Friday Jan 19, 2007

Messaging Server: Security Issues with Anti-Spam and Anti-Virus Deployments

When planning to deploy anti-spam or anti-virus technology with Sun Java System Messaging Server, keep in mind that an incorrect deployment can defeat your security measures. The following figure shows an incorrect deployment of an anti-spam/anti-virus filter solution.

The next figure shows a correct deployment of an anti-spam/virus filter solution.

The Messaging Server MTA performs certain functions well, including:

  • Rejecting messages as early as possible
  • Per-user configuration and policy
  • Email security and routing policy
  • Mail queue management

The anti-spam/virus filter is good at determining if an email is spam or has a virus, but is generally not nearly as good at doing the things expected of a good MTA. Thus, do not depend on an anti-spam/virus filter to do those things. Your deployment is more "correct" when the anti-spam/virus filter is well integrated with the MTA, which is the case with Messaging Server. Messaging Server spam filter plug-in support provides all the potential reasons to reject a message early and applies all reasons at the same time.

A robust MTA, such as Messaging Server's, contains security features (SSL/TLS, traffic partitioning by IP address, early address rejection to reduce denial-of-service attacks, connection throttling by IP address/domain, and so on), which are defeated when an anti-spam/virus filter is deployed in front. Furthermore, anti-spam/virus filters that communicate by using the SMTP protocol often do not follow the robustness requirements of SMTP and thus lose email when they shouldn't. A correct deployment should have the anti-spam/virus filter working in conjunction with a robust MTA.
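To make the point about per-IP controls concrete, here is a small model added for illustration (it is not Messaging Server code). It assumes a simplified MTA that throttles by peer IP and then rejects unknown recipients; the addresses, limit and traffic are constructed. It compares what the MTA can do at the edge with what it can do behind an SMTP proxy filter.

```python
from collections import Counter

# All values below are constructed for illustration.
PROXY_IP = "192.0.2.10"                      # address of the filter in front
VALID_RCPTS = {"alice@example.com", "bob@example.com"}
MAX_CONN_PER_IP = 3                          # throttle limit per window

# (client IP, RCPT TO): one noisy host guessing addresses, two normal senders
TRAFFIC = [("203.0.113.66", f"guess{i}@example.com") for i in range(8)] + [
    ("198.51.100.7", "alice@example.com"),
    ("198.51.100.8", "bob@example.com"),
]

def mta_verdicts(connections, exempt=frozenset()):
    """Apply per-peer-IP throttling, then early recipient rejection.

    `connections` holds (peer IP as seen by the MTA, recipient) pairs.
    """
    seen = Counter()
    verdicts = []
    for peer_ip, rcpt in connections:
        seen[peer_ip] += 1
        if peer_ip not in exempt and seen[peer_ip] > MAX_CONN_PER_IP:
            verdicts.append("421 throttled")
        elif rcpt not in VALID_RCPTS:
            verdicts.append("550 unknown user")
        else:
            verdicts.append("250 accepted")
    return Counter(verdicts)

def mta_at_edge(traffic):
    # The MTA sees each client's real address.
    return mta_verdicts(traffic)

def filter_in_front(traffic, exempt_proxy=False):
    # The proxy opens every downstream connection from its own address,
    # so the MTA's per-IP state collapses onto a single peer.
    relayed = [(PROXY_IP, rcpt) for _, rcpt in traffic]
    exempt = frozenset({PROXY_IP}) if exempt_proxy else frozenset()
    return mta_verdicts(relayed, exempt)

if __name__ == "__main__":
    print("MTA at edge:       ", dict(mta_at_edge(TRAFFIC)))
    print("filter in front:   ", dict(filter_in_front(TRAFFIC)))
    print("proxy IP exempted: ", dict(filter_in_front(TRAFFIC, exempt_proxy=True)))
```

With the filter in front, the throttle either delays legitimate mail along with the noisy host or has to be switched off for the proxy address, and the unknown-user rejections reach the proxy rather than the original client.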

Wednesday Nov 29, 2006

Spam, Spam, Spam, Spam...

Sun Java System Messaging Server: Anti-Spam and Anti-Virus Solutions


Updated 11/30/06
The following table gives an overview of anti-spam and anti-virus solutions that are "integrated" to varying degrees with Sun Java System Messaging Server. There are various types of integration, some tighter than others; see the bottom of this page for a description of these. This is not an exhaustive list of solutions. There are certainly other filtering products that will work with Messaging Server, but they are likely SMTP proxy types of solutions and thus not ideal.

| Vendor/product | Point of integration | Features | Notes |
|---|---|---|---|
| Symantec/Brightmail AntiSpam | Integrated in MTA | Anti-spam, Anti-virus | Our first integrated solution. It allows for per-user/per-domain and other flexible ways of enabling filtering. A farm of Brightmail servers can be used to scale up easily. Brightmail is licensed and sold separately by Symantec, who acquired Brightmail in 2004. See Configuring Brightmail with Sun Java System Messaging Server for more information. |
| Opensource/SpamAssassin | Integrated in MTA | Anti-spam | Different actions can be taken on the message based on scores returned by SpamAssassin. It is freeware, so the installation and maintenance of it is the customer's responsibility. SpamAssassin can be more resource-intensive than commercial products. |
| Opensource/ClamAV | Integrated in MTA | Anti-virus | See this document for details: http://sunsolve.sun.com/search/document.do?assetkey=1-9-79481-1. Note: From the comments section: "Integration with ClamAV is easier and more efficient with a ClamAV library available as patch or in MS 6.3." See this Sun Forum entry for more information. |
| Symantec/Symantec Anti-virus Scan Engine (SAVSE) | Integrated in MTA | Anti-virus | Requires the customer to purchase SAVSE from Symantec separately. It has all the same integration benefits as Brightmail, except it filters for viruses only. SAVSE can be configured to do some anti-spam, or to reject messages based on subject/sender/attachment name/size and so on, but it is not a general anti-spam filter. |
| Sophos (Activestate)/PureMessage | MTA SDK channel | Anti-spam, Anti-virus, Policy Enforcement | Sophos writes a channel using our SDK to implement this solution. In the upcoming Sun Java System Messaging Server 6.3 release, the milter interface can also be used to integrate Sophos. |
| Trend Micro/InterScan Messaging Security Suite | SMTP Proxy | Anti-spam, Anti-virus, Policy Enforcement | Multiple scan and policy servers controlled from a central administrator GUI; also has delegated administration for end users. |
| Proofpoint/Messaging Security Gateway | SMTP Proxy or via milter | Anti-spam, Anti-virus, Policy Enforcement, Regulatory Compliance | Available as an appliance. Prior to the upcoming Messaging Server 6.3 release, it does not integrate directly into our MTA but can be used alongside or in front of our MTA like any SMTP proxy. In the upcoming Messaging Server release (6.3), it can be integrated via the milter interface. |
| MessageGate | MTA SDK channel | Anti-spam, Anti-virus, Policy Enforcement, Regulatory Compliance | Centralized management via browser; "intelligent archiving", meaning they can set headers or mark the message so the archiving software from elsewhere can catalog the messages accordingly. |
| Process Software/PreciseMail Anti-Spam Gateway, PreciseMail Filtering Service | MTA SDK channel | Anti-spam, Anti-virus, Policy Enforcement | Works with the PMDF software as well as Messaging Server. |
| Cloudmark | Integrated in MTA (work done by Cloudmark) | Anti-spam, Anti-virus, Anti-phishing | Targets large SPs; uses a combination of fingerprinting and real-time reporting. |
| Borderware MXtreme | SMTP proxy | Appliance, Anti-spam (SpamAssassin), Anti-virus, Anti-phishing | Appliance solution |

Notes

There are several ways of "integrating" with Messaging Server.

  • Integrated in the MTA: Either the vendor or Sun has done work to bake the solution into our MTA. These solutions typically have the best performance, although there are many variables here.
  • MTA SDK Channel: The vendor has written a channel program based on the published MTA channel SDK. Mail is passed through this channel for filtering. Although a good solution, this approach does have more overhead than being directly integrated into the MTA.
  • Milter: Milter is a de facto standard for writing filtering applications for sendmail. With the upcoming Messaging Server 6.3 release, our messaging server supports this interface. Thus any milter-compliant solution will work with our messaging server.
  • SMTP Proxy: The least-common-denominator approach, which isn't really integration at all. An SMTP proxy sits in front of our MTA and filters mail before handing the mail to our system. This is not a preferred solution, as we would rather have our MTA, with all of its flexibility and capabilities, handling all of the mail. However, since this approach is based on the SMTP standard, any compliant proxy-based solution will work. This includes appliances such as those sold by IronPort, Borderware, Sendio, and others.