DS200 User's Guide


  • 7/29/2019 DS200 User s Guide

    1/26

    Deep Six Technologies SAS
    DS200 User's Guide

    Revision Date: 6 July 2007
    Version: 0.3


    DS200 User's Guide. Copyright 2007 by Deep Six Technologies SAS. All Rights Reserved.

    Contents

    DS200 Administration Menu and Features
    [1] Configure IP Address
    [2] Configure DNS: DNS Server Configuration Menu
    [3] Configure Gateways
    [4] Configure Mail Servers
    [5] Configure Management Port
    [6] Configure Management Users
    [7] Configure Http Log Servers
    [8] Configure Lists
        [W] Configure White List
        [B] Configure Black List
    [9] System Management
        [D] Set Date/Time
        [G] Set Custom Reject Message
        [A] Set Maximum Accept Score
        [S] Set Missing Reverse DNS Score
        [Y] Set Session Delay Parameter
        [A] Set Maximum Log Size
        [O] Configure Syslog Servers
        [Z] Power off device
        [B] Reboot Device
        [R] Restart Filter Process
        [F] Flush Log Buffer to Disk
        [E] Emergency Lock-Down
        [M] Main Menu
    [W] Watch Activity
    [S] Statistics
    Updating the DS200
    DS200 Scoring Process
    False Positives
    How to White List and Black List
    Quarantines and Email Withdrawal Syndrome


    DS200 Administration Menu and Features

    [ I ] Configure IP Address
    [ D ] Configure DNS
    [ G ] Configure Gateways
    [ M ] Configure Mail Servers
    [ P ] Configure Management Port
    [ U ] Configure Management Users
    [ H ] Configure Http Log Servers
    [ L ] Configure Lists
    [ T ] Configure Toolkit Sockets
    [ E ] Configure E-mail Web Gate
    [ Y ] System Management
    [ W ] Watch Activity
    [ S ] Statistics
    [ L ] Logout

    Admin Menu


    [1] Configure IP Address

    [L] List Configured IP Addresses
    Select this option to see the configured IP addresses as configured by the admin in step 2 of this menu.

    [A] Add IP Address
    Allocate an IP address for the DS200. This is the IP address that you want the DS200 to be associated with in communication with your network.

    [D] Delete IP Address
    Allows the deletion of a configured IP address.

    [M] Main Menu
    Return to the Main Menu.


    [2] Configure DNS: DNS Server Configuration Menu

    [L] List Configured DNS Servers
    Select this option to see the configured DNS server that was configured by the admin in step 2 of this menu.

    [A] Add DNS Server
    Allocate the DNS server address for the DS200 that is associated with your network.

    [D] Delete DNS Server
    Allows the deletion of a configured DNS server address.

    [M] Main Menu
    Return to the Main Menu.


    [3] Configure Gateways

    [L] List Configured Gateways
    Select this option to see the configured gateway address as configured by the admin in step 2 of this menu.

    [A] Add Gateway Address
    Allocate a gateway address for the DS200.

    [D] Delete Gateway Address
    Allows the deletion of a configured gateway address.

    [M] Main Menu
    Return to the Main Menu.


    [4] Configure Mail Servers

    [L] List Configured Mail Servers
    Select this option to see the configured mail servers as configured by the admin in step 2 of this menu.

    [A] Add Mail Server
    Allocate the mail server address for the DS200. You will be prompted for a common name, a listening address and port, a forwarding address and port, and a log directory. The common name is the name you want to use to refer to the mail server. The listening address is the assigned address at which mail is received through your firewall. The forwarding address is the internal address you have already assigned to the DS200.

    For example:

    Name        Listening Address    Forwarding Address    Log Directory
    Yourhost    65.204.159.38:25     65.204.159.38:26      /deep6/

    [D] Delete Mail Server
    Allows the deletion of a configured mail server address.

    [M] Main Menu
    Return to the Main Menu.


    [5] Configure Management Port

    [L] List Configured Management Ports
    Select this option to see the configured management port addresses as configured by the admin in step 2 of this menu.

    [A] Add Management Port
    Allocate a management port for the purpose of securely logging in remotely. We recommend a management port of 8484.

    [D] Delete Management Port
    Allows the deletion of a configured IP address.

    [M] Main Menu
    Return to the Main Menu.


    [6] Configure Management Users

    [L] List Management Users
    Select this option to see the management users as configured by the admin in step 2 of this menu.

    [A] Add Management User
    Assign user IDs and passwords for management users. This option allows remote users to connect to the admin menu and communicate over the console. It is recommended that you set up a new user and password before deleting the default user and password.

    [D] Delete Management User
    Allows the deletion of a configured management user for the DS200 console.

    [M] Main Menu
    Return to the Main Menu.


    [7] Configure Http Log Servers

    [L] List HTTP Log Server Ports
    Select this option to see the configured log server address and port as configured by the admin in step 2 of this menu.

    [A] Add HTTP Log Server Port (Address)
    Allocate an HTTP log server address and port.

    [D] Delete HTTP Log Server Port
    Allows the deletion of a configured HTTP log server and port.

    [M] Main Menu
    Return to the Main Menu.


    [8] Configure Lists

    The Lists feature allows advanced access into the White List and Black List process that the DS200 utilizes to accept or reject spam. It is important to get a firm understanding of the list process before manually entering IP addresses, either to white list legitimate email that was rejected (false positives) or to specifically black list spam that was not caught by the DS200 process.

    [W] Configure White List

    [B] Configure Black List

    [S] Statistics

    [M] Main Menu


    [W] Configure White List

    The White List feature is used to manually mark as legitimate a connecting IP address that is, or has the potential to be, blocked by the filter process. Through the custom rejection message, a legitimate email sender that is rejected by the filter can receive instructions on how to have their IP address white listed so that their mail comes through the spam filter.

    [L] List White List Table

    [A] Add White List Record

    [D] Delete White List Record

    [F] Find White List Record

    [E] Edit White List CIDR Value

    [C] Show Netmask to CIDR Table

    [B] Back to Lists Menu

    [M] Main Menu


    [B] Configure Black List

    The Black List feature is the opposite of white listing, and therefore blocks a given mail-sending IP address from passing through the filter. This feature is most efficiently used when specific spam messages get through the filter consistently and a user would like the DS200 to block future occurrences.

    [L] List Black List Table

    [A] Add Black List Record

    [D] Delete Black List Record

    [F] Find Black List Record

    [E] Edit Black List CIDR Value

    [C] Show Netmask to CIDR Table

    [B] Back to Lists Menu

    [M] Main Menu


    [9] System Management

    [D] Set Date/Time
    Configure the date and time for the system. It is recommended that you configure this setting correctly before full activation for proper logging and data accumulation, as the default time will not be accurate.

    [G] Set Custom Reject Message
    There is no default reject message. Select this to designate a custom reject message that gives a phone number, web address or other means of communicating with you when a legitimate email sender attempts to contact you and has had their email rejected by the DS200.

    [A] Set Maximum Accept Score
    A score is a number that affects the aggressiveness of the DS200's spam filtering and can be adjusted to fit the needs of your business. The preconfigured score is set at 10, but could be lessened or heightened depending on your business's individual situation. The DS200 utilizes a variety of online sources that contribute a score for their acceptance or rejection of the incoming message. A score then determines if the incoming connection is a spam email or a legitimate email. If the connection comes back with a higher score than what is configured here, a standard or custom rejection message is returned to the sender instructing them on the procedure to become white listed on their server.

    [S] Set Missing Reverse DNS Score
    A missing reverse DNS score is the number associated with a connection that has false DNS information from its original destination. The DS200 runs a background trace on the incoming connection and matches that to the information provided in the connection. If the reverse DNS trace fails to match the DNS information on the connection, the message is likely to be rejected as spam. Spam vendors often send falsified information through a connection to hide their tracks; however, it is possible that a legitimate email could be seen as spam if the user's server is not properly configured. The preconfigured standard score on reverse DNS is 10, but can be adjusted here to fit your business's needs.

    [Y] Set Session Delay Parameter

    [A] Set Maximum Log Size

    [O] Configure Syslog Servers

    [Z] Power off device
    Safely power down the device to be rebooted or unplugged.

    [B] Reboot Device
    The device will restart after selecting this option. Caution: Once this option is selected, the system will immediately reboot, the mail protection will be disabled for 20-30 seconds, and at the completion of the reboot you will be asked to enter your management user ID and password. If you have recently added new settings and the changes are not properly taking effect, you may want to try this option as a way of starting the system out fresh with the new settings in place.

    [R] Restart Filter Process
    This option restarts the filter process and returns the user to the login screen. You must use this option or reboot the device to restart filtering after activating the emergency lock-down feature.

    [F] Flush Log Buffer to Disk

    [E] Emergency Lock-Down
    This feature is a safety precaution that will immediately lock down the server from accepting any new email connections. This feature is important for the unforeseen needs of the customer. Potential uses could be if a virus is running rampant through a business and the system needs to be locked down to prevent further spreading of the virus. Another use could be if a need arises after normal business hours and an IT manager needs to lock down the system from home pending the installation of new Microsoft security updates. While a number of reasons exist for having this option, it is specifically for the needs that we cannot predict ahead of time that this feature is incorporated into the product.

    [M] Main Menu
    Return to the Main Menu.


    [W] Watch Activity

    The Watch Activity feature is one of the most exciting that the DS200 has to offer. Watch Activity allows the live feed of the system process of scoring, reverse DNS tracing and rejecting or accepting incoming connections as they arrive. The feature allows you to see first hand the actions of the DS200 and the relief that it is providing your business's email as it rejects a multitude of spam messages. As you watch the activity it will show:

    1. Incoming connection
    2. Accept/reject from online scoring sources
    3. Score associated with connection
    4. Whether the server was blocked or the connection was accepted


    [S] Statistics

    The statistics feature allows for the accumulation of data in a number of key interest areas.

    [S] Protected Host Status

    [N] Network Statistics

    [E] Memory Statistics

    [C] CPU Statistics

    [P] Process Statistics

    [A] All Device Statistics

    [F] Filter Statistics

    Not anti-spam accuracy rate

    [V] Volume Statistics

    [R] View Fatal Error Log

    [W] Watch Activity

    [M] Main Menu
    Return to the Main Menu.


    Updating the DS200

    The DS200 has the capability of updating by connecting to Deep Six Technologies, downloading an update and immediately installing it. This process is initiated by the customer by typing UPDATENOW into the console menu, and will take only a few minutes. After the update is downloaded and installed, the box will reboot and you will need to log in again.

    During an update you do not lose any functionality of the box or the mail processes. Instead, the mail will hold pending for the short time it takes to download and install the update. Deep Six will inform their customers by email when updates are available, and it is the customer's prerogative to install them. If a critical update is necessary, Deep Six will instruct customers to install it and explain why it is critical to update.

    Messaging Capabilities on the DS200 Console

    You are able to message on the DS200 Console. You may wish to do this if multiple individuals are utilizing the box through remote access


    DS200 Scoring Process

    The scoring process is a critical component to the success of the DS200's spam rejection technology. The DS200, through a variety of methods and observations, calculates a score for each individual mail connection transmitted to your server. You control the maximum score ceiling for connections that are allowed to move through the DS200 and into your mail server. The DS200 has a default score setting of 20, a conservative threshold. In combination with explicit whitelisting, this score can be lowered to more aggressive levels while keeping false positives at a minimum.

    Deep Six's method of scoring is based on evaluating sending servers for various markers of legitimacy and indicators of negative behavior. These factors are combined in a patent-pending algorithm.

    After the DS200 inspects the connection and calculates a score, the message will be rejected if it is at or above the maximum accept score. Alternately, the DS200 will accept the connection and pass it through to the receiving email server if the score is below the maximum accept score. If a legitimate connection is rejected, the sending server will place a rejection notice in the sender's inbox. This rejection notice will contain a custom reject message configured by the DS200's administrator. This custom reject message can inform the sender why the email was rejected and what action is needed.

    The administrator/user of the DS200 can alter the custom reject message and maximum accept score in the configuration menu. (Main Menu, option Y)

    False Positives

    The most important consideration for many customers is the balance of eliminating spam and preventing false positives. False positives are legitimate emails sent to your domain that are rejected as spam. While no anti-spam solution can truly claim zero false positives, Deep Six's approach to spam rejection minimizes the number of false positive occurrences. Further, Deep Six's unique approach immediately notifies the sender of the rejection. The DS200 differs from other solutions that file spam away into the abyss of a quarantine folder, where messages may stay for days without the knowledge of either sender or recipient.

    The DS200's system of rejecting spam connections relieves and protects your servers from the massive barrage of spam proliferated in today's Internet environment. While the DS200 is not an anti-virus solution, it can significantly reduce inbound email-borne viruses. Real-world testing indicates that sources of spam are often sources of virus attachments, and the DS200 rejects many of those sources.


    How to White List and Black List

    The DS200 provides you the ability to accept or deny specific email sources. Whitelisting bypasses the normal score investigation and automatically accepts any IP address specified in the white list. This is typically used to allow a legitimate sender that has previously been rejected; in other words, to correct a false positive. Blacklisting is the opposite in that it automatically blocks a specific IP address. If you encounter a spam sender that is not detected by the DS200, you may wish to blacklist the source, automatically denying email from that sending email server. The following are instructions for whitelisting and blacklisting specific IP addresses and ranges of IP addresses:

    Whitelist an IP Address or IP Address Range

    1) At the main menu of the DS200, select Lists by typing L and pressing Enter.

    2) Select Configure White List by typing W and pressing Enter.

    3) Select Add White List Record by typing A and pressing Enter.

    4) Enter the IP address to white list as received by the rejected sender.

    5) Enter the CIDR value for white listing the IP address. This value, valid from 1 to 32, determines the range of IP addresses that you are white listing. For example, a CIDR value of 32 will white list only that specific IP address as typed, but a CIDR value of 24 would white list 256 addresses around the IP address that you entered. For example, whitelisting 123.123.123.123 with a CIDR value of 24 would whitelist all IP addresses in the range 123.123.123.xxx. You can see a table illustrating each CIDR value by entering C at the White List Configuration menu. Be careful not to go too low on the CIDR value when white listing, because a spam sender may have a similar address to the address you are white listing. If in doubt about an appropriate CIDR value for whitelisting, a reasonable value is 28.

    6) You have now successfully whitelisted an individual IP address. The formerly rejected sender should now be able to get through consistently. In the unlikely case that the problem recurs intermittently, this is because the sender uses an ISP with a large number of outgoing email servers, which use a large, contiguous block of IP addresses. In this case, edit the CIDR value for that IP address to a lower value, such as 26 or even 24.

    Blacklist an IP Address or IP Address Range

    1) At the main menu of the DS200, select Lists by typing L and pressing Enter.

    2) Select Configure Black List by typing B and pressing Enter.

    3) Select Add Black List Record by typing A and pressing Enter.

    4) Enter the IP address to black list as received by the rejected sender.

    5) Enter the CIDR value for black listing the IP address. This value, valid from 1 to 32, is the range of the IP address that you are black listing. For example, a CIDR value of 32 will black list only that specific IP address as typed, but a CIDR value of 24 would black list 256 addresses around the IP address that you entered. For example, blacklisting 123.123.123.123 with a CIDR value of 24 would blacklist all IP addresses in the range 123.123.123.xxx. You can see a table illustrating each CIDR value by entering C at the Black List Configuration menu. If in doubt about an appropriate CIDR value for blacklisting, a reasonable value is 30. A more aggressive value is 24, which blocks a larger range of IP addresses. This may carry the risk of false positives. However, any false positives can be eliminated by increasing the CIDR value, or by explicitly whitelisting a rejected legitimate sender, as described above in the whitelisting instructions. The white list always takes precedence over the blacklist: if an IP address is in both lists, the white list will be the deciding list.

    6) You have now successfully black listed an IP address. Email from this source will now be rejected irrespective of the DS200's anti-spam scoring. If the black listed spam continues, check the IP address again to determine if your CIDR value needs to be lowered.
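The decision order described in these instructions and in the Scoring Process section, modelled as an added Python example (not Deep Six code; `record`, `covered`, `ListFilter` and `widening_demo` are hypothetical names, and the 203.0.113.x addresses are constructed from a documentation range). It shows why a lower CIDR value on a white list record needs care: every address in the covered range skips scoring.

```python
import ipaddress
from dataclasses import dataclass, field


def record(ip, cidr):
    """Build one list record from the two values the menu prompts for."""
    if not 1 <= cidr <= 32:  # valid range stated in the guide
        raise ValueError("CIDR value must be between 1 and 32")
    # strict=False masks the host bits: 123.123.123.123 with 24 -> 123.123.123.0/24
    return ipaddress.ip_network(f"{ip}/{cidr}", strict=False)


def covered(ip, cidr):
    """Return (first address, last address, count) matched by a record."""
    net = record(ip, cidr)
    return str(net[0]), str(net[-1]), net.num_addresses


@dataclass
class ListFilter:
    """Hypothetical model of the documented order: white list, black list, score."""
    max_accept_score: int = 20  # default given in the Scoring Process section
    white: list = field(default_factory=list)
    black: list = field(default_factory=list)

    def add_white(self, ip, cidr=28):  # 28 is the guide's "if in doubt" value
        self.white.append(record(ip, cidr))

    def add_black(self, ip, cidr=30):  # 30 is the guide's "if in doubt" value
        self.black.append(record(ip, cidr))

    def decide(self, ip, score):
        addr = ipaddress.ip_address(ip)
        # White list is checked first: it bypasses scoring and wins over the black list
        if any(addr in net for net in self.white):
            return "accept (white list)"
        if any(addr in net for net in self.black):
            return "reject (black list)"
        # Rejected when the score is at or above the maximum accept score
        if score >= self.max_accept_score:
            return "reject (score)"
        return "accept (score)"


def widening_demo():
    """Constructed case: legitimate sender 203.0.113.77, spam source 203.0.113.200."""
    results = {}
    for cidr in (28, 24):
        flt = ListFilter()
        flt.add_white("203.0.113.77", cidr)
        # The spam source scores 45, far above the maximum accept score of 20
        results[cidr] = flt.decide("203.0.113.200", score=45)
    return results


if __name__ == "__main__":
    for cidr in (32, 28, 26, 24):
        print(cidr, covered("203.0.113.77", cidr))
    print(widening_demo())
```

With a CIDR value of 28 the neighbouring spam source is still scored and rejected; with 24 it is accepted without scoring.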

    How to Identify the Right IP Address to Whitelist or Blacklist

    You can find an IP address through Microsoft Outlook by right-clicking the email and choosing Options. The IP address will be at the top of the headers and will appear similar to this example:

    Received: from sampleip [11.111.11.111] by mail.sample.com

    This method is most efficient for blacklisting individual spam. You can also use this method for whitelisting, however, if a newsletter or similar item no longer comes to a recipient at your business. To whitelist a newsletter, simply look at the headers in the last newsletter received.

    To whitelist a rejected sender, you will need to have the sender's IP address that was rejected. You can do this by locating the IP address in the rejection message. The IP address is contained in the rejection message to the email sender. Here is a sample rejection note:

    550-Rejected 111.222.333.44 - blocked by anti-spam policies - Your message was rejected as spam. .
    550-Blocked by local Black List
    550 Rejected 111.222.333.44 - blocked by anti-spam
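Because a white list record bypasses scoring, the address copied from a header or a forwarded rejection notice is worth validating before it is entered. The following added Python example (not part of the original guide; function names are hypothetical and the 203.0.113.x and 198.51.100.x inputs are constructed) parses the two line formats shown above. Note that the guide's sample address 111.222.333.44 is a placeholder, not a valid IPv4 address, so the parser refuses it.

```python
import ipaddress
import re

# Bracketed address in a Received line, as in the guide's sample header
RECEIVED_RE = re.compile(r"^Received:\s+from\s+\S+\s+\[([0-9.]+)\]", re.I | re.M)
# Address after "Rejected" in a 550 reply line ("550-Rejected" or "550 Rejected")
REJECT_RE = re.compile(r"^550[- ]Rejected\s+([0-9.]+)", re.M)


def parse_ipv4(text):
    """Return an IPv4Address, or None if text is not a valid dotted quad."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def ip_from_headers(headers):
    """Address from the topmost Received line only.

    Lines further down were written by earlier hops and can be forged by
    the sender, so they are ignored.
    """
    match = RECEIVED_RE.search(headers)
    return parse_ipv4(match.group(1)) if match else None


def ip_from_rejection(notice):
    """Address from a rejection notice.

    Every 550 "Rejected" line must name the same, valid address;
    otherwise None is returned and nothing should be white listed.
    """
    raw = set(REJECT_RE.findall(notice))
    if len(raw) != 1:
        return None
    return parse_ipv4(raw.pop())


# Sample lines quoted from the guide
GUIDE_HEADER = "Received: from sampleip [11.111.11.111] by mail.sample.com"
GUIDE_NOTICE = "\n".join([
    "550-Rejected 111.222.333.44 - blocked by anti-spam policies",
    "550-Blocked by local Black List",
    "550 Rejected 111.222.333.44 - blocked by anti-spam",
])

# Constructed inputs (documentation address ranges)
TWO_HOP_HEADERS = "\n".join([
    "Received: from mx.example.net [203.0.113.77] by mail.sample.com",
    "Received: from claimed.example.org [198.51.100.9] by mx.example.net",
])
GOOD_NOTICE = "\n".join([
    "550-Rejected 203.0.113.77 - blocked by anti-spam policies",
    "550 Rejected 203.0.113.77 - blocked by anti-spam policies",
])
MIXED_NOTICE = "\n".join([
    "550-Rejected 203.0.113.77 - blocked by anti-spam policies",
    "550 Rejected 198.51.100.9 - blocked by anti-spam policies",
])

if __name__ == "__main__":
    print(ip_from_headers(GUIDE_HEADER))
    print(ip_from_headers(TWO_HOP_HEADERS))
    print(ip_from_rejection(GUIDE_NOTICE))
    print(ip_from_rejection(GOOD_NOTICE))
    print(ip_from_rejection(MIXED_NOTICE))
```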

    Conservative and Aggressive Strategy

    The default setting allows for a maximum accept score of 20. The maximum accept score is left at a conservative setting to minimize initial false positives. Over time, we recommend decreasing this score to 15 in combination with whitelisting the few false positives that you may see at this level. If you have a particularly high percentage of spam (90% or more), you may prefer to lower the maximum accept score to 10, again in combination with whitelisting of false positives. This should enable you to arrive at a steady state of very accurate spam rejection, with minimal false positives. In general, the higher the maximum accept score, the more spam may pass through the DS200 to your email server, but with a lower likelihood of false positives. This approach is helpful in the initial stage of implementation, but the IT administrator in charge of this DS200 will need to determine what approach to take forward from this point.

    A conservative approach will allow the email users at the protected business to slowly ease into the new anti-spam solution. The conservative approach lessens the immediate burden of false positives, and may be needed in an office environment that is highly sensitive to that temporary inconvenience, even at the extremely low false positive rates of the DS200. This approach is designed to take a longer span of time in lowering the score, with the possibility of more spam in the near term, but less possibility of false positives from the start. Again, this can be important for a good reception to the new anti-spam solution.

    A good example of a sensitive organization comes from a Deep Six customer who initially set the maximum accept score to an aggressive value. This customer initially experienced 12 false positives in the first week, out of over 190,000 email connections. Approximately 90% of these connections were from spam sources. The DS200 rejected about 170,000 spam messages, for a false positive rate of 0.007% (12 divided by 170,000). This rate is far superior to other anti-spam products. However, this organization was very sensitive to false positives. Therefore the DS200 administrator rapidly whitelisted the 12 rejected IP addresses, and raised the maximum accept score to a more conservative value. Over time, as only a few more false positives were encountered and whitelisted, the maximum accept score was again reduced to the former aggressive value.

    The most aggressive approach would be to set a low maximum accept score of 15, or even 10. This typically forces the bulk of false positives to occur within the first two weeks after installation of the DS200, enabling the rejected IP addresses to be whitelisted quickly. This allows the administrator to reach a steady state of excellent anti-spam accuracy and minimal false positives, with little ongoing administration effort. However, the organization must be properly prepared for this strategy.

    With either conservative or aggressive strategies, it's best to notify users in advance that a new anti-spam solution will be implemented, along with letting them know what they should do if contacted by a rejected legitimate sender. A simple, efficient approach is to designate a fax number to which rejected legitimate senders can fax their rejection notices. The DS200 administrator can then read the rejected IP address from each notice, and whitelist it. This fax number can also be included in the custom reject message that legitimate users will see in their inbox after being rejected.

    Either way you approach this, the long-term goal is the same: to eliminate spam as a problem for your company, with the least amount of inconvenience to your employees and anyone contacting your company. With the current explosive state of spam and the creative methods spammers are using, finding a solution is becoming more and more critical. The DS200 is created to ease this burden and give powerful tools to the IT department to keep spam from interfering in your business environment.


    Quarantines and Email Withdrawal Syndrome

    If used to an anti-spam solution that uses quarantine folders, some users may find it surprising that they cannot look at rejected messages. There are two kinds of rejected messages:

    1) Spam

    In this case, looking at spam in a quarantine folder provides no value, and in fact steals time and productivity. There is no benefit to placing true spam in a quarantine folder. The DS200's method of rejecting connections from sources of spam prevents spam from consuming bandwidth, storage, and scalability in your email network.

    2) Legitimate Email

    Although the DS200 typically yields a very low false positive rate, some do occur. It's how the DS200 handles a false positive that matters. Other anti-spam solutions put false positives in a quarantine folder along with true spam. Neither the sender nor the intended recipient knows that a specific, legitimate email message is in the quarantine folder until the intended recipient checks the quarantine folder. Most users do not check this folder every day. When they do, they face a difficult task finding legitimate messages among a large amount of spam messages. In contrast, because the DS200 rejects at the SMTP connection level, a legitimate rejected sender is notified of the rejection by their email server right away. Further, if the DS200 administrator has configured a custom reject message, the rejected sender knows exactly what action to take in order to be whitelisted. From then on, the rejected sender will no longer be rejected. Because of this simple, fast process, there is no need for a quarantine folder.

    Despite this logic, many users are used to quarantine folders, and may need to be assured that email is not being lost. Further, those with poor anti-spam solutions (or none at all) are also used to receiving a large amount of spam messages. As a result, they have become accustomed to messages arriving in their inbox every few minutes. When the DS200 is properly configured, it rejects a very high percentage of spam, thereby dramatically reducing the frequency of email messages arriving in users' inboxes. Some users may see this reduction in traffic and be concerned that email is not working well. They may even report that email is being lost. Without concrete reports from rejected senders, this is not likely to be the case. If it turns out to be true, the DS200 administrator can simply whitelist the appropriate IP address and eliminate the problem.
