
Technical Presentation

- Version 3.8

World Class Products for ISPs, Enterprises, and SMBs

9/20/2004

Eric Ng

The Email Security Crisis is Real

Spam
- Growth in volume remains unabated
- "The protocol that has defined e-mail for more than two decades may have a fatal flaw: It trusts you." -- Paul Festa, CNET

Email-borne threats constantly evolve
- New viruses, worms, and DoS attacks continue to appear

Fraud
- Phishing is a growing threat, undermining consumer confidence in email

The root cause is the anonymity of Simple Mail Transfer Protocol (SMTP)
- The ease of forgery prevents reliable identification of senders
- A 20-year-old protocol with no mechanism for sender authentication

Best of TechEd 2004 Awards, Windows Infrastructure Solutions (HW), Windows & .NET Magazine
"IronPort Systems C60 Gateway Appliance combines spam blocking and anti-virus protection. It combines a number of different sources to determine if mail is real, provides the best anti-spam support, and minimizes an enterprise's exposure to threats that arrive via email."
-- David Chernicoff, judge and Senior Contributing Editor for Windows & .NET Magazine, http://www.winnetmag.com/Article/ArticleID/42789/42789.html

- Revolutionary MTA Platform for High Availability
- Threat Prevention with IronPort Reputation Filters
- Content Scanning for Policy Enforcement
- Spam Detection with Brightmail Anti-Spam
- Virus Detection with Sophos Anti-Virus

IronPort Customers

IronPort C-Series Products

IronPort C60

IronPort C-Series

Messaging Gateway Appliances

IronPort C30

IronPort C10

IronPort: Fixing Email

The vulnerability exposed by spam, viruses, and phishing is inherent to the email protocol, SMTP. IronPort is rebuilding the world's email infrastructure with:

1. IDENTITY: advanced authentication standards
2. REPUTATION: a holistic view of a sender's traffic patterns reveals their trustworthiness
3. POLICY: intelligently apply filtering techniques based on the apparent threat

IronPort C-Series = Server Consolidation

(Diagram: before IronPort vs. after IronPort)

ROI of the IronPort C-Series Appliance

- Effective spam filtering: enhances user productivity, reduces load on network infrastructure
- High throughput performance and high availability features: protection from email-based DDoS attacks
- Server consolidation and ease of management: the intelligence of the IronPort C60 reduces administrative burden by as much as 75%, allowing IT staff to do more with less
- Reputation filters prevent threats from entering your network: enhancing network security against worms, viruses and illicit content

The IronPort C-Series offers consolidated email security

IronPort AsyncOS Platform

IronPort AsyncOS
IronPort's purpose-built operating system
- Stackless threads yield over 10,000 simultaneous connections
- I/O-based scheduler efficiently assigns resources to the proper threads
- AsyncFS: database-like file system that ensures throughput does not drop as queues build
- Hardened OS is highly secure: no stack overflow problems, no open ports, all non-essential services removed

Next generation Mail Transport Agent (MTA)
- Built for today's needs: security, performance, and ease of use
- No legacy vulnerabilities lurking under the covers

IronPort Revolutionary MTA Platform

- Evolving threats such as MyDoom and Bagel cripple legacy MTAs
- AsyncOS: built for email availability
- Threading model, scheduler, and file system designed for the mail gateway
- IronPort C60 is capable of 140 messages per second, 10x that of traditional MTAs
- 10,000 simultaneous connections, 50x traditional MTAs

See what was happening on one customer's system (which was under DoS attack at the time):

801 inbound connections!

... and what would have happened with other MTAs?

IronPort Reputation Filters

Traditional Mail Gateways Treat All Mail the Same Way

(Diagram: traditional MTA with content filter; reduced capture vs. false positives)
- Equal treatment of mail regardless of source
- Concerns with false positives require lowering anti-spam filter sensitivity
- Reduced sensitivity results in lower capture rates

Reputation Filtering Stops 75% of Hostile Mail at the Door
- Known good is delivered
- Suspicious is throttled and spam filtered
- Known bad is deleted/tagged

IronPort uses identity and reputation to apply policy
- Trusted: known senders bypass spam filters
- Suspicious: unknown senders are throttled and filtered
- Hostile: senders are deleted or tagged

Sophisticated Response to Email Threats

SenderBase: Email Traffic Monitoring Network
- 50,000 contributing organizations
- 3 billion queries daily, >25% of the world's Internet email

Data sources:
- Blacklists: SpamCop, SpamHaus (SBL), NJABL
- Spamtraps and complaint data: extensive network of invalid accounts, SpamCop, ISP abuse data, BondedSender abuse data
- 3rd party email accreditation
- Message composition data: message size, number of attachments, attachment types
- Open proxy data: SORBS, OPM, DSBL
- Global volume data: 50,000 organizations (25% of all email)
- Other data: Fortune 1000 status, length of sending history, location, whether domain accepts email, etc.

(Diagram: authenticated unknown sender -> reputation established)

SenderBase
Leading Email Reputation Service
- Free and open service to the anti-spam community
- Provides a credit report on senders
- Data from 20,000 networks
- Open, transparent and objective
- Tracks 30 million IP addresses, 600,000 domains
- Used by 30,000 mail administrators
- Data tightly integrated with IronPort C-Series appliances

Visit SenderBase today: www.senderbase.org

IronPort Reputation Filtering

- SenderBase Reputation Service returns a score based on the probability that a message from a given source is spam
- The SenderBase Reputation Score (SBRS) is a numeric value assigned to an IP address based on information from the SenderBase Reputation Service
- SBRS scale: -10 to +10

Objective data in the Mail Flow Monitor user interface
- Allows mail administrators to get a more complete picture of who is sending them email

Action applied to SBRS ranges
- Drop, accept, add footprint, etc.

Intelligent Protection for Dell

Dell's challenge:
- Dell currently receives 26M messages per day
- Only 1.5M are legitimate messages
- 68 existing gateways running SpamAssassin were not accurate

IronPort solution:
- Reputation filters block over 19M messages per day
- 5.5M messages per day scanned by Symantec Brightmail
- Replaced 68 servers with 8 IronPort C60s

Results:
- Accuracy of spam filtering increased 10x
- Servers consolidated by 70%
- Operating costs reduced as much as 75%

"IronPort has increased the quality and reliability of our network operations, while reducing our costs."
-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation


SBRS In Action

SBRS -5.5

This IP is listed in multiple blacklists / open proxy lists


Email Traffic Control - Throttling

Based on SenderBase Reputation Score (SBRS) or domain / IP, limit:
- Max messages per session
- Max recipients per message
- Max recipients per hour
- Max message size
- Max concurrent connections

E.g.:

Bad reputation senders (SBRS < -4):
- 1 message per connection
- 1 recipient per message
- 2 recipients per hour
- 1KB message size
- No other concurrent email connection

Unknown senders:
- 1 message per connection
- 5 recipients per message
- 10 recipients per hour
- 1MB message size
- No other concurrent email connection

IronPort Appliances Apply Policy Based on Sender Reputation

- Customers: 10MB attachment, no filters
- Vendors: 2MB attachment, no filters, TLS
- Unknown: 1MB attachment, spam filters, throttle
- Hostile: TCP refuse

Enhances network security with perimeter-based policies; tailor mail flow policies to meet the diverse needs of large corporations


Phased Approach to Reputation Filter

SBRS range   | Phase 1   | Phase 2
-10 to -7    | THROTTLE  | BLOCK
-6 to -2     | Default   | THROTTLE
-1 to 5      | Default   | (as Phase 1)
6 to 10      | TRUSTED   | (as Phase 1)
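The following is an added example, not IronPort code, that turns the Phase 2 SBRS bands above, together with the per-sender limits from the throttling slide, into a small policy engine: the band lookup, a TCP-refuse for hostile senders, a concurrency check at connect time, and the per-message and per-hour limits applied to a throttled sender. The sender IPs and scores are constructed, a dict stands in for the SenderBase lookup, and the hourly counter reset a real MTA would do is left out.

```python
"""Reputation-based mail flow policy: maps an SBRS value onto the Phase 2
policy table from the slides and enforces the per-sender throttle limits.
Added example, not IronPort code. Limit values for the THROTTLE and UNKNOWN
tiers are the ones on the throttling slide, the TRUSTED tier's 10 MB size is
from the policy slide; sender IPs and scores are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowPolicy:
    name: str
    max_msgs_per_conn: Optional[int]    # None means no limit
    max_rcpts_per_msg: Optional[int]
    max_rcpts_per_hour: Optional[int]
    max_msg_bytes: Optional[int]
    max_concurrent: Optional[int]
    spam_filter: bool                   # TRUSTED senders bypass the spam filter


BLOCK = FlowPolicy("BLOCK", 0, 0, 0, 0, 0, True)
THROTTLE = FlowPolicy("THROTTLE", 1, 1, 2, 1024, 1, True)
UNKNOWN = FlowPolicy("UNKNOWN", 1, 5, 10, 1024 * 1024, 1, True)
TRUSTED = FlowPolicy("TRUSTED", None, None, None, 10 * 1024 * 1024, None, False)

# Phase 2 table: upper bound of each SBRS band and the policy it gets.
# A score between two integer bands (e.g. -6.5) falls into the band above it.
SBRS_BANDS = [(-7, BLOCK), (-2, THROTTLE), (5, UNKNOWN), (10, TRUSTED)]


def policy_for(sbrs: float) -> FlowPolicy:
    """Map an SBRS value in -10..+10 onto a mail flow policy."""
    if not -10 <= sbrs <= 10:
        raise ValueError(f"SBRS {sbrs} outside -10..+10")
    for upper, policy in SBRS_BANDS:
        if sbrs <= upper:
            return policy
    return TRUSTED  # not reached: +10 is covered by the last band


class Gateway:
    """Holds the per-IP state the limits depend on: open connections and
    recipients accepted in the current hour."""

    def __init__(self, reputation: dict):
        self.reputation = reputation           # ip -> SBRS (constructed lookup)
        self.open_conns = defaultdict(int)
        self.rcpts_this_hour = defaultdict(int)

    def connect(self, ip: str):
        """Decision at connect time. Returns (verdict, policy)."""
        policy = policy_for(self.reputation.get(ip, 0.0))   # unlisted IP: neutral score
        if policy is BLOCK:
            return "refuse", policy            # hostile: TCP refuse, no SMTP session at all
        if policy.max_concurrent is not None and self.open_conns[ip] >= policy.max_concurrent:
            return "defer", policy             # too many concurrent connections from this IP
        self.open_conns[ip] += 1
        return "accept", policy

    def disconnect(self, ip: str) -> None:
        self.open_conns[ip] = max(0, self.open_conns[ip] - 1)

    def message(self, ip: str, policy: FlowPolicy, n_rcpts: int, size: int, msgs_in_session: int) -> str:
        """SMTP-style verdict for one message on an accepted connection;
        msgs_in_session is how many messages this session already delivered."""
        if policy.max_msgs_per_conn is not None and msgs_in_session >= policy.max_msgs_per_conn:
            return "421 too many messages this session"
        if policy.max_rcpts_per_msg is not None and n_rcpts > policy.max_rcpts_per_msg:
            return "452 too many recipients"
        if (policy.max_rcpts_per_hour is not None
                and self.rcpts_this_hour[ip] + n_rcpts > policy.max_rcpts_per_hour):
            return "452 hourly recipient limit reached"
        if policy.max_msg_bytes is not None and size > policy.max_msg_bytes:
            return "552 message too large"
        self.rcpts_this_hour[ip] += n_rcpts
        if policy.spam_filter:
            return "250 queued for spam filtering"
        return "250 queued, trusted sender bypasses spam filter"


if __name__ == "__main__":
    gw = Gateway({"203.0.113.7": -5.5, "203.0.113.99": -8.0, "198.51.100.9": 8.0})  # constructed
    for ip in ("203.0.113.99", "203.0.113.7", "192.0.2.1", "198.51.100.9"):
        verdict, policy = gw.connect(ip)
        print(ip, verdict, policy.name)
        if verdict == "accept":
            print("  ", gw.message(ip, policy, 1, 500, 0))
            gw.disconnect(ip)
```

The checks run in the order an MTA sees the data: the session limit and recipient count are known at RCPT TO, the size only after DATA, so a throttled sender that exceeds its hourly recipient budget is refused before it can transfer a body.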

Joe-Jobbing

(Diagram: Spammer -> goat.com with "From: target@acme.com, To: bill@goat.com"; goat.com -> target@acme.com with "No such user, here's your *original* message"; Victim: target@acme.com)

1. Spam is sent with target@acme.com as a forged envelope sender address; target@acme.com is the victim!
2. Spam is sent to an invalid email address, which the server will bounce (with the original message) to the forged envelope sender
3. target@acme.com receives the spam as a bounced message
4. target@acme.com sees that the spam is from goat.com


Misdirected Bounces / Joe-Job

This is a DDoS attack using a normal company's email system as a launch site for NDRs. The company's email servers would do the right thing for non-existent recipients, that is, bounce them back to the MAIL FROM. If you put the DDoS target's email address there, you could use this company's server to flood that target with NDRs: hundreds or thousands per second.

Email Acceptance by LDAP

- Look up the recipient in the LDAP directory server
- Determine if the email is sent to a valid recipient
- Drop or bounce emails to invalid recipients

(Diagram: Internet emails -> IronPort -> LDAP directory lookup -> user mailbox; the email is dropped if the recipient name doesn't exist in the LDAP directory)
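As an added example (not IronPort's implementation), the code below shows the acceptance logic this slide describes next to the accept-then-bounce behaviour from the joe-job slide, so the difference in backscatter can be measured: unknown recipients are refused with a 550 while the sender is still connected, so no NDR is ever generated towards a forged MAIL FROM. The Directory class and every address are constructed stand-ins for an LDAP lookup; the directory-unavailable case is handled with a temporary failure rather than by accepting blindly.

```python
"""Recipient validation at RCPT TO versus accept-then-bounce, measured by the
NDRs each behaviour sends to a forged envelope sender. Added example, not
IronPort code: Directory stands in for an LDAP lookup and all addresses are
constructed."""


class DirectoryUnavailable(Exception):
    """Raised when the directory cannot be reached."""


class Directory:
    def __init__(self, valid_addresses, available: bool = True):
        self.valid = {a.lower() for a in valid_addresses}
        self.available = available

    def exists(self, address: str) -> bool:
        if not self.available:
            raise DirectoryUnavailable(address)
        return address.lower() in self.valid


def rcpt_reply(directory: Directory, rcpt: str) -> str:
    """SMTP reply for one RCPT TO, decided while the sender is still connected."""
    try:
        known = directory.exists(rcpt)
    except DirectoryUnavailable:
        # Temporary failure: the sending MTA retries later. Accepting blindly
        # here would recreate the bounce problem the lookup is meant to remove.
        return "451 4.3.0 recipient directory unavailable, try again later"
    return "250 2.1.5 OK" if known else "550 5.1.1 no such user"


def receive(directory: Directory, mail_from: str, rcpts, validate_at_rcpt: bool = True):
    """Simulate one inbound delivery attempt.
    Returns (list of RCPT replies, list of NDR destinations the gateway would generate)."""
    ndrs = []
    if validate_at_rcpt:
        replies = [rcpt_reply(directory, r) for r in rcpts]
        return replies, ndrs        # refused in-session: nothing queued, nothing to bounce
    # Legacy behaviour: accept every recipient, discover the invalid ones after
    # the message is queued, and bounce it to whatever MAIL FROM claimed.
    replies = ["250 2.1.5 OK" for _ in rcpts]
    for r in rcpts:
        try:
            known = directory.exists(r)
        except DirectoryUnavailable:
            known = False
        if not known and mail_from:   # "" is the null sender <>; a bounce is never bounced
            ndrs.append(mail_from)
    return replies, ndrs


def backscatter_to(directory: Directory, victim: str, n_messages: int, validate_at_rcpt: bool) -> int:
    """How many NDRs reach `victim` when n_messages forged to be from the victim
    arrive addressed to non-existent local users."""
    total = 0
    for i in range(n_messages):
        _, ndrs = receive(directory, victim, [f"nobody{i}@goat.com"], validate_at_rcpt)
        total += ndrs.count(victim)
    return total


if __name__ == "__main__":
    goat = Directory(["bill@goat.com"])   # constructed directory of valid local users
    print("legacy accept-then-bounce:", backscatter_to(goat, "target@acme.com", 1000, False), "NDRs to victim")
    print("validate at RCPT TO:      ", backscatter_to(goat, "target@acme.com", 1000, True), "NDRs to victim")
```

With the lookup in place the forged sender never receives anything, because the gateway never takes responsibility for a message it cannot deliver; the cost of the failed attempt stays with the connecting client.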


Policy Management and Content Scanning

Content Scanning for Policy Enforcement

High performance content scanning engine
- Standard content scanning systems cripple gateways

Flexible message scanning
- Scan headers, bodies, attachment type, size, encryption
- Open and recursively scan attachments
- Powerful regular expression searches find any matching content
- Actions include: remove inappropriate attachments, notify appropriate personnel, return to sender, archive
- Distinct policies for internal groups through LDAP

"IronPort's content scanning engine is the most scalable we've ever tested."
-- SG Cowen


Filter Samples

Filter rule to identify emails that spoof my domain (envelope sender in my domain but not arriving from the internal relay):

catch_my_domain_spoof:
    if ((mail-from == "my_domain\\.com$") AND (remote-ip != "192.168.1.1"))
    {
        strip-header("Subject");
        insert-header("Subject", "[My_Domain_Spoof] $Subject");
        alt-rcpt-to("admin@acme.com");
        deliver();
    }

Filter rule to block emails that have nothing in From:

block_null_addresses:
    if (header("From") == "^$|<\\s*>")
    {
        drop();
    }

Filter rule to drop attachments for an LDAP group:

no-attach_group:
    if (rcpt-group == "CN=no-attch,CN=Users,DC=acme,DC=com")
    {
        drop-attachments-by-filetype("Executable");
        drop-attachments-by-filetype("Media");
        drop-attachments-by-filetype("compressed");
    }

Filter rule to quarantine outgoing email with profanity (a copy is sent to the administrator for review):

quarantine_profanity:
    if (dictionary-match("bad.words"))
    {
        bcc("admin@acme.com");
    }


Brightmail Spam Detection

Symantec Brightmail is Technology Leader
- 99.9999% accurate, catches over 95% of spam
- 17 technologies for robust, multi-layered defense
- Anti-spam filters updated every 10 minutes

The most extensive anti-spam operations center
- BLOC is unmatched for detecting spam and rule distribution
- BLOC delivers the most complete and up-to-date set of filters
- Over 30,000 new rules per day automatically updated
- No operator intervention required

Flexible options
- Quarantine of individual user mail
- Operator-configurable spam threshold

"IronPort combines Brightmail's solution with its own reputation-based filter, resulting in even better detection while maintaining the extremely low false-positive rate."
-- Forrester Research

Positioned in the Leaders Quadrant, Magic Quadrant for Enterprise Spam Filtering
-- Gartner Research, 2004


Brightmail / IronPort Integration

Selectable Brightmail action for spam / suspect spam:
- Deliver / Drop / Quarantine
- Append / Prepend mark
- Add custom header to email
- Alter recipient / mail server

- Filter action to skip Brightmail scanning
- Brightmail Quarantine Server
- Exchange / Notes Folder Agent
- Use of virtual gateway and LDAP group function for multiple spam scanning policies

Brightmail Quarantine
Brightmail Quarantine provides users with Web access to spam messages that the Brightmail software has quarantined for them. Users can browse, search, and delete their spam messages and also re-deliver misidentified messages to their standard inbox. An administrator account provides access to all quarantined messages.


Quarantine Server Features

- Spam stored centrally at the gateway; not passed through the network
- End users notified daily/weekly about new spam
- Expunger: centralized message purging after x days
- Can release quarantined messages to the user's inbox
- End users can access the quarantine at any time
- Search functionality for both administrators and end users

Quarantine View (screenshot)


IronPort - Quarantine Server Integration

(Diagram)
- IronPort C-Series receives SMTP from the Internet; clean emails are delivered onward by SMTP
- Messages Brightmail identifies as spam are sent by SMTP to the Brightmail Quarantine Server (quarantined action), where they are assigned to users
- Brightmail updates arrive via HTTPS
- Client access to the Brightmail Quarantine Server is over HTTP; authentication is via LDAP

Why Brightmail on IronPort?

"The IronPort platform is a proven email security appliance solution that, in combination with Brightmail's market leading anti-spam technology, effectively and accurately protects customers. Brightmail's partnership with IronPort has allowed our combined solution to protect tens of millions of mailboxes worldwide, and with our expanded collaboration we will protect millions more."
-- Enrique Salem, president and CEO of Brightmail
Brightmail Press Release: Brightmail and IronPort Systems Strengthen Strategic Partnership - June 7, 2004 (http://www.brightmail.com/pressreleases/060704_pr1.html)


IronPort C-Series Architecture

Virus Protection at the Gateway

Multi-layered, multi-vendor approach addresses security shortcomings
- Need integrated virus scanning at the gateway

Ease of management
- Automatic updates and administrative control are centralized

Reduces burden on mail servers
- Scanning at a high performance gateway reduces demands on groupware servers and the remaining infrastructure
- Dropping messages at the gateway reduces bandwidth requirements in the network

"Multi-layer, multi-vendor strategy."
-- Gartner Group


IronPort C-Series with Sophos Anti-Virus Protection

Integrated Sophos anti-virus engine
- High performance in-line scanning

Easy to deploy and manage
- Intuitive user interface
- Single view with Mail Flow Monitor
- Auto updates
- Lower TCO with integrated solution

Sophos Anti-Virus Integration
- Different settings based on the source of email
- Clean messages are delivered; others are handled according to administrator settings
- Optional notification of administrator, sender, or recipient


Reporting

Mail Flow Monitoring
- Real-time and historical data about who has connected to your mail server and what they have sent to you

Periodic Reports
- Basic mail flow data reports on a schedule

Logs
- All the details

Spamtowho
- Offline mail log digestion tool

Mail Flow Central (TBA Q3 04)
- Full feature reporting portal

Mail Flow: Secure, Visible, & Integrated

Security through insight
- Highlights anomalies
- Identifies senders and receivers and tracks historical data
- Enables access control on port 25

IronPort Mail Flow Monitor (screenshot)

Reduced administrative burden
- Single view into all applications
- Eliminate time searching for data

Automatically-generated reporting
- Manage your mail flow policies
- Share data with IT staff and management


Periodic Reports
- In any or all of three formats, each having independent distribution lists: plain text, HTML, CSV (Comma Separated Values)
- Archival of previous generations
- Visibility into trends
- On-demand viewing

Logs
- Retrievable, or automatically uploaded to a designated file server by FTP / SCP
- Detailed email activity in Text Mail Logs
- Also Delivery Logs, Bounce Logs, Status Logs, System Logs, CLI Audit Logs, FTP / HTTP Logs, Brightmail Logs, Antivirus Logs, LDAP Debug Logs

Sample Text Mail Logs:

Wed Jul 7 14:39:54 2004 Info: New SMTP ICID 7509805 interface 192.168.1.1 (192.168.1.1) address 211.75.36.67 reverse dns host unknown verified no
Wed Jul 7 14:39:54 2004 Info: ICID 7509805 SBRS -1.1
Wed Jul 7 14:39:56 2004 Info: Start MID 5488328 ICID 7509805
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 From: <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 RID 0 To: <user@acme.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Message-ID '<OF7B3DC7C1.6249FE2DON48256ECA.001AC4FB@spammers.com>'
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Subject I found you
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ready 2301 bytes from <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: ICID 7509805 close
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Brightmail positive
Wed Jul 7 14:39:56 2004 Info: MID 5488328 rewritten to 5488329 by antispam filter 'unknown'

spamtowho
An offline tool that reports all necessary details, e.g. how many spam / virus-infected emails a user received over a period of time. Not officially supported though (it's written by our Support Engineer).

Sample spamtowho result:

Inbound Message Deliveries Begun: 12,936
Messages received: 11,750
Messages received on 192.168.1.1: 11,750

Per destination rcpt    Total Mail  Spam  % Spam  Viruses
aaa@my_domain.com       11          1     9.09    1
bbb@my_domain.com       10          1     10      1
ccc@my_domain.com       13          2     15.38   2
ddd@my_domain.com       12          2     16.66   2
eee@my_domain.com       11          2     18.18   2
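As an added example (not IronPort's tool), the parser below reads the Text Mail Log format from the Logs slide, correlates the connection (ICID) records carrying the peer IP and SBRS with the message (MID) records carrying sender, recipients and the Brightmail verdict, and then produces a spamtowho-style per-recipient spam count. The first eleven lines of SAMPLE_LOG are the slide's own sample; the lines for ICID 7509806 / MID 5488330 are constructed so that the table has a clean message too.

```python
"""Text Mail Log parser with ICID/MID correlation and a per-recipient spam
summary. Added example, not IronPort's spamtowho. Lines for ICID 7509806 and
MID 5488330 below are constructed; the rest are the slide's sample."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Wed Jul 7 14:39:54 2004 Info: New SMTP ICID 7509805 interface 192.168.1.1 (192.168.1.1) address 211.75.36.67 reverse dns host unknown verified no
Wed Jul 7 14:39:54 2004 Info: ICID 7509805 SBRS -1.1
Wed Jul 7 14:39:56 2004 Info: Start MID 5488328 ICID 7509805
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 From: <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 RID 0 To: <user@acme.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Message-ID '<OF7B3DC7C1.6249FE2DON48256ECA.001AC4FB@spammers.com>'
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Subject I found you
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ready 2301 bytes from <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: ICID 7509805 close
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Brightmail positive
Wed Jul 7 14:39:56 2004 Info: MID 5488328 rewritten to 5488329 by antispam filter 'unknown'
Wed Jul 7 14:41:02 2004 Info: New SMTP ICID 7509806 interface 192.168.1.1 (192.168.1.1) address 198.51.100.20 reverse dns host mail.example.net verified yes
Wed Jul 7 14:41:02 2004 Info: ICID 7509806 SBRS 6.2
Wed Jul 7 14:41:03 2004 Info: Start MID 5488330 ICID 7509806
Wed Jul 7 14:41:03 2004 Info: MID 5488330 ICID 7509806 From: <partner@example.net>
Wed Jul 7 14:41:03 2004 Info: MID 5488330 ICID 7509806 RID 0 To: <user@acme.com>
Wed Jul 7 14:41:03 2004 Info: MID 5488330 ICID 7509806 RID 1 To: <boss@acme.com>
Wed Jul 7 14:41:03 2004 Info: MID 5488330 Subject Q3 contract
Wed Jul 7 14:41:04 2004 Info: MID 5488330 ready 5120 bytes from <partner@example.net>
Wed Jul 7 14:41:04 2004 Info: ICID 7509806 close
"""

# "Wed Jul 7 14:39:54 2004 Info: <text>"  (day may be one or two digits)
LINE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (\w+): (.*)$")
EVENTS = [
    ("conn", re.compile(r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+) reverse dns host (\S+) verified (\S+)")),
    ("sbrs", re.compile(r"ICID (\d+) SBRS (-?\d+(?:\.\d+)?)")),
    ("start", re.compile(r"Start MID (\d+) ICID (\d+)")),
    ("to", re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>")),
    ("from", re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")),
    ("subject", re.compile(r"MID (\d+) Subject (.*)")),
    ("ready", re.compile(r"MID (\d+) ready (\d+) bytes from <[^>]*>")),
    ("spam", re.compile(r"MID (\d+) Brightmail positive")),
]


def _new_msg(icid=None):
    return {"icid": icid, "from": None, "to": [], "subject": None, "bytes": None, "spam": False}


def parse_mail_log(lines):
    """Return (connections keyed by ICID, messages keyed by MID)."""
    conns, msgs = {}, {}
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue                      # not a mail log record
        _ts, _level, text = m.groups()
        for kind, pat in EVENTS:
            g = pat.fullmatch(text)
            if not g:
                continue
            if kind == "conn":
                icid, ip, rdns, verified = g.groups()
                conns[icid] = {"ip": ip, "rdns": rdns, "verified": verified == "yes", "sbrs": None}
            elif kind == "sbrs":
                conns.setdefault(g.group(1), {})["sbrs"] = float(g.group(2))
            elif kind == "start":
                msgs[g.group(1)] = _new_msg(icid=g.group(2))
            else:
                rec = msgs.setdefault(g.group(1), _new_msg())   # tolerate a missing Start line
                if kind == "to":
                    rec["to"].append(g.group(2))
                elif kind == "from":
                    rec["from"] = g.group(2)
                elif kind == "subject":
                    rec["subject"] = g.group(2)
                elif kind == "ready":
                    rec["bytes"] = int(g.group(2))
                elif kind == "spam":
                    rec["spam"] = True
            break
    return conns, msgs


def per_recipient(msgs):
    """spamtowho-style table: total and spam message counts per recipient."""
    stats = defaultdict(lambda: {"total": 0, "spam": 0})
    for rec in msgs.values():
        for rcpt in rec["to"]:
            stats[rcpt]["total"] += 1
            stats[rcpt]["spam"] += int(rec["spam"])
    return {r: {**s, "pct_spam": round(100.0 * s["spam"] / s["total"], 2)} for r, s in stats.items()}


if __name__ == "__main__":
    conns, msgs = parse_mail_log(SAMPLE_LOG.splitlines())
    for mid, rec in msgs.items():
        c = conns.get(rec["icid"], {})
        print(mid, c.get("ip"), "SBRS", c.get("sbrs"), rec["from"], "->", rec["to"], "spam" if rec["spam"] else "clean")
    for rcpt, s in per_recipient(msgs).items():
        print(f"{rcpt:20} total={s['total']} spam={s['spam']} %spam={s['pct_spam']}")
```

The "to" pattern is tried before the "from" pattern because both records begin with "MID n ICID n"; the per-recipient counts come only from RID/To records, so a message rewritten by the anti-spam filter (the last line of the slide's sample) is counted once under its original MID.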

IronPort Mail Flow Central (Q3 04)
- External software that runs on a Windows 2000 or Windows 2003 server
- Message Tracking, Reporting

IronPort Mail Flow Central (Q3 04): Message Tracking, Detail Reporting (screenshots)

Mail Flow Central - Message Tracking

Answers the difficult questions
- "I sent a contract to the law firm yesterday and they never received it. What happened?"
- "I must have received 20 spam messages today! I thought you were doing something about this?"

Saves administration time
- Simple and advanced search
- Track messages from one machine or all machines simultaneously

Powerful search engine
- Finds messages during a specified time
- Finds messages from an individual to an individual

Mail Flow Central Reporting

Summary Reports demonstrate Return on Investment (ROI)
- Reports show the number of spam messages blocked and the number of viruses blocked over time

User Reports show individual granularity
- Which individuals would have been affected by spam or viruses
- Which individuals have been sending the most mail

- Domain reports highlight the sources of bad and good email by domain
- Trend analysis shows the progress in keeping email secure

IronPort Reduces Administration Time

Advanced technology automates manual tasks
- Multi-master centralized management: make changes only once
- Stops virus outbreaks even before signatures are available
- Anti-spam updates: 30,000 rules per day, every 5-10 minutes

Industry's lowest false positive rate eliminates support calls
- No tuning or training required
- Centralized scheduled reporting: never sort through logs again
- No manual white or black lists needed
- Automatic rate limiting prevents Denial of Service without intervention
- Visually test configuration changes without making them effective

"These IronPorts run themselves."
-- Joe Chodi, CTO of Major League Baseball
