Symantec Enterprise Security
WHITE PAPER

Overview of Intelligent Message Filter Integration

by David Scott, Sr. Product Manager, Symantec Mail Security, Symantec Corporation

INSIDE
Overview of the IMF
Increasing effectiveness through integration
Symantec Mail Security for Microsoft Exchange
Conclusion
Contents
Introduction
Overview of the IMF
Increasing effectiveness through integration
Symantec Mail Security for Microsoft Exchange: Integration with IMF
Handling different SCL values
Score-based spam handling
Conclusion
Introduction

Microsoft recently released the Intelligent Message Filter (IMF), a new heuristics-based antispam engine for Exchange 2003. This engine is available to all Exchange 2003 customers and is a free download from Microsoft's Web site. The IMF is an effective antispam engine that minimizes the amount of spam received by an organization. It is not intended as a comprehensive spam prevention solution but rather as another tool in the fight against spam. The IMF is most effective when tightly integrated into a multi-layered spam solution.

Overview of the IMF

The IMF performs heuristics-based analysis of messages to determine whether an email is legitimate mail or spam. Similar to Symantec's Mail Security antispam engine, the IMF leverages the new Spam Confidence Level (SCL) ratings in Exchange 2003 to add a rating between 0 (not spam) and 9 (almost definitely spam) to each message. Typically, the IMF is installed on an Exchange server set up as a gateway at the perimeter of the network or on a bridgehead server. Once scanned by the IMF, messages are either rejected (spam), passed to the end user's junk folder (probably spam), or delivered to the end user's inbox (not spam).

Increasing effectiveness through integration

The IMF can add value to a broader spam solution by providing an additional layer of spam analysis. For example, a message scanned by the IMF can be reevaluated by another spam engine prior to entering the end user's mailbox. The SCL value assigned to the message by each engine can be compared, and if both agree, the message can be rejected. If the engines assign different values, an integrated solution should provide a method for the administrator to choose which SCL value to use. Administrators who choose to be aggressive against spam should be able to use the higher SCL value regardless of engine. Administrators can choose the lower SCL value if they want to minimize false positives.
The IMF is also limited in how it classifies and disposes of spam. It has just three ways of classifying a message: spam, not spam, and junk mail. A more comprehensive solution provides granular options to handle messages based on the likelihood that a message is, in fact, spam. Disposition options, based on SCL value, should include:

- Reject the message
- Prevent delivery to the intended recipient
- Send to an alternate recipient or quarantine
- Add an X-Header to the message
- Append the subject line with text to indicate spam (e.g., prefix the subject with "Spam:")
- Log only

By making each option dependent on the SCL value of the message, there is less chance of false positives because there are more options for dealing with questionable messages.
Symantec Mail Security for Microsoft Exchange: Integration with IMF

Symantec Mail Security 4.5 for Exchange is tightly integrated with the IMF to maximize the effectiveness of both solutions. The IMF adds value to Mail Security for Microsoft Exchange by providing additional heuristic analysis of each message. Mail Security's heuristic engine is Neural Net based, while the IMF uses Support Vector Analysis to determine spam content. Combining these two technologies increases confidence when rejecting a message as spam.

The IMF scans a message first and assigns an SCL value before the message reaches Symantec Mail Security's antispam engine. Symantec's engine then rescans the message and assigns an SCL value. If both the IMF and Symantec's spam engines rate the message above a specified SCL value, the message is rejected (see Figure 1).

Figure 1: Screen shot of IMF integration to reject a message when both engines exceed the threshold.

This combined method results in fewer false positives and allows administrators to use a lower blocking threshold.

HANDLING DIFFERENT SCL VALUES

If the two engines assign different SCL values, Symantec Mail Security integrates further to allow the administrator to choose the method for arriving at the final SCL value. Options for handling different SCL values include:

- Use the higher value regardless of vendor (if you want to be aggressive against spam)
- Use the lower of the two (if you want to minimize false positives)
- Use an average of both spam engines
- Always use the IMF's rating when the engines don't agree
- Use Symantec's antispam engine rating when the engines don't agree

The final SCL value will be used to determine whether a message should be routed to the end user's Junk Folder and/or whether it should be handled using one of the six different score-based spam-handling options within Symantec Mail Security.
SCORE-BASED SPAM HANDLING

Symantec's Mail Security provides the administrator with granular options to deal with spam based on the SCL value. Mail Security's score-based spam handling dispositions include:

- Reject the message
- Add an X-header to the message
- Append the subject line to indicate spam (e.g., add "SPAM:" to the beginning of the subject line)
- Prevent delivery to the original recipient
- Send to an alternate recipient
- Log the message and deliver

These options take effect depending on the SCL value of a message. Multiple options can apply to a single message (e.g., you can prevent delivery to the original recipient and send to an alternate recipient).

Figure 2: Score-based spam handling
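The following is an added worked example, not code from the paper or from Symantec's product, that models the two mechanisms described in the preceding two subsections: reconciling disagreeing IMF and Symantec SCL values with the five listed policies (plus the Figure 1 rule of rejecting only when both engines exceed a threshold), and then applying the six score-based dispositions that may stack on one message. The rule thresholds, the X-Spam-SCL header name and the quarantine address are constructed for illustration and are not product defaults.

```python
SCL_MIN, SCL_MAX = 0, 9   # Exchange 2003 SCL scale: 0 (not spam) .. 9 (almost definitely spam)

# The five reconciliation options the paper lists for when the two engines disagree.
POLICIES = {
    "higher": max,                                       # aggressive against spam
    "lower": min,                                        # minimise false positives
    "average": lambda imf, sms: round((imf + sms) / 2),  # average of both engines
    "prefer_imf": lambda imf, sms: imf,                  # always trust the IMF rating
    "prefer_symantec": lambda imf, sms: sms,             # always trust the Symantec rating
}

def final_scl(imf_scl, sms_scl, policy="higher"):
    """Return the SCL value that score-based handling will act on."""
    for v in (imf_scl, sms_scl):
        if not SCL_MIN <= v <= SCL_MAX:
            raise ValueError(f"SCL out of range: {v}")
    if imf_scl == sms_scl:                               # engines agree: nothing to reconcile
        return imf_scl
    return POLICIES[policy](imf_scl, sms_scl)

def both_exceed(imf_scl, sms_scl, threshold):
    """Figure 1 rule: reject only when BOTH engines rate the message above the threshold."""
    return imf_scl > threshold and sms_scl > threshold

# Constructed sample rules as (minimum SCL, action); real thresholds are an administrator's choice.
SAMPLE_RULES = [(4, "log"), (5, "add_x_header"), (6, "tag_subject"),
                (7, "prevent_delivery"), (7, "alternate_recipient"), (9, "reject")]

def apply_dispositions(msg, scl, rules=SAMPLE_RULES):
    """Apply every rule whose threshold the SCL meets; several may apply to one message."""
    out = dict(msg, headers=dict(msg["headers"]), actions=[], deliver=True)
    for threshold, action in rules:
        if scl < threshold:
            continue
        out["actions"].append(action)
        if action == "add_x_header":
            out["headers"]["X-Spam-SCL"] = str(scl)      # header name is an assumption
        elif action == "tag_subject" and not out["subject"].startswith("SPAM:"):
            out["subject"] = "SPAM: " + out["subject"]
        elif action in ("prevent_delivery", "reject"):
            out["deliver"] = False                        # original recipient never gets it
        elif action == "alternate_recipient":
            out["to"] = "spam-quarantine@example.invalid"  # constructed quarantine address
    return out

def process(msg, imf_scl, sms_scl, policy="higher", reject_threshold=7):
    """Combined pipeline: joint rejection first, then score-based handling of the final SCL."""
    if both_exceed(imf_scl, sms_scl, reject_threshold):
        return dict(msg, actions=["reject"], deliver=False)
    return apply_dispositions(msg, final_scl(imf_scl, sms_scl, policy))
```

Note that the same message with IMF 7 and Symantec 3 is quarantined under the "higher" policy but delivered untouched under "lower", which is the trade-off between aggressiveness and false positives the paper describes.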
Conclusion

The IMF is an effective antispam engine that provides incremental value when used with the multi-layered spam prevention already available in Symantec Mail Security 4.5 for Microsoft Exchange. Symantec Mail Security for Microsoft Exchange integrates with the IMF to leverage this additional spam prevention layer. Exchange 2003 administrators should strongly consider the IMF as a part of their overall spam solution.
Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering, and remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 35 countries. For more information, please visit www.symantec.com.

WORLD HEADQUARTERS
20330 Stevens Creek Blvd.
Cupertino, CA 95014 U.S.A.
408 517 8000
800 721 3934

For Product Information
In the U.S., call toll-free 800 745 6054

Symantec and the Symantec logo are trademarks of Symantec Corporation. All other brands and products are trademarks of their respective holder/s. 2004 Symantec Corporation. All product information is subject to change without notice. All rights reserved. Printed in the U.S.A. 07/04 10288959
www.symantec.com
Symantec has worldwide operations in 35 countries. For specific country offices and contact numbers, please visit our Web site.