PerfectMail contains many unique features and capabilities that differ from those found
in competing products. In fact, we successfully challenge conventional
wisdom on a number of fronts.
Use the links below to find out more about our unique approach to Spam protection.
General Questions
Supported Mail Servers
Languages Questions
E-mail Scoring Issues
Antivirus Capabilities
Product Questions
Security Questions
Implementation Questions
Sizes and Limitations
General Questions
In a word - No, so PerfectMail would not normally block commercial e-mail.
There is a fundamental difference between bulk spam (Unsolicited Bulk E-mail or UBE) and commercial e-mail
(Unsolicited Commercial E-mail or UCE). UBE mail is truly evil spam. It includes herbal medicines, adult content,
stock pump & dump messages, get rich quick scams, Nigerian bank scams, fake lottery scams, etc.
PerfectMail has been designed to eliminate this trash from your in basket.
Commercial e-mail (or UCE) is different. UCE is distinct from UBE because, unlike bulk spammers, the sender:
- Clearly identifies themselves, their message and their organization
- May be contacted to request removal from their mailing lists
- Is promoting a product or service that is moral, legal and ethical
- Is bound by the laws of the jurisdiction in which they conduct business
You know you are receiving commercial e-mail because the sender's identity is easily determined. If you do not wish
to receive further communications from this sender, you can safely follow the sender's opt-out instructions.
If the sender refuses to honor your opt-out request, you can instruct PerfectMail to refuse all messages from
the sender by adding them to PerfectMail's black list.
⇑ Top
PerfectMail deals with e-mails the instant they arrive. Each
e-mail is scanned and is subject to one of three possible outcomes:
- Accept
The e-mail is passed through to the recipient instantly and
without modification.
- Tag
If, after performing its full range of tests and after
consulting its historical databases, PerfectMail is still unable to
determine the status of an e-mail, it tags the E-mail
with a short keyword to indicate that the e-mail might be spam.
The default policy is to prepend the subject line with the phrase
[SPAM?]
The message is forwarded (with this warning) to the
intended recipient, where it can be accepted, filed or discarded by
easy-to-implement quarantine rules within an e-mail reader (such as Outlook
Express, Outlook, Eudora, Pegasus or ThunderBird). Because it is so easy for e-mail clients to implement quarantine
and/or filter rules on uncertain e-mails, PerfectMail contains no quarantine
of its own.
Under normal circumstances, PerfectMail tags no more than 0.5% to 1.5%
of all inbound e-mail. Tag percentages will vary with
traffic but usually don't exceed 1.0%.
- Reject
The e-mail is refused. PerfectMail returns a
reject code to the sending e-mail server indicating that the
e-mail is unwanted. PerfectMail reserves this treatment for
obviously unwanted e-mail such as viruses & worms, heavily
obfuscated e-mail and e-mail where the sender has
intentionally tried to hide their identity.
In our experience, a typical business might see
25% or more of all e-mail safely rejected by
PerfectMail. In an organization with about 100 e-mail users,
this can mean as many as 2,500 fewer
e-mails for staff to handle in just one day!
⇑ Top
PerfectMail employs an E-mail Archive rather than a Quarantine. Simply stated, an E-mail Archive is much safer,
requires much less user and administrator intervention, and lets first-level help desk personnel fix problems
much more quickly and effectively than do traditional E-mail Quarantines.
The benefits of E-mail Archives over Quarantines were the topic of a recent PerfectMail newsletter.
Click here to read the article. Be warned, once you read the article, you will never want to use a product that relies on Quarantines again!
⇑ Top
Unlike most competing products, PerfectMail offers effectively zero false
positives [1].
PerfectMail contains a very efficient, real-time reputation engine.
PerfectMail tracks many aspects of an e-mail exchange including sender activity,
MTA activity, prior history and much more. All of this activity is added to PerfectMail's reputation system, and is
used to help PerfectMail correctly recognize wanted messages from repeat senders.
Whenever an e-mail is received, PerfectMail reviews the sender's reputation.
If the sender has a history of sending legitimate messages then PerfectMail's reputation system adjusts
the scoring to ensure that the sender's messages are always delivered [2].
As a result, PerfectMail can claim zero false positives on the e-mail that matters most;
the e-mail between yourself and your e-mail partners. This feature could easily be viewed as an
automatic white list (but in reality it is much more sophisticated than a simple list).
⇑ Top
For the most part, PerfectMail self-trains. That is, it looks at mail traffic patterns to learn
your mail peers as well as legitimate vs. malicious mail servers. PerfectMail uses a Bayesian
filter and other techniques to help recognize unwanted content.
All of this training helps PerfectMail make the right decisions on the e-mail that matters most;
e-mail from your regular peers (see False Positives above).
However, there are circumstances where PerfectMail may allow unwanted content through. You will
see this in two cases:
- Correcting False-Positive Rejects
PerfectMail rarely rejects wanted messages. However, there are some types of messages, typically
e-mail newsletters from poorly configured mail servers, that fail our validation and
verification tests. In extreme cases, these wanted messages may be rejected as unwanted.
This presents a problem because recipients never reply to newsletters or one-way e-mail blasts;
so PerfectMail's reputation system cannot learn to recognize an e-mail peer relationship. To fix
this issue, add the sender's domain or IP address to PerfectMail's White list:
- Log on to PerfectMail
- Click Domain Admin
- Click B/W List
- Add the domain name (e.g.: oneWaySender.com) or the IP address of the mail server
to the White list
- Click Update
And you are done.
Note that Black and White lists are global properties that impact all users so use them
sparingly.
- Blocking Persistent Unwanted Senders
Persistent unwanted senders are otherwise legitimate organizations
who refuse to honor opt-out requests.
To get off the bulk mailer's mailing list, you must add the offender's
domain name or IP address to PerfectMail's Black list. To do this:
- Log on to PerfectMail
- Click Domain Config → B/W Lists
- Add either the sender's domain (e.g.: pushySender.com) or the sending mail server's
IP address from the message header of an offending e-mail (the
second Received: from header) to the Black List.
- Click Update
And you are done. For help updating Black or White lists, please click Help in
the upper right hand corner of the screen.
Warning: Black lists impact everyone on the PerfectMail server. By adding a host to the
Black List, you are banishing that host from ever sending mail to anyone behind the PerfectMail
server, ever again.
- Training PerfectMail to Recognize Spam
Spammers often hose your staff with their trash. To help PerfectMail block this unwanted content,
simply tell everyone to forward unwanted mail to spam@pm.yourDomain.com. In this example,
pm.yourDomain.com should be substituted with the host name and domain name of your appliance. For example,
if your domain name was aCompany.com and your PerfectMail appliance was pm.aCompany.com, then you would
forward the unwanted mail to spam@pm.aCompany.com.
When you do this, PerfectMail trains on the message content, making
PerfectMail more likely to block this sort of content in the future.
You do not need to make a legitimate e-mail account on your server with the address
spam@yourDomain.com. PerfectMail treats this account as a
virtual account and will intercept any messages sent to it.
- Training PerfectMail to Recognize Wanted Mail
Occasionally wanted mail will end up tagged. To help PerfectMail learn that this is wanted content,
tell your users to forward legitimate mail to ham@pm.yourDomain.com. In this example,
pm.yourDomain.com should be substituted with the host name and domain name of your appliance. For example,
if your domain name was aCompany.com and your PerfectMail appliance was pm.aCompany.com, then you would
forward the wanted mail to ham@pm.aCompany.com.
Ham is e-mail speak for wanted mail. Sending mail to ham@... helps
PerfectMail adjust its filters to better recognize legitimate traffic.
When you do this, PerfectMail trains on the message content, making
PerfectMail more likely to accept this sort of content in the future.
We have posted detailed procedures on how to review and tune PerfectMail appliances. Please
read PerfectMail Tuning How-To to get detailed information on tuning PerfectMail.
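Picking the address to black-list from a message's Received: headers, as described under Blocking Persistent Unwanted Senders above, can be scripted. This is an added example, not PerfectMail code; the sample message, its host names and the list of internal networks are constructed assumptions, and it assumes the second Received: header from the top is the one your PerfectMail appliance added.

```python
import email
import ipaddress
import re

# Assumed: address ranges of your own infrastructure, which must never be black-listed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (hosts, ids and addresses are illustrative).
SAMPLE_MESSAGE = """\
Received: from pm.aCompany.com (pm.aCompany.com [10.0.1.2])
\tby exchange.aCompany.com with ESMTP id constructed-1; Thu, 4 Jan 2007 08:44:25 -0500
Received: from mail.pushySender.com (mail.pushySender.com [203.0.113.45])
\tby pm.aCompany.com with ESMTP id constructed-2; Thu, 4 Jan 2007 08:44:21 -0500
Received: from workstation (unknown [192.168.7.20])
\tby mail.pushySender.com with SMTP id constructed-3; Thu, 4 Jan 2007 08:44:19 -0500
From: Offers <offers@pushySender.com>
To: amy@aCompany.com
Subject: Our weekly offers

Body text.
"""


def relay_ip_for_blacklist(raw_message, hop=2):
    """Return the connecting IP recorded in the hop-th 'Received: from' header (1 = newest).

    Headers are prepended by each server, so the newest are on top. Only headers
    added by your own servers are trustworthy; anything below them was supplied
    by the sending side and can be forged.
    """
    msg = email.message_from_string(raw_message)
    received = [h for h in msg.get_all("Received", [])
                if h.lstrip().lower().startswith("from")]
    if len(received) < hop:
        raise ValueError(f"message has only {len(received)} 'Received: from' headers")
    # Only the 'from' clause names the connecting host; the 'by' clause is the receiver.
    from_clause = re.split(r"\sby\s", received[hop - 1], maxsplit=1)[0]
    match = BRACKETED_IP.search(from_clause)
    if not match:
        raise ValueError("no bracketed IP address in the selected header")
    ip = ipaddress.ip_address(match.group(1))  # raises ValueError on e.g. 999.1.1.1
    if any(ip in net for net in INTERNAL_NETS):
        # Black lists are global: listing one of your own relays would block real mail.
        raise ValueError(f"{ip} is an internal address; check which hop you selected")
    return str(ip)


if __name__ == "__main__":
    print(relay_ip_for_blacklist(SAMPLE_MESSAGE))
```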
⇑ Top
The short answer to this question is - not directly.
Here's why.
The user interface Release function was put in to take the risk out of using PerfectMail.
The intent was to give administrators the ability to correct any errors in PerfectMail's filtering
by allowing admins to release any message that was improperly Rejected. PerfectMail does this by
holding on to a copy of all e-mail, including Rejected e-mail, for 24 hours (soon to be 6-12 weeks).
Tagged e-mail is actually delivered to the intended recipient(s), but with the word
[SPAM?]
(or some other phrase you set) prepended to the subject line. This is intended to warn the user
that the message may be unwanted. The key point here is that the message is delivered to the user.
Since the message was delivered, there is no need to Release it through the user interface
because the message was already delivered.
Messages that are Rejected are not delivered to the intended recipient.
Instead, PerfectMail returns an SMTP reject code (and explanation) to the sender.
If PerfectMail makes an erroneous reject decision, you can Release the message and it will
be delivered to the intended recipient, even after we have told the sender that we don't want
the message.
But, PerfectMail does not automatically update its reputation system to record the fact that the e-mail was manually released.
Here is why it shouldn't be an issue...
PerfectMail records all incoming activity along with the score.
When PerfectMail sees a reply to the message (regardless if the message was originally
Tagged or Rejected/Released), it assumes that the original recipient is giving
implied permission for the sender to continue sending messages. To that end,
PerfectMail awards a bonus score to any message coming from known e-mail peers.
The more e-mail that is exchanged, the higher the bonus.
While it may take a couple of e-mail exchanges before the bonus score is so high that e-mail is never rejected, often one exchange is sufficient to allow most messages through.
⇑ Top
Supported Mail Servers
PerfectMail supports Microsoft Exchange. We do recommend specific PerfectMail and Exchange settings
depending on the version of Exchange you are running. Please note that there are additional recommendations
at the end of this entry for Exchange clusters.
- Exchange 5.5
MS Exchange 5.5 is supported with the following caveats:
- SMTP Validation (more here) is not supported. Please ensure this feature is disabled
in PerfectMail. To do this, click:
Domain Admin → Select Your Domain → SMTP Validation - uncheck.
Also ensure that Reject non-validated E-mail is unchecked. Be sure to do this for all
defined domains.
- List Validation is fully supported. We strongly recommend you copy and paste a complete list of valid addresses
into PerfectMail (Domain Admin → Valid Addresses). If you do this, you should check Reject
non-validated E-mail.
- Disable Non-Delivery Reply e-mail responses in Exchange.
To disable Non-Delivery Reply messages in Exchange 5.5, please complete the following steps:
- Open up Exchange Administrator and go to Organization, Site, Configuration, Connections, Internet Mail
Service and select Properties.
- Select the Connections Tab.
- Under Message Delivery, select Forward all messages to host: and enter the IP address of
the PerfectMail appliance or service as [192.168.100.10]. Please include the square brackets, and
substitute the IP address of your PerfectMail appliance or service for the IP address in the example.
- You will get a dialog box asking you to restart the Exchange Internet Mail services.
You can do that by going into the Services section (via
Start→Settings→Control Panel→Services if using NT, or
Start→Settings→Control Panel→Administrative Tools→Services for Win2K
or greater). Select Microsoft Exchange Internet Mail Service from the list,
right-click and choose Stop. When the service stops, right click and choose Start.
- Exchange 2000
MS Exchange 2000 is fully supported. We recommend the following configuration changes to maximize PerfectMail's
effectiveness:
- Please disable Non-Delivery Report message generation in Exchange.
- Configure Exchange to provide immediate and accurate SMTP return codes for valid e-mail recipients. Please
consult your MS Exchange 2000 Administrator's documentation to determine how to complete this step.
- SMTP Validation (more here) is supported. Once you have configured Exchange so that it
provides accurate return codes, please enable this feature.
To do this, click:
Domain Admin → Select Your Domain → SMTP Validation - check.
Be sure to do this for all defined domains.
- Also ensure that Reject non-validated E-mail is checked.
- List Validation is fully supported. We strongly recommend you copy and paste a complete list of valid addresses
into PerfectMail (Domain Admin → Valid Addresses). That way, PerfectMail will not need to bother
your Exchange server about e-mail addresses that it knows are valid.
- Please check Reject non-validated E-mail.
- Exchange 2003
- Please follow the instructions for Exchange 2000 (above).
- Exchange 2007
To be determined.
- Exchange Clusters
PerfectMail can protect Microsoft Exchange clusters. To configure PerfectMail to protect a cluster,
follow the steps for the appropriate version of Exchange in use (above). Then:
- Please ensure that the IP address provided for the protected domain(s) is the Virtual IP address of your
Exchange cluster, not the IP address of an individual node in the cluster
(Domain Admin → Select Your Domain → Internal Mail Host).
- Add the individual cluster node IP addresses to PerfectMail in the Relay form
(Domain Admin → Relays). If you don't add the individual cluster node IP addresses in the Relay form, you will not be
able to test for correct mail handling as discussed here.
- Perform a mail delivery test from each cluster node. Below is some example code to show how to do this
(commands you type are in bold purple).
c:\> telnet 10.0.1.2 25
Trying 10.0.1.2...
Connected to 10.0.1.2.
Escape character is '^]'.
220 scorpion.aei.on.ca ESMTP Sendmail 8.12.9/8.12.3; Thu, 4 Jan 2007 08:44:21 -0500
HELO someHost.someDomain.com
250 scorpion.aei.on.ca Hello scorpion.internal.aei.on.ca [10.0.1.2], pleased to meet you
MAIL FROM: <>
250 2.1.0 <>... Sender ok
RCPT TO: lkarnis@xpmsoftware.com
250 2.1.5 lkarnis@xpmsoftware.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: This is a test
From: Larry Karnis
To: Larry Karnis

This is the body of the message. There must be one
blank line between the To: header and the body. End
the message with a single '.' on a line by itself
.
250 2.0.0 l04DiK9p007473 Message accepted for delivery
QUIT
221 2.0.0 scorpion.aei.on.ca closing connection
Connection closed by foreign host.
c:\> _
⇑ Top
Lotus Domino™ is fully supported with no issues or custom configurations required. For optimum filtering
performance, please:
- Enable SMTP Validation (Domain Admin → Select Domain → SMTP Validation - check).
- List Validation is not necessary. Pasting a list of valid e-mail addresses into
Domain Admin → Valid Addresses will reduce the number of connections PerfectMail makes to the back end mail server.
- Reject non-validated E-mails should be checked.
⇑ Top
Novell GroupWise™ and Novell NetMail™ are fully supported with no issues or custom configurations required.
For optimum filtering performance, please:
- Enable SMTP Validation (Domain Admin → Select Domain → SMTP Validation - check).
- List Validation is not necessary. Pasting a list of valid e-mail addresses into
Domain Admin → Valid Addresses will reduce the number of connections PerfectMail makes to the back end mail server.
- Reject non-validated E-mails should be checked.
⇑ Top
IMail™, a popular Windows mail server, is fully supported with no issues or custom configurations required. For optimum filtering
performance, please:
- Enable SMTP Validation (Domain Admin → Select Domain → SMTP Validation - check).
- List Validation is not necessary. Pasting a list of valid e-mail addresses into
Domain Admin → Valid Addresses will reduce the number of connections PerfectMail makes to the back end mail server.
- Reject non-validated E-mails should be checked.
⇑ Top
QMail is supported with the following caveats:
- SMTP Validation (more here) is not supported. Please ensure this feature is disabled
in PerfectMail. To do this, click:
Domain Admin → Select Your Domain → SMTP Validation - uncheck.
Also ensure that Reject non-validated E-mail is unchecked. Be sure to do this for all
defined domains.
- List Validation is fully supported. We strongly recommend you copy and paste a complete list of valid addresses
into PerfectMail (Domain Admin → Valid Addresses). If you do this, you should check Reject
non-validated E-mail.
- Please disable Non-Delivery Report e-mail responses.
⇑ Top
Languages Questions
Yes. We have customers located in non-English locales, including Quebec Canada and Greece, who are
quite happy with their PerfectMail experience. Additionally, many PerfectMail users routinely
exchange e-mail with English and non-English speaking peers with no problems.
Here's why:
PerfectMail uses a combination of antispam techniques to determine the proper disposition of an
e-mail. Factors that determine a message's outcome include: sender reputation,
SMTP relay reputation, sender/recipient peer relationships, verifiable envelope and header
information, embedded web site references and finally content. So, unlike most competitors,
content is not critical to making a correct Accept/Tag/Reject decision.
Finally, PerfectMail self-trains on wanted vs. unwanted content irrespective of the actual
language used. Consequently, it is effective on messages composed in any language.
⇑ Top
At this time, our Administrator interface is available in English only. However, our
Administrator interface is
constructed on a framework that should support multiple languages. If you work with PerfectMail and
want to help us support your preferred language, please contact us.
⇑ Top
Scoring Issues
An RBL block is a Real-time Black Hole List block. There are many reputable Internet
sites that maintain lists of known, persistent spam sources. If you receive a complaint that a message
was blocked because of an RBL Block, then the sender's mail server is on an RBL list.
PerfectMail uses the SpamHaus RBL list because it is a high quality, well researched
and well maintained list. If you end up on SpamHaus' list, you really do have a problem with your site
sending spam.
An RBL reject message looks like this:
From: Mail Delivery Subsystem <mailer-daemon@recipientDomain.com>
Date: Nov 21, 2006 4:46 PM
Subject: Delivery Status Notification (Failure)
To: theSender@senderDomain.com
This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently:
recipient@recipientDomain.com
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 9): 550 5.1.1 <recipient@recipientDomain.com>... RBL Block:
spamhaus.org 1.2.3.4
Note the IP address directly above... This is the IP address of the blocked mail server.
PerfectMail only uses SpamHaus for RBL lists. You can query
SpamHaus directly by entering the following URL into a web browser:
http://www.spamhaus.org/query/bl?ip=1.2.3.4
To see if you are listed in any of 250+ other popular RBL list sources, please try:
http://www.dnsstuff.com/tools/ip4r.ch?ip=1.2.3.4
Substitute 1.2.3.4 with the IP address of the blocked mail server.
If your IP address is on SpamHaus' RBL lists (SBL or XBL), please follow the instructions on SpamHaus'
web site to remove your IP address. Generally, you will have to:
- Audit your e-mail infrastructure looking for spam problems (PC's with spam zombies, etc.)
- Close any open relays you have on your mail server
- Verify that none of your users are blasting out marketing e-mail that might get reported as spam
Once you have solved the problem, visit SpamHaus again and ask
to have your mail server removed from their block list.
When working with black lists, please keep the following in mind:
- It may take a day or more from the time you ask to have your site removed to the time
your mail server is removed from a black list. Consequently, you need to act quickly to ensure minimal
interruption to your e-mail service.
- Do not remove your site from a black list unless you are certain that you are no longer
forwarding spam. Most black list sites have a 3 strikes rule. They will let you remove yourself
3 times without question. After that, you will have to prove that you are no longer a spam
source.
- Mail servers, and antispam products, use many different black lists to determine if a
message may be unwanted. Removing yourself from SpamHaus is necessary but may not be enough to fully
unblock your server.
- Most mail servers use some sort of RBL protection. If you do not get your server off of
popular RBL lists, you will not be able to send mail to most businesses and about 50% of the rest
of the Internet.
PerfectMail prepends the phrase [SPAM?] to messages that score above the Tag
threshold but below the Reject threshold. This is intended to indicate that PerfectMail was uncertain as
to the real disposition of the message (wanted or unwanted) and so it chose to forward the message with a
warning to the recipient.
There are a number of things you can do to address this situation:
- Nothing
Yes, doing nothing is an effective solution! PerfectMail will continue to watch your e-mail
traffic and record activity between you and your senders. If a sender continues to e-mail you
from the same location, with the same e-mail address, then PerfectMail will quickly recognize a 1-way
mail relationship and will score messages more favorably. The result is that the [SPAM?] warning usually goes away on its own within a few days to weeks.
This works especially well for e-mail newsletters and other 1-way correspondence.
- Reply to the Sender
When you reply to the sender, PerfectMail assumes that you are giving the sender implicit permission to
continue sending you e-mail. This behavior is in line with e-mail Best Practices, as users are
strongly encouraged to never reply to Spammers or opt out of Spam mail.
It usually takes just one reply to cause PerfectMail to drop the [SPAM?] warning.
Note: You must reply from your original e-mail account, not an e-mail relay account.
If your mail, once it is filtered, is relayed to a new e-mail address then PerfectMail will not handle
the return message.
- White-List the Sender
The last, and least desirable, alternative is to find the sending server's e-mail address and add it to
PerfectMail's white list. This will cause PerfectMail to automatically accept everything (except Viruses and
unwanted attachments) from that server.
This step can only be performed by the PerfectMail administrator.
⇑ Top
PerfectMail does not always accept e-mail messages on the first delivery attempt.
PerfectMail performs additional tests (possibly including TempFail) whenever:
- The sender has never been seen before
- The message scored above the Tag threshold but below the Reject threshold
The SMTP protocol allows destination mail servers to tell sending servers that they
are busy by returning a TempFail status code.
When this happens, a legitimate mail server will resend the message
(usually in 5 to 10 minutes).
Legitimate mail servers respond to TempFail by re-queuing the message for delivery.
When the message is resent, PerfectMail matches it to the TempFailed
message, detects the resend and lets the message through.
Most spam engines do not honor TempFailed messages. They simply see that the mail
went undelivered and then move on to their next spam victim.
A quick review of the TempFail logs will show that the vast majority of TempFailed
messages are spam - and that TempFail is an effective strategy for separating legitimate e-mail from spam.
And, because PerfectMail ensures that TempFails only happen to a small number of
first-time connections, the impact of TempFail on legitimate senders is minimized.
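The TempFail decision described above can be modelled as follows. This is an added example, not PerfectMail's own code; the threshold values, the (relay IP, sender, recipient) matching key, the minimum retry delay and the lifetime of a pending TempFail are assumptions, since the page does not state them.

```python
from dataclasses import dataclass, field

# Assumed values: the page names Tag and Reject thresholds but gives no numbers.
TAG_THRESHOLD = 5.0
REJECT_THRESHOLD = 10.0
MIN_RETRY_SECONDS = 60            # assumed: a resend sooner than this is not counted
PENDING_TTL_SECONDS = 4 * 3600    # assumed: unanswered TempFails are forgotten after this


@dataclass
class TempFailFilter:
    known_senders: set = field(default_factory=set)  # senders already let through once
    pending: dict = field(default_factory=dict)      # attempt key -> time of first TempFail

    def decide(self, relay_ip, sender, recipient, score, now):
        """Return (smtp_code, action) for one delivery attempt at time `now` (seconds)."""
        sender, recipient = sender.lower(), recipient.lower()
        key = (relay_ip, sender, recipient)
        # Forget TempFails that were never retried (typical of spam engines).
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t <= PENDING_TTL_SECONDS}

        if score >= REJECT_THRESHOLD:
            return 550, "reject"

        uncertain = score > TAG_THRESHOLD             # between Tag and Reject
        first_time = sender not in self.known_senders
        if not (uncertain or first_time):
            return 250, "accept"

        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now                   # remember it, ask for a resend
            return 451, "tempfail"
        if now - first_seen < MIN_RETRY_SECONDS:
            return 451, "tempfail"                    # hammering, not a queued resend

        # Resend matched to the earlier TempFail: let the message through.
        del self.pending[key]
        self.known_senders.add(sender)
        return 250, ("tag" if uncertain else "accept")


def replay(attempts):
    """Run attempts through one fresh filter; return (decisions, unanswered TempFails)."""
    f = TempFailFilter()
    decisions = [f.decide(*a) for a in attempts]
    return decisions, len(f.pending)


# Constructed sample traffic: (relay IP, envelope sender, recipient, score, time in seconds)
SAMPLE = [
    ("192.0.2.10", "news@example.org", "amy@example.com", 1.0, 0),       # new sender
    ("198.51.100.7", "x1@spam.example", "amy@example.com", 6.0, 5),      # never retried
    ("198.51.100.7", "x2@spam.example", "bob@example.com", 6.0, 6),      # never retried
    ("192.0.2.10", "news@example.org", "amy@example.com", 1.0, 420),     # queued resend
    ("192.0.2.10", "news@example.org", "amy@example.com", 1.0, 9000),    # now a known sender
    ("192.0.2.10", "news@example.org", "amy@example.com", 7.5, 9100),    # uncertain score
    ("192.0.2.10", "news@example.org", "amy@example.com", 7.5, 9500),    # resend, tagged
    ("203.0.113.5", "worm@bad.example", "amy@example.com", 12.0, 9600),  # over Reject
]

if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE, replay(SAMPLE)[0]):
        print(attempt[1], attempt[4], decision)
```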
⇑ Top
Antivirus Capabilities
PerfectMail includes the excellent Clam Antivirus product in all versions of PerfectMail. ClamAV is an
excellent antivirus product that includes a fast scanning engine, very frequent updates, anti-Phishing
capabilities and much more. PerfectMail appliances check for updates hourly so you are always protected.
PerfectMail also includes a Server Admin → Update administrative link that lets you check for the very latest signatures on the fly.
⇑ Top
PerfectMail rejects all e-mails that contain a virus, a worm, a Phishing scam or an unwanted e-mail
attachment.
We do this because, try as we may, we could not think of any possible
circumstance where the recipient would want to receive such a message.
PerfectMail immediately responds with an SMTP reject code to the sender along with text that clearly
indicates:
- That the message was rejected
- That the message contains a worm, virus or phishing threat
- Which worm, virus or phishing threat we found in the message
We also encourage PerfectMail administrators to include additional text instructing the sender to contact
the recipient's help desk for assistance.
⇑ Top
PerfectMail can scan both .zip and password protected .zip files for viruses.
Our ability to peer into password protected .zip files ensures that your users are not
tricked into opening a .zip file that contains malicious programs.
Below is an example from PerfectMail's log file that shows PerfectMail scanning a password protected
.zip file:
2007/01/04 04:17:18 - Rejected Virus: Worm.Bagle-zippwd-26 72.226.65.103 "Xyip" yaaxaap@someDomain.com price_new04-Jan-2007
2007/01/04 10:39:42 - Rejected Virus: Worm.Bagle-zippwd-26 72.226.65.103 "Xyip" yaaxaap@someDomain.com price 04-Jan-2007
2007/01/04 12:47:47 - Rejected Virus: Worm.Bagle-zippwd-24 221.153.32.90 "Kgrego" victim@someDomain.com price_new05-Jan-2007
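Log lines like these can be summarised per sending host to spot machines that repeatedly send infected mail. This is an added example, not PerfectMail's code; the field names are assumptions inferred from the three sample lines above (the page does not document the log format), and the fourth sample line is constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Field layout inferred from the sample lines on this page (assumption):
# <timestamp> - Rejected Virus: <signature> <source IP> "<display name>" <address> <trailing text>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - Rejected Virus: '
    r'(?P<signature>\S+) (?P<ip>\S+) "(?P<name>[^"]*)" (?P<address>\S+)\s*(?P<rest>.*)$'
)

SAMPLE_LOG = """\
2007/01/04 04:17:18 - Rejected Virus: Worm.Bagle-zippwd-26 72.226.65.103 "Xyip" yaaxaap@someDomain.com price_new04-Jan-2007
2007/01/04 10:39:42 - Rejected Virus: Worm.Bagle-zippwd-26 72.226.65.103 "Xyip" yaaxaap@someDomain.com price 04-Jan-2007
2007/01/04 12:47:47 - Rejected Virus: Worm.Bagle-zippwd-24 221.153.32.90 "Kgrego" victim@someDomain.com price_new05-Jan-2007
2007/01/04 12:50:00 - some other log entry (constructed; must be skipped)
"""


def parse_line(line):
    """Return a dict for a 'Rejected Virus' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None  # malformed address or timestamp: skip rather than guess
    return {"time": ts, "signature": m["signature"], "ip": str(ip),
            "name": m["name"], "address": m["address"], "rest": m["rest"]}


def summarize(log_text):
    """Group rejections by source IP: count, signatures seen, first and last time."""
    hosts = defaultdict(lambda: {"count": 0, "signatures": set(),
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        h = hosts[rec["ip"]]
        h["count"] += 1
        h["signatures"].add(rec["signature"])
        h["first"] = rec["time"] if h["first"] is None else min(h["first"], rec["time"])
        h["last"] = rec["time"] if h["last"] is None else max(h["last"], rec["time"])
    return dict(hosts)


def repeat_sources(log_text, min_count=2):
    """Source IPs with at least min_count rejections, most active first."""
    hosts = summarize(log_text)
    return sorted((ip for ip, h in hosts.items() if h["count"] >= min_count),
                  key=lambda ip: -hosts[ip]["count"])


if __name__ == "__main__":
    for ip, h in summarize(SAMPLE_LOG).items():
        print(ip, h["count"], sorted(h["signatures"]), h["first"], h["last"])
```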
⇑ Top
Product Questions
In new installations, it is not uncommon for the Top Spammers and/or Top Legitimate graphs
to contain partial data, or no data at all. The reason the graphs are (partially) empty is that PerfectMail
has yet to see enough offending or legitimate traffic to slot a sending MTA into either category.
- Top Legitimate
To be regarded as a legitimate up-stream MTA, PerfectMail must see over 50 connections from an MTA
and 95% or more of these connections must score below the Accept threshold.
Since it is not uncommon for active legitimate
MTAs to occasionally score badly, PerfectMail doesn't insist on absolutely perfect behavior.
Only the top 50 MTAs are reported on the Top Legitimate list.
- Top Spammers
Senders have to work fairly hard to end up on our Top Spammer list. To qualify, the sender must have
connected to your server 50 or more times, and 95+% of those connections must be considered unwanted.
To be considered unwanted, the sender must either connect from a Real-Time Black Hole (RBL)
listed network or attempt to send e-mails to non-existent accounts
(i.e.: engage in brute-force guessing attempts in the hope of discovering new e-mail targets to spam).
There may be many MTAs on the Spammer list, but only the top
50 MTAs make it to the Top Spammers list.
⇑ Top
Security Questions
Many things actually. Here are some of the top things we've done to ensure that your appliance is
(and stays) secure:
- We use a hardened version of Linux
XPMsoftware has been working with Linux since 1993 - so Linux is our choice for
the base operating system on all PerfectMail appliances. We start with a stock Linux kernel and
then customize it to remove all unnecessary features (if it isn't there, it can't be abused).
- We strengthened Linux's firewall
Linux includes the excellent Netfilter IPTables
firewall. We rebuilt the Linux kernel to include the latest version of IPTables, and then added the
Tarpit ruleset as a selectable firewall target. I'll spare you the details - suffice it to say that
anyone port-scanning a Tarpit enabled PerfectMail box is going to have a very bad day! Note:
Tarpit interferes with the remote machine that is attempting to port scan us. It is so effective that the use of Tarpit in your jurisdiction may be illegal!
- We built custom firewall rules
We developed and tested a complete set of firewall rules that ensure your e-mail traffic is not at
risk due to malicious network traffic. All unneeded ports are blocked (either Reject, Drop or
Tarpit). All port scan attempts are logged (for future reference). All badly formed packets
are dropped. All attempts at IP address spoofing are rejected.
- Firewall rules are updated dynamically
We enhanced PerfectMail with the ability to block exhaustion attacks.
PerfectMail counts connection attempts from the same IP address on the Secure Shell (port 22).
After a modest number of incorrect attempts, the attacking machine is
dynamically firewalled from further connection attempts.
- Maintenance can only be done from our Network
XPMsoftware owns 3 Class-C netblocks (207.219.44/24, 209.89.117/24 and 204.225.114/24). We
configure every PerfectMail appliance so that maintenance connections are only accepted from these
network address ranges. People from other networks can try to connect - but they won't succeed even
if they did know valid user names and passwords.
- We PUSH updates
At XPMsoftware, we push updates to your appliance as soon as they are ready. There is no need to
check our site for the latest patches or updates and apply them yourself. That way, there is no
time interval between when a fix is available and when it is applied.
- We only open 3 ports
PerfectMail appliances only listen on port 25 (SMTP), port 80 (WEB) and port 22 (Secure Shell). All
other ports are closed. If the port isn't open, it can't be abused.
- All maintenance connections are encrypted
XPMsoftware uses strong public key encryption for all maintenance connections to your machine. Each
PerfectMail appliance is supplied with XPMsoftware's public encryption key. That way, we
connect to your appliance (only from our network) with a key that will only work with our
maintenance server.
All interactive sessions and all file transfers use encrypted connections - so there are no worries
about data capture on traffic between XPMsoftware and your appliance.
- We place our own PerfectMail appliances directly on the Internet
We recommend that you place your PerfectMail appliance(s) on a De-Militarized Zone or behind your
firewall. But, we place our systems right on the Internet!
We let hackers and crackers have a go at our systems to ensure that we've done a good job in locking
it down.
We take your security very seriously. We are constantly looking at new ways to further harden
PerfectMail appliances.
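The dynamic firewalling of repeated Secure Shell failures and the restriction of maintenance logins to XPMsoftware's netblocks, both described above, can be modelled over authentication log lines. This is an added example, not XPMsoftware's code; the log lines are constructed in OpenSSH's "Failed password" format, and the limit of 5 failures within 10 minutes is an assumption (the page only says "a modest number").

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Maintenance netblocks as listed on the page, written out in full CIDR form.
MAINTENANCE_NETS = [ipaddress.ip_network(n) for n in
                    ("207.219.44.0/24", "209.89.117.0/24", "204.225.114.0/24")]
MAX_FAILURES = 5                 # assumed limit
WINDOW = timedelta(minutes=10)   # assumed counting window
LOG_YEAR = 2007                  # syslog timestamps carry no year; assumed for the sample

FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def failed_line(ts, ip):
    """Build one constructed sshd failure line."""
    return f"{ts} pm sshd[4242]: Failed password for invalid user admin from {ip} port 50000 ssh2"


# Constructed sample: one fast guesser, one slow prober, one successful maintenance login.
SAMPLE_LOG = sorted(
    [failed_line(f"Jan 14 08:00:{s:02d}", "198.51.100.23") for s in (0, 15, 30, 45)]
    + [failed_line("Jan 14 08:01:00", "198.51.100.23")]
    + [failed_line(f"Jan 14 {t}", "203.0.113.9")
       for t in ("08:00:00", "08:15:00", "08:30:00", "08:45:00", "09:00:00")]
    + ["Jan 14 09:05:00 pm sshd[4243]: Accepted publickey for maint from 207.219.44.17 port 50001 ssh2"]
)


def hosts_to_block(log_lines):
    """Return {ip: time the limit was reached} for hosts with too many recent failures."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    blocked = {}
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue              # not an IP address: ignore the line
        if ip in blocked:
            continue              # already firewalled
        when = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= MAX_FAILURES:
            blocked[ip] = when
    return blocked


def ssh_allowed(src, blocked):
    """A maintenance login must come from a maintenance netblock and not be blocked."""
    ip = ipaddress.ip_address(src)
    return str(ip) not in blocked and any(ip in net for net in MAINTENANCE_NETS)


if __name__ == "__main__":
    blocked = hosts_to_block(SAMPLE_LOG)
    print(blocked)
    for src in ("207.219.44.17", "198.51.100.23", "203.0.113.9"):
        print(src, ssh_allowed(src, blocked))
```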
⇑ Top
Implementation Questions
There are a number of reasons why the amount of Spam you receive does not go down immediately
after implementing PerfectMail.
Here are the most common reasons along with suggestions on how to fix the problem:
- You may be receiving e-mail from unprotected mail accounts
It is quite common for people to have multiple e-mail accounts. Modern mail clients (e.g.: Outlook) can poll for
mail from many sources and consolidate it into a single in-basket. PerfectMail will block Spam from your
protected accounts but not from unprotected accounts.
If all of your e-mail accounts are on local servers, then you can solve the problem in one of 2 ways:
-
Be sure that PerfectMail filtering is configured for all of your domains. To do this, create domain records in
PerfectMail for all local mail servers and all of their respective domains. Be sure to indicate that each
domain has filtering enabled (Domains -> Your Domain -> Filtering Enabled is checked).
-
Ensure that all mail is directed to your PerfectMail server. This may involve updating DNS mail exchanger
(MX) records so that they direct mail to your new PerfectMail server or changing the SMTP port forwarding
rules at your firewall to direct all traffic to your PerfectMail appliance.
- You may be receiving e-mail from remote mail servers
PerfectMail can only protect e-mail traffic directed to local mail servers. Often people use a mix of e-mail
accounts on both local and remote mail servers. PerfectMail cannot protect remote mail servers or popular
Web based mail services like HotMail, MSN or Yahoo Mail.
- You may have insecure mail relays
PerfectMail can be told to accept all e-mail from a trusted source. If this trusted mail server also accepts
mail from the Internet, then you are providing a back door through which Spam may arrive.
To solve this problem, ensure that your internal trusted mail relays do not accept e-mail directly from the
Internet. Stated another way, all internal relays must be outbound only mail relays, not inbound mail relays.
- Spammers may continue to use your old IP address
A common implementation strategy is to provide PerfectMail with a new IP address and then redirect e-mail to the
new address via DNS MX record updates. This strategy works well for legitimate senders but may result in no
immediate decrease in Spam.
Our research has shown that Spam engines do not do DNS queries for each message they send. Instead, they query
DNS once and then remember (cache) the answer - sometimes for months. Since DNS queries take time and mail
servers rarely change IP addresses, caching IP addresses helps Spammers send out much higher volumes of junk mail.
Often, the old IP address is still a legitimate pathway to your mail server. If true, and spammers have cached
your mail server's IP address, then Spam will continue to show up in your inbox.
You can solve this problem by migrating all of your domains to PerfectMail as quickly as possible.
Once this is done, configure your firewall to shut down mail handling on the old IP address.
Another solution is to configure your local mail server so that protected domains may only communicate
with the mail server from the IP address assigned to PerfectMail (as that is their only legitimate pathway).
The local mail server should not accept SMTP traffic for protected domains directly from the firewall.
⇑ Top
To function at its peak, PerfectMail needs to know the e-mail addresses of the users it is protecting.
There are many ways of determining which recipients are valid, such as:
- Static Lists of valid e-mail addresses. This is called List Validation and is supported in
PerfectMail through Domain Admin → Valid Addresses.
- Query Active Directory (or some other directory service such as LDAP). This feature is not available
in PerfectMail.
- Ask the protected mail server if an e-mail address is valid. This is called SMTP Validation.
Of all of the possible options, simply asking the protected mail server if a recipient is valid is the
simplest and most effective - if your mail server supports this feature. Unfortunately, not all mail
servers support SMTP validation.
Sendmail, IMail, EXIM, Scalix, NetMail, GroupWise and Domino all support SMTP validation by default.
Exchange 5.5 cannot support SMTP Validation. Exchange 2000 and 2003 can support SMTP validation but require
a configuration change to do so. QMail does not support SMTP Validation.
⇑ Top
SMTP Validation works by opening an e-mail connection to the protected mail server. Using the newly opened
connection, PerfectMail announces itself to the mail server, declares its intention to send mail to the
target recipient and then checks the return code for that recipient. PerfectMail then records the success
or fail code for the recipient in question.
It is easy to query a mail server to see if a recipient is valid. The trick is to telnet
directly to the mail server on the SMTP port (port 25) and converse with it.
Here is a sample session that accomplishes this task (the commands typed in are the telnet, HELO,
MAIL FROM:, RCPT TO: and QUIT lines):
C:\> telnet 10.0.1.2 25
Trying 10.0.1.2...
Connected to 10.0.1.2.
Escape character is '^]'.
220 scorpion.aei.on.ca ESMTP Sendmail 8.12.9/8.12.3; Wed, 3 Jan 2007 20:37:26 -0500
HELO someServer.someDomain.com
250 scorpion.aei.on.ca Hello scorpion.internal.aei.on.ca [10.0.1.2], pleased to meet you
MAIL FROM: <>
250 2.1.0 <>... Sender ok
RCPT TO: invalidUser@aei.on.ca
550 5.1.1 invalidUser@aei.on.ca... User unknown
QUIT
C:\> _
If your mail server supports SMTP Validation, and you provide an invalid local e-mail address to the RCPT
TO: command, your mail server will respond with an SMTP 550 error code. However, if you supply an
invalid e-mail address to the RCPT TO: command and your mail server returns an SMTP 250 success
code, then your mail server does not support SMTP Validation, and you should not use this feature.
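The same check can be scripted against your own protected mail server. The following is an added example, not PerfectMail code: it repeats the dialog from the telnet session for one address you know is valid and one random address that should not exist, so that a server which refuses every recipient is not mistaken for one that supports SMTP Validation. The HELO name probe.example.org, the function names and the smtp_factory parameter are assumptions made for this example.

```python
import smtplib
import sys
import uuid

ACCEPTED = {250, 251}        # recipient accepted
REJECTED = {550, 551, 553}   # recipient permanently refused ("User unknown")

def rcpt_codes(host, recipients, port=25, helo="probe.example.org",
               smtp_factory=smtplib.SMTP):
    """Replay the dialog from the telnet session: HELO, MAIL FROM:<>, then one
    RCPT TO per address. DATA is never sent, so nothing is delivered."""
    codes = {}
    with smtp_factory(host, port, timeout=15) as smtp:  # QUIT is sent on exit
        smtp.helo(helo)                                 # hypothetical HELO name
        smtp.mail("")                                   # null sender, MAIL FROM:<>
        for address in recipients:
            code, _reply = smtp.rcpt(address)
            codes[address] = code
    return codes

def verdict(good_code, bogus_code):
    """Decide from the two RCPT TO reply codes whether SMTP Validation is usable."""
    if bogus_code in ACCEPTED:
        return "unsupported"    # 250 for an invalid user: use List Validation
    if bogus_code in REJECTED and good_code in ACCEPTED:
        return "supported"      # 550 for the invalid user, 250 for the real one
    return "inconclusive"       # 4xx, or the valid address was refused as well

def check_smtp_validation(host, known_good, **options):
    """Probe with one real mailbox and one random mailbox in the same domain."""
    domain = known_good.rsplit("@", 1)[1]
    bogus = "no-such-user-%s@%s" % (uuid.uuid4().hex[:12], domain)
    codes = rcpt_codes(host, [known_good, bogus], **options)
    return verdict(codes[known_good], codes[bogus])

if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: python check_validation.py <mail server IP> <a valid address>
    print(check_smtp_validation(sys.argv[1], sys.argv[2]))
```

An "inconclusive" result usually means the mail server answered with a temporary (4xx) code or does not accept mail from the host running the check; repeat it from a host the server trusts.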
⇑ Top
To function at peak effectiveness, PerfectMail needs to determine which e-mail addresses in the
protected domains are valid and which addresses are invalid. PerfectMail uses this information to ensure
that messages to valid users are handled correctly and to block e-mail address harvesting attempts
(guessing e-mail addresses).
Stopping e-mail address harvesting attempts is critical because, on average,
50% to 95% of all e-mail connections are e-mail address guessing and/or e-mail relay attempts.
PerfectMail can verify that a protected e-mail address is correct through either
SMTP Validation or List Validation. Currently, PerfectMail does
not do LDAP or MS Active Directory validation.
Most organizations have a relatively static list of valid e-mail users. If this is true of your company,
enabling List Validation will speed up mail filtering and will reduce the workload of your back end mail
server.
To enable List Validation, please do the following:
- Create a text file of all of the valid e-mail addresses for your organization. You can usually copy and
paste this information from your mail server.
- Remove any proper names from your e-mail address list. E-mail addresses should look like
user@domain.com and not <user@domain.com>,
"Jane Doe" jane.doe@domain.com or Jane Doe <jane.doe@domain.com>.
- Copy and paste the valid user list into PerfectMail (Domain Admin → Valid Addresses).
- Click Update to activate the valid user list.
Note that List Validation is always on (Domain Admin → Select Your Domain → E-mail
List Validation). You do not need to restart PerfectMail or reboot the appliance for List Validation
to take effect.
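The clean-up in the first two steps above can be scripted before the list is pasted in. The following is an added example, not part of PerfectMail: it reduces each exported line to a bare address, drops duplicates, and reports lines that need a human decision (no address, several addresses, or a domain that is not protected). The sample export is constructed, partner.example is a made-up domain, and lower-casing addresses assumes they are matched without regard to case.

```python
import re

# One bare address: local part, "@", then a dotted domain name.
ADDR = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample of what a mail server export often looks like.
SAMPLE = '''user@domain.com
<User@Domain.com>
"Jane Doe" jane.doe@domain.com
Jane Doe <jane.doe@domain.com>
John Roe <john.roe@partner.example>
Sales Team
ann@domain.com; bob@domain.com
'''

def clean_address_list(text, protected_domains):
    """Return (valid, rejected): bare addresses ready to paste, and
    (line_number, line, reason) for every line that was not accepted."""
    domains = {d.lower() for d in protected_domains}
    valid, seen, rejected = [], set(), []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        found = ADDR.findall(line)
        if len(found) != 1:
            reason = "expected exactly one address, found %d" % len(found)
            rejected.append((number, line, reason))
            continue
        address = found[0].lower()   # assumption: case-insensitive matching
        if address.rsplit("@", 1)[1] not in domains:
            rejected.append((number, line, "domain is not protected"))
            continue
        if address not in seen:      # keep the first occurrence only
            seen.add(address)
            valid.append(address)
    return valid, rejected

if __name__ == "__main__":
    good, bad = clean_address_list(SAMPLE, ["domain.com"])
    print("\n".join(good))
    for number, line, reason in bad:
        print("line %d skipped (%s): %s" % (number, reason, line))
```

Review the skipped lines by hand: a valid user left out of the list will have legitimate mail refused.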
Once you have created your valid e-mail addresses list, PerfectMail will consult this list before contacting
the protected mail server(s). This eliminates the e-mail traffic associated with e-mail address validation.
This may result in a noticeable reduction in load on your back end mail server.
Note: If your mail server cannot (or is not configured to) do SMTP Validation,
we strongly recommend you enable List Validation.
List Validation is the only remaining way for PerfectMail to defend against e-mail address harvesting and
e-mail relay attacks.
⇑ Top
In a word - no.
PerfectMail is designed to protect local mail servers only. PerfectMail works by accepting, filtering and
forwarding e-mail before it arrives at your local mail server.
Since we have not (yet) sold PerfectMail to any of the (above) service providers, you cannot protect
accounts on these services with PerfectMail.
⇑ Top
Sizes and Limits
No. You are free to protect as many users as you like.
We size our machines to meet various performance and redundancy requirements. We then make recommendations
on a reasonable user population for each appliance. Our customers can, and often do, exceed our
recommendations by as much as 500%.
We make conservative recommendations because mail servers have no control over the
volume of traffic they receive. For example, we've seen malicious activity jump by 1,000% or more
even on our smallest appliances. Our
appliances are sized to handle large increases in traffic without impacting the delivery of legitimate
mail.
We recommend that you use our user population guidelines as a starting point
and then consider higher or lower end
models as your budget, redundancy requirements, etc. dictate. If you are uncertain,
call us and we will help
you with your selection.
⇑ Top
No. PerfectMail appliances are configured to limit the number of concurrent messages they handle to fit
within their hardware capabilities. Any excess connections are simply told to try again
later. Our approach is 100% compliant with SMTP standards and will work with any mail server. This
guarantees that, while mail may be delayed during extreme loads, your appliance won't crash and mail
will be delivered as soon as possible.
⇑ Top
Yes. Outbound mail is normally delivered as soon as it is seen. If, however, you are sending a large
e-mail blast, PerfectMail will queue any traffic it cannot handle immediately and will send it as soon
as possible. Normally, delays (if any) are minimal.
⇑ Top
No. Protect as many domains as you like.
Many of our ISP clients protect 300 to 1,000 or more domains on a single
appliance. PerfectMail is extremely popular with ISPs because we do not
set license restrictions on the number of domains, users or mail servers.
⇑ Top
As many as you like.
There are no license or other artificial
limits on the number of mail servers you can protect with PerfectMail.
To protect a new mail server, simply identify it by IP address when you add a new domain to PerfectMail.
Once PerfectMail knows about your mail server, it will act as a mail relay - forwarding clean, filtered
e-mail through to the appropriate server.
⇑ Top
__________
[1] PerfectMail false positive claims are valid for e-mails exchanged between
auto-discovered e-mail peers (ongoing exchange between sender and recipient).
For inbound only senders (recipient never replies to the sender) PerfectMail typically
achieves accuracy in excess of 99%.
[2] PerfectMail will continue to reject unwanted file attachments and viruses. Otherwise, an
auto-discovered e-mail peer relationship is scored so strongly that the sender's messages will
never be rejected.