GFI's Mail Security and Mail Essentials for SMTP Servers

It's estimated that spam makes up as much as 20 percent of the total traffic moving through the Internet. Spam clogs e-mail boxes, and contains viruses, worms, and offensive language. Spam fills the massive disks on today's mail servers and is a public nuisance. Spam can negatively impact your personal and professional life: just think about how many times you've accidentally ignored an important message because it got lost in a sea of spam in your inbox.

We don't have to convince you that something needs to be done about spam. Many network administrators use Real-time Black Hole Lists to automate spam blocking on their networks. The problem with RBLs is they are maintained by third parties. If there is one thing we learned during the dot com bomb, it's that inappropriate trust in third parties can put your business in jeopardy.

There are several types of RBLs. Legitimate RBLs look for open mail relays on the Internet and blacklist the IP addresses of the open relays. The blacklisting is based on the assumption that eventually, a spammer will find the open relay and use it to send spam. The problem with this approach is that the open relay will be blacklisted even if no spam has ever been sent through it. It's sort of like the police taking you into custody for a shooting because you have two hands, one of which might have held a gun.

The other type of RBL is based on user reports. One user of the service reports that he received mail that he thinks is spam. That user tells three of his friends to make the same report. BANG! The domain from which the alleged spam is sent is blocked by the RBL. Suppose you send someone an e-mail message inviting him to your birthday party. He didn't ask for that message, so he reports you as a spammer, and he gets three of his antisocial friends to send in the same report. A couple of days later, you find that some people aren't getting mail from you. Why? Your domain or account has been blocked by the RBLs that blindly trust user reports.

This type of spam blocking has to be the most egregious form of censorship we've seen in decades. Everyone hates spam, we really hate spam, but we hate the idea of a third party censoring what should be sent to our network. That's our job, our responsibility, and our mail. It's not the job of some anonymous RBL to decide what's legitimate.

The SMTP Message Screener goes a long way to resolving the spam problem. You can block mail based on text strings. The problem is that you don't have much flexibility with the SMTP Message Screener. For example, you can't:

  • Easily save the keyword entries in the Message Screener

  • Check for e-mail viruses using the Message Screener

  • Check for viruses in e-mail attachments using the Message Screener

  • Import a list of keywords from a text file into the Message Screener

  • Check for non-virus-related e-mail exploits with the Message Screener

  • Check for whole words in the Message Screener (you can only check for text strings)

  • Create conditional content checking rules for e-mail

It's our opinion that the only valid way to control spam is by using a keyword method. We've found that the most effective way to prevent spam from getting to user mailboxes is to create a list of keywords that don't apply to the legitimate business or personal communications. Using this method, you can control over 99 percent of the spam entering your network.

While the ISA Server SMTP Message Screener is better than nothing, we've found that the best tool for this job is GFI Software's MailSecurity, which can be used to block spam in both small and large organizations. MailSecurity is easy to set up, and you can import your spam filter list easily from a text file. It also detects e-mail viruses and attachments, and auto-updates its virus definition list on a daily basis.

MailSecurity Versions

There are two versions of MailSecurity. One plugs into your Exchange 2000 server and inspects the contents of the message store. The other version is for SMTP mail gateways and inspects mail as it moves through the gateway. The main advantage of the Exchange Server version is that it can inspect mail sent between internal users. The main advantage of the SMTP relay version is that it has more information about each e-mail and can decide better what mail is considered inbound and outbound. MailSecurity can be configured to inspect only inbound, only outbound, or both inbound and outbound e-mail.

We typically install an SMTP relay on all networks that have an Exchange 2000 server. For that reason we consider the SMTP gateway version the best choice. Note that you can use both versions. You can install the SMTP gateway version on your SMTP relay, and you can install the Exchange Server 2000 version on your Exchange server and you don't have to buy any more licenses for filtering based on keyword, user, or domain. You do need to pay extra for a maintenance contract and automatic anti-virus updates.

Installing MailSecurity for SMTP Gateways

Installing MailSecurity for SMTP gateways is straightforward:

  1. Download the installation file from www.gfi.com/mailsecurity/index.html and run the mailsecurity.exe installation package. The Welcome to the GFI MailSecurity for Exchange/SMTP Installation Wizard page will be displayed (Figure 28.24). Click Next to continue.

    Figure 28.24: The Welcome Page

  2. The License Agreement page appears. Select the I accept the license agreement option and click Next.

  3. On the User Information page, enter your name, company name, and serial number (if you have one; otherwise, use Evaluation as your key). Click Next.

  4. On the Administrator Email page (Figure 28.25), enter the MailSecurity administrator e-mail address. Notification messages can be sent to the administrator e-mail account you enter here. You can add more administrators or change the one you enter here later. Click Next.

    Figure 28.25: The Administrator Email Dialog Box

  5. On the Destination Folder page, select the location of the program files and click Next.

  6. This brings you to the Mail Server page shown in Figure 28.26. If your SMTP relay is on a DMZ segment, enter the IP address on the external interface of the ISA server used by the SMTP server publishing rule that's publishing the internal network Exchange server.

    Figure 28.26: The Mail Server Information Page

  7. If the SMTP relay is on your internal network, enter the IP address of your Exchange server. The default port TCP 25 will work in the majority of cases. However, if you want MailSecurity to send to an alternate port, just type the alternate port number in the on port text box. The setup program will create a remote domain in the IIS SMTP service for the domain you enter in the Local domain text box. If you are managing multiple mail domains, you should manually create those remote domains after the installation is complete.

  8. Click Next to continue.

  9. Identify the type of mail server that is running MailSecurity (see Figure 28.27). In this example, we're installing MailSecurity on an SMTP relay, so the second option is correct. Click Next to continue, and click Next one more time to start installing the application.

    Figure 28.27: Choosing the Mail Server Type

  10. Click Finish when you get notification that the application has been installed successfully.

  11. Open the Internet Information Services console after you're finished installing MailSecurity. Expand the Default SMTP Virtual Server node and click the Domains node. You'll see that a new remote domain was created and configured to use your internal mail server as a smart host. If you configure MailSecurity on a DMZ SMTP relay, you'll see the IP address used on the external interface of the ISA server in your SMTP server publishing rule. If you host multiple mail domains, create a remote domain for each domain you host and have them use your mail server as a smart host. Make sure that your server is not configured as an open relay by setting the appropriate relay settings on the Default SMTP Virtual Server (Figure 28.28).

    Figure 28.28: Remote Domain Configuration

Configuring MailSecurity

  1. Select Start | Programs | GFI MailSecurity | MailSecurity Configuration. Figure 28.29 shows all the features in an MMC console.

    Figure 28.29: MailSecurity Configuration

  2. Click the Content Checking node in the left pane, then double-click the Default Content Checking Rule. This is where you create your e-mail content checking rules. You can create rules that look for a particular keyword, or you can create rules based on keywords with conditions. In Figure 28.30, you'll see some keyword rules that have conditions. For example, we want to block all mail that has the keywords "special offer." However, we don't want to block special offers from GFI.

    Figure 28.30: Configuring Keywords

  3. Notice that you have the option to check inbound and outbound mails. You can also block PGP encrypted mail. This will prevent mail encrypted with PGP from bypassing your content checking rules. This is a valuable feature, as users might try to use PGP to send out proprietary information about corporate projects. For example, you might be working on a project and use an internal code name for that project. No one on the outside should know the project or its code name. If users sent mail encrypted by PGP, they would get around your keyword filters. You can also check the attachment content. This prevents attachments with forbidden content from reaching users' mailboxes.

  4. You can monitor incoming mail in real time and see which mail was allowed and which was caught by the content checking rules. The GFI Monitor (Figure 28.31) shows you mail as it's being processed.

    Figure 28.31: GFI Monitor Displaying Actions in Real Time

  5. The Moderator Client (Figure 28.32) allows you to see the actual messages caught by the content checking rules. When you double-click the blocked message, you'll see the reason why the message was caught, some details about the message, and files associated with the message. You can right-click the content file and open the message. Plain text messages are saved as text files, and HTML messages are saved as HTML files. The HTML files are safe to open because dangerous scripts and viruses are removed.

    Figure 28.32: The Moderator Client

  6. Click the Attachment Checking node in the left pane, and then double-click on the Default Attachment Checking Rule (Figure 28.33) in the right pane. This option allows you to block attachments for inbound or outbound mail (or both). There's a built-in list of attachments that can be blocked, and you can easily add your own custom attachments.

    Figure 28.33: Attachment Checking Options

  7. Now for the best feature of MailSecurity: the virus scanning engines. MailSecurity allows you to scan mail for viruses using multiple scanning engines. If one of the virus scanning engines doesn't catch a virus, it'll try again with another scan engine. This provides a high level of security for both incoming and outgoing e-mail. This redundant virus scanning method is unique to MailSecurity.

  8. Notice that you have the option to scan inbound mail, outbound mail, or both. You can also block Word documents that have macros. Word macro viruses are a big problem, so blocking them can go a long way toward protecting your users from Word macro exploits. In Figure 28.34, you see the options for automatically downloading and installing virus definition updates.

    Figure 28.34: The Virus Checking Engines

  9. The system automatically downloads virus definitions, and we've never had a problem getting them to download from behind the ISA server. The system uses FTP to download the updates, so you need to create an FTP protocol rule to allow the mail server to download the updates. If you run MailSecurity on the ISA server, you'll need to create packet filters to allow for PORT mode FTP communications between the ISA server and the GFI FTP server (Figure 28.35).

    Figure 28.35: Configuring FTP Virus Definitions Download Options

  10. Click the E-mail Exploit Engine node in the left pane of the console. In the right pane (Figure 28.36), you'll see an impressive list of e-mail exploits MailSecurity checks for. The e-mail exploit engine is disabled by default, so you have to right-click the node in the left pane of the console and click Enable. We don't see any reason not to run the e-mail exploit engine, so we recommend that you always enable it and allow MailSecurity to check for all of the included exploits. If for some reason you need to disable checking for a particular exploit, you can right-click it and click Disable.

    Figure 28.36: Checking for E-Mail Exploits

  11. Some e-mails are so obviously spam that you don't need to ever look at them. This type of blatant spam can be deleted without you ever needing to review it in the Moderator Client console. The Anti-spam feature allows you to enter keywords that are never included in legitimate e-mails. As with the content checking feature mentioned earlier, you can have MailSecurity check the mail body or subject line for these uniquely inappropriate or offensive keywords. When a message matches the keywords in the Anti-Spam dialog box, the mail can be deleted immediately or put in a folder for later checking (Figure 28.37).

Figure 28.37: Whacking Spam with the Anti-Spam Feature

For both content checking and anti-spam rules, you can choose what action to take on the e-mail (See Figure 28.38). For the content checking option, you can quarantine the mail, delete it, or move it to a particular folder for evidence collection. You also have the option to notify users that they sent or received a forbidden mail. You can also inform the user's manager. The manager is defined in the user account properties in the Active Directory.
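As an added example (not GFI's code or the page's own), here is a small Python model of the conditional content-checking and anti-spam keyword rules described above: the "special offer" rule with an exception for mail from GFI, whole-word matching, and the delete/quarantine/allow actions. The keyword lists, sender exceptions and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Keyword lists are constructed for this example (MailSecurity imports
# such lists from a text file); they are not GFI's rules.
CONTENT_KEYWORDS = ["special offer", "confidential project"]
# Conditional rule from the text: "special offer" is fine if it comes from GFI.
SENDER_EXCEPTIONS = {"special offer": {"gfi.com"}}
# Anti-spam keywords never appear in legitimate mail; matches are deleted.
ANTISPAM_KEYWORDS = ["make money fast", "lose weight now"]


def message_text(msg):
    """Return the subject plus every text/* body part, lower-cased."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts).lower()


def contains_phrase(text, phrase):
    """Whole-word match, so 'special offer' does not hit 'special offers'."""
    return re.search(r"\b" + re.escape(phrase.lower()) + r"\b", text) is not None


def evaluate(raw_message):
    """Return (action, reason), where action is 'delete', 'quarantine' or 'allow'."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for kw in ANTISPAM_KEYWORDS:          # blatant spam: delete without review
        if contains_phrase(text, kw):
            return "delete", f"anti-spam keyword: {kw}"
    for kw in CONTENT_KEYWORDS:           # content rules: quarantine for the moderator
        if contains_phrase(text, kw):
            if sender_domain in SENDER_EXCEPTIONS.get(kw, set()):
                continue                  # condition satisfied: allowed sender
            return "quarantine", f"content keyword: {kw} from {sender_domain or 'unknown'}"
    return "allow", "no rule matched"


# Constructed sample messages (RFC 822 text) used to exercise the rules.
SAMPLES = {
    "offer": "From: sales@example.net\nSubject: Special Offer just for you\n\nBuy now.\n",
    "gfi": "From: news@gfi.com\nSubject: Special offer on MailSecurity\n\nHello.\n",
    "blatant": "From: x@example.org\nSubject: hi\n\nMake money fast!!!\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```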

Figure 28.38: Deciding What Action to Take with Filtered Mail

We have found the performance of MailSecurity acceptable. If you have a large number of rules and enable all the virus engines and exploit checking, it might take a few seconds to evaluate a single e-mail. If you have a busy mail server, you'll want to make sure to load it up with RAM and a fast processor. However, if you don't require instantaneous delivery of e-mail from the relay to the main mail server, you're in good shape. The engine doesn't choke or die when it's busy; it just slows down. All the mail still gets checked and cleaned before making its way to your server.

You need to put together a list of keywords that are specific for your organization in order to see the best results with your e-mail checking rules. This can take a week or two. One thing that we find useful is to create a Hotmail account and then subscribe that Hotmail account to a number of different Web sites. You can also post messages to USENET message boards and put that account in the return address. This will get the account quickly subscribed to a large number of spammer lists. You can use the spam sent to your Hotmail inbox for ideas on what keywords to put into the MailSecurity keyword database. If you want to get a head start on your list, check out our list of keywords, which we update weekly, at ftp.tacteam.net/isaserver/spamlist.tx.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240