Forum Discussion
F5 and anti-spam
I don't think so. The only feature that can help a little is the ip intelligence as it will block bad source ip addresses from bad domains.
https://clouddocs.f5.com/api/irules/IP-reputation.html
F5 had an MSM module but that was a long time ago:
https://www.f5.com/content/dam/f5/corp/global/pdf/white-papers/msm-wp.pdf
Dear Nikoolayy1,
The IP intelligence is already activated and I'm looking for an extra layer. Thanks a lot.
- THE_BLUE, Jun 29, 2021, Cirrostratus
Many thanks, I will check that.
- Nikoolayy1, Jun 28, 2021, MVP
If you don't want to buy another device, you may consider SMTP relay services like SendGrid etc. that are cloud-based offerings. Symantec even has Email Security.cloud, but from F5's point of view I think that they have given up on this market:
- Nikoolayy1, Jun 28, 2021, MVP
Also, I just remembered that you can use the URLDB for the SWG module to filter based on FQDN/domain names:
https://devcentral.f5.com/s/question/0D51T00008GXZw0/is-there-f5-ip-intelligence-based-on-domainfqdn-domain-intelligence
Still, you will need to see if you can do this for the SMTP traffic, and it will be hard work and maybe not worth the effort:
https://devcentral.f5.com/s/articles/smtp-filter-and-forward-proxy
- THE_BLUE, Jun 29, 2021, Cirrostratus
So does that mean I can create a data group containing all blacklisted domains, then create an iRule to check the blacklisted domains, and it will be assigned to the email VS?!
How do I write the iRule?
- THE_BLUE, Jun 29, 2021, Cirrostratus
And is it possible to check PTR using an iRule?
- Nikoolayy1, Jun 29, 2021, MVP
About the iRule, I don't think there is exactly what you are looking for, but it could probably be written. It will take a lot of time to capture the traffic with TCP::collect and to match on the "From: user@domain.com" value in the emails, but I admit I don't have a use case to try to do it. This is why I gave you the example with the iRule with smtp-filter-and-proxy.
For PTR, if your device is not the DNS/GTM, you may extract the needed value from the email payload and check it with "RESOLV::lookup", as I don't know if "NAME::lookup" supports PTR resolution:
https://clouddocs.f5.com/api/irules/resolv__lookup.html
https://clouddocs.f5.com/api/irules/NAME__lookup.html
A good note is that you can use free feed lists, like MineMeld, as an alternative to the F5 URLDB service for the SWG module. If you have AFM you can add custom feed lists, and if not you may check the tabular CSV importer iRule that I also use for some things.
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
https://devcentral.f5.com/s/articles/csv-tabular-data-sideband-importer
https://devcentral.f5.com/s/articles/populating-tables-with-csv-data-via-sideband-connections
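
As an added example (not part of the original post, and neither F5 nor iRule code), this Python models the two checks discussed in the reply above, outside the BIG-IP: pulling the sender domain out of SMTP client bytes that arrive in arbitrary chunks, matching it against a domain blocklist, and confirming the client's PTR record. It assumes the envelope `MAIL FROM` address is the value matched; the blocklist, function names and injected lookup callables are hypothetical.

```python
import re

# Constructed sample blocklist, standing in for a hypothetical data group of domains.
BLOCKED_DOMAINS = {"spam.example", "bulk-mailer.test"}
MAIL_FROM = re.compile(rb"^MAIL FROM:\s*<[^<>@\s]*@([^<>\s]+)>", re.IGNORECASE)


def sender_domains(chunks):
    """Yield envelope sender domains from SMTP client bytes split across TCP chunks."""
    buf, in_data = b"", False
    for chunk in chunks:
        buf += chunk
        while b"\r\n" in buf:  # only act on complete lines, keep the remainder buffered
            line, buf = buf.split(b"\r\n", 1)
            if in_data:
                in_data = line != b"."  # message body ends at a lone dot
                continue  # never parse body text as SMTP commands
            if line.strip().upper() == b"DATA":
                in_data = True
                continue
            m = MAIL_FROM.match(line)
            if m:
                yield m.group(1).decode("ascii", "replace").lower().rstrip(".")


def is_blocked(domain, blocked=BLOCKED_DOMAINS):
    """Match the domain or any parent domain label by label, not by raw string suffix."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def ptr_confirmed(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: some PTR name must resolve back to the client IP."""
    return any(ip in a_lookup(name) for name in ptr_lookup(ip))


def check_session(chunks, client_ip, ptr_lookup, a_lookup):
    """Return (verdict, reason) for one SMTP session."""
    if not ptr_confirmed(client_ip, ptr_lookup, a_lookup):
        return ("reject", "no forward-confirmed PTR for " + client_ip)
    for domain in sender_domains(chunks):
        if is_blocked(domain):
            return ("reject", "blocked sender domain " + domain)
    return ("accept", "")
```

The lookup callables are injected so the logic can be exercised offline; a session negotiated with STARTTLS would have to be decrypted before this parsing applies.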
- Nikoolayy1, Jun 29, 2021, MVP
Another helpful article like the one for the SMTP proxy:
https://devcentral.f5.com/s/question/0D51T00006j2p4a/logging-smtp-traffic-info-via-hsl-to-remote-log-server
Also, you may try using a Stream profile rather than TCP::collect or SSL::collect for encrypted SMTP traffic, as mentioned in:
- THE_BLUE, Jun 30, 2021, Cirrostratus
Many thanks, your support is highly appreciated.
- Nikoolayy1, Jul 01, 2021, MVP
Provided what you are looking for under: