MailMarshal SMTP 2006 Anti-Spam Technology



August, 2006

Contents

Introduction
Multi-layered spam detection and management
SpamCensor: Marshal's unique heuristic filter
URLCensor: Live URL blacklist checking
External DNS blacklists: Query your favorite blacklist
CountryCensor: Analyze country of origin
Zero Day: For large-scale new spam outbreaks
DHA: Protection against Directory Harvest Attacks
TextCensor: Create your own custom scripts
And a host of other features...
How effective is MailMarshal at blocking spam?
What about false positives?
Enabling end users to manage spam
Putting it together: a rules-based approach...
...and a suite of management options
Conclusion

This whitepaper gives an overview of the anti-spam technology used by MailMarshal. While MailMarshal is great at blocking spam, it is much more than an anti-spam solution. MailMarshal provides organizations with the means to control all incoming and outgoing email content, including spam, viruses, text, and attachments within a rules-based framework.

Introduction

This whitepaper gives an overview of the anti-spam technology used by MailMarshal SMTP 2006. While MailMarshal is great at blocking spam, it is much more than an anti-spam solution. MailMarshal provides organizations with the means to control all incoming and outgoing email content, checking for spam, viruses, specific text and attachments within a rules-based framework. You can envisage MailMarshal as an email toolkit, where a multitude of tools can be deployed to check and manage your email.

When it comes to anti-spam, detection is important. But so is management. MailMarshal uses technologies that enable high spam detection rates with exceptionally easy and flexible administration. And it does this within the context of an integrated email content management package. MailMarshal offers organizations an effective and flexible means to control spam, with a rapid return on investment.

Multi-layered spam detection and management

Spam is constantly evolving as spammers employ ever more sophisticated techniques to evade filters. Also, the rate of spam evolution appears to be increasing. Spam is now the domain of sophisticated money-generating organizations with a high level of technical prowess. The result is that no single piece of anti-spam technology is likely to be effective against spam. Your best approach is to adopt a multi-faceted solution. MailMarshal has an array of anti-spam tools that together, layer-by-layer, identify and deal with spam.

MailMarshal Multi-Layered Anti-Spam Protection:

- SpamCensor
- URLCensor
- DNS Blacklists
- CountryCensor
- Zero Day Updates
- Directory Harvest Protection
- TextCensor
- Whitelists and Blacklists
- Anti-Spoofing and Anti-Relay

SpamCensor: Marshal's unique heuristic filter

The SpamCensor is at the core of the MailMarshal anti-spam solution. The SpamCensor is an heuristic filter that consists of approximately 3000 individual tests for spam. It is a scoring-based system where rules work in combination to produce a total score for the "spamminess" of a message. Once the score reaches a threshold, an action is taken, such as quarantining or tagging the message.

The SpamCensor is built and automatically updated on a weekly basis by members of Marshal's TRACE (Threat Research and Content Engineering) team. This is a group of security analysts who examine live email streams for patterns and typical spam traits. The experience and knowledge of the TRACE team is a key factor in the effectiveness of the SpamCensor. This knowledge is backed up by a number of proprietary tools and systems that automatically machine-learn patterns and assign scores to rules to optimize performance. The SpamCensor is self-contained, standalone and requires no work by an administrator. If you used nothing else in MailMarshal, the SpamCensor alone would result in very good spam detection.

Sometimes customers ask why the SpamCensor is not updated as often as other anti-spam solutions or their virus scanner. The simple answer is that it is not a signature-based system. In such systems, each signature is an independent entity and equates to a single message. In the SpamCensor, rules are heuristic and interdependent. Individual signature updates are unnecessary. A weekly release cycle is used to carefully craft, train and test each SpamCensor prior to release. This approach results in a highly predictive filter that is very good at detecting tomorrow's spam, as well as today's.

URLCensor: Live URL blacklist checking

One very effective way of blocking spam is to extract domain information from URLs in the body of the message, and check that information against one or more of the URL blacklists available. This method is known as SURBL (Spam URL Realtime Blacklisting). MailMarshal's implementation of URL blacklisting is called URLCensor, and it contains the following advanced features:

- Ability to use any number of URL blacklist databases.
- Can also check IP addresses of extracted domains.
- Local caching of results, to increase speed and to reduce the load on DNS servers.
- Handles obfuscated URLs.
- Ability to use multiple URL blacklists in a policy-based framework (i.e. only block a message if it is listed on two or more URL blacklists).

External DNS blacklists: Query your favorite blacklist

Another established way of blocking spam is to check the sender against a blacklist of known spamming hosts. There are quite a number of blacklists of varying quality and availability. As the services use DNS as the method of querying their servers, they are also often referred to as DNS blacklists. The effectiveness of this method of blocking spam is entirely dependent on the quality of your chosen list, and how often it is updated. The services sometimes attract criticism because, occasionally, legitimate email hosts can find themselves unwittingly on the list, and it becomes difficult to send email to them. Even so, a good DNS blacklist can be effective at blocking spam and should form part of an overall anti-spam strategy. MailMarshal has integrated DNS blacklist support and ships with some already configured. Administrators can apply one or more DNS blacklists as needed.

CountryCensor: Analyze country of origin

The CountryCensor is unique technology developed by Marshal which allows a mail administrator to identify the countries through which a message has traveled, and handle it accordingly. The technology analyzes IP addresses to identify the country of origin. Internet authorities allocate blocks of IP addresses to each country, and CountryCensor uses a database of these allocations to identify the country of origin. You can then set policy in MailMarshal to scrutinize messages from some countries more closely, or deny messages from certain countries altogether. For example, if you never do business with anyone in the Republic of Zamunda you can block any messages originating from that country. You can also grant individual exceptions such as the domains of any customers you might have in that country.
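The lookups described under URLCensor and External DNS blacklists above, as an added Python example (not MailMarshal's code): it extracts hosts from URLs in a message body, undoes a few common obfuscations, builds the DNS query names, caches answers, and blocks only when two or more lists agree. The function and class names are hypothetical, and the zone names you pass in are whichever lists you have chosen.

```python
import ipaddress
import re
import socket
import time
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def dns_listed(name):
    """DNSBL convention: an A record means listed, NXDOMAIN means not listed."""
    try:
        return bool(socket.gethostbyname(name))
    except OSError:
        return False

def extract_hosts(body):
    """Hosts from URLs in the body, with common obfuscations undone."""
    hosts = set()
    for raw in URL_RE.findall(body):
        try:
            host = unquote(urlsplit(raw).hostname or "")  # drops user@ and :port
        except ValueError:
            continue
        host = host.rstrip(".").lower()
        if host.isdecimal() and int(host) < 2**32:  # dword form: http://3221225994/
            host = str(ipaddress.IPv4Address(int(host)))
        if host:
            hosts.add(host)
    return hosts

def query_names(host, url_zones, ip_zones):
    """Return (zone, DNS query name) pairs for one host."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        labels = host.split(".")
        # Host plus each parent down to two labels; a simplification of
        # registered-domain reduction, which needs a public-suffix list.
        names = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
        return [(z, f"{n}.{z}") for z in url_zones for n in names]
    rev = ".".join(reversed(str(ip).split(".")))  # 192.0.2.10 -> 10.2.0.192
    return [(z, f"{rev}.{z}") for z in ip_zones]

class BlacklistChecker:
    def __init__(self, url_zones, ip_zones, lookup=dns_listed, ttl=300, min_lists=2):
        self.url_zones, self.ip_zones = url_zones, ip_zones
        self.lookup, self.ttl, self.min_lists = lookup, ttl, min_lists
        self.cache = {}  # query name -> (listed, expiry time)

    def listed(self, name):
        hit, now = self.cache.get(name), time.monotonic()
        if hit is None or hit[1] <= now:  # miss or expired: ask DNS once
            hit = self.cache[name] = (self.lookup(name), now + self.ttl)
        return hit[0]

    def verdict(self, body):
        """Return (block?, zones that listed any host found in the body)."""
        zones = {zone for host in extract_hosts(body)
                 for zone, name in query_names(host, self.url_zones, self.ip_zones)
                 if self.listed(name)}
        return len(zones) >= self.min_lists, zones

# Constructed sample: the body and the obfuscated URLs in it are made up.
BODY = ("Verify at http://www.bank.example@%77ww.SPAM.example./login "
        "or http://3221225994/offer today")
```

The `lookup` parameter accepts any function that maps a query name to listed or not listed, which lets the policy be exercised without live DNS.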

Zero Day: For large-scale new spam outbreaks

From time to time, large-scale or worldwide spam outbreaks occur. Marshal has the ability to push out targeted Zero Day protection measures. If you enable the Zero Day policy, these measures are automatically applied. Zero Day spam measures are designed to provide interim protection until the SpamCensor is next updated.

DHA: Protection against Directory Harvest Attacks

DHA prevention guards your system against Directory Harvest Attacks (DHAs). Spammers use DHAs to determine valid email addresses at your domain. This mechanism can detect a DHA, drop the connection from the connecting server and blacklist the server for a specified length of time.

TextCensor: Create your own custom scripts

MailMarshal has an integrated text scanner called the TextCensor. Its scripts can be used in numerous ways to stop spam; they provide you with the flexibility to look for almost anything. The TextCensor engine has advanced capability, and its scripts support:

- Boolean operators, e.g. AND, OR, NOT
- Proximity operators, e.g. NEAR, FOLLOWEDBY, INSTANCES
- Phrase weightings, e.g. "FREE!" might be given a higher weighting than "buy now"
- Targeting of different parts of a message: the scripts can be limited to searching the header, body, subject lines, or attachments

And a host of other features...

The features listed above represent the core of MailMarshal's anti-spam capabilities. But MailMarshal also uses a range of other methods to deal with spam:

- User groups for managing whitelists and blacklists
- Anti-spoofing
- Anti-relay
- Denial of Service (DOS) protection
- Receiver HELO connection rules
- Reverse DNS lookups
- Regular expression header matching and rewriting
- Advanced custom category scripts for combining regular expression matching and TextCensor scripts

When all these technologies are combined together into one layered solution, MailMarshal is one of the most effective and easy to manage solutions for defeating spam on the market.
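The DHA section above names three steps: detect, drop the connection, and blacklist the server for a set time. The following added Python example (not MailMarshal's code) shows one way to implement them over a receiver log. The detection criterion (a number of unknown-recipient 550 replies from one connecting IP inside a time window), the log format, and all names and thresholds are assumptions made for the example; lines are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class DhaGuard:
    """Blacklist a connecting server that probes too many unknown recipients."""

    def __init__(self, max_unknown=4, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=30)):
        self.max_unknown, self.window, self.block_for = max_unknown, window, block_for
        self.unknown = defaultdict(deque)  # ip -> times of recent 550 replies
        self.blocked_until = {}            # ip -> end of blacklist period

    def observe(self, ts, ip, code):
        """Return 'drop' if the connection should be dropped, else 'accept'."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "drop"              # still blacklisted
            del self.blocked_until[ip]     # blacklist period has expired
        if code == 550:                    # recipient does not exist
            recent = self.unknown[ip]
            recent.append(ts)
            while ts - recent[0] > self.window:
                recent.popleft()           # forget probes outside the window
            if len(recent) >= self.max_unknown:
                self.blocked_until[ip] = ts + self.block_for
                recent.clear()
                return "drop"
        return "accept"

def replay(lines, guard):
    """Feed log lines to the guard; return the action taken for each line."""
    actions = []
    for line in lines:
        stamp, ip, _verb, _rcpt, code = line.split()
        actions.append(guard.observe(datetime.fromisoformat(stamp), ip, int(code)))
    return actions

# Constructed log: timestamp, connecting IP, command, recipient, SMTP reply code.
LOG = [
    "2006-08-14T10:00:00 198.51.100.7 RCPT <alice@corp.example> 250",
    "2006-08-14T10:00:01 192.0.2.50 RCPT <aaron@corp.example> 550",
    "2006-08-14T10:00:02 192.0.2.50 RCPT <abby@corp.example> 550",
    "2006-08-14T10:00:03 192.0.2.50 RCPT <adam@corp.example> 550",
    "2006-08-14T10:00:04 198.51.100.7 RCPT <alcie@corp.example> 550",
    "2006-08-14T10:00:05 192.0.2.50 RCPT <alice@corp.example> 250",
    "2006-08-14T10:00:06 192.0.2.50 RCPT <allan@corp.example> 550",
    "2006-08-14T10:05:00 192.0.2.50 RCPT <amy@corp.example> 550",
    "2006-08-14T10:40:00 192.0.2.50 RCPT <alice@corp.example> 250",
]
```

In the sample, the single mistyped address from 198.51.100.7 stays under the threshold, while 192.0.2.50 is dropped on its fourth unknown recipient and accepted again only after the 30-minute blacklist period has passed.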

How effective is MailMarshal at blocking spam?

The Marshal TRACE team closely monitors the performance of anti-spam on live MailMarshal servers subjected to streams of incoming spam. The following chart illustrates its performance:

[Chart: MailMarshal Spam Detection May-Aug 2006. Detection rate (%) by week, 15/05 to 14/08, for the SpamCensor alone and for all anti-spam tools. Source: Marshal Ltd.]

There are a few points to note here:

- The average detection rate of SpamCensor alone during this period was 97.8%.
- When the SpamCensor is combined with the other anti-spam tools (e.g. URLCensor and DNS Blacklists), MailMarshal's effectiveness against spam increases to 99.5%.
- Overall effectiveness remains constant at ~99.5%. In weeks where the SpamCensor rate drops, the other tools act as a buffer to keep the overall detection rate up.

What about false positives?

It is relatively easy to block spam. The trick is to do it with a minimum of false positives. MailMarshal achieves a spam false positive rate of better than 0.01% (1 in 10,000 messages). This is an excellent figure when benchmarked against other best-in-class anti-spam systems. An important point to note here is that the 0.01% false positive rate is based on all email, including subscription bulk email. Legitimate, person-to-person business email has an even better rate approaching 0.0001% or 1 in 1,000,000 messages.

The critical issue with false positives is managing them. Regardless of what solution you have, at some point a false positive will occur. MailMarshal makes it easy to manage spam and ensure that a legitimate email is not lost.

Enabling end users to manage spam

No solution is completely foolproof with regard to false positives. The key thing is managing them and ensuring that these messages are not lost or deleted. This is one of the areas where MailMarshal has significant advantages. Quarantined spam can be subjected to the end user Spam Quarantine Management (SQM). This system periodically sends a digest email to each user with a list of blocked spam that was addressed to them. The user can then link directly from the email to the online SQM system and manage their own spam as they wish, releasing quarantined messages and defining safe senders or senders they want to block in the future.

Putting it together: a rules-based approach...

Flexibility is one of MailMarshal's strengths. You can harness the power of MailMarshal's pre-configured spam technology, such as the SpamCensor, and get great results. However, MailMarshal also provides the ability to customize rules for every site. Administrators can combine rule elements together to create a policy that is greater than the sum of its parts.

Here is a simple example: Spam messages are often not very large, almost invariably less than 125Kb in size. This fact can be used in conjunction with TextCensor scripts and whitelists to create an accurate rule, as in the following example from the MailMarshal rule wizard:

    When a message arrives
    Where message is incoming
    Except where addressed either to or from 'Excluded Users'
    Except where addressed from 'Friendly ListServers'
    Where message size is less than '125 Kb'
    And where message is categorized as 'Spam'
    Move the message to 'Spam'

...and a suite of management options

Once a message has been determined as spam, administrators must decide what action to take with it. MailMarshal provides a wide array of possible actions for the maximum flexibility. Here is a sample of the many options available:

- Move the message to a quarantine folder
- Copy the message to a folder
- Send a notification message
- Write a custom log message to the database for later reporting
- Rewrite the message headers, e.g. mark the subject line with [SPAM]
- Route the message to another host
- Pass the message to another rule for processing
- Delete the message

Messages can be monitored and controlled using the MailMarshal Console. Administrators can have any number of consoles and they can be configured to control only specified user groups if desired.

Conclusion

MailMarshal provides email administrators with the technology for controlling spam. It combines leading, new technology with traditional anti-spam approaches. Above all, as stressed in this paper, it provides anti-spam capability in a highly flexible and easy to use solution. In short, MailMarshal has:

- The range and depth of technology for maximum accuracy in spam detection
- A rules-based approach for maximum usability
- A suite of management options for maximum flexibility in the enterprise

Marshal is committed to providing the best possible email content security solution. Our research and development team is working continuously to improve MailMarshal, adding greater accuracy of detection and more intuitive and flexible management functionality.

For more information on MailMarshal please contact your Marshal reseller or sales representative, or visit www.marshal.com.

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, MARSHAL LIMITED PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Marshal, except as otherwise permitted by law. Except as expressly set forth in such license agreement or nondisclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Marshal. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Marshal may make improvements in or changes to the software described in this document at any time.

© 2006 Marshal Limited, all rights reserved.

U.S. Government Restricted Rights: The software and the documentation are commercial computer software and documentation developed at private expense. Use, duplication, or disclosure by the U.S. Government is subject to the terms of the Marshal standard commercial license for the software, and where applicable, the restrictions set forth in the Rights in Technical Data and Computer Software clauses and any successor rules or regulations.

Marshal, MailMarshal, the Marshal logo, WebMarshal, Security Reporting Center and Firewall Suite are trademarks or registered trademarks of Marshal Limited or its subsidiaries in the United Kingdom and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Marshal's Worldwide and EMEA HQ
Marshal Limited, Renaissance 2200, Basing View, Basingstoke, Hampshire RG21 4EQ United Kingdom
Phone: +44 (0) 1256 848080
Fax: +44 (0) 1256 848060
Email: emea.sales@marshal.com

Americas
Marshal Inc. 5909 Peachtree Dunwoody Road NE, Suite 770, Atlanta, GA 30328 USA
Phone: +1 404 564-5800
Fax: +1 404 564-5801
Email: americas.sales@marshal.com

Asia-Pacific
Marshal Software (NZ) Ltd Suite 1, Level 1, Building C Millennium Centre 600 Great South Road Greenlane, Auckland New Zealand
Phone: +64 9 984 5700
Fax: +64 9 984 5720
Email: apac.sales@marshal.com

info@marshal.com
www.marshal.com