General Technical Training - PowerPoint PPT Presentation

1
General Technical Training
  • Dallas Engelken
  • Lead Product Developer
  • Network Management Group, Inc. (NMGI)

2
System Specification
  • DoubleCheck System
  • Linux 2.4 OS
  • Managed via Web Interface
  • Self-updating spam rules, virus definitions, and
    operating system.
  • Standard Appliance Intel-based 1.8GHz, 256MB RAM
  • Average Throughput 1,200 messages/hr.
  • Peak Throughput 2,400 messages/hr.
  • 1U Rack Pentium 4, 2.4 GHz, 512MB RAM
  • Average Throughput 1,800 messages/hr.
  • Peak Throughput 3,600 messages/hr.
  • Increased throughput with custom hardware.

3
Key DoubleChecking Features
  • Spam Filtering
  • SMTP-level RBL checks using built-in or
    custom-defined RBL servers.
  • Bad Sender and Bad Recipient Rules to reject
    connections at the SMTP Level. DNS Lookups on
    Mail From domain.
  • Prevents Unauthorized Relaying by only accepting
    mail for domains listed as Mail Routes or
    Recipient Domains.
  • Over 800 heuristic rules and customizable lists.
    Bayesian Classification, Unique Sender History
    tracking, and Checksum clearinghouse support for
    razor2, pyzor, and DCC.
  • Filtering using Tag and Deliver, Quarantine,
    or Delete on messages that make it past the
    SMTP Level.
  • Global, Per-Domain, and Per-User spam
    preferences.
  • Automated updates pulled via HTTP and FTP.
  • Virus Protection
  • Checks messages for viruses using McAfee
    Antivirus engine.
  • Automatic virus definition updates with
    notification option.
  • Unpacks all mime content using reformime and
    scans each file or part independently.
  • The uvscan engine also unpacks MIME content in
    memory while doing a redundant scan (a double
    check for viruses using two different unpackers).
  • Automated updates are pulled via FTP.

4
SMTP Control Diagram

5
Firewall Configuration / Port Access
  • Required Ports
  • Without the following ports, DoubleCheck will not
    work at all.
  • Inbound and outbound port 25/tcp - mail traffic
    in/out
  • Outbound port 53/udp - DNS resolution and RBL
    lookups
  • Required Ports (for system updates)
  • Keeping the system up to date is a must, as new
    spam methods and new viruses come out weekly.
  • Outbound port 21/tcp - virus updates, spam
    updates
  • Outbound port 80/tcp - spam updates
  • Outbound port 443/tcp - operating system updates
    (RHN)
  • Optional Outbound ports for network tests
  • For increased spam accuracy, the following
    outbound ports are highly recommended.
  • Outbound port 24441/udp - pyzor
  • Outbound port 6277/udp - DCC
  • Outbound port 2703/tcp - razor
  • Outbound port 7/tcp - razor
  • Outbound port 3306/tcp - configuration restore
  • Optional Inbound ports for accessing services
  • If you want to access the system remotely, you
    will need the following ports opened.
  • Inbound port 22/tcp - SSH remote control
  • Inbound port 443/tcp - HTTPS DC Admin
  • Inbound port 80/tcp - HTTP (redirects to 443)

6
Network Configuration
  • Ethernet Interfaces
  • Primary eth0
  • Secondary eth1 (rack only)
  • Multi-Home / Load Balance Multiple ISPs
  • Rack only
  • Requires eth0 and eth1 to be on separate subnets,
    e.g. 192.168.1.1/255.255.255.0 and
    192.168.2.1/255.255.255.0
  • Incoming connections go back out the gateway they
    came in on.
  • New connections go out the gateway with the
    higher preference. When the preference is the
    same on each interface, new connections are load
    balanced.
  • DNS Configuration
  • Built-in caching nameserver. No change to the DNS
    entry 127.0.0.1 is required unless necessary.

7
SMTP Configuration
  • Setting up Mail Routes.
  • Hostname vs. IP SMTP Routing.
  • Internal vs External DNS.
  • A records vs. MX records.
  • SMTP Hostname
  • Should be set to the Fully Qualified Domain Name
    (FQDN).
  • Normally set to the A record used as the MX
    record of your domain.
  • Cannot be set equal to a domain listed in your
    Mail Routes / Recipient Domains.
  • Example: dc.domain.com, NOT domain.com

8
Spam Preferences
  • Identification Threshold
  • The level at which spam should be tagged and
    delivered to the end user for client-side
    filtering.
  • Quarantine Threshold
  • The level at which spam should be quarantined.
    Quarantined mail retains its From and To
    information, as only the envelope is changed to
    reroute the mail to the specified Quarantine
    Address.
  • Delete Threshold
  • The level at which spam should be deleted.
    Deleted mail is non-recoverable, so it is best to
    set a delete threshold that will produce no
    false-positives.
  • Bayesian Classification
  • Bayes tokenizes emails to generate a spam
    probability. Bayes constantly auto-learns new
    information, always adapting to your email.
  • Razor
  • Checksum Clearinghouse. This network test
    requires outbound ports to be opened to work
    properly.
  • Pyzor
  • Checksum Clearinghouse. This network test
    requires outbound ports to be opened to work
    properly.
  • DCC
  • Checksum Clearinghouse. This network test
    requires outbound ports to be opened to work
    properly.

9
Spam Accuracy Comparisons
Without Bayes, Razor, Pyzor, and DCC:

  Threshold   Spam Accuracy (%)   False Positives (%)   Expectancy
  ---------   -----------------   -------------------   ------------
  5.0         94                  0.07                  1 in 1,500
  6.0         91                  0.05                  1 in 2,000
  7.0         87                  0.03                  1 in 5,000
  8.0         84                  0.01                  1 in 10,000
  9.0         80                  0.00                  1 in 25,000
  10.0        76                  0.00                  1 in 50,000
  12.0        68                  0.00                  1 in 100,000
  15.0        58                  0.00                  1 in 250,000

Including Bayes, Razor, Pyzor, and DCC:

  Threshold   Spam Accuracy (%)   False Positives (%)   Expectancy
  ---------   -----------------   -------------------   ------------
  5.0         99                  0.04                  4 in 10,000
  6.0         98                  0.03                  3 in 10,000
  7.0         98                  0.01                  1 in 10,000
  8.0         97                  0.01                  1 in 20,000
  9.0         96                  0.00                  1 in 50,000
  10.0        95                  0.00                  1 in 100,000
  12.0        92                  0.00                  1 in 250,000
  15.0        85                  0.00                  1 in 500,000

10
Virus Settings
  • Virus Notifications
  • Default Settings
  • Silent Viruses
  • Virus Engine and DAT Updates
  • 4320 Engine Coming Soon
  • Automatic Engine Upgrades
  • Executable Content Blocking
  • Block based on base64 signatures.
  • 99% effective at preventing the spread of
    executable worms via email.

11
Virus Notifications
  • Virus Notifications
  • DoubleCheck V3.10 defaults to only send
    notifications to the Admin email address
    specified in Virus Admin Email.
  • Changing Notification recipients is an Advanced
    setting.
  • When notifying senders, you should maintain an
    updated Silent Virus list.
  • Silent Viruses are those that do not generate
    alerts, due to their forging of sender
    information or the sheer number of alerts
    mass-spreading would produce.
  • When notifying recipients, be sure that the system
    handles only inbound mail: if outbound mail passes
    through and the recipient is an external newsgroup
    you subscribe to, every subscriber gets that
    notification.
  • Internal addresses that expand to a distribution
    list produce the same effect.

12
Virus Engine and DAT Updates
  • v.4320 Engine
  • Currently In Release Candidate mode. Expected
    (Q2 2004)
  • 4240/4260 AV Engines are scheduled to go End of
    Support (EOS) in 6 months after release.
  • New virus signature files (DATs) are no longer
    tested with the old engines.
  • Features
  • Scan and clean Microsoft Office 2003 XML files.
  • Enhanced scanning of damaged and non-standard
    ZIP files.
  • Scan files compressed using WinZip's new
    'Deflate' compression format.
  • Scan files compressed using RAR versions up to
    3.20.
  • Internal architectural enhancements required to
    optimize the engine's detection and cleaning
    capabilities.
  • Engine updates will occur automatically for all
    systems with active maintenance contracts.

13
Content Blocking
  • Bad MIME Type checking option (Q2 2004)
  • PMVP - Poor Man's Virus Protection.
  • 99% effective against fast-spreading worms by
    preventing any executable content over SMTP.
  • Not only for blocking executables!
  • Self-Unpacking Zip Files (Executable Zips)
  • MP3 files
  • Anything you want: PowerPoints, Word documents,
    etc.
  • Block content based on MIME signature (the base64
    encoding of the attachment's leading bytes).
  • Most Windows executables (.exe) encode to a common
    base64 signature.
  • Currently there are only two common MIME
    signatures that account for 100% of all
    fast-spreading worms seen in the past year.
  • There are 9 other known signatures found in
    Windows/DOS executables not yet seen in active
    viruses that can be enabled on the fly.
  • Emails matching these criteria are rejected with a
    552 error code. The SMTP connection is dropped and
    logged as an SMTP Deny.
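The signature idea on this slide, as an added example that is not DoubleCheck code: derive the set of base64 prefixes that any attachment beginning with a given magic header must start with, then flag base64 MIME parts on the encoded text alone, without decoding the attachment. The magic bytes, the sample message and its filenames are constructed for this illustration.

```python
import base64
from email.message import EmailMessage

MAGIC = {"windows executable": b"MZ", "zip archive": b"PK\x03\x04"}  # leading bytes to block


def base64_signatures(magic: bytes) -> set:
    """Every base64 prefix an attachment can start with when its raw bytes begin with
    `magic`; the character straddling the end of `magic` depends on the next byte."""
    nchars = (len(magic) * 8 + 5) // 6        # characters carrying any bit of magic
    if len(magic) % 3 == 0:                   # magic fills whole 3-byte groups
        return {base64.b64encode(magic).decode()}
    sigs = set()
    for nxt in range(256):                    # enumerate the byte sharing a character
        tail = bytes([nxt]) + b"\x00\x00"     # pad out the final 3-byte group
        sigs.add(base64.b64encode(magic + tail)[:nchars].decode())
    return sigs


def blocked_parts(msg: EmailMessage) -> list:
    """(filename, kind) for each base64 part whose encoded text starts with a known
    signature; the slide's MTA answers such a message with 552 and drops it."""
    hits = []
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        encoded = part.get_payload(decode=False).lstrip()  # raw base64 text, not decoded
        for kind, magic in MAGIC.items():
            if encoded.startswith(tuple(base64_signatures(magic))):
                hits.append((part.get_filename() or "(unnamed)", kind))
    return hits


def build_sample() -> EmailMessage:
    """Constructed message: text body, an attachment beginning with the DOS/PE 'MZ'
    header (header bytes only, not a program) and a harmless one that must pass."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "user@example.test", "admin@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg


if __name__ == "__main__":
    print(sorted(base64_signatures(b"MZ")))  # ['TVo', 'TVp', 'TVq', 'TVr']
    print(blocked_parts(build_sample()))      # [('invoice.exe', 'windows executable')]
```

Because an attachment is encoded from its first byte, renaming invoice.exe to invoice.txt does not change the prefix; content inside an archive is not seen by this check, which is why the slide pairs it with the unpacking virus scanner.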

14
Immediate Development Roadmap
  • Operating System Changes
  • Evaluating Redhat Enterprise, Debian, or FreeBSD
    (Q3 2004)
  • Other alternatives: porting to Win32 (no ETA)
  • Spam Filtering
  • 2.70 Engine (Q2 2004)
  • SQL-Driven AWL and Bayes (Q2 2004)
  • Per-User Bayes and Auto-Whitelists (Q2 2004)
  • MTA Changes
  • Bad MIME Type checking. (Q2 2004)
  • Bad HELO/EHLO checking. (Q2 2004)
  • SPF (Sender Permitted From) Integration into
    transport agent as the adoption rate increases.
    (Q2 2004)
  • Admin Interface
  • Management Interface for SQL-Driven AWL and
    Bayes. Global and Per-User (Q2 2004)
  • White/Black List From/To common interface. (Q2
    2004)

15
NMGI DoubleCheck Contact Information
  • Steve Harper, President - steveh_at_nmgi.com or
    ext. 111
  • Brian Moore, Support Specialist -
    brianm_at_nmgi.com or ext. 142
  • Soni McClelland, Controller - sonim_at_nmgi.com or
    ext. 110
  • (620) 664-6000 (voice answer)
  • (620) 662-2700 (voice mail/ext.)
  • doublecheck_at_nmgi.com
  • Scott Scrogin, VP - Professional Services -
    scotts_at_nmgi.com or ext. 133
  • Dallas Engelken, Internet Consultant /
    Programmer - dallase_at_nmgi.com or ext. 148
  • Dan Hicks, Service Consultant - danh_at_nmgi.com
    or ext. 143
  • NMGI Reseller Website
  • www.nmgi.com/doublecheck/partners/
  • User Guide, FAQs, literature, more
  • demo.nmgi.com (login: admin / demo)