spam sentinel v7 reseller

The Best Spam and Virus Protection for Domino Servers SpamSentinel Technical Overview

Upload: vaughan-rivett

Post on 12-May-2015


Category:

Technology



DESCRIPTION

This presentation shows SpamSentinel, a product made to block spam on IBM Lotus Domino servers. It is available through Rivett & Associates in New Zealand.

TRANSCRIPT

Page 1: Spam Sentinel V7 Reseller

The Best Spam and Virus Protection for Domino Servers

SpamSentinel Technical Overview

Page 2: Spam Sentinel V7 Reseller

“It Just Works”

More than a slogan…

SpamSentinel Technical Overview

Page 3: Spam Sentinel V7 Reseller

High Performance and High Availability Protection

Higher Performance means the ability to process as many as 4 million messages per day on a single server without upgrading hardware.

Fault Tolerance means if any problem occurs with processing, the spam check will be retried without releasing spam into your mail system.

SpamSentinel 7 Duo

Page 4: Spam Sentinel V7 Reseller

Discrete Component Architecture (DCA) describes the 7 unique components that comprise “SpamSentinel”.

Each performs a separate task that contributes to high performance and high availability.

Individual components can be updated without restarting the server in almost all cases.

Discrete Component Architecture

Page 5: Spam Sentinel V7 Reseller

Four Types of Mail

• We categorize mail into four types:

– Category A: Valid Mail.

– Category B: Spam-B, or “Suspect Spam”. It is not considered Spam; rather, one of the two engines suspects it could be spam whereas the other does not. Spam-B can be delivered to the end user's Junk Mail folder in real time for immediate verification.

– Category C: Spam-C, or “Confirmed Spam”. Both engines agree the message is Spam. This mail appears in the daily report to end users for verification.

– Category D: Spam-D, “Deletion Recommended” Spam. 100% Guaranteed Spam. Both engines strongly agree the message is Spam. This type of message can be silently Deleted or Rejected at the gateway. It does not require end user verification.

• Category D/Spam-D will average 90%+ of total spam volume daily.

Page 6: Spam Sentinel V7 Reseller

The SpamSentinel Interceptor (ssintercept) is a Domino Extension Manager DLL file that intercepts all inbound SMTP mail and determines if a message should be deleted or rejected at the SMTP level using the SMTP Silent Delete/Reject options (Spam-D).

Mail that is not rejected or deleted is written to the scan.box for further scanning.

Using this method we can eliminate more than 90% of all spam before it enters your mail environment.

All mail is now processed in scan.box before being routed to mail.box, which significantly cleans up mail.box.

For an additional license fee, our optional anti-virus add-on offers a second layer of protection even when another anti-virus tool is in use.

1 - SpamSentinel Interceptor

Page 7: Spam Sentinel V7 Reseller

The SpamSentinel Scanner (SScanner) is a Windows service that reads mail in Scan.box and checks the messages for spam against our two anti-spam engines. It also checks attachments for viruses.

Next it performs all other checks, such as valid recipient processing, attachment restrictions, etc.

It marks each message as complete and waits for the SpamSentinel Router to process it. (Good Mail, Spam-B, Spam-C, Spam-D)

Sample Log Entries: (Note: Good Mail is not reflected on the console)

01/16/2008 12:49:39 PM SScanner: (Spam-C) IMPORTANT NOTICE
01/16/2008 12:49:40 PM SScanner: (Spam-D) Doctor Approved And Recommended
01/16/2008 12:49:40 PM SScanner: (Spam-B) Get out of debt - act now for free debt relief consultation
01/16/2008 12:49:41 PM SScanner: (Spam-D) veinbrre

2 – SpamSentinel Scanner
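
The console format shown on this slide can be tallied per category with a small parser. This is an added example, not MayFlower's code: the sample text is constructed from the SScanner and SSRouter entries in this deck, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the console format shown in this deck; the Spam-B
# subject wraps onto a second line, as it does in the slide text.
SAMPLE_LOG = """\
01/16/2008 12:49:39 PM SScanner: (Spam-C) IMPORTANT NOTICE
01/16/2008 12:49:40 PM SScanner: (Spam-D) Doctor Approved And Recommended
01/16/2008 12:49:40 PM SScanner: (Spam-B) Get out of debt - act now for free debt relief
consultation
01/16/2008 12:49:41 PM SScanner: (Spam-D) veinbrre
05/16/2008 12:49:41 PM SSRouter: Moved 3 messages to Quarantine D
05/16/2008 12:49:43 PM SSRouter: Moved 1 messages to mail.box
"""

# "MM/DD/YYYY HH:MM:SS AM|PM Task: message"
ENTRY = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"(?P<task>\w+): (?P<msg>.*)$"
)
VERDICT = re.compile(r"^\((Spam-[BCD])\) ?(.*)$")
MOVED = re.compile(r"^Moved (\d+) messages? to (.+)$")


def parse_entries(text):
    """Split console text into (timestamp, task, message) tuples.

    A line without a leading timestamp is treated as the continuation of the
    previous entry (a wrapped subject), not as a new entry.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m["ts"], m["task"], m["msg"]])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def summarize(text):
    """Count SScanner verdicts and SSRouter deliveries per destination."""
    verdicts, moved = Counter(), Counter()
    for _, task, msg in parse_entries(text):
        if task == "SScanner" and (v := VERDICT.match(msg)):
            verdicts[v.group(1)] += 1
        elif task == "SSRouter" and (r := MOVED.match(msg)):
            moved[r.group(2)] += int(r.group(1))
    return verdicts, moved
```

Subjects are sender-supplied text, so a parser like this should trust only the timestamp-and-task prefix and treat everything after the verdict tag as untrusted data.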

Page 8: Spam Sentinel V7 Reseller

05/28/2008 04:23:41 PM SScanner: Found configuration file D:\Spamsentinel\SScanner\Partition1\SpamSentinel.ini
05/28/2008 04:23:42 PM SScanner: Using Notes INI file 'D:\Lotus\Domino\notes.ini'
05/28/2008 04:23:42 PM SScanner: Reading INI file D:\Spamsentinel\SScanner\Partition1\SpamSentinel.ini
05/28/2008 04:23:42 PM SScanner: Opening administration database: Local:SpamSentinel\SpamSentinelAdmin.nsf
05/28/2008 04:23:42 PM SScanner: Reading configuration document for CN=XIMILE/O=CORP
05/28/2008 04:23:42 PM SScanner: SpamSentinel version number: 7.5.3.1
05/28/2008 04:23:42 PM SScanner: SpamSentinel license Code: 11112008575d6bae62
05/28/2008 04:23:42 PM SScanner: Watching scan database: SpamSentinel\Scan\Scan1.box
05/28/2008 04:23:42 PM SScanner: Watching scan database: SpamSentinel\Scan\Scan2.box

What it looks like…

SScanner Common Log Entries

Page 9: Spam Sentinel V7 Reseller

The SpamSentinel Router (SSRouter) is a Domino task that watches the Scan.box for processed messages. SSRouter can directly deposit spam into a perimeter database that never enters the mail system.

SSRouter also automatically creates a new perimeter Quarantine once the size reaches 500 megabytes, using a convention of: Quarantine_D_1, Quarantine_D_2, Quarantine_D_3 etc.

If a Scan box does not exist, it creates it while the Domino server is running.

Good messages are placed in mail.box for normal Domino Router processing.

Sample Log Entries:

05/16/2008 12:49:41 PM SSRouter: Moved 3 messages to Quarantine D
05/16/2008 12:49:43 PM SSRouter: Moved 1 messages to mail.box
05/16/2008 12:49:43 PM SSRouter: Moved 2 messages to Quarantine D

3- SpamSentinel Router

Page 10: Spam Sentinel V7 Reseller

05/28/2008 04:18:45 PM SSRouter: Initializing version 2.5.2.7
05/28/2008 04:18:45 PM SSRouter: Reading configuration document for CN=XIMILE/O=CORP
05/28/2008 04:18:45 PM SSRouter: Watching mailbox: mail.box
05/28/2008 04:18:45 PM SSRouter: Watching scan database: SpamSentinel\Scan\Scan1.box
05/28/2008 04:18:45 PM SSRouter: Watching scan database: SpamSentinel\Scan\Scan2.box
05/28/2008 04:18:45 PM SSRouter: Version 2.5.2.7 started

> load ssrouter

What it looks like…

SSRouter Common Log Entries

Page 11: Spam Sentinel V7 Reseller

SSDuoE1 and SSDuoE2 are Windows services that work with the SScanner to check messages.

These two services create redundancy. Only one of the two Duo services is necessary, so a failure of either engine will not impact spam and virus processing.

These engines use both the Community approach (Cloudmark) to blocking spam and the Sender Reputation approach (CommTouch), providing 99.44% block rates.

They also perform anti-virus checks with Norman anti-virus against all attachments. The anti-virus feature is an option. It is not required.

4 - SSDuoE1 & SSDuoE2

Page 12: Spam Sentinel V7 Reseller

The SpamSentinel Monitor (SSMon) Domino task ensures all components are running cleanly and correctly. The components it will start are: SScanner, SSRouter, SSMgr, SSDuoE1, SSDuoE2, and SpamSentinel Reporter.

The Monitor will alert MayFlower if there is any problem.

The Monitor now does the anti-virus downloads in the background, transparently.

5- SpamSentinel Monitor

Page 13: Spam Sentinel V7 Reseller

05/28/2008 04:23:37 PM SSMonitor: Initializing version 2.5.1.7
05/28/2008 04:23:37 PM SSMonitor: Reading administration database LOCAL:SpamSentinel/SpamSentinelAdmin.nsf.
05/28/2008 04:23:37 PM SSMonitor: Reading configuration document for CN=XIMILE/O=CORP
05/28/2008 04:23:39 PM SSMonitor: Check-in log sent to MayFlower.
05/28/2008 04:23:40 PM SSMonitor: Anti-virus definitions are up to date.
05/28/2008 04:23:40 PM SSMonitor: version 2.5.1.7 started
05/28/2008 04:23:41 PM SSMonitor: Waiting for SpamSentinel engines to start...
05/28/2008 04:23:42 PM SSMonitor: Started service SScanner1
05/28/2008 04:23:42 PM SScanner: Check-in log sent to MayFlower.
05/28/2008 04:23:42 PM SSMonitor: Started service SpamSentinel Reporter

> load ssmon

What it looks like…

SSMonitor Common Log Entries

Page 14: Spam Sentinel V7 Reseller

01/16/2008 11:58:31 AM SSMonitor: Downloading anti-virus update file.
01/16/2008 12:00:47 PM SSMonitor: Anti-virus update file received successfully.
01/16/2008 12:00:48 PM SSMonitor: Applying anti-virus update. Stopping SpamSentinel services.
01/16/2008 12:00:48 PM SScanner: Paused for 10 minutes. Anti-virus update in progress.
01/16/2008 12:02:34 PM SSMonitor: Stopped service SpamSentinelE1
01/16/2008 12:02:41 PM SSMonitor: Stopped service SpamSentinelE2
01/16/2008 12:02:41 PM SSMonitor: Copying files from C:\NORMAN\Nse\bin to C:\NORMAN\Nse\bin\Updates
01/16/2008 12:02:41 PM SSMonitor: Updated anti-virus file C:\NORMAN\Nse\bin\Nvcbin.def
01/16/2008 12:02:42 PM SSMonitor: Anti-virus updates applied. Starting SpamSentinel services.
01/16/2008 12:02:42 PM SSMonitor: Restarting SpamSentinel Duo Engines.
01/16/2008 12:02:42 PM SSMonitor: Started service SpamSentinelE1
01/16/2008 12:02:43 PM SSMonitor: Started service SpamSentinelE2
01/16/2008 12:03:03 PM SScanner: Resumed
01/16/2008 12:03:04 PM SSMonitor: Anti-virus update complete.

What it looks like…

SSMonitor Anti Virus Definition Update

Page 15: Spam Sentinel V7 Reseller

The SpamSentinel Updater (SSMgr) is a key Domino task to Auto-Update SpamSentinel software.

SSMgr contacts our Data Center (www.maysoft.com) for new updates, patches and fixes, and installs them.

Ensures that you have the latest engine and templates

Minimizes Administrative Effort and can be scheduled to meet your needs

> ‘tell ssmgr update’

05/16/2008 01:08:59 PM SSMgr: Checking for new updates

6 – SpamSentinel Updater

Page 16: Spam Sentinel V7 Reseller

SpamSentinel Update Usage

MayFlower controls what is updated and when by default.

Requests for updates are available by contacting us.

We regularly release updates as-needed in the case of an error condition, or, in batches of 25 to 50 servers on average for major releases daily.

If you have not opted out of auto-updates you are eligible to be updated at any time.

You control the frequency with which available updates are checked.

Page 17: Spam Sentinel V7 Reseller

7 - End User Reporting

Using the End User Report is optional and the administrator can choose who gets the report and who does not.

By default, the End User Report shows Spam-B and Spam-C including Sender, Subject, Date/Time.

The End User Report allows users to click on document links to review quarantined messages more closely.

The End User can release, forward, or privately whitelist senders and/or domains without calling the Help Desk.

(Optional) Spam-B and/or Spam-C can be routed to the user’s Junk Mail folder.

End User reports can be customized in many ways.

Page 18: Spam Sentinel V7 Reseller

End User Report Example

Page 19: Spam Sentinel V7 Reseller

End User View of a message in Quarantine

Page 20: Spam Sentinel V7 Reseller

Anti-Virus

Anti-virus is available for an additional license fee.

We use Norman Data Defense Systems anti-virus software (www.norman.com).

Be sure to exclude the Norman\Avscan directory from any file system anti-virus software.

Windows Domino servers can use SpamSentinel's Anti-virus in addition to any other third-party anti-virus.

SpamSentinel anti-virus checks only inbound, outbound, and (optionally) Notes-to-Notes mail.

Page 21: Spam Sentinel V7 Reseller

…
Database Server Process Monitor
SpamSentinelScanner v7.5.3.0 - Blocking spam and viruses
SpamSentinelMonitor v2.5.1.7 - Monitoring all SpamSentinel components
SpamSentinelRouter v2.5.2.7 - Mail: 1 Spam-D: 1 Spam-C: 0 Spam-B: 0
SpamSentinel Update v2.5.0.8- Loads the latest SpamSentinel updates
LDAP Server Listen for connect requests on TCP Port: 389
…

> show tasks

Show Tasks

Page 22: Spam Sentinel V7 Reseller

Available to Windows Domino servers.

SpamSentinel Monitor (SSMon) will restart components in the case of errors.

Each component checks in to our server during startup and shutdown and in the case of errors.

Our staff is constantly refining our ability to respond to errors, often before a customer is aware that an error condition exists.

Checking in to maysoft.com

Page 23: Spam Sentinel V7 Reseller

> load ssmon

01/16/2008 11:58:18 AM SSMonitor: Check-in log sent to MayFlower.
01/16/2008 11:58:19 AM SScanner: Check-in log sent to MayFlower.
01/16/2008 11:58:28 AM SSMonitor: Initializing version 2.5.1.7
01/16/2008 11:58:29 AM SSMonitor: Check-in log sent to MayFlower.
01/16/2008 11:58:34 AM SScanner: Check-in log sent to MayFlower.

> tell ssmon quit

Check-in Entries in Log.nsf

Page 24: Spam Sentinel V7 Reseller

Maysoft Monitoring DB

Page 25: Spam Sentinel V7 Reseller

Monitoring SpamSentinel

Customer Checkin Status

Page 26: Spam Sentinel V7 Reseller

SpamSentinel Admin Database

Contains all settings

Dashboard utility shows current statistics and information

Whitelists and Blacklists (Senders and Domains)

Quarantine settings (Auto-Delete, SMTP Silent Delete, etc.)

Page 27: Spam Sentinel V7 Reseller

SpamSentinel Dashboard

Page 28: Spam Sentinel V7 Reseller

SpamSentinel Quarantines

Perimeter Quarantines accept mail from SSRouter directly. The mail router is not used.

Mail-In Quarantines accept mail from the mail router.

Perimeter Quarantines are created on demand by SSRouter as needed.

Mail-In Quarantines are not created on demand.

Page 29: Spam Sentinel V7 Reseller

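[Diagram: mail flow with SpamSentinel compared with the Domino default. SpamSentinel: Internet, SMTP Listener, SSInterceptor, Scan.box, Mail.box; Good Mail, Spam B, Spam C, Spam D; Mail\user.nsf with Inbox = Good Mail and Junk Mail = Spam B. Domino Default: Mail.box, SPAM; Mail\user.nsf with Inbox = Good Mail and Inbox = SPAM.]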

Page 30: Spam Sentinel V7 Reseller

Additional Implementations of SpamSentinel

Linux, AS400, and Solaris are also supported with a Windows PC installed with a Lotus Notes client that remains on 24/7.

Software runs on the client machine and checks mail in mail.box

We use a mail rule (Domino 6 and greater) to hold mail for processing.

Uses a separate installer found at the bottom of www.maysoft.com/ss

Page 31: Spam Sentinel V7 Reseller

Backscatter Prevention

For all licensed users of SpamSentinel, the Scanner checks for backscatter.

Stops between 80%-90% of Backscatter.

It deletes backscatter during the SMTP session.

Backscatter prevention does not generate non-Delivery reports, or reject messages, as that would just add to the Backscatter problem.

We offer a version for non-SpamSentinel users called: SpamSentinel NoBS (No Backscatter) in the form of a nobs.dll interceptor.

The separate NoBS product has No license fees and No expiration date (and no support - except via email on a best efforts basis).

Both versions are compatible with all Lotus Domino Anti-Virus products.

Page 32: Spam Sentinel V7 Reseller

Support Resources

For a 30 day trial email

[email protected]

For more information

Search www.google.com for “Vaughan Rivett’s Blog”

Vaughan Rivett

+64 21 206 2500

Skype id:vrivett

Email:[email protected]

Mobile phone numbers

Page 33: Spam Sentinel V7 Reseller

Completely Rebuilt for the Best Spam and Virus Protection for Domino Servers

It Just Works

SpamSentinel Technical Briefing