12.07.2015 Views

SurfControl - RiskFilter (pdf, 374k) - West Coast Labs


ANTI-SPAM SOLUTIONS TECHNOLOGY REPORT
FEBRUARY 2006
SurfControl Risk Filter
www.westcoastlabs.org


Contents

Test objectives and scenario
Test network
Test methodology
Product test reporting
Certification
The product
Test report
Test results
West Coast Labs conclusion
Security features buyers guide

West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel: +44 1792 324000, Fax: +44 1792 324001.


Test methodology

WCL has a number of domains available which act as honeypots for spam, receiving genuine, not canned spam. These domains receive varying levels of spam and are intended to mirror different email environments.

Within each domain are designated user accounts with a variety of email practices and needs - some are subscribed to a variety of newsgroups and mailing lists. Some user accounts actively contribute to mailing lists. The domain designated for testing purposes will be that which currently receives spam at a level consistent with the test requirements.

For testing in this Technology Report and for the certification of each of the participating solutions, we used live mail feeds coming in to various extra domains wholly owned and controlled by West Coast Labs. Each domain used contains a number of individual user accounts with established email addresses, along with distribution lists.

To maintain the flow of genuine mail, test engineers used several internal and external accounts, to send emails that simulated real life email transactions common in business: for example requesting meetings, sending notifications to groups and non-business related social emails. Emails were also sent from web-based accounts to simulate external users sending non business-related emails and home workers. Individual user accounts were subscribed to several mailing lists and daily newsletters for grey mail purposes.

For each solution we configured the device or software to fit in with the test network and placed it into a stream of live mail to see how it would cope in an ‘out-of-the-box’ configuration with real-world traffic. However, we do recognize that a large part of spam detection relies on an initially intensive learning process. Hence, we will be placing these devices in the mail feed in coming months for longer periods of time, interactively training them, and updating the performance data included in the online White Papers.


Product test reporting

For each product that we test, we will issue a report which will address the following aspects of the product:

1. Management/Administration
■ Ease of Setup/Installation
■ Ease of Use
■ Logging and reporting function
■ Rule creation
■ Customization
■ Content Categories
■ Technical Support Available
■ Program Help Menu

2. Functionality
■ Email Processing Steps
■ Allow/Blocking of Email
■ Quarantine Area
■ Additional functionality reporting
■ Block Email Addresses
■ Blacklist/Whitelist
■ Allow Email Addresses

3. Performance
■ Volume or % of spam detected
■ False positive rate
■ Spam incorrectly passed through
■ Legitimate mail blocked
■ Legitimate subscription mail blocked


Certification - Checkmark

Upon successful completion of the catch rate testing, participating solutions will be accredited to Checkmark Certifications for Anti-Spam subject to achieving the following catch rates:

Checkmark Anti-Spam Certification PREMIUM – 97% and over Catch Rate. www.check-mark.com

Checkmark Anti-Spam Certification STANDARD – 90% and over Catch Rate. www.check-mark.com


The product

SurfControl RiskFilter - E-mail is compatible with all SMTP-based e-mail systems and offers a scalable, secure messaging solution for organisations of all sizes and vertical markets.

url: http://www.surfcontrol.com/products/email/riskfilter/

SurfControl says about the RiskFilter Business Benefits

SurfControl RiskFilter – E-mail combines the scalability and performance of hardware with the reliability and accuracy of the best filtering software for the industry’s most effective enterprise e-mail security appliance. Quality content recognition, multi-layered blended threat protection, antivirus technologies, and ease of use, combined with extensive reporting and analysis, give you the tools and flexibility to protect organizations from every form of harmful and inappropriate content in both inbound and outbound e-mails. Continuous updates from SurfControl’s Adaptive Threat Intelligence Service provide constant protection against the latest emerging threats.

url: http://www.surfcontrol.com/products/email/riskfilter/


SurfControl says about the RiskFilter Technical Benefits

SurfControl RiskFilter – E-mail delivers lightning-fast performance and maximum uptime thanks to its advanced architecture. With a hardened Linux kernel, a robust Mail Transfer Agent at its core and secure e-mail connection management, RiskFilter allows enterprise-ready scalability and complete e-mail security. Remote Access via a secure Web browser makes it simple to delegate administrative rights and to hand off management elements to designated, appropriate managers, providing ease of administration, anywhere at anytime. Key administration features, such as updates to the ASA and AVA databases, can be automatically scheduled, and once they are set up, you have instant hands free administration.

url: http://www.surfcontrol.com/products/email/riskfilter/


Test report

Introduction

SurfControl’s RiskFilter is a 1U rackmountable device with a rather nice feature - the front fascia is on a hinge and swivel mechanism, so that it can be pulled out, twisted down, and tucked underneath the main body of the unit if necessary without ever having to remove it fully. This gives access to the main power and reset switches, the CD and floppy drives and the removable drives. The rear of the unit houses the PS/2 keyboard and mouse connectors, VGA, and serial cable connectors along with two NICs. Also included were several manuals ranging from a two page Hardware Setup Guide to a rather hefty Administrator Guide.

The arrival of SurfControl’s RiskFilter hardware solution was preceded by a pre-configuration questionnaire which contained a checklist of necessary prerequisites along with sections for the Administrator to fill in with DNS and IP details relevant to the company. After mailing this back, SurfControl partially preconfigured the device for this test, which will be of great help to any administrator under a heavy workload.


Installation and Configuration

The initial configuration of the RiskFilter was simple - the provided Starter Guide gives clear and concise advice, breaking down each step into a separate procedure. The whole process is accomplished by logging in at a console or terminal for initial configuration of the networking and then updating and configuring the application itself using the two secure web interfaces available to set up relays and build mail routing.

Both web interfaces are SSL encrypted and are split to allow administration of the device itself through one port and of the software on the other port. This is a neat implementation that allows devolution of responsibility for the central Spam management without giving access to the configuration of the device itself. Further control may be given to individual end users via a further web interface that deals with End User Spam Management (EUSM), although that functionality was not tested in this case. Although there are two interfaces, overall the set up and configuration of this device was speedy and the Starter Guide is written in such a way that ensures that it was trouble free.


The WebMin Interface

As an overlay service that covers the essential system administration tasks, the Webmin or System Management Console provides an intuitive method of setting the parameters for logging, network interfaces, and clustering on the underlying Linux installation without ever getting near the OS itself – this is perfect for those who feel comfortable using a web interface but not a command line. The subdued greys and blues make this easy on the eye and simple to navigate. All the options are well labelled and easy to locate – this means that tasks can be performed intuitively. The options themselves are split into three major sections – WebMin, System and RiskFilter.

The WebMin option not only allows for searching of the logs by user, by module type or by timeframe, but also for the administrator to add other WebMin servers and to configure WebMin itself. This allows the user to bind the service to a particular IP address and port as well as offering IP access control, the ability to add proxy servers, and to set and limit the logging options according to the needs of the individual organisation.

The System sections offer a lot of system status data including various historical statistics and currently running processes. There is also the ability within this section to perform other tasks such as password changing, start up and shutdown, and network configuration tasks.


Finally for this interface, the RiskFilter section offers the user the choice of Manage Riskfilter Email Services, which allows for a quick stop, start, and restart of the various components without rebooting the entire device, RiskFilter Backup Manager that oversees the scheduling of system backups, the RiskFilter Cluster Wizard for those institutions that have more than one appliance, and finally an Update Manager which allows for the manual upgrade of not only the RiskFilter software but also the installed SurfControl OS.

The Email Console Interface

The RiskFilter - Email Console interface acts to allow alterations to be made to the SurfControl software installed on the device, with alterations to the Spam management system being performed via this route. This interface is stylistically similar to SurfControl's website and has the same colour scheme with shades of blue and touches of red, black, and grey on a mostly white background. This gives a clean uncluttered look to the presentation and this serves the RiskFilter well, as does the Dashboard overview that the user is presented with upon initial login to the device.

The interface is similarly split into three major groups: System Settings, Policy Manager and Reports & Logs with each section having plenty of subsections that are appropriately grouped. It is nice to see that all options are exactly where the user expects them to be, especially when there is such a plethora of choices available. The accompanying Administrator’s Guide provides clear advice for navigating and making changes within the interface that is enhanced by screen grabs. This ensures that the user is not left with any doubts as to the potential changes that any alterations may have.


System Settings has several groups – there are General options at the top which allow the user to view the current status of licenses, enable and configure a secure email proxy, set directories for logs and quarantines, add extra administrator accounts and enable and configure the EUSM functionality.

Further sections in System Settings include Security, Update, Mail Routing and Help. Security includes maintenance of black lists and white lists, relay control, connection control, Directory Attack Control and exception actions to be specified amongst other options. The Update section allows for the latest antivirus and anti-spam definitions to be downloaded and also for scheduling to be enabled for each of these updates.

Mail Routing allows control over how mail is delivered to internal servers and allows the user to limit the number of messages coming in per hour, as well as specifying a retry time for undeliverable messages. Finally, the Help section offers links to contact SurfControl Support via the interface and the ability to download a PDF version of the Administrator’s Guide.

The Policy Manager section is where an administrator is likely to spend most of their time creating new policies or altering existing ones. These policies can be set so that they may be altered by individual users using the EUSM facility, or built to be read only. Policies may be set on incoming or outgoing mail and for groups of users defined by their email addresses.

Using the rules built in this section, the RiskFilter device quarantines all Spam messages by default, stopping users from seeing the messages in their inboxes. It is, however, also possible to apply other actions to incoming messages – these include adding a user defined Subject alteration or X-Header and then delivering the message to an end user regardless of classification. This gives a much increased and appreciated flexibility during the initial stages of implementation within a corporate structure.

The simplicity of this section of the interface belies its capacity to build cohesive and complex rules using General or Advanced Content Filtering, an attachment filter, and a Content Guardian filter. These allow the user to really get down into the fine details of messages and create rules based upon a variety of parameters ranging from subject line and message content to individual IP addresses. SurfControl have provided two basic rules pre built for their Anti-Virus Agent and Anti-Spam Agent on traffic both in and out of the organisation and a Standard Disclaimer rule for outgoing mail.

Finally, the Reports & Logs section of the interface provides a large amount of information that allows the user to either see the data in a graphical format or to get into individual messages to look at the data. There is also a link back to the Dashboard section that is displayed upon initial login, allowing the user that is currently logged in to see an overview of the current state of the device.

This section is quite nicely split in the menu – the reports section includes Policy Reports to show quickly which policies are being violated the most, Virus and Spam Reports, a Connection Report, and System Reports. These are then complemented by the logs which allow the user to display individual messages if necessary. Each log deals with a different category of message, and the categories of Isolated Messages, Virus Messages, Spam Messages, Archived Messages, and Deferred Messages are all descriptive enough so that a user can get an idea of what they will see.

Within each message classified as spam it is possible to reprocess, release, whitelist the sender or report the message as “Not Spam” – this latter option sends a copy of the message to SurfControl to allow them to provide a better service to all their customers.


Results

| Type of Mail | Delivered as Genuine (%) | Delivered as Spam (%) |
|--------------|--------------------------|-----------------------|
| GENUINE      | 100                      | 0                     |
| SPAM         | 10                       | 90                    |

The SurfControl RiskFilter box performed well, delivering 100% of the genuine mail correctly and correctly classifying 90% of the spam mail in a straight out of the box configuration.

It is also worth noting that the RiskFilter device delivers a good proportion of grey and list mail as genuine, thus giving users and administrators within an organisation the flexibility and opportunity to define policies during a training period without missing mail that could be potentially business critical.


West Coast Labs conclusion

Overall, SurfControl Riskfilter provides a good level of protection and an intuitive set of tools to enable the administrators and users to specify what is classified as spam and what is genuine for the needs of their individual business.

The SurfControl RiskFilter device performed consistently well in the tests, and therefore West Coast Labs is pleased to award the SurfControl RiskFilter the Standard level Anti-Spam Checkmark.


Security features buyers guide as stated by SurfControl

SPAM FEATURES

Does the product block spam out of box or does it require addition or tuning of rules? Spam is blocked out of the box with default rules and the latest download of the Anti-Spam Agent.

Is user feedback required over initial stage of deployment? Minimal user input is required during the deployment stage.

FILTERING

Does the product utilise keyword lists? YES - as one of several layers of spam protection. SurfControl RiskFilter comes with 16 pre-built threat dictionaries, each available in 10 languages, many of which are relevant for spam capture such as the Spam, Spam Misspellings, Gambling and Adult dictionaries. All the words in the dictionaries are weighted and these weights add up to trigger a rule. The user can choose to adjust these weights or add words to or delete words from a dictionary. Administrators can also create their own dictionaries.

Does the product utilise Bayesian filtering? SurfControl RiskFilter does not use Bayesian filtering techniques. However, SurfControl’s anti-spam and blended threat protection consists of a defence in depth strategy – providing our customers with multiple layers of protection to ensure the attack message is successfully filtered. Statistical analysis methods are used within SurfControl’s Anti-Spam Agent.

Can white-lists/black-lists be set? YES - white and black lists can be set to reject or allow e-mail from designated addresses or domains. This can be done by the administrator at a global level. In addition, SurfControl’s Personal E-mail Manager (PEM) lets end-users create their own white list and black lists.

Does product support RBL? YES - SurfControl RiskFilter can check an e-mail sender's domain against those held in a selected Real-time Blackhole List and reject it if found in the list.


Does the product support the setting of different confidence levels? Can actions be varied at different confidence levels? YES. Different spam capture techniques have different confidence levels, for instance the spam captured by Digital Fingerprint techniques has a higher confidence level than spam captured by Heuristics techniques. Rules can be set which trigger using different Anti-spam techniques and depending on the rule, different action can be taken. In fact, the default Anti-Spam rules are set up in this manner. In addition, you can specify how sensitive the Heuristics tool is in evaluating e-mails. The higher the sensitivity, the fewer spam-like traits an e-mail needs in order to trigger the rule.

Can actions be varied at different confidence levels? YES - Different actions can be taken according to the different confidence level of the particular rule. For instance if an e-mail triggers the Anti-Spam Agent (ASA) Digital Fingerprint Rule then a different action can be taken than say if it triggers the ASA Heuristics Rule. Typically up to 90% of spam is captured by the Digital Fingerprint Layer and because this uses actual fingerprints of spam rather than probability-based techniques this results in almost zero levels of false positives. As a result, many of our customers automatically discard all spam caught by this rule, significantly reducing the burden on the administrator to manage quarantined spam, whereas administrators may choose to allow end-users to manage spam caught by the ASA Heuristics Rule via the Personal E-mail Manager.

Can subject line of messages be altered? YES - the subject line of messages can be altered.

Can email headers be set/amended? YES. RiskFilter allows you to add a specified X-Header to all messages which triggered a particular rule.
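The layering described in the FILTERING answers (dictionary weights that add up to trigger a rule, and a different action per confidence level) can be modelled as follows. This is an added example, not SurfControl's or West Coast Labs' code: the fingerprint scheme, trait list, sensitivity mapping, thresholds, X-Header name and sample messages are all assumptions constructed for illustration, and only single-part text messages are handled.

```python
import hashlib
import re
from email import message_from_string

# Constructed data for illustration only; nothing here comes from a vendor database.
FINGERPRINTS = {hashlib.sha256(b"buy cheap pills now").hexdigest()}
DICTIONARY = {"casino": 4, "jackpot": 3, "winner": 2, "free": 1}  # word -> weight
DICTIONARY_THRESHOLD = 6  # summed weight at which the dictionary rule triggers

# Action per rule: the higher the confidence of the layer, the harsher the action.
ACTIONS = {"fingerprint": "discard", "heuristics": "isolate",
           "dictionary": "tag-and-deliver", None: "deliver"}


def fingerprint(body):
    """Hash of the whitespace- and case-normalised body (assumed scheme)."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()


def spam_traits(msg, body):
    """Return the spam-like traits present in a single-part text message."""
    subject = msg.get("Subject", "")
    checks = {
        "all-caps subject": subject.isupper(),
        "repeated exclamation marks": "!!!" in subject + body,
        "missing Message-ID": msg.get("Message-ID") is None,
        "three or more links": len(re.findall(r"https?://", body)) >= 3,
    }
    return [name for name, hit in checks.items() if hit]


def dictionary_score(text):
    """Sum the weights of every dictionary word occurrence in the text."""
    return sum(DICTIONARY.get(w, 0) for w in re.findall(r"[a-z]+", text.lower()))


def evaluate(raw, sensitivity=3):
    """Return (rule, action, message) for one raw RFC 5322 message string.

    sensitivity runs 1..4; higher values need fewer traits (assumed mapping).
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    subject = msg.get("Subject", "")
    rule = None
    if fingerprint(body) in FINGERPRINTS:
        rule = "fingerprint"
    elif len(spam_traits(msg, body)) >= max(1, 5 - sensitivity):
        rule = "heuristics"
    elif dictionary_score(subject + " " + body) >= DICTIONARY_THRESHOLD:
        rule = "dictionary"
        # Low-confidence hit: mark the message and still deliver it.
        del msg["Subject"]
        msg["Subject"] = "[SPAM?] " + subject
        msg["X-Filter-Rule"] = "dictionary"  # hypothetical header name
    return rule, ACTIONS[rule], msg


# Constructed sample messages.
KNOWN_SPAM = "Subject: hi\nMessage-ID: <1@example.test>\n\nBuy   CHEAP pills now\n"
SHOUTY = "Subject: YOU ARE A WINNER!!!\n\nClaim your prize today\n"
GAMBLING = ("Subject: Weekend plans\nMessage-ID: <2@example.test>\n\n"
            "Free casino night, jackpot draw at 9\n")
GENUINE = "Subject: Meeting\nMessage-ID: <3@example.test>\n\nCan we meet at 10?\n"

if __name__ == "__main__":
    for name, raw in [("known spam", KNOWN_SPAM), ("shouty", SHOUTY),
                      ("gambling", GAMBLING), ("genuine", GENUINE)]:
        rule, action, _ = evaluate(raw)
        print(f"{name:10} rule={rule} action={action}")
```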


ADMINISTRATION

Can the product be automatically updated? All subscription elements of the product can be automatically updated (see below). SurfControl notifies all customers of all significant service pack and version updates and it is the administrator's decision whether to apply the upgrade or not.

Can filters be automatically updated? YES - E-mail Filter integrates new intelligence on viruses, spam, phishing, blended threat attacks, spyware, and inappropriate Web sites automatically via scheduled updates. The scheduled update facility updates the Anti-Virus Agent, Anti-Spam Agent and the Internet Threat Database URL Category List.

What are the update methods? You can automatically download updates to the Anti-Spam Agent, Anti-Virus Agent and the Internet Threat Database using the SurfControl RiskFilter scheduled update facility to ensure up-to-date protection against spam, viruses, phishing, blended threat attacks, Spyware, and inappropriate Web sites. Administrators can choose the time and frequency of the updates. In addition, updates can be run immediately if chosen.

Can suspected spam be quarantined? YES. Suspected spam can be quarantined in isolation folders.

If so, what type of quarantine (forward to Q mailbox / saved on device / etc.)? E-mails that are isolated are held in dedicated queue folders on the RiskFilter appliance until they are either discarded, saved or released and sent to their recipient. Remote Access via a secure Web browser means administrators can analyse and take action on isolated e-mails quickly and easily.

Also, automatic queue management can be used to automatically take action on the isolation queue - deleting, releasing or saving e-mails after they have aged a designated length of time for hands free administration. Alternatively, SurfControl RiskFilter’s Personal E-mail Manager enables e-mail users to manage their own suspected spam that has been quarantined.


END USER INTERACTION

Can users see reports individual to them? End-users cannot be given access to see only reports individual to them. However, different administration levels can be assigned, so for example, an administrator or a manager can be given access to just the Reports and Logs section of the RiskFilter Management Console and not the Policy Manager or Isolation Queues.

Can users process messages themselves? YES - Personal E-mail Manager (PEM) gives individual users responsibility for their own spam e-mail, and helps ensure that they receive legitimate e-mail. Through Personal E-mail Manager, RiskFilter regularly notifies end users of the existence of isolated spam and directs them to a secure Web interface that shows their digest of isolated spam messages. End users can then decide whether to release, delete, whitelist or blacklist the e-mail.

Can users review mail marked as spam? YES - Personal E-mail Manager gives individual users responsibility for their own spam e-mail, and helps ensure that they receive legitimate e-mail. Through Personal E-mail Manager, RiskFilter regularly notifies end users of the existence of isolated spam and directs them to a secure Web interface that shows their digest of isolated spam messages. End users can then decide whether to release, delete, whitelist or blacklist the e-mail.

Can users free messages from quarantine? YES - Using the PEM described above.

Can users set their own white lists/black lists? YES - Using the PEM described above.


ADDITIONAL SECURITY FEATURES:

CONNECTION MANAGEMENT PROTECTION
■ Denial of Service Protection
■ Directory Harvest Attack Protection
■ Protected Domain Closed Relay
■ Reverse DNS Lookup for Spoofed E-mail Protection
■ Support for Real-time Blackhole Lists
■ Defined Trusted IPs for protection against spammers
■ Remote User Authentication
■ Blacklists & Whitelists
■ SMTP Greeting Delay

RULES LEVEL PROTECTION
■ HTML parsing
■ Document decomposition
■ Pre-defined and Custom filtering rules
■ Anti-Virus Protection
■ Anti-Spam & Anti-Phishing Protection
■ Anti-Spyware and Anti-Phishing Protection: Internet Threat Database
■ Compliance and Confidentiality Management
■ Offensive Content Management: SurfControl Dictionaries
■ Message Attachment Filter

ADAPTIVE THREAT INTELLIGENCE SERVICE

DYNAMIC THREAT DATABASES:
■ Anti-Spam Agent: Digital Fingerprint, Heuristics and Lexi-Rules Databases
■ Internet Threat Database: URL Category List
■ Anti-Virus Agent
■ Pre-populated and weighted dictionaries: 16 Categories in 10 Languages
■ Automated Updates

GLOBAL THREAT EXPERTS:
■ Team of 60+ Global Threat Experts
■ Located in 20 Countries

url: http://www.surfcontrol.com/products/email/riskfilter/
