How do I set up a Challenge-Response Spam filter?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I set up a Challenge-Response Spam filter?

Procedure:

A Challenge-Response Spam filter will only let email through from known 'good senders'. For unknown users, it will quarantine their email and then challenge them to authorize themselves somehow - typically by answering a simple question in a challenge email sent from MailMarshal to the unknown user. Once the external user has been authorized, MailMarshal can automatically release the originally quarantined email and the same user should not be challenged for authentication again.   

Current releases of Trustwave SEG include default rules to achieve this purpose. These rules make use of the Message Release function.

  1. Customize and enable the rule Challenge-Response by Group or Challenge-Response Block Unknown. These rules hold mail from unknown senders and request a confirmation from the sender.
  2. Enable the Challenge-Response Successful rule. This rule monitors for a confirmation message and releases the original message when the confirmation arrives. It also adds the sender to a list of accepted senders.

For details, see the Default Rules documents for current product versions.

Notes:

There are some pitfalls associated with the Challenge/Response system.

  • It may block legitimate newsletters or other messages where the sender address is unattended. For this reason it might be a good idea to couple this rule with an end-user Safe Sender list managed via the Web-based Spam console, as well as initial entries in the global accepted list.
  • Remember that a challenge issued in English will be understood only by users able to read the language. Keep this in mind if you think there is a chance you will have non-English speaking people legitimately sending mail to your organization.
  • It is a good idea to send as few notifications as possible in response to Spam messages. Frequently the return address is spoofed - it may be an invalid address, or an innocent third party's address. For that reason the default rules are found after all filtering of suspect messages.

This article was previously published as:
NETIQKB45330

Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10462.aspx