In this, the third and final installment, we’ll go through the security options available to admins through SecurityGateway. There is a good bit of information to cover, so let’s get started!
All options noted below can be found by first logging into SecurityGateway as an admin and then clicking the ‘Security’ button in the bottom left hand corner.
Anti-Spam Sub Menu
“Outbreak Protection” is a spam and virus filtering component, developed by Cyren, that differs from a traditional signature- or rule-based anti-spam filter. Outbreak Protection uses “Recurrent Pattern Detection” technology to detect spam and viruses, which allows new threats to be identified quickly. Instead of waiting for vendors to release new rules or signatures, Outbreak Protection can start identifying a new threat within minutes of its appearance, which is why it is considered a “zero hour” protection filter.
Heuristics and Bayesian
This is the core spam filtering component of SecurityGateway. It uses the highly popular SpamAssassin, which applies heuristic rules to find and classify emails. Each rule that a message triggers adds a certain number of points to the message’s spam score. If the score reaches a configured threshold, the email is classified as spam.
Bayesian classification, in a nutshell, takes a learning approach to spam filtering. It records the words found in known good emails and the words found in known bad (spam) emails. Based on those counts, a probability calculation then determines whether a new email is more likely to be spam or ham (i.e. good email). The classifier is only as good as the mail it has been trained on, so it needs examples of both kinds before its verdicts mean much.
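The following Python example is added here to show the probability calculation the paragraph describes; it is not code from the original article or from SecurityGateway, and its training corpus, token handling and point values are constructed for the demo. It is a word-count naive Bayes classifier with add-one smoothing, plus a small mapping from probability to spam-score points in the spirit of the heuristics engine’s rules described above.

```python
import math
import re
from collections import Counter

# Constructed training corpus: a handful of made-up "spam" and "ham" messages,
# standing in for the mail a gateway would have been trained on.
SPAM_CORPUS = [
    "free money now click here to claim your prize",
    "cheap pills online discount buy now",
    "you have won a lottery prize claim now",
    "earn money fast work from home click here",
]
HAM_CORPUS = [
    "the project meeting is moved to tuesday afternoon",
    "please review the attached report before the call",
    "lunch tomorrow at noon works for me",
    "minutes from the security review are in the wiki",
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayesSpamFilter:
    """Word-count Bayesian classifier with Laplace (add-one) smoothing, so a
    word seen in only one class cannot drive the result to exactly 0 or 1."""

    def __init__(self):
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_words.update(toks)
            self.spam_msgs += 1
        else:
            self.ham_words.update(toks)
            self.ham_msgs += 1

    def log_odds(self, text):
        """log(P(spam|text) / P(ham|text)) under the naive independence assumption."""
        vocab = len(set(self.spam_words) | set(self.ham_words))
        spam_total = sum(self.spam_words.values()) + vocab
        ham_total = sum(self.ham_words.values()) + vocab
        score = math.log(self.spam_msgs / self.ham_msgs)  # class prior
        for tok in tokenize(text):
            p_spam = (self.spam_words[tok] + 1) / spam_total
            p_ham = (self.ham_words[tok] + 1) / ham_total
            score += math.log(p_spam) - math.log(p_ham)
        return score

    def spam_probability(self, text):
        x = max(-500.0, min(500.0, self.log_odds(text)))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-x))


def bayes_points(prob):
    """Translate the probability into spam-score points, the way the heuristics
    engine's rules add points. Bucket boundaries and values are assumptions."""
    if prob >= 0.99:
        return 3.5
    if prob >= 0.80:
        return 2.0
    if prob >= 0.50:
        return 1.0
    if prob <= 0.01:
        return -2.0
    return 0.0


def build_filter():
    f = NaiveBayesSpamFilter()
    for m in SPAM_CORPUS:
        f.train(m, True)
    for m in HAM_CORPUS:
        f.train(m, False)
    return f
```

With the constructed corpus, "claim your free prize now" comes out well above 0.99 and "please review the meeting minutes" well below 0.01; in production the same arithmetic runs over thousands of messages, which is what makes the smoothing matter.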
DNS Blacklists (DNSBL)
SecurityGateway checks connecting IP addresses against DNS blacklist services that maintain lists of servers known to send or relay spam. You can add any number of blacklist servers, and Spamhaus and SpamCop are two that are added by default on a new installation of SecurityGateway.
URI Blacklists (URIBL)
This filtering component looks up the web links found in the bodies of emails. As URLs, or domains, are found in the links of spam emails they are added to a database that SecurityGateway can query. We can then either outright block emails containing blacklisted URLs or add points to the message’s spam score.
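To make the DNSBL and URIBL lookups above concrete, here is an added Python example (not code from the original article or from SecurityGateway) that builds the query names the two kinds of list expect and interprets the answers. The zone names are real public lists, but the resolver is a constructed stub with made-up answers so the code runs offline, and the point values are assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed stand-in for DNS: maps query names to the A record a list would
# return. These entries are made up for the demo; 127.0.0.2 is the address most
# lists use for a generic "listed" answer.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "shady-pills.example.multi.uribl.com": "127.0.0.2",
    "7.113.0.203.zen.spamhaus.org": "127.255.255.254",  # an error code, not a listing
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried with the IPv4 octets reversed and the zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def uribl_query_name(domain: str, zone: str) -> str:
    """A URIBL is queried with the domain itself prepended to the zone."""
    return domain.lower().rstrip(".") + "." + zone


def listing_status(answer: Optional[str]) -> str:
    """Interpret the A record: 127.0.0.x means listed (x encodes the reason),
    127.255.x.x is how some lists report query errors such as an open resolver
    or a query quota, and anything else should be treated as suspicious output."""
    if answer is None:
        return "not-listed"
    addr = ipaddress.IPv4Address(answer)
    if addr in ipaddress.IPv4Network("127.0.0.0/24"):
        return "listed"
    if addr in ipaddress.IPv4Network("127.255.0.0/16"):
        return "error"
    return "unexpected"


def score_connecting_ip(ip, zones, resolve=fake_resolve, points_per_hit=3.0):
    """Return (zones that list the IP, points to add). Errors add no points, so a
    broken resolver never turns every connection into spam."""
    hits = [z for z in zones
            if listing_status(resolve(dnsbl_query_name(ip, z))) == "listed"]
    return hits, points_per_hit * len(hits)


URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def score_body_links(body, zone, resolve=fake_resolve, points_per_hit=2.0):
    """Pull host names out of links in the body and check each against a URIBL.
    Real URIBLs are keyed on the registrable domain; this demo queries the host
    name as written, which is the simplification to remove in production."""
    hosts = sorted(set(h.lower() for h in URL_HOST_RE.findall(body)))
    hits = [h for h in hosts
            if listing_status(resolve(uribl_query_name(h, zone))) == "listed"]
    return hits, points_per_hit * len(hits)
```

The error-code handling is the part worth copying: a list that answers 127.255.255.254 is telling you your query was refused, and treating that as a listing would reject legitimate mail.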
Greylisting is an anti-spam option that inserts an intentional delay on inbound emails from unknown senders. Email servers that use greylisting do this by initially answering with a 4xx (temporary failure) SMTP response. Any legitimate sending server that encounters a 4xx response will retry delivery according to its own retry settings. The premise of this feature is that spammers typically don’t retry when they encounter an error during delivery; they simply blast out as many emails as they can and hope for the best! The trade-off is that the first message from a new sender is delayed by however long the sending server waits before retrying.
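Here is the greylisting decision written out as an added Python example (my code, not SecurityGateway’s; the delay, retry window and expiry values are assumptions rather than product defaults). It keys on the sender network, MAIL FROM and RCPT TO triplet and takes an injectable clock so the behaviour can be exercised offline.

```python
import ipaddress
import time


class Greylist:
    """Greylisting on the (sender network, MAIL FROM, RCPT TO) triplet.

    Unknown triplets get a 451 and must come back after `delay` seconds but
    within `retry_window`; triplets that pass are remembered for `expire`
    seconds. All three timings are this example's assumptions."""

    def __init__(self, delay=300, retry_window=4 * 3600,
                 expire=36 * 24 * 3600, clock=time.time):
        self.delay, self.retry_window, self.expire = delay, retry_window, expire
        self.clock = clock
        self.pending = {}   # triplet -> time first seen
        self.passed = {}    # triplet -> time last accepted

    @staticmethod
    def triplet(ip, mail_from, rcpt_to):
        # Key on the /24 (or /64 for IPv6) rather than the exact address: big
        # senders often retry from a different host in the same pool, which
        # would otherwise restart the clock on every attempt.
        prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, ip, mail_from, rcpt_to):
        """Return the (code, text) SMTP reply to give at RCPT TO time."""
        key = self.triplet(ip, mail_from, rcpt_to)
        now = self.clock()
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok < self.expire:
            self.passed[key] = now                  # known-good: refresh and accept
            return (250, "2.1.5 Recipient OK")
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now                 # new (or stale) triplet: start the clock
            return (451, "4.7.1 Greylisted, please retry later")
        if now - first < self.delay:
            return (451, "4.7.1 Greylisted, please retry later")  # retried too soon
        del self.pending[key]                       # retried in the window: let it through
        self.passed[key] = now
        return (250, "2.1.5 Recipient OK")
```

A 451 is deliberately used rather than a 450 so that the reply reads as "try again" to every compliant MTA; a sender that never comes back was, as the paragraph says, almost certainly a bot.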
Email certification is a process by which a source you trust vouches for the behavior of an authenticated identity (the sender’s domain) associated with a message. Certification allows you to treat inbound email differently when performing certain security lookups. A sending domain that has been certified can either be exempted from spam filtering, or have points subtracted from the message’s spam score.
Spammers are known for spoofing who an email is from, and when a receiving email server rejects such a message, the bounce notification goes to the real owner of the spoofed address. This is known as backscatter. SecurityGateway keeps these bogus bounces from reaching your users by protecting the Return-Path (envelope sender) address: a tag generated with a secret key is appended to the local user’s address on every email sent to an external source. If a bounce message comes back to SecurityGateway and the tag is missing, the bounce can be rejected, since SecurityGateway did not send the original email.
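The following Python example is added to illustrate the tagging scheme in the paragraph above; it is my code, not SecurityGateway’s implementation, and follows the BATV layout (prvs=DDDSSSSSS=user@domain) with an HMAC-SHA256 tag. The secret, the seven-day lifetime and the reply texts are assumptions.

```python
import hmac
import hashlib

# Assumption: a secret known only to the gateway. Rotate it periodically and
# keep the previous one for the length of the tag lifetime so old tags verify.
GATEWAY_SECRET = b"constructed-demo-secret-change-me"
TAG_LIFETIME_DAYS = 7


def _mac(secret, expiry_day, address):
    msg = f"{expiry_day:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def sign_return_path(address, today, secret=GATEWAY_SECRET, ttl=TAG_LIFETIME_DAYS):
    """Rewrite alice@example.com to prvs=DDDSSSSSS=alice@example.com.
    DDD is the expiry day (a day counter modulo 1000) and SSSSSS is a keyed hash
    over the expiry day and the address, so neither can be altered without the key."""
    expiry = (today + ttl) % 1000
    return f"prvs={expiry:03d}{_mac(secret, expiry, address)}={address}"


def verify_bounce_recipient(recipient, today, secret=GATEWAY_SECRET, ttl=TAG_LIFETIME_DAYS):
    """Return the original address if the tag is present, valid and unexpired, else None."""
    if not recipient.startswith("prvs="):
        return None
    tag, sep, address = recipient[len("prvs="):].partition("=")
    if not sep or len(tag) != 9 or not tag[:3].isdigit():
        return None
    expiry = int(tag[:3])
    days_left = (expiry - today) % 1000
    if not 0 < days_left <= ttl:       # expired, or a date no genuine tag could carry
        return None
    if not hmac.compare_digest(_mac(secret, expiry, address), tag[3:]):
        return None                     # tag does not match: forged or from another key
    return address


def handle_inbound(mail_from, rcpt_to, today, secret=GATEWAY_SECRET):
    """Decide what to do with an inbound message at RCPT TO time.
    A bounce is recognised by its empty reverse path (MAIL FROM:<>)."""
    original = verify_bounce_recipient(rcpt_to, today, secret)
    if mail_from == "":
        if original is None:
            return (550, "5.7.1 Bounce to an address we never sent from; backscatter rejected")
        return (250, f"2.1.5 Deliver bounce to {original}")
    # Ordinary mail addressed to a tagged address (a reply to a tagged
    # Return-Path, say) is simply mapped back to the real mailbox.
    return (250, f"2.1.5 Deliver to {original or rcpt_to}")
```

Note what the check actually proves: a bounce to an untagged or badly tagged address cannot be a reaction to mail this gateway sent, so rejecting it loses nothing; the day counter keeps a captured tag from being replayed indefinitely.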
As noted above, “Heuristics and Bayesian” filtering uses a scoring system to determine whether a message is spam. The options in this section define the thresholds for that score: emails scoring at or above one threshold can be rejected outright, and a second, lower threshold can be set so that emails scoring at or above it are quarantined instead.
Anti-Virus Sub Menu
Virus scanning options in SecurityGateway include the Clam AntiVirus email scanning engine and Cyren’s Anti-Virus. Clam AntiVirus is a traditional signature-based virus scanner, while Cyren uses its own Recurrent Pattern Detection technology to detect viruses.
You decide how often SecurityGateway should check for new virus signatures!
Anti-Spoofing Sub Menu
SecurityGateway can do PTR (reverse DNS) lookups on the connecting IP address, lookups on the host name given in the HELO/EHLO command, and lookups on the domain name passed in the MAIL FROM command during the SMTP session. By default SecurityGateway does not reject any emails based on these lookups, but the option is available if needed.
By default SecurityGateway will verify DKIM-signed email. DKIM (DomainKeys Identified Mail) is a method of signing an email with a private/public key pair so that the receiving server can verify which domain signed the message and that the signed headers and body were not altered in transit. DKIM helps ensure that a message claiming to come from a certain domain was in fact signed by that domain (so the signature cannot simply be spoofed) and that the content of the message was not tampered with.
There’s a great read explaining what DKIM is by Message Exchange titled “How to explain DKIM to your grandmother”.
Use these options to configure SecurityGateway to start signing outbound emails using DKIM. There is not much to configure here beyond turning on DKIM signing and choosing which domain(s) to sign for. The longest part of this process is publishing the public key in a DNS TXT record for your domain (under the selector name), so that receiving servers can find it.
SecurityGateway can verify that senders are valid users who can receive email. A large number of spam emails have forged “From” addresses that may not actually exist. SecurityGateway checks this by connecting to the sender’s email server and supplying the sender’s address in a RCPT TO command, then looking for either a “Recipient OK” (250) or an “Unknown User” (550) response. Keep in mind that this callback only shows the address exists, not that its owner sent the message, and a server that accepts mail for any address will always answer “OK”.
Anti-Abuse Sub Menu
Out of the box, SecurityGateway will not relay any email, although we can allow certain hosts to relay based on their connecting IP address or host name.
By default SecurityGateway requires authentication during the SMTP session if a message claims to be from a local user.
This security feature works by pairing a domain name with an IP address or IP address range. If an inbound email claims to be from a local domain, or from a domain listed here, SecurityGateway expects the connection to be coming from the paired IP address or range. This is a great feature for weeding out emails where a spammer has spoofed one of your local users’ addresses in the From header. Here’s a link to another blog article I wrote on the IP Shield feature found in MDaemon. While the GUI options may look a bit different, the IP Shielding feature works the same in both products.
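As an added Python example (my code, not SecurityGateway’s), here is the IP Shield decision written out against a constructed domain-to-network table. The exemption for authenticated sessions is an assumption of this example; whether the claimed domain comes from the envelope MAIL FROM or the From header is left to the caller.

```python
import ipaddress

# Constructed IP Shield table: domain -> networks allowed to send mail claiming
# to be from that domain. Addresses are documentation ranges, not real servers.
IP_SHIELD = {
    "example.com": ["203.0.113.0/24", "198.51.100.25/32"],
    "mail.example.com": ["203.0.113.0/24"],
}


def ip_shield_check(connecting_ip, claimed_domain, shield=IP_SHIELD, authenticated=False):
    """Return (accept, reason).

    `claimed_domain` is the domain part of the sender the message claims (the
    envelope MAIL FROM, or the From header if the check is configured to look
    there). Authenticated sessions are let through, because a user sending from
    a hotel network has already proven who they are; that exemption is this
    example's assumption, not a statement about the product's defaults."""
    domain = claimed_domain.lower().rstrip(".")
    networks = shield.get(domain)
    if networks is None:
        return True, f"{domain} is not shielded"
    if authenticated:
        return True, "authenticated session, shield not applied"
    ip = ipaddress.ip_address(connecting_ip)
    for net in networks:
        if ip in ipaddress.ip_network(net):
            return True, f"{ip} is within {net} for {domain}"
    return False, f"{ip} claims {domain} but is not in {', '.join(networks)}"


def smtp_reply_for(connecting_ip, mail_from, shield=IP_SHIELD, authenticated=False):
    """Turn the check into the reply given at MAIL FROM time."""
    domain = mail_from.rsplit("@", 1)[-1]
    ok, reason = ip_shield_check(connecting_ip, domain, shield, authenticated)
    if ok:
        return (250, "2.1.0 Sender OK")
    return (554, f"5.7.1 IP Shield: {reason}")
```

The failure case is the interesting one: a message arriving from 192.0.2.44 with MAIL FROM:<ceo@example.com> is refused at the envelope stage, before any body is accepted, which is exactly the spoofed-local-user scenario the feature targets.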
These options let SecurityGateway track the behavior of connecting IP addresses while they attempt to deliver email. If an IP behaves suspiciously, for example producing too many failed RCPT TO commands during the SMTP session (which indicates it may be trying to guess valid addresses), too many failed authentication attempts (password guessing), or too many RSET commands, SecurityGateway will ban that IP address from connecting for a default of 10 minutes. This limits how effective address or password guessing can be.
Tarpitting is the act of inserting a delay into the processing of SMTP commands. Spam-sending bots typically just try to send out as many emails as possible without caring about any responses they get back. Inserting this delay in SMTP command processing may “trip up” such bots: if they start sending commands out of sequence, SecurityGateway will reject the email and close the session.
Use these options if you wish to restrict how much bandwidth SMTP sessions are allowed to use. This is a handy feature for sites that may be forced to use slower internet connections, e.g. due to the location of the company.
Account Hijack Detection
In an ideal world we would all use secure passphrases that are very hard to guess. In the real world, though, even strong passwords and passphrases do get compromised. Once a spammer has an account’s credentials figured out they will send as much spam as they possibly can before an admin notices and corrects the problem. This feature limits the amount of email a local user can send within a certain time frame, limiting the damage done and hopefully preventing your server from being blacklisted. When the limit is breached SecurityGateway will prevent the account from sending any more new email, although the account will still receive email.
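Dynamic Screening (above) and Account Hijack Detection both come down to counting events in a sliding time window and acting when a threshold is reached, so one added Python example covers both. It is my code, not SecurityGateway’s, and it runs over a constructed SMTP session log in a made-up layout (AUTH shows the user name in clear for readability, which a real log would not). The limits, window and ban length are set small for the demo and are assumptions, apart from the 10-minute ban the article mentions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed SMTP session log (not SecurityGateway's real log format).
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.5 RCPT TO:<aaa@example.com> -> 550 5.1.1 Unknown user
2024-05-01 10:00:02 203.0.113.5 RCPT TO:<aab@example.com> -> 550 5.1.1 Unknown user
2024-05-01 10:00:03 203.0.113.5 RCPT TO:<aac@example.com> -> 550 5.1.1 Unknown user
2024-05-01 10:00:04 203.0.113.5 RCPT TO:<bob@example.com> -> 250 OK
2024-05-01 10:01:00 198.51.100.9 AUTH LOGIN alice@example.com -> 535 5.7.8 Authentication failed
2024-05-01 10:01:05 198.51.100.9 AUTH LOGIN alice@example.com -> 535 5.7.8 Authentication failed
2024-05-01 10:02:00 198.51.100.20 AUTH LOGIN alice@example.com -> 235 Authentication succeeded
2024-05-01 10:02:01 198.51.100.20 MAIL FROM:<alice@example.com> -> 250 OK
2024-05-01 10:02:02 198.51.100.20 MAIL FROM:<alice@example.com> -> 250 OK
2024-05-01 10:02:03 198.51.100.20 MAIL FROM:<alice@example.com> -> 250 OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.+?) -> (\d{3})")


class SlidingWindow:
    """Counts events per key, forgetting those older than `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q) >= self.limit        # True once the threshold is reached


class Screener:
    def __init__(self, window=300, ban_seconds=600, rcpt_fail_limit=3,
                 auth_fail_limit=2, hijack_limit=3, hijack_window=3600):
        self.rcpt_fail = SlidingWindow(rcpt_fail_limit, window)   # address harvesting
        self.auth_fail = SlidingWindow(auth_fail_limit, window)   # password guessing
        self.sent = SlidingWindow(hijack_limit, hijack_window)    # per-account send rate
        self.ban_seconds = ban_seconds
        self.bans = {}            # ip -> epoch seconds when the ban lifts
        self.frozen = {}          # account -> time it was frozen
        self.authenticated = {}   # ip -> account after a successful AUTH

    def is_banned(self, ip, ts):
        return ts < self.bans.get(ip, 0)

    def observe(self, ts, ip, command, code):
        """Feed one logged command and its reply; return the action taken, if any."""
        if self.is_banned(ip, ts):
            return "drop (banned)"
        if command.startswith("RCPT TO") and code.startswith("5"):
            if self.rcpt_fail.hit(ip, ts):
                self.bans[ip] = ts + self.ban_seconds
                return "ban: address harvesting"
        elif command.startswith("AUTH") and code == "535":
            if self.auth_fail.hit(ip, ts):
                self.bans[ip] = ts + self.ban_seconds
                return "ban: password guessing"
        elif command.startswith("AUTH") and code == "235":
            self.authenticated[ip] = command.split()[-1]
        elif command.startswith("MAIL FROM") and code == "250" and ip in self.authenticated:
            account = self.authenticated[ip]
            if account in self.frozen:
                return f"reject: {account} is frozen"
            if self.sent.hit(account, ts):
                self.frozen[account] = ts   # account keeps receiving, stops sending
                return f"freeze: {account} exceeded send limit"
        return None


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def replay(log, screener=None):
    """Run the log through a Screener; return it and the (ip, action) pairs raised."""
    screener = screener or Screener()
    actions = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text, ip, command, code = m.groups()
        action = screener.observe(parse_ts(ts_text), ip, command, code)
        if action:
            actions.append((ip, action))
    return screener, actions
```

Two details carry over to production: the ban is checked before anything else so a banned host cannot keep running up counters, and the hijack counter is keyed on the authenticated account rather than the IP, since a compromised account is typically abused from many addresses at once.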
Filtering Sub Menu
Here you can create content filter rules that trigger on messages based on headers, IP address, or information found in the body of an email. Once a rule matches, the content filter can act upon the message: for example, we can reject the message, quarantine it, or redirect it to another email address.
Here an admin can choose what types of email attachments local users are allowed to receive. We can opt to have certain attachments blocked outright or quarantined.
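The Python example below is added to show the two decisions an attachment filter has to make, block or quarantine, and the check a practitioner would add on top of a name-based list: looking at the first bytes of the file, so an executable renamed to invoice.pdf is still caught. It is my code, not SecurityGateway’s; the extension lists are a plausible starting point rather than the product’s defaults, and the message is constructed with the standard library.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension policy (assumption: a reasonable starting list, not product defaults).
BLOCK_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                    ".vbs", ".ps1", ".hta", ".jar"}
QUARANTINE_EXTENSIONS = {".zip", ".7z", ".rar", ".iso", ".img", ".docm", ".xlsm"}

# Leading bytes of a few file types, so a renamed executable is still recognised.
MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
         (b"PK\x03\x04", "zip-container"), (b"%PDF", "pdf")]


def sniff(data):
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def all_extensions(filename):
    """'invoice.pdf.exe' -> ['.pdf', '.exe'], so double extensions are not missed."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(part):
    """Return (filename, action, reason) for one MIME part; content wins over name."""
    name = part.get_filename() or "(unnamed)"
    exts = all_extensions(name)
    kind = sniff(part.get_payload(decode=True) or b"")
    if kind in ("pe-executable", "elf-executable"):
        return name, "block", f"content is {kind} regardless of its name"
    if any(e in BLOCK_EXTENSIONS for e in exts):
        return name, "block", "extension on the block list"
    if kind == "zip-container" or any(e in QUARANTINE_EXTENSIONS for e in exts):
        return name, "quarantine", "archive or macro-capable container"
    return name, "allow", "nothing matched"


def filter_message(raw_bytes):
    """Return (overall action, per-attachment verdicts); the worst verdict wins."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = [classify_attachment(p) for p in msg.iter_attachments()]
    actions = {v[1] for v in verdicts}
    overall = "block" if "block" in actions else "quarantine" if "quarantine" in actions else "allow"
    return overall, verdicts


def build_sample_message():
    """Constructed test message: a renamed executable, a harmless text file and a zip."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00", maintype="application",
                       subtype="pdf", filename="invoice.pdf")   # claims to be a PDF
    msg.add_attachment("Meeting notes, nothing exciting.", filename="notes.txt")
    msg.add_attachment(b"PK\x03\x04\x14\x00\x00\x00\x08\x00", maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()
```

Note that the declared Content-Type is never consulted: both the file name and the MIME type are chosen by the sender, while the leading bytes are what the recipient’s operating system will actually act on.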
Blacklists Sub Menu
Use these options to block or quarantine emails from email addresses, hosts, and/or IP addresses.
Whitelists Sub Menu
Use these options to allow certain senders to be exempt from a number of security features in SecurityGateway. Most security features have the ability to exempt senders who have been whitelisted.
Advanced Sub Menu
Sieve is a powerful email filtering language that you can do a lot with! I could probably write an entire blog article just about Sieve (let me know if that’s something you’d like to see!). Many admins will simply use the GUI-driven “message filter” in SecurityGateway because it is simpler than Sieve. If you are interested in creating your own Sieve scripts, this information will help get you started.
And there you have it! I hope you have found this 3-part series helpful in understanding the robust security options available when using SecurityGateway.
If you have any questions please send us an email to firstname.lastname@example.org.