topic Re: Checkpoint Anti Spam engine customization in Firewall and Security Management

Checkpoint Anti Spam engine customization

Rui_Meleiro — Mon, 19 Mar 2018 13:13:26 GMT

I'm placing this question here as the documentation is elusive on this and eventually someone might have encountered this questions and eventually found answers to them. These are all related to the Checkpoint Gateway Postfix MTA.

1. What RBLs - if any - are used on the engine?

2. Postfix normally is installed with SpamAssassin and ClamAV. Is this the case on the embedded Postfix MTA?

3. Is it possible to deploy the policyd-weight daemon on this Postfix build?

Thanks in advance

Re: Checkpoint Anti Spam engine customization

G_W_Albrecht — Mon, 19 Mar 2018 13:27:42 GMT

1. With RBL you mean Real-time Blackhole Lists ? The CP MTA is only the GW agent that completes and closes the connection with the source e-mail server and then sends the file for emulation. After the emulation is complete, the MTA sends the e-mail to the mail server on the internal network. If the Anti-SPAM Blade is enabled, this should be much better than RBLs.

2. and 3. have to be answered with "not that i would know", but you can find in-depth details for CP MTA in sk109699 Mail Transfer Agent (MTA).

Re: Checkpoint Anti Spam engine customization

Rui_Meleiro — Mon, 19 Mar 2018 15:22:52 GMT

Thank your for your feedback. Nevertheless, what I can see at sk109699 is that "MTA can function as an Anti-Spam starting in R77.10 " so my guess is that it has some of those features included also. The false positives we are experiencing are mainly from gmail and outlook.com servers which are being massively listed at CASA CBL and SORBS. I might be wrong, but that leads me to consider the option that RBL checking is in place.

Hence the question, as the messages themselves are clean and free of malware and/or spam. The anti spam engine logs only show a cath all "Spam Rejected" message and we have no way to find out exactly why - no details on the reason why they are tagged are presented.

Re: Checkpoint Anti Spam engine customization

G_W_Albrecht — Mon, 19 Mar 2018 15:40:06 GMT

sk108553 Mail Transfer Agent (MTA) - FAQ lists that there are 2 ways to scan SMTP traffic:

Streaming (through the FireWall kernel) - works for all blades
MTA (through user space and using postfix) - works for Threat Emulation, Threat Extraction, Anti-Spam & E-mail Security

So all depends on which blades are licensed and enabled. If AntiSPAM is not enabled, you should not experience any false positives.

Re: Checkpoint Anti Spam engine customization

G_W_Albrecht — Mon, 19 Mar 2018 15:50:18 GMT

Another ressource for MTA issues is sk120260 MTA Debugging and Performance Troubleshooting Toolkit.

Re: Checkpoint Anti Spam engine customization

Rui_Meleiro — Mon, 19 Mar 2018 15:51:54 GMT

All three blades (Threat Emulation, Threat Extraction and Anti-Spam ) are enabled, along with a few others. I've activated MTA as there was the possibility of timeouts on the mail servers without it as the Threat Extraction and Threat Emulation blades would eventually cause that,

Allow me to dive in a little bit on your sentence regarding Anti Spam, as I would like to understand it.

Disabling Anti Spam would certainly eliminate false positives, along with false negatives.

Or, are you saying that with the other blades enabled, the Anti Spam engine would not be required at all?

Re: Checkpoint Anti Spam engine customization

G_W_Albrecht — Tue, 20 Mar 2018 15:57:55 GMT

What i really wanted to say is that CP Anti-SPAM uses the CP Cloud for IP lookup and a message content verdict - no use of standard RBLs is known here...

Re: Checkpoint Anti Spam engine customization

Rui_Meleiro — Tue, 20 Mar 2018 17:49:54 GMT

Yes, my thoughts exactly. Cloud IP lookup or similar looks the same as Realtime Black List check, verify-this-ip or other variations on the same concept. My problem is that I'm fighting a whole lot of false positives on Checkpoint. These false positives cause havoc in our business relationships with our partners. And I'm given no cue on the why that's happening.Short of disabling the security features that made me choose Checkpoint in the first place, I have to search high and low for reasons and explanations. And I'm not getting them anywhere.

Re: Checkpoint Anti Spam engine customization

G_W_Albrecht — Wed, 21 Mar 2018 08:00:57 GMT

I would suggest to do instead what i do at home - use Thunderbirds Bayes-Filter for Junk processing 😉

Re: Checkpoint Anti Spam engine customization

Rui_Meleiro — Wed, 21 Mar 2018 10:04:04 GMT

I'm not sure we're on the same page anymore. I'm not looking for alternatives to Checkpoint. We made a huge investment on Checkpoint gateways months ago and require them to work as advertised. I'm well aware of my options and the market alternatives out there. I just don't want to throw money away.

Re: Checkpoint Anti Spam engine customization

Rui_Meleiro — Fri, 23 Mar 2018 10:31:24 GMT

In short, no. Apparently Checkpoint uses their own spam fu to identify spam messages using what they call spam patterns. No disclosure on what they are, the methods involved and therefore no hint on how to prevent those. This costed us 12 days of communications havoc with some of our business partners who had their messages tagged as spam due to...something. Truth be told, false positives are scarce with Checkpoint gateways. In this case, the spam pattern was in our own mail corporate signatures. We are not detecting spam outbound and when the messages began being replied, well...you get the idea.

Re: Checkpoint Anti Spam engine customization

G_W_Albrecht — Fri, 23 Mar 2018 10:44:54 GMT

Quite nice to mark ones own dissatisfied rant as the correct answer - but question is: The correct answer to which question 😞

Re: Checkpoint Anti Spam engine customization

Rui_Meleiro — Fri, 23 Mar 2018 10:55:10 GMT

I'm not sure why you think any of my messages is a rant. And please excuse me if I'm breaking any unwritten netiquette.

I placed three questions four days ago. The answer for all those three questions is no (explanation follows).

Re: Checkpoint Anti Spam engine customization

G_W_Albrecht — Fri, 23 Mar 2018 11:22:52 GMT

Because you are just complaining - things (also sh..) happen, and with very complicated soft- and hardware, possible bugs or missconfiguration may even kill a company ! But that is something we all should know. Your questions had CP internals as a target, and the chance for answers seems zero to me - as this is a public site, and every competitor could read it.

So, any complaining about a product that for you did not bring enough value for the money spent or even did not work as expected at all is quite understandable - but surely not a correct answer to your questions, as they would not be real questions if you know the answers, but only traps...

Re: Checkpoint Anti Spam engine customization

Rui_Meleiro — Fri, 23 Mar 2018 12:10:55 GMT

These are not complaints at all. I have a responsibility to my company and to all its stakeholders. This post was part of a search for a solution to a problem that was hurting my company. It was related to a trial-and-error process as no documentation existed on the issue at hand...

But this is getting completely off-topic. Thank you for your insights.

Re: Checkpoint Anti Spam engine customization

Tim_Cole — Thu, 10 Jan 2019 17:49:57 GMT

You are right to complain, as I feel like we were sold damaged goods! We are getting more spam then ever. Had tickets open with CP for a few weeks now. Wow, Cisco ESA that was 12 years old did a much better job! Terrible design. Geo policy doesn't even work on MTA. (3200 series)