This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-06-01 10:41 AM
Jump to solution

SPAM attack containment

Hello, team.

Currently my client's network is under attack.
We have an On-Premise AntiSpam, which is simply not working well, and the client is receiving "infinity" of malicious SPAM mails.

As a contingency measure, we have already "detected" the countries of origin from where the attacks are coming from.

Is it advisable to work with Checkpoint's "Geo Policy" feature?

Or is it more advisable to "enable" the AntiSPAM blade and decide to work with Checkpoint as AntiSPAM, at least temporarily.
The CP AntiSPAM blade, how recommendable is it? Does this blade generate hardware resources consumption for you?

Greetings.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-06-01 11:35 AM
Jump to solution

Use Updatable Objects of the relevant Geographies in your Access Policy if that's the approach you want to take (versus legacy Geo Policy). 
Should you enable Anti Spam, you may need to enable MTA mode on the gateway unless your SMTP server doesn't require TLS.
Given the SK recommends using different gateways for Threat Prevention and Anti-Spam when using MTA, it's safe to say this will have a performance impact.

View solution in original post

11 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-06-01 10:43 AM
Jump to solution

Buddy, block those countries IMMEDIATELY using updatable objects. Just create a rule and add those countries as source, dst as any and action block, any service.

Andy

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-01 11:20 AM
In response to the_rock
Jump to solution

I applied it.

Now I am in the phase of monitoring, if indeed, it starts to block it. 😄

The Geo Policy, is another option I could work with, right?

I guess it is the "criteria" of each administrator to know which one to use for these scenarios.

Cheers. 🙂

the_rock
MVP Platinum
MVP Platinum
‎2023-06-01 11:51 AM
In response to Matlu
Jump to solution

Hey bro, as @PhoneBoy said, use updatable objects, as per CP documentation, it should be used for any version above R80.20

Cheers,

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-01 11:35 AM
Jump to solution

Use Updatable Objects of the relevant Geographies in your Access Policy if that's the approach you want to take (versus legacy Geo Policy). 
Should you enable Anti Spam, you may need to enable MTA mode on the gateway unless your SMTP server doesn't require TLS.
Given the SK recommends using different gateways for Threat Prevention and Anti-Spam when using MTA, it's safe to say this will have a performance impact.

Matlu
MVP Silver
MVP Silver
‎2023-06-01 12:28 PM
In response to PhoneBoy
Jump to solution

What I understand from the comment, is that, to use the Checkpoint AntiSPAM blade, it is recommended to use it in a Firewall that is only dedicated to "work" as if it were an On-Premise AntiSPAM, right?

For the reasons that you have already exposed previously.

Greetings.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-01 12:34 PM
In response to Matlu
Jump to solution

That's the way I read that SK.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-06-01 12:57 PM
In response to Matlu
Jump to solution

That sounds logical.

Andy

Best,
Andy
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2023-06-01 01:07 PM
In response to Matlu
Jump to solution

@Matlu you can use the AntiSpam blade with only IP reputation feature enabled, this blocks all known malicious IP addresses sending mails. This is like using known Blacklists to block known bad SMTP servers. No TLS decryption needed for this and this has only minimal performance impacts. You can use all other features of AntiSpam blade without significant performance impact. Only  if you use ThreatPrevention and the MTA this will have an performance impact but it depends on your mail traffic.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-01 01:33 PM
In response to Wolfgang
Jump to solution

Hello,

Thank you for your reply.
A curiosity for ignorance, the MTA is some "option" that must be enabled, as the "AntiSPAM" blade is enabled?

I'm looking for it in my console, and I can't find it.

I think that applying your recommendation, for now is the most viable, always avoiding that the performance of the boxes may be affected.

Regards.

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2023-06-01 01:40 PM
In response to Matlu
Jump to solution

No, there is no need to enable MTA, except you want to decrypt SMTP TLS or using ThreatExtraction/Emulation. AntiSpam is configured via old SmartDashboard see Using Anti-Spam and Mail „Configuring an IP Reputation Policy“

In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

SmartDashboard opens and shows the Anti-Spam & Mail tab.
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-06-01 01:47 PM
In response to Matlu
Jump to solution

Just do what @Wolfgang said

Andy

 

 

 

Screenshot_1.png

 

 

Screenshot_2.png

 

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events