IMGate Background
=================

The emphasis of IMGate has always been envelope rejection, before the SMTP DATA command, avoiding expensive queuing to disk. This approach has now become the Postfix designer's own preference: the envelope stage is where defensive policies should be implemented.
Nearly all other commercial products must accept the entire message before deciding to accept or reject. IMGate Advanced is vastly more efficient, in bandwidth and machine resources, by thoroughly exploiting the envelope information of PTR[IP], MAIL FROM:, RCPT TO:, and HELO. In addition to greatly enhanced envelope policies, the new IMGate Advanced adds full content inspection to provide a complete anti-spam/anti-virus mail firewall.

The major IMGate architectural feature is separation of mail defenses from the mailbox server to another machine dedicated as an MX appliance, allowing the mailbox server to concentrate exclusively on mailbox storage and mail user services. Adding IMGate as a separate MX noticeably offloads the mailbox server and increases its responsiveness.

IMGate's interaction with mailbox servers is exclusively over the SMTP protocol, so IMGate is compatible with any brand of mailbox server product.

All the software in IMGate is free and open source, meaning no software purchases, no annual subscription fees, and no software upgrade fees, while providing total access to the system internals for monitoring, modification, etc.

IMGate Advanced 09 Features
===========================

IMGate mail defenses are a sequence of 4 layers, progressively removing illegitimate mail and abusive IPs at each stage.

First Layer: Recipient Validation (unknown recipient rejection)
===============================================================

Nothing new here compared with the earlier IMGate Advanced. It should be noted that some commercial anti-spam hardware MX products validate recipients by probing the mailbox server, passing 100s of 1000s of bad recipient SMTP sessions to the mailbox server, a straight-through passage of a denial-of-service attack.
IMGate Advanced installation service includes the exporting of mailbox accounts from the mailbox server to a database on the IMGate MX, so bad recipients are rejected independently of the mailbox server, eliminating the IMGate MX as a source of backscatter.

Typical rejection rate for unknown recipients is about 50% of all msgs.

Second Layer: Selective Greylisting
===================================

While greylisting was available in the previous IMGate Advanced, the new configuration of greylisting is highly selective, applied only to suspicious messages, so that sending mail servers with correct PTR and HELO are not greylisted. IPs sending messages with unsuspicious PTR and HELO will still be subject to RBL queries.

IMGate Advanced greylist report:

       3222 Pass new triplet from white listed IP
       7075 Reject early retry
      11752 Pass cached triplet
      26612 Pass retry
      77605 Pass and auto-whitelist IP
    1178921 Reject new triplet

An IMGate Advanced option for sites with multiple MXs, rather than having each MX run its own greylist database, is a single, shared greylist SQL database server with greylist/SQL clients on each MX. See optional IMGate installation services below.

Typical effective rejection rate for greylisting is about 90%+ of all msgs to known recipients. In the actual IMGate greylist report above, the ratio of:

    pass retry / (reject new triplet + pass retry)

... is under 2%, giving an effective greylist reject rate of 98%.

3rd Layer: Envelope Policy Service
==================================

A major and totally new addition is an envelope policy server with a set of custom IMGate rules that use compound conditions, including RBL queries, for making the reject/accept decision at the envelope stage.

The IMGate policy server runs after greylisting. Envelope policies are applied to all messages, whether they have passed through or bypassed greylisting.
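
A sketch of a compound-condition envelope decision, added here as an illustration; it is not IMGate's code or rule set. It takes a request in Postfix policy-delegation format (name=value lines) and returns the policy action. Assumptions: the access-network hostname pattern, the RBL hit count being supplied by the caller instead of queried, and the rule that a single weak signal on its own passes.

```python
import ipaddress
import re

# Assumed heuristic for "access network" (dynamic/consumer) hostnames.
ACCNET_RE = re.compile(r"(^|[.\-])(adsl|dsl|dhcp|dynamic|dyn|pool|cable|ppp)([.\-\d]|$)", re.I)

# Constructed sample request in Postfix policy-delegation format.
SAMPLE_REQUEST = """request=smtpd_access_policy
client_name=unknown
helo_name=[203.0.113.7]
"""

def parse_request(text):
    """Parse the name=value lines of one policy request into a dict."""
    return dict(line.split("=", 1) for line in text.strip().splitlines())

def is_ip_literal(helo):
    try:
        ipaddress.ip_address(helo.strip("[]"))
        return True
    except ValueError:
        return False

def conditions(attrs):
    """Return the envelope condition labels that apply (PTR first, then HELO)."""
    found = []
    ptr = attrs.get("client_name", "unknown")  # Postfix sends "unknown" without a verified PTR
    helo = attrs.get("helo_name", "")
    if ptr == "unknown":
        found.append("PTRNUL")
    elif ACCNET_RE.search(ptr):
        found.append("PTR_ACCNET")
    if is_ip_literal(helo):
        found.append("HELO_IP")
    elif "." not in helo:
        found.append("HELO_NOTFQDN")
    elif ACCNET_RE.search(helo):
        found.append("HELO_ACCNET")
    return found

def decide(attrs, rbl_hits):
    """Reject only on compound evidence: 2+ RBLs, 1 RBL + condition, or 2 conditions."""
    evidence = ["RBL"] * min(rbl_hits, 1) + conditions(attrs)
    if rbl_hits >= 2:
        evidence = ["RBL", "MULTIPLE"]
    if len(evidence) < 2:
        return "action=DUNNO\n\n"  # single weak signal: let later restrictions decide
    return "action=REJECT envelope policy: " + " ".join(evidence[:2]) + "\n\n"
```

The reject text carries the same kind of label that a per-rule report counts, so each reject can be traced back to the pair of conditions that triggered it.
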
An actual report of rejects of the envelope policy service (ACCNET is ACCess NETworks):

IMGate Envelopy Policy Report

       643 RBL HELO_IP
      1359 RBL HELO_ACCNET
      1622 RBL HELO_NOTFQDN
      5693 RBL PTR_ACCNET
     13343 PTR_ACCNET HELO_IP
     18845 RBL MULTIPLE MAIN
     21001 PTR_ACCNET HELO_NOTFQDN
     24111 RBL PTRNUL
     38933 RBL MULTIPLE
     56244 PTRNUL HELO_NOTFQDN
     84763 PTRNUL HELO_ACCNET
    146429 PTRNUL HELO_IP
    193523 PTR HELO ACCESS_NET

Note above that the IMGate envelope policy service performs RBL queries, so the report shows RBL rejects for a) 1 RBL hit + condition (e.g., RBL PTRNUL), and b) 2 or more RBLs (e.g., RBL MULTIPLE).

The typical envelope policy rejection rate at this layer for msgs to known recipients is often about 50%.

(Note: After the envelope policy layer, another layer of defense could be SAV, sender address verification, due to the much reduced message volume to be SAV'd, and to IMGate's excellent, caching SAV implementation.)

Fourth Layer: Content-Scanning
==============================

Another major addition to IMGate Advanced 09 is content-scanning using the widely deployed and highly successful open source products SpamAssassin (anti-spam) and ClamAV (anti-virus).

While content-scanning is an infamous consumer of machine resources, IMGate Advanced's multi-stage filtering dramatically throttles the traffic delivered to content scanning.

SpamAssassin is configured with Bayes auto-learning, Razor, Pyzor, and carefully selected rulesets updated automatically. Spam can be tagged and passed, quarantined, or rejected.

ClamAV is configured with the ClamAV database plus 3rd party databases, automatically updated several times per day.

Amavis Global Stats Report:

       18 AMAVIS Blocked Spam
      186 AMAVIS Blocked Infected
      279 AMAVIS Passed Bad-Header
    31776 AMAVIS Passed Clean

The 3 layers of envelope filtering preceding the content-filtering layer deliver such clean traffic that:

    (Blocked Spam + Infected) / (Passed Clean + Blocked Spam + Infected) < 1% ...
is actually blocked by the content filtering.

For the above Amavis report, the specific infected messages blocked by ClamAV:

    81 (HTML.Phishing.Bank-520)
    39 (Worm.Mydoom.M)
    22 (HTML.Phishing.Acc-4)
    12 (HTML.Phishing.Auction-61)
     7 (Trojan.Delf-5385)
     6 (HTML.Phishing.Bank-1165)
     4 (HTML.Phishing.Bank-89)
     2 (Worm.W32.Agent-1)
     2 (HTML.Phishing.Pay-35)
     2 (HTML.Phishing.Pay-127)
     2 (HTML.Phishing.Bank-863)
     2 (HTML.Phishing.Bank-485)
     1 (HTML.Phishing.Bank-573)
     1 (HTML.Phishing.Bank-483)
     1 (HTML.Phishing.Bank-362)
     1 (HTML.Phishing.Bank-214)
     1 (HTML.Phishing.Bank-213)

For more details and pricing, www.IMGate.net

Len