Checkpoint Anti Spam engine customization
I'm placing this question here as the documentation is elusive on this and eventually someone might have encountered these questions and eventually found answers to them. These are all related to the Checkpoint Gateway Postfix MTA.
1. What RBLs - if any - are used on the engine?
2. Postfix normally is installed with SpamAssassin and ClamAV. Is this the case on the embedded Postfix MTA?
3. Is it possible to deploy the policyd-weight daemon on this Postfix build?
Thanks in advance
Accepted Solutions
In short, no. Apparently Checkpoint uses their own spam fu to identify spam messages using what they call spam patterns. No disclosure on what they are, the methods involved and therefore no hint on how to prevent those. This cost us 12 days of communications havoc with some of our business partners who had their messages tagged as spam due to...something. Truth be told, false positives are scarce with Checkpoint gateways. In this case, the spam pattern was in our own corporate mail signatures. We are not detecting spam outbound and when the messages began being replied to, well...you get the idea.
1. With RBL you mean Real-time Blackhole Lists? The CP MTA is only the GW agent that completes and closes the connection with the source e-mail server and then sends the file for emulation. After the emulation is complete, the MTA sends the e-mail to the mail server on the internal network. If the Anti-SPAM Blade is enabled, this should be much better than RBLs.
2. and 3. have to be answered with "not that I would know", but you can find in-depth details for CP MTA in sk109699 Mail Transfer Agent (MTA).
Thank you for your feedback. Nevertheless, what I can see at sk109699 is that "MTA can function as an Anti-Spam starting in R77.10", so my guess is that it has some of those features included also. The false positives we are experiencing are mainly from gmail and outlook.com servers which are being massively listed at CASA CBL and SORBS. I might be wrong, but that leads me to consider the option that RBL checking is in place.
Hence the question, as the messages themselves are clean and free of malware and/or spam. The anti spam engine logs only show a catch-all "Spam Rejected" message and we have no way to find out exactly why - no details on the reason why they are tagged are presented.
sk108553 Mail Transfer Agent (MTA) - FAQ lists that there are 2 ways to scan SMTP traffic:
- Streaming (through the FireWall kernel) - works for all blades
- MTA (through user space and using postfix) - works for Threat Emulation, Threat Extraction, Anti-Spam & E-mail Security
So all depends on which blades are licensed and enabled. If AntiSPAM is not enabled, you should not experience any false positives.
Another resource for MTA issues is sk120260 MTA Debugging and Performance Troubleshooting Toolkit.
All three blades (Threat Emulation, Threat Extraction and Anti-Spam) are enabled, along with a few others. I've activated MTA as there was the possibility of timeouts on the mail servers without it, as the Threat Extraction and Threat Emulation blades would eventually cause that.
Allow me to dive in a little bit on your sentence regarding Anti Spam, as I would like to understand it.
Disabling Anti Spam would certainly eliminate false positives, along with false negatives.
Or, are you saying that with the other blades enabled, the Anti Spam engine would not be required at all?
What I really wanted to say is that CP Anti-SPAM uses the CP Cloud for IP lookup and a message content verdict - no use of standard RBLs is known here...
Yes, my thoughts exactly. Cloud IP lookup or similar looks the same as a Realtime Black List check, verify-this-ip or other variations on the same concept. My problem is that I'm fighting a whole lot of false positives on Checkpoint. These false positives cause havoc in our business relationships with our partners. And I'm given no cue on why that's happening. Short of disabling the security features that made me choose Checkpoint in the first place, I have to search high and low for reasons and explanations. And I'm not getting them anywhere.
I would suggest doing instead what I do at home - use Thunderbird's Bayes filter for junk processing 😉
I'm not sure we're on the same page anymore. I'm not looking for alternatives to Checkpoint. We made a huge investment on Checkpoint gateways months ago and require them to work as advertised. I'm well aware of my options and the market alternatives out there. I just don't want to throw money away.
Quite nice to mark one's own dissatisfied rant as the correct answer - but the question is: the correct answer to which question? 😞
I'm not sure why you think any of my messages is a rant. And please excuse me if I'm breaking any unwritten netiquette.
I placed three questions four days ago. The answer for all those three questions is no (explanation follows).
Because you are just complaining - things (also sh..) happen, and with very complicated soft- and hardware, possible bugs or misconfiguration may even kill a company! But that is something we all should know. Your questions had CP internals as a target, and the chance for answers seems zero to me - as this is a public site, and every competitor could read it.
So, any complaining about a product that for you did not bring enough value for the money spent or even did not work as expected at all is quite understandable - but surely not a correct answer to your questions, as they would not be real questions if you know the answers, but only traps...
These are not complaints at all. I have a responsibility to my company and to all its stakeholders. This post was part of a search for a solution to a problem that was hurting my company. It was related to a trial-and-error process as no documentation existed on the issue at hand...
But this is getting completely off-topic. Thank you for your insights.
You are right to complain, as I feel like we were sold damaged goods! We are getting more spam than ever. Had tickets open with CP for a few weeks now. Wow, a Cisco ESA that was 12 years old did a much better job! Terrible design. Geo policy doesn't even work on MTA. (3200 series)
