Symantec Mail Security Handling of Open Proxy Spam

This story is about an unexpected behavior in Symantec Mail Security for SMTP (version 5.0.1) and how to access the double-secret advanced settings in the admin console.

To explain: As with any mail server, our postmaster address gets a tremendous volume of spam. I’m not sure why we’ve got all of our mail server administrators receiving the email to postmaster – maybe it’s because on our Lotus Domino server the postmaster address and the Domino admin address go to the same place? I don’t know; I’m not a Domino admin, but firewall and antivirus administration are part of my job duties. Anyway, the volume of spam dumping into all of our Domino admins’ mailboxes has gotten bad enough that they asked me to start rejecting everything sent to postmaster. That’s probably not Best Practices . . . but I understand why they’re asking for it.

We use Symantec Mail Security for SMTP (5.0.1) to block viruses and spam before it hits Domino. SMS lets you set up compliance policies based on syntax-matching rules, so I set up a compliance policy to automatically quarantine any email with our postmaster address in the recipient field. This reduced the amount of spam, but curiously, did not completely stop it. So I investigated.

[Screenshot: msg_tracking]

SMS applies filter rules in order, and apparently some rules are applied before my new ‘postmaster’ compliance policy. If a message matches the Open Proxy filter, then the actions defined for that filter get applied instead. Which, in this case, seemed to be ‘Send a bounce message, Delete the message’. And for messages where the spammer had forged the sender’s address and used our postmaster’s address for it, the bounce notifications sent by our own SMS server were still getting sent to postmaster.
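To make the ordering problem concrete, here is a small added example (my own illustration, not code from the original post and not SMS’s actual configuration format) that models a first-match filter chain the way the message tracking report describes it. The rule names, actions, open-proxy IPs and sample messages are all constructed. It shows why an early rule whose action is ‘Send a bounce message, Delete the message’ produces backscatter to a forged sender address, and how much of that lands on postmaster before and after the open-proxy action is changed to a plain delete, which is the effect the Advanced Attributes change described later in the post has.

```python
# Added example (not from the original post): a minimal model of ordered,
# first-match mail filtering. It shows why an earlier rule's "bounce + delete"
# action sends backscatter to a forged envelope sender even though a later
# compliance policy would have quarantined the same message. Rule names,
# actions, addresses and IPs are constructed for illustration and are not
# SMS's real configuration format.

from dataclasses import dataclass, field
from typing import Callable, Dict, List

POSTMASTER = "postmaster@example.com"   # constructed address


@dataclass
class Message:
    sender: str        # envelope sender (MAIL FROM), freely forged by spammers
    recipient: str
    source_ip: str


@dataclass
class Rule:
    name: str
    matches: Callable[[Message], bool]
    action: str        # "bounce_delete", "delete" or "quarantine"


@dataclass
class Outcome:
    disposition: Dict[str, int] = field(default_factory=dict)  # rule name -> count
    backscatter: List[str] = field(default_factory=list)       # bounce recipients


def run_pipeline(rules: List[Rule], messages: List[Message]) -> Outcome:
    """Apply rules in order; the first matching rule's action wins."""
    result = Outcome()
    for msg in messages:
        for rule in rules:
            if rule.matches(msg):
                result.disposition[rule.name] = result.disposition.get(rule.name, 0) + 1
                if rule.action == "bounce_delete":
                    # A bounce is addressed to the envelope sender. When that
                    # address was forged, the bounce hits an innocent third
                    # party instead of the spammer: backscatter.
                    result.backscatter.append(msg.sender)
                break
        else:
            # No rule matched, so the message is delivered normally.
            result.disposition["delivered"] = result.disposition.get("delivered", 0) + 1
    return result


# Constructed sample data: a tiny open-proxy list and a handful of messages.
OPEN_PROXIES = {"198.51.100.7", "203.0.113.9"}


def open_proxy_match(msg: Message) -> bool:
    return msg.source_ip in OPEN_PROXIES


def postmaster_recipient(msg: Message) -> bool:
    return msg.recipient.lower() == POSTMASTER


SAMPLE = [
    Message(POSTMASTER, POSTMASTER, "198.51.100.7"),          # forged sender, proxy source
    Message(POSTMASTER, "alice@example.com", "203.0.113.9"),  # forged sender, proxy source
    Message("joe@example.net", POSTMASTER, "192.0.2.44"),     # legitimate mail to postmaster
    Message("bob@example.org", "alice@example.com", "192.0.2.45"),
]


def rules_with_bounce() -> List[Rule]:
    """The problematic ordering: open-proxy hits are bounced before the
    postmaster compliance policy ever sees them."""
    return [
        Rule("Open Proxy List", open_proxy_match, "bounce_delete"),
        Rule("Postmaster compliance", postmaster_recipient, "quarantine"),
    ]


def rules_without_bounce() -> List[Rule]:
    """Same ordering, but open-proxy hits are silently deleted, so no
    bounce is ever generated toward a forged sender."""
    return [
        Rule("Open Proxy List", open_proxy_match, "delete"),
        Rule("Postmaster compliance", postmaster_recipient, "quarantine"),
    ]


def backscatter_to_postmaster(rules: List[Rule]) -> int:
    """Number of bounce notifications that would land in postmaster's mailbox."""
    return run_pipeline(rules, SAMPLE).backscatter.count(POSTMASTER)


if __name__ == "__main__":
    print("bounce+delete:", backscatter_to_postmaster(rules_with_bounce()))
    print("delete only:  ", backscatter_to_postmaster(rules_without_bounce()))
```

Note that the compliance policy is identical in both configurations; the only thing that changes is the action taken by the rule that matches first. That is the general lesson the report illustrates: when a filter chain is first-match, any rule above yours decides the fate of the messages it catches, and a bounce action anywhere in that chain is a backscatter source as long as the envelope sender can be forged.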

Well, that behavior should be configurable, shouldn’t it? I went looking for where to configure the Open Proxy List filter. Under Policies, in Sender Groups, I found two groups that might be what the message tracking report was showing as ‘Open Proxy List’. The most obvious was the one named Open Proxy Senders, but I reasoned that Blocked Senders (Third Party Services) might also apply, since that’s where our DNS black lists are specified. But neither of these groups was configured to ‘Send a bounce message, Delete the message’.

[Screenshot: sender_groups]

At this point, I called Symantec tech support, and here’s where the case started to get interesting. As it turns out, Symantec provides their own open proxy list, separate from the DNSBLs that customers can add. And by default, the product’s behavior for messages that match the Symantec-supplied list is not configurable by the end user. I absolutely hate when developers design in features that are deliberately not configurable in the UI. That’s so . . . Microsoft.

Evidently, someone else had already stumbled across this problem before me, because a recent patch to SMS had added a control to the admin console to let you adjust this behavior. Good! But guess where you find it?

The Symantec tech instructed me to go to Settings. Then she had me click on some white space on the side of the screen – making sure that no buttons or text fields had focus. Then she had me hit Shift+A. This opens a secret Advanced Attributes view. As far as the tech could tell me, this secret settings screen is not documented in any of the end user guides, probably because, like editing the Windows registry, if you don’t understand what you’re doing, changing any of these settings can break Symantec Mail Security.

That said, it still irks me that there are a lot of undocumented or unconfigurable aspects of this product. I think that it would save Symantec a lot of calls if they were willing to put the knowledge and the power to fix things in the hands of the email admins who use SMS. At least then you’d know it was your own fault when you broke the server.

[Screenshot: advanced_settings]

Here at the bottom of the Advanced Attributes screen, somewhat obscurely labeled ‘Static Firewall Backup’, is the setting that should change the behavior for handling Open Proxy List messages.

And here’s another report from later in the day, showing that the policy change worked.

[Screenshot: sms_test]

#advanced-settings, #open-proxy-list, #secret-settings, #symantec-mail-security-for-smtp