ProSecure Unified Threat Management (UTM) Appliance Reference Manual
6-16 Content Filtering and Optimizing Scans
v1.0, January 2010
2. Click the Add table button in the Add column. The new blacklist provider is added to the real-
time blacklist, and it is disabled by default.
To delete a blacklist provider from the real-time blacklist:
1. In the real-time blacklist, click the Delete table button next to the blacklist provider that you
want to delete.
2. Click Apply to save your settings.
Configuring Distributed Spam Analysis
Spam, phishing, and other e-mail-borne threats consist of millions of messages intentionally
composed differently to evade commonly-used filters. Nonetheless, all messages within the same
outbreak share at least one unique, identifiable value which can be used to distinguish the
outbreak.
With distributed spam analysis, message patterns are extracted from the message envelope,
headers, and body with no reference to the content, itself. Pattern analysis can then be applied to
identify outbreaks in any language, message format, or encoding type. Message patterns can be
divided into distribution patterns and structure patterns. Distribution patterns determine if the
message is legitimate or a potential threat by analyzing the way it is distributed to the recipients,
while structure patterns determine the volume of the distribution.
The UTM uses a Distributed Spam Analysis architecture to determine whether or not an e-mail is
spam for SMTP and POP3 e-mails. Any e-mail that is identified as spam is tagged as spam (an
option for both SMTP and POP3) or blocked (an option possible only for SMTP).
To configure Distributed Spam Analysis and the anti-spam engine settings:
1. Select Application Security > Anti-Spam from the menu. The Anti-Spam submenu tabs
appear, with the Whitelist/Blacklist screen in view.
2. Click the Distributed Spam Analysis submenu tab. The Distributed Spam Analysis screen
displays (see Figure 6-6 on page 6-17).
Note: Unlike other scans, you do not need to configure the spam score because the
NETGEAR Spam Classification Center performs the scoring automatically as long
as the UTM is connected to the Internet. However, this does mean that the UTM
must be connected to the Internet for the spam analysis to be performed correctly.