Cyberoam Anti Spam Implementation Guide


Version 10
Document version 1.0 – 10.6.3.260 - 29/05/2015

Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but
it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam
Technologies Pvt. Ltd. reserves the right, without notice, to make changes in product design or specifications. Information is
subject to change without notice.

USER’S LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License
Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.

You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam
UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS
Copyright 1999 - 2015 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of
Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters

Cyberoam House,
Saigulshan Complex, Opp. Sanskruti,
Beside White House, Panchwati Cross Road,
Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Web site: www.cyberoam.com


Contents

Preface
Introduction
Appliance Administrative Interfaces
    Web Admin Console
    Command Line Interface (CLI) Console
    Cyberoam Central Console (CCC)
    Web Admin Console
        Web Admin Language
        Supported Browsers
        Login procedure
        Log out procedure
        Menus and Pages
        Page
        Icon bar
        List Navigation Controls
        Tool Tips
        Status Bar
        Common Operations
Spam
Cyberoam Gateway Anti Spam
    Configuration
        Address Group
        Email Archiver
    Spam Rules
        Manage Spam Rules
    Quarantine
        Quarantine Digest Settings
        Quarantine Area
    Trusted Domain


Preface
Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to
organizations against blended threats (worms, viruses, malware, data loss, identity theft), threats
over applications such as Instant Messengers, threats over secure protocols such as HTTPS, and more.
They also offer wireless security (WLAN), and their 3G wireless broadband and analog modem support
can be used as either an Active or a Backup WAN connection for business continuity.

Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and
Anti-Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data
Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management,
Multiple Link Management and Comprehensive Reporting on a single platform.

Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack.
Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling
Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs
support. It thus offers security to organizations across layer 2 - layer 8, without compromising
productivity and connectivity.

Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its
security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’
Gold logo provide Cyberoam the readiness to deliver on future security requirements.

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly
accessible servers, such as Web, Mail and FTP servers, hosted in a DMZ. These servers are visible to
the external world and still have firewall protection.

Note

• Default Web Admin Console username is ‘admin’ and password is ‘admin’.
• Cyberoam recommends that you change the default password immediately after installation to
  avoid unauthorized access.


Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:

Cyberoam House
Saigulshan Complex, Opp. Sanskruti,
Beside White House, Panchwati Cross Road,
Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Web site: www.cyberoam.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Introduction
Welcome to the Cyberoam Anti Spam User Guide.

This Guide provides information on how to configure the Cyberoam Anti Spam solution and helps you
manage and customize Cyberoam to meet your organization’s various requirements, including
restriction of spam mails, creation of groups and archiving of Emails, to control web as well as
application access.

The Anti Spam module is an add-on module that must be subscribed to before use.

Note

All the screen shots in this Guide have been taken from NG series appliances. The features and
functionality, however, remain unchanged across all Cyberoam appliances.


Appliance Administrative Interfaces
The Appliance can be accessed and administered through:
1. Web Admin Console
2. Command Line Interface Console
3. Cyberoam Central Console

Administrative Access

An administrator can connect to and access the Appliance through HTTP, HTTPS, telnet, or SSH
services. Depending on the Administrator login account profile used for access, an administrator
can access a number of Administrative Interfaces and Web Admin Console configuration pages.

The Appliance is shipped with two administrator accounts and four administrator profiles.

| Administrator Type | Login Credentials | Console Access | Privileges |
|---|---|---|---|
| Super Administrator | admin/admin | Web Admin Console, CLI console | Full privileges for both the consoles. It provides read-write permission for all the configuration performed through either of the consoles. |
| Default | cyberoam/cyber | Web Admin console only | Full privileges. It provides read-write permission for all the configuration pages of Web Admin console. |

Note

We recommend that you change the password of both the users immediately on deployment.

Web Admin Console

Web Admin Console is a web-based application that an Administrator can use to configure, monitor,
and manage the Appliance.
You can connect to and access the Web Admin Console of the Appliance over an HTTP or HTTPS
connection from any management computer using a web browser:
1. HTTP login: http://<LAN IP Address of the Appliance>
2. HTTPS login: https://<LAN IP Address of the Appliance>

For more details, refer to the section Web Admin Console.


Command Line Interface (CLI) Console

The Appliance CLI console provides a collection of tools to administer, monitor and control certain
Appliance components. The Appliance can be accessed remotely using the following connections:

1. Remote login Utility – TELNET login

To access the Appliance from the command prompt using the remote login utility Telnet, use the command
TELNET <LAN IP Address of the Appliance>. Use the administrator password to log in.

Note

Default password of TELNET connection for CLI Console is “admin”.

2. SSH Client (Serial Console)

An SSH client securely connects to the Appliance and performs command-line operations. The CLI console
of the Appliance can be accessed via any SSH client using the LAN IP Address of the Appliance
and providing Administrator credentials for authentication.

Note

Start the SSH client and create a new Connection with the following parameters:
Host – <LAN IP Address of the Appliance>
Username – admin
Password – admin

Use the CLI console for troubleshooting and diagnosing network problems in detail. For more details,
refer to the version-specific Console Guide available on http://docs.cyberoam.com/.

Cyberoam Central Console (CCC)

Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central
Console (CCC) Appliance, enabling high levels of security for Managed Security Service Providers
(MSSPs) and large enterprises. To monitor and manage Cyberoam using a CCC Appliance you must:
1. Configure the CCC Appliance in Cyberoam
2. Integrate the Cyberoam Appliance with CCC, using Auto Discovery or manually

Once you have added the Appliances and organized them into groups, you can configure a single
Appliance or groups of Appliances.

For more information, refer to the CCC Administrator Guide.


Web Admin Console


CyberoamOS uses a Web 2.0 based, easy-to-use graphical interface, termed the Web Admin Console,
to configure and manage the Appliance.

You can access the Appliance for HTTP and HTTPS web browser-based administration from any of
the interfaces. When the Appliance is connected and powered up for the first time, it has the
following default Web Admin Console access configuration for HTTP and HTTPS services.

| Services | Interface/Zones | Default Port |
|---|---|---|
| HTTP | LAN, WAN | TCP Port 80 |
| HTTPS | WAN | TCP Port 443 |

The administrator can update the default ports for HTTP and HTTPS services from System >
Administration > Settings.

Web Admin Language

The Web Admin Console supports multiple languages, but by default appears in English. To cater
to its non-English customers, apart from English, the Chinese-Simplified, Chinese-Traditional, Hindi,
Japanese and French languages are also supported. The Administrator can choose the preferred GUI
language at the time of logging on.

The following elements of the Web Admin Console are displayed in the configured language:
• Dashboard Doclet contents
• Navigation menu
• Screen elements including field & button labels and tips
• Error messages


Supported Browsers

You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS
connection from any management computer using one of the following web browsers:

| Browser | Supported Version |
|---|---|
| Microsoft Internet Explorer | Version 8+ |
| Mozilla Firefox | Version 3+ |
| Google Chrome | All versions |
| Safari | 5.1.2(7534.52.7)+ |
| Opera | 15.0.1147.141+ |

The minimum screen resolution for the management computer is 1024 X 768 with 32-bit true color.

The Administrator can also specify the description for firewall rule, various policies, services and
various custom categories in any of the supported languages.

All the configuration done using Web Admin Console takes effect immediately. To assist you in
configuring the Appliance, the Appliance includes a detailed context-sensitive online help.


Login procedure

The log on procedure authenticates the user and creates a session with the Appliance until the user
logs off.

To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the
browser’s URL box. A dialog box appears prompting you to enter username and password.

Screen – Login Screen

| Screen Element | Description |
|---|---|
| Username | Enter user login name. If you are logging on for the first time after installation, use the default username. |
| Password | Specify user account password. Dots are the placeholders in the password field. If you are logging on for the first time after installation with the default username, use the default password. |
| Language | Select the language. The available options are Chinese-Simplified, Chinese-Traditional, English, French, and Hindi. Default – English |
| Log on to | To administer Cyberoam, select “Web Admin Console”. To view logs and reports, select “Reports”. To login into your account, select “My Account”. |
| Login button | Click to log on the Web Admin Console. |

Screen – Login screen elements

The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick and
fast overview of all the important parameters of your Appliance.


Log out procedure

To prevent unauthorized users from accessing Cyberoam, log off after you have finished working.
This will end the session and exit from Cyberoam.

To log off from the Appliance, click the button located at the top right of any of the Web
Admin Console pages.


Menus and Pages

The Navigation bar on the leftmost side provides access to various configuration pages. This menu
consists of sub-menus and tabs. On clicking a menu item in the navigation bar, the related
management functions are displayed as submenu items in the navigation bar itself. On clicking a
submenu item, all the associated tabs are displayed as a horizontal menu bar at the top of the
page. To view the page associated with a tab, click the required tab.

The left navigation bar expands and contracts dynamically when clicked, without navigating to a
submenu. When you click on a top-level heading in the left navigation bar, it automatically expands
that heading and contracts the heading for the page you are currently on, but it does not navigate
away from the current page. To navigate to a new page, first click on the heading, and then click on
the submenu you want to navigate to. Hovering the cursor over the up-scroll icon or the down-scroll
icon automatically scrolls the navigation bar up or down respectively.

The navigation menu includes the following modules:

• System – System administration and configuration, firmware maintenance, backup - restore
• Objects – Configuration of various policies for hosts, services, schedules and file type
• Networks – Network specific configuration viz., Interface speed, MTU and MSS settings,
  Gateway, DDNS
• Identity – Configuration and management of User and user groups
• Firewall – Firewall Rule Management
• VPN – VPN and SSL VPN access configuration
• IPS – IPS policies and signature
• Web Filter – Web filtering categories and policies configuration
• Application Filter – Application filtering categories and policies configuration
• WAF – Web Application Filtering policies configuration. Available in all the models except
  CR15iNG and CR15wiNG.
• IM – IM controls
• QoS – Policy management viz., surfing quota, QoS, access time, data transfer
• Anti Virus – Antivirus filtering policies configuration
• Anti Spam – Anti Spam filtering policies configuration
• Traffic Discovery – Traffic monitoring
• Logs & Reports – Logs and reports configuration

Note

• Use F1 key for page-specific help.
• Use F10 key to return to Dashboard.

Each section in this guide shows the menu path to the configuration page. For example, to reach
the Zone page, choose the Network menu, then choose the Interface sub-menu from the navigation
bar, and then choose the Zone tab. The guide writes this path as Network > Interface > Zone.


Page

A typical page looks as shown in the image below:

Screen – Page


Icon bar

The Icon bar on the upper rightmost corner of every page provides access to several commonly
used functions:
1. Dashboard – Click to view the Dashboard.
2. Wizard – Opens the Network Configuration Wizard for a step-by-step configuration of network
   parameters like IP Address, subnet mask and default gateway for your Appliance.
3. Report – Opens the Reports page for viewing various usage reports. The integrated Logging and
   Reporting solution, iView, offers a wide spectrum of 1000+ unique user identity-based reports
   across applications and protocols and provides in-depth network visibility to help organizations
   take corrective and preventive measures.

   This feature is not available for CR15xxxx series of Appliances.

4. Console – Provides immediate access to the CLI by initiating a telnet connection with the CLI
   without closing the Web Admin Console.
5. Logout – Click to log off from the Web Admin Console.
6. More Options – Provides options for further assistance. The available options are as follows:
   • Support – Opens the customer login page for creating a Technical Support Ticket. It is fast, easy and
     puts your case right into the Technical Support queue.
   • About Product – Opens the Appliance registration information page.
   • Help – Opens the context-sensitive help page.
   • Reset Dashboard – Resets the Dashboard to factory default settings.
   • Lock – Locks the Web Admin Console. The Web Admin Console is automatically locked if the Appliance
     is in an inactive state for more than 3 minutes. To unlock the Web Admin Console you need to log in
     again. By default, Lock functionality is disabled. Enable Admin Session Lock from System >
     Administration > Settings.
   • Reboot Appliance – Reboots the Appliance.
   • Shutdown Appliance – Shuts down the Appliance.


List Navigation Controls

The Web Admin Console pages display information in the form of lists that are spread across
multiple pages. The Page Navigation Control Bar on the upper right corner of the list provides
navigation buttons for moving through the pages of a list with a large number of entries. It also
includes an option to specify the number of entries/records displayed per page.

Tool Tips
To view additional configuration information, use the tool tip. Tool tips are provided for many
configurable fields. Move the pointer over the icon to view the brief configuration summary.

Status Bar
The Status bar at the bottom of the page displays the action status.


Common Operations

Adding an Entity
You can add a new entity like a policy, group, user, rule, or host by clicking the Add button available
on most of the configuration pages. Clicking this button opens either a new page or a pop-up window.

Editing an Entity
All the editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the
Edit icon under the Manage column.

Deleting an Entity

You can delete an entity by selecting the checkbox and clicking the Delete button or Delete icon.

To delete multiple entities, select individual entity and click the Delete button.

To delete all the entities, select in the heading column and click the Delete button.


Sorting Lists

To organize a list spread over multiple pages, sort the list in ascending or descending order of a
column attribute. You can sort a list by clicking a column heading.

• The Ascending Order icon in a column heading indicates that the list is sorted in ascending
  order of the column attribute.
• The Descending Order icon in a column heading indicates that the list is sorted in descending
  order of the column attribute.

Filtering Lists

To search for specific information within a long list spread over multiple pages, filter the list.
Filtering criteria vary depending on the column data and can be a number, an IP address or part of an
address, or any text string combination.

To create a filter, click the Filter icon in a column heading. When a filter is applied to a column,
the Filter icon changes.

Configuring Column Settings

By default, every page displays all columnar information, but on certain pages where a large
amount of columnar information is available, not all the columns can be displayed. It is also possible
that some content may not be of use to everyone. Using column settings, you can choose to
display only those columns which are important to you.

To configure column settings, click Select Column Settings, select the checkbox against the
columns you want to display and clear the checkbox against the columns which you do not want to
display. All the default columns are greyed and not selectable.


Spam
Spam refers to electronic junk mail or junk newsgroup postings. Some people define spam even
more generally as any unsolicited Email.

Spamming is the indiscriminate sending of unsolicited, unwanted, irrelevant, or inappropriate
messages, especially commercial advertising, in mass quantities. In other words, it is an
inappropriate attempt to use a mailing list or other networked communications facility as a
broadcast medium by sending the same message to a large number of people who did not ask for it.

In addition to being a nuisance, spam also eats up a lot of network bandwidth. Because the Internet
is a public network, little can be done to prevent spam, just as it is impossible to prevent junk mail.
However, software filters in Email programs can remove most spam sent through Email to a certain
extent.

With the number of computer users growing and the exchange of information via the Internet and
Email increasing in volume, spamming has become an almost everyday occurrence. Apart from
network bandwidth, it also affects employee productivity, as deleting such mails is a huge task.
Anti spam protection is therefore a priority for anyone who uses a computer.


Cyberoam Gateway Anti Spam
Cyberoam Gateway Anti Spam provides a powerful tool for scanning and detecting infection and
Spam in the mail traffic (SMTP, SMTP over SSL, POP3, and IMAP) as well as web (HTTP) traffic
that passes through the appliance. Cyberoam Anti Spam, as part of a unified solution along with Anti
Virus and IPS (Intrusion Prevention System), provides real time virus scanning that protects all
network nodes (workstations, file servers, mail systems) from known and unknown attacks by worms
and viruses, Trojans, spyware, adware, spam, hackers and all other cyber threats.

Cyberoam detects spam mails based on:

• RBL (Real time Blackhole List)
• Mass distribution pattern, using RPD (Recurrent Pattern Detection) technology, for which a
  Gateway Anti Spam module subscription is required. RPD technology is responsible for proactively
  probing the Internet to gather information about massive spam outbreaks from the time they are
  launched. This technology is used to identify recurrent patterns that characterize massive spam
  outbreaks.

SMTP/S means both SMTP and SMTP over SSL, and every configuration applies to both kinds of
traffic. The terms SMTP over SSL and SMTP/S are used interchangeably.

Cyberoam Gateway Anti Spam solution provides a powerful tool for scanning and detecting infection
and Spam in the mail traffic (SMTP, SMTP over SSL, POP3, and IMAP) as well as web (HTTP)
traffic that passes through the appliance. It inspects all inbound mails, i.e. incoming Emails
(SMTP/S, POP3, and IMAP traffic), before the messages are delivered to the receiver's mail box, and
all outbound mails, i.e. outgoing Emails (SMTP/S traffic) sent by the user from an Email Client.
Two separate policies and firewall rules must be configured for inbound and outbound mail traffic. If
Spam is detected, action is taken on the Email depending on the policy and the rules set. When Spam
is detected in incoming traffic, the Email can be processed and delivered to the recipient
unaltered, rejected with a notification of the message rejection, delivered with an added or changed
subject, or sent to a changed receiver. When Spam is detected in outgoing SMTP/S traffic, the Email
can be rejected with a notification of the message rejection, dropped with a notification, or sent
to a changed receiver. Integration into an existing network is easy as it is fully compatible with
all the mail systems.

Note

Outbound Anti Spam is a subscription based module.

Cyberoam Anti Spam allows you to:

• Scan Email messages for spamming by protocols namely SMTP, SMTP over SSL, POP3, IMAP
• Monitor and proactively detect recurrent patterns in spam mails and combat multi-format (text,
  images, HTML etc.) and multi-language threats
• Monitor mails received from Domain/IP Address
• Detect spam mails using RBLs. If Anti Spam module is not subscribed, Cyberoam will detect
  spam mails based on RBL only and not on recurrent patterns in mails.
• Accept/Reject messages based on message size and message header
• Customize protection of incoming and outgoing Email messages by defining scan policies
• Set different actions for SMTP/S, POP and IMAP spam mails
• Configure action for individual Email Address
• Notify receivers about spam messages

• Configuration
• Spam Rules
• Quarantine
• Trusted Domain


Configuration
Anti Spam Configuration allows you to configure scanning rules for SMTP/S, POP, and IMAP traffic,
defined on Address Groups, individual Email Addresses, IP Addresses or RBLs. The Administrator is
notified of critical events via system warnings and Email notifications. The administrator can archive
almost all the Emails coming into the organization and thereby keep a close watch over data leakage.

• Configuration
• Address Group
• Email Archiver

Configure restrictions on mails from Anti Spam > Configuration > Configuration.

Screen – Configure Parameters

| Screen Elements | Description |
|---|---|
| Bypass Spam Check For SMTP/S Authenticated Connections | Click “Bypass Spam check for SMTP/S Authenticated Connections” to bypass the Spam scanning of the authenticated traffic. If enabled, SMTP/S authenticated connections are bypassed from RBL and RPD based Spam checking. By default, it is disabled. |
| Verify Sender’s IP Reputation | Enable IP Reputation if you want to verify the reputation of the sender IP Address. Cyberoam dynamically checks the sender IP Address and denies the SMTP/S connection if the IP Address is found to be responsible for sending spam mails or malicious contents. If enabled, specify the action for Confirmed Spam Emails and Probable Spam Emails. Accept: all the spam Emails are forwarded to the recipient after scanning as per the configuration. Reject: all the spam mails are rejected and a notification is displayed to the user. Drop: all the spam mails are dropped. If both “Bypass Spam check for SMTP/S Authenticated Connections” and “Verify Sender’s IP Reputation” are enabled, for the authenticated connections, spam scanning based on RBL and RPD will be given the precedence. |
| SMTP/S Mails Greater Than Size | Specify maximum size (in KB) of the file to be scanned. Files exceeding this size received through SMTP/S will not be scanned. By default, SMTP/S mails exceeding 1024 KB in size are not scanned. Specify 0 to increase default file size restriction for scanning to 51200 KB i.e. files exceeding 51200 KB will not be scanned if 0 is configured. Note: For Cyberoam CR15i models, specify 0 for default size restriction of 1024 KB i.e. files exceeding 1024 KB will not be scanned if 0 is configured. |
| SMTP/S Oversize Mail Action | Specify the action to be taken on oversize files i.e. Accept, Reject or Drop. Accept: all the oversize mails are forwarded to the recipient without scanning. Reject: all the oversize mails are rejected and a notification is displayed to the user. Drop: all the oversize mails are dropped. |
| POP3 / IMAP Mails Greater Than Size | Specify maximum size (in KB) of the file to be scanned. Files exceeding this size received through POP / IMAP will not be scanned and are forwarded to the recipient without scanning. By default, POP3/IMAP mails exceeding 1024 KB in size are not scanned. Specify 0 to increase default file size restriction for scanning to 10240 KB i.e. files exceeding 10240 KB will not be scanned if 0 is configured. Note: For Cyberoam CR15i models, specify 0 for default size restriction of 1024 KB i.e. files exceeding 1024 KB will not be scanned if 0 is configured. |
| Header To Detect Recipient for POP3 / IMAP | Specify Header value to detect recipient for POP3 / IMAP. Click the Add icon to add headers and the Remove icon to delete the header which is used for detecting the recipient’s address. |


Table – Configure Parameters screen elements
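
The size settings in the table above decide which mail is never scanned. The following added example (not Cyberoam code) models them in Python to show where unscanned delivery remains possible; the class and function names are hypothetical, and only the KB values and the Accept/Reject/Drop actions come from the table.

```python
from dataclasses import dataclass

# Numbers below are the ones given in the Configure Parameters table.
DEFAULT_LIMIT_KB = 1024                              # default for both size limits
ZERO_LIMIT_KB = {"smtp": 51200, "pop3_imap": 10240}  # limit applied when 0 is configured
ZERO_LIMIT_KB_CR15I = 1024                           # CR15i models: 0 means 1024 KB
ACTIONS = ("Accept", "Reject", "Drop")


@dataclass
class AntiSpamConfig:
    """Hypothetical container for the documented settings; not a Cyberoam API."""
    smtp_oversize_action: str                # no default is stated in the guide
    smtp_limit_kb: int = DEFAULT_LIMIT_KB
    pop3_imap_limit_kb: int = DEFAULT_LIMIT_KB
    bypass_authenticated_smtp: bool = False  # documented default: disabled
    is_cr15i: bool = False

    def __post_init__(self):
        if self.smtp_oversize_action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")


def effective_limit_kb(cfg, protocol):
    """Largest message size (KB) that is still scanned for this protocol."""
    if protocol not in ZERO_LIMIT_KB:
        raise ValueError(f"unknown protocol: {protocol!r}")
    configured = cfg.smtp_limit_kb if protocol == "smtp" else cfg.pop3_imap_limit_kb
    if configured != 0:
        return configured
    # 0 is not "unlimited": it selects a fixed, model-dependent ceiling.
    return ZERO_LIMIT_KB_CR15I if cfg.is_cr15i else ZERO_LIMIT_KB[protocol]


def size_outcome(cfg, protocol, size_kb):
    """What the size settings alone do with one message of size_kb."""
    if size_kb <= effective_limit_kb(cfg, protocol):
        return "scanned"
    if protocol == "pop3_imap":
        return "forwarded unscanned"         # the table gives POP3/IMAP no oversize action
    return {"Accept": "forwarded unscanned",
            "Reject": "rejected",
            "Drop": "dropped"}[cfg.smtp_oversize_action]


def unscanned_paths(cfg):
    """List every documented way mail is delivered without a spam scan."""
    findings = []
    if cfg.smtp_oversize_action == "Accept":
        findings.append(f"SMTP/S mail over {effective_limit_kb(cfg, 'smtp')} KB "
                        "is forwarded without scanning")
    findings.append(f"POP3/IMAP mail over {effective_limit_kb(cfg, 'pop3_imap')} KB "
                    "is forwarded without scanning")
    if cfg.bypass_authenticated_smtp:
        findings.append("authenticated SMTP/S connections skip RBL and RPD checks")
    return findings


if __name__ == "__main__":
    permissive = AntiSpamConfig(smtp_oversize_action="Accept")
    widened = AntiSpamConfig(smtp_oversize_action="Reject",
                             smtp_limit_kb=0, pop3_imap_limit_kb=0)
    for name, cfg in (("permissive", permissive), ("widened", widened)):
        print(name)
        for size in (900, 2048, 60000):      # constructed sample sizes in KB
            print(f"  smtp {size} KB ->", size_outcome(cfg, "smtp", size))
        for finding in unscanned_paths(cfg):
            print("  !", finding)
```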

Page 24 of 43
Cyberoam Anti Spam Implementation Guide

Address Group
Address Group is a group of Email Addresses, IP Addresses, or RBLs. An address can be a member
of multiple groups. To make configuration simpler, you can group addresses when applying policy.
A policy applied on the address group is applicable to all the group members.

To make it easier to add Anti Spam rules, create groups of Email Addresses, IP Addresses, or
RBLs and then add one Spam Rule to take action for all Addresses in the group. An Address can be
a member of multiple groups i.e. an Address can be included in multiple Address Groups.

A scanning rule can be defined for an individual or a group of:

• Email Address or Domain
• IP Address
• RBL (Real time black hole List) (applicable only for the spam mails)

RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are
responsible for spam or are hijacked for spam relay. These IP Addresses might also be used for
spreading viruses.
Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches one
on the list, the specified action in policy is taken.

Manage Address Group

To manage Address Groups, go to Anti Spam > Configuration > Address Group.

Screen – Manage Address Group

Screen Elements Description


Add Button Add a new Address Group.
Name Name of the Address Group.
Type Type of Group: RBL, IP Address, Email Address/Domain.
Description Displays Address Group Description.
Import Icon Click to import the Address Groups.
Edit Icon Edit the Address Group.
Delete Button Delete the Address Group.

Alternately, click the Delete icon against the address group to be deleted.
Table – Manage Address Group screen elements


Import Email Address into an existing Address Group


If you already have the address details in a file, you can upload the file instead of adding the
addresses again in Cyberoam. If the file has multiple addresses, each address must be on a new
line. A file with comma-separated addresses will give an error on upload.

Click the Import Button to import a CSV or text file. Select the complete path of the information file.
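
A pre-upload check for the import file format described above, as an added example (not part of the guide or the appliance): it flags comma-separated lines and other entries likely to be rejected. The syntax patterns and function names are assumptions, since the guide does not state the exact grammar the appliance accepts.

```python
import re

# Deliberately strict syntax checks (assumption: not the appliance's own rules).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+[A-Za-z]{{2,63}}$")
LOCAL_RE = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}$")

def classify(entry):
    """Return 'email', 'domain' or None for a single entry."""
    if "@" in entry:
        local, _, domain = entry.rpartition("@")
        if LOCAL_RE.match(local) and DOMAIN_RE.match(domain):
            return "email"
        return None
    return "domain" if DOMAIN_RE.match(entry) else None

def lint_import_file(text):
    """Return (clean_entries, problems); problems holds (line_number, reason)."""
    clean, problems, seen = [], [], set()
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no address
        if "," in entry:
            problems.append((number, "comma-separated; use one address per line"))
        elif len(entry.split()) > 1:
            problems.append((number, "more than one token on the line"))
        elif classify(entry) is None:
            problems.append((number, "not a valid email address or domain"))
        elif entry.lower() in seen:
            # Treated as case-insensitive here, as most mail systems do.
            problems.append((number, "duplicate entry"))
        else:
            seen.add(entry.lower())
            clean.append(entry)
    return clean, problems

def split_to_lines(text):
    """Rewrite comma-separated content as one entry per line."""
    parts = re.split(r"[,\r\n]+", text)
    return "\n".join(p.strip() for p in parts if p.strip()) + "\n"

# Constructed sample file contents.
SAMPLE = (
    "alice@example.com\n"
    "example.org\n"
    "bob@example.com, carol@example.com\n"
    "not an address\n"
    "ALICE@example.com\n"
)

if __name__ == "__main__":
    ok, bad = lint_import_file(SAMPLE)
    print("ready to import:", ok)
    for line_number, reason in bad:
        print(f"line {line_number}: {reason}")
```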

Address Group Parameters

To add or edit an Address Group, go to Anti Spam > Configuration > Address Group.
Click Add Button to add a new group or Edit Icon to modify the details.

Screen – Add Address Group

Screen Elements Description


Name Specify a name to identify the Group.
Group Type Select the Group Type.

Available Options:
• RBL – RBL is a list of IP Addresses whose owners
refuse to stop the proliferation of spam i.e. are
responsible for spam or are hijacked for spam relay.
Cyberoam will check each RBL for the connecting IP
Address. If the IP Address matches to the one on the
list then the specified action in policy is taken.

Specify Domain Name to be added as RBLs to the Address Group.

• IPv4 Address – Specify IP Addresses or Network address that you want to group.

• Email Address / Domain – Specify Email Address or Domain Name to be added to the
Address Group.

On selecting “Email Address/Domain” select the type of Address Group from the
available options:

Available Options:
• Import – Select to browse and import a CSV file or a text file
to add the Email Address/Domain to address group.
• Manual – Select to manually add the Email
Address/Domain to address group.
Use Add button to add value to the list and to delete
value to the list.
Description Provide description for Address Group.
Table – Add Address Group screen elements

Email Archiver
If you want the Administrator or any other person in the organization to know about mails coming
into the organization, you can specify an Email Address to which a copy of such mails is forwarded.

By using Email Archiver, the administrator can archive almost all the Emails coming into the
organization and thereby keep a close watch over data leakage. Emails of a specific recipient or a
group of recipients can be archived using Email Archiver. Create multiple archivers to send a copy
of Emails to more than one administrator.

Cyberoam can archive all Emails intended for a single recipient or multiple recipients and forward
them to a single administrator or multiple administrators. Configure this from Anti Spam >
Configuration > Email Archiver.

Screen – Manage Email Archives

Screen Elements Description


Add Button Add a new Email Archive.
Name Email Archiver name.
Recipient Email Address of the recipient whose emails are archived.

Send Copy To Email Address to which the Email copy is sent.

This option can be applied to SMTP protocol only.


Edit Icon Edit the Email Archiver.
Delete Button Delete the Email Archiver.

Alternately, click the Delete icon against the Email Archiver to be deleted.
Table – Manage Email Archivers screen elements

Add Email Archiver

To add or edit Email Archiver, go to Anti Spam > Configuration > Email Archiver. Click
the Add button to add an Email Archiver. To update the details, click on the Email Archiver or Edit
icon in the Manage column against the Archivers you want to modify.


Screen – Add Email Archiver

Screen Elements Description


Name Specify a name for the Email Archiver.
Recipient Select Email Address of the recipient whose Emails are to
be archived.

You can also add a new Email Address or domain from the
Email Archiver page itself.
Send Copy Of Email To Specify Email Address to which the Email copy is to be
sent.

This option can be applied to SMTP protocol only.


Table – Add Email Archiver screen elements


Spam Rules
As soon as you subscribe to Cyberoam Gateway Anti Spam, Spam Rules can be configured for
particular senders and recipients.

Spam Rule defines what action is to be taken if the mail is identified as spam and to which Email
Address the copy of the mail is to be sent. These rules can be applied directly to Email Addresses now
and thus, traffic can be directly scanned for Spam mails.

To reduce the risk of losing legitimate messages, the spam quarantine repository, a storage
location, provides administrators a way to automatically quarantine and remediate messages that
are identified as spam.

This helps in managing spam and probable spam quarantined mails, and you can take appropriate
actions on such mails.

Detection of Spam attributes

Cyberoam uses content filtering and three RBLs - Real time Blackhole Lists – to check for the spam
attributes in SMTP/S as well as POP3 / IMAP mails:
• Premium
• Standard

RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are
responsible for spam or are hijacked for Spam Relay.

Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches one
on the list, the specified action in policy is taken.
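
The RBL check described above and in the Address Group section, as an added example (not Cyberoam code): it assumes the conventional DNS-based lookup of RFC 5782, which this guide does not spell out. The zone names, function names and resolver answers are constructed so the block runs offline.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # RFC 5782 return codes

def dnsbl_query_name(ip, zone):
    """Name to resolve for an IPv4 address in a DNSBL zone: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """Resolve with the OS resolver; None means NXDOMAIN or no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def rbl_hits(ip, zones, resolve=system_resolver):
    """Return the zones of an RBL group that list `ip`."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue  # not listed in this zone
        # Only 127.0.0.0/8 answers mean "listed". Any other address usually
        # comes from a resolver rewriting NXDOMAIN, which would otherwise
        # make every connecting sender look blacklisted.
        if ipaddress.IPv4Address(answer) in LISTED_RANGE:
            hits.append(zone)
    return hits

# Constructed data: hypothetical zones and canned answers.
RBL_GROUP = ["rbl-a.example.org", "rbl-b.example.org"]
CANNED_ANSWERS = {
    "99.2.0.192.rbl-a.example.org": "127.0.0.2",      # a real listing
    "7.113.0.203.rbl-b.example.org": "198.51.100.1",  # rewritten NXDOMAIN
}

def canned_resolver(name):
    """Stand-in for DNS that answers only from CANNED_ANSWERS."""
    return CANNED_ANSWERS.get(name)

if __name__ == "__main__":
    for sender in ("192.0.2.99", "203.0.113.7", "198.51.100.25"):
        hits = rbl_hits(sender, RBL_GROUP, canned_resolver)
        print(sender, "listed in", hits if hits else "no zone")
```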

Manage Spam Rules


To manage Spam Rules, go to Anti Spam > Spam Rules > Spam Rules.

Screen – Manage Spam Rules

Screen Elements Description


Name Displays name of the Spam Rule.
Sender Sender Email ID.
Recipient Recipient Email ID.
Rules Conditional Rule for restricting spam mails.
Action
SMTP/S Conditions applied for the SMTP/S mails.
POP3/IMAP Conditions applied for the POP3 mails.
Table – Manage Spam Rules screen elements

Spam Rule Parameters

To add or edit a Spam Rule, go to Anti Spam > Spam Rules > Spam Rules. Click the Add
button to add a Spam Rule. To update the rules, click on the Spam Rule or Edit icon in the
Manage column against the rule to be modified.

Note

On subscribing to Outbound Spam, the parameter “Anti Spam Module Has Identified Mail As” is renamed
and displayed as “Inbound Anti Spam Module Has Identified Mail As”.

Screen – Add Spam Rule

Screen Elements Description


Name Specify a name for Anti Spam Rule.

Recipient Email Select Recipient Email Address. You can also add a list of
Email Addresses using the “Add Email Address” link.

Sender Email Select Sender Email Address. You can also add a list of
Email Addresses using the “Add Email Address” link.

IF Conditions
Anti Spam / Inbound Anti Spam Module Has Identified Mail As (Parameter “Inbound
Anti Spam Module Has Identified Mail As” is displayed on Outbound Spam subscription)
All the Email messages received by users who are in a network protected by the
Appliance are referred to as Inbound.

On configuring Appliance Inbound Spam, all the messages received by the users are
scanned for spam and Email virus outbreak by the Appliance.

Specified action will be taken if the Anti Spam module has identified the Inbound
Email to be one of the following:
• Spam
• Probable Spam
• Virus Outbreak
• Probable Virus Outbreak

You can set different actions for SMTP and POP mails.

Outbound Anti Spam Module Has Identified Mail As (Option available only on subscription)
Messages sent by a user from the network protected by the Appliance to a remote
user on another mail system are referred to as Outbound.

On configuring Appliance Outbound Spam, all the messages sent by the users are
scanned for spam and Email virus outbreak before being delivered to other users
on the internet.

Specified action will be taken if the Anti Spam module has identified the Outbound
Email to be one of the following:
• Spam
• Probable Spam
• Virus Outbreak
• Probable Virus Outbreak

Note

• Outbound Spam is a subscription module.
• You can set different actions only for SMTP.

This feature is not available in Cyberoam Models - CRi series, CRwi series, CR10iNG,
CR15i, CR15iNG, CR25i, CR25ia, CR35ia, CR50i, CR100i, CR250i, CR500i,
CR500i-8P, CR1000i and CR1500i.

From IP Address Belongs To Specified action will be taken if the mail sender IP Address
matches the specified IP Address.

You can set different actions for SMTP/S and POP mails.
Sender IP Address Blacklisted by RBL Specified action will be taken if the sender is
listed in the specified RBL Group.

You can set different actions for SMTP/S and POP mails.
Message Size Is Specified action will be taken if the mail size matches the
specified size.

You can set different actions for SMTP/S and POP mails.
Select Message Header Specified action will be taken if the message header
contains the specified text or is equal to the specified text.

You can set different actions for SMTP/S and POP mails.

You can scan message header for spam in:

Subject – Specified action will be taken when the matching text is found in the
headers configured as per the matching criteria.

From – Specified action will be taken when the matching address is found in the
headers configured as per the matching criteria.

To – Specified action will be taken when the matching address is found in the
headers configured as per the matching criteria.

Others – Specified action will be taken when the matching text is found in the
headers configured as per the matching criteria.

None Select ‘None’ when you want to create a rule between a specific sender and
recipient without any conditions. You can set actions for SMTP/S and POP3/IMAP
mails only on the basis of sender and recipient.
Then
SMTP/S Action Select the Action to be taken for SMTP/S traffic.

Available Options:
• Reject
• Drop
• Accept (only for Inbound Spam)
• Change Recipient
• Prefix Subject (only for Inbound Spam)

POP3/IMAP Action (Only for Inbound Spam) Select the Action to be taken for POP3 / IMAP
traffic.

Available Options:
• Accept
• Prefix Subject

Table – Add Spam Rule screen elements

Following actions can be taken on the mail identified as the SPAM, Probable SPAM, VIRUS
OUTBREAK or Probable VIRUS OUTBREAK.

Protocol Action Meaning

SMTP/S Reject Mail is rejected and rejection notification is sent to the mail sender.

SMTP/S Drop Mail is rejected but rejection notification is not sent to the mail sender.

SMTP/S, POP3 Accept Mail is accepted and delivered to the intended receiver.

SMTP/S Change Recipient Mail is accepted but is not delivered to the receiver for whom
the message was originally sent.

Mail is sent to the receiver specified in the spam policy.

SMTP/S, POP3 Prefix Subject Mail is accepted and delivered to the intended receiver but
after tagging the subject line.

Tagging content is specified in spam policy.

You can customize subject tagging in such a way that the receiver knows that the mail is
a spam mail.

For Example
Contents to be prefixed to the original subject:
‘Spam notification from Cyberoam – ‘
Original subject: ‘This is a test’

Receiver will receive mail with subject line as:
‘Spam notification from Cyberoam - This is a test’

SMTP/S Quarantine Mail is quarantined and can be viewed or downloaded from the
Quarantine Area.

Table – Manage Actions screen elements

Quarantine
Quarantine Digest is an Email that contains a list of quarantined messages filtered by Cyberoam
and held in the user Quarantine Area. If configured, Cyberoam mails the Quarantine Digest to the
user as per the configured frequency. The Digest provides a link to User My Account from where the
user can access his quarantined messages and take the required action.

• Quarantine Digest Settings
• Quarantine Area

Note

Entire Quarantine menu is not available for Cyberoam CR15i models.

Quarantine Digest Settings


Digest service can be configured globally for all the users or for individual users.
User receives Quarantine Digest as per the configured frequency.

The Quarantine Digest provides following information for each quarantined message:
• Date and time: Date and time when message was received
• Sender: Email Address of the sender
• Recipient: Email Address of the receiver
• Subject: Subject of the message

To manage Spam Digest, go to Anti Spam > Quarantine > Quarantine Digest
Settings. You can:
• Configure
• Change User’s Quarantine Digest Settings
• Manage User’s Quarantine Digest Settings

Configure Quarantine Digest

Screen – Spam Digest Settings

Screen Elements Description


Quarantine Digest Settings (Spam Digest Settings will be applicable only after you
subscribe for "Gateway Anti Spam" module.)

Enable Quarantine Digest Enable Quarantine Digest to configure digest service for all
the users.
Email Frequency Specify the Quarantine Digest mail frequency.

Digest can be mailed every hour, every day at configured time or every week on the
configured day and time.
From Email Address Specify Email Address from which the mail should be sent.
Digest mail will be sent from the configured mail address.
Display Name Specify mail sender name. Digest mail will be sent with the
configured name.
Send Test Email Click “Send Test Email” button and provide Email Address
to which the message is to be sent for Email Address
verification i.e. Email Address is valid or not.

Reference “My Account IP” Select Interface/Port IP from the ‘Reference “MyAccount” IP’
dropdown list.

User My Account link in Digest mail will point to this IP Address. User can click the
link to access his quarantined messages and take the required action. The users not
falling under the specified Interface will have to access the quarantined mail directly
from their MyAccount.
Allow Override Enable “Allow User To Override Digest Settings” if you want
each user to override the digest setting i.e. user can disable
the digest service so that they do not receive the Quarantine
Digest.
Change User’s Quarantine Digest Settings Click “Change User’s Quarantine Digest
Settings” button to change the digest setting of the individual users. It allows
selecting group and updating the Quarantine Digest Setting of group members.
Table – Quarantine Digest screen elements

Change User’s Quarantine Digest Settings


Click “Change User’s Quarantine Digest Settings” button to change the digest settings of the
individual users. It opens a new page which allows you to search groups and users for updating the
Quarantine Digest Settings of group members.

You can individually search for user and user groups.

Select the checkbox against the user to enable the Quarantine Digest. If enabled, configured
Quarantine Digest Settings are applicable for the user.

Screen – Change User’s Spam Digest Settings

Manage User’s Quarantine Digest Settings

Screen Elements Description


User Name Displays username.
Name Displays a name for the User.
Group Displays Group name.
Email Displays Email Address.
Edit Icon Edit Quarantine Digest.

To save the modifications done for Email Address, click Save icon and to cancel the
modifications done click Cancel icon.

Table – Manage Change User’s Spam Digest

Select the checkbox against the user to enable the Spam Digest. If enabled, configured Spam
Digest Settings are applicable for the user.

Quarantine Area
Under Quarantine Area, Quarantined Mails can be searched based on sender Email Address,
receiver Email Address, and subject.

Use “Filter” section to search for mails from the list of Quarantined Mails. To view and release the
Quarantined Mails, go to Anti Spam > Quarantine > Quarantine Area.

Cyberoam reserves 5GB for Quarantine Area. Once the quarantine repository is full, older Emails
are purged.

Screen – Manage Quarantine Mails

Screen Elements Description


Filter Result
Start Date Select the starting date from Calendar by clicking on
Calendar icon
End Date Select the ending date from Calendar by clicking on
Calendar icon
Sender Specify a name for the Sender.
Receiver Specify a name for the Receiver.
Filter Click “Filter” to search mails from the list of Quarantined
Mails.
Clear Click “Clear” to reset the details of Filter Result.
Subject Specify a Subject.
Sender Displays the Sender of the Mail.
Recipient Displays the Recipient of the Mail.
Subject Displays the Mail Subject.
Time Stamp Timestamp when the mail was received.
Rule Name Displays a Rule name based on which the Quarantine Mail
is considered as Spam.
Release Icon Click on the Release Icon to move the mails from
Quarantine Area to recipient’s inbox. Log color will change
when the selected mail is released to the recipient’s inbox.
Table – Manage Quarantine Mails screen elements


Release Quarantined Mails


Either Administrator or user himself can release the Quarantined Mails. Administrator can release
the Quarantined Spam Mails from Quarantine Area while user can release from his ‘My Account’.
Released Quarantined Mails are delivered to the intended recipient’s inbox.

Screen – Before Releasing Quarantine Mails

When the selected mail is released to the recipient’s inbox, the log color will change from Violet color
to black color as shown in the Screen below.

Screen – After Releasing Quarantine Mails

Administrator can access Quarantine Area from Anti Spam > Quarantine > Quarantine
Area, while user can logon to My Account and access Quarantine Area from Quarantine Mails
> Spam > Quarantine Emails.

If Quarantine Digest is configured, user will be mailed Digest every day which consists of all the
Quarantined Mails.

Trusted Domain
Cyberoam also allows bypassing RBL scanning of mails from certain domains. For this, you
have to define the domains as trusted domains. An FQDN can also be configured as a trusted domain.

To manage local domains, go to Anti Spam > Trusted Domain > Trusted Domain. You
can:
• Add – Specify the Domain name and click the Add Button. Mails from the specified domains will
not be scanned.

• Delete – Click the Delete icon in the Manage column against a Domain to be deleted. A
dialog box is displayed asking you to confirm the deletion. Click OK to delete the Domain. To
delete multiple domains, select them and click the Delete button.

Screen – Add/Remove Trusted Domain

View the list of Trusted Domains

Screen Element Description


Add Button Add a new Trusted Domain.
Domain Name Displays a name for the Trusted Domain.
Delete Button Delete the Trusted Domain.
