
Deep Six Technologies SAS DS200 Users Guide

Revision Date: 6 July 2007
Version: 0.3

Contents

DS200 Administration Menu and Features ... 4
[1] Configure IP Address ... 5
[2] Configure DNS: DNS Server Configuration Menu ... 6
[3] Configure Gateways ... 7
[4] Configure Mail Servers ... 8
[5] Configure Management Port ... 9
[6] Configure Management Users ... 10
[7] Configure Http Log Servers ... 11
[8] Configure Lists ... 12
    [W] Configure White List ... 13
    [B] Configure Black List ... 14
[9] System Management ... 15
    [D] Set Date/Time ... 15
    [G] Set Custom Reject Message ... 15
    [A] Set Maximum Accept Score ... 15
    [S] Set Missing Reverse DNS Score ... 16
    [Y] Set Session Delay Parameter ... 16
    [A] Set Maximum Log Size ... 16
    [O] Configure Syslog Servers ... 16
    [Z] Power off device ... 16
    [B] Reboot Device ... 16
    [R] Restart Filter Process ... 16
    [F] Flush Log Buffer to Disk ... 16
    [E] Emergency Lock-Down ... 16
    [M] Main Menu ... 16
[W] Watch Activity ... 17
[S] Statistics ... 18
Updating the DS200 ... 19
DS200 Scoring Process ... 20
False Positives ... 20
How to White List and Black List ... 22
Quarantines and Email Withdrawal Syndrome ... 25

DS200 Users guide Copyright 2007 by Deep Six Technologies SAS All Rights Reserved Page 2 of 26



DS200 Administration Menu and Features

[I] Configure IP Address
[D] Configure DNS
[G] Configure Gateways
[M] Configure Mail Servers
[P] Configure Management Port
[U] Configure Management Users
[H] Configure Http Log Servers
[L] Configure Lists
[T] Configure Toolkit Sockets
[E] Configure E-mail Web Gate
[Y] System Management
[W] Watch Activity
[S] Statistics
[L] Logout


[1] Configure IP Address

[L] List Configured IP Addresses
Select this option to see the IP addresses configured by the admin in step 2 ([A]) of this menu.

[A] Add IP Address
Allocate an IP address for the DS200. This is the address the DS200 uses when communicating with your network.

[D] Delete IP Address
Allows the deletion of a configured IP address.

[M] Main Menu
Return to the Main Menu.


[2] Configure DNS: DNS Server Configuration Menu

[L] List Configured DNS Servers
Select this option to see the DNS servers configured by the admin in step 2 ([A]) of this menu.

[A] Add DNS Server
Allocate the address of the DNS server on your network that the DS200 should use.

[D] Delete DNS Server
Allows the deletion of a configured DNS server address.

[M] Main Menu
Return to the Main Menu.


[3] Configure Gateways

[L] List Configured Gateways
Select this option to see the gateway addresses configured by the admin in step 2 ([A]) of this menu.

[A] Add Gateway Address
Allocate a gateway address for the DS200.

[D] Delete Gateway Address
Allows the deletion of a configured gateway address.

[M] Main Menu
Return to the Main Menu.


[4] Configure Mail Servers

[L] List Configured Mail Servers
Select this option to see the mail servers configured by the admin in step 2 ([A]) of this menu.

[A] Add Mail Server
Allocate the mail server address for the DS200. You will be prompted for a common name, a listening address and port, a forwarding address and port, and a log directory. The common name is the name by which you want to refer to the mail server. The listening address is the address on which mail coming through your firewall is received. The forwarding address is the internal address you have already assigned to the DS200. For example:

Name: Yourhost
Listening Address: 65.204.159.38:25
Forwarding Address: 65.204.159.38:26
Log Directory: /deep6/

[D] Delete Mail Server
Allows the deletion of a configured mail server address.

[M] Main Menu
Return to the Main Menu.


[5] Configure Management Port

[L] List Configured Management Ports
Select this option to see the management port addresses configured by the admin in step 2 ([A]) of this menu.

[A] Add Management Port
Allocate a management port for the purpose of securely logging in remotely. We recommend a management port of 8484.

[D] Delete Management Port
Allows the deletion of a configured management port.

[M] Main Menu
Return to the Main Menu.


[6] Configure Management Users

[L] List Management Users
Select this option to see the management users configured by the admin in step 2 ([A]) of this menu.

[A] Add Management User
Assign user IDs and passwords for management users. This option allows remote users to connect to the admin menu and communicate over the console. It is recommended that you set up a new user and password before deleting the default user and password.

[D] Delete Management User
Allows the deletion of a configured management user for the DS200 console.

[M] Main Menu
Return to the Main Menu.


[7] Configure Http Log Servers

[L] List HTTP Log Server Ports
Select this option to see the log server address and port configured by the admin in step 2 ([A]) of this menu.

[A] Add HTTP Log Server Port (Address)
Allocate the HTTP log server address and port.

[D] Delete HTTP Log Server Port
Allows the deletion of a configured HTTP log server address and port.

[M] Main Menu
Return to the Main Menu.


[8] Configure Lists

The Lists feature allows advanced access to the White List and Black List process that the DS200 uses to accept or reject incoming connections. It is important to get a firm understanding of the list process before manually whitelisting the IP addresses of legitimate senders that were rejected (false positives), or specifically blacklisting spam sources that the DS200 process did not catch.

[W] Configure White List
[B] Configure Black List
[S] Statistics
[M] Main Menu


[W] Configure White List

The White List feature is used to manually mark as legitimate a connecting IP address that is, or has the potential to be, blocked by the filter process. Through the custom rejection message, a legitimate email sender that is rejected by the filter can receive instructions on how to have their IP address white listed so that their mail passes the spam filter.

[L] List White List Table
[A] Add White List Record
[D] Delete White List Record
[F] Find White List Record
[E] Edit White List CIDR Value
[C] Show Netmask to CIDR Table
[B] Back to Lists Menu
[M] Main Menu


[B] Configure Black List

The Black List feature is the opposite of white listing: it blocks a given mail-sending IP address from passing through the filter. This feature is most useful when specific spam messages consistently get through the filter and you would like the DS200 to block future occurrences.

[L] List Black List Table
[A] Add Black List Record
[D] Delete Black List Record
[F] Find Black List Record
[E] Edit Black List CIDR Value
[C] Show Netmask to CIDR Table
[B] Back to Lists Menu
[M] Main Menu


[9] System Management

[D] Set Date/Time
Configure the date and time for the system. It is recommended that you configure this setting correctly before full activation, for proper logging and data accumulation, as the default time will not be accurate.

[G] Set Custom Reject Message
There is no default reject message. Select this option to designate a custom reject message containing a phone number, web address or other means of contacting you. It is shown to a legitimate email sender who has attempted to contact you and has had their email rejected by the DS200.

[A] Set Maximum Accept Score
A score is a number that affects the aggressiveness of the DS200's spam filtering and can be adjusted to fit the needs of your business. The preconfigured score is set at 10, but it can be lowered or raised depending on your business's individual situation. The DS200 utilizes a variety of online sources that contribute a score for their acceptance or rejection of the incoming message. That score then determines whether the incoming connection is spam or legitimate email. If the connection comes back with a higher score than what is configured here, a standard or custom rejection message is returned to the sender, instructing them on the procedure to become white listed on your server.

[S] Set Missing Reverse DNS Score
The missing reverse DNS score is the score assigned to a connection whose DNS information does not match its origin. The DS200 runs a background trace on the incoming connection and matches the result against the information provided in the connection. If the reverse DNS trace fails to match the DNS information on the connection, the message is likely to be rejected as spam. Spam vendors often send falsified information through a connection to hide their tracks; however, it is possible that a legitimate email could be seen as spam if the sender's server is not properly configured. The preconfigured standard score on reverse DNS is 10, but it can be adjusted here to fit your business's needs.

[Y] Set Session Delay Parameter

[A] Set Maximum Log Size

[O] Configure Syslog Servers

[Z] Power off device
Safely power down the device to be rebooted or unplugged.

[B] Reboot Device
The device will restart after selecting this option. Caution: once this option is selected the system will immediately reboot, mail protection will be disabled for 20-30 seconds, and at the completion of the reboot you will be asked to enter your management user ID and password. If you have recently added new settings and the changes are not properly taking effect, you may want to try this option as a way of starting the system fresh with the new settings in place.

[R] Restart Filter Process
This option restarts the filter process and returns the user to the login screen. You must use this option or reboot the device to restart filtering after activating the emergency lock-down feature.

[F] Flush Log Buffer to Disk

[E] Emergency Lock-Down
This feature is a safety precaution that will immediately lock down the server from accepting any new email connections. This feature is important for the unforeseen needs of the customer. One potential use is when a virus is running rampant through a business and the system needs to be locked down to prevent further spreading of the virus. Another is when a need arises after normal business hours and an IT manager needs to lock down the system from home pending the installation of new Microsoft security updates. While a number of reasons exist for having this option, it is specifically for the needs that we cannot predict ahead of time that this feature is incorporated into the product.

[M] Main Menu
Return to the Main Menu.


[W] Watch Activity

The Watch Activity feature is one of the most exciting that the DS200 has to offer. Watch Activity shows a live feed of the system's scoring, reverse DNS tracing, and rejection or acceptance of incoming connections as they arrive. The feature allows you to see first hand the actions of the DS200 and the relief it is providing your business's email as it rejects a multitude of spam messages. As you watch the activity it will show:

1. Incoming connection
2. Accept/reject from online scoring sources
3. Score associated with the connection
4. Whether the server was blocked or the connection was accepted


[S] Statistics

The statistics feature allows for the accumulation of data in a number of key interest areas.

[S] Protected Host Status
[N] Network Statistics
[E] Memory Statistics
[C] CPU Statistics
[P] Process Statistics
[A] All Device Statistics
[F] Filter Statistics (not the anti-spam accuracy rate)
[V] Volume Statistics
[R] View Fatal Error Log
[W] Watch Activity

[M] Main Menu
Return to the Main Menu.


Updating the DS200

The DS200 has the capability of updating itself by connecting to Deep Six Technologies, downloading an update and installing it immediately. This process is initiated by the customer by typing UPDATENOW into the console menu, and only takes a few minutes. After the update is downloaded and installed, the box will reboot and you will need to log in again. During an update you do not lose any functionality of the box or the mail processes; instead, mail is held pending for the short time it takes to download and install the update. Deep Six will inform their customers by email when updates are available, and it is the customer's prerogative to install them. If a critical update is necessary, Deep Six will instruct customers to install it and explain why it is critical to update.

Messaging Capabilities on the DS200 Console

You are able to message on the DS200 Console. You may wish to do this if multiple individuals are utilizing the box through remote access


DS200 Scoring Process

Scoring

The scoring process is a critical component of the success of the DS200's spam rejection technology. The DS200, through a variety of methods and observations, calculates a score for each individual mail connection transmitted to your server. You control the maximum score ceiling for connections that are allowed to move through the DS200 and into your mail server. The DS200 has a default score setting of 20, a conservative threshold. In combination with explicit whitelisting, this score can be lowered to more aggressive levels while keeping false positives at a minimum.

Deep Six's method of scoring is based on evaluating sending servers for various markers of legitimacy and indicators of negative behavior. These factors are combined in a patent-pending algorithm. After the DS200 inspects the connection and calculates a score, the message will be rejected if the score is at or above the maximum accept score. Otherwise, the DS200 will accept the connection and pass it through to the receiving email server.

If a legitimate connection is rejected, the sending server will place a rejection notice in the sender's inbox. This rejection notice will contain the custom reject message configured by the DS200's administrator. The custom reject message can inform the sender why the email was rejected and what action is needed. The administrator of the DS200 can alter the custom reject message and the maximum accept score in the configuration menu (Main Menu, option [Y] System Management).

False Positives

The most important consideration for many customers is the balance between eliminating spam and preventing false positives. False positives are legitimate emails sent to your domain that are rejected as spam. While no anti-spam solution can truly claim zero false positives, Deep Six's approach to spam rejection minimizes the number of false positive occurrences. Further, Deep Six's unique approach immediately notifies the sender of the rejection. The DS200 differs from other solutions that file spam away into the abyss of a quarantine folder, where messages may stay for days without the knowledge of either sender or recipient. The DS200's system of rejecting spam connections relieves and protects your servers from the massive barrage of spam proliferating in today's Internet environment. While the DS200 is not an anti-virus solution, it can significantly reduce inbound email-borne viruses. Real-world testing indicates that sources of spam are often sources of virus attachments, and the DS200 rejects many of those sources.



How to White List and Black List


The DS200 provides you the ability to accept or deny specific email sources. Whitelisting bypasses the normal score investigation and automatically accepts any IP address specified in the white list. This is typically used to allow a legitimate sender that has previously been rejected, in other words to correct a false positive. Blacklisting is the opposite: it automatically blocks a specific IP address. If you encounter a spam sender that is not detected by the DS200, you may wish to blacklist the source, automatically denying email from that sending server.

The following are instructions for whitelisting and blacklisting specific IP addresses and ranges of IP addresses.

Whitelist an IP Address or IP Address Range

1) At the main menu of the DS200, select Lists by typing L and pressing enter.
2) Select Configure White List by typing W and pressing enter.
3) Select Add White List Record by typing A and pressing enter.
4) Enter the IP address to white list, as received from the rejected sender.
5) Enter the CIDR value for the IP address. This value, valid from 1 to 32, determines the range of IP addresses that you are white listing. A CIDR value of 32 white lists only the specific IP address as typed, whereas a CIDR value of 24 white lists the 256 addresses around the IP address you entered. For example, whitelisting 123.123.123.123 with a CIDR value of 24 whitelists all IP addresses in the range 123.123.123.xxx. You can see a table illustrating each CIDR value by entering C at the White List Configuration menu. Be careful not to go too low on the CIDR value when white listing, because a spam sender may have an address similar to the one you are white listing. If in doubt about an appropriate CIDR value for whitelisting, a reasonable value is 28.
6) You have now successfully whitelisted an individual IP address. The formerly rejected sender should now be able to get through consistently.

In the unlikely case that the problem recurs intermittently, this is because the sender uses an ISP with a large number of outgoing email servers that occupy a large, contiguous block of IP addresses. In this case, edit the CIDR value for that IP address to a lower value, such as 26 or even 24.

Blacklist an IP Address or IP Address Range

1) At the main menu of the DS200, select Lists by typing L and pressing enter.


2) Select Configure Black List by typing B and pressing enter.
3) Select Add Black List Record by typing A and pressing enter.
4) Enter the IP address to black list, as received from the rejected sender.
5) Enter the CIDR value for the IP address. This value, valid from 1 to 32, determines the range of IP addresses that you are black listing. A CIDR value of 32 black lists only the specific IP address as typed, whereas a CIDR value of 24 black lists the 256 addresses around the IP address you entered. For example, blacklisting 123.123.123.123 with a CIDR value of 24 blacklists all IP addresses in the range 123.123.123.xxx. You can see a table illustrating each CIDR value by entering C at the Black List Configuration menu. If in doubt about an appropriate CIDR value for blacklisting, a reasonable value is 30. A more aggressive value is 24, which blocks a larger range of IP addresses and may carry the risk of false positives. However, any false positives can be eliminated by increasing the CIDR value, or by explicitly whitelisting a rejected legitimate sender as described above in the whitelisting instructions. The white list always takes precedence over the black list: if an IP address is in both lists, the white list decides.
6) You have now successfully black listed an IP address. Email from this source will now be rejected irrespective of the DS200's anti-spam scoring. If the black listed spam continues, check the IP address again to determine whether your CIDR value needs to be lowered.

How to Identify the Right IP Address to Whitelist or Blacklist

You can find an IP address through Microsoft Outlook by right-clicking the email and choosing Options. The IP address will be at the top of the headers and will appear similar to this example:

Received: from sampleip [11.111.11.111] by mail.sample.com

This method is most efficient for blacklisting individual spam.
You can use this method for whitelisting as well, for instance if a newsletter or similar item no longer reaches a recipient at your business. To whitelist a newsletter, simply look at the headers of the last newsletter received. To whitelist a rejected sender, you will need the sender's IP address that was rejected. You can find it in the rejection message, which is returned to the email sender and contains the IP address. Here is a sample rejection note:

550-Rejected 111.222.333.44 - blocked by anti-spam policies - Your message was rejected as spam. <custom reject message>.
550-Blocked by local Black List
550 Rejected 111.222.333.44 - blocked by anti-spam

Conservative and Aggressive Strategy

The default setting allows for a maximum accept score of 20. The maximum accept score is left at a conservative setting to minimize initial false positives. Over time, we recommend decreasing this score to 15 in combination with whitelisting the few false positives that you may see at this level. If you have a particularly high percentage of spam (90% or more), you may prefer to lower the maximum accept score to 10, again in combination with whitelisting of false positives. This should enable you to arrive at a steady state of very accurate spam rejection, with minimal false positives.

In general, the higher the maximum accept score, the more spam may pass through the DS200 to your email server, but with a lower likelihood of false positives. This approach is helpful in the initial stage of implementation, but the IT administrator in charge of the DS200 will need to determine what approach to take from that point forward.

A conservative approach allows the email users at the protected business to slowly ease into the new anti-spam solution. It lessens the immediate burden of false positives, and may be needed in an office environment that is highly sensitive to that temporary inconvenience, even at the extremely low false positive rates of the DS200. This approach takes a longer span of time to lower the score, with the possibility of more spam in the near term but less possibility of false positives from the start. Again, this can be important for a good reception of the new anti-spam solution.

A good example of a sensitive organization comes from a Deep Six customer who initially set the maximum accept score to an aggressive value. This customer experienced 12 false positives in the first week, out of over 190,000 email connections. Approximately 90% of these connections were from spam sources. The DS200 rejected about 170,000 spam messages, for a false positive rate of 0.007% (12 divided by 170,000). This rate is far superior to other anti-spam products. However, this organization was very sensitive to false positives. Therefore the DS200 administrator rapidly whitelisted the 12 rejected IP addresses and raised the maximum accept score to a more conservative value. Over time, as only a few more false positives were encountered and whitelisted, the maximum accept score was again reduced to the former aggressive value.

The most aggressive approach is to set a low maximum accept score of 15, or even 10. This typically forces the bulk of false positives to occur within the first two weeks after installation of the DS200, enabling the rejected IP addresses to be whitelisted quickly. This allows the administrator to reach a steady state of excellent anti-spam accuracy and minimal false positives, with little ongoing administration effort. However, the organization must be properly prepared for this strategy.

With either the conservative or the aggressive strategy, it's best to notify users in advance that a new anti-spam solution will be implemented, and to let them know what they should do if contacted by a rejected legitimate sender. A simple, efficient approach is to designate a fax number to which rejected legitimate senders can fax their rejection notices. The DS200 administrator can then read the rejected IP address from each notice and whitelist it. This fax number can also be included in the custom reject message that legitimate senders will see in their inbox after being rejected.

Either way you approach this, the long-term goal is the same: to eliminate spam as a problem for your company, with the least amount of inconvenience to your employees and anyone contacting your company. With the current explosive state of spam and the creative methods spammers are using, finding a solution is becoming more and more critical. The DS200 is created to ease this burden and give the IT department powerful tools to keep spam from interfering in your business environment.
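The list precedence, CIDR ranges and maximum accept score described in the sections above, worked through in Python as an added example (not Deep Six's code or the DS200's implementation). It assumes what the guide states: white list records win over black list records, each record is an IP plus a CIDR value from 1 to 32, and a connection is rejected when its score is at or above the maximum accept score; how the missing reverse DNS score combines with the online-source score is not stated, so the example simply adds it when the reverse DNS trace fails, and every IP address in it is constructed.

```python
"""Model of the DS200 accept/reject decision described in this guide.

Constructed example, not Deep Six code. Assumptions: white list records take
precedence over black list records, each record is an address plus a CIDR
value (1..32), and a connection is rejected when its score is at or above the
maximum accept score. The guide does not say how the missing reverse DNS score
combines with the online-source score; here it is simply added on a failed
trace.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Matches a dotted quad inside a Received header or a 550 rejection line.
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class ListEntry:
    """One white or black list record: the address entered plus its CIDR value."""
    ip: str
    cidr: int

    def network(self) -> ipaddress.IPv4Network:
        if not 1 <= self.cidr <= 32:
            raise ValueError("CIDR value must be between 1 and 32")
        # strict=False: 123.123.123.123 with CIDR 24 means the whole
        # 123.123.123.0/24 block "around" the entered address, as the guide says.
        return ipaddress.ip_network(f"{self.ip}/{self.cidr}", strict=False)

    def covers(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.network()


def netmask_for_cidr(cidr: int) -> str:
    """One row of the 'Show Netmask to CIDR Table' option ([C])."""
    return str(ipaddress.ip_network(f"0.0.0.0/{cidr}").netmask)


@dataclass
class Policy:
    max_accept_score: int = 20        # the guide's conservative default
    missing_rdns_score: int = 10      # [S] Set Missing Reverse DNS Score default
    white_list: list = field(default_factory=list)
    black_list: list = field(default_factory=list)


def decide(policy: Policy, addr: str, source_score: int, rdns_matches: bool):
    """Return (verdict, reason, score) for one connecting address.

    source_score is the combined score from the online sources; rdns_matches
    is the outcome of the reverse DNS trace (assumption: a failed trace adds
    policy.missing_rdns_score). List hits involve no score, hence None.
    """
    if any(entry.covers(addr) for entry in policy.white_list):
        return ("accept", "white list", None)   # bypasses scoring entirely
    if any(entry.covers(addr) for entry in policy.black_list):
        return ("reject", "black list", None)   # rejected regardless of score
    score = source_score + (0 if rdns_matches else policy.missing_rdns_score)
    if score >= policy.max_accept_score:
        return ("reject", "score", score)
    return ("accept", "score", score)


def ip_from_text(text: str):
    """Extract the connecting IP from a Received header or a 550 rejection
    notice so it can be entered as a list record. Returns None when no
    syntactically valid IPv4 address is present."""
    for candidate in IPV4.findall(text):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue          # e.g. an octet above 255
    return None


if __name__ == "__main__":
    # Constructed sample: a sender whitelisted with the guide's suggested /28,
    # inside a /24 that was blacklisted; the white list must win.
    policy = Policy(
        white_list=[ListEntry("198.51.100.7", 28)],
        black_list=[ListEntry("198.51.100.0", 24)],
    )
    notice = "550-Rejected 198.51.100.9 - blocked by anti-spam policies"
    sender = ip_from_text(notice)
    print(sender, decide(policy, sender, 50, True))      # accept via white list
    print(decide(policy, "198.51.100.200", 0, True))     # reject via black list
    print(decide(Policy(), "203.0.113.5", 12, False))    # 12 + 10 = 22 >= 20: reject
    for cidr in (32, 30, 28, 24):
        entry = ListEntry("123.123.123.123", cidr)
        print(cidr, netmask_for_cidr(cidr), entry.network().num_addresses)
```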



Quarantines and Email Withdrawal Syndrome


If used to an anti-spam solution with quarantine folders, some users may find it surprising that they cannot look at rejected messages. There are two kinds of rejected messages:

1) Spam. In this case, looking at spam in a quarantine folder provides no value, and in fact steals time and productivity. There is no benefit to placing true spam in a quarantine folder. The DS200's method of rejecting connections from sources of spam prevents spam from consuming bandwidth, storage, and scalability in your email network.

2) Legitimate email. Although the DS200 typically yields a very low false positive rate, some do occur. It's how the DS200 handles a false positive that matters. Other anti-spam solutions put false positives in a quarantine folder along with true spam. Neither the sender nor the intended recipient knows that a specific, legitimate email message is in the quarantine folder until the intended recipient checks it. Most users do not check this folder every day. When they do, they face a difficult task finding legitimate messages among a large amount of spam. In contrast, because the DS200 rejects at the SMTP connection level, a legitimate rejected sender is notified of the rejection by their email server right away. Further, if the DS200 administrator has configured a custom reject message, the rejected sender knows exactly what action to take in order to be whitelisted. From then on, the sender will no longer be rejected. Because of this simple, fast process, there is no need for a quarantine folder.

Despite this logic, many users are used to quarantine folders, and may need to be assured that email is not being lost. Further, those with poor anti-spam solutions (or none at all) are also used to receiving a large amount of spam, and have become accustomed to messages arriving in their inbox every few minutes. When the DS200 is properly configured, it rejects a very high percentage of spam, thereby dramatically reducing the frequency of email messages arriving in users' inboxes. Some users may see this reduction in traffic and be concerned that email is not working well. They may even report that email is being lost. Without concrete reports from rejected senders, this is not likely to be the case. If it turns out to be true, the DS200 administrator can simply whitelist the appropriate IP address and eliminate the problem.
