Field Guide 3
WatchGuard XCS Overview
Intercept Anti-Spam
The WatchGuard XCS provides a complete set of anti-spam features specifically designed to protect against
the full spectrum of current and evolving spam threats. Intercept can combine the results of several anti-spam
components to provide a better informed decision on whether a message is spam or legitimate mail with
minimal false positives. These features include:
Spam Words — Filters messages based on a dictionary of typical spam words and phrases that are
matched against a message.
Spam Rules — Uses dynamic content rules generated by WatchGuard to help detect new types of
spam messages that are not easily detected by other Intercept Anti-Spam features.
Mail Anomalies — Checks various aspects of the incoming message for issues such as unauthorized
SMTP pipelining, missing headers, and mismatched identification fields.
DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts with a poor reputation.
Messages can also be rejected immediately regardless of the results of other anti-spam processing if
the client appears on a DNSBL. A configurable threshold allows administrators to specify how many
DNSBLs must trigger to consider the sender as unreliable.
URL Block List — Detects spam by examining the URLs in a message and querying a SURBL (Spam URI
Realtime Block Lists) server to determine if this URL has been used in spam messages.
Reputation Enabled Defense (RED) — Reputation Enabled Defense helps to identify spam by
reporting a collection of metrics about the sender of a message, including their overall reputation,
whether the sender is a dial-up, and whether the sender appears to be virus-infected, based on
information collected from installed customer products and global DNS Block Lists. This information
can be used by Intercept to reject the message, or used as part of the overall Anti-Spam decision.
Token Analysis — Detects spam based on advanced content analysis using databases of known spam
and valid mail. This feature is also specially engineered to effectively detect image spam.
Backscatter Detection — Detects spam based on signature verification of the Envelope Sender to
prevent spam bounce emails to forged sender addresses.
Sender Policy Framework (SPF) — Performs a verification of a sending host’s SPF DNS records to
identify the source of a message.
DKIM/DomainKeys Authentication — Performs a verification of a sending host’s DKIM/DomainKeys
DNS records to identify the source of a message.
Brightmail Anti-Spam is also available as an add-on subscription for customers who want to enable multi-
layered Anti-Spam engines.
Reputation Enabled Defense (RED)
Reputation Enabled Defense helps to identify spam by reporting behavioral information about the sender of
a message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears
to be virus-infected or sends large amounts of spam messages, based on information collected from installed
customer products and global DNS Block Lists. Domain and Sender Reputation increases the effectiveness of
RED by examining not only the IP reputation of a sender, but also the domain name and envelope sender
information from that IP address. This information can be used by the system to either reject the message
immediately or contribute to the Intercept score if a message is detected from a source with a poor reputation
or numerous virus infections.
If Reputation checks are enabled, the WatchGuard XCS queries the statistics on the RED domain service for the
sender IP address of each message received, excluding those addresses from trusted and known networks.
With the information returned from RED, the system can make a decision about whether a message is spam
or legitimate mail. A reputation score closer to 0 indicates the sender is extremely reliable and rarely sends
spam or viruses. A reputation score closer to 100 indicates the sender is extremely unreliable and often sends
spam or viruses. An IP address with no previous information from any source is assigned an initial score of 50.