- Version 3.8
9/20/2004
Eric Ng
Fraud
Phishing is a growing threat, undermining consumer confidence in email
Best of TechEd 2004 Awards, Windows Infrastructure Solutions (HW), Windows & .Net Magazine: "IronPort Systems C60 Gateway Appliance combines spam blocking and anti-virus protection. It combines a number of different sources to determine if mail is real, provides the best support for spam, and minimizes an enterprise's exposure to threats that arrive via email."
David Chernicoff, judge and Senior Contributing Editor for Windows & .NET Magazine http://www.winnetmag.com/Article/ArticleID/42789/42789.html
Revolutionary MTA Platform for High Availability
Threat Prevention with IronPort Reputation Filters
Content Scanning for Policy Enforcement
Spam Detection with Brightmail Anti-Spam
Virus Detection with Sophos Anti-Virus
IronPort Customers
IronPort C60
IronPort C-Series
IronPort C30
IronPort C10
1. IDENTITY: Advanced authentication standards
2. REPUTATION: A holistic view of a sender's traffic patterns reveals their trustworthiness
3. POLICY: Intelligently apply filtering techniques based on the apparent threat
illicit content
IronPort AsyncOS
IronPorts purpose-built Operating System
Stackless Threads yield over 10,000 simultaneous connections
I/O Based Scheduler efficiently assigns resources to proper threads
AsyncFS: Database-like file system that ensures throughput does not drop as queues build
Hardened OS is highly secure: no stack overflow problems, no open ports, all non-essential services removed
See what was happening with our customer's system (which was being DoS-attacked!)
Equal treatment of mail regardless of source
Concerns with false positives require lowering of anti-spam filter sensitivity
Reduced sensitivity results in lower capture rates
Blacklists
Other Data
Fortune 1000 status, length of sending history, location, whether domain accepts email, etc.
Reputation Established
SenderBase
Leading Email Reputation Service
Free and open service to the anti-spam community
Provides a credit report on senders
Data from 20,000 networks
Open, Transparent and Objective
Tracks 30 million IP addresses, 600,000 domains
Used by 30,000 mail administrators
Data tightly integrated with IronPort C-series appliances
Reputation score scale: -10 to +10
IronPort solution:
Reputation filters block over 19M messages per day
5.5M messages per day scanned by Symantec Brightmail
Replaced 68 servers with 8 IronPort C60s
Accuracy of spam filtering increased 10x
Servers consolidated by 70%
Operating costs reduced as much as 75%
IronPort has increased the quality and reliability of our network operations, while reducing our costs.
-- Tim Helmsetetter
Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation
SBRS In Action
SBRS -5.5
E.g.:
                               Bad reputation senders (SBRS < -4)     Unknown
Messages per connection        1                                      1
Recipients per message         1                                      5
Recipients per hour            2                                      10
Maximum message size           1KB                                    1MB
Concurrent email connections   No other concurrent email connection   No other concurrent email connection
Enhances network security with perimeter-based policies
Tailor mail flow policies to meet the diverse needs of large corporations
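The mail flow policy table above can be modelled as a small policy engine. The following is an added example written for this page, not IronPort's code or AsyncOS configuration: it uses the slide's two example policies and the SBRS < -4 cutoff, with a sliding one-hour recipient counter per sending IP to enforce the "recipients per hour" limit. Policy names, the IP addresses and the scenario in demo() are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MailFlowPolicy:
    """One row of the slide's policy table (the limits are the slide's values)."""
    name: str
    max_messages_per_connection: int
    max_recipients_per_message: int
    max_recipients_per_hour: int
    max_message_bytes: int
    max_concurrent_connections: int  # "no other concurrent email connection" -> 1


# Limit values are the slide's; the names and this data layout are this example's own.
BAD_REPUTATION = MailFlowPolicy("bad_reputation", 1, 1, 2, 1 * 1024, 1)
UNKNOWN = MailFlowPolicy("unknown", 1, 5, 10, 1024 * 1024, 1)
SBRS_BAD_THRESHOLD = -4.0  # "SBRS < -4" on the slide


def select_policy(sbrs):
    """Map a SenderBase Reputation Score (-10..+10, or None when the sender has
    no score yet) to a mail flow policy. Only the two policies shown on the
    slide are modelled; anything not clearly bad falls into 'unknown'."""
    if sbrs is not None and sbrs < SBRS_BAD_THRESHOLD:
        return BAD_REPUTATION
    return UNKNOWN


class RecipientRateLimiter:
    """Sliding one-hour window of accepted recipients, keyed by sending IP."""
    WINDOW_SECONDS = 3600

    def __init__(self):
        self._accepted = {}  # ip -> deque of acceptance timestamps (seconds)

    def reserve(self, ip, count, limit, now):
        """Record `count` recipients for `ip` if that keeps the last hour within
        `limit`; otherwise record nothing and return False (throttle)."""
        window = self._accepted.setdefault(ip, deque())
        while window and now - window[0] >= self.WINDOW_SECONDS:
            window.popleft()
        if len(window) + count > limit:
            return False
        window.extend([now] * count)
        return True


def check_message(ip, sbrs, recipients, size_bytes, limiter, now):
    """Apply the selected policy to one message; returns (accepted, reason)."""
    policy = select_policy(sbrs)
    if len(recipients) > policy.max_recipients_per_message:
        return False, f"{policy.name}: too many recipients per message"
    if size_bytes > policy.max_message_bytes:
        return False, f"{policy.name}: message larger than {policy.max_message_bytes} bytes"
    if not limiter.reserve(ip, len(recipients), policy.max_recipients_per_hour, now):
        return False, f"{policy.name}: hourly recipient limit reached, throttling"
    return True, f"{policy.name}: accepted"


def demo():
    """Constructed scenario: a sender scored -5.5 (the value on the 'SBRS in
    action' slide) sends three one-recipient messages within an hour, and an
    unscored sender sends one five-recipient message."""
    limiter = RecipientRateLimiter()
    bad_sender = [check_message("203.0.113.5", -5.5, ["user@acme.com"], 800,
                                limiter, now=1000 + i)[0] for i in range(3)]
    unknown_ok, _ = check_message("198.51.100.9", None,
                                  [f"u{i}@acme.com" for i in range(5)],
                                  50_000, limiter, now=1000)
    return bad_sender, unknown_ok


if __name__ == "__main__":
    print(demo())  # ([True, True, False], True)
```

The third message from the -5.5 sender is throttled rather than rejected outright: the slide's point is that a bad-reputation sender is slowed down (2 recipients per hour, 1KB messages), which costs the sender far more than it costs the recipient, while an unknown sender still gets a workable allowance.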
BLOCK THROTTLE
Joe-Jobbing
(Figure: Spammer -> goat.com -> Victim target@acme.com)
1. Spam is sent with target@acme.com as a forged envelope sender address (From: target@acme.com, To: bill@goat.com). target@acme.com is the victim!
2. Spam is sent to an invalid email address, which the server will bounce.
3. goat.com bounces the original message to the forged envelope sender: "No such user, here's your *original* message" (To: target@acme.com).
4. target@acme.com receives the spam as a bounced message.
target@acme.com sees that the spam is from goat.com.
(Figure: Internet emails -> gateway with LDAP lookup -> User mailbox)
Email is dropped if the recipient name doesn't exist in the LDAP directory
Actions include: remove inappropriate attachments, notify appropriate personnel, return to sender, archive
Distinct policies for internal groups through LDAP
"IronPort's content scanning engine is the most scalable we've ever tested."
-- SG Cowen
Filter Samples
Filter rule to identify emails that spoof my domain:
catch_my_domain_spoof:
    if ((mail-from == "@my_domain\\.com$") AND (remote-ip != "192.168.1.1")) {
        strip-header("Subject");
        insert-header("Subject", "[My_Domain_Spoof] $Subject");
        alt-rcpt-to("admin@acme.com");
        deliver();
    }
Filter Samples
Filter rule to drop attachments for an LDAP group
no-attach_group:
    if (rcpt-to-group == "CN=no-attch,CN=Users,DC=acme,DC=com") {
        drop-attachments-by-filetype("Executable");
        drop-attachments-by-filetype("Media");
        drop-attachments-by-filetype("Compressed");
    }
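To make the two filter samples concrete, here is an added example (written for this page, not IronPort's filter engine) that evaluates both rules over constructed messages: the spoof rule compares the envelope sender's domain and the connecting IP, and the attachment rule checks recipients against a group and strips matching file types. The group membership, the file-type groups, and the messages in demo() are all constructed; the real product resolves the group via LDAP and has its own file-type group definitions.

```python
import os
from dataclasses import dataclass, field

MY_DOMAIN = "my_domain.com"     # from the slide's spoof filter
TRUSTED_IP = "192.168.1.1"      # the only host allowed to send as MY_DOMAIN
NO_ATTACH_GROUP = "CN=no-attch,CN=Users,DC=acme,DC=com"

# Constructed group membership, standing in for the LDAP lookup behind rcpt-to-group.
LDAP_GROUPS = {NO_ATTACH_GROUP: {"intern@acme.com", "kiosk@acme.com"}}

# Constructed file-type groups; the product's own group definitions are broader.
FILETYPE_GROUPS = {
    "Executable": {".exe", ".com", ".bat", ".scr", ".pif"},
    "Media": {".mp3", ".avi", ".mov", ".wmv"},
    "Compressed": {".zip", ".rar", ".gz", ".7z"},
}


@dataclass
class Message:
    mail_from: str         # envelope sender (MAIL FROM), not the From: header
    remote_ip: str         # address of the connecting host
    rcpt_to: list
    subject: str
    attachments: list      # attachment filenames
    alt_rcpt: str = ""     # set when a filter redirects the message
    actions: list = field(default_factory=list)


def catch_my_domain_spoof(msg):
    """Tag and redirect mail whose envelope sender claims our domain but which
    did not arrive from the trusted internal relay."""
    sender_domain = msg.mail_from.rpartition("@")[2].lower()
    if sender_domain == MY_DOMAIN and msg.remote_ip != TRUSTED_IP:
        msg.subject = f"[My_Domain_Spoof] {msg.subject}"  # strip-header + insert-header
        msg.alt_rcpt = "admin@acme.com"                   # alt-rcpt-to
        msg.actions.append("catch_my_domain_spoof")
        return True
    return False


def no_attach_group(msg):
    """Drop executable, media and compressed attachments for any message with a
    recipient in the no-attachments group. Returns the number dropped."""
    members = LDAP_GROUPS.get(NO_ATTACH_GROUP, set())
    if not any(r.lower() in members for r in msg.rcpt_to):
        return 0
    blocked = set().union(*FILETYPE_GROUPS.values())
    kept = [a for a in msg.attachments if os.path.splitext(a)[1].lower() not in blocked]
    dropped = len(msg.attachments) - len(kept)
    if dropped:
        msg.attachments = kept
        msg.actions.append(f"no-attach_group dropped {dropped}")
    return dropped


def run_filters(msg):
    """Apply both rules in order, as the gateway would before the next scanning stage."""
    catch_my_domain_spoof(msg)
    no_attach_group(msg)
    return msg


def demo():
    """Three constructed messages: a spoof from outside, the same mail from the
    trusted relay, and a vendor mail with mixed attachments to a group member."""
    spoof = run_filters(Message("ceo@my_domain.com", "203.0.113.7",
                                ["staff@my_domain.com"], "Wire transfer", []))
    internal = run_filters(Message("ceo@my_domain.com", TRUSTED_IP,
                                   ["staff@my_domain.com"], "Wire transfer", []))
    intern = run_filters(Message("vendor@example.net", "198.51.100.2", ["intern@acme.com"],
                                 "Files", ["report.pdf", "tool.exe", "song.mp3", "src.zip"]))
    return spoof, internal, intern


if __name__ == "__main__":
    for m in demo():
        print(m.subject, m.alt_rcpt or "-", m.attachments, m.actions)
```

Note what the spoof rule does and does not cover: it keys on the envelope sender (mail-from), so a message whose envelope sender is some other domain but whose From: header displays my_domain.com passes this rule untouched; a companion rule on the header is needed for that case.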
Flexible options
Positioned in the Leaders Quadrant Magic Quadrant for Enterprise Spam Filtering
Filter action to skip Brightmail scanning
Brightmail Quarantine Server
Exchange / Notes Folder Agent
Use of virtual gateway and LDAP group function for multiple spam scanning policies
Brightmail Quarantine
Brightmail Quarantine provides users with Web access to spam messages that the Brightmail software has quarantined for them.
Users can browse, search, and delete their spam messages and also re-deliver misidentified messages to their standard inbox. An administrator account provides access to all quarantined messages.
Quarantine View
(Figure: quarantine architecture; labels: Clean emails, Messages assigned, HTTP Client Access, LDAP Authentication)
Ease of management
Automatic updates and administrative control are centralized
Reporting
Mail Flow Monitoring
Real-time and historical data about who has connected to your mail server and what they have sent to you
Periodic Reports
Basic mail flow data reports on a schedule
Logs
All the details
Spamtowho
Offline mail log digestion tool
Automatically-generated reporting
Manage your mail flow policies
Share data with IT staff and management
Periodic Reports
In any or all of three formats, each having independent distribution lists:
Plain text
HTML
CSV (Comma Separated Values)
Logs
Retrievable, or automatically uploaded to a designated file server by FTP / SCP
Detailed email activity in Text Mail Logs
Also: Delivery Logs, Bounce Logs, Status Logs, System Logs, CLI Audit Logs, FTP / HTTP Logs, Brightmail Logs, Antivirus Logs, LDAP Debug Logs
Wed Jul 7 14:39:54 2004 Info: New SMTP ICID 7509805 interface 192.168.1.1 (192.168.1.1) address 211.75.36.67 reverse dns host unknown verified no
Wed Jul 7 14:39:54 2004 Info: ICID 7509805 SBRS -1.1
Wed Jul 7 14:39:56 2004 Info: Start MID 5488328 ICID 7509805
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 From: <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 RID 0 To: <user@acme.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Message-ID '<OF7B3DC7C1.6249FE2DON48256ECA.001AC4FB@spammers.com>'
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Subject I found you
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ready 2301 bytes from <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: ICID 7509805 close
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Brightmail positive
Wed Jul 7 14:39:56 2004 Info: MID 5488328 rewritten to 5488329 by antispam filter 'unknown'
spamtowho
An offline tool that reports all necessary details, e.g. how many spam / virus-infected emails a user received over a period of time. Not officially supported though (it's written by our Support Engineer).
Inbound Message Deliveries Begun: 12,936
Messages received: 11,750
Messages received on 192.168.1.1: 11,750

Per destination rcpt:
rcpt                  Total Mail   Spam   % Spam   Viruses
aaa@my_domain.com             11      1     9.09         1
bbb@my_domain.com             10      1       10         1
ccc@my_domain.com             13      2    15.38         2
ddd@my_domain.com             12      2    16.66         2
eee@my_domain.com             11      2    18.18         2
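The text mail log excerpt on the previous slide and the spamtowho per-recipient table on this one are two views of the same data: a connection (ICID) carries the SBRS, a message (MID) carries the sender, recipients and Brightmail verdict, and the per-recipient counts come from joining them. The following is an added example written for this page, not the spamtowho tool or any IronPort code: it parses the eleven log lines shown on the slide plus eight constructed lines for a second, clean message, correlates ICID and MID, and produces the Total Mail / Spam / % Spam columns. The regular expressions target only the line shapes visible on the slide.

```python
import re
from collections import defaultdict

# Sample log: the first 11 lines are the ones shown on the slide; the remaining
# 8 lines are constructed here to add a clean two-recipient message.
SAMPLE_LOG = """\
Wed Jul 7 14:39:54 2004 Info: New SMTP ICID 7509805 interface 192.168.1.1 (192.168.1.1) address 211.75.36.67 reverse dns host unknown verified no
Wed Jul 7 14:39:54 2004 Info: ICID 7509805 SBRS -1.1
Wed Jul 7 14:39:56 2004 Info: Start MID 5488328 ICID 7509805
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 From: <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 RID 0 To: <user@acme.com>
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Message-ID '<OF7B3DC7C1.6249FE2DON48256ECA.001AC4FB@spammers.com>'
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Subject I found you
Wed Jul 7 14:39:56 2004 Info: MID 5488328 ready 2301 bytes from <bad.guy@spammers.com>
Wed Jul 7 14:39:56 2004 Info: ICID 7509805 close
Wed Jul 7 14:39:56 2004 Info: MID 5488328 Brightmail positive
Wed Jul 7 14:39:56 2004 Info: MID 5488328 rewritten to 5488329 by antispam filter 'unknown'
Wed Jul 7 14:41:02 2004 Info: New SMTP ICID 7509810 interface 192.168.1.1 (192.168.1.1) address 198.51.100.20 reverse dns host mail.partner.example verified yes
Wed Jul 7 14:41:02 2004 Info: ICID 7509810 SBRS 3.4
Wed Jul 7 14:41:03 2004 Info: Start MID 5488330 ICID 7509810
Wed Jul 7 14:41:03 2004 Info: MID 5488330 ICID 7509810 From: <alice@partner.example>
Wed Jul 7 14:41:03 2004 Info: MID 5488330 ICID 7509810 RID 0 To: <user@acme.com>
Wed Jul 7 14:41:03 2004 Info: MID 5488330 ICID 7509810 RID 1 To: <other@acme.com>
Wed Jul 7 14:41:03 2004 Info: MID 5488330 Brightmail negative
Wed Jul 7 14:41:03 2004 Info: ICID 7509810 close
"""

RE_SBRS = re.compile(r"ICID (\d+) SBRS (-?\d+(?:\.\d+)?)")
RE_START = re.compile(r"Start MID (\d+) ICID (\d+)")
RE_FROM = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
RE_TO = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>")
RE_BRIGHTMAIL = re.compile(r"MID (\d+) Brightmail (positive|negative)")


def _record(messages, mid):
    """Return the per-message record for `mid`, creating it if needed."""
    return messages.setdefault(mid, {"icid": None, "sbrs": None, "from": None,
                                     "to": [], "spam": False})


def parse_mail_log(text):
    """Correlate connection (ICID) and message (MID) lines into one record per
    message: sender, recipients, SBRS of the connection, Brightmail verdict."""
    sbrs_by_icid = {}
    messages = {}
    for line in text.splitlines():
        if m := RE_SBRS.search(line):
            sbrs_by_icid[m.group(1)] = float(m.group(2))
        elif m := RE_START.search(line):
            mid, icid = m.groups()
            rec = _record(messages, mid)
            rec["icid"], rec["sbrs"] = icid, sbrs_by_icid.get(icid)
        elif m := RE_FROM.search(line):
            _record(messages, m.group(1))["from"] = m.group(2)
        elif m := RE_TO.search(line):
            _record(messages, m.group(1))["to"].append(m.group(2))
        elif m := RE_BRIGHTMAIL.search(line):
            _record(messages, m.group(1))["spam"] = (m.group(2) == "positive")
    return messages


def per_recipient_report(messages):
    """Total, spam and % spam per destination recipient, as spamtowho reports."""
    report = defaultdict(lambda: {"total": 0, "spam": 0})
    for rec in messages.values():
        for rcpt in rec["to"]:
            report[rcpt]["total"] += 1
            report[rcpt]["spam"] += int(rec["spam"])
    for row in report.values():
        row["pct_spam"] = round(100.0 * row["spam"] / row["total"], 2)
    return dict(report)


def format_report(report):
    """Render the report in the column layout of the slide's table."""
    lines = [f"{'rcpt':<20}{'Total Mail':>11}{'Spam':>6}{'% Spam':>8}"]
    for rcpt, row in sorted(report.items()):
        lines.append(f"{rcpt:<20}{row['total']:>11}{row['spam']:>6}{row['pct_spam']:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(per_recipient_report(parse_mail_log(SAMPLE_LOG))))
```

One detail worth noticing in the slide's own lines: the anti-spam filter rewrites MID 5488328 to 5488329, so any later delivery log entries refer to the new MID. A tool that joins delivery records back to the verdict has to follow that "rewritten to" link; this example stops at the verdict and does not need to.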
Message Tracking
Detail Reporting
Domain reports highlight the sources of bad and good email by domain
Trend analysis to show the progress in keeping email secure
Centralized scheduled reporting: never sort through logs again
No manual white or black lists needed
Revolutionary MTA Platform for High Availability
Threat Prevention with IronPort Reputation Filters
Content Scanning for Policy Enforcement
Spam Detection with Brightmail Anti-Spam
Virus Detection with Sophos Anti-Virus