IMGate Background
=================

The emphasis of IMGate has always been envelope rejection, before the 
SMTP DATA command, avoiding expensive queuing to disk. This approach 
has since become the Postfix designer's own preference: the envelope 
stage is where defensive policies should be implemented.

Nearly all other commercial products must accept the entire message 
before deciding to accept or reject it. IMGate Advanced is vastly more 
efficient, in bandwidth and machine resources, by thoroughly exploiting 
the envelope information of PTR[IP], MAIL FROM:, RCPT TO:, and HELO.

In addition to greatly enhanced envelope policies, the new IMGate 
Advanced adds full content inspection to provide a complete 
anti-spam/anti-virus mail firewall.

The major IMGate architectural feature is separation of mail defenses 
from the mailbox server to another machine dedicated as an MX 
appliance, allowing the mailbox server to concentrate exclusively on 
mailbox storage and mail user services. Adding IMGate as a separate 
MX noticeably offloads the mailbox server and increases its responsiveness.

IMGate's interaction with mailbox servers is exclusively over the 
SMTP protocol, so IMGate is compatible with any brand of mailbox 
server product.

All the software in IMGate is free and open source, meaning no software 
purchases, no annual subscription fees, and no software upgrade fees, 
while providing total access to the system internals for monitoring, 
modification, etc.


IMGate Advanced 09 Features
===========================

IMGate mail defenses are a sequence of 4 layers, progressively removing 
illegitimate mail and abusive IPs at each stage.


First Layer: Recipient Validation (unknown recipient rejection)
===============================================================

Nothing new here compared with the earlier IMGate Advanced. It should 
be noted that some commercial anti-spam hardware MX products validate 
recipients by probing the mailbox server, passing hundreds of thousands 
of bad-recipient SMTP sessions through to the mailbox server, a 
straight-through passage of a denial-of-service attack. The IMGate 
Advanced installation service includes exporting the mailbox accounts 
from the mailbox server to a database on the IMGate MX, so bad 
recipients are rejected independently of the mailbox server, 
eliminating the IMGate MX as a source of backscatter.

Typical rejection rate for unknown recipients is about 50% of all msgs.

Second Layer: Selective Greylisting
===================================

While greylisting was available in the previous IMGate Advanced, the 
new configuration of greylisting is highly selective, applied only to 
suspicious messages, so that sending mail servers with correct PTR 
and HELO are not greylisted.  IPs sending messages with unsuspicious 
PTR and HELO will still be subject to RBL queries.

IMGate Advanced greylist report:

    3222 Pass new triplet from white listed IP
    7075 Reject early retry
   11752 Pass cached triplet
   26612 Pass retry
   77605 Pass and auto-whitelist IP
1178921 Reject new triplet

An IMGate Advanced option for sites with multiple MXs, rather than 
have each MX run its own greylist database, is a single, shared 
greylist SQL database server with greylist/SQL clients on each 
MX.  See optional IMGate installation services below.

Typical effective rejection rate for greylisting is about 90%+ of all 
msgs to known recipients. In the actual IMGate greylist report above, 
the ratio

pass retry / (reject new triplet + pass retry)

is under 2%, giving an effective greylist reject rate of 98%.
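To make the six report lines above concrete, here is an added example (not IMGate's code) of a triplet greylist that produces exactly those six outcomes, plus the report's ratio. The retry window and the auto-whitelist threshold are constructed values; IMGate's actual settings are not given in the post.

```python
import time

# Constructed parameters; the post does not state IMGate's real values.
MIN_RETRY = 300           # seconds a new triplet must wait before a retry passes
AUTO_WHITELIST_AFTER = 5  # passed deliveries after which the IP is auto-whitelisted

class Greylist:
    """Triplet (IP, sender, recipient) greylist with the report's six outcomes."""
    def __init__(self):
        self.triplets = {}      # triplet -> time first seen (still pending)
        self.passed = set()     # triplets that have passed at least once
        self.ip_passes = {}     # IP -> number of passed deliveries
        self.whitelist = set()  # auto-whitelisted IPs
        self.stats = {}         # outcome label -> count, like the report

    def _count(self, outcome):
        self.stats[outcome] = self.stats.get(outcome, 0) + 1
        return outcome

    def check(self, ip, sender, rcpt, now=None):
        now = time.time() if now is None else now
        key = (ip, sender, rcpt)
        if key in self.passed:
            return self._count("Pass cached triplet")
        if ip in self.whitelist:
            self.passed.add(key)
            return self._count("Pass new triplet from white listed IP")
        first = self.triplets.get(key)
        if first is None:
            self.triplets[key] = now
            return self._count("Reject new triplet")
        if now - first < MIN_RETRY:
            return self._count("Reject early retry")
        self.passed.add(key)
        n = self.ip_passes[ip] = self.ip_passes.get(ip, 0) + 1
        if n >= AUTO_WHITELIST_AFTER:
            self.whitelist.add(ip)
            return self._count("Pass and auto-whitelist IP")
        return self._count("Pass retry")

def effective_reject_rate(stats):
    """1 - pass retry / (reject new triplet + pass retry), as in the post."""
    retry = stats.get("Pass retry", 0)
    new = stats.get("Reject new triplet", 0)
    return 1 - retry / (new + retry) if new + retry else 0.0
```

Feeding the post's own counts (26612 pass retry, 1178921 reject new triplet) to effective_reject_rate gives roughly 0.978, the 98% figure quoted above.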


3rd Layer: Envelope Policy Service
==================================

A major and totally new addition is an envelope policy server with a 
set of custom IMGate rules that use compound conditions, including 
RBL queries, for making the reject/accept decision at the envelope 
stage. The IMGate policy server runs after greylisting.

Envelope policies are applied to all messages, whether they passed 
through or bypassed greylisting.

An actual report of rejects by the envelope policy service (ACCNET is 
ACCess NETworks):

IMGate Envelope Policy Report

     643 RBL HELO_IP
    1359 RBL HELO_ACCNET
    1622 RBL HELO_NOTFQDN
    5693 RBL PTR_ACCNET
   13343 PTR_ACCNET HELO_IP
   18845 RBL MULTIPLE MAIN
   21001 PTR_ACCNET HELO_NOTFQDN
   24111 RBL PTRNUL
   38933 RBL MULTIPLE
   56244 PTRNUL HELO_NOTFQDN
   84763 PTRNUL HELO_ACCNET
  146429 PTRNUL HELO_IP
  193523 PTR HELO ACCESS_NET

Note above that the IMGate envelope policy service performs RBL 
queries, so the report shows RBL rejects for a) one RBL hit plus a 
condition (e.g., RBL PTRNUL), and b) two or more RBL hits (e.g., RBL 
MULTIPLE).

The typical rejection rate at this layer, for msgs to known 
recipients, is often about 50%.
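As an added example (not IMGate's own rule set, which is not published in the post), the following Postfix SMTPD policy responder classifies a client's PTR and HELO into the condition labels of the report above, greylists only suspicious senders (second layer), and rejects only on the compound combinations the report shows: one RBL hit plus a condition, two or more RBL hits, or two PTR/HELO conditions together. The ACCNET pattern is a constructed approximation, and RBL lookups are assumed to have been done already and passed in as a hit count.

```python
import ipaddress
import re
# Constructed approximations: the real IMGate rule set and RBL list are not on
# the page; ACCNET = dynamic/residential reverse-DNS tokens, RBL hits a count.
ACCNET_RE = re.compile(r"(dsl|dialup|dyn|pool|ppp|cable)", re.I)
FQDN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def is_ip_literal(name):  # bare IP or Postfix-style [192.0.2.5] HELO literal
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False

def envelope_conditions(ptr, helo):
    """Map the client's PTR and HELO to the condition labels of the report."""
    conds = set()
    if not ptr:
        conds.add("PTRNUL")
    elif ACCNET_RE.search(ptr):
        conds.add("PTR_ACCNET")
    if is_ip_literal(helo):
        conds.add("HELO_IP")
    elif not FQDN_RE.match(helo):
        conds.add("HELO_NOTFQDN")
    elif ACCNET_RE.search(helo):
        conds.add("HELO_ACCNET")
    return conds

def needs_greylist(ptr, helo):  # second layer: greylist only suspicious senders
    return bool(envelope_conditions(ptr, helo))

def envelope_decision(ptr, helo, rbl_hits):
    """Third layer: compound rule -> (action, label); one hint alone passes."""
    conds = envelope_conditions(ptr, helo)
    if rbl_hits >= 2:
        return "REJECT", "RBL MULTIPLE"
    if rbl_hits == 1 and conds:
        return "REJECT", "RBL " + " ".join(sorted(conds))
    if len(conds) >= 2:
        return "REJECT", " ".join(sorted(conds))
    return "DUNNO", ""

def policy_response(request, rbl_hits):
    """Answer one Postfix SMTPD policy request (key=value lines, blank-line end)."""
    attrs = dict(line.split("=", 1) for line in request.strip().splitlines())
    ptr = attrs.get("client_name", "")
    ptr = "" if ptr == "unknown" else ptr  # Postfix sends "unknown" when no PTR
    action, label = envelope_decision(ptr, attrs.get("helo_name", ""), rbl_hits)
    return f"action={action} {label}".rstrip() + "\n\n"
```

A server wrapping policy_response would read requests from the socket named in Postfix's check_policy_service restriction and write each response back; DUNNO lets the following restrictions decide.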

(Note: after the envelope policy layer, another layer of defense could 
be SAV, sender address verification, thanks to the much reduced message 
volume to be SAV'd and to IMGate's excellent, caching SAV implementation.)


Fourth Layer:  Content-Scanning
===============================

Another major addition to IMGate Advanced 09 is content-scanning 
using the widely deployed and highly successful open source products 
SpamAssassin (anti-spam) and ClamAV (anti-virus).

While content-scanning is an infamous consumer of machine resources, 
IMGate Advanced's multi-stage filtering dramatically throttles the 
traffic delivered to content scanning.

SpamAssassin is configured with Bayes auto-learning, Razor, Pyzor, 
and carefully selected rulesets updated automatically. Spam can be 
tagged and passed, quarantined, or rejected.

ClamAV is configured with the ClamAV database plus 3rd-party 
databases, automatically updated several times per day.

Amavis Global Stats Report:

      18 AMAVIS Blocked Spam
     186 AMAVIS Blocked Infected
     279 AMAVIS Passed Bad-Header
   31776 AMAVIS Passed Clean

The 3 layers of envelope filtering preceding the content-filtering 
layer deliver such clean traffic that less than 1% of it is actually 
blocked by the content filtering:

(Blocked Spam + Blocked Infected) / (Passed Clean + Blocked Spam + Blocked Infected) < 1%

For the above Amavis report, the specific infected messages blocked by ClamAV:

   81 (HTML.Phishing.Bank-520),
   39 (Worm.Mydoom.M),
   22 (HTML.Phishing.Acc-4),
   12 (HTML.Phishing.Auction-61),
    7 (Trojan.Delf-5385),
    6 (HTML.Phishing.Bank-1165),
    4 (HTML.Phishing.Bank-89),
    2 (Worm.W32.Agent-1),
    2 (HTML.Phishing.Pay-35),
    2 (HTML.Phishing.Pay-127),
    2 (HTML.Phishing.Bank-863),
    2 (HTML.Phishing.Bank-485),
    1 (HTML.Phishing.Bank-573),
    1 (HTML.Phishing.Bank-483),
    1 (HTML.Phishing.Bank-362),
    1 (HTML.Phishing.Bank-214),
    1 (HTML.Phishing.Bank-213),


For more details and pricing, www.IMGate.net

Len
