Functions of an anti-spam gateway

Generally speaking, the most basic function of an anti-spam gateway is to block unwanted email from entering the network and reaching the mail server. This is typically achieved through multi-layered filtering. Some anti-spam gateways use only a single technology to clean spam, but because spammers can easily bypass a single-technology gateway, we do not recommend that approach.

An example of a more professional anti-spam gateway is the TurboGate email gateway. As the software gateway product of the TurboMail email system brand, TurboGate helps corporate and government email systems resist the latest spam, phishing emails, fraudulent emails, spyware emails, virus emails and other types of email threats, and it is the software gateway product with the highest customer satisfaction on the market. In actual project deployments the product's anti-spam efficiency is stable at over 98%, with no misjudgments. The functional modules included are as follows, as shown in the figure.

TurboGate product core functional modules:
1. Anti-spam engine
2. Anti-virus email engine (ClamAV)
3. SMS interface
4. Statistical analysis
5. Advanced relay (international mail)
6. Mail archiving
7. System monitoring
8. Mail intelligent filtering

TurboGate value-added functional modules:
9. Sending and receiving restriction management
10. Email monitoring
11. Multi-level email audit
12. Mailing list
13. System log
14. Mail transfer station
15. System integration (Exchange, Domino, etc.)
16. Integrate the standard API development package with the exchange mail system

Ways to implement anti-spam

TurboGate mail gateway also supports sending authentication (SMTP AUTH), blacklists and system-level spam filtering, providing triple protection for user mailboxes. Users can obtain blacklist files from domestic and foreign anti-spam organizations at any time and import them into the mail system, which turns the mail administrator's role from passive to active. The blacklist function supports fuzzy matching, so it can block a whole domain or only one user in that domain. In addition, the gateway provides a variety of spam filtering functions to prevent accounts from being hijacked to send spam, prevent email attacks, and so on, protecting the mail server in an all-round way.

The first layer: empirical analysis of the network control layer

Servers that send spam generally send large batches of spam to multiple accounts in certain domains at the same time. This sending pattern can be effectively blocked by limiting the network access frequency. TurboGate email gateway provides two settings to deal with this attack, and can automatically add IPs that send spam to the spam IP (SpamIP) list. At the SMTP service layer, SMTP connections that are obviously sending spam are rejected, which greatly reduces the burden on the back-end delivery system and the anti-spam engine.

Through statistical analysis, we found that many SMTP connections that send spam have the following characteristics:
1. The number of simultaneous SMTP connections from the same IP is very large.
2. Within a period of time, the frequency of SMTP connections from the same IP is very high.

Generally, the occurrence of these two situations indicates that the source is very likely sending spam. By setting the following two parameters, you can control this type of SMTP connection and cut off the source of spam: System Settings -> SMTP Service -> Number of accesses allowed by the same IP in one minute.

At the same time, set the parameter System Settings -> SMTP Service -> Enable smart anti-spam IP function, which automatically adds IP addresses that meet the above two conditions to the system's smart anti-spam IP list (SmartSpamIP). When the system encounters connections from these IPs in the future, it refuses them directly. The system's current smart anti-spam IP list can be viewed under System Monitoring -> Intelligent anti-spam IP list.

Note: When the mail system is connected to the Internet through an anti-spam gateway, all SMTP connections to the mail system come from the anti-spam gateway, so anti-spam based on the SMTP service no longer works. In this case you need to set the above two parameters to -1 to avoid SMTP service failure.
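The two connection checks and the smart anti-spam IP list described above can be sketched as follows. This is an added example, not TurboGate code: the class, the `max_concurrent` name and the choice to flag an IP when either condition is met are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

DISABLED = -1  # value the note above prescribes when a gateway fronts the server


class SmtpConnectionGate:
    """Refuse SMTP connections from IPs that connect too often or too many at once."""

    def __init__(self, max_concurrent, max_per_minute, smart_block=True):
        self.max_concurrent = max_concurrent  # hypothetical name, simultaneous limit
        self.max_per_minute = max_per_minute  # accesses allowed per IP in one minute
        self.smart_block = smart_block        # auto-add offenders to the block list
        self.active = defaultdict(int)        # ip -> currently open connections
        self.recent = defaultdict(deque)      # ip -> attempt times in the last 60 s
        self.smart_spam_ips = set()           # stand-in for the SmartSpamIP list

    def open(self, ip, now):
        """Return True to accept a new connection at time `now` (seconds)."""
        if ip in self.smart_spam_ips:
            return False                      # previously flagged: refuse directly
        window = self.recent[ip]
        while window and now - window[0] >= 60:
            window.popleft()                  # drop attempts older than one minute
        window.append(now)
        too_many = (self.max_concurrent != DISABLED
                    and self.active[ip] >= self.max_concurrent)
        too_fast = (self.max_per_minute != DISABLED
                    and len(window) > self.max_per_minute)
        if too_many or too_fast:
            if self.smart_block:
                self.smart_spam_ips.add(ip)
            return False
        self.active[ip] += 1
        return True

    def close(self, ip):
        """Record that one connection from `ip` has ended."""
        if self.active[ip] > 0:
            self.active[ip] -= 1


def replay(gate, events):
    """Feed (seconds, ip, 'open' or 'close') tuples to the gate; return open results."""
    results = []
    for now, ip, kind in events:
        if kind == "open":
            results.append(gate.open(ip, now))
        else:
            gate.close(ip)
    return results
```

With both limits set to -1 every connection is accepted and nothing is ever added to the list, which is the behaviour the note asks for when all traffic arrives from the gateway's own address.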

The second layer: source analysis

Based on the geographical location of the spam sender's IP, the result is checked against APNIC's IP information database to see whether the source is authentic. If it is authentic, the email passes; otherwise it may be a suspicious email. This anti-spam strategy is more effective because the IP source cannot be disguised.

The third layer: blacklist

Through the blacklist, TurboGate email gateway can be set to block any IP or network segment; it can also block any sender or domain. The real-time blacklist (RBL) function mainly uses RBL resources published on the Internet to determine whether an email is spam. An RBL generally provides a way to determine, through a DNS query, whether a certain IP or domain name is a source of spam. In addition, since most foreign RBLs "discriminate" against people from China, we cannot rely completely on RBLs to judge whether an email is spam; we can only judge from the RBL query results whether the email is likely to be spam. You can set the following parameters to customize RBL:

RBL server: specifies the RBL query domain name suffix.
DNS query type: specifies the DNS query record type according to the requirements of the specific RBL.
Matching expression: specifies the matching pattern for RBL query results. The expression uses Perl regular expression format. If it is empty, any RBL result that is found counts as meeting the condition.

The fourth layer: greylist

Greylist technology originates from: greylist

The basic assumption of greylist technology is that viruses and spam are usually sent once, and that if an error is encountered the sender will not retry. Some spam-sending software makes no retry at all after an error returned by the mail server and simply records the sending failure in its log. Mail storms caused by viruses do not recognize the errors returned by the mail server either, because these viruses simply send mail and pay no attention to the server's status while sending.

Greylist is generally designed around a retry principle: the first time it sees an IP trying to send a message to a given recipient, it simply returns a temporary error (4xx) and rejects the request. A normal mail server will resend the email after a period of time (such as half an hour). Greylist then finds that the IP address and recipient are the same as before, concludes that the IP belongs to a legitimate server, and lets the message through. An abnormal sender will either never retry, or retry frantically and be rejected because the interval is too short. Therefore, as long as Greylist is set with a suitable release interval, it provides good immunity to this type of spam to a large extent.

A major feature of Greylist is that it does not lose mail. Regular mail servers treat 4xx errors as temporary, soft errors and try again after a period of time, so the mail can still be delivered successfully.
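The greylist decision described above, replayed over three kinds of sender. This is an added example, not TurboGate code: the class, the 300-second release interval, the expiry of unanswered entries and the sample attempts are all assumptions made for illustration.

```python
class Greylist:
    """Greylist keyed on (client IP, recipient), the pair the text says is compared."""

    def __init__(self, min_retry=300, pending_ttl=4 * 3600):
        self.min_retry = min_retry      # release interval in seconds (assumed value)
        self.pending_ttl = pending_ttl  # forget pairs that never came back (assumed)
        self.first_seen = {}            # (ip, rcpt) -> time of the first attempt
        self.passed = set()             # pairs that already retried correctly

    def check(self, ip, rcpt, now):
        """Return the SMTP reply code for a delivery attempt at `now` (seconds)."""
        key = (ip, rcpt.lower())
        if key in self.passed:
            return 250
        first = self.first_seen.get(key)
        if first is None or now - first > self.pending_ttl:
            self.first_seen[key] = now  # first sighting: temporary error, no loss
            return 451
        if now - first < self.min_retry:
            return 451                  # retried too soon: still deferred
        del self.first_seen[key]
        self.passed.add(key)            # same IP and recipient came back: allow
        return 250


# Constructed attempts: (seconds, client IP, recipient, label).
SAMPLE_ATTEMPTS = [
    (0,    "192.0.2.25",   "alice@example.org", "normal MTA, first try"),
    (5,    "203.0.113.9",  "alice@example.org", "one-shot sender, never retries"),
    (10,   "198.51.100.7", "bob@example.org",   "hammering sender"),
    (12,   "198.51.100.7", "bob@example.org",   "hammering sender"),
    (14,   "198.51.100.7", "bob@example.org",   "hammering sender"),
    (1800, "192.0.2.25",   "alice@example.org", "normal MTA, retry after 30 min"),
    (1900, "192.0.2.25",   "alice@example.org", "normal MTA, later message"),
]


def run(attempts, greylist=None):
    """Replay attempts in order and return (label, reply code) pairs."""
    greylist = greylist or Greylist()
    return [(label, greylist.check(ip, rcpt, now))
            for now, ip, rcpt, label in attempts]
```

The interval is measured from the first attempt, so `min_retry` is also the minimum delay that every first-time legitimate sender incurs.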
One of the major drawbacks of Greylist, however, is the delay it introduces, which can range from a few minutes to a few hours. For customers who are very concerned about the timeliness of email, Greylist may not be a good choice.

The fifth layer: trend analysis

The principle of trend analysis is that all spam has a target. For example, a drug-selling advertising email will give the phone number, email address or website of the seller in its content. Without this information, sending the spam would make no sense. Trend analysis determines whether an email is spam by analyzing the phone numbers, email addresses or website links in the email content and judging, through matching, where they point.

The sixth layer: determining the source of the email

This layer mainly determines the possibility of spam by analyzing the source of the email, such as the sender IP, the sender and the sending domain.

The seventh layer: SpamFilter content filtering

Through keyword analysis of the email content, emails that match the content analysis results can be assigned corresponding spam scores. The judgment conditions of this type of rule are similar to the system's filtering rules, so you can refer to the filtering rule settings when setting the scored content. We also collect customer feedback on the characteristics of spam, organize it into rule content, and regularly notify customers of updates.

The eighth layer: topic analysis engine

The principle of topic analysis is based on the fact that the contents of spam of the same type are mostly similar; this similarity is analyzed to determine whether an email is spam.

For example, spam emails about issuing invoices on behalf of others contain words such as "issuing on behalf of others", "invoice" and "tax" in the content. Through statistical analysis of spam of the same type, the main keywords of that type can be summarized, and keyword matching is then used to confirm whether an email is spam.

The ninth layer: TMSpamCheck engine

TMSpamCheck is an anti-spam technology based on cloud computing. TurboGate email gateway collects spam feedback from end users, analyzes it centrally, and summarizes it into a central spam rule library in real time. When the client server initially detects that an email may be spam, it calculates a feature summary of the email and compares it with the central rule library to determine whether it is spam.
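The RBL check from the third layer, with its three parameters (RBL server suffix, DNS query type, matching expression) and the advice to treat a hit as a likelihood rather than a verdict. This is an added example, not TurboGate code: the function names, weights, zone names and DNS records are constructed, the reversed-octet query name is the usual DNS blacklist convention, and Python's `re` stands in for Perl regular expressions.

```python
import ipaddress
import re


def rbl_query_name(ip, rbl_server):
    """Build the DNS name to query: reversed IPv4 octets plus the RBL suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_server.strip(".")


def rbl_listed(ip, rbl_server, resolve, query_type="A", match_expr=""):
    """Apply one RBL entry. resolve(name, type) returns record strings, [] if none."""
    answers = resolve(rbl_query_name(ip, rbl_server), query_type)
    if not answers:
        return False                # no record: the IP is not listed
    if not match_expr:
        return True                 # empty expression: any result counts
    pattern = re.compile(match_expr)
    return any(pattern.search(answer) for answer in answers)


def rbl_score(ip, rbls, resolve):
    """Sum the weights of matching RBLs: a likelihood input, not a verdict."""
    return sum(weight for server, qtype, expr, weight in rbls
               if rbl_listed(ip, server, resolve, qtype, expr))


# Constructed DNS data standing in for real RBL zones (names are placeholders).
CONSTRUCTED_RECORDS = {
    ("10.2.0.192.rbl.example", "A"): ["127.0.0.2"],
    ("10.2.0.192.policy.example", "A"): ["127.0.0.10"],
    ("10.2.0.192.text.example", "TXT"): ["listed: bulk mail source"],
}


def fake_resolve(name, query_type):
    """Offline resolver over CONSTRUCTED_RECORDS; swap in a real DNS client."""
    return CONSTRUCTED_RECORDS.get((name, query_type), [])


# (RBL server, DNS query type, matching expression, weight); weights are assumed.
SAMPLE_RBLS = [
    ("rbl.example", "A", r"^127\.0\.0\.[2-4]$", 3),
    ("policy.example", "A", r"^127\.0\.0\.[2-4]$", 2),
    ("text.example", "TXT", "", 1),
]
```

The second entry returns a record for the sample IP but its answer does not match the expression, so it contributes nothing to the score; the third has an empty expression and counts on any answer.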