MailScanner: - PowerPoint PPT Presentation

About This Presentation
Title:

MailScanner:

Description:

Users include US Government, US Army, US Navy, SPAWAR, NASA ... Seven Seventeen Credit Union. San Antonio City Employees Federal Credit Union. SMGateway ... – PowerPoint PPT presentation

Slides: 31
Provided by: julian1

Transcript and Presenter's Notes

Title: MailScanner:


1
  • MailScanner
  • Cost-Effective
  • Email Protection
  • Julian Field
  • Chief Technology Officer
  • Fortress Systems Ltd
  • www.fsl.com

2
The Problem
  • Viruses, worms, trojans all spread by mail
  • About 5% of incoming mail
  • Costs roughly 25,000 to clean a server
  • Spam
  • Microsoft estimate 50% of employees' mail
  • Phishing fraud attacks
  • Business worth over 100m p.a. in USA

3
Solutions
  • Email scanning services
  • Hardware appliances
  • Software solutions

4
Services
  • Messagelabs, Postini, Brightmail (Symantec)
  • Scan mail entering and leaving your site
  • Cannot scan mail within your site
  • Potential security problem at large sites
  • Huge marketing budgets, lots of FUD
  • FUD = Fear, Uncertainty and Doubt

5
Hardware appliances
  • Barracuda and Fortinet
  • Appear simple to deploy
  • Relatively simple systems
  • You can't get remote help with management
  • They often hugely over-estimate their systems
    capacity

6
Software
  • Mail Marshal and many other closed-source
    proprietary systems
  • Many of these systems incredibly simple and naïve
    under the hood and have poor performance despite
    their marketing claims
  • Also very limited choice of virus scanners
  • Open-source solutions
  • amavisd-new (amavis split into 4 separate
    branches!)
  • SMGateway and MailScanner

7
Benefits of Open Source Solutions
  • There can be no security by obscurity
  • All the bad guys can read the code if they want
    to
  • Source code can be audited for its security and
    performance
  • Must do what it claims to
  • No marketing hype
  • MailScanner has been audited several times

8
What MailScanner Can Do
  • Remove all viruses, worms etc.
  • Block over 95% of all spam
  • False positive rate is roughly nil, many sites
    auto-delete all definite spam at the gateway
  • Detect phishing fraud
  • Detect attacks on security vulnerabilities in
    common email applications
  • Enforce email usage policy

9
Heritage
  • Launched in 2000, continuously developed for 5
    years, ½ million downloads
  • Over 40,000 sites running in at least 70
    countries
  • Users include US Government, US Army, US Navy,
    SPAWAR, NASA
  • Large corporations include HSBC, HP, Siemens
  • Institutions include United Nations, MIT,
    Harvard, Cambridge University
  • Used from Transylvania to Antarctica !

10
Mail Transport Agent (MTA)
  • Collects mail messages via SMTP
  • Works out where to send them
  • Delivers them
  • Supports sendmail, Postfix, Exim, ZMailer and
    Qmail directly

11
Split the MTA into 2

12
Integration with Microsoft Exchange

13
Robust and Reliable Service
  • Email systems have to survive accidents without
    ever losing a message
  • Must survive failures in:
  • Power
  • Network
  • Hardware
  • Software
  • MailScanner never owns a message

14
Removing Viruses
  • Multiple different virus scanners can be used
    together
  • We recommend you use 2 or 3 at least
  • Over 20 different scanners supported
  • All the major commercial and free scanners
  • All viruses are removed but any uninfected
    message contents are still delivered
  • Silent Viruses can delete worms quietly

15
Filtering Filenames & File Contents
  • Anti-virus vendors take a few hours to publish
    their detection signatures for a new virus
  • In that time you are vulnerable unless you do
    this
  • Use it to also implement your email usage policy
  • For example, ban movies and programs
  • Most other systems only block filenames (e.g.
    Exchange and Outlook)
  • Easy to subvert, just rename the file
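
The difference between a filename-only rule and a content check, as an added example (not MailScanner's own code). The deny patterns, magic-byte table and sample attachments are constructed for illustration.

```python
import fnmatch

# Filename policy in the spirit of the slide (constructed rules, not
# MailScanner's shipped rule files).
DENY_NAME_PATTERNS = ["*.exe", "*.scr", "*.avi", "*.mpg"]

# Leading "magic" bytes of a few formats the policy bans.
DENY_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"\x00\x00\x01\xba": "MPEG program stream",
}

def name_verdict(filename):
    """Filename-only check: True if the name matches a banned pattern."""
    lowered = filename.lower()
    return any(fnmatch.fnmatch(lowered, pat) for pat in DENY_NAME_PATTERNS)

def content_verdict(data):
    """Content check: identify the type from the leading bytes, ignoring the name."""
    for magic, label in DENY_MAGIC.items():
        if data.startswith(magic):
            return label
    return None

def check_attachment(filename, data):
    """Block if either the name or the content violates the policy."""
    reasons = []
    if name_verdict(filename):
        reasons.append("filename matches a banned pattern")
    label = content_verdict(data)
    if label:
        reasons.append("content is a " + label)
    return ("block", reasons) if reasons else ("allow", reasons)

# Constructed samples: the same PE header stub under two names, and a text file.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
SAMPLES = [
    ("setup.exe", PE_STUB),
    ("holiday-photo.jpg", PE_STUB),   # same bytes, harmless-looking name
    ("minutes.txt", b"Agenda for Monday\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_attachment(name, data))
```

The renamed attachment passes the filename rule but is still blocked, because the content check never looks at the name.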

16
HTML (Graphical Email) Checks
  • Known dangerous tags can be blocked or disarmed
  • Disarming results in a readable message but with
    features disabled such as forms and executable
    code
  • Web Bugs

17
Finding Spam
  • Many different tools are used
  • Large toolkit approach is essential as spammers
    learn to bypass individual tools on their own
  • Blacklists of senders
  • Heuristic rules (over 1,200 of them)
  • Blacklists of spam-advertised web sites
  • Collaborative databases of known bulk email
  • Results collected by scoring each hit

18
Spam Detection Levels
  • All the hits have their own score
  • All rules are supplied with values computed by
    testing against a large spam corpus using a
    perceptron (neural network) engine
  • This leads to labels for a message: non-spam,
    normal spam, high-scoring spam
  • Each level has its own separate actions

19
Spam Actions
  • Many different actions supported, can be used in
    any combination
  • Deliver, forward to new address, store in
    archive, deliver as RFC822 attachment, bounce to
    sender (discouraged!), delete, add custom
    headers, strip tags from HTML, deliver short
    notification to recipient
  • Popular setup is to delete high-scoring spam, tag
    & deliver normal spam
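
How the last three slides fit together (several tools each contribute a score, the total picks a level, the level picks the actions), as an added example that is not MailScanner or SpamAssassin code. The rule names, scores, thresholds and messages are constructed assumptions.

```python
import re

# Constructed rules and scores for illustration; a real gateway takes them
# from SpamAssassin and from the blacklist and bulk-mail lookups listed above.
RULES = [
    ("SENDER_BLACKLISTED", 3.0, lambda m: m["client_ip"] in {"192.0.2.55"}),
    ("URL_BLACKLISTED", 2.5,
     lambda m: bool(re.search(r"https?://[^\s/]*spamvertised\.example", m["body"]))),
    ("SUBJ_ALL_CAPS", 1.2, lambda m: m["subject"].isupper() and len(m["subject"]) > 8),
    ("BODY_URGENT_MONEY", 1.8,
     lambda m: bool(re.search(r"(?i)act now|guaranteed income", m["body"]))),
    ("BULK_DB_HIT", 4.0, lambda m: m.get("bulk_db_hit", False)),
]
SPAM_SCORE, HIGH_SCORE = 5.0, 10.0   # assumed thresholds

# One action list per level, following the "popular setup" on the slide.
ACTIONS = {
    "non-spam": ["deliver"],
    "normal spam": ["tag", "deliver"],
    "high-scoring spam": ["delete"],
}

def classify(msg):
    """Return (level, total score, names of rules hit, actions)."""
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    total = round(sum(pts for _, pts in hits), 1)
    if total >= HIGH_SCORE:
        level = "high-scoring spam"
    elif total >= SPAM_SCORE:
        level = "normal spam"
    else:
        level = "non-spam"
    return level, total, [name for name, _ in hits], ACTIONS[level]

# Constructed messages. EVASIVE comes from an unlisted address, so the sender
# blacklist misses it, but the other tools still push it over the threshold.
SPAM_BODY = "Act now for guaranteed income: http://shop.spamvertised.example/x"
HAM = {"client_ip": "198.51.100.7", "subject": "Minutes from Monday", "body": "See attached."}
EVASIVE = {"client_ip": "198.51.100.9", "subject": "FREE OFFER INSIDE", "body": SPAM_BODY}
BLATANT = {"client_ip": "192.0.2.55", "subject": "FREE OFFER INSIDE",
           "body": SPAM_BODY, "bulk_db_hit": True}

if __name__ == "__main__":
    for label, msg in (("ham", HAM), ("evasive", EVASIVE), ("blatant", BLATANT)):
        print(label, classify(msg))
```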

20
Vulnerability Checking
  • Outlook and some other applications implement
    features which have suffered from numerous
    security holes
  • Are all your systems totally up to date with all
    application patches?
  • Is the same true for every laptop that ever
    connects to your network?
  • Some features have no place in email
  • Executable code in an email message !?!

21
Phishing
  • Phishing is persuading a user to submit
    personal data to a clone of a banking or shopping
    web site
  • Very successful attack
  • Costs the US banks over 100m p.a.

22
Phishing Net
  • MailScanner has a uniquely successful solution
  • No signatures or other updates required
  • Works out if the link in the email is genuine or
    not
  • Highly rated by security consultants in UK
  • www.phishingnet.info

23
Configuration
  • One main configuration file (well documented)
  • All settings supplied with sensible defaults
  • Only need to change 1 setting to start
  • List of names of virus scanners you are using
  • Integration of SpamAssassin achieved by:
  • Install SpamAssassin from CPAN
  • Set Use SpamAssassin = yes
  • No daemons or commands to configure

24
Advanced Configuration
  • Complex configurations can be developed with
    rulesets applying different settings for
    different configuration options, similar to
    firewall rulesets, for example
  • incoming / outgoing mail: apply disclaimer to
    only outgoing mail
  • different users: only allow management to mail
    large attachments
  • Perl code plugins can be used to calculate
    configuration values
  • Many examples provided

25
Performance and Deployment
  • MailScanner on a dual 2.4GHz Xeon
  • 700,000 messages per day
  • Small organisations can just use a spare machine
  • Recommend 512MB RAM per CPU
  • Load-balanced clusters trivial to deploy with
    multiple DNS MX records

26
SMGateway
  • Based around the core of MailScanner
  • There is only 1 version of MailScanner itself
  • Provides several benefits
  • Web interface for configuration and management
  • Report generation
  • Message tracking
  • Quarantine management
  • Standard support contract packages available

27
Using SMGateway
  • Very easy to use, web interface
  • Full step by step installation instructions
    provided
  • starting from a totally blank PC
  • No prior Linux or product knowledge required at
    all
  • Range of support contracts available

28
Summary
  • MailScanner and SMGateway provide a complete
    solution in 1 package
  • Well proven and trusted, long track record
  • Full commercial support contracts from Fortress
  • Highly robust and reliable
  • Proved to scale to 10s of millions of
    messages/day
  • No marketing hype or FUD
  • We have only happy customers and are pleased to
    provide references

29
Handouts
  • Case Study
  • Seven Seventeen Credit Union
  • San Antonio City Employees Federal Credit Union
  • SMGateway
  • MailScanner

30
Thank you
  • Thank you for listening
  • Any questions?
  • I am staying in the hotel should you wish to
    discuss further: Room 812, and in reception 5-6pm
    (free wine!)
  • www.mailscanner.info
  • www.fsl.com
  • Julian.Field_at_fsl.com