F5 and anti-spam

THE_BLUE
Cirrus

Is there any policy in F5 that helps me filter mails and works as anti-spam? If yes, how can I configure it? Or does it require a license?

I don't think so. The only feature that can help a little is IP Intelligence, as it will block bad source IP addresses from bad domains.

https://clouddocs.f5.com/api/irules/IP-reputation.html

F5 had an MSM module, but that was a long time ago:

https://www.f5.com/content/dam/f5/corp/global/pdf/white-papers/msm-wp.pdf

Dear Nikoolayy1,

The IP Intelligence is already activated and I'm looking for an extra layer. Thanks a lot.

If you don't want to buy another device, you may consider SMTP relay services like SendGrid etc. that are cloud-based offerings. Symantec even has Email Security.cloud, but from the F5 point of view I think that they have given up on this market:

https://www.mailchannels.com/why-use-an-smtp-relay-service/

Also I just remembered that you can use the URLDB for the SWG module to filter based on FQDN/domain names:

https://devcentral.f5.com/s/question/0D51T00008GXZw0/is-there-f5-ip-intelligence-based-on-domainfqdn-domain-intelligence

Still, you will need to see if you can do this for the SMTP traffic, and it will be hard work and maybe not worth the effort:

https://devcentral.f5.com/s/articles/smtp-filter-and-forward-proxy

So does that mean I can create a data group containing all blacklisted domains, then create an iRule to check the blacklisted domains, and it will be assigned to the email VS?!

How do I write the iRule?

And is it possible to check PTR using an iRule?

About the iRule, I don't think there is exactly what you are looking for, but probably it could be written. It will take a lot of time to capture the traffic with TCP::collect and to match on the "From: user@domain.com" value in the emails, and I admit I don't have a use case to try it. This is why I gave you the example of the iRule with smtp-filter-and-proxy.

For PTR, if your device is not the DNS/GTM, you may extract the needed value from the email payload and check it with "RESOLV::lookup", as I don't know if "NAME::lookup" supports PTR resolution:

https://clouddocs.f5.com/api/irules/resolv__lookup.html

https://clouddocs.f5.com/api/irules/NAME__lookup.html

A good note is that you can use free feed lists, like MineMeld, as an alternative to the F5 URLDB service for the SWG module. If you have AFM you can add custom feed lists, and if not you may check the tabular CSV importer iRule that I also use for some things.

https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld

https://devcentral.f5.com/s/articles/csv-tabular-data-sideband-importer

https://devcentral.f5.com/s/articles/populating-tables-with-csv-data-via-sideband-connections
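
An added example, not part of any post in this thread and not F5 code: the stateful check that an iRule collecting SMTP client bytes with TCP::collect would have to perform against a data group of blocked domains, modelled in Python so it can be run offline. The blocklist contents and all class and function names are hypothetical, and a plaintext (non-STARTTLS) session is assumed.

```python
import re

# Constructed blocklist; stands in for an F5 string data group (hypothetical contents).
BLOCKED_DOMAINS = {"spam.example", "bulk-offers.example"}
DOMAIN_RE = re.compile(rb"@([A-Za-z0-9.-]+)")
REJECT = "550 5.7.1 Sender domain rejected"

def is_blocked(domain, blocked=BLOCKED_DOMAINS):
    """Match the domain or any parent domain, on label boundaries only."""
    labels = domain.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

class SmtpSenderFilter:
    """Feed raw client-side TCP segments of a plaintext SMTP session."""

    def __init__(self):
        self.buf = b""           # bytes of a line not yet terminated by CRLF
        self.in_data = False     # between DATA and the lone "." line
        self.in_headers = False  # inside the message header block

    def feed(self, segment):
        """Return [(line, verdict)] for each line completed by this segment."""
        self.buf += segment
        out = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            out.append((line, self._check(line)))
        return out

    def _check(self, line):
        upper = line.upper()
        if self.in_data:
            if line == b".":
                self.in_data = False
            elif line == b"":
                self.in_headers = False   # blank line ends the headers
            elif self.in_headers and upper.startswith(b"FROM:"):
                return self._verdict(line)
            return "pass"                 # body text is never parsed as a command
        if upper.startswith(b"MAIL FROM:"):
            return self._verdict(line)
        if upper == b"DATA":
            self.in_data = self.in_headers = True
        return "pass"

    def _verdict(self, line):
        domains = (d.decode("ascii") for d in DOMAIN_RE.findall(line))
        return REJECT if any(is_blocked(d) for d in domains) else "pass"
```

Folded (multi-line) From: headers and a server that refuses the DATA command are not handled here; both would need extra state.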

Many thanks, I will check that.

Another helpful article like the one for the SMTP proxy:

https://devcentral.f5.com/s/question/0D51T00006j2p4a/logging-smtp-traffic-info-via-hsl-to-remote-log-server

Also you may try using a Stream profile rather than TCP::collect or SSL::collect for encrypted SMTP traffic, as mentioned in:

https://devcentral.f5.com/s/question/0D51T00006j2p4Z/irule-for-smtp-passing-client-ip-addr-to-backen...

Many thanks, your support is highly appreciated.