Test Report
September 2007

Netcore's Emergic CleanMail Service
Anti-Spam Technology Report
Vendor Details

Name: NetCore Solutions Pvt Ltd.
Address: 402, Peninsula Chambers, Peninsula Corporate Park, Ganpat Rao Kadam Marg, Lower Parel (West), Mumbai 400 013, India.
Website: www.netcore.co.in
Product: Emergic CleanMail Service

Test Laboratory Details

Name: West Coast Labs, Unit 9 Oak Tree Court, Mulberry Drive, Cardiff Gate Business Park, Cardiff, CF23 8RS, UK
Telephone: +44 (0) 29 2054 8400
Date: June 2007
Issue: 1.0
Author: M. Garrad

Contact Point

Contact name: M. Garrad
Contact telephone number: +44 (0) 29 2054 8400
Contents

Introduction
Test Network
Test Methodology
Product Test Reporting
Checkmark Certification
The Product
Test Report
Test Results
West Coast Labs Conclusion
Security Features Buyers Guide
Introduction

The ever-evolving spam threat

"Two years from now, spam will be solved." Bill Gates, Jan. 2004

At the beginning of 2004, Bill Gates was addressing the World Economic Forum in Switzerland and confidently predicted that "Two years from now, spam will be solved." Sadly, his prophecy has proved somewhat wide of the mark as reports continue to emerge about the size of the problem. The latter half of 2006 saw an unprecedented rise in spam volumes, with SurfControl reporting a 50% increase in spam over the previous half year, and spam now accounting for almost 90% of all email traffic on the Internet.

The nature of spam has also changed. In 2004 spam content was dominated by pornography, Viagra sales and the infamous "Nigerian scam" advance-fee fraud spam. Those types of spam are very much still with us but have been added to by phishing attacks, Pump-and-Dump scams (which involve artificially inflating the price of a stock in order to make a quick profit on stock previously purchased cheaply) and spam that tricks users into following URL links to web sites that download malicious code that will compromise their machines.

The methods used by spammers to launch their attacks have also transformed over time. The vast majority of unsolicited email is now being sent via vast armies of infected PCs known as botnets; often these are the machines of home users who are unaware that they are part of the problem. This distributed system approach is making it more difficult to separate out spam emails based upon simple network-based criteria, and so companies providing anti-spam technologies are having to provide more intelligent filtering solutions.
In a recent interview, Dr Richard Cullen, distinguished engineer at SurfControl, said, "The threat landscape has changed dramatically over the past couple of years. Malware attacks are now commercial ventures, with well organized cybercrime gangs harnessing the power of vast botnet armies to launch spam, phishing, DDOS and malware attacks."

The spammers are also always trying to find new ways of bypassing antispam defenses. One such technique that is on the increase is image spam: emails with images containing the spammer's messages within random text designed to foil less sophisticated spam filters. Peter Firstbrook, security research director for Gartner, has reported that image spam went from 6 percent of all spam in Q3 of 2006 to 30 percent by Q4, and it is now thought to make up almost 40% of all spam.

Apart from being harder to block, image spam also causes knock-on problems because the spam messages are actually larger than simple text messages. According to some reports, the average size of a spam message has increased by 77% since September last year (from 6.62Kbytes to 11.76K) and continues steadily to grow. This adds to the cost of managing email, it wastes bandwidth and also consumes storage if a company needs to archive all incoming mail. And according to the New York Times security columnist John Markoff, one recent botnet outbreak managed to consume 15% of Yahoo's resources while searching for random pieces of text to pad out such image-based messages.

As a result, anti-spam vendors are now having to adapt to this new threat by both enhancing existing techniques, such as heuristic rules to analyze the characteristics of image-based spam, and by adding new technology layers, such as optical character recognition technologies.

Where will it all end?
Test Network

WCL has a number of domains that collect genuine spam. These domains receive varying levels of spam and are consistent with different email environments. To reflect the email usage within a corporate environment, within each domain are a number of designated user accounts with a variety of email practices and needs, including some that are subscribed to a variety of newsgroups and mailing lists. Some user accounts actively contribute to mailing lists.

The multiple domains designated for testing purposes were those that, between them, receive spam at a level consistent with the defined requirements of testing.

Software solutions included in the test program were installed on servers that meet the minimum specifications required by the vendor. Appliance-based solutions were installed on the network according to the vendor's recommended placing. For hosted services, WCL tested through identified email domains and changed the MX records to divert the mail stream through the hosted service.
Test Methodology

WCL initially performed the testing with an out-of-the-box configuration, changing only those settings on the solution needed to ensure correct operation in line with the vendor's recommended installation and configuration procedures. Further testing was then performed following the vendor's advice for the tuning or training of the solution under test. WCL fine-tuned the solution each day of the test, spending no more than half an hour per day undertaking such work.

Throughout the course of testing, a mixture of email was sent to the test domains from other email addresses and domains controlled by WCL to mirror genuine email activity common in business, for example requesting meetings, sending notifications to groups and non-business related social emails. Emails were also sent from web-based accounts such as Hotmail and Google's Gmail in order to simulate external users sending non-business related social emails, and home workers.

Thus, during the testing period the domains received some spam, some list/newsgroup mailings and genuine individual emails.
Product Test Reporting

Product evaluation addresses three specific areas* - Management/Administration, Functionality, Performance - plus Additional Feature Testing.

1. Management/Administration
   - Ease of Setup/Installation
   - Ease of Use
   - Logging and reporting function
   - Rule creation
   - Customization
   - Content Categories

2. Functionality
   - Email Processing Steps
   - Allow/Blocking of Email
   - Quarantine Area
   - Additional functionality reporting
   - Steps to Process Email
   - Block Email Addresses
   - Blacklist/Whitelist
   - Allow Email Addresses

3. Performance
   - Volume or Percentage of spam detected
   - False positive rate
   - Spam incorrectly passed through
   - Legitimate mail blocked
   - Legitimate subscription mail blocked
Checkmark Certification

Upon completion of the testing, individual product results are analyzed, resulting in accreditation to one of the two Checkmark Certifications for Anti-Spam subject to achieving the following catch rates:

Checkmark Anti-Spam Certification Premium: 97% and over Catch Rate
Checkmark Anti-Spam Certification Standard: 90% and over Catch Rate
The Product

Introduction

Emergic CleanMail Service, referred to as ECM, from NetCore is a managed service providing companies with powerful and well-performing antispam protection. As with all managed services, this solution will best suit those companies looking to outsource certain aspects of IT security, or to reduce the workload of IT Administrators or Network Teams.
Installation and Configuration

As this is a managed service, configuration is mostly carried out by the technical teams at NetCore. The procedure for a new client is simple and straightforward: the administrator need only provide them with basic networking information, such as domain and a target collection server, and the rest is taken care of.

NetCore engineers then inform the administrator, via email, when the service is ready to be used. Included within this email are the login details such as address, username, and password for the SSL-encrypted web-based interface. From this interface the administrator is able to further interact with the service.
Operations and Features

Once logged in, the administrator is presented with a clear and concise interface that provides a quick learning curve thanks to the well-designed and intuitive layout. By reducing the time needed to become familiar with the solution, the administrator can almost immediately begin customizing the ECM solution.

The interface contains menu links for the various categories and sub-categories along the top, with page content being displayed within the main area of the screen just below. By default, the administrator is directed to the Reports category, whilst other options include Administer, Settings, and Logout. Each major menu category contains several further sub-categories, providing a rich source of configuration options and report types.

Once the engineers at NetCore have carried out the initial setup, the administrator is free to further customize the service through the use of these option categories. This customization includes the setup of Dictionary Checks, as well as the provision of Black and Whitelists for both domain names and IP addresses. Black and White Lists of users add additional filtering options so that any emails not specifically addressed to one of the users are either automatically blocked or allowed.

The setup of Dictionary Checks allows the administrator to help control one of the most common features found upon first implementing an antispam solution: false positives. To give an example, a medical research company using ECM may enter the word "Viagra" as acceptable, a term that may otherwise cause a work-related email to be blocked. This flexibility demonstrates the amount of careful thought and planning that Netcore have put into making this solution a good fit for all types of business.

Although configuration of the service is quick and easy, any queries can also be quickly resolved due to the provision of a structured and informative Administrators Guide along with descriptive text on each of the option pages inside the interface. Any changes made to the configuration are adopted almost instantly, thus ensuring that the service constantly meets the demands of NetCore's clients.

For further ease of use, ECM has three levels of scanning that employ different options within the solution to varying degrees. The administrator can quickly switch between these three levels to best suit the requirements of the client company. These three levels are Aggressive, Mild, and Simple, allowing a fire-and-forget method of setting up the solution for those administrators not wishing to deviate from any of the default settings, or working with time constraints.

When handling those messages defined as Spam, NetCore defaults to delivering the messages with a prepended Spam tag in the subject line. Should any messages be blocked before they reach a user's inbox, the administrator may view details of each message including the sender address, subject line, and the date of receipt.
Reporting

The Reports section, the default page presented at login, provides data for all the messages processed by ECM. This information is displayed in various charts and tables, providing an extensive statistical breakdown that will please even the most analytical of administrators.

Contained within the Reports section are eleven individual report subcategories, each displaying its data with standardised formatting, allowing for instant familiarity with the layout of the data. Counts are kept for the number of blocked, delivered, and bounced messages, along with the total file size of the data that has been transferred. Each type of message is easily distinguished and this can serve to further enhance the administrator's understanding of the client company's mail profile and raise their ability to assess the level of both genuine and Spam mail being received by the company.

Some of the report pages offer drill-down options to enable deeper analysis of the data. For example, the value next to the RBL Blocked Messages category on the Usage Reports screen is a hyperlink, and clicking on this link displays further information relating to messages blocked by the Real-time Blackhole Lists.
One of the key features of ECM is Netcore's Spam Digest technology. Spam Digest allows users to view a summary of blocked messages that were originally intended for them and have been stopped by the system. If an administrator wishes, the user can also be provided with a link to their private quarantine area so that any genuine messages can be released. Such user interaction releases a burden on Administrators and Support Teams who might otherwise be required to spend time researching whether the message is genuine or not, and then releasing the message to the user.

To ease the setup of this function, a pre-existing list of users' addresses may be uploaded directly to the ECM interface. The administrator may then choose the frequency with which the digest should be sent, selecting between either Daily or Weekly.

For those administrators wishing to take copies or backups of report data, ECM provides a link to a printer-friendly version of the report, along with a link for a downloadable version.
Results

Type of Mail    Detected as Genuine    Detected as Spam
GENUINE         100%                   0%
SPAM            1%                     99%

Emergic CleanMail Service performed well from the outset, delivering 100% of the genuine mail correctly and correctly classifying 99% of the Spam mail.

It is also worth noting that Emergic CleanMail Service delivers a good proportion of grey and list mail as genuine. This gives an organisation the flexibility and opportunity to define policies that prevent messages being blocked that could potentially be business critical.

Based on the results above, West Coast Labs is pleased to award the Emergic CleanMail Service the Checkmark Anti-Spam Premium certification.
Conclusion

Emergic CleanMail from NetCore is a feature-rich and flexible service, providing for companies up to enterprise level with a multi-layered defense against Spam. This solution is ideal for those companies serious about removing Spam, or for any supplier offering a security service who wishes to add a well-established and highly performing Spam solution.

During testing the blocking, tagging, and quarantining of Spam provided an effective method of targeting, recognising, and removing Spam from the end users' inboxes. This is enhanced by the customization options provided to the administrator via the interface.

Reports are both detailed and wide-ranging and provide an excellent overview of both incoming and outgoing email traffic. Administrators under pressure should find the provision of the Spam Digest a particularly useful feature as it can potentially reduce some of the processing time overheads.

From the outset of testing, ECM performed exceptionally well. Within a very short time, the solution had attained the Premium level of certification and continued to improve throughout the duration of the test period. This is due in no small part to the method with which samples are submitted and processed by NetCore, and also the ability of the company to feed samples from each of their customers into a central solution to enhance coverage for all of their customers.

Overall the ECM service handled both Spam and genuine mail in a highly efficient manner, successfully scanning all incoming mail for Spam with minimal impact on the delivery of genuine mail.

NetCore is the first Indian Company to get Checkmark certification on Hosted Anti-Spam Service.
Security Features Buyers Guide

Emergic CleanMail provides multi-layered email protection against Spam and Virus and facilitates enhanced, secure messaging performance. E-mail borne threats are eliminated right at the Internet level, much before they even touch the corporate network resulting in increased productivity, irregular bandwidth and loss of data. Backed by a 24x7 active response team with continuous real time database updates and detailed reports, CleanMail ensures 100% virus protection and 99% spam protection. www.cleanmail.in

Business Benefits, as stated by NetCore

- Eliminates threats and quarantines spam at Internet level, saving connectivity and storage costs.
- Emergic CleanMail (ECM) Service leverages the benefit of Managed Services model and saves time and money wasted in procurement of hardware, software, implementation and management of an In-housed solution.
- Extensive reporting system provides organizations a complete update on their ROI.
- Low Total Cost Of Ownership.
- Increased Employee Productivity by eliminating spam.
- Leverage Managed Service Provider's investment in HA environment assuring you a 24x7 uninterrupted service.
- Per user revenue and service model makes costs of expansion controllable and predictable.
- CleanMail is Business ready, the model can be easily used to resell and co-brand without any additional effort.

http://www.cleanmail.in/features-benefit.html
Technical Benefits, as stated by NetCore

- Multilayered spam blocking produces the industry's lowest false-positive rate while blocking as much as 99% of all inbound spam
- Domain & User level Quarantine Access
- The Personal Spam Manager enables end users to manage their own spam without the intervention of IT administration
- Dashboard with In-depth Reporting
- Disaster Recovery Spooling (queues the mail in case the mail server is not reachable)
- Domain Specific Whitelist and Blacklist
- Global Data Centres delivering 99.999% uptime with 24x7 active response team
- CleanMail's beyond perimeter protection technique keeps attacks like DoS and DDoS far away from the network
- The Recurrent Pattern Detection technique ensures that latest spam outbreaks are automatically detected without any special effort

URL: http://www.cleanmail.in/features-benefit.html
NetCore Emergic CleanMail Service developments in the last 12 months

A number of new technologies have been developed and integrated into CleanMail's Hosted Service over the last twelve months.

Recurrent Pattern Detection (RPD): Emergic CleanMail (ECM) added the Recurrent Pattern Detection technique patented by Commtouch to its powerful detection engine to guarantee efficient detection of new spam outbreaks in real time. Other techniques used to detect spam outbreaks include manual identification of spam patterns from outbreaks appearing in decoy. However, these techniques do not guarantee a real-time detection of new outbreaks. With addition of RPD, ECM has guaranteed that its users are free of spams even during these outbreaks.

Virus Outbreak Detection (VOD): ECM made its Virus Outbreak detection capabilities more powerful with the implementation of VOD technology from Commtouch. With the implementation of this technology ECM now provides two layers of protection to its users during the Zero Hour Window.

Recipient Address Verification (RAV): ECM's innovative Recipient Address Verification protects the organizations from Directory Harvest Attacks. This check also helps ECM to identify bad IP addresses broadcasting spams and throttle them based on the invalid recipient mails they are sending.

Sender Policy Framework module has also been developed.
Additional Noteworthy Product Features

- Transport Layer Security (TLS) provides assured encrypted email delivery
- Encrypted web portal ensures privacy and protection of sensitive information
- Web bug detection capabilities which ensure that security exploits don't creep in through emails
- Online dashboard provides extensive reports supported by graphical pattern indicators and provides granular control of the filter engine
- Recipient Address Verification (RAV) techniques save organizations from Directory Harvest Attacks
- Global Data Centres with load balancing and redundant hardware mean no single point of failure
- True "Zero Hour" Anti-Virus technology based on Real Time Detection, negating risks of early stage viruses evading traditional scanners
- 100% audit record of every message relayed by the service, accessible by administrators and end-users if required
- Beyond perimeter protection technique keeps attacks like DoS and DDoS far away from the network
- 24x7 active Response team ensures that any major email incidents are identified, managed and alerted to the customer before they can do damage
US SALES
T +1 (717) 243 5575

EUROPE SALES
T +44 2920 548 400

GLOBAL HEADQUARTERS
West Coast Labs
Unit 9 Oak Tree Court
Mulberry Drive
Cardiff Gate Business Park
Cardiff CF23 8RS, UK