Field Guide 3
WatchGuard XCS Overview
Intercept Anti-Spam
The WatchGuard XCS provides a complete set of anti-spam features specifically designed to protect against the full spectrum of current and evolving spam threats. Intercept can combine the results of several anti-spam components to provide a better informed decision on whether a message is spam or legitimate mail with minimal false positives. These features include:
Spam Words — Filters messages based on a dictionary of typical spam words and phrases that are matched against a message.
Mail Anomalies — Checks various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields.
DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts with a poor reputation. Messages can also be rejected immediately, regardless of the results of other anti-spam processing, if the client appears on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must trigger before the sender is considered unreliable.
URL Block List — Detects spam by examining the URLs in a message and querying a SURBL (Spam URI Realtime Block Lists) server to determine whether the URL has been used in spam messages.
ReputationAuthority — The ReputationAuthority helps to identify spam by reporting a collection of metrics about the sender of a message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected, based on information collected from installed customer products and global DNS Block Lists. This information can be used by Intercept to reject the message, or used as part of the overall Anti-Spam decision.
Token Analysis — Detects spam based on advanced content analysis using databases of known spam and valid mail. This feature is also specially engineered to effectively detect image spam.
Backscatter Detection — Detects spam based on signature verification of the Envelope Sender to prevent spam bounce emails to forged sender addresses.
Sender Policy Framework (SPF) — Performs a verification of a sending host’s SPF DNS records to identify the source of a message.
DomainKeys Authentication — Performs a verification of a sending host’s DomainKeys DNS records to identify the source of a message.
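The DNSBL item above describes two mechanics: the per-list lookup (the client IP is reversed octet by octet and queried under each list's zone) and the configurable threshold that decides how many lists must agree before a sender counts as unreliable. The following added example, written for this guide and not taken from the WatchGuard XCS product, shows both. The zone names, the client addresses, and the `fake_resolve` answer table are all constructed so it runs offline; a real deployment would resolve the same query names with DNS. It also applies a check a practitioner would want: only answers inside 127.0.0.0/8 count as a listing, so a wildcard answer from a dead or misconfigured zone does not inflate the hit count.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional

# Hypothetical DNSBL zone names, constructed for this example; the guide does
# not name the lists the product queries.
DNSBL_ZONES = [
    "bl.example-dnsbl.test",
    "spam.example-list.test",
    "dnsbl.example-third.test",
]

# By convention a DNSBL answers a listed address with an A record inside
# 127.0.0.0/8. Any other answer (for example a wildcard from a decommissioned
# zone) is not treated as a hit.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: reverse the octets and append the zone.
    203.0.113.7 queried against zone Z becomes 7.113.0.203.Z."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listing_answer(answer: Optional[str]) -> bool:
    """True only for a well-formed A record inside the conventional 127/8 range."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTING_RANGE
    except ValueError:
        return False


def count_dnsbl_hits(ip: str, zones: Iterable[str],
                     resolve: Callable[[str], Optional[str]]) -> int:
    """Query every zone for the client IP and count how many lists it."""
    return sum(
        1 for zone in zones
        if is_listing_answer(resolve(dnsbl_query_name(ip, zone)))
    )


def dnsbl_verdict(ip: str, zones: Iterable[str],
                  resolve: Callable[[str], Optional[str]],
                  threshold: int) -> Dict[str, object]:
    """Apply the configurable threshold: the sender is treated as unreliable
    (and may be rejected outright) only when at least `threshold` lists agree."""
    hits = count_dnsbl_hits(ip, zones, resolve)
    return {"hits": hits, "threshold": threshold, "reject": hits >= threshold}


# Constructed, offline stand-in for DNS: maps query names to the A record a
# real DNSBL would return. Names absent from the table resolve to None (NXDOMAIN).
FAKE_DNS = {
    "7.113.0.203.bl.example-dnsbl.test": "127.0.0.2",
    "7.113.0.203.spam.example-list.test": "127.0.0.2",
    "9.113.0.203.bl.example-dnsbl.test": "127.0.0.2",
    "9.113.0.203.dnsbl.example-third.test": "198.51.100.1",  # bogus answer, ignored
}


def fake_resolve(name: str) -> Optional[str]:
    """Hypothetical resolver used in place of real DNS queries."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for client in ("203.0.113.7", "203.0.113.9", "198.51.100.1"):
        print(client, dnsbl_verdict(client, DNSBL_ZONES, fake_resolve, threshold=2))
```

With the constructed table, 203.0.113.7 is listed by two of the three zones and crosses a threshold of 2 but not 3; 203.0.113.9 gets one genuine listing plus one bogus answer that is discarded, so it stays below the threshold. Raising the threshold trades a few missed senders for fewer false positives caused by a single aggressive list.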
ReputationAuthority
The ReputationAuthority helps to identify spam by reporting behavioral information about the sender of a message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages, based on information collected from installed customer products and global DNS Block Lists. Domain and Sender Reputation increases the effectiveness of ReputationAuthority by examining not only the IP reputation of a sender, but also the domain name and envelope sender information from that IP address. This information can be used by the system to either reject the message immediately or contribute to the Intercept score if a message is detected from a source with a poor reputation or numerous virus infections.
If Reputation checks are enabled, the WatchGuard XCS queries the statistics on the ReputationAuthority domain service for the sender IP address of each message received, excluding those addresses from trusted and known networks. With the information returned from ReputationAuthority, the system can make a decision about whether a message is spam or legitimate mail. A reputation of 0 indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of 100 indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value of 50.
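The paragraph above fixes the shape of a reputation decision: trusted and known networks are never queried, an unknown sender is scored 50, and a returned score can either reject the message outright or feed the Intercept score. The added example below, written for this guide rather than taken from the product, turns that into a single policy function. The trusted networks, the reputation table and the reject cut-off are constructed values; the rule that only the part of the score above the neutral 50 contributes Intercept points is an assumption made here so that an unknown sender adds nothing.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Stated in the guide: 0 = extremely reliable, 100 = extremely unreliable,
# and an address with no prior information from any source is assigned 50.
UNKNOWN_REPUTATION = 50

# Hypothetical trusted/known networks, constructed for this example; senders in
# these ranges are never looked up.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed stand-in for ReputationAuthority answers (hypothetical scores).
REPUTATION_DB: Dict[str, int] = {
    "203.0.113.7": 96,
    "203.0.113.70": 70,
    "198.51.100.20": 4,
}


def is_trusted(ip: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the sender IP falls inside any trusted or known network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def lookup_reputation(ip: str, db: Dict[str, int]) -> int:
    """Return the stored score, or the neutral 50 when nothing is known."""
    return db.get(ip, UNKNOWN_REPUTATION)


def reputation_decision(ip: str,
                        db: Dict[str, int] = REPUTATION_DB,
                        networks: Iterable[ipaddress.IPv4Network] = TRUSTED_NETWORKS,
                        reject_at: int = 90,
                        points_per_10: float = 0.5) -> Dict[str, Optional[object]]:
    """Decide what the reputation check contributes for one sender.

    action is one of:
      skip   - trusted/known network, no lookup performed
      reject - score at or above reject_at, message refused immediately
      score  - score below the cut-off, points added to the Intercept total
    reject_at and points_per_10 are hypothetical tunables, not product settings.
    """
    if is_trusted(ip, networks):
        return {"action": "skip", "reputation": None, "intercept_points": 0.0}
    rep = lookup_reputation(ip, db)
    if rep >= reject_at:
        return {"action": "reject", "reputation": rep, "intercept_points": 0.0}
    # Assumed rule: only the part above the neutral baseline adds points, so an
    # unknown sender (50) and a reliable sender (4) both contribute 0.
    points = round(max(0, rep - UNKNOWN_REPUTATION) / 10 * points_per_10, 2)
    return {"action": "score", "reputation": rep, "intercept_points": points}


if __name__ == "__main__":
    for client in ("10.1.2.3", "203.0.113.7", "203.0.113.70", "198.51.100.20", "203.0.113.250"):
        print(client, reputation_decision(client))
```

A sender on a trusted network is skipped without a lookup; 203.0.113.7 (score 96) is rejected immediately; 203.0.113.70 contributes one point toward the Intercept total; the reliable sender and the never-seen sender both contribute nothing, which is the behaviour the neutral 50 default is meant to produce.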