Client X CronLab Spam Filter Technical Training Presentation 19/09/2015
Technical information: Detailed Information

1. Rate Control
- Controls high-volume spam by giving a soft reject to IP numbers that send too many emails per minute
- If the email is valid, the sender will try again
- This feature helps to keep legitimate emails passing through, even when servers are under spam attacks

2. Address Verification
- Verifies that the address is valid by checking with the receiving server
- On receipt of the first email to a new address, a probe is sent to the receiving server to validate the address
- This method simplifies the integration with the email server and avoids Active Directory or LDAP setup
- The address status is stored in a database which is updated on a regular basis
- If the address is invalid, the email, along with future emails to that address, is rejected. The address validity is re-tested every 3 hours
- If the address is valid, the email, along with future emails to that address, goes through to further analysis. The address validity is re-tested every 7 days

[Figure: Spam Control Flow. Incoming email -> Rate control -> Address verification -> Virus scanning -> Spam detection -> Auto averaging -> FP prevention -> Delivery / Quarantine / Stored for deletion / Reject. Quarantine feeds the User Message Center (Delete / Release). Spam detection draws on: DNS & URL blacklists, Hash database comparison, Statistic analysis (incl. Bayes), Content analysis, Sender Policy Framework verification]
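The two front stages above, rate control and address verification, as an added worked example in Python. This is illustrative code written for this page, not CronLab's implementation; the per-minute limit, the SMTP reply texts and the `probe` callback (standing in for the callout to the receiving server) are assumptions, while the 3-hour and 7-day re-test intervals come from the slide.

```python
import time
from collections import deque
from typing import Callable, Dict, Optional, Tuple

# Hypothetical thresholds for illustration; the deck does not state CronLab's limits.
RATE_WINDOW_SECONDS = 60
RATE_LIMIT_PER_WINDOW = 100
INVALID_TTL_SECONDS = 3 * 3600        # deck: invalid addresses are re-tested every 3 hours
VALID_TTL_SECONDS = 7 * 24 * 3600     # deck: valid addresses are re-tested every 7 days


class RateControl:
    """Sliding-window count of messages per sending IP over the last minute."""

    def __init__(self, limit: int = RATE_LIMIT_PER_WINDOW, window: int = RATE_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.seen: Dict[str, deque] = {}   # ip -> timestamps of accepted messages

    def check(self, ip: str, now: float) -> str:
        q = self.seen.setdefault(ip, deque())
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            # Soft reject: a 4xx reply makes a well-behaved MTA queue and retry,
            # so legitimate mail is delayed rather than lost, while bulk senders
            # that never retry simply go away.
            return "450 4.7.1 Rate limit exceeded, try again later"
        q.append(now)
        return "250 OK"


class AddressVerifier:
    """Probes the receiving server once per address, then caches the verdict."""

    def __init__(self, probe: Callable[[str], bool]):
        self.probe = probe          # hypothetical callout to the receiving server
        self.cache: Dict[str, Tuple[bool, float]] = {}   # address -> (valid, expires_at)
        self.probe_count = 0        # lets a caller confirm the cache is doing its job

    def is_valid(self, address: str, now: float) -> bool:
        entry = self.cache.get(address)
        if entry is not None and now < entry[1]:
            return entry[0]                        # cached verdict still fresh
        self.probe_count += 1
        valid = self.probe(address)
        ttl = VALID_TTL_SECONDS if valid else INVALID_TTL_SECONDS
        self.cache[address] = (valid, now + ttl)
        return valid


def front_door(rate: RateControl, verifier: AddressVerifier,
               ip: str, recipient: str, now: Optional[float] = None) -> str:
    """Applies the first two stages of the flow and returns an SMTP-style reply."""
    if now is None:
        now = time.time()
    reply = rate.check(ip, now)
    if not reply.startswith("250"):
        return reply
    if not verifier.is_valid(recipient, now):
        return "550 5.1.1 Recipient address rejected: user unknown"
    return "250 OK, continue to virus scanning"


if __name__ == "__main__":
    # Constructed demo: a probe that accepts only @example.com mailboxes.
    v = AddressVerifier(lambda addr: addr.endswith("@example.com"))
    r = RateControl(limit=3)
    for i in range(4):
        print(front_door(r, v, "203.0.113.5", "alice@example.com", now=1000 + i))
    print(front_door(r, v, "198.51.100.1", "ghost@example.org", now=1000))
```

The order matters: rate control runs before the recipient probe, so a flood from one IP cannot be used to drive a large number of probes at the receiving server, and an invalid address is answered from the cache for three hours instead of being re-probed on every attempt.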
Technical information (continued)

3. Virus Scanning
- Email is scanned for viruses using the ClamAV anti-virus engine. BitDefender is available as an add-on service.

4. Spam Detection
- The email is analysed for spam in a scoring system and undergoes the following checks against:
  - Sets of commercial and freely available blacklists & whitelists
  - Internal server blacklists and whitelists
  - CronLab proprietary blacklists and whitelists
  - Hash databases
  - Internal content analysis databases
  - SPF records
  - Internal statistical analysis tools, including a Bayes database
Technical information (continued)

5. Auto Averaging
- Adjusts the scoring of email based on historical data
- This uses a combination of the receiving address and the sender's IP cluster
- If the email comes from a known valid sender and still looks like spam, auto-averaging will lower the score based on historical data to allow the email to pass through
- If the email comes from a known spammer to the receiving address, the email is likely to be stopped even if it looks valid

6. FP Prevention
- If an email is marked as a false positive, the sending server is automatically added to a whitelist, preventing future emails from that server from ending up in the quarantine

7. Delivery
- If the email is deemed to be legitimate it is delivered straight to the receiving server
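Spam detection (step 4), auto averaging (step 5) and FP prevention (step 6) together, as an added Python example written for this page rather than taken from CronLab. The check names, their weights, the two thresholds, the /24 sender cluster and the size of the auto-averaging adjustment are all assumptions chosen to make the behaviour visible; the slides only say that scoring is combined with history keyed on receiving address and sender IP cluster, and that a false positive whitelists the sending server.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# Hypothetical weights and thresholds; the deck does not publish CronLab's scoring.
CHECK_WEIGHTS = {
    "dnsbl_listed": 3.0,      # DNS & URL blacklists
    "url_blacklisted": 2.5,
    "hash_match": 4.0,        # hash database comparison
    "spf_fail": 1.5,          # Sender Policy Framework verification
    "bayes_spam": 2.0,        # statistical analysis (Bayes)
    "content_rule": 1.0,      # content analysis
}
SPAM_THRESHOLD = 5.0          # at or above: stored for deletion
QUARANTINE_THRESHOLD = 3.0    # between the thresholds: quarantine
MIN_HISTORY = 5               # verdicts needed before auto averaging adjusts anything
MAX_SHIFT = 2.0               # largest adjustment auto averaging may apply either way


def sender_cluster(ip: str) -> str:
    """Group a sender IP into its /24 network (cluster granularity is an assumption)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


@dataclass
class History:
    """Past verdicts for one (recipient, sender cluster) pair."""
    ham: int = 0
    spam: int = 0


@dataclass
class SpamFilter:
    history: Dict[Tuple[str, str], History] = field(default_factory=dict)
    server_whitelist: Set[str] = field(default_factory=set)

    def base_score(self, hits: Iterable[str]) -> float:
        """Spam detection: add up the weights of the checks that fired."""
        return sum(CHECK_WEIGHTS[h] for h in hits)

    def auto_average(self, score: float, recipient: str, ip: str) -> float:
        """Shift the score towards what this sender cluster historically sent this recipient."""
        h = self.history.get((recipient, sender_cluster(ip)))
        if h is None or h.ham + h.spam < MIN_HISTORY:
            return score                               # not enough history to adjust
        ham_ratio = h.ham / (h.ham + h.spam)           # 1.0 = always legitimate so far
        return score - 2 * MAX_SHIFT * (ham_ratio - 0.5)

    def classify(self, recipient: str, ip: str, hits: Iterable[str]) -> Tuple[str, float]:
        if ip in self.server_whitelist:                # FP prevention short-circuit
            return "deliver", 0.0
        score = self.auto_average(self.base_score(hits), recipient, ip)
        if score >= SPAM_THRESHOLD:
            return "stored_for_deletion", round(score, 2)
        if score >= QUARANTINE_THRESHOLD:
            return "quarantine", round(score, 2)
        return "deliver", round(score, 2)

    def learn(self, recipient: str, ip: str, is_spam: bool) -> None:
        """Feed a verdict (from the system or a user report) back into the history."""
        h = self.history.setdefault((recipient, sender_cluster(ip)), History())
        if is_spam:
            h.spam += 1
        else:
            h.ham += 1

    def report_false_positive(self, recipient: str, ip: str) -> None:
        """FP prevention: whitelist the sending server and record the message as ham."""
        self.server_whitelist.add(ip)
        self.learn(recipient, ip, is_spam=False)


if __name__ == "__main__":
    f = SpamFilter()
    hits = ["spf_fail", "bayes_spam"]
    print(f.classify("bob@example.net", "192.0.2.10", hits))      # no history yet
    for _ in range(10):
        f.learn("bob@example.net", "192.0.2.20", is_spam=False)  # same /24 cluster
    print(f.classify("bob@example.net", "192.0.2.10", hits))      # history lowers the score
```

The same message with the same check results lands in three different places depending only on history: no history gives quarantine, a cluster that has sent this recipient nothing but legitimate mail gets it delivered, and a cluster that has only ever sent spam pushes it into storage for deletion, which is exactly the "known spammer to the receiving address" case the slide describes.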
Technical information (continued)

8. Quarantine
- If the email is likely to be spam, but its status cannot definitely be established, then the email is sent to the quarantine
- All emails in the quarantine are subject to further analysis every hour for potential re-categorization. This minimizes the volume of emails in the quarantine
- The quarantine is user-based. Each user manages his own quarantine login information in a web-based message center. Users can also delegate handling of their quarantine to other users of the CronLab spam filter
- On the first message center visit, the user registers for a password which can easily be changed (or reset)
- More information about the message center is available on later slides

9. Stored for Deletion
- If an email is determined to be spam or to contain a virus, the email is stored for 30 days before deletion
- The 30-day storage of spam allows the administrator to retrieve a potential false positive
Technical information (continued)

Learning and Adapting
- All actions taken by the system or the user are added back to the internal learning engine
- Users can report false negatives as spam by clicking on the footer at the bottom of the email (unless the user opts out of this feature in the message center)
- If a user reports an email as spam or ham, this results in an update of the internal statistical databases as well as the blacklists and whitelists
Message Center: Detailed Information

- The message center enables access to the user's quarantine
- All emails can be reported:
  - As legitimate - after which they are released back to the user. This also updates internal statistical databases as well as blacklists and whitelists
  - As spam - after which they are deleted. This also updates internal statistical databases as well as blacklists and whitelists
  - As ignored - after which they are merely deleted
- Users receive a notification in the morning if the content of the quarantine has changed

Quarantine Search Engine
- The Postmaster of a domain can access all emails received in the last 30 days and release potential false positives back to the relevant user
- Users can search through their own emails, up to 30 days old, and release potential false positives
- The Postmaster can also see mail log extracts for recent emails to help search for potential problems

Email footers can be switched on/off
- Can toggle all footers, or only footers applied to incoming emails
- This will prevent the user from reporting emails as spam, but might be desired for some users nonetheless

Phishing filters can be switched on/off
- Sites that the user deems safe from phishing attacks can be reported
- Any report results in further analysis by CronLab's support team

Delegation of quarantine
- Users can delegate the quarantine, e.g. when having multiple addresses or if an administrator is to take care of their quarantine
- This results in an aggregated quarantine for all the addresses that the delegated recipient is to manage
Outgoing Filter: Send emails securely from anywhere, while reducing reputational risk

[Figure: End user station -> encrypted communication to CronLab's cluster -> emails sent to recipient (communication to recipient encrypted if possible). Spam and viruses are stopped at the cluster and the administrator alerted]

- Availability: Ensure safe delivery of emails no matter where you are. Works on all networks with all email servers and clients, including mobile phones
- Alarms: Alarms are sent to the administrator if a computer starts sending out spam or viruses
- Security: All communication is handled through strong TLS or SSL encryption
- Prevents blacklisting: Minimizes the risk of your domain being blacklisted, as spam and viruses are removed before they reach the recipient
- Validity control: Users can only send emails from their own address, using their own accounts. Domain accounts can be set up for authorized relaying servers to allow senders from all domain accounts and even from several domains
Email Attachment Saver (EAS), an add-on that simplifies sending large files

[Figure: User A sends a large file as an attachment -> the CronLab cluster replaces the attachment with a link and saves the attachment -> User B receives the email with the link and downloads the file from the CronLab cluster]

EAS Benefits
- The EAS uses a format known to users (email) - no training or extra programs required
- It saves network bandwidth and avoids bounced emails
- It reduces the user frustration common when trying (and failing) to transfer large files
Further important technical facts

- CronLab's clusters are redundant and geographically distributed
- To speed up communications, CronLab chooses not to use greylisting in its filters
- No emails are blocked if the receiving address is valid
- All domains will receive multiple MX pointers
- Emails are scanned by several geographically distributed servers. The servers are however always country-specific

Treatment of potentially dangerous files
- Potentially dangerous files that are still not viruses (e.g. exe-files or bat-files) are removed from the email and replaced by a text file containing information on the danger of the file and, if permitted by the postmaster, a link to a website where the user can retrieve the file

CronLab does not apply greylisting to control for spam
- This significantly speeds up communication
- As long as the receiving address is valid, an email will always be retrieved and analyzed, no matter what the reputation of the IP address is
- If an email has been wrongly classified as spam, the email can still be retrieved by the user or the postmaster for a period of 30 days
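The treatment of potentially dangerous files described above, as an added example in Python using the standard library's email package. It is illustrative code for this page, not CronLab's filter: the sample message is constructed, the extension list is limited to the exe and bat types the slide names, the wording of the notice is invented, and the retrieval link is a labelled placeholder that is only inserted when the caller (standing in for the postmaster's permission) supplies one.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# The deck names exe and bat files as examples of dangerous-but-not-virus attachments.
DANGEROUS_EXTENSIONS = {".exe", ".bat"}


def build_sample_message() -> bytes:
    """Constructed sample: a text body, one .exe attachment and one harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00 constructed fake executable", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"%PDF-1.4 constructed fake pdf", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


def extension_of(filename: str) -> str:
    """Lower-cased last extension, or '' when the name has none."""
    return ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""


def neutralise_dangerous_attachments(raw: bytes, retrieval_link: Optional[str] = None
                                     ) -> Tuple[EmailMessage, List[str]]:
    """Replace each dangerous attachment with a text note; returns the message and removed names."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if extension_of(name) not in DANGEROUS_EXTENSIONS:
            continue
        removed.append(name)
        notice = (f"The attachment '{name}' was removed because files of this type "
                  f"can run programs on your computer and are not passed through the filter.")
        if retrieval_link:   # only when the postmaster permits retrieval
            notice += f"\nIf you are sure it is safe, you can retrieve it at: {retrieval_link}"
        # set_content() drops the old Content-* headers and the binary payload and
        # re-types the part as text/plain; the filename keeps it a named attachment.
        part.set_content(notice, filename=name + ".txt")
    return msg, removed


if __name__ == "__main__":
    cleaned, gone = neutralise_dangerous_attachments(
        build_sample_message(), retrieval_link="https://retrieve.example/PLACEHOLDER-ID")
    print("removed:", gone)
    print(cleaned.as_string())
```

Matching on the attachment's declared extension is only the first layer a real filter would use, since the declared name and Content-Type are under the sender's control; the point of the example is the replacement step, which leaves the message structure intact for the recipient while the executable content itself never reaches their client.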
Thank you! Questions?

Full tests of Pro 2000 Anti-Spam Appliance available at
Full tests of Light 1100 Anti-Spam Appliance available at