
Defending against spam with IronPort c170

Foreword


Everyone knows what e-mail is, and everyone knows what spam is. Global spam volume reaches 140 billion messages a day, and such a volume simply makes it impossible to use mail with any efficiency without a spam filtering system. At the same time, one of the most important requirements is avoiding filtering errors.

Over a long time I dug through many anti-spam systems, and somehow none of them fully met the need. But then I was offered to look at IronPort from Cisco. Initially I was skeptical: I thought that a Western box, and one without a Bayesian filter at that, would not be able to screen out Russian spam effectively, let alone avoid errors. And the price! Asking people in friendly conversations, I was told completely different figures, reaching millions of rubles. That scares people off; few want to pay that kind of money just to filter unwanted content. In addition, to my surprise, there is very little information about this system on the Internet. Even Wikipedia has only a sparse article in English, and nothing in Russian at all. So, what IronPort is and why I would recommend it for medium-sized business mail systems and above, I will try to answer here.

Typical picture:

Fewer than 60 messages out of 10,000 reach the addressee.
IronPort C170


IronPort is a hardware appliance. In the simplest version it is a single-unit server, apparently built on Dell hardware. Cisco does not disclose the detailed configuration, and it is not needed anyway. This configuration uses two 250GB disks in a software mirror. The disks are used mainly for quarantine and logs.


There are not many connection interfaces, but many are not needed: two gigabit interfaces and one RS232. There are also two USB ports, the purpose of which I did not figure out. They are present only on the entry-level model, the C170; the larger models have no USB ports.


Licensing

An interesting licensing model is used. The minimum order for configuring an ESA (Email Security Appliance) is 100 licenses. The minimum term is 1 year. The least profitable anti-spam license is about $30 per seat for 1 year. There are licenses for 3 and 5 years, which are up to 60% cheaper, and renewals, which are sold cheaper still. In addition, when buying 250 or more, the per-license cost is about a third lower. As a result, for example, a 3-year license for 250 users can cost $30-35 apiece and $20-25 for its renewal; these are the prices quoted by our supplier, and there is a chance that lower prices can be found. But the hardware itself is the interesting part: you pay nothing for the server, it comes with any number of licenses and stays with you even after the licenses expire, should you decide you no longer want to filter spam with IronPort. Depending on the number of licenses you get a C170 for up to 1000 users, the more powerful C370 for 2000 up to 10,000 users, and so on. It is unlikely that the server can be used effectively for any other purpose, but I like the approach itself.

Filtration technology

The basic anti-spam mechanism is the so-called reputation filter. IronPort checks the source of the messages against its SenderBase database and assigns a so-called SenderBase Reputation Score, measured in the range from -10 to 10. The SenderBase database itself is replenished according to some tricky criteria that guarantee not only that bona fide senders are excluded from it, but also a high level of spam filtering already during SMTP session setup. They promise that reputation-based filtering covers at least 80% of mail traffic. In practice, this figure is around 98%.
However, that is not all. Messages that get through, especially those with a low reputation that were nevertheless let in, are checked by the anti-spam module itself. A special context analysis system is used, analyzing a variety of parameters, including signs of attempts to evade anti-spam protection, links present in the message, and images in attachments. Usually about half of the messages that pass the reputation filter are cut off by this layer. No errors have been noticed so far.
IronPort runs its own AsyncOS, designed specifically for this device, with a special file system and a stackless connection model that guarantees up to 10,000 simultaneous connections.

What does it look like in reality?


IronPort can also be configured for a setup in which messages are relayed to it from another mail server. Such a setup is often necessary, for example, if your provider's mail server is set up as a secondary MX. IronPort will find the source server's address in the message headers and check it for presence in SenderBase. If this is not configured, IronPort will look up not the source server but the relay, will not find it in the database, and will let the spam message through. And this matters, given that in normal operation up to 99% of spam is filtered, and even a minute of unfiltered spam can mean hundreds or thousands of messages.
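To make the relay pitfall above concrete, here is an added example (not IronPort code or the author's) that walks the Received: headers of a relayed message. With no trusted relays configured it scores the relay, which has a good reputation, and the spam is accepted; with the provider's MX declared trusted it scores the true origin. The reputation table, the threshold and the message are constructed, and the score lookup is a stand-in for a SenderBase query.

```python
import ipaddress
import re

# Constructed reputation table standing in for a SenderBase lookup
# (scores run from -10 to 10 as the article describes; values are made up).
REPUTATION = {
    "203.0.113.7": -8.5,    # spam source (constructed)
    "198.51.100.25": 6.0,   # the provider's secondary MX, a well-behaved relay
}
REJECT_BELOW = -3.0         # assumed policy threshold, not an IronPort default

# Constructed sample of a message that reached the appliance via the
# provider's secondary MX; the newest hop is on top, as in real mail.
SAMPLE = """Received: from mx2.provider.example ([198.51.100.25]) by esa.corp.example; Thu, 1 Jan 2012 10:00:00 +0400
Received: from unknown ([203.0.113.7]) by mx2.provider.example; Thu, 1 Jan 2012 09:59:58 +0400
From: sales@example.net
Subject: cheap offer
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Connecting IPs taken from Received: headers, newest hop first."""
    ips = []
    for line in raw_message.split("\n"):
        if line.lower().startswith("received:"):
            m = RECEIVED_IP.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def origin_ip(raw_message, trusted_relays=()):
    """Skip hops that belong to trusted relays; the first other hop is the
    true source. With no relays listed, the newest hop (the relay itself)
    is returned, which is the misconfiguration the text warns about."""
    nets = [ipaddress.ip_network(n) for n in trusted_relays]
    hops = received_ips(raw_message)
    for ip in hops:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return hops[-1] if hops else None


def reputation_verdict(raw_message, trusted_relays=()):
    """Return (ip checked, score, action) for the reputation stage."""
    ip = origin_ip(raw_message, trusted_relays)
    score = REPUTATION.get(ip, 0.0)  # unknown senders are neutral (assumption)
    return ip, score, ("reject" if score < REJECT_BELOW else "accept")
```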

In practice, it all comes down to IronPort opening the port and waiting for an SMTP session.
If the sender's IP address is listed in the database as disreputable, the session is terminated, with a notice to the sender that it is not trusted.
A short message is written to the log:


Error log when the user is not found in the LDAP directory. If the LDAP server is unavailable, you can specify what to do: let the message through or refuse delivery. Compound queries are supported: if IronPort serves several domains with different LDAP directories, the queries can be combined, and verification is carried out sequentially across the available directories until a match is found, or delivery to the addressee is refused if no such address exists in any of the directories.
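The recipient check described above, as an added example that is not part of the original post: directories are queried in turn, a directory that is down is skipped, and when nothing matched and a directory was unreachable the configured fallback (accept or reject) decides. The directories, addresses and the outage are constructed, and the lookup function is a toy stand-in for a real LDAP query.

```python
class DirectoryUnavailable(Exception):
    """Constructed stand-in for an LDAP server that cannot be reached."""


# Constructed sample directories, one per hosted domain. None stands for a
# server that is down in this scenario. Addresses are made up.
DIRECTORIES = [
    ("corp.example", {"alice@corp.example", "bob@corp.example"}),
    ("shop.example", None),
]


def ldap_has_recipient(users, address):
    """Toy lookup; a real deployment would issue an LDAP query here (assumption)."""
    if users is None:
        raise DirectoryUnavailable(address)
    return address in users


def validate_recipient(address, directories=None, on_unavailable="reject"):
    """Try each directory in turn and accept on the first match. Directories
    that are down are skipped; if none matched and at least one was down, the
    configured fallback decides (the article's 'let through' or 'refuse').
    Returns (action, reason)."""
    if on_unavailable not in ("accept", "reject"):
        raise ValueError("on_unavailable must be 'accept' or 'reject'")
    if directories is None:
        directories = DIRECTORIES
    address = address.lower()
    outage = False
    for name, users in directories:
        try:
            if ldap_has_recipient(users, address):
                return "accept", name
        except DirectoryUnavailable:
            outage = True
    if outage:
        return on_unavailable, "unavailable"
    return "reject", "not found"
```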


After the LDAP directory check, the text of the message is analyzed for suspicious content. This message is a loser; to its regret, it deserves only quarantine.


The quarantine, by the way, is also very good. You can allocate up to 5GB for quarantine and set any retention period. But the most interesting part is the personal quarantine. With the proper settings for the LDAP query and quarantine, an ordinary user can log in to IronPort and see which messages the anti-spam filter has held back, release them, or delete them permanently. At a specified frequency, a notification can be sent by mail listing how many and which messages are in the spam quarantine. I think it is a beautiful thing.

Mailing lists do not fall under anti-spam. Mailing-list servers have a decent rating and are not cut off.


In general, the system has quite flexible functionality. There is almost no configuration in which IronPort could not be used. Fault-tolerant configurations are also available.

Alternatives

Of the alternatives I would single out Microsoft Forefront. In cost it comes out about the same. But as for efficiency, I can only judge by positive reviews and my personal account at Office 365, where spam became ... slightly less than zero after I moved my mailbox from Yandex to 365.

As a result, what I would especially highlight in IronPort is its operation as a gateway with the SenderBase filter. Using it purely as an anti-spam filter is not very effective, and if you run the entire stream of messages through it without filtering by SenderBase, the filtering quality will be depressing.

Source: https://habr.com/ru/post/148317/
