Until recently, image spam plagued anti-spam filters. Image spam fooled filters because the message's text is embedded in an image found in the body of the email and filters couldn't decipher images. As anti-spam technologies evolved to address image spam over the past year, the proportion of image spam dropped from approximately 52% of all spam in January to less than 18% at present. However, just as the prevalence of image spam began to decline, spammers developed a new email tactic: PDF spam.
PDF spam attempts to evade anti-spam filters by disguising itself in a common format: attachments of the familiar Portable Document Format (PDF) files. Spammers send email messages with an attached PDF file that encourages recipients to purchase stocks. At present, the most common type of PDF spam is pump-and-dump stock spam. The spam message contains one or more PDF files, has a randomly generated subject line and sender name, and a blank message body.
Although PDF spam is less intrusive than image spam, PDF spam could potentially affect the availability of the corporate messaging system causing huge bottlenecks on an organization's email server, reducing the quality and amount of bandwidth available. PDF spam, however, could potentially prove significantly more malicious. According to email security experts, proof-of-concept code exists that demonstrates security vulnerabilities in PDF files. In other words, it is possible that a PDF spam message could carry malware that is secretly downloaded on the recipient's PC and transforms the user's station into a zombie machine.
When PDF spam first emerged, single point solutions simply blocked every email with a PDF attachment, regardless of whether it contained spam or not because they had no other method of addressing the problem of PDF spam. However, since many organizations transfer documents using the PDF format, simply blocking every email with a PDF attachment is not a viable solution. To effectively combat PDF spam then, an anti-spam solution must be proactive instead of reactive, and capable of detecting spam in any format.
By layering a number of autonomous filtering engines, M+Guardian offers a higher level of resistance against PDF spam and solid protection for the corporate messaging system. Our Advanced Pattern Detection technology proactively protects against spam attacks in real time and is highly effective against any mailing that is mass-distributed over the Internet: malware, fraud, and spam in any language or format, including images, HTML, and non-English characters. Instead of evaluating the individual content in mail messages, our Advanced Pattern Detection technology analyzes large volumes of Internet traffic in real-time, recognizing and protecting against new spam outbreaks the moment they emerge. The result is instant protection from new outbreaks-far ahead of signatures or software updates.
The M+Guardian Email Security Appliance continues to build on Messaging Architects' innovative Guardian technology, which is designed to simplify email management, eliminate spam, and help businesses stop data loss. The advanced email firewall complies with industry regulations through a centrally-managed, eDirectory-enabled policy engine to deliver uninterrupted availability of your collaboration system. Built on a modular extensible platform, M+Guardian is compatible with any mail server and integrates cutting-edge multi-layered anti-spam technology with state-of-the-art virus protection, adaptive reputation filters, granular security policies, and outbound scanning to meet regulatory compliance and protection of intellectual property, all ensuring your collaboration system is able to meet the demands of your business.
In addition to our Advanced Pattern Detection technology, the inclusion of the Spamhaus Block List (SBL) provides an extra layer of protection and improves catch rates as malicious email gets caught at the perimeter of the system. The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free option in M+Guardian to help system administrators better manage incoming email streams. The SBL is queriable in real time by mail systems throughout the Internet, allowing email administrators to identify, tag, quarantine, or block incoming connections from IP addresses. This feature greatly improves processing power, server performance and frees up precious bandwidth.
To enable the SBL in M+Guardian, choose Connection Manager > RBL Module and select Use Spamhaus.
Figure 1 - Enabling the SBL (Spamhaus Block List)
Similar to the SBL feature, the RBL feature in M+Guardian allows you to perform lookups on the Realtime Blackhole List (RBL) to verify if the sender of an email message is blacklisted. An RBL is a list of IP addresses of Spam sources. M+Guardian verifies incoming mail against these RBLs. If a sender is listed on an RBL that M+Guardian uses to perform lookups, then the sender will be prevented from sending email to your server.
To enable RBL Lookups, choose Connection Manager > RBL Module and enter the IP address or host name of the RBL list server in the RBL Zone field.
M+Guardian also blocks a significant amount of threatening email at the perimeter of the system through greylisting. As a technique, Greylisting defends organizations against spam by rejecting email with a temporary failure code. Legitimate email servers will simply queue the message to deliver later contrary to most spam scripts, which will not attempt to resend a rejected message.
To enable Greylisting in M+Guardian, choose Connection Manager > M+Verification Module. Select Enable Greylisting, and specify how long you want to delay the mail message before the originating server may try again.
Figure 2 - Enabling Greylisting
M+Guardian's dynamic local IP reputation feature lets you refine the filtering rules to block incoming connections from malicious IP addresses in real time to eliminate traffic spikes caused by target attacks and to block or slow malicious connections from botnets. The M+ Limits Module allows you to limit the number of simultaneous SMTP connections made on your server by a single IP address system-wide or per IP address.
The M+Guardian Extreme Email Firewall appliance comes preconfigured with default connection limits that should be suitable for most organizations. You can make changes to these default connection settings at any time by choosing Connection Manager > M+ Limits Module.
Figure 3 - Connection Manager Limits
PDF spam is additional proof that spammers will continue to develop new and innovative ways to push spam campaigns forward. M+Guardian's Advanced Pattern Detection technology, in addition to its powerful connection management features, provides complete network perimeter protection to allow organizations to proactively respond to evolving email threats.
Request a Free Trial
Download the M+Guardian Datasheet
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.