Technical details
How e-mail works
To help you understand how spam is sent and how Emergic Cleanmail blocks it, let us explain the basics of how email is sent on the Internet.
Let us assume that your email address is john@yourdomain.com and that someone sends you an email message.
The sender's server will query the public DNS (Domain Name Service) system for the "MX" records for the domain yourdomain.com.
The answer to the query will typically consist of a single "MX" record, such as:
yourdomain.com MX priority=10 mail1.bighost.net
In this example, the domain yourdomain.com is probably being hosted by the company Bighost.net, and mail1.bighost.net is the hosting company's mail server. Basically, this record is telling the public that all email for the domain yourdomain.com should be delivered to the mail server mail1.bighost.net, which has been assigned to handle email for the domain.
The sender's mail server then connects to mail1.bighost.net and sends it the message. The Bighost.net mail server then delivers the message locally to your john@yourdomain.com inbox and holds the message until you log in and check your email.
Going into a bit more detail, mail servers do not connect using names such as mail1.bighost.net, but rather using IP addresses (such as 64.123.38.149). So the sending mail server actually first does an "A" record DNS lookup for mail1.bighost.net. This "A" record contains the IP address of the mail1.bighost.net server. Internet traffic can only be routed by IP address; the names are just for us humans.
The receiving mail server records in the header of your email message the IP address of the sending mail server. It also records the sender's supposed email address.
Spammers often use a fake reply email address and even a fake name for their mail server. However, they cannot fake the IP address of their mail server.
More about "MX" records
If your domain's web and email are hosted by a third-party company, then more than likely that hosting company has set up your MX records for you. If your domain's web or email is hosted on your own servers, then the person in charge of those servers (probably you) or the IT department set up the MX records.
While most domains have just one "MX" record, your domain can have multiple MX records. After you sign up for our service and receive our confirmation, you activate the service by adding three more MX records to your domain.
The MX records might then be:
yourdomain.com MX priority=5 yourdomaincom.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomaincom.relay1b.spamh.com
yourdomain.com MX priority=10 mail1.bighost.net
yourdomain.com MX priority=20 yourdomaincom.relay1c.spamh.com
When a mail server sends email to your domain, it first attempts to send it according to the MX record with the highest priority (the lowest number). If a connection to that server cannot be established, the sending mail server tries the next highest priority MX record, and so on until it has gone through all of the MX records.
In the example above, "yourdomaincom.relay1a.spamh.com" has the highest priority and will therefore receive all mail (unless there is a connection failure). As described later, this is our mail "relay", which filters your email for spam. After we filter your email, it is relayed back to your actual mail server ("mail1.bighost.net" in this example), which you set in the Dashboard. Because your actual mail server is a private configuration setting, it doesn't even need to be in the MX records, as you will read later.
A nice feature of MX records is built-in "auto-failover". If the highest priority mail server goes off-line, mail is automatically sent to the next highest priority mail server.
Therefore, if the primary anti-spam relay for your domain should go off-line due to a system failure, maintenance, or any other reason, the backups automatically take over. In the unlikely event the primary two relays for your domain went off-line, email would be sent directly to your "real" mail server. So you wouldn't lose any email, it just wouldn't be filtered for spam.
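The MX ordering and auto-failover described above, modelled as an added example (this is not code from the original page or from the Emergic Cleanmail service). The record text and the stand-in `simulated_connect` function are constructed; a real sender opens a TCP connection on port 25 instead.

```python
# Added example (not from the original page): models how a sending mail
# server walks a domain's MX records, as described in the text above.
from typing import Callable, List, Optional, Set, Tuple

# Constructed MX records in the page's "domain MX priority=N host" notation.
SAMPLE_MX = """
yourdomain.com MX priority=5 yourdomaincom.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomaincom.relay1b.spamh.com
yourdomain.com MX priority=10 mail1.bighost.net
yourdomain.com MX priority=20 yourdomaincom.relay1c.spamh.com
"""


def parse_mx(text: str) -> List[Tuple[int, str]]:
    """Turn 'domain MX priority=N host' lines into (priority, host) pairs."""
    records = []
    for line in text.strip().splitlines():
        _domain, rtype, prio, host = line.split()
        if rtype.upper() != "MX":
            continue
        records.append((int(prio.split("=", 1)[1]), host.lower()))
    return records


def delivery_order(records: List[Tuple[int, str]]) -> List[str]:
    """The lowest priority number is tried first.  Hosts sharing a number are
    kept in input order here; real MTAs pick among them at random."""
    return [host for _, host in sorted(records, key=lambda r: r[0])]


def deliver(records: List[Tuple[int, str]],
            connect: Callable[[str], bool]) -> Optional[str]:
    """Attempt delivery host by host and return the host that accepted the
    connection.  None means every MX host was unreachable; a real sender
    would then queue the message and retry later rather than drop it."""
    for host in delivery_order(records):
        if connect(host):
            return host
    return None


def simulated_connect(down: Set[str]) -> Callable[[str], bool]:
    """Stand-in for a TCP port 25 connection: hosts in `down` refuse."""
    return lambda host: host not in down


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_MX)
    print(delivery_order(recs))
    # Primary relay down: delivery fails over to the backup relay.
    print(deliver(recs, simulated_connect({"yourdomaincom.relay1a.spamh.com"})))
```

With both relay1a and relay1b marked down, `deliver` falls through to mail1.bighost.net, which is exactly the "unfiltered but not lost" case the text describes.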
When our service is activated, you will have to change, or authorize the change of your MX records. We cannot do that for you; only you and possibly your hosting company have (legal) access to your MX records.
When changing MX records, keep in mind that the changes do not take place instantly, because many DNS servers will have cached the old entry. Therefore, the changes must "propagate" throughout the Internet's many DNS caches. The suggested time to cache a record lookup is set by the "TTL" (Time-To-Live) value of your MX records, but some senders' DNS caches will take a bit longer to update. A typical TTL value is 43200 seconds (12 hours) or 86400 seconds (24 hours). After the MX record changes are complete, some email will start being filtered immediately. Even more will be filtered after the TTL has passed, but the majority might not be filtered for up to 72 hours. This is because some DNS caching servers don't honor TTL values, but cache records for up to 72 hours.
If you don't know how to change your MX records, that is no problem. This probably just means that someone else takes care of that for your domain. We will email you the necessary information and you can simply forward the request to them (probably your email hosting company or IT department).
More about the anti-spam relays
The page "How it works" describes how our service blocks spam based on URLs, content, countries and black-lists. This is an explanation of how the relays work.
When your service is activated, you will be assigned three "relays" (servers) which must be added to your MX records. One is the "primary" relay and the others are the "backup" relays.
Since spam filtering is certainly desirable, but not mission critical, you might think that having a backup relay is overkill. There are several reasons why every customer gets backup relays:
• It allows us to perform maintenance work on one relay without disrupting your service.
• As described later, for maximum spam blocking, you can remove your "real" mail server from the MX records. In that case, a backup relay is needed for maximum reliability.
• For your peace of mind and ours. We recognize that email is now critical to any business.
• To allow us to do some load balancing.
Each relay is a dedicated server that we rent from large data centers with redundant fiber-optic Internet connections, 24/7 monitoring, UPS and generator backup and physical security. For maximum reliability, the primary and backup relays assigned to each customer reside in different data centers, owned by different companies, in the United States and India.
In addition to the primary and backup relays, we also have ready-to-run standby servers. Therefore, if a primary/backup relay fails, another server will quickly take its place.
When using our service, the weakest link in your email reliability is probably the reliability of the DNS servers that hold your MX records. Domains are supposed to have two DNS servers, but unfortunately both servers are often in the same room on the same Internet connection.
The Cleanmail.in website is database driven and resides on another dedicated server, separate from the relays. This server handles all account information, including any changes you make via the "Members" Dashboard. Every five minutes, this server automatically updates the databases on the relay(s).
Suggested Configuration Settings
There are four actions that you can take on email that is caught by our filters as spam. These are configurable in the Domain Dashboard after signing up.
1. Deliver
In this action, all the spam mails will be tagged as SPAM and will be delivered to the end users.
2. Forward
In this action, all the spam mails are forwarded to a specified e-mail account, tagged as spam and are not received by any end user.
3. Forward & Deliver
In this action, all the spam mails are tagged and delivered to the end users, and also on a specified e-mail account.
4. Quarantine
In this action, all the spam mails are spooled on our server, where the system administrator can log in and review them. If the quarantine contains a genuine mail of yours, you can release it.
Spam Digest: When you choose Quarantine as the action for your spam mails, we also offer Spam Digest, which is an email notification containing a summary of the spam mails blocked for a specific user. Spam Digest can be sent daily or weekly to users whose spam mails have been quarantined. Each individual user can check the mails quarantined for their email address and release any genuine mail that was blocked.
Mechanisms Emergic Cleanmail uses to Block Spam
Scoring Mechanism (Heuristics & Bayesian):- We have over 3000 rulesets, updated constantly to detect recent spam outbreaks. This is supported by Bayesian technology, which uses artificial intelligence to classify mails as spam. This technique assigns a score to the mail based on the detections made by the heuristics and classifies mails as spam based on the cumulative score.
Realtime Blacklist Filtering :- Several organizations and companies constantly identify mail servers that are actively sending spam. They publish "real-time blacklists" (RBLs) of the IP addresses of these mail servers, which are updated daily, even hourly. We have chosen five of the better-known RBLs for selection within the Emergic Cleanmail service (by default, all are selected). Our main criterion was to choose RBLs that are least likely to block legitimate email.
Fingerprint Checks (Recurrent pattern detection, DCC):- This technique is used for bulk mail classification. It is based on the concept that, at a given point in time, the larger the number of copies of an e-mail in circulation on the Internet, the greater the probability that it is spam.
URL Checks:- This system analyses the URLs embedded in a mail and checks them against a database of known spammer domains. This technique identifies phishing scams as well as spam.
DNA Checks (Razor):- Spammers generally modify the spam contents to evade detection. This technique identifies the change and matches the variation against a database of known spam.
Content Filtering :-
• Allows/denies attachments based on filename, providing implementation of any email security policy. Easily used to block attachments that are common ways of disguising viruses, e.g. ReadMe.doc.exe. These rules can be varied for different users.
• HTML-Based Attacks
• Scans for common signs of attack, such as certain HTML tags that have been used many times to exploit vulnerabilities in Outlook (and Outlook Express) and Internet Explorer.
• Dangerous HTML content can be stripped. Checks and traps are added for all known Outlook, Outlook Express, Internet Explorer and Eudora security vulnerabilities.
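An attachment filename policy of the kind described in the first bullet, as an added example (not code from the original page or from the Emergic Cleanmail product). The blocked-extension list is a constructed sample; the point is that the decision is made on the final extension, so the ReadMe.doc.exe disguise named above is caught.

```python
# Added example (not from the original page): an attachment filename policy of
# the kind described above.  The extension list is a constructed sample.
from typing import Tuple

# Constructed sample of extensions that Windows will execute directly.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def normalise_name(filename: str) -> str:
    """Lower-case and drop trailing dots/spaces, which Windows ignores, so
    'setup.EXE.' is judged by its real extension."""
    return filename.strip().rstrip(". ").lower()


def attachment_verdict(filename: str) -> Tuple[bool, str]:
    """Return (allowed, reason).  The decision is made on the *final*
    extension, so a double extension such as ReadMe.doc.exe is caught even
    though the inner '.doc' looks harmless."""
    name = normalise_name(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return True, "no extension"
    final = "." + parts[-1]
    if final not in BLOCKED_EXTENSIONS:
        return True, "extension not in blocked list"
    if len(parts) > 2:
        return False, f"double extension disguises {final}"
    return False, f"blocked extension {final}"


if __name__ == "__main__":
    for name in ("ReadMe.doc.exe", "Invoice.PDF.scr ", "setup.EXE.", "report.pdf"):
        print(name, "->", attachment_verdict(name))
```

Per-user variation, which the bullet mentions, is a matter of passing a different extension set per recipient; the normalisation step is what keeps trailing-dot and mixed-case tricks from slipping past the list.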
Whitelists and Blacklists :
While our service requires no "tuning" or " learning", and is unlikely to block legitimate email, you can ensure that important clients and contacts are never blocked by adding them to your domain-specific Whitelist. This is especially useful if you have a few clients in countries that you mostly want to block.
For example, some of our customers have many contacts in China. They have chosen to add these contacts to their Whitelist and otherwise block all email from China.
You can whitelist by email address, domain name, IP address or content.
To further reduce the chance that mail from legitimate companies is blocked, we maintain a Global Whitelist for all customers. Companies with large customer mailing lists sometimes get blacklisted just due to their volume of email. We add these and other reputable companies to the global white-list. We will gladly consider customer suggestions, which can be submitted from the Control Panel.
The custom Blacklist can be used to, e.g., block someone who is harassing your employees. Or you might want to block recruiters, mailing lists or anyone else that you don't want contacting your employees. You can blacklist by email address or by IP address.
We prefer that customers not attempt to block any remaining spam themselves (unlike other anti-spam systems). Instead, it should be forwarded to us and our staff will immediately create the most appropriate filter for it.
The "Dictionary Checks" can handle any special needs. For example, if your company makes a product called "MasterWidget", you can add a Whitelist filter to accept any email that contains "MasterWidget" anywhere within it.
Options to stop even more spam
(Optimal MX Records)
Adding our anti-spam relays to your MX records will typically stop 95% of all spam. By implementing the options described here, you can typically stop 98% - 99% of all spam.
Some "sneaky" spam is not sent to the highest priority MX records, but rather to the lowest priority MX records. This is an attempt to bypass spam filters, such as ours, since the "real" mail server is typically listed in the lowest priority MX record. (This probably can't happen with open relays, but only with spammers that have modified the mail server software just for this purpose.) This is often the most offensive, vulgar spam of all.
One method of reducing this sneaky spam is to "sandwich" your real mail server between our relays, as in the following example MX records:
yourdomain.com MX priority=5 yourdomaincom.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomaincom.relay1b.spamh.com
yourdomain.com MX priority=10 mail1.bighost.net
yourdomain.com MX priority=20 yourdomaincom.relay1c.spamh.com
Notice that both the lowest and highest priority MX records point to our service. This is the initial configuration that we recommend when signing up.
While this "sandwiching" helps, some sneaky spam will still bypass our service and hit the real mail server directly.
The solution to stopping this spam is to remove your "real" mail server from the MX records, leaving only our relays, as in the following example MX records:
yourdomain.com MX priority=5 yourdomaincom.relay1a.spamh.com
yourdomain.com MX priority=6 yourdomaincom.relay1b.spamh.com
yourdomain.com MX priority=20 yourdomaincom.relay1c.spamh.com
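The three MX layouts discussed in this section (real server exposed as the lowest-priority record, "sandwiched", and relays only), classified by an added example that is not code from the original page or from the service. The hostnames and the ".spamh.com" relay suffix are taken from the page's own examples; the layouts themselves are constructed from them.

```python
# Added example (not from the original page): classifies an MX layout the way
# the text above does.  Hostnames and the ".spamh.com" suffix come from the
# page's examples; the configurations are constructed from them.
from typing import List, Tuple

RELAY_SUFFIX = ".spamh.com"  # the anti-spam relays in the page's examples

# Constructed layouts, each a list of (priority, host).
LAYOUTS = {
    "single real server": [(10, "mail1.bighost.net")],
    "relays in front only": [(5, "yourdomaincom.relay1a.spamh.com"),
                             (6, "yourdomaincom.relay1b.spamh.com"),
                             (10, "mail1.bighost.net")],
    "sandwiched": [(5, "yourdomaincom.relay1a.spamh.com"),
                   (6, "yourdomaincom.relay1b.spamh.com"),
                   (10, "mail1.bighost.net"),
                   (20, "yourdomaincom.relay1c.spamh.com")],
    "relays only": [(5, "yourdomaincom.relay1a.spamh.com"),
                    (6, "yourdomaincom.relay1b.spamh.com"),
                    (20, "yourdomaincom.relay1c.spamh.com")],
}


def is_relay(host: str) -> bool:
    return host.lower().endswith(RELAY_SUFFIX)


def audit_mx(records: List[Tuple[int, str]]) -> str:
    """Return one of 'no-mx', 'unfiltered', 'relays-only',
    'relay-not-preferred', 'sandwiched' or 'real-server-exposed'.
    Records are examined in preference order: lowest number first."""
    hosts = [h for _, h in sorted(records, key=lambda r: r[0])]
    if not hosts:
        return "no-mx"
    if not any(is_relay(h) for h in hosts):
        return "unfiltered"            # nothing passes through a relay
    if all(is_relay(h) for h in hosts):
        return "relays-only"           # every delivery path is filtered
    if not is_relay(hosts[0]):
        return "relay-not-preferred"   # normal senders hit the real server first
    if is_relay(hosts[-1]):
        return "sandwiched"            # real server is neither first nor last choice
    return "real-server-exposed"       # least-preferred MX is the real server


if __name__ == "__main__":
    for name, records in LAYOUTS.items():
        print(f"{name:22s} -> {audit_mx(records)}")
```

Only "relays-only" closes the path that the text calls sneaky spam; "sandwiched" still leaves the real server reachable by any sender that tries the middle record directly.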
Note: If your domain uses an ISP's mail server, the ISP may not allow you to remove their mail server from your MX records. Making these changes might interfere with the successful handling of your email by your ISP's mail server. You should check with them before attempting it.
Since your email depends entirely on our servers, you will appreciate that we provide all customers with both a primary and backup relays. While our service is designed to provide the highest reliability, for your protection, we still ask that you follow these guidelines:
• Wait at least 1 day after activating our service before removing your mail server from the MX records. (Please note: some spam may still escape through the MX record of your mail server while it remains listed.)
• While the change shouldn't cause even a single email to be lost, plan on making the MX change during a quiet period. Then make the change, wait for the amount of time set by the TTL value (typically 12 hours), and test by sending email from another domain, e.g. Yahoo or Hotmail. If it doesn't seem to work, please call us for technical support and/or restore the original MX records.
• Remove the existing MX entries (after smooth activation of the service) and replace them with our MX records to make sure Emergic Cleanmail performs full-fledged filtering for your domain.
It is not necessary to contact us or even to make any changes to your Emergic Cleanmail Dashboard when removing your mail server from the MX records.
Another "trick" which a few spammers are using is to assume that the "real" mail server has the same IP address as the domain's web server. This is typically true only for small businesses that have a single in-house server or are using a "virtual private server" at a hosting company. If you fall in this category, you may want to look into the feasibility of using separate IP addresses for your web and mail servers, or using a firewall - see below. (Technical: we are assuming here that your domain's "A" record points to your web server.)
To completely stop aggressive spammers from directly hitting the mail server, some of our customers have configured their firewall to only accept mail (TCP port 25 traffic) from our servers. If you wish to do this, please contact us for a list of all IP addresses that should be added to your firewall. Besides the primary and backup relays, we have additional ready-to-run servers on standby; if a primary/backup relay fails, another server will quickly take its place. Therefore, your firewall must contain the IP addresses of the primary, backup and standby servers.
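The firewall rule above can be mirrored by a check on the real mail server: the IP your server records in the topmost Received header (which, as explained earlier, the sender cannot fake) either belongs to a relay or it does not. The following is an added example, not code from the original page or from the service. The relay address ranges are constructed placeholders in documentation address space (the real list comes from the vendor), and both sample messages are constructed.

```python
# Added example (not from the original page): checks, on the real mail
# server's side, whether a message arrived through the anti-spam relays or hit
# the server directly.  Relay IP ranges are constructed placeholders (the real
# list comes from the vendor); the sample messages are constructed too.
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Constructed placeholder ranges (RFC 5737 documentation space), standing in for
# the primary, backup and standby relay addresses the page says to allow-list.
RELAY_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/28"),
    ipaddress.ip_network("198.51.100.0/29"),
]

# "Received: from <helo-name> (<reverse-dns> [<ip>]) by ..." as written by the
# receiving server.  The HELO name is chosen by the sender; the IP is not.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?:IPv6:)?(?P<ip>[^\]]+)\]",
    re.IGNORECASE,
)

# Constructed: a message that came through the primary relay ...
MSG_VIA_RELAY = """\
Received: from yourdomaincom.relay1a.spamh.com (yourdomaincom.relay1a.spamh.com [192.0.2.7])
\tby mail1.bighost.net with ESMTP id 0001 for <john@yourdomain.com>
Received: from sender.example.net (sender.example.net [203.0.113.9])
\tby yourdomaincom.relay1a.spamh.com with ESMTP id 0002
From: friend@example.net
Subject: hello

body
"""

# ... and one that connected straight to the real server, announcing itself
# with the real server's own name in HELO (only the IP can be trusted).
MSG_DIRECT = """\
Received: from mail1.bighost.net (unknown [203.0.113.45])
\tby mail1.bighost.net with ESMTP id 0003 for <john@yourdomain.com>
From: offers@example.com
Subject: buy now

body
"""


def connecting_ip(raw_message: str) -> Optional[str]:
    """IP recorded by *our* server in the topmost Received header."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_FROM.search(received[0])
    return match.group("ip") if match else None


def bypassed_relays(raw_message: str,
                    networks: Optional[List] = None) -> bool:
    """True when the peer that handed us the message was not a known relay."""
    networks = RELAY_NETWORKS if networks is None else networks
    ip = connecting_ip(raw_message)
    if ip is None:
        return True  # no parseable peer: treat as not vetted by a relay
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in networks)


if __name__ == "__main__":
    for label, msg in (("via relay", MSG_VIA_RELAY), ("direct", MSG_DIRECT)):
        print(label, connecting_ip(msg), "bypassed:", bypassed_relays(msg))
```

The check is worth running even after the firewall is in place: a message flagged by `bypassed_relays` on a server that should only hear from the relays means the firewall allow-list is incomplete, which is the failure mode the paragraph above warns about when standby servers are left out.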