Protecting Your Network with GFI’s MailSecurity
By Thomas W Shinder
Note: A Full, 60-day working version of GFI MailSecurity for Exchange/SMTP can be downloaded here.
Have you noticed the volume of spam, unwanted attachments and email viruses seems to have exploded in the last six months? I used to get spam very rarely to my "protected" or private email addresses. A couple of months ago I started getting spam at these addresses, probably because I used these addresses at e-commerce sites who decided to make a quick buck by selling me out.
I don’t know about you, but I really HATE spam. It drives me nuts, and it drives me even more nuts to hear the complaints from my clients. I run a web and mail hosting environment for several domains and many of my customers have asked me to do something about spam. We decided to take the bull by the horns and do something about it. Blocking spam from users’ email boxes became our holy mission!
What product should we use? After some research, I decided to check out an evaluation version of GFI software’s MailSecurity. This product allows you to control inbound and outbound mail messages by checking message content and attachments. It also whacks viruses. This is exactly what I was looking for!
GFI MailSecurity Versions
There are two versions of GFI MailSecurity. One of them plugs into your Exchange 2000 Server and inspects the contents of the message store. The other version is for SMTP mail gateways and inspects mail as it moves through the gateway. The main advantage of the Exchange Server version is that it can inspect mail sent between internal users. The main advantage of the SMTP relay version is that it has more information about each email and can decide better what mail is considered inbound and outbound (GFI MailSecurity can be configured to inspect only inbound, only outbound, or both inbound and outbound email).
Since I typically install an SMTP relay on all networks that have an Exchange 2000 server, the SMTP gateway version seemed like the best choice. Note that you can use both versions. You can install the SMTP gateway version on your SMTP relay, and you can install the Exchange Server 2000 version on your Exchange Server. You don’t have to buy any more licenses! You do need to pay extra for maintenance and automatic anti-virus updates.
Installing GFI MailSecurity for SMTP Gateways
Installing GFI MailSecurity for SMTP Gateways is straightforward. Download the installation file from http://www.gfi.com/mailsecurity/ and run the mailsecurity.exe installation file. The installation Wizard Welcome page pops up. Click Next to continue.
The License Agreement page appears. Select the I accept the license agreement option and click Next. On the User Information page put in your name, company name and serial number (if you have one, otherwise use Evaluation as your key). Click Next.
On the Administrator Email page, enter the GFI MailSecurity administrator email address. Notifications can be sent to the administrator you put in here. You can add more administrators or change the one you enter here later. Click Next.
On the Destination Folder page select the location of the program files and click Next. This brings you to the Mail Server page seen below. If your SMTP relay is on a DMZ segment, put in the IP address used by your SMTP Server Publishing Rule. If the SMTP relay is on your internal network, put in the IP address of your Exchange Server. The default port TCP 25 will work in the majority of cases. However, if you want GFI MailSecurity to send to a different port, type in the alternate port here. The setup program will create a Remote Domain in the IIS SMTP service for the domain you enter in the Local domain text box. Click Next to continue.
You configure the type of mail server you’re running on the next Mail Server page seen below. In this case we’re installing on a SMTP relay, so the second option is the correct option. Click Next to continue and click Next one more time to start installing the application. Click Finish when you get notification that the application has been installed successfully.
Open the Internet Information Services console after GFI MailSecurity is installed. Expand the Default SMTP Virtual Server node and click on the Domains node. You’ll see a new Remote Domain was created and configured to use your internal mail server as a Smart Host. If you configure GFI MailSecurity on a DMZ SMTP relay, you’ll see the IP address used in your SMTP Server Publishing Rule as the Smart Host. If you host multiple mail domains, create a Remote Domain for each domain you host and have them use your mail server as a Smart Host. Also, make sure that you server does not act as an open relay by configuring the relay options on the SMTP server.
Now that GFI MailSecurity is installed, and the SMTP Service on the relay is configured with a Remote Domain for your email domain, we’re ready to look at how to configure GFI MailSecurity to protect your network.
Configuring GFI MailSecurity
Click Start, click Programs and then click GFI MailSecurity. Click on MailSecurity Configuration to get started. Here you can see all the features in an MMC console.
Click on the Content Checking node in the left pane and then double click on the Default Content Checking Rule. This is where you create your email content checking rules. I found the content checking rules work like a champ! You can create rules that look for a particular keyword, or you can create rules based on keywords with conditions. Some examples of keyword and conditional rules are seen in the graphic below.
Notice that you have the option to check inbound and outbound mails. You can also block PGP encrypted mail. This will prevent mail encrypted with PGP from bypassing your content checking rules. You can also check the attachment content. This prevents attachments with forbidden content from reaching users’ mailboxes.
You can monitor incoming mail in real time and see what mail was allowed and which ones where caught by the content checking rules. The GFI Monitor (as seen in the figure below) shows you mail as its being processed.
The Moderator Client allows you to see the actual messages caught by the content checking rules. When you double-click on the snagged message, you’ll see the reason why the message was caught, some details on the message and files associated with the message. You can right click on the content file and open the message. Plain text messages are saved as text files and HTML messages are saved as HTML files. The HTML files are safe to open because dangerous scripts and viruses are removed.
Click on the Attachment Checking node in the left pane and then double click on the Default Attachment Checking Rule in the right pane. This option allows you to block attachments for either inbound or outbound mail (or both). There’s a built-in list of attachments that can be blocked, and you can easily add your own custom attachments.
Now for the best feature of GFI MailSecurity – the virus scanning engines. That’s right! GFI MailSecurity allows you to scan mail for viruses using multiple scanning engines. If one of them doesn’t catch a virus, then it’ll try again with another scan engine. Not even your scummiest virus sender can’t get through this wall! Well, I suppose if there is a new virus, and it hits your servers before the automatic updates take place, it might get you. However, the other features, such as attachment blocking, should be able to save your bacon in that event.
Notice that you have the option to scan either inbound mail, outbound mail, or both. You also can block Word documents that have macros. Word macro viruses can be a big problem, so blocking them can be helpful. In the second graphic below you see the options for automatically downloading and installing virus definition updates. The system downloads the automatically and I’ve never had a problem getting them to download from behind the ISA Server.
Click on the E-mail Exploit Engine node in the left pane of the console. In the right pane you’ll see an impressive list of email exploits GFI MailSecurity checks for. The email exploit engine is disabled by default, so you have to right click the node in the left pane of the console and click Enable. I don’t see any reason not to run the email exploit engine, so I recommend that you always enable it and allow MailSecurity check for all of the included exploits. If for some reason you need to disable checking for a particular exploit, you can right click it and click Disable.
Some emails are so obviously spam you don’t need to ever look at them. This blatant and wonton spam should can be deleted without you ever being bothered with it. This kind of salacious and fraudulent spam never needs review and can be summarily whacked. The Anti-spam feature allows you to enter obvious key words that are never included in legitimate emails (unless you happen to be a certain well-known Cisco guru). Like the content checking feature mentioned earlier, you can have GFI MailSecurity check the mail body or subject line for these particular inappropriate or offensive keywords.
For both the content checking and the anti-spam rules, you can choose what action to take on the email. For the content checking option, you can quarantine the mail, delete the mail, or move the mail to a particular folder for evidence collection. You also have the option to notify users that they sent or received a forbidden mail. You can also inform the user’s manager. The manger is defined in the user account properties in the Active Directory.
I found the performance of GFI MailSecurity to be acceptable. If you have a large number of rules and enable all the virus engines and exploit checking, it can take a few seconds to evaluate a single email. If you have a busy mail server, you’ll want to make sure to load it up with RAM and a fast processor. However, if you don’t require instantaneous delivery of email from the relay to the main mail server, you’re in good shape. The engine doesn’t choke or die when its busy, it just slows down. But all the mail gets checked and cleaned before making its way to your server.
I’m still using GFI MailSecurity for SMTP Gateways and find it a solid SMTP mail filtering solution. My customers are happy, and since they’re happen, I’m happy! In viruses had made their way into or out of our network operations center. My customers are also very happy not to be receiving annoying and offensive spam any longer.
If there’s one drawback to GFI MailSecurity, it’s that you can’t filter mail by source address or mail domain. I typically solve this problem by combining GFI MailSecurity with the SMTP Message Screener included with ISA Server. The two mail filtering systems compliment each other well, and I feel like I’m getting my money’s worth out of ISA Server because I can still take advantage of the Message Screener component!