MailScanner

1
MailScanner

• Making the Interneta safer place
• Julian FieldUniversity of Southampton

2
The Problem

• Spam accounts for 50 of all mail traffic
• -age of incoming mail is even higher
• About 1 in 120 messages contains a virus
• So a site processing 50,000 messages per day
  wastes time and resources on 25,000 spams and
  risks a virus outbreak over 330 times every day

3
ECS E-Mail Volume
4
ECS E-Mail numbers

• Total e-mails increased from 15k/day to over
  70k/day in 12 months
• Real e-mail grown from 8k/day to 42.5k/day
• Five-fold increase in real e-mail in 12 months!

5
ECS Virus Volume
Now detecting 2500 viruses per day
6
What Is MailScanner?

• It is an e-mail security system deployed on your
  e-mail gateways and servers
• It will capture every known virus passing through
  your e-mail servers
• It will identify and handle well over 95 of all
  the spam
• It will implement your sites email policy

7
What Is MailScanner (cont.)

• Checks for most common attacks on
  previously-exploited security vulnerabilities
• Highly configurable to provide different settings
  for any arbitrary group of users or domains
• It is very fast, robust and secure much lighter
  load than other systems
• Many other features!

8
Without MailScanner
9
With MailScanner
10
Spam Scanning

• Most of the spam scanning is done with the help
  of SpamAssassin
• DNS blacklists
• over 850 heuristic rules
• Bayesian probability system
• Distributed network-based checks such as Razor,
  DCC, Pyzor which track the frequency of messages
  around the world to identify spam

11
MailScanner and SpamAssassin versus RBL blacklists
Spam breakdown of our incoming mail for April
May 2003 Total messages 791,000
12
Spam Handling

• Subject line is tagged so users can filter easily
• Message may be tagged, delivered, deleted,
  archived, bounced, encapsulated, notified and/or
  stripped to plain text
• Stripping to plain text and encapsulation are
  extremely effective against the rising tide of
  pornographic spam
• 1 in 500 messages

13
Virus Scanning

• Scans all e-mail passing through it for viruses
  using any combination of the supported anti-virus
  engines
• Many sites run 2 or 3 different engines for
  better coverage and resistance against brand new
  viruses

14
Anti-Virus Engines

• 17 are supported, including all the major market
  leaders
• ClamAV is free and has greatly improved recently
• eTrust is 129 per server regardless of number of
  users
• Sophos is very good and has excellent academic
  discounts

15
Virus Handling

• Attachments containing viruses or other security
  problems are removed
• All safe content is delivered untouched
• Recipients and senders may get a warning
  explaining what happened and who they should
  contact for help
• System admin notified of basic details of message
  and what viruses were found

16
Attachment Filenames Contents

• Allows/denies attachments based on filename and
  file content, providing implementation of any
  email security policy. Easily used to block
  attachments which are common ways of disguising
  viruses, e.g. ReadMe.doc.exe
• These can be varied for different users

17
HTML-based Attacks

• Scans for common signs of attack such as ltIFramegt
  and ltObject Codebasegt HTML tags
• Both have been used many times to exploit
  vulnerabilities in Outlook ( Express) and
  Internet Explorer
• Dangerous HTML content can be stripped

18
Other Attacks

• Denial of Service attacks such as the Zip of
  Death and DNS blocks
• Looks for, and will optionally ban
• messages with external bodies
• partial or fragmented messages
• Attempts to scan these would open up system to
  Denial of Service attacks
• Quietly fixes Eudora/Cyrus IMAP incompatibilities

19
Encrypted E-Mail

• Can selectively enforce or ban use of encrypted
  email between addresses
• Will save public keys from email messages
  allowing future automatic encryption to be
  implemented if needed

20
Highly Configurable

• Virtually all configuration parameters can be set
  using fixed values, rulesets or Custom
  Functions
• Rulesets allow different values for any users or
  domains you specify
• Reports are supplied in 15 languages
• Language can be different for different domains
  and users

21
Custom Functions

• These allow implementation of any other
  configuration model you choose, including
  external databases of user options
• Many useful examples are provided
• Minimal Perl knowledge needed

22
You Could Go Commercial

• If you have the money to pay people like
  MessageLabs, Trend or Brightmail, then you are
  very rich!
• As an example, 3 years ago Trend quoted us about
  50,000 per year to virus check mail coming into
  our University
• At recent InfoSec show, 56,000 would buy a PC in
  a 2U case running a very naïve anti-spam system
  a choice of 2 virus scanners

23
Reputation

• Protects over 750 million messages per day at
  about 40,000 sites in over 45 countries on all 7
  continents (The 7th is the British Antarctic
  Survey)
• Used by US Navy Central War Command, US Army and
  government departments
• Used by European Commission, WIPO, UCLA, Harvard,
  MIT, Siemens, HP, BAe, UK Research Councils,
  Cambridge University and many other commercial
  and non-commercial sites
• Over 200,000 downloads, currently15,000 per month

24
MailScanner is Free

• Many sites can run it on existing hardware.
• 1 PC can fully process up to 1.5 million messages
  per day.
• You will probably want an anti-virus engine or
  two

25
Very Easy To Install

• Current record is 10 minutes for a complete
  system installation including all Perl modules
  and a virus scanner
• Installation script automates most of the process
  for you
• Installs all required Perl modules
• Configures RPM build options
• Fixes POD (Perl Documentation) problems

26
Very Easy To Configure

• All configuration options are set to sensible
  defaults
• Only 1 configuration option needs to be changed
  from the default the virus scanner
• Easy-to-follow installation guides provided for
  sendmail, Exim, Postfix and ZMailer systems.
  Qmail to follow soon
• No sendmail.cf changes at all

27
Installation

• MailScanner Download and install rpm version
• SpamAssassin Use CPAN to install
  MailSpamAssassin
• Also consider installing
• Razor2
• Pyzor
• DCC
• Caching DNS Server

28
Configuration

• For example, getting SpamAssassin going
• Set Use SpamAssassin yes in MailScanner.conf
• Thats all that is required
• No messing around with external scripts,
  spamc/spamd or procmail
• Spamd daemon not used
• Its Perl API is called directly for maximum
  efficiency and speed

29
Recent Additions

• Content scanning of all the text in a message
  looking for keywords and phrases (aimed at
  corporate market)
• Automatic IP blocking of sites flooding you with
  viruses and/or spam
• Spam can be converted into an attachment of the
  original message, forcing user to click through
  to the spam message

30
Recent Additions

• Can use virus name in rulesets
• Easy upgrading of MailScanner.conf file
• Per-domain/user spam whitelists blacklists
• Support for Sophos SAVI library
• much faster than Sophos sweep
• Logging to SQL database
• Retrieval of options from SQL database
• Support for Qmail coming very soon

31
Further Information

• www.mailscanner.info
• Contact me at mailscanner_at_ecs.soton.ac.uk
• Mailing list at
• www.jiscmail.ac.uk/lists/mailscanner.html
• Just want announcements?
• www.jiscmail.ac.uk/lists/mailscanner-announce.html
  

32
Generously supported by