Dr.Web Mail Gateway


Dr.Web Mail Gateway is a comprehensive modular solution that processes and filters incoming and outgoing traffic of servers under Unix-like systems (Linux/FreeBSD/Solaris (x86)).
Dr.Web Mail Gateway can be installed in a demilitarized zone (DMZ) or integrated with an existing mail system. Placing a protected server in the demilitarized zone and a mail server not connected to the Internet directly prevents a hacker from accessing sensitive information even if he manages to compromise a server.
The product provides a full scan of SMTP/LMTP traffic. Using corresponding plugins Dr.Web Mail Gateway can check messages for viruses, filter out spam and other unsolicited e-mails.
Licence options: anti-virus, anti-virus+anti-spam.
With corresponding plugins loaded Dr.Web Mail Gateway can perform the following tasks:
- scan messages for viruses and filter out unwanted e-mails. All components of a message are scanned regardless of their nesting level. A processed e-mail can be allowed, blocked or modified. Dr.Web Mail Gateway features a unique anti-spam filter that doesn't require configuration or training but starts working as soon as the first message arrives. Since no connection to an external database or server is required for operation of the filter, the solution's traffic remains low. The filtering system features such technologies as heuristic analysis, anti-scamming analysis, technical spam filtering and bounce analysis;
- archive all incoming messages;
- modify processed messages in accordance with established policies;
- use black and white filtering lists;
- parse e-mails to break them into components for further analysis;
- process correctly most known types of archives including self-extracting (SFX) archives;
- send scan reports to recipient addresses as well as to other specified addresses. Reports are generated using templates that make the provided information easy to read;
- keep statistics regarding operation of the system;
- protect its own modules from failures;
- cure or remove any malware including rootkits, worms, file viruses, Trojans, stealth viruses, polymorphic viruses, bodiless viruses, macro-viruses, viruses infecting MS Office documents, script-viruses, spyware, password stealers, key loggers, paid dialers, adware, riskware, hack tools, backdoors, jokers, spam, bounces, phishing- and pharming-messages.
Wide range of supported OS
Dr.Web Mail Gateway is compatible with Linux (glibc 2.2 or later), FreeBSD 4.x or later, and Solaris 10 (Intel only). The architecture of Dr.Web Mail Gateway provides compatibility of the solution with all known mail systems. Dr.Web Mail Gateway processes incoming mail prior to its receipt by a mail server and therefore has a wider set of features compared with Dr.Web for Unix mail servers.
Unlimited number of loaded plugins
New features can be added into Dr.Web Mail Gateway without any restrictions. Dr.Web Mail Gateway is based on the open system of loadable plugins. Any user with a sufficient skill can implement a desired feature as a new plugin using the SDK supplied with the software.
Flexible configuration and easy administration
The flexible configuration system of Dr.Web Mail Gateway enables an administrator to specify virtually any required set of rules. Dr.Web Enterprise Suite 5.0 allows administering Dr.Web Mail Gateway using its administration console providing new opportunities for control and monitoring of complex anti-virus protection. With several control interfaces systems administrators can install, configure and maintain the solution with minimum effort.
Mail processing rules of any complexity can be created for each message, so that incoming and outgoing mail is processed in accordance with established corporate standards and complies with correspondence rules.
Collection of statistics and generation of reports for a desired period of time using available templates provide an administrator with easy-to-read information whenever he needs it.
An administrator can access the quarantine using a web-interface or a special utility to restore messages that have been accidentally deleted by users. With administration messages a user can control the quarantine without interrupting his current work.
Guaranteed message delivery
Guaranteed delivery of all messages makes configuring a mail server easier. Even if a user is unavailable for a long period of time and can’t receive a message, the e-mail will be stored in a special directory.
Compliance with international laws and regulations
Compliance certificates from the Russian Federal Service for Technical and Export Control and Federal Security Service allow using the solution in systems with higher security requirements including anti-virus subsystems of personal information storage systems level K1.
With archiving of all e-mail messages the solution can be employed in the information system of a bank.
Scalability
The product with its flexible configuration, stable operation and capabilities to process huge amounts of data meets demands of small companies utilizing one mail server as well as requirements of multi-national telecom providers that need to scan unlimited e-mail traffic.
Dynamic load balancing optimizes performance of a server without resorting to additional manual tests. The configuration testing and service control interface enables on the fly configuration of operation of services simplifying the system’s maintenance and reducing deployment time.
Filtering server and quarantine settings can now be stored in an object of any type ranging from ordinary files to an Oracle database object. Services supporting LDAP integrated with the directory service are used to store settings and make administration of the solution easier.
High performance and stability
Dr.Web Mail Gateway features multi-thread scan allowing it to process large volumes of e-mail simultaneously. Modularity of the solution makes it impossible for an intruder to disrupt operation of the anti-virus, while its low system requirements allow Dr.Web Mail Gateway to run on any server hardware.
Unique technologies
With the unique spam filtering technologies there is no need for blacklists. No company will be discredited by deliberately adding it to such a list. Dr.Web Mail Gateway can change its behaviour if it detects blocking objects.
Dr.Web smtp-proxy is a component of Dr.Web Mail Gateway
Present-day corporate e-mail filtering solutions integrated with e-mail systems have limited options to counteract spammers’ attacks. Dr.Web smtp-proxy installed on a separate server increases stability of the e-mail filtering system and considerably improves general security of the corporate network.
Dr.Web Mail Gateway can be installed in a demilitarized zone (DMZ) or integrated with an existing mail system. A protected server placed in the demilitarized zone with a mail server not connected to the Internet directly prevents a hacker from accessing sensitive information even if he manages to compromise a server. Placing the smtp-proxy outside the company’s network won’t allow a third party to receive information about applications installed on the server, which also contributes to better overall security.
Active counteraction to spam attacks
Apart from an e-mail message itself, parameters of an SMTP-session can also help identify a spam message. Typical features of a spam e-mail (or a spam attack) are lots of recipients, a large number of messages sent from one IP-address or a forged sender address.
With Dr.Web smtp-proxy a system administrator can restrict the following parameters of an SMTP-session:
- maximum number of recipients;
- maximum number of SMTP-connections per one IP-address;
- maximum number of messages per session;
- maximum number of the Received headers in a message;
- maximum number of errors per session;
- maximum message size.
IP validation
A fake IP-address is one of the properties of a spam message. Spammers have to hide their servers (or spam-bots – compromised user workstations) to avoid blacklisting.
Dr.Web smtp-proxy can validate an IP address and provide:
- sender authentication;
- sender host lookup in the ProtectedDomains list using PTR and A requests;
- connection IP-address lookup in IP and domain black and white lists;
- checking if sender or recipient hosts and IP addresses have corresponding DNS A and MX entries;
- comparison of the host IP-address with the host the connection was made from;
- search for an address in RBL/DNSBL lists.
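The PTR/A comparison and the DNSBL lookup listed above follow well-known conventions, shown here as an added example that is not Dr.Web code and does not describe how smtp-proxy implements them. The DNS data, the `dnsbl.example` zone and all function names are constructed assumptions so that the block runs offline.

```python
import ipaddress

# Constructed DNS data standing in for real PTR and A lookups (assumption).
PTR_RECORDS = {
    "192.0.2.10": "mail.example.org",
    "198.51.100.7": "mail.example.org",  # claims a name it does not own
}
A_RECORDS = {
    "mail.example.org": {"192.0.2.10"},
    "7.100.51.198.dnsbl.example": {"127.0.0.2"},  # constructed DNSBL listing
}


def lookup_ptr(ip):
    """Return the PTR name for an address, or None if there is none."""
    return PTR_RECORDS.get(ip)


def lookup_a(name):
    """Return the set of addresses a name resolves to (empty if none)."""
    return A_RECORDS.get(name.rstrip(".").lower(), set())


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def validate_connection(ip, helo, zone="dnsbl.example"):
    """Return a list of findings for one connection; empty means all checks passed."""
    findings = []
    ptr = lookup_ptr(ip)
    if ptr is None:
        findings.append("no PTR record")
    elif ip not in lookup_a(ptr):
        # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
        findings.append("PTR name does not resolve back to the connecting address")
    if ip not in lookup_a(helo):
        findings.append("HELO name does not resolve to the connecting address")
    if lookup_a(dnsbl_name(ip, zone)):
        findings.append("listed in DNSBL zone")
    return findings


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, validate_connection(ip, "mail.example.org"))
```
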
Protection from spam and hack attacks
Dr.Web smtp-proxy provides defence against typical attacks on a mail server including passive PLAIN and LOGIN attacks and active dictionary attacks.
Protection against spam traps
To identify spammer e-mail addresses, spam traps are set up on the Internet. Dr.Web smtp-proxy can check whether a recipient address is a spam trap and helps avoid such a trap.
Protection from malformed messages
It is well known that some mail clients do not form mail messages in a proper way. Spam programs have the same flaw. Dr.Web smtp-proxy can block messages with the empty sender field but correctly processes messages that violate standards due to malforming by certain mail clients.
Internet traffic cost saving
Dr.Web smtp-proxy allows saving substantially on Internet traffic, which is especially useful for businesses where employees often carelessly send e-mail messages with large attachments disrupting normal operation of Internet servers as well as for businesses regularly attacked by spammers. Besides, Dr.Web Mail Gateway can start analyzing whether a message is spam by its header only; this helps save on traffic as well.
Restricted relay
If a company needs to use an open mail relay server, Dr.Web smtp-proxy will help an administrator to restrict the list of domains the server will relay messages to, so the relay server won’t be exploited by spammers.
IMPORTANT! If you are updating installed Dr.Web Mail Gateway, the existing configuration file won't be replaced with a new one. Instead a new file with the .new extension will be created. All configuration parameters in the file are set to default. If the system is started using the old configuration file, all parameters not present in the new configuration file will be ignored.
Dr.Web Mail Gateway is designed as a group of simultaneously operating program modules. The range of tasks performed by the solution is determined by loaded plug-ins (libraries, responsible for processing of e-mails).
E-mail messages are processed by modules of the e-mail daemon as follows: incoming messages are received by the Receiver module and forwarded to the Checker module (drweb-maild). The Checker module uses plug-ins one by one to analyze the messages.
Messages successfully checked by the plug-ins are sent to the e-mail system by the Sender module. During the operation of the e-mail daemon different reports on results of a message check can be generated by the Notifier module (drweb-notifier). Reports can be mailed to senders or recipients of a corresponding message as well as to a system administrator. Processing of e-mails by the e-mail daemon can be flexibly regulated by rules.
In accordance with effective security policies messages that are filtered out can be placed in the quarantine. If necessary an administrator can perform all actions (search, removal of messages from the quarantine, archiving) using the web-interface, a special utility or administration messages. Quarantine management with administration messages is also available to users.
Rules set in the mail daemon configuration file allow adjusting operational parameters of the mail daemon depending on the contents of processed messages. The current version of the mail daemon allows creating rules for sender and recipient addresses and for particular types of malicious objects found in a message.
Dr.Web Mail Gateway can archive all incoming and outgoing messages allowing restoring accidentally deleted e-mails and determining how an infection spread over a network.
Spam filtering technologies
The anti-spam technologies consist of several thousands of rules which can be divided into several groups.
Heuristic analysis
A highly intelligent technology that empirically analyzes all parts of a message: header, message body, etc. Not only the message itself, but its attachment is analyzed. The heuristic analyzer is being constantly improved; new rules are frequently added.
Counter-reaction
The counter-reaction technique is one of the most advanced and efficient technologies of Dr.Web anti-spam. It helps counteract techniques and tricks used by spammers to avoid detection.
HTML-patterns
Messages containing HTML code are compared with a list of known patterns from the anti-spam library. Such comparison, in combination with data on sizes of images typically used by spammers, helps protect users against spam messages featuring HTML-code, which often contains online images.
Semantic analysis
During a semantic analysis words and phrases of a message are compared with words and phrases typical of spam. A special dictionary is used for the analysis. All words, phrases and symbols are analyzed – both those visible to the human eye and those masqueraded by the technical tricks of spammers.
Anti-scamming technology
Scam (as well as pharming messages – a type of scam-messages) is the most dangerous type of spam, including the so-called “Nigerian” scams, loan scams, lottery and casino scams and false messages from banks and credit organizations. A special module of Dr.Web anti-spam is used to filter scams.
Technical spam filtering
So-called bounces are delivery-failure messages sent by a mail server. An actual recipient of a bounce is not necessarily a sender of an undelivered message; such a message could be sent by a mail worm. Therefore bounces are as unwanted as spam. A special module of Dr.Web anti-spam filters such messages as unwanted.
Components
- Receiver
The Receiver component is responsible for the receipt of e-mails, either directly from e-mail systems, or on SMTP/LMTP protocols, and their subsequent transfer to the drweb-maild component.
Depending on the e-mail systems and protocols used, the functions of the Receiver component are performed by different modules (drweb-receiver, drweb-milter, drweb-cgp-receiver, etc.), and simultaneous operation of several modules of the Receiver component is supported, which allows e-mail from several sources to be received and processed simultaneously.
Certain modules of the Receiver component support modification/sending of received messages based on the check results received from the drweb-maild component. For example, the drweb-milter module has the functionality, which allows it to return the results of check of messages to the SendMail system before an SMTP session ends.
- drweb-maild
This is the main component for processing e-mails. The drweb-maild component performs the mime-parsing of messages, transfers the messages for processing to plug-ins and stores messages in the database.
The processing of e-mails is made by plug-ins to the drweb-maild module. Plug-ins can be launched and unloaded at any time, without terminating the drweb-maild module. The messages are processed by plug-ins according to the processing order specified by the administrator. The plug-ins are assigned to two queues – BeforeQueueFilters and AfterQueueFilters.
Immediately after the message is received, it is processed by the plug-in from the BeforeQueueFilters queue. Then, if the AfterQueueFilters queue is empty, the processing results of the message are sent to the Receiver component. If the AfterQueueFilters queue has some other plug-ins, the message, after it is processed by the plug-in from the BeforeQueueFilters queue is forwarded to the database and then is sent to the internal queue of the drweb-maild module and the return code of the successful check is sent to the Receiver component. Then the message is checked by the plug-ins from the AfterQueueFilters queue.
The check results are either sent to the Receiver component (if such possibility exists, for example, if the check result time-out has not expired yet), or to the Sender component. All the messages generated by plug-ins are also sent via the Sender component. Certain plug-ins require support of the database in order to function. Such plug-ins cannot be assigned to the BeforeQueueFilters queue.
- drweb-notifier
The module generates reports on the operation of the complex. Additionally, installed plug-ins can add their own types of notifications. Requests for generation of reports can be sent both by plug-ins (for example, when a virus is found) and by other components of the system. For example, the drweb-maild module can send requests to generate a statistics report of all plugged in components and the Sender component can send a request to generate a DSN report when a message cannot be delivered.
- Sender
This component sends messages either directly to different e-mail systems, or on SMTP/LMTP protocols. Depending on the e-mail systems and protocols used, the functions of the Sender component are performed by different modules (drweb-sender, drweb-cgp-sender, etc.). The Sender component can receive requests to send messages from drweb-maild, drweb-notifier and drweb-monitor components.
- drweb-agent
The drweb-agent module provides the option to process e-mails both autonomously and being integrated with Dr.Web Enterprise Suite. All components of the system, except for drweb-monitor, receive their configuration files via the drweb-agent module, that is why it should be launched before other components. The drweb-agent module checks the license and collects statistics on the operation of the components of the system: names of detected blocked objects, the volume of the traffic checked, etc.
- drweb-monitor
An auxiliary component which launches and terminates the modules of the system in the specified order and controls their operation. If some module of the system fails to operate, drweb-monitor re-launches it and, if it is specified in settings, notifies the administrator about this.
Plug-ins
At present the following plug-ins are available.
- DrWeb
This plug-in checks e-mails for viruses by the Dr.Web engine. The scanning is made by the drWebd module. The messages are sent to drWebd being already parsed, that is why support of mime-parsing in the engine or in drWebd is not necessary. The plug-in is highly productive and its detection rate is very high.
Stable operation
Due to modular structure of Dr.Web for Unix mail servers and a special module responsible for the system efficiency it is almost impossible to disable the plug-in.
High response speed
Due to multi-threaded scanning technology the system’s response speed is very high. The files are scanned “on-the-fly” not waiting until earlier received messages are processed. This means end users receive e-mails almost in a moment!
High protection level
A huge virus database and a constantly improving heuristic analyzer leave no chance for viruses, including macro viruses, Trojan horses and other malware, to penetrate users’ computers via e-mail. The plug-in detects malicious programs written for all platforms (Windows, Unix, DOS), including objects which can infect Microsoft Office files. Administrators can choose the types of files to be scanned, as well as the reaction to detected threats: reporting, curing of infected objects, moving of suspicious objects to quarantine, renaming.
Correct check of archives and packed files
The DrWeb plug-in correctly checks the majority of existing formats of packed files and archives with any nesting level, including multi-volume and self-extracting, which is extremely important for e-mail systems. Dr.Web can process more than 1000 types of archives and packers.
Quarantine
Infected and suspicious files detected by the plug-in can be moved to the quarantine. Later they can be additionally scanned, cured or deleted.
Ease of administration
The flexibility of configuration files allows the plug-in's parameters to be customized.
Any action made by the plug-in is reflected in the log-files, which later can be analyzed. Handy alerting system allows administrators to quickly react to emerging threats.
Open source solution
Due to open structure of the product users can themselves develop additional modules using the DrWeb plug-in with the help of the open SDK and detailed documentation.
- headersfilter
This plug-in filters messages by headers. It filters not only the message itself, but the attachments as well, if any. An administrator can add rules for filtering of e-mails. Regular expressions can be used when filtering rules are specified.
Flexible plug-in settings allow any number of rules to be implemented. The plug-in is almost invisible to the system and never overloads it, functioning almost instantaneously.
Easy to use
Regular expressions allow the system to be adjusted both to skip e-mails and to filter them. As the number of rules is unlimited, the system can be easily customized.
Open source solution
Due to open structure of the product users can themselves develop additional modules using the headersfilter plug-in with the help of the open SDK and detailed documentation.
Stable operation
Due to modular structure of the product and a special module responsible for the system efficiency it is almost impossible to disable the headersfilter plug-in.
- Modifier
The Modifier modifies processed e-mails using established rules, so that incoming and outgoing messages are processed in accordance with corporate standards. Rule-based modification and archiving can be used to prevent information leaks. Analysis of filtered messages can be performed via a quarantine management utility.
Easy usage
Flexible configuration allows performing an unlimited number of modifications with processed messages, so a system administrator can create an unlimited number of rules to ensure compliance with e-mail security policies. The Modifier can be set to process messages before other modules as well as to be the last module in the filtering line to perform an additional check using work data from other modules.
Easy administration
Flexible rules that can be created using regular expressions allow setting e-mail processing in accordance with an effective corporate security policy. A prompt notification system allows a system administrator to perform necessary actions in a timely manner.
Open solution
With open architecture of MailD any user with a sufficient skill can implement a desired feature as a new plugin using the SDK and corresponding documentation supplied with the software.
Stable operation
The modular architecture and a special failure control module ensure exceptional stability of the plugin. It is practically impossible to disable the plugin for a long period of time.
Rapid response
Minimal consumption of system resources combined with high performance provide a rapid response of the software allowing instant processing of messages and undelayed receipt of messages by users.
- Vaderetro
Vaderetro is the spam filtering plug-in that uses a library of its own (Vade Retro).
Depending on the analysis, each message receives a score from the VadeRetro library – an integer ranging from -10000 to +10000. The lower the score, the more likely the message is to be "legitimate", i.e. not spam. The threshold is set by the SpamThreshold parameter in the plug-in's configuration file (if the score is equal to or greater than the value of the SpamThreshold parameter, the message is considered to be spam).
Depending on its configuration the plugin may add one of the following headers to a message after analysis:
- X-Drweb-SpamScore: n. n – the score given by the VadeRetro library.
- X-Drweb-SpamState: b. b – yes for spam and messages with viruses and no for non-spam messages and bounces.
- X-Drweb-SpamState-Num: s. s – classification results of the VadeRetro analysis. s can take the following values: 0, 1, 2 and 3. 0 – a message is not spam, 1 – a message is spam, 2 – a message contains a virus, 3 – a message is a bounce. This header is added if the value for the ddXDrwebSpamStateNumHeader parameter of the vaderetro plug-in configuration file is set to yes.
- X-Drweb-SpamVersion: version. version – the version of the VadeRetro library. This header is added if the value for the AddVersionHeader parameter of the vaderetro plug-in configuration file is set to yes.
Additionally, at the beginning of the "Subject:" field of messages classified as spam, or those containing a virus, the vaderetro plug-in can add the following:
- X-IS-SPAM, value YES/NO
- X-SPAM-SCORE, a number of points given to the message by VadeRetro
- X-SPAM-AGENT, the version of the VadeRetro library
- X-SPAM-DETAILS, a detailed description of spam returned by the VadeRetro library
- X-SPAM-STATE, current status of a message.
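A downstream mail filter or log pipeline that reads the X-Drweb-* headers can cross-check them against each other before acting on them; the following is an added example, not part of the product or its SDK. The function names, the sample messages, and the choice to treat duplicated headers as untrusted are assumptions, and `spam_threshold` is assumed to mirror the plug-in's SpamThreshold value.

```python
from email import message_from_string

# Meanings of X-Drweb-SpamState-Num as listed on this page.
STATE_NUM = {0: "not spam", 1: "spam", 2: "virus", 3: "bounce"}
# X-Drweb-SpamState: yes for spam and viruses, no for non-spam and bounces.
EXPECTED_STATE = {0: "no", 1: "yes", 2: "yes", 3: "no"}
HEADERS = ("X-Drweb-SpamScore", "X-Drweb-SpamState", "X-Drweb-SpamState-Num")


def read_verdict(raw_message, spam_threshold):
    """Return (verdict, problems) for one message as text."""
    msg = message_from_string(raw_message)
    problems, values = [], {}
    for name in HEADERS:
        found = msg.get_all(name) or []
        if len(found) > 1:
            # Assumption: more than one copy means one may be sender-supplied.
            problems.append(f"{name} appears {len(found)} times")
        elif found:
            values[name] = found[0].strip().lower()

    score = num = None
    if "X-Drweb-SpamScore" in values:
        try:
            score = int(values["X-Drweb-SpamScore"])
        except ValueError:
            problems.append("score is not an integer")
        else:
            if not -10000 <= score <= 10000:
                problems.append("score outside -10000..+10000")
    if "X-Drweb-SpamState-Num" in values:
        raw = values["X-Drweb-SpamState-Num"]
        num = int(raw) if raw.isdigit() else None
        if num not in STATE_NUM:
            problems.append("unknown SpamState-Num value")
            num = None
    state = values.get("X-Drweb-SpamState")
    if state is not None and state not in ("yes", "no"):
        problems.append("SpamState is neither yes nor no")
        state = None

    # Cross-checks between the headers, following the rules stated above.
    if num is not None and state is not None and state != EXPECTED_STATE[num]:
        problems.append("SpamState contradicts SpamState-Num")
    if score is not None and num in (0, 1) and (score >= spam_threshold) != (num == 1):
        problems.append("score contradicts SpamState-Num for this threshold")

    if problems:
        return "untrusted", problems
    if num is not None:
        return STATE_NUM[num], problems
    if state is not None:
        return ("spam or virus" if state == "yes" else "not spam or bounce"), problems
    if score is not None:
        return ("spam" if score >= spam_threshold else "not spam"), problems
    return "unscanned", problems


def sample(*drweb_headers):
    """Build a constructed test message carrying the given header lines."""
    lines = ["From: sender@example.org", "Subject: constructed sample",
             *drweb_headers, "", "body"]
    return "\n".join(lines)


if __name__ == "__main__":
    forged = sample("X-Drweb-SpamState: no", "X-Drweb-SpamScore: 450",
                    "X-Drweb-SpamState: yes")
    print(read_verdict(forged, 100))
```
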
Licensing
The product is licensed per number of protected addresses and servers.
License options: Anti-virus&Anti-spam, Anti-virus, Anti-spam*.
*Only within the CIS
Types of the license
- Any other number of addresses over 5.
- Per server license – scan unlimited mail traffic of one server with the number of protected addresses limited by 3000.
Licensing of SDK
SDK is distributed free of charge. Plug-ins developed on its base by third-party developers are free of charge for non-commercial distribution. For commercial distribution such plug-ins should be certified and it is subject to a charge.
Licensed components
- Dr.Web Daemon – anti-virus daemon that processes scan and curing requests.
- Dr.Web Smtp-proxy module.
- The basic part of the program, monitoring and external interaction utilities.
- Automatic updating utility.
- Console scanner Dr.Web for Unix.
- SDK for development of extra plugins.