The Anti-virus Times

Friday, February 17, 2017

In our publication "Who issues the spam verdict", we touched on the fact that email filtering on PCs isn’t perfect, but it is reasonably effective (we estimate that Dr.Web filters out 98% of unwanted emails). Regardless of the filtering technologies it employs, an anti-spam relies on the spam-related information it receives from virus analysts in order to do its job. Together with other updates, the information is delivered to user machines that have the Dr.Web anti-spam installed on them.

Can anti-spam filtering be 100% effective?

Sometimes employees who come to work early and open the morning email get their systems infected. When others eventually arrive and read messages, nothing bad happens. That’s because by that time their anti-viruses have already received the latest update and can detect new threats. The same is true of the anti-spam: spam gets into mailboxes because the corresponding update hasn't yet arrived.

The only way to get rid of a message that was received before an anti-virus update and didn’t get marked as spam is to delete it manually. An anti-virus cannot easily make changes ex post facto to emails that are sitting in customer inboxes, and anti-viruses that protect desktops don’t rescan previously received emails (something that could make opened messages disappear from the screen).

Is there a solution? Sometimes. Let's see how an anti-spam works on mail servers—this is where messages are processed before they get into mailboxes. Of course, that’s provided your system administrator or ISP has an anti-spam installed on their servers.

The first thing you should know is that an anti-spam on a server always works as a plugin that connects to the server. It requires an operational mail server. And this is both good and bad. On the plus side, the product for servers is not so complex—for example, it doesn't need to solve problems that involve sending and receiving emails that don't comply with established standards—this task is performed by the mail server. On the other hand, a plugin is limited by the server's functionality. Sounds logical, right? And many server features are changed regularly without notice.

Let's use a simpler example. Surely, many of you have installed browser plugins and found yourselves in a situation where a new browser version turned out to be incompatible with the plugins. On my PC this happens once a week with the Sharebutton plugin for Pinterest (by the way, here's a Dr.Web page on Pinterest).

The situation with mail servers is exactly the same. Regardless of which mail server is in use—MS Exchange, Domino, Postfix (there are a lot of them)—plugins can only operate using a mail server API. Alas, the API can be changed and sometimes the changes are for the worse, but we'll grumble about that some other time.

To prove our words, let's look at the Dr.Web for MS Exchange documentation. Why this product? Only because it’s quite popular with Doctor Web's customers.

Skipping ahead: careful readers have probably already noticed that different mail server versions are specified for the three integration methods—and there is no guarantee that the next version won't offer another way to integrate plugins with the server.

But let's get back to the features of anti-virus solutions for mail servers. Having to operate over an API somewhat limits their capabilities. No matter which developer comes up with a solution for MS Exchange, the basic functionality will be the same. A mail server will receive emails, check whether the messages comply with certain standards, and then let the plugin do its job. The plugin will examine the received information and decide whether a message is spam or whether it contains malware. The mail server will get the verdict and use its settings to perform certain actions with the message (forward it to a certain address, delete it, notify the sender, etc.).

The advantages of using an anti-spam on a mail server are quite obvious:

• Emails are checked faster
• PC resources aren’t wasted
• Situations involving users clicking on links and getting their systems infected are less likely to happen.

However, the limited capabilities of mail servers place a limit on plugins too. For example, in the case of MS Exchange, most plugins can use only a very narrow set of technologies to filter out spam and detect malware.

"It appears that anti-spam filtering on a mail server isn't really much better than an anti-spam on PCs. Why would I need one then?" — think some system administrators who use neither an anti-virus nor an anti-spam on their mail servers!

And as far as mail server traffic-filtering is concerned, the administrators are VERY wrong. But that's a story for another Anti-virus Times issue.