This article provides information on how to set up the UTM (Unified Threat Management) Anti-Spam feature.
Configuration example of the UTM (Unified Threat Management) Anti-Spam feature.
Note: At this time, the Anti-Spam feature is supported only for the SMTP protocol.
For more information on Anti-Spam, refer to the technical documentation, Security Features from the Junos OS Security Configuration Guide.
There are three steps to setting up the Anti-Spam feature:
- Define Custom Objects
- Define the feature profile and UTM policy, which will be attached to the feature profile
- Apply the UTM policy to the Security Policy as an application service
In this example, the default server based URL categories and lists are not being used; instead custom categories are defined.
Check for License
Before you begin the configuration, confirm that the UTM Anti-Spam license is installed. Run the following command, and look for anti_spam_key_sbl:
root@SRX-220> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     x            x           x    x days

Licenses installed:
  License identifier: JUNOS300005      <---Anti-Spam License Key
  License version: 2
  Valid for device: AQ0900000016       <---SRX Serial No
  Features:
    anti_spam_key_sbl - Anti-Spam
      date-based, 2011-05-12 08:00:00 GMT-8 - 2011-06-11 08:00:00 GMT-8
If the license is not installed, install it with the following command:
> request system license add terminal
Then copy the license from the text file that was provided with it, and paste it at the prompt of the above command.
Define Custom Objects:
Start by setting up the custom objects for Anti-Spam. Some of these objects can be shared across multiple UTM features. For Anti-Spam, start by creating lists of URL patterns or IP addresses for the allow and block lists.
In this example, two lists of custom URL patterns are created: one named ip-black-list and the other named ip-white-list. These lists are created at the [edit security utm custom-objects] hierarchy level.
- Set up the two URL pattern lists. These can be IP addresses or URL patterns using wildcards.
set security utm custom-objects url-pattern ip-black-list value http://*.sex.com
set security utm custom-objects url-pattern ip-black-list value http://*.gamble.com
set security utm custom-objects url-pattern ip-black-list value http://*.flashgames.com
set security utm custom-objects url-pattern ip-white-list value http://*.work.com
set security utm custom-objects url-pattern ip-white-list value http://*.taxes.com
set security utm custom-objects url-pattern ip-white-list value http://*.networking.com
Define the feature-profile and UTM policy
Next, set up the feature profile to look at the local spam URL lists. Then you will be able to define an action to take: either block or tag. You can define a custom string to tag either the header or the subject of the emails. In this example, the subject will be tagged with ***YEP*SPAM***.
- Set the feature-profile to a local list and tag the subject with a custom string:
set security utm feature-profile anti-spam address-whitelist ip-white-list
set security utm feature-profile anti-spam address-blacklist ip-black-list
set security utm feature-profile anti-spam sbl profile local-profile no-sbl-default-server
set security utm feature-profile anti-spam sbl profile local-profile spam-action tag-subject
set security utm feature-profile anti-spam sbl profile local-profile custom-tag-string ***YEP*SPAM***
- Create the UTM policy for spam filtering:
set security utm utm-policy spam-block anti-spam smtp-profile local-profile
Or
- To enable only the server based Anti-Spam feature, apply the default UTM anti-spam profile:
set security utm feature-profile anti-spam sbl profile junos-as-defaults sbl-default-server
set security utm feature-profile anti-spam sbl profile junos-as-defaults spam-action block
set security utm feature-profile anti-spam sbl profile junos-as-defaults custom-tag-string ***SPAM***
- Apply the default profile to a UTM policy:
set security utm utm-policy spam-block anti-spam smtp-profile junos-as-defaults
Apply the UTM policy to the Security Policy
Finally, apply the UTM policy to a security policy as an application-service. In this example, it is applied to a policy from Untrust to Trust. Create the Untrust to Trust security policy, in which the UTM policy is applied as an application-service:
set security policies from-zone untrust to-zone trust policy spam-tag match source-address any
set security policies from-zone untrust to-zone trust policy spam-tag match destination-address any
set security policies from-zone untrust to-zone trust policy spam-tag match application any
set security policies from-zone untrust to-zone trust policy spam-tag then permit application-services utm-policy spam-block
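The three steps above only take effect if each object references the previous one by exactly the same name. The following added example (not part of the original article and not a Juniper tool) checks that reference chain in a list of set commands before commit; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample: the local-list variant of the set commands on this page.
SAMPLE = """\
set security utm custom-objects url-pattern ip-black-list value http://*.gamble.com
set security utm custom-objects url-pattern ip-white-list value http://*.work.com
set security utm feature-profile anti-spam address-whitelist ip-white-list
set security utm feature-profile anti-spam address-blacklist ip-black-list
set security utm feature-profile anti-spam sbl profile local-profile no-sbl-default-server
set security utm feature-profile anti-spam sbl profile local-profile spam-action tag-subject
set security utm utm-policy spam-block anti-spam smtp-profile local-profile
set security policies from-zone untrust to-zone trust policy spam-tag then permit application-services utm-policy spam-block
"""

def _find(lines, rx):
    """Return the captured groups of every line that matches rx."""
    return [m.groups() for m in (re.search(rx, l) for l in lines) if m]

def check_chain(config):
    """Return dangling references in the anti-spam chain (empty list = consistent)."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    patterns = {g[0] for g in _find(lines, r"utm custom-objects url-pattern (\S+) value ")}
    profiles = {g[0] for g in _find(lines, r"anti-spam sbl profile (\S+)")}
    profiles.add("junos-as-defaults")  # default profile named on this page
    utm = dict(_find(lines, r"utm utm-policy (\S+) anti-spam smtp-profile (\S+)"))
    applied = _find(lines, r"policy (\S+) then permit application-services utm-policy (\S+)")
    problems = []
    # Step 1 -> 2: lists named by the feature profile must exist as custom objects.
    for kind, name in _find(lines, r"anti-spam address-(whitelist|blacklist) (\S+)"):
        if name not in patterns:
            problems.append(f"address-{kind} {name}: no such url-pattern")
    # Step 2: the UTM policy must point at a defined sbl profile.
    for name, prof in utm.items():
        if prof not in profiles:
            problems.append(f"utm-policy {name}: smtp-profile {prof} not defined")
    # Step 3: a security policy must apply a UTM policy that exists.
    for pol, name in applied:
        if name not in utm:
            problems.append(f"security policy {pol}: utm-policy {name} not defined")
    if not applied:
        problems.append("no security policy applies a utm-policy")
    return problems

if __name__ == "__main__":
    print(check_chain(SAMPLE) or "anti-spam chain is consistent")
```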
Verify UTM Anti-Spam is working:
root@> show security utm anti-spam status
SBL Whitelist Server:
SBL Blacklist Server:
msgsecurity.juniper.net
DNS Server:
Primary : 0.0.0.0, Src Interface: ge-0/0/0
Secondary: 0.0.0.0, Src Interface: ge-0/0/1
Ternary : 0.0.0.0, Src Interface: ge-0/0/2
root@> show security utm anti-spam statistics
UTM Anti Spam statistics:
Total connections: 0
Denied connections: 0
Total greetings: 0
Denied greetings: 0
Total e-mail scanned: 0
White list hit: 0
Black list hit: 0
Spam total: 0
Spam tagged: 0
Spam dropped: 0
DNS errors: 0
Timeout errors: 0
Return errors: 0
Invalid parameter errors: 0
Statistics start time: 08/03/2012 19:30:59
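All-zero counters like those above do not show that mail is being inspected. The following added example (not part of the original article) compares two captures of the statistics output taken before and after a test message that should match the local blacklist; the snapshots are constructed, and using "Spam dropped" as the expected counter for the block action is an assumption.

```python
import re

ERROR_COUNTERS = ("DNS errors", "Timeout errors", "Return errors",
                  "Invalid parameter errors")

# Constructed snapshots: BEFORE mirrors the all-zero output above (abbreviated),
# AFTER is what a capture might look like once a blacklisted test message passed.
BEFORE = """\
UTM Anti Spam statistics:
Total e-mail scanned: 0
White list hit: 0
Black list hit: 0
Spam total: 0
Spam tagged: 0
Spam dropped: 0
DNS errors: 0
Statistics start time: 08/03/2012 19:30:59
"""
AFTER = (BEFORE.replace("scanned: 0", "scanned: 2")
               .replace("Black list hit: 0", "Black list hit: 1")
               .replace("Spam total: 0", "Spam total: 1")
               .replace("Spam tagged: 0", "Spam tagged: 1"))

def parse_stats(text):
    """Parse the statistics output into {counter name: int}; non-numeric lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?):\s+(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def verify(before, after, expect="Spam tagged"):
    """Return findings for the interval between two snapshots (empty list = as expected)."""
    b, a = parse_stats(before), parse_stats(after)
    delta = {k: v - b.get(k, 0) for k, v in a.items()}
    findings = []
    if delta.get("Total e-mail scanned", 0) <= 0:
        findings.append("no e-mail scanned between snapshots")
    elif delta.get(expect, 0) <= 0:
        findings.append(f"mail scanned but '{expect}' did not increase")
    for name in ERROR_COUNTERS:
        if delta.get(name, 0) > 0:
            findings.append(f"{name} increased by {delta[name]}")
    return findings

if __name__ == "__main__":
    print(verify(BEFORE, AFTER) or "counters moved as expected")
```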
Configuration example for Anti-Spam:
root@# show | no-more
version 12.1R1.9;
system {
    host-name Starburst;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    login {
        message "/**** Please reload /var/tmp/default.conf when you are done ****/ ";
        user lab {
            uid 2000;
            class superuser;
            authentication {
                encrypted-password "$ABC123"; ## SECRET-DATA
            }
        }
    }
    services {
        ftp;
        ssh;
        telnet;
        web-management {
            traceoptions {
                flag dynamic-vpn;
                flag webauth;
            }
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.66.94/24;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 66.129.243.0/24 {
            next-hop 10.10.66.1;
            no-readvertise;
        }
    }
}
security {
    utm {
        custom-objects {
            url-pattern {
                ip-black-list {
                    value [ http://*.test1.com http://*.test2.com http://*.test3.com ];
                }
                ip-white-list {
                    value [ http://*.test4.com http://*.test5.com http://*.test6.com ];
                }
            }
        }
        feature-profile {
            anti-spam {
                address-whitelist ip-white-list;
                address-blacklist ip-black-list;
                traceoptions {
                    flag all;
                }
                sbl {
                    profile local-profile {
                        no-sbl-default-server;
                        spam-action tag-subject;
                        custom-tag-string ***YEP*SPAM***;
                    }
                }
            }
        }
        utm-policy spam-block {
            anti-spam {
                smtp-profile local-profile;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy spam-tag {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy spam-block;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/15.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
2020-12-31: Replaced words that failed to represent the inclusion and diversity Juniper values