Mailing List

By Joining the mailing list you will be notified of site updates.

Show Your Support For
This Site By Donating:

Audience: Network Admins
Last Updated: 7/30/2015 2:14:14 AM
**All times are EST**

Juniper SRX anti-spam filtering config

By Erik Rodriguez

Tags: Juniper SRX anti-spam, JunOS spam filtering, SRX spam blocking, Juniper UTM spam filter

This article provides information on enabling the UTM Anti-spam feature for the SRX firewalls.

Problem

You would like to add the UTM anti-spam protection on your SRX firewall.

Procedure

Here is how you configure the anti-spam feature on the SRX provided you have a valid or trial anti_spam_key_sbl license. Here you can see that I have 30-day (trial) license installed:

root@srx1# run show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  anti_spam_key_sbl                     1            1           0    2015-08-19 20:00:00 EDT
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         1            2           0    permanent
  logical-system                        0            1           0    permanent

The following configuration will enable the spam-block-list (sbl) from sophos labs. It will check all incoming SMTP connections against the continually updating list. If detected, it will simply block the connection and no messages will be accepted. In addition, messages accepted will also be scanned against certain signatures to further identify SPAM content. You have the ability to tag the message subject or block it. By tagging, a custom prefix of your choice will be appended to the message subject.
First we need to enable the utm anti-spam feature. The items in red are user-specific:



set security utm feature-profile anti-spam sbl profile local-profile sbl-default-server
set security utm feature-profile anti-spam sbl profile local-profile spam-action tag-subject
set security utm feature-profile anti-spam sbl profile local-profile custom-tag-string **SPAM**
set security utm utm-policy spam-block anti-spam smtp-profile local-profile

The commands above will enable the UTM anti-spam and check the sbl list located at msgsecurity.juniper.net. Notice the spam-block policy that will be referenced by the security policy.
Next, we need to apply the UTM spam-block policy to the security policy which allows SMTP traffic to the actual mail server. Here you can see my security policy pointing to an Exchange server. The commands in green add the UTM policy:


root@srx1# show security policies from-zone untrust to-zone trust policy EX25   
match {
    source-address any;
    destination-address EX;
    application junos-smtp;
}
then {
    permit {
        application-services {
            utm-policy spam-block;
        }
    }
}

Here is the command line reference:



set security policies from-zone untrust to-zone trust policy EX25 match source-address any
set security policies from-zone untrust to-zone trust policy EX25 match destination-address EX
set security policies from-zone untrust to-zone trust policy EX25 match application junos-smtp
set security policies from-zone untrust to-zone trust policy EX25 then permit application-services utm-policy spam-block

Last, check the following status and statistics to verify correct operation:


root@srx1# run show security utm anti-spam status    
SBL Whitelist Server:
SBL Blacklist Server:
    msgsecurity.juniper.net

DNS Server:
    Primary  :          8.8.8.8, Src Interface: ge-0/0/0
    Secondary:          4.2.2.2, Src Interface: ge-0/0/1
    Ternary  :          0.0.0.0, Src Interface: fe-0/0/2

Notice the SBL server address. Here is interesting look at that UTM working:


root@srx1# run show security utm anti-spam statistics 
 UTM Anti Spam statistics: 

Total connections:     16224 
Denied connections:    11314
Total greetings:       4832
Denied greetings:      0
Total e-mail scanned:  5155
White list hit:        0
Black list hit:        0
Spam total:            26
Spam tagged:           26
Spam dropped:          0
DNS errors:            0
Timeout errors:        0
Return errors:         0
Invalid parameter errors: 0

Statistics start time: 07/22/2015 02:20:11
Statistics for the last 10 days (permitted emails / spams):
day 1: 329/0
day 2: 1076/0
day 3: 459/0
day 4: 303/0
day 5: 232/0
day 6: 658/0
day 7: 737/0
day 8: 829/0

Notice that 26 email messages had their subjects apended with **SPAM** while 11,314 connections were blocked because they were found on the SBL. The number of "spams" per day will only increment if you are tagging. If you are blocking, the then "Denied connections" will increment but not both at the same time.

Conclusion

While this isn't the "best" method of anti-spam, it does a decent job of keeping most of the crap out of your inbox. In addition, this method is generally cheaper than cloud-filtering services as there are no per-mailbox limits.