client x cronlab spam filter technical training presentation 19/09/2015


Upload: jordan-wiggins

Post on 12-Jan-2016


TRANSCRIPT

Page 1: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Client X CronLab Spam Filter

Technical Training Presentation 21/04/23

Page 2: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Technical information


Detailed Information

1. Rate Control

Controls high-volume spam by giving a soft reject to IP addresses that send too many emails per minute

• If the email is valid, the sender will try again

• This feature helps to keep legitimate emails passing through, even when servers are under spam attacks
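
A sketch of the rate control step described above, added as an illustration (it is not CronLab's code). The limit of 3 messages per minute and the reply text are assumptions, since the slides give no threshold; the sample IP addresses are constructed.

```python
from collections import defaultdict, deque

# Assumed values: the slides say "per minute" but give no threshold.
MAX_PER_MINUTE = 3
WINDOW_SECONDS = 60.0

class RateControl:
    """Per-IP sliding window that answers with an SMTP reply line."""

    def __init__(self, limit=MAX_PER_MINUTE, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)   # ip -> timestamps of accepted mail

    def check(self, ip, now):
        q = self.seen[ip]
        # Forget messages that have slid out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # Soft reject: a 4xx reply is temporary, so a legitimate sending
            # server queues the message and retries; most bulk senders do not.
            # Rejected attempts are not counted, so the retry can succeed.
            return "451 4.7.1 Too much mail from your IP, try again later"
        q.append(now)
        return "250 2.0.0 OK"

def demo():
    """Constructed traffic: one busy IP and one quiet IP (time in seconds)."""
    rc = RateControl()
    events = [("192.0.2.10", 0), ("192.0.2.10", 10), ("192.0.2.10", 20),
              ("192.0.2.10", 30),     # fourth message inside one minute
              ("198.51.100.7", 30),   # other senders are unaffected
              ("192.0.2.10", 61)]     # retry after the window has moved on
    return [rc.check(ip, t)[:3] for ip, t in events]

if __name__ == "__main__":
    print(demo())
```
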

2. Address Verification

Verifies the email address is valid by checking with the receiving email server

• On receipt of the first email to a new address, a probe is sent to the receiving email server to validate the address

• This method simplifies the integration with the email server and avoids Active Directory or LDAP setup

• The email address status is stored in a database which is updated on a regular basis

• If the address is invalid, the email, along with future emails to that address, is rejected. The testing of the email address validity is updated every 3 hours

• If the address is valid, the email, along with future emails to that address, goes through to further analysis. The testing of the email address validity is updated every 7 days
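
The caching policy described above, as an added example (not CronLab's code): invalid verdicts expire after 3 hours and valid ones after 7 days. The `probe` callable, the handling of a probe that gets no answer, and the sample addresses are assumptions made for the illustration.

```python
import time

INVALID_TTL = 3 * 3600       # slide: invalid addresses are re-tested every 3 hours
VALID_TTL = 7 * 24 * 3600    # slide: valid addresses are re-tested every 7 days

class AddressVerifier:
    """Caches the receiving server's verdict per recipient address."""

    def __init__(self, probe, clock=time.time):
        # probe(address) -> True (accepted), False (rejected) or None
        # (no answer). Hypothetical stand-in for the probe to the mail server.
        self.probe = probe
        self.clock = clock
        self.cache = {}          # address -> (is_valid, checked_at)
        self.probes_sent = 0

    def is_valid(self, address):
        key = address.strip().lower()   # assumption: case-insensitive mailboxes
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None:
            valid, checked_at = entry
            if now - checked_at < (VALID_TTL if valid else INVALID_TTL):
                return valid            # verdict still fresh, no probe needed
        self.probes_sent += 1
        verdict = self.probe(key)
        if verdict is None:
            # Assumption: with no answer, keep the last known verdict, or
            # accept a never-seen address rather than lose legitimate mail.
            return entry[0] if entry else True
        self.cache[key] = (verdict, now)
        return verdict

def demo():
    """Constructed scenario: one real mailbox, one mistyped address."""
    now = [0.0]
    mailboxes = {"alice@example.test"}
    v = AddressVerifier(lambda a: a in mailboxes, clock=lambda: now[0])
    out = [v.is_valid("alice@example.test"), v.is_valid("alcie@example.test")]
    now[0] = 2 * 3600                     # 2 h later: cached rejection reused
    out.append(v.is_valid("alcie@example.test"))
    mailboxes.add("alcie@example.test")   # the mailbox is created meanwhile
    now[0] = 3 * 3600                     # 3 h: rejection expired, re-probed
    out.append(v.is_valid("alcie@example.test"))
    return out, v.probes_sent

if __name__ == "__main__":
    print(demo())
```

The short lifetime for invalid verdicts means a newly created mailbox starts receiving mail within 3 hours, while valid addresses generate a probe only once a week.
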

Spam Control Flow (diagram)

Stages shown: Incoming email, Rate control, Address verification, Virus scanning, Spam detection, Auto averaging, FP prevention, Delivery, Quarantine, User Message Center, Delete / Release, Stored for deletion, Reject.

Checks listed in the diagram:

• DNS & URL blacklists

• Hash database comparison

• Statistic analysis (incl. Bayes)

• Content analysis

• Sender Policy Framework verification

Page 3: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Technical information (continued)


3. Virus Scanning

Email is scanned for viruses using the ClamAV anti-virus engine. BitDefender is available as an add-on service.

4. Spam Detection

The email is analysed for spam using a scoring system and is checked against:

• Sets of commercial and freely available blacklists & whitelists

• Internal server blacklists and whitelists

• CronLab proprietary blacklists and whitelists

• Hash databases

• Internal content analysis databases

• SPF records

• Internal statistical analysis tools, including a Bayes database


Page 4: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Technical information (continued)


5. Auto Averaging

Adjusts scoring of email based on historical data

• This uses a combination of the receiving email address and the sender’s IP cluster

• If the email comes from a known valid sender and still looks like spam, the auto-averaging will lower the score based on historical data to allow the email to pass through

• If the email comes from a known spammer to the receiving email address, the email is likely to be stopped even if it looks valid

6. FP Prevention

If an email is marked as a false positive, the sending email server is automatically added to a whitelist, preventing future emails from that server from ending up in the quarantine

7. Delivery

If the email is deemed to be legitimate, it is delivered straight to the receiving email server


Page 5: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Technical information (continued)


8. Quarantine

If the email is likely to be spam, but its status cannot definitely be established, then the email is sent to the quarantine

• All emails in the quarantine are subject to further analysis every hour for potential re-categorization. This minimizes the volume of emails in the quarantine

• The quarantine is user-based. Each user manages his own quarantine login information in a web-based message center. Users can also delegate handling of their quarantine to other users of the CronLab spam filter

• On the first message center visit, the user registers for a password which can easily be changed (or reset)

• More information about message center is available on future slides

9. Stored for Deletion

If an email is determined to be spam or to contain a virus, the email is stored for 30 days before deletion

• The 30 day storage of spam allows the administrator to retrieve a potential false positive


Page 6: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Technical information (continued)


10. Learning and Adapting

All actions taken by the system or the user are added back to the internal learning engine

• Users can report false negatives as spam by clicking on the footer at the bottom of the email (unless the user opts out from this feature in the message center)

• If a user reports an email as spam or ham, this will result in updating of internal statistical databases as well as blacklists and whitelists


Page 7: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Message Center


Detailed Information

• The message center enables access to the user’s quarantine

• All emails can be reported:

  • As legitimate - after which they are released back to the user. This also updates internal statistical databases as well as blacklists and whitelists

  • As spam - after which they are deleted. This also updates internal statistical databases as well as blacklists and whitelists

  • As ignored - after which they are merely deleted

• Users receive a notification in the morning if the content of the quarantine has changed

Quarantine

Search Engine

• The Postmaster of a domain can access all emails received in the last 30 days and release potential false positives back to the relevant user

• Users can search through their own emails, up to 30 days old and release potential false positives

• The Postmaster can also see mail log extracts for recent emails to help search for potential problems

• Email footers can be switched on/off

• Can toggle all email footers or footers applied to incoming emails only

• This will prevent the user from reporting emails as spam but might be desired for some users nonetheless

• Phishing filters can be switched on/off

• Sites that the user deems safe from phishing attacks can be reported

• Any report results in further analysis by CronLab’s support team

• Delegation of quarantine

• Users can delegate the quarantine, e.g. when having multiple email addresses or if an administrator is to take care of their quarantine

• This results in an aggregated quarantine for all the email addresses that the delegated recipient is to manage

Page 8: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Outgoing Filter: Send emails securely from anywhere, while reducing reputational risk


Diagram labels: End user station (three shown); Emails sent to recipient; Spam and Viruses; Administrator alerted.

Encrypted communication to CronLab. Communication to recipient encrypted if possible.

• Availability: Ensure safe delivery of emails no matter where you are. Works on all networks with all email servers and clients, including mobile phones

• Alarms: Alarms are sent to the administrator if a computer starts sending out spam or viruses

• Security: All communication is handled through strong TLS or SSL encryption

• Prevents blacklisting: Minimize risk of your domain being blacklisted as spam and viruses are removed before they reach the recipient

• Validity control: Users can only send emails from their own email address, using their own accounts. Domain accounts can be set up for authorized relaying servers to allow senders from all domain accounts and even from several domains

CronLab’s cluster

Page 9: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Email Attachment Saver (EAS), an add-on that simplifies sending large files


• User A sends large file as email attachment

• CronLab cluster replaces attachment with link; saves attachment

• User B receives email with link and downloads file from CronLab cluster

EAS Benefits

• The EAS uses a format known to users (email) - no training or extra programs required

• It saves network bandwidth and avoids bouncing emails

• It reduces user frustration common when trying (and failing) to transfer large files

Page 10: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Further important technical facts


Treatment of potentially dangerous files

• Potentially dangerous files that are still not viruses (e.g. exe-files or bat-files) are removed from the email and replaced by a text-file containing information on the danger of the file and, if permitted by postmaster, a link to a website where the user can retrieve the file

CronLab’s clusters are redundant and geographically distributed

• All domains will receive multiple MX pointers

• Emails are scanned by several geographically distributed servers. The servers are however always country-specific

To speed up communications, CronLab chooses not to use greylisting in its filters

• CronLab does not apply greylisting to control for spam

• Significantly speeds up email communication

No emails are blocked if receiving email address is valid

• As long as the receiving email address is valid, an email will always be retrieved and analyzed, no matter what the reputation of the IP address is

• If an email has been wrongly classified as spam, the email can still be retrieved by the user or the postmaster for a period of 30 days

Page 11: Client X CronLab Spam Filter Technical Training Presentation 19/09/2015

Thank you! Questions?

Full tests of Pro 2000 Anti-Spam Appliance available at http://www.itpro.co.uk/630691/cronlab-pro-2000-anti-spam-appliance-review, http://www.scmagazineuk.com/cronlab-pro-2000-anti-spam/review/3421/

Full tests of Light 1100 Anti-Spam Appliance available at http://www.pcpro.co.uk/reviews/security-appliances/365746/cronlab-light-1100-anti-spam-appliance
