Email Security 9.0 Admin Guide


Email Security uses multiple methods of detecting spam and other unwanted email. These include using specific Allowed and Blocked lists of people, domains, and mailing lists; patterns created by studying what other users mark as junk mail; and the ability to enable third-party blocked lists. This chapter reviews the configuration information for Anti-Spam:

Administrators can define multiple methods of identifying spam for your organization; users can specify their individual preferences to a lesser extent. In addition, SonicWall Email Security provides updated lists and collaborative thumbprints to aid in identifying spam and junk messages.

Spam Management

When an email comes in, the sender of the email is checked against the various allowed and blocked lists first, starting with the corporate list, then the recipient’s list, and finally the Email Security-provided lists. If a specific sender is on the corporate blocked list but that same sender is on a user’s allowed list, the message is blocked, as the corporate settings have a higher priority than a user’s.

More detailed lists take precedence over the more general lists. For example, if a message is received from aname@domain.com and your organization’s Blocked list includes domain.com but a user’s Allowed list contains the specific email address aname@domain.com, the message is not blocked because the sender’s full address is in an Allowed list.

After all the lists are checked, if the message has not been identified as junk based on the Allowed and Blocked lists, Email Security analyzes the messages’ headers and contents and uses collaborative thumb-printing to block email that contains junk.

Use the Anti-Spam > Spam Management window to select options for dealing with Definite Spam and Likely Spam. The default setting for Definite Spam and Likely Spam is to quarantine the message in the user’s Junk Box.

To manage messages marked as definite spam or likely spam:
Choose one of the following responses for messages marked as Definite Spam and Likely Spam:



No Action

No action is taken for messages.

Permanently Delete

The email message is permanently deleted.

CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.

Reject with SMTP error code 550

The message is rejected and responds with a 550 error code, which indicates the user’s mailbox was unavailable (for example, not found or rejected for policy reasons).

Store in Junk Box (recommended for most configurations)

The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.

Send To

Forward the email message for review to the specified email address. For example, you could Send to postmaster.”

Tag With

The email is tagged with a term in the subject line, for example [SPAM]. Selecting this option allows the user to have control of the email and can junk it if it is unwanted.

Add X-Header

This option adds an X-Header to the email with the key and value specified to the email message. The first text field defines the X-Header. The second text field is the value of the X-Header.

For example, a header of type X-EMSJudgedThisEmail with value DefiniteSpam results in the email header as:


Select the Accept Automated Allowed List check box to allow automated lists that are created by User Profiles to prevent spam.

With this feature enabled, User Profiles analyze the recipients of emails from members of your organization and automatically added them to Allowed Lists. This helps reduce the false positives, which are good email messages judged as junk. This feature can be configured globally, for particular groups, or for specific users. SonicWall recommends enabling this feature.

NOTE: If this check box is unchecked in the Corporate, Group, or User windows, User Profiles have no effect.
Select the Skip spam analysis for internal email check box to exclude internal emails from spam analysis, resulting in a reduced amount of false positives. If you are routing internal mail through the Email Security product, SonicWall recommends that you enable this feature.
Select the Allow users to delete junk email check box to allow users to control the delete button on individual junk boxes.
NOTE: Leave this check box not selected if you have an extended away / out of the office message turned on so that your auto-reply does not automatically place all recipients on your Allowed list.
Click Apply Changes to save; selecting Revert allows you to fall back to the prior settings.

Address Books

From the Anti-Spam > Address Books page allows you to create an address book of people, companies, mailing list or IP addresses who are allowed to or are blocked from sending email to you. Select the Allowed or Blocked button to view the respective address.

If you attempt to add your own email address or your organization’s domain, SonicWall Email Security displays a warning. A user’s email address is not automatically added to the allowed list because spammers sometimes use a recipient’s own email address. Leaving the address off the allowed list does not prevent users from emailing themselves, but their emails are evaluated to determine if they are junk.

Using the Search Field

To search for an address:
Enter all or part of the email address in the Search field. For example, entering sale displays sales@domain.com as well as forsale@domain.com.
Narrow your search by selecting the People, Companies, Lists, or IPs check box(es) below the Search field.
Click Go to perform the search.

Adding People, Companies, Lists, or IPs

To add People, Companies, Lists, or IPs to the Allowed or Blocked lists:
From the Anti-Spam > Address Books page, click the Allowed or Blocked tab.
Click the Add button.

Select the list type (People, Companies, Lists, IPs) from the drop down menu.
Enter one or more address, separated by carriage returns, to add to the chosen list.
Select Add to complete.

When adding addresses, consider the following:

You cannot put an address in both the Allowed and Blocked list simultaneously. If you add an address in one list that already exists on the other, it is removed from the first one.
Email Security warns you if you attempt to add your own email address or your own organization.
Email addresses are not case-sensitive; Email Security converts the address to lowercase.
You can allow and block email messages from entire domains. If you do business with certain domains regularly, you can add the domain to the Allowed list; Email Security allows all users from that domain to send email. Similarly, if you have a domain you want to block, enter it here and all users from that domain are blocked.
Email Security does not support adding top-level domain names such as .gov or .abc to the Allowed and Blocked lists.
Mailing list email messages are handled differently than individuals and domains because Email Security looks at the recipient’s address rather than the sender’s. Because many mailing list messages appear spam-like, entering mailing list addresses prevents mis-classified messages.

Deleting People, Companies, Lists, or IPs

To delete people, companies, lists, or IPs from your Address Books:
From the Anti-Spam > Address Books page, click the Allowed or Blocked tab.
Select the check box next to the address(es) you want to delete.
Click the Delete button.

Importing and Exporting the Address Book

You can import an address book of multiple addresses to create our Allowed or Blocked lists. Note that users and secondary domains should be added prior to importing their respective address books.

The Address Book file for import must follow specific formatting to ensure successful importing:

<TAB> delimiter between data
<CR> to separate entries

Each address book entry must include each of the following:

Identifier—Specified as <email address / primary domain>
Domain / List / Email—Specified as D / L / E
Allowed / Blocked—Specified as A / B
Address List—Specified as abc@domain.com, example.com

For example:




To import an Address Book:
From the Anti-Spam > Address Books page, click the Import button on either the Allowed or Blocked tabs.
Click the Browse... button.
Select the correct file from your system.
Click the Import button.
To export the Address Book:
Select the Export button.
Save the file to your local system.

Anti-Spam Aggressiveness

The Anti-Spam > Anti-Spam Aggressiveness page allows you to tailor the SonicWall Email Security product to your organization’s preferences. Configuring this window is optional.

SonicWall Email Security recommends using the default setting of Medium unless you require different settings for specific types of spam blocking. This section includes the following subsections:

Configuring GRID Network Aggressiveness

The GRID Network Aggressiveness technique determines the degree to which you want to use the collaborative database. Email Security maintains a database of junk mail identified by the entire user community. You can customize the level of community input on your corporate spam blocking. Selecting a stronger setting makes Email Security more likely more responsive to other users who mark a message as spam.

Use the following settings to specify how stringently Email Security evaluates messages:

If you choose Mildest, you will receive a large amount of questionable email in your mailbox. This is the lightest level of Anti-Spam Aggressiveness.
If you choose Mild, you are likely to receive more questionable email in your mailbox and receive less email in the Junk Box. This can cause you to spend more time weeding through unwanted email from your personal mailbox.
If you choose Medium, you accept Email Security’s spam-blocking evaluation.
If you choose Strong, Email Security rules out greater amounts of spam for you. This can create a slightly higher probability of good email messages in your Junk Box.
If you choose Strongest, Email Security heavily filters out spam. This creates an even higher probability of good email messages in your Junk Box.

Configuring Adversarial Bayesian Aggressiveness

The Adversarial Bayesian technique refers to SonicWall Email Security’s statistical engine that analyzes messages for many of the spam characteristics. This is the high-level setting for the Rules portion of spam blocking and lets you choose where you want to be in the continuum of choice and volume of email. This setting determines the threshold for how likely an email message is to be identified as junk email.

Use the following settings to specify how stringently SonicWall Email Security evaluates messages:

If you choose Mildest, you will receive a large amount of questionable email in your mailbox. This is the lightest level of Anti-Spam Aggressiveness.
If you choose Mild, you are likely to receive more questionable email in your mailbox and receive less email in the Junk Box. This can cause you to spend more time weeding through unwanted email from your personal mailbox.
If you choose Medium, you accept Email Security’s spam-blocking evaluation.
If you choose Strong, Email Security rules out greater amounts of spam for you. This can create a slightly higher probability of good email messages in your Junk Box.
If you choose Strongest, Email Security heavily filters out spam. This creates an even higher probability of good email messages in your Junk Box.

Unjunking spam

Select the Allow users to unjunk spam check box if you want to enable users to unjunk spam messages. If left unchecked, users cannot unjunk spam messages.

Category settings

You can determine how aggressively to block particular types of spam, including sexual content, offensive language, get rich quick, gambling, advertisements, and images.

For each type of spam:

Choose Mildest to be able to view most of the emails that contain terms that relate to these topics.
Choose Mild to be able to view email that contains terms that relate to these topics.
Choose Medium to cause Email Security to tag this email as likely junk.
Choose Strong to make it more likely that email with this content is junked.
Choose Strongest to make it certain that email with this content is junked.

For example, if you don’t want to receive any email with sexual content, select Strong. If you are less concerned about receiving other categories, select Mild.

You can also select the Allow Unjunk check box to allow users to unjunk specific types of spam.

Be sure to select Apply Changes to save the settings or select Reset to Defaults to go back to the prior settings.


From the Anti-Spam > Languages page, you can allow, block, or enter no opinion on email messages in various languages. If you select No opinion, Email Security judges the content of the email message based on the modules that are installed. After configuring Language settings, click the Apply Changes button.

NOTE: Some spam email messages are seen in English with a background encoded in different character sets such as Cyrillic, Baltic, or Turkish. This is done by spammers to bypass the anti-spam mechanism that only scans for words in English. In general, unless used, it is recommended to exclude these character sets. Common languages such as Spanish and German are normally not blocked.

Black List Services

Public and subscription-based black list services, such as the Mail Abuse Prevention System (MAPS), Real-time Blackhole List (RBL), Relay Spam Stopper (RSS), Open Relay Behavior-modification Systems (ORBS) and others, are regularly updated with domain names and IP addresses of known spammers. Email Security can be configured from the Anti-Spam > Black List Services page to query these lists and identify spam originating from any of their known spam addresses.

NOTE: SonicWall Email Security performance may vary if you add Black List Services because each email is placed on hold while the BLS service is queried.

Adding to the Black List

Click Add and enter the server name of the black list service, for example list.dsbl.org. Each black list service is automatically enabled when added.

Email from Sources on the Black Lists Services

Select the Treat all email that arrives from sources on Black List Services as Likely Spam check box to prevent users from receiving messages from known spammers. If you select this check box, you are warned that enabling this feature can increase the risk of false positives, and you may not receive some legitimate email.

Spam Submissions

The Anti-Spam > Spam Submissions page allows you to manage email that is miscategorized and to create probe accounts to collect spam and catch malicious hackers. Managing miscategorized email and creating probe accounts increases the efficiency of Email Security’s spam management. This page enables administrators and users to forward the following miscategorized email messages to their IT groups, create probe accounts, and accept automated allowed lists to prevent spam.


Managing Spam Submissions

To manage spam submissions:
Navigate to the Anti-Spam > Spam Submissions page.
Enter an Email address for Submitting Missed Spam in the text field. For example, you might address all missed spam email to
Enter an email address in Submitting Junked Good Mail in the text field. For example, you might address all misplaced good email to
Establish one or more Probe Email Accounts.
Enter the email address of an account you want to use to collect junk email. The email address does not have to be in LDAP, but it does have to be an email address that is routed to your organization and passes through Email Security. For example, you might create a probe email account with the address
IMPORTANT: A probe account should NOT contain an email address that is used for any purpose other than collecting junk email. If you enter an email address that is in use, the owner of that email address will never receive another email - good or junk - again, because all email sent to that address will be redirected to the SonicWall corporation’s data center.
Click the Apply Changes button.

Probe Accounts

Probe accounts are accounts that are established on the Internet for the sole purpose of collecting spam and tracking hackers. Email Security suggests that you use the name of a past employee as the name in a probe account, for example, fredjones@example.com.

Configure the Probe Email Account fields to allow any email sent to your organization to create fictitious email accounts from which mail is sent directly to SonicWall for analysis. Adding this junk email to the set of junk email messages that Email Security blocks enhances spam protection for your organization and other users. If you configure probe accounts, the contents of the email will be sent to SonicWall for analysis.

Managing Mis-Categorized Messages

When an email message is mis-categorized, the following actions are taken:

For false negatives, Email Security adds the sender address of the junked email to the user’s Blocked List so that future email messages from this sender are blocked. (The original sender is blacklisted for the original recipient.)
For false positives, Email Security adds the addresses of good email senders that were unjunked to the user’s Allowed List. (The original sender is whitelisted for the original recipient.) If the sender email is the user’s own email address, the address is not added to the allowed list, because spammers send email pretending to be from the user. Email sent to and from the same address will always be evaluated to determine if it is junk.

These messages are sent to the global collaborative database. Good mail that was unjunked is analyzed to determine why it was categorized as junk.

Forwarding Mis-Categorized Email

You must set up your email system so that email messages sent to the this_is_spam@es.your_domain.com and not_spam@es.your_domain.com pass through Email Security.

The email addressed to not_spam@es.your_domain.com and this_is_spam@es.your_domain.com must pass through the Email Security system so that it can be analyzed. Using a domain that does not route, such as “fixit.please.com”, is recommended.

A problem can arise if the user sends an email to this_is_spam@es.your_domain.com, and the local mail server (Exchange, Notes, or other mail server) is authoritative for this email domain, and does not forward it to the Email Security system. The most common solution is included below as an example.

To forward the missed email to Email Security for analysis:
Add the this_is_spam and not_spam email addresses as this_is_spam@es.your_domain.com and not_spam@es.your_domain.com into the Email Security Junk Submission text field.
Create an A and an MX record in your internal DNS that resolves es.your_domain.com to your Email Security server's IP address.
Tell users to forward mail to this_is_spam@ES.your_domain.com or not_spam@ES.your_domain.com.The mail goes directly to the Email Security servers.

Configuring Submit-Junk and Submit-Good email accounts

Mail is considered mis-categorized if Email Security puts wanted (good) email in the Junk Box or if Email Security delivers unwanted email in the user’s inbox. If a user receives a mis-categorized email, they can update their personal Allowed list and Blocked list to customize their email filtering effectiveness. This system is similar to the benefits of running MailFrontier Desktop in conjunction with Email Security, and clicking Junk or Unjunk messages, but does not require Email Security Desktop to be installed.

The email administrator can define two email addresses within the appropriate configuration page in Email Security, such as this_is_spam@es.your_domain.comand not_spam@es.your_domain.com. As Email Security receives email sent to these addresses, it finds the original email, and appropriately updates the user’s personal Allowed and Blocked list.

Users must forward their mis-categorized email directly to these addresses after you define them so that the Email Security system can learn about mis-categorized messages.