handled with the action that is specified for Company-specific Content for the group policy that applies to the recipient. For example:

require ["mimeheader", "sideline"];
if mimeheader :contains "Content-Type" ["video", "audio"] {
    matched;
    stop;
}

In this example, the system handles the messages that contain video or audio type attachments with the action that is specified for Company-specific Content for the group policy that applies to the recipient. Note that MIME types do not have to reflect the actual contents. A video attachment or audio attachment can be sent as application/octet-stream. To successfully block unwanted content, analyze both filenames and media types.
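The inventory this paragraph recommends, as an added Python example that is not product code: it walks a constructed MIME message, takes attachment names from both Content-Disposition filename= and Content-Type name= (the two headers the mimeheader examples test), and flags parts by file extension, by declared media type, and by the media type the file name implies when the part is declared as application/octet-stream. The blocked lists and the sample message are assumptions.

```python
import email
import mimetypes
from email import policy

# Constructed sample message; the attachment bodies are placeholders, not real content.
SAMPLE_MESSAGE = "\r\n".join([
    "From: sender@example.invalid",
    "To: jdoe@symantecexample.com",
    "Subject: files",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "see attached",
    "--b1",
    'Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"',
    "",
    "placeholder, not a script",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="clip.avi"',
    "",
    "placeholder, not video data",
    "--b1--",
    "",
])

BLOCKED_EXTENSIONS = (".vbs", ".exe", ".scr")    # assumed site policy
BLOCKED_MEDIA_PREFIXES = ("video/", "audio/")    # as in the page's mimeheader example


def attachment_inventory(raw_message: str):
    """Return (declared media type, file name) for every non-multipart part.
    get_filename() reads Content-Disposition filename= first, then Content-Type name=,
    so both headers the page tests are covered."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [(part.get_content_type(), part.get_filename())
            for part in msg.walk() if not part.is_multipart()]


def flag_risky(inventory, blocked_exts=BLOCKED_EXTENSIONS, blocked_media=BLOCKED_MEDIA_PREFIXES):
    """Flag parts by file name and by media type, whether declared or implied by the name."""
    flags = []
    for media_type, name in inventory:
        lowered = (name or "").lower()
        if lowered.endswith(blocked_exts):
            flags.append((name, "blocked extension"))
        # A video or audio file can be declared as application/octet-stream; in that
        # case fall back to the type the file name implies.
        effective = media_type
        if media_type == "application/octet-stream" and name:
            effective = mimetypes.guess_type(name)[0] or media_type
        if effective.startswith(blocked_media):
            flags.append((name, "blocked media type " + effective))
    return flags


if __name__ == "__main__":
    for name, reason in flag_risky(attachment_inventory(SAMPLE_MESSAGE)):
        print(f"{name}: {reason}")
```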

About Sieve action precedence


When a Sieve script runs, it can combine multiple actions. However, only the action with the highest precedence is applied to the message. When the actions are combined, the supported Sieve actions behave as follows (in the order of precedence):

matched: If the execution of a script results in both matched and keep, the keep is ignored.
keep: If the execution of the script results in no actions, a keep is performed.
custom: A custom action takes precedence over matched and keep. Only one custom Sieve action is returned at a time.

Sample Sieve scripts


Following are examples of Sieve scripts that you can use for a variety of tasks. The action that is taken on matching messages depends on the policies that you have in place for content filters.


Intercept adult content


This example detects potentially offensive content. A longer version of this sample Sieve script is in the following location:
Linux or Solaris: /opt/symantec/sbas/Scanner/etc/sieve_adult.sample
Windows: C:\Program Files\Brightmail\etc\sieve_adult.txt

A sample email message that you can send through your email server to test this script can be found at the following location:
Linux and Solaris: /opt/symantec/sbas/Scanner/etc/tests/sieve.adult.msg
Windows: C:\Program Files\Brightmail\etc\tests\sieve.adult.msg

Note: Both files contain obscene language.


#
# filter adult content
#
require ["body", "sideline"];

# filter based on sender
if header :contains "from" "porn king" {
    matched;
    stop;
}

# filter based on subject
if header :contains "subject" "hot pics" {
    matched;
    stop;
}
if header :contains "subject" "adults only" {
    matched;
    stop;
}

# filter using wildcards
if body :matches "*mailto*@btamail.net*" {
    matched;
    stop;
}

# filter based on domain names and URLs
if body :contains "worldwidewebhost" {
    matched;
    stop;
}
if body :contains "www.netmails.com/members" {
    matched;
    stop;
}

# filter based on body text
if body :contains "hot girls" {
    matched;
    stop;
}

# look for combination of suspicious words in subject header
if allof (
    anyof (
        header :contains "subject" " hot",
        header :contains "subject" "sexy"
    ),
    anyof (
        header :contains "subject" "girls",
        header :contains "subject" "women"
    ))
{
    matched;
    stop;
}

Set a size limit on inbound mail


This example detects any email message larger than one megabyte.
require "sideline";
if size :over 1M {
    matched;
    stop;
}

Intercept chain letters


This example detects a specific chain letter.
# catch chain letters
require "sideline";
if anyof (header :is "Subject" "DO NOT DELETE!! THIS REALLY WORKS!!!!",
          header :is "Subject" "RE: DO NOT DELETE!! THIS REALLY WORKS!!!!") {
    matched;
    stop;
}

Intercept a particular virus


This example detects the Anna Kournikova virus.
# catch the kournikova virus
require ["mimeheader", "sideline"];
if anyof (mimeheader :contains "Content-Disposition" "filename=AnnaKournikova.jpg.vbs",
          mimeheader :contains "Content-Type" "name=AnnaKournikova.jpg.vbs") {
    matched;
    stop;
}

Intercept greeting cards


This example detects messages from the domain bmarts.com, a source of greeting cards.

# catch greeting cards
require "sideline";
if header :contains "Received" "bmarts.com" {
    matched;
    stop;
}

Intercept senders that are based on the HELO domain


You can create custom filters that test the results of the HELO domain API call. The HELO/EHLO domain is available through the envelope helo data.

require ["envelope", "sideline"];
if envelope :matches "helo" "spammer.com" {
    matched;
    stop;
}

Appendix

Editing virus notification messages


This appendix includes the following topics:

About virus notification messages
About customizing the cleaner notification file
About the cleaner notification file listing

About virus notification messages


Whenever the Symantec Message Filter sidelines and processes a message for virus cleaning, it extracts the appropriate text from an XML file. It creates an advisory message (that you can customize) that informs the recipient of the action taken. Symantec Message Filter then inserts the original message as an attachment to the advisory message. This method ensures that the advisory message is always presented to the user, and that the original message is included unless it is deleted as uncleanable.

About customizing the cleaner notification file


You can edit the Notification.xml file to customize the advisory text that Symantec Message Filter uses. The file is located in the following location:
Linux and Solaris: /opt/symantec/sbas/Scanner/etc/Notification.xml
Windows: C:\Program Files\Brightmail\etc\Notification.xml


At the beginning of Notification.xml, you can change the character set and content transfer encoding to use for the advisory messages. By default, Symantec Message Filter software uses the US-ASCII character set and 7-bit encoding to send the advisory text in the XML notification template. Notification.xml includes the following tags: <char-set> and <content-transfer-encoding>. You can edit these tags to specify a different character set or content encoding for AntiVirus Cleaner notification messages. For example, to use the Latin 2 character set (ISO 8859-2), which contains characters for 15 Eastern European languages, you would edit these tags to appear as follows:
<char-set>"ISO-8859-2"</char-set>
<content-transfer-encoding>"8bit"</content-transfer-encoding>

You may also want to provide more or less detail in these notifications, depending on your audience. In the XML file, each notification message is constructed with an <advisory> element. Each <advisory>element contains a block of information, depending on the disposition of the message. For example, after Symantec Message Filter successfully cleans a message, it retrieves text from the cleaned_sentence advisory as shown in the following excerpt from the XML file:
<advisory name="cleaned_sentence">

<text><t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been cleaned.</text>

</advisory>

When you make changes to the XML file, modify only the customizable text. If you adjust the placement of the variable tags that are identified by the <t> tag, ensure that you do not change the values of the tokens within the tag. Do not modify any other tags or structures. For example, to make changes to the text Symantec Message Filter inserts for cleaned messages, only edit the boldface text, as shown in the following example:

<advisory name="cleaned_sentence">
<text><t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been cleaned.</text>
</advisory>

See About the cleaner notification file listing on page 385.

About the cleaner notification file listing


This section shows the full contents of the cleaner notification Notification.xml file, which contains text for notifications that the Cleaner issues as it sidelines messages and processes messages. You can modify certain text in <advisory> elements. See About customizing the cleaner notification file on page 383.
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE advisory-list SYSTEM "AdvisoryStore.dtd">

<!-- @version: -->

<advisory-list char-set="us-ascii" content-transfer-encoding="7bit">

<!-- The following eleven notifications are the new v2 notification scheme. -->

<advisory name="cleaned_sentence">
<text><t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been cleaned.</text>
</advisory>

<advisory name="deleted_cant_clean_sentence">
<text><t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been deleted because the file cannot be cleaned.</text>
</advisory>

<advisory name="deleted_cant_replace_sentence">
<text><t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been deleted because the Symantec decomposer cannot modify its container.</text>
</advisory>

<advisory name="deleted_too_large_sentence">
<text><t name="file_name"/> was deleted because it is too large.</text>
</advisory>

<advisory name="deleted_cant_rebuild_sentence">
<text><t name="file_name"/> was deleted because the Symantec decomposer cannot rebuild its container.</text>
</advisory>

<advisory name="virus_still_there_sentence">
<text><t name="file_name"/> is still infected with the malicious virus <t name="virus_name"/> because the Symantec decomposer cannot modify its container.</text>
</advisory>

<advisory name="cant_scan_container_corrupted_sentence">
<text>The container <t name="file_name"/> was not scanned because it is corrupted (Symantec decomposer reports <t name="error"/>). If you are able to open it, use caution when doing so as it may contain files with viruses.</text>
</advisory>

<advisory name="cant_scan_oless_corrupted_sentence">
<text>The Microsoft document <t name="file_name"/> was not scanned because it is corrupted (Symantec decomposer reports <t name="error"/>). If you are able to open it, use caution when doing so as it may contain embedded files with viruses.</text>
</advisory>

<advisory name="cant_scan_encrypted_sentence">
<text><t name="file_name"/> was not scanned for viruses because it is encrypted.</text>
</advisory>

<advisory name="cant_scan_too_large_sentence">
<text><t name="file_name"/> was not scanned for viruses because it is too large.</text>
</advisory>

<advisory name="scan_error_sentence">
<text><t name="file_name"/> was not scanned for viruses because of the error: <t name="error"/></text>
</advisory>

<!-- The following two notification sentences are for the old v1 notification scheme. We have replaced it with the newer v2 notification scheme because the notices are more granular. NOTE: cleaned_sentence is still used in v2, so it is not included here. -->

<advisory name="deleted_sentence">
<text><t name="file_name"/> was infected with the malicious virus <t name="virus_name"/>, but was unable to be cleaned, and has been removed.</text>
</advisory>

<advisory name="error_sentence">
<text><t name="file_name"/> is believed to be infected, but the condition cannot be confirmed, or the file cannot be disinfected. It is recommended that you DO NOT open the file without first checking with your system administrator and/or the sender.</text>
</advisory>

<advisory name="rcpt_text">
<text>This message has been processed by Brightmail(r) AntiVirus using Symantec's AntiVirus Technology.

<t name="file_actions"/>

For more information on antivirus tips and technology, visit http://www.brightmail.com/antivirus .
</text>
</advisory>

<advisory name="rcpt_html">
<text>
<![CDATA[
<HTML>
<BODY>
<P>
This message has been processed by Brightmail&#174; AntiVirus using<BR>
Symantec's AntiVirus Technology.<BR>
<BR>
<PRE>
]]>
<t name="file_actions"/>
<![CDATA[
</PRE>
<BR>
For more information on antivirus tips and technology, visit <A HREF="http://www.brightmail.com/antivirus"> http://www.brightmail.com/antivirus</A>.
</P>
</BODY>
</HTML>
]]>
</text>
</advisory>

<advisory name="error_text">
<text>ERROR_TEXT: During the processing of this email an error occurred. For more information please contact your Symantec(r) representative.
</text>
</advisory>

<advisory name="error_html">
<text>
<![CDATA[
<HTML>
<BODY>
<P>ERROR_HTML: During the processing of this email an error occurred. For more information please contact your Symantec&#174; representative.<BR>
<BR>
<BR>
</P>
</BODY>
</HTML>
]]>
</text>
</advisory>

<advisory name="sender_text">
<text>
The message you sent has been processed by Brightmail(r) AntiVirus using Symantec's AntiVirus Technology.

<t name="file_actions"/>

You may want to install or update antivirus software on your computer.

For more information on antivirus tips and technology, visit http://www.brightmail.com/antivirus

Headers of infected message:

<t name="message_headers"/>

</text>
</advisory>

<advisory name="sender_html">
<text>
<![CDATA[
<HTML>
<BODY>
<P>
The message you sent has been processed by <b>Brightmail&#174; AntiVirus</b><BR>
using Symantec's AntiVirus Technology.<BR>
<BR>
<PRE>
]]>
<t name="file_actions"/>
<![CDATA[
</PRE>
<BR>You may want to install or update antivirus software on your computer.<br>
For more information on antivirus tips and technology, visit <A HREF="http://www.brightmail.com/antivirus"> http://www.brightmail.com/antivirus</A>.<BR>
<BR>
</P>

<p> Headers of infected message:

<PRE>
]]>

<t name="message_headers"/>

<![CDATA[
</PRE>

</BODY>
</HTML>
]]>

</text>
</advisory>

</advisory-list>


Index


A
Accessing Quarantine 264 Active Directory configuration for Quarantine 253 Add administrators 347 Brightmail Scanner 348 group policy 243 new member to group policy 243 senders to your allowed senders list 315 senders to your Blocked Senders List 313 Adjusting spam scoring 320 Administering Quarantine 285 Administrator add 347 message details page 264 message list page 264 Administrator-only Quarantine access 275 Adult content interception 379 Alerts, setting up event-based 368 Allowed and Blocked Senders lists about 311 reasons to use Blocked Senders 313 Anti-Virus 34 Antivirus definitions 342 Attachments 272 Automatic expansion of subdomains 309

B
Backing up MySQL data 119 Body command 375 Brightmail AntiSpam identifies senders and connections 309 starting 352 stopping 352 Brightmail Client 33
Brightmail Control Center getting started 347 operating system compatibility 50 processes, services 50 reinstalling on UNIX 71 Brightmail Reputation Service 319 Brightmail Scanner about 347 delete 351 disabling 351 editing configuration 350 enabling 351 managing 347 status information 351 testing 350 viewing status 351 Brightmail Server 33 Brightmaillog.log 288 Procedure to enable data tracking for reports 300

C
Chain letter interception 381 Checking Quarantine error log 288 Quarantine postmaster mailbox 287 software versions 369 status of the MySQL database 118 Checking for port availability via TCP/IP 50 Choosing data to track 300 notification format 280 Cleaner notification file customization 383 Cleaner notification file listing 385 Compatibility, Quarantine/LDAP 50 Components, about 347 Configure anti-virus filtering 325 Brightmail Clients 350 deleting unresolved email setting 281 global catalog to work With quarantine 257


Configure (continued) login help 282 messages Per Page in Quarantine 282 Quarantine for Active Directory 253 Quarantine for administrator-only access 275 Quarantine for Exchange 5.5 264 Quarantine for iPlanet/Sun ONE/Java Directory 258 Quarantine port for incoming SMTP email 284 Quarantine settings 266 recipients for misidentified messages 281 spam scoring 320 user and distribution list notification digests 276 Configuring Sendmail for the Brightmail Filter via m4 227 via Sendmail Switch 225 via sendmail.cf 226 Connections from server to client 350 Create conditions in custom filters 333 custom filters 325 new group policy 243 reports 295 Custom filtering details about 334 disabling 334 editing 331 enabling 334 importing a custom filters file 334 samples 334 Customizing Brightmail Reputation Service 319 Cleaner notification file 383 filtering at your site 307

D
Data backup MySQL 119 Decoding headers 372 Define filtering actions for new group policy 244 Definitions LiveUpdate 342 Delete all Quarantine messages 270 Brightmail Scanners 351 filters 333 group policy 244
Delete (continued) group policy member 244 individual Quarantine messages 270 senders from lists 316 unresolved email setting 281 Delivering messages to Quarantine from the Brightmail Server 275 Deployment at email server 32 gateway 27 Determining filter order 333 fully qualified domain names on Windows 256 netbios names on Windows 256 Differences between the administrator and user message list pages 263 between the administrator and user message pages 266 between the administrator and user search pages 269 Disable Brightmail Scanners 351 filters 334 group policy 244 senders 317 Disk space maintenance 118 Displaying full or brief headers 272 Does not match test 330 Domain names, Windows 256 Duplicate messages in Quarantine 292

E
Edit Brightmail Scanner configuration 350 existing group policy 244 filters 333 senders 316 Enable Brightmail Scanners 351 data tracking for reports 300 filters 334 group policy 243 notification for distribution lists 279 senders 317 Encoded headers decoded 372 Envelope command 376 Error in Quarantine log file from no disk space or full work directory 291


Error in Quarantine log file from very large spam messages 290 Export group policy members to file 244 Export sender information 319

F
Facilities settings 366 File containing Sieve filters 373 Filter order determination 333 Filtering testing 78 Filtering, third party 34, 41 Firewall Settings 38 Frequency of digest notification 277

Insertion host specification 355 Intercept adult content 379 chain letters 381 greeting cards 382 MIME type 337 sender or recipient 336 senders, based on the HELO domain 382 specified virus 381 Internal IP address specification 355 Internal mail host addresses 357 iPlanet/Sun ONE directory server access 258

J
JLU 182 updating virus definitions 342

G
Global catalog configuration 257 Graphics appear as gray rectangles 266, 272 Greeting card interception 382 Group policy add 243 delete 244 delete a member from 244 disable 244 edit existing 244 enable 243 managing 244

L
LDAP server alternate access 250 server configuration 249 LDAP Compatibility 249 LDAP for Quarantine, compatibility 50 License file Windows 69 LiveUpdate log 182 program elements 182 updating virus definitions 339, 342 Log Increasing amount of logging information in Brightmaillog.log 288 LiveUpdate 182 modifying settings 364 Quarantine error log, Checking 288 saving 365 view for Brightmail Scanner 365 viewing 365 working with 362 Logical connections and internal mail servers, non-Gateway Deployments 309 Login problems 290 Login steps 347 Logout steps 90

H
Header decoding 372 Header, displaying full or brief 272 Helo domain 382 Hosts, about 347 http://docs.sun.com/app/docs/coll/1312.2 134 http://docs.sun.com/source/819-3714/index.html#wp35446 134 http://www.postfix.org/MILTER_README.html#smtp-only-milters 76 http://www.sun.com/blueprints/0806/819-7663.pdf 134 http://www.sun.com/blueprints/1006/820-0132.html 134

I
Import custom filters file 334 group policy members from file 243 sender information 317

M
Maintenance disk space 118


Maintenance (continued) system 369 Maintenance of the system, periodic 369 Manage group policies 241, 244 Scanners, hosts and components 347 Match and Does Not Match tests 330 Maximum number of Quarantine messages 293 Message "the operation could not be performed" is displayed 289 details page 271 interception based on MIME type 337 interception based on sender/recipient 336 list page 269 list page details 271 Message audit log 362 bmserver log 364 event log 364 syslog 364 Message filtering, testing 78 MIME-based message interception 337 Mimeheader command 377 Modifying log settings 364 MX Records 42 MySQL checking version 107 configuring 107 data backup 119 database status 118 repairing database 107

N
Navigating through messages 266, 270-271 Nesting if-then statements 372 Netbios names on Windows 256 Notification for distribution lists/aliases 276

O
Operating system compatibility, Brightmail Control Center 50

P
Periodic system maintenance 369 Ports 38, 50 Printing reports 302 Procedure to add an administrator 354

Procedure to (continued) add email addresses, domains, and third-party lists to Allowed Senders list 315 add email addresses, domains, and third-party lists to your Blocked Senders list 314 adjust the spam score for suspected spam 321 change the notification digest frequency 277 change the order by which filters are checked 333 choose a notification format 280 configure AntiVirus filtering 325 configure Quarantine for administrator-only access 275 configure Quarantine to access Active Directory 253 configure Quarantine to access an alternate LDAP Server 250 configure Quarantine to access iPlanet/Sun ONE Directory Server 258 configure recipients for misidentified message submissions 281 configure the Brightmail Server 349 create a new group policy 243 create custom filters 332 define filtering actions for new group policy 244 delete a Brightmail Scanner 351 delete a filter from the list 333 delete a group policy 244 delete a group policy member 244 delete a scheduled report 304 delete senders from your Blocked Senders list or Allowed Senders list 316 deliver messages to Quarantine 275 determine the NetBIOS name for your Active Directory domains 257 disable a group policy 244 display messages sent to the postmaster mailbox 287 edit a Brightmail Scanner 350 edit a filter in the list 333 edit a scheduled report 304 edit an existing group policy 244 edit senders in Blocked or Allowed Senders list 316 edit the notification templates, digest subject, and send from address 278 enable a group policy 243 enable or disable a Brightmail Scanner 351 enable or disable filters in custom filters list 334


Procedure to (continued) enable or disable senders from your lists 317 export group policy members to a file 244 export sender information from Blocked Senders or Allowed Senders list 319 grant permission to the current domain controller 257 import a custom filters file 334 import group policy members from a file 243 import sender information from allowedblockedlist.txt file 319 modify contents of existing login help page 283 modify log settings for a Brightmail Scanner 364 replicate the NCName attribute to the Global Catalog with Active Directory Schema snap-in 257 run a report 301 save a report 302 schedule a report 303 select lists in Brightmail Reputation Service 320 set group policy precedence 244 set the number of messages displayed per page 282 set the Quarantine Message Retention Period 282 set up a Brightmail Scanner 349 set up alerts 369 set up Brightmail Server connections for Brightmail Clients 350 specify a custom Login help page 283 specify how long Brightmail AntiSpam saves report data 300 specify Quarantine message and size thresholds 285 specify the addresses for internal mail hosts 357 specify the components to enable on a Brightmail Scanner 349 specify the insertion host for a Brightmail Scanner 355 start Quarantine processes on UNIX 286 start Quarantine services on Windows 287 stop Quarantine processes on UNIX 286 stop Quarantine services on Windows 287 test a Brightmail Scanner 350 view group policy information for user or domain 244 view the status of Brightmail Scanners and components 352

Q
Quarantine access administrator-only configuration 275 administrator-only access 275 configuration for Active Directory 253 distribution lists and aliases 276 duplicate messages 292 for Exchange 5.5 configuration 264 for iPlanet/Sun ONE/Java Directory Server configuration 258 global catalog configuration 257 LDAP compatibility 50 LDAP for end user access 249 LDAP Server alternate access 250 log file error for no disk or directory space 291 log file error from very large spam messages 290 message navigation 266, 270-271 message redelivery 269 message retention, setting 282 message sorting 269 messages per page configuration 282 messages, maximum allowed 293 port for SMTP email configuration 284 searching details 268, 273 set up delivery of messages to Quarantine 80 size and message thresholds 284 Stopping and Starting 285 testing spam filtering to Quarantine 79 thresholds 285

R
Rapid Release definitions 339, 344
Rapid Response updates 344
Redelivering misidentified messages 269, 271
Registering Symantec Brightmail AntiSpam Windows 69
Reinstalling Brightmail Control Center on UNIX 71
Report
  available types 295
  creating 295
  data tracking 300
  deletion 304
  editing scheduled report 304
  enable data tracking 300
  presentation 302
  printing 302
  retention 300

398

Index

Report (continued)
  run 301
  save 302
  schedule 303
  troubleshooting report generation 301
Reputation Service customization 319
Returning to the message list 266
Run report 301

S
Sample custom filters 334
Saving reports 302
Scheduling reports 303
Search, details 268, 273
Searching
  "From" Headers 273
  Message ID header 273
  messages 266, 270, 272
  subject headers 273
  using Multiple Characteristics 273
  using Time Range 273
Selecting the notification digest format 279
Sender interception 382
sender reputation service 123
Senders
  disabling 317
  enabling 317
Sendmail
  configuring for Brightmail Filter with m4 227
  configuring for Brightmail Filter with sendmail.cf 226
Sendmail Switch 223
Sendmail Switch, enable for Brightmail Filter 225
serial numbers, licensing 357
Server connections for Clients 350
Set
  alerts 369
  Brightmail Scanners 348
  event-based alerts 368
  group policy precedence 244
  Quarantine message retention period 282
  retention period for reporting data 300
  size limit on incoming mail 381
Settings, available 325
Sieve
  Action commands 374

Sieve (continued)
  action Precedence 378
  changing the filters file 372
  execution termination 372
  filters file Location 373
  implementation details 372
  manually edited filters 372
  statement nesting 372
  supported commands 373
  Test Commands 374
Sieve commands
  Body 375
  Envelope 376
  Mimeheader 377
SMTP insertion host specification 355
Software compatibility, Quarantine/LDAP 50
Software versions 369
Sorting messages 269
Spam filtering, testing 78
Specifying
  Allowed and Blocked Senders 308
  internal mail hosts 355
  Quarantine message and size thresholds 284
  SMTP insertion host 354
Starting and stopping Brightmail AntiSpam 352
Starting and stopping Quarantine 285
Status
  MySQL database 118
Subdomain expansion 309
Sun ONE directory server access 258
Supported methods for identifying senders 309
Supported sieve commands 373
Symantec Brightmail AntiSpam
  Registering on Windows 69
Syslog settings 366
Syslog.conf file 366
System maintenance 369

T
TCP/IP Ports 50
Terminate execution promptly 372
Testing
  anti-virus filtering 78
  delivery of legitimate mail 77
  spam filtering 78
  spam filtering to Quarantine 79
  spam filtering with subject line modification 78
Testing Brightmail Scanners 350


Tests for matching 330
Threshold specification for Quarantine 285
Tomcat
  configuring 107
Tracking report data 300
Troubleshooting
  login problems 135
  Quarantine 289
  report generation 301

U
Undeliverable Quarantined messages 291
Upgrading Brightmail Control Center 72

V
Verifying
  Brightmail Scanner installation 73
  normal delivery 77
  spam filtering 78
  spam filtering to Quarantine 79
Version, how to check 369
View
  Brightmail Scanner logs 365
  group policy information for user or domain group policy 244
  messages 269
  status of Brightmail Scanners and components 351
Viewing and saving logs 365
Virus interception 381

W
White space 372

X
X-Headers 41
