Kaspersky Lab KASPERSKY ANTI-SPAM 3.0 ADMINISTRATOR GUIDE

KASPERSKY LAB

Kaspersky® Anti-Spam 3.0

Administrator's Guide

KASPERSKY® ANTI-SPAM 3.0

Administrator's Guide

http://www.kaspersky.com

Revision date: November 2006

Contents

CHAPTER 1. KASPERSKY ANTI-SPAM 3.0................................................................. 6

1.1. What's new in version 3.0 ..................................................................................... 7

1.2. Licensing policy ..................................................................................................... 8

1.3. Hardware and software requirements .................................................................. 9

1.4. Distribution kit ...................................................................................................... 10

1.5. Help desk for registered users ............................................................................ 10

1.6. Conventions......................................................................................................... 11

CHAPTER 2. ARCHITECTURE OF KASPERSKY ANTI-SPAM AND

PRINCIPLES OF SPAM FILTERING........................................................................ 12

2.1. Product structure ................................................................................................. 12

2.2. Recognition technology....................................................................................... 16

2.2.1. Analysis of formal signs................................................................................ 16

2.2.2. Content filtration............................................................................................ 16

2.2.3. Checks using external services.................................................................... 17

2.2.4. Urgent Detection System ............................................................................. 18

2.3. Recognition results and actions over messages................................................ 19

2.4. Content filtration databases................................................................................. 20

2.5. Filtration policies .................................................................................................. 20

2.6. Control Center ..................................................................................................... 21

2.7. Monitoring ............................................................................................................ 21

CHAPTER 3. INSTALLING KASPERSKY ANTI-SPAM.............................................. 23

3.1. Preparing for installation...................................................................................... 23

3.2. Installing Kaspersky Anti-Spam distribution package ........................................ 24

3.3. Configuring access to the Control Center........................................................... 25

3.4. Installing the license key...................................................................................... 26

3.5. Integrating Kaspersky Anti-Spam with your mail server ................................... 27

3.6. Configuring updates of content filtration databases and UDS use.................... 29

CHAPTER 4. MANAGING THE SPAM FILTRATION SERVER................................. 30

4.1. Starting and managing Kaspersky Anti-Spam components.............................. 30

4 Kaspersky Anti-Spam 3.0

4.2. Kaspersky Anti-Spam Control Center................................................................. 31

4.3. Filtration policy management .............................................................................. 32

4.3.1. General filtration policy ................................................................................. 33

4.3.1.1. The General section .............................................................................. 34

4.3.1.2. The DNS & SPF Checks section .......................................................... 36

4.3.1.3. The Headers Checks section ................................................................ 37

4.3.1.4. The Eastern Encodings section ............................................................ 39

4.3.1.5. The Obscene Content section............................................................... 39

4.3.2. Managing the white and black lists .............................................................. 40

4.3.3. Managing the lists of employed DNSBL services ....................................... 42

4.3.4. Managing the list of protected domains ....................................................... 44

4.3.5. Group management ..................................................................................... 45

4.3.6. Managing the group filtration policy ............................................................. 48

4.3.7. Actions over messages ................................................................................ 49

4.4. Updating the content filtration databases ........................................................... 52

4.4.1. Configuring the update parameters ............................................................. 52

4.4.2. Initiating an update........................................................................................ 55

4.5. Configuring the spam filtration server ................................................................. 56

4.5.1. Common filtration server parameters........................................................... 57

4.5.2. Parameters of the filtration master process................................................. 58

4.5.3. Parameters of the filtering processes .......................................................... 59

4.5.4. Spam recognition parameters...................................................................... 60

4.5.5. Client module settings ..................................................................................62

4.5.6. Notifications about rejected messages ........................................................ 64

4.6. Control Center settings........................................................................................ 65

4.7. Managing the license keys.................................................................................. 66

4.7.1. Viewing the license information.................................................................... 67

4.7.2. Installing a new license key.......................................................................... 68

4.7.3. License key removal..................................................................................... 68

4.8. Monitoring the filtration server activity................................................................. 69

4.8.1. General product status information.............................................................. 69

4.8.1.1. Detailed information about the Anti-Spam Engine ............................... 70

4.8.1.2. Detailed information about the updater module.................................... 72

4.8.1.3. Detailed information about the licensing module.................................. 73

4.8.2. Monitoring system messages and reports................................................... 74

4.9. Kaspersky Anti-Spam statistics........................................................................... 75

Contents 5

CHAPTER 5. UNISTALLING KASPERSKY ANTI-SPAM........................................... 77

CHAPTER 6. FREQUENTLY ASKED QUESTIONS................................................... 79

APPENDIX A. ADDITIONAL INFORMATION ON KASPERSKY ANTI-

SPAM 83

A.1. Location of product files in the file system.......................................................... 83

A.2. Client modules for mail servers .......................................................................... 84

A.2.1. Interaction of client modules with the filtering server................................... 84

A.2.2. Global settings of client modules ................................................................. 85

A.2.3. kas-milter – a client module for the Sendmail mail server .......................... 86

A.2.4. kas-pipe – a client module for the Postfix and Exim mail servers .............. 88

A.2.5. kas-exim – a client module for the Exim mail server................................... 94

A.2.6. kas-qmail – client module for the Qmail mail server ................................... 97

A.2.7. kas-cgpro – a client module for the Communigate Pro mail server ........... 98

A.3. Kaspersky Anti-Spam configuration files.......................................................... 100

A.3.1. Main configuration file filter.conf................................................................. 101

A.3.2. Configuration file kas-thttpd.conf ............................................................... 106

A.4. Kaspersky Anti-Spam utilities ........................................................................... 106

A.4.1. kas-htpasswd ............................................................................................. 106

A.4.2. kas-show-license........................................................................................ 107

A.4.3. install-key.................................................................................................... 107

A.4.4. remove-key................................................................................................. 108

A.4.5. kas-restart...................................................................................................109

A.4.6. mkprofiles ................................................................................................... 110

A.4.7. sfmonitoring ................................................................................................ 111

A.4.8. sfupdates .................................................................................................... 111

A.5. Special headers of the filtering module ............................................................ 112

A.6. Configuration using cron service ...................................................................... 115

APPENDIX B. HOW TO SEND SPAM MESSAGES TO SPAM ANALYSTS.118

APPENDIX C. KASPERSKY LAB...................................................................... 120

A.7. Other Kaspersky Lab Products ........................................................................ 121

A.8. Contact Us......................................................................................................... 128

APPENDIX D. THIRD PARTY SOFTWARE..................................................... 129

APPENDIX E. LICENSE AGREEMENT............................................................ 144

CHAPTER 1. KASPERSKY ANTI-

SPAM 3.0

Kaspersky® Anti-Spam 3.0 (hereinafter also referred to as Kaspersky AntiSpam or the product) is a software suite filtering e-mail in order to protect mail

system users from unsolicited mass mail (spam).

Kaspersky Anti-Spam uses administrator-defined rules to process received messages accordingly. Namely, it delivers a message without modifications, blocks it, generates a notification informing that a message could not be received, adds or modifies message header and performs other actions specified by the administrator.

The application checks every e-mail message for the presence of signs typical for unwanted mass mail (spam).

First, it checks various message parameters: the sender's and recipient's addresses (envelope), message size and its various headers (including From and To). In addition, Kaspersky Anti-Spam runs the following checks as a part of its analysis procedure:

• a check of message sender's address (e-mail and / or IP address) using black and white lists;

• the presence of the sender's IP address in a DNS-based real time black hole list (DNSBL);

DNSBL (DNS based black hole list) is a database that lists IP addresses of mail servers used for uncontrolled mass mailing. Such servers receive mail from anyone and deliver it further to arbitrary recipients. Using of DNSBL will allow automatic blocking of mail receipt from that mail server. Various services use different policies for generation of such lists. Please examine carefully the policy of each service before you start using it for mail filtration.

• availability of a DNS record for the sending server (reverse DNS lookup);

• a check of the sender's IP address for compliance with the list of

addresses allowed for a domain based on the Sender Policy Framework (SPF);

• a check of addresses and links to sites in message text using the Spam URL Realtime Blocklists (SURBL) service.

Kaspersky Anti-Spam 3.0 7

Second, the application employs content filtration, i.e. it analyzes the actual message contents (including the Subject header) and attached files

. The product uses to that effect linguistic algorithms based on comparison with sample messages and search for typical terms (words and word combinations).

Kaspersky Anti-Spam also scans attached images comparing them to the signatures of known spam messages. Comparison results are also taken into account when the application decides whether a message should be identified as spam.

Messages with certain signs of unsolicited mail will be processed in accordance with the defined filtration policy (see section 2.3 on page 19).

The administrator can configure the applicable filtration policy using the Control Center interface (see section 2.6 on page 21).

1.1. What's new in version 3.0

Kaspersky Anti-Spam 3.0 preserves all advantages of the previous version featuring also a number of improvements and additions:

1. New version of the Spamtest filtering engine.

The new filtering engine included into Kaspersky Anti-Spam 3.0 offers the following benefits:

• Higher performance and stability.

• Low RAM requirements.

• Low volume of web traffic (updates to the content filtration

databases).

2. Improved filtration methods.

Practically all the spam detection methods employed in earlier versions have been enhanced, including:

• Improved algorithms used for parsing of HTML objects in mail messages (increasing the efficiency of detecting various spammer tricks meant to circumvent filtration systems).

• Extended and improved subsystem that analyzes the headers of mail messages.

• Enhanced subsystem analyzing graphic attachments (GSG).

The application scans attachments in plain text, HTML, Microsoft Word, and RTF formats

(see section 2.2.2 on page 16 for details).

8 Kaspersky Anti-Spam 3.0

• Added support for the use of Sender Policy Framework (SPF) and Spam URL Realtime Blocklists (SURBL) services.

• Included internal Urgent Detection System (UDS), which allows the user to receive information about certain types of spam in real time.

3. An absolutely new user interface.

Kaspersky Anti-Spam 3.0 uses Control Center, which allows you to perform the following operations:

• Configure the product: filtering rules, actions over messages, performance parameters, etc.

• Manage the licenses to use the product: install license keys, view the information about the current license.

• Monitor product activity and view statistical data.

4. Convenient configuration of filtration-related settings.

Version 3.0 of the application uses the intuitively understandable Control Center interface to customize the filtration policies. Its benefits include:

• Easy administration: convenient interface offers the minimum toolset necessary for system administration while providing a lot of ways to customize the system for a specific environment.

• Individual settings for user groups: certain scanning methods can be enabled/disabled individually for every group; you can also define the actions to be performed over e-mail messages.

5. Enhanced tools for integration of the product and customization of its infrastructure:

• Redesigned and improved modules for interaction with such email servers as Sendmail and Communigate Pro.

• A new system has been designed for the delivery of updates to the content filtration databases.

• All settings are combined into a single configuration file making it easier to configure and administer the system.

1.2. Licensing policy

The licensing policy for Kaspersky Anti-Spam 3.0 implies a system of product use limitations based on the following criteria:

• Mail traffic volume.

Kaspersky Anti-Spam 3.0 9

• The number of protected mail accounts.

• The number of mail systems users.

The said limitations will only apply to the messages addressed to the senders within protected domains. The list of protected domains receiving the traffic that the product will filter can be customized in the Control Center (see section 4.3.4 on page 44). E-mail sent to recipients in domains that are not included into the list will not be filtered.

Please specify the list of protected domains before you start using Kaspersky Anti-Spam.

1.3. Hardware and software

requirements

Minimum system requirements for normal operation of Kaspersky Anti-Spam are as follows:

• Intel Pentium III 500 MHz processor or higher.

• At least 512 МB of available RAM.

• One of the following operating systems:

• RedHat Linux 9.0.

• Fedora Core 3.

• RedHat Enterprise Linux Advanced Server 3.

• SuSe Linux Enterprise Server 9.0.

• SuSe Linux Professional 9.2.

• Mandrake Linux version 10.1.

• Debian GNU/Linux 3.1.

• FreeBSD 4.10.

• FreeBSD 5.4.

• One of the following mail servers:

• Sendmail 8.13.5 with Milter API support.

• Postfix 2.2.2.

• Qmail 1.03.

• Exim 4.50.

• Communigate Pro 4.3.7.

10 Kaspersky Anti-Spam 3.0

• Installed bzip2 and which utilities.

• Perl interpreter.

1.4. Distribution kit

You can purchase Kaspersky Anti-Spam either from our dealers (retail box) or online (for example, you may visit http://www.kaspersky.com, and go to E-Store section).

The contents of the retail box package include:

• Sealed envelope with an installation CD, or set of floppy disks, containing the application files.

• Administrator's Guide.

• License key written on a special floppy disk.

• License Agreement.

Before you open the envelope with the CD (or a set of floppy disks) make sure that you have carefully read the license agreement.

If you buy Kaspersky Anti-Spam online, you will download the application from the Kaspersky Lab website. In this case, the distribution kit will include this User's Guide along with the application. The license key will be emailed to you upon the receipt of your payment.

The License Agreement is a legal contract between you and Kaspersky Lab that describes the terms and conditions under which you may use the product that you have purchased.

Please read the License Agreement carefully!

If you do not agree with the terms and conditions of the License Agreement, return the retail box to the Kaspersky Anti-Spam dealer you purchased it from and the money you paid for the product will be refunded to you on the condition that the envelope with the installation CD (or set of floppy disks) is still sealed.

By opening the sealed envelope with the installation CD (or set of floppy disks), you confirm that you agree with all the terms and conditions of the License Agreement.

1.5. Help desk for registered users

Kaspersky Lab offers all registered users an extensive service package enabling them to use Kaspersky Anti-Spam more efficiently.

Kaspersky Anti-Spam 3.0 11

After purchasing a license you become a registered user and during the license period you can enjoy the following services:

• application module and anti-virus database updates;

• support on issues related to the installation, configuration and use of the

application. Services will be provided by phone or via email;

• information about new Kaspersky Lab products. You can also subscribe to the Kaspersky Lab newsletter, which provides information about new computer viruses as they appear.

Kaspersky Lab does not provide support on issues related to the performance and the use of operating systems or other technologies.

1.6. Conventions

In this book we use various conventions to emphasize different meaningful parts of the documentation. The table below lists the conventions used in this document.

Convention Meaning

Bold font

Step 1.

…

Note

Attention

To run a program:

Task:

Solution

Menu titles, commands, window titles, dialog elements, etc.

Additional information, notes.

Critical information.

Actions that must be taken to run a program.

Task statement as an example of parameter definitions, functions, etc.

Solution to the task formulated.

CHAPTER 2. ARCHITECTURE OF

KASPERSKY ANTI-SPAM AND PRINCIPLES OF SPAM FILTERING

This section contains descriptions of the main product components and the principles of filtering as well as the Control Center, the main tool for Kaspersky Anti-Spam administration and configuration.

2.1. Product structure

Kaspersky Anti-Spam 3.0 is a spam recognition and filtering system functioning as an integral part of an appropriate mail server. Kaspersky Anti-Spam 3.0 is not a full-featured mail server able to receive mail, relay it or deliver e-mail to the mailboxes of end recipients. The architecture of Kaspersky Anti-Spam is shown in Fig. 1.

Kaspersky Anti-Spam consists of the following components:

• Client plug-in modules intended for product integration with mail server.

• Anti-Spam Engine – the filtration server component that analyzes e-mail

messages rating and processing them. Filtration server includes a number of auxiliary modules, which provide for its functioning and integration with mail servers:

• Filtration module – the module filtering spam.

• Licensing module – the module that manages product licenses

and the list of protected domains.

• Content filtration databases – a corpus of data that the filtration server uses to rate messages; updates to the content filtration databases are published on the servers of Kaspersky Lab every 20 minutes.

• Updater module for the content filtration databases – a system that provides for automatic downloading of new content filtration databases from updating servers and their installation for further use by the anti-spam engine.

Architecture of Kaspersky Anti-Spam and principles of spam filtering 13

Figure 1. The architecture of Kaspersky Anti-Spam

• Control Center – web-based interface that administrators can use to configure the product, analyze its status and functionality.

• Monitoring system – a system that tracks the status of Kaspersky Anti-Spam and its individual components and notifies system administrator about various problems in product operation.

Client plug-in modules are designed for Kaspersky Anti-Spam integration with various mail servers. Every client plug-in takes into account the peculiarities of a specific mail server and the selected integration method.

14 Kaspersky Anti-Spam 3.0

The distribution package of Kaspersky Anti-Spam includes client plug-ins for Sendmail, Postfix, Exim, Qmail and Communigate Pro.

As a rule, a client plug-in must be installed as a filter providing for receipt of messages to be analyzed from the mail server and for the subsequent return of modified e-mail.

Client plug-in modules are started by their respective mail servers. The sole exception is Sendmail, which does not launch a client plug-in. Mail server can start several client plug-ins for parallel processing of several letters. Please refer to Appendix A.2 on page 84 for details on client plug-in modules and the methods of their integration.

Irrespectively of the individual peculiarities of client modules, each module interacts with the filtration server via a network or a local socket using internal data exchange protocol.

Anti-Spam Engine responds to the requests of clients accessing it, receives from them messages for analysis and returns the results.

The standard installation procedure assumes that the mail server with an integrated client plug-in and the filtration server are installed on the same computer.

However, the anti-spam engine of Kaspersky Anti-Spam can also be installed to a separate server. In that case client modules running on another computer (server) will exchange data with the filtration server through local network using TCP.

Anti-Spam Engine running on a dedicated computer can serve several mail servers at once provided that the performance of the computer it uses is sufficient to process all that e-mail traffic.

Anti-Spam Engine consists of the following components:

• filtration module that performs message analysis

• licensing module, which checks the availability of a valid license key file

and compliance with the limitations specified in the purchased license

• daemon processing SPF requests

• script, which performs automatic downloads of content filtration databases

and compiles them

• Control Center

• Auxiliary programs and scripts.

Filtration master process (ap-process-server) is the main component of the filtering module; it performs the following tasks:

• monitoring of requests from client modules for connection to the filtering process

Architecture of Kaspersky Anti-Spam and principles of spam filtering 15

• initiation of new filtering processes when there are no available processes left

• monitoring the status of running processes

• termination of child processes upon an appropriate signal (e.g., SIGHUP).

If traffic volume is considerable, the number of running filtration processes can reach several dozens. When the mail server load becomes lower, idle filtering processes will terminate. Maximum and minimum number of running filtration processes are defined by the anti-spam engine settings (see Appendix A.3.1 on page 101).

When the filtering process (ap-mailfilter) starts, it loads the existing filtration policies and the content filtration databases. As soon as a connection to a client module is established, the filtering process receives from the module message headers and body, performs their analysis and returns the results to client module.

If message sender has to be checked for compliance with the SPF policy, the filtering process transmits a request to the SPF daemon (ap-spfd), which sends necessary queries to a DNS server and returns the results to the filtering process.

The application analyzes messages and applies to them rules defined in the filtration policies only if there is a valid license key available.

All licensing checks are performed by the licensing module (kas-license) upon a request from a filtration process.

Having finished processing a message, the filtering process does not terminate. Instead, it keeps waiting for a new request. A filtering process terminates after it processes the maximum number of messages specified for a single process (as a rule, 300) or remains idle for a long time.

The script for automated downloading of updates (sfupdates) runs according to its schedule (using the cron service) and provides for downloads of the latest version of the content filtration databases from the update servers, it also builds the current database version and installs it for further use by the filtration server.

Control Center is a web-based interface, which allows the administrator to configure the product and spam filtration policies.

Monitoring system controls the status of Kaspersky Anti-Spam components and notifies system administrator about problems occurring in the operation of the filtration server and other product components.

Kaspersky Anti-Spam 3.0 processes e-mail traffic using the following algorithm:

1. Client plug-in module integrates with an installed mail server.

2. Mail server transfers to the client module messages for analysis by the filtration server.

16 Kaspersky Anti-Spam 3.0

3. Filtration server checks messages scanning them for signs of spam and, depending upon the result, modifies them in accordance with the existing rules.

4. Client plug-in module returns processed messages to the mail server for delivery.

2.2. Recognition technology

Kaspersky Anti-Spam offers powerful tools for spam detection in e-mail traffic. This section contains a brief overview of spam recognition technologies implemented in the product.

2.2.1. Analysis of formal signs

The method uses a set of rules based on examination of certain message headers and their comparison with sets of headers typical of spam messages. In addition to header analysis, the application takes into account message structure, size, presence of attachments and other similar signs.

The method also provides for analysis of data transmitted by the sender during an SMTP session. In particular, the following information is estimated:

• IP address of the server that has sent the message, and whether it is included into white or black lists of recipients

• IP addresses of intermediate relay servers obtained from the Received headers

• e-mail address of message sender and recipients transmitted in SMTP session commands

• presence of the sender's and recipients' addresses in white or black lists

• conformity of the addresses transmitted during SMTP session to the set

of addresses specified in message headers and a number of other checks.

2.2.2. Content filtration

Message analysis employs the algorithms of content filtering: the application uses artificial intelligence technologies to analyze the actual message content (including the Subject header), and its attachments (attached files) in the following formats:

• plain text (ASCII, non-multibyte)

Architecture of Kaspersky Anti-Spam and principles of spam filtering 17

• HTML (2.0, 3.0, 3.2, 4.0, XHTML 1.0)

• Microsoft Word (versions 6.0, 95/97/2000/XP)

• RTF.

The purpose of spam filtering is to decrease the volume of unwanted messages in the mailboxes of your users. It is impossible to guarantee detection of all spam messages because too strict criteria would inevitably cause filtering of some normal messages as well.

The application uses three main methods to detect messages with suspicious content:

• Text comparison with semantic samples of various categories (based on the search for key terms (words and word combinations) in message body and their subsequent probabilistic analysis). The method provides for heuristic search for typical phrases and expressions in text.

• Fuzzy comparison of a message being examined with a collection of sample messages based on comparison of their signatures. The method

helps detect modified spam messages.

• Analysis of attached images.

All the data employed by Kaspersky Anti-Spam for content filtering: classification index (a hierarchical list of categories), typical terms, etc. are stored in its content filtration databases.

The group of spam analysts at Kaspersky Lab works nonstop to supplement and improve the content filtration databases. Therefore, you are advised to update the databases regularly (see section 4.4 on page 52).

You can also send to Kaspersky Lab samples of spam messages, which Kaspersky Anti-Spam has failed to recognize as well as the samples of messages erroneously classified as spam. The data will help us improve the content filtration databases and react in a timely manner to new types of spam. Please refer to Appendix B for details on forwarding sample messages.

2.2.3. Checks using external services

In addition to the analysis of message text and headers, Kaspersky Anti-Spam allows a number of the following checks involving external network services:

18 Kaspersky Anti-Spam 3.0

• availability of a DNS record for message sender's IP (reverse DNS lookup);

• the presence of the sender's IP address in a DNS-based real time black hole list or lists (DNSBL);

• a check of the sender's address for compliance with SPF (Sender Policy Framework) policy for the domain containing the server used to send the message;

• a check of addresses and links to sites in message text for the presence in the Spam URL Realtime Blocklists database – www.surbl.org.

• recognition of e-mail messages using the UDS (Urgent Detection System) technology.

All the checks listed above, except for UDS, are based on the use of the DNS protocol and as a rule they require no additional network configuration.

2.2.4. Urgent Detection System

Urgent Detection System is an original technology of spam detection developed and supported by Kaspersky Lab. It is based on the following principles:

1. A message being analyzed is used to select a collection of properties,

which can be used to identify the message. The set of properties may include header information, text fragments and other information about the message being processed.

2. Filtration server uses the properties thus collected to generate a small

UDS request and sends it to one of UDS servers of Kaspersky Lab.

Since the product does not transmit to external servers any data that could allow viewing the recipients or the text of the processed mail, the use of this method does not pose any risk to the safety or confidentiality of your information.

3. The UDS server checks the received request against a database of

known spam. If the request matches a known spam sample, a message will be sent to the filtration server informing that the e-mail is very likely to be spam. The information will be taken into account during assignment of a certain status to e-mail.

The UDS technology allows filtering of known spam before updates to the content filtration databases become available.

Architecture of Kaspersky Anti-Spam and principles of spam filtering 19

A filtration server interacts with UDS servers of Kaspersky Lab via UDP using port 7060 for communication. In order to use UDS, a filtration server must be able to establish outgoing connections through that port.

Information about available UDS servers is added to the content filtration databases. The choice of an individual UDS to be used for message analysis is performed automatically on the basis of the response time of accessible UDS servers.

2.3. Recognition results and actions

over messages

The analysis procedure results in assignment of one of the following statuses to a message:

• Spam – message recognized as spam with a high degree of reliability.

• Probable Spam – message contains some spam signs; however, it

cannot be unambiguously identified as spam.

• Formal – message is formal. E.g., it is a mail server notification informing about mail delivery or inability to deliver it or about message infection with a virus. The category includes messages sent automatically by mail clients. Such messages are usually not considered to be spam.

• Trusted – message received from trusted sources, for example, from internal mail servers. The administrator must create a list of trusted sources (a white list of senders). Trusted status is also assigned to messages addressed to users whose mail the product does not scan in accordance with the corresponding group policy settings.

• Blacklisted – message received from an address present in a black list. The administrator must create the black list.

• Not detected – a message that has not been recognized as spam.

Each e-mail message can be assigned just one of the above statuses. The application records the status assigned to a message after analysis to a special X-Spamtest-Status-Extended header. Please refer to section A.5 on page 112 for details about the headers added to mail messages after filtering.

After recognition, the application may perform one of the following actions over a message:

• accept the message

• relay the message or a copy thereof to another address

• add a text mark in the message subject field

20 Kaspersky Anti-Spam 3.0

• append a special header to the message

• delete message

• reject message.

System administrator can define which of the listed actions will be performed over messages with a specific status.

Preservation of all useful mail must be the top priority for the system administrator because the loss of a single important message may cause more trouble for the end user than receipt of a dozen of spam messages. To avoid the loss of necessary mail, you are advised to use only non-destructive actions with mail identified after content analysis as spam or probable spam. E.g., append to the Subject header labels, such as [!! SPAM].

2.4. Content filtration databases

The application recognizes spam messages using the records of its regularly updated content filtration databases. These databases contain the sets of rules, terms and message signatures used in the process of filtering.

Content filtration databases can be downloaded from the updating servers of Kaspersky Lab using the updater module. During the procedure, the system reduces the volume of downloaded data loading only those files, which have changed.

Since new samples of spam messages appear every day, normal product functioning requires regular updates to its content filtration databases. Recommended updating frequency: every twenty minutes.

Be sure to update the content filtration databases immediately after product setup on your computer!

2.5. Filtration policies

Kaspersky Anti-Spam employs filtration policies to determine the methods applicable for spam recognition, the actions to be performed over messages and the black and white lists of senders.

The product uses a double-layered system of filtration policies, which consists of a default general filtration policy and group filtration policies. The default filtration policy contains settings common for all groups: methods applicable for spam recognition, and the black and white lists of senders. Group policies, in addition to the mentioned settings, also define the actions performed over messages depending upon their status.

Architecture of Kaspersky Anti-Spam and principles of spam filtering 21

Before configuring group policies, the administrator must create groups described by the lists of addresses of message recipients.

The product applies its policies in accordance with the following rule: general filtration policy defines the default settings for all groups while group settings may either inherit those values or redefine them. Thus, for instance, the product may employ more sophisticated methods of spam recognition and stricter actions can be specified for a group of users that requires more thorough filtration of messages.

The combination of recognition settings is closely connected with the properties of the content filtration databases; it can be extended and modified as new types of spam and rules of their recognition appear. Together with the updates to the content filtration databases, the appropriate settings will be added to the interface provided by the Kaspersky Anti-Spam Control Center.

2.6. Control Center

Control Center is a web-based application, which allows the administrator to configure Kaspersky Anti-Spam and control its activity.

Control Center allows performance of the following tasks:

• Monitoring of the current status of the product and its individual components.

• Installation of license keys and management of the protected domains list.

• Output and export of statistics on processed messages.

• Managing the default and group policies of spam filtering.

• Configuring the filtration server and other product components.

2.7. Monitoring

Kaspersky Anti-Spam includes a monitoring module for control of the filtration server status.

System status information appears in the Monitoring tab of the Control Center.

22 Kaspersky Anti-Spam 3.0

Figure 2. The Monitoring tab of the Control Center

The section contains parameters tracked by the monitoring system and the messages from product modules, which you can use to analyze the current status of Kaspersky Anti-Spam components.

The monitoring system also generates notifications and reports while running. The monitoring script starts regularly and sends to system administrator a message informing about detected problems whenever it finds any issues. The messages are sent once at the moment of problem detection thus ensuring timely notification about situations, which require administrator's intervention.

Later, if a problem is not resolved, the monitoring will keep sending daily reports with a summary of all detected pending issues.

The e-mail address where the monitoring system will send its notifications has to be specified in the Control Center.

CHAPTER 3. INSTALLING

KASPERSKY ANTI-SPAM

This section contains information about the procedure of program installation, integration of client plug-in modules with the host mail server and configuring access to the Control Center, the main product management tool.

3.1. Preparing for installation

Before you proceed with Kaspersky Anti-Spam installation, it is necessary to:

• Make sure that your system meets the hardware and software requirements for Kaspersky Anti-Spam (see section 1.3 on page 9).

• Make sure that you have a license key for Kaspersky Anti-Spam 3.0.

• Ensure that bzip2, perl, and which programs are installed.

• Make sure that the mail server installed in your system functions properly.

• Make backup copies of the mail server configuration file.

• Log on to the system as root.

You are advised to install the product during a period when the mail server load is lowest.

Kaspersky Anti-Spam installation consists of five steps:

1. Installation of Kaspersky Anti-Spam distribution package.

2. License key installation.

3. Integration of the client plug-in modules with the mail server.

4. Configuration of a HTTP server for access to the Control Center.

5. Configuration of content filtration databases update and UDS service

use.

The sections further contain detailed descriptions of these steps.

24 Kaspersky Anti-Spam 3.0

3.2. Installing Kaspersky Anti-Spam

distribution package

Kaspersky Anti-Spam 3.0 is distributed in several installation packages:

• .rpm package for most versions of the Linux operating system (RedHat, SuSe, Mandrake, Fedora, etc.)

• .deb package for Debian Linux distribution

• .tgz package for the FreeBSD 4.10 operating system.

• .tbz package for the FreeBSD 5.4 operating system.

The choice of a specific installation package depends upon the operating system installed on your computer:

To initiate installation of Kaspersky Anti-Spam from the .rpm package, enter the following in the command line:

# rpm –i kas-3-<package version>.i386.rpm

To initiate installation of Kaspersky Anti-Spam from the .deb package, enter the following in the command line:

# dpkg –i

To initiate installation of Kaspersky Anti-Spam from the .tgz package, enter the following in the command line:

# pkg_add

To initiate installation of Kaspersky Anti-Spam from the .tbz package, enter the following in the command line:

# pkg_add kas-3-<package version>.tbz

The installer performs the following actions during the procedure:

• Creation of the mailflt3 user account and group with appropriate privileges that will be used to run Kaspersky Anti-Spam.

• Installation of all programs included into the Kaspersky Anti-Spam suite to the /usr/local/ap-mailfilter3 directory.

• Creation and installation of a script, which will perform automatic launch of the filtration master process (ap-process-server), SPF daemon (ap- spfd), licensing module (kas-license) and HTTP server (kas-thttpd) at the operating system start-up.

• Launch of necessary programs and services

kas-3-<package version>.i386.deb

kas-3-<package version>.tgz

Installing Kaspersky Anti-Spam 25

• Creation of a сron task for the mailflt3 account to run automatically the script downloading updates to the content filtration databases and the script monitoring the filtration server activity.

Having completed the filtration server setup, install the license key and integrate the host mail server with Kaspersky Anti-Spam.

3.3. Configuring access to the

Control Center

Upon completion of product setup, the installer runs the kas-thttpd service, which provides local access to the Control Center. The following settings are used by default:

• Address: http://127.0.0.1:3080/

• User name: admin

• Password: admin

Be sure to change the user name and password for access to the Control Center after Kaspersky Anti-Spam installation. Use of default values may pose a threat to the security of your system.

You are also advised to change the port used to connect to the Control Center.

User name and password are preserved in the .htpasswd file of the /usr/local/ap- mailfilter3/control/www/ Control Center directory for CGI scripts.

You can create a new user or change an existing password using the kas- htpasswd utility included into Kaspersky Anti-Spam. At the utility start, you should specify the path to the file containing passwords and the name of the user being created or an existing user whose password must be modified:

# /usr/local/ap-mailfilter3/bin/kas-htpasswd /usr/local/apmailfilter3/control/www/.htpasswd <user name>

After execution of the command above you will be offered to enter the password for the specified user.

In order to create a new file where the password of the specified user will be stored, use the –c command line option:

# /usr/local/ap-mailfilter3/bin/kas-htpasswd –c /usr/local/ap-mailfilter3/control/www/.htpasswd <user name>

Password changes become effective immediately after modification of the

.htpasswd file.

26 Kaspersky Anti-Spam 3.0

Passwords for access to the Control Center are stored in the .htpasswd file in an encrypted form.

The interface and port number to be used for connection to the Control Center are specified in the /usr/local/ap-mailfilter3/etc/kas-thttpd.conf file using the host and port parameters respectively. E.g., the following values:

host=0.0.0.0

port=3080

mean that the Control Center will listen on port 3080 of all server interfaces expecting incoming connections. By default, the Control Center can only be accessed from the server where Kaspersky Anti-Spam is installed (the host parameter is set to 127.0.0.1).

After modification of port number, reload the Control Center configuration. In Linux distributions, run the following command:

# /etc/init.d/kas3-control-center restart

In FreeBSD distributions, run the following command:

/usr/local/etc/rc.d/kas3-control-center.sh restart

3.4. Installing the license key

Your license key corresponding to the purchased license is bundled with the distribution package of Kaspersky Anti-Spam.

If for some reason you have no license key, contact the Technical Support service of Kaspersky Lab (see section Services/Technical Support of Kaspersky Lab website).

In order to install a new license key using the Control Center, perform the following steps:

1. Use your web browser to connect to the Control Center by entering

http://localhost:3080/ in its address line. Enter admin as the user name for connection, and admin as the password.

2. Open the license keys management page at

License → License Keys.

3. Use the field in the lower part of the page under the Install a New License Key section to specify the path to a license key file or press the Choose button to select the necessary file.

4. Press the Apply button.

Installing Kaspersky Anti-Spam 27

In order to install a new license key locally using the command line, run the following command:

# /usr/local/ap-mailfilter3/bin/install-key <key>

where key stands for a path to the file containing the license key.

If a license key has not been installed or the installed key is invalid, Kaspersky Anti-Spam will not filter mail. Mail server performance will not be affected; its email traffic will just be transferred without analysis.

Please keep in mind that the product will only filter mail for those recipients, whose accounts are added into the list of protected domains.

Before you start using Kaspersky Anti-Spam, be sure to create the list of protected domains.

Please refer to section 4.3.4 on page 44 for details.

3.5. Integrating Kaspersky

Anti-Spam with your mail server

Kaspersky Anti-Spam integration with the host mail server is accomplished through installation of a client plug-in module and addition of necessary changes to the configuration files.

These actions are carried out automatically by the universal configuration script. If integration using the universal script is impossible (e.g., when the mail server has a non-standard configuration) you can use to that effect configuration scripts of that specific e-mail server.

Please refer to the Appendix A.2 on page 84 for details about applicable methods for integration of client plug-in modules into each of the supported mail servers and about the changes introduced into their configuration files.

In order to integrate Kaspersky Anti-Spam with the mail server installed on your server, run the universal configuration script:

# /usr/local/ap-mailfilter3/bin/MTA-config.pl

The script will identify the type of the mail server and add necessary changes to its configuration files.

However, if your mail server is installed in a non-standard location or uses a configuration different from the default, the MTA-config.pl script may fail to find its configuration files. In such case, use the individual configuration script for your specific mail server:

• To integrate Kaspersky Anti-Spam with Sendmail, run the following

command as root:

28 Kaspersky Anti-Spam 3.0

# /usr/local/ap-mailfilter3/bin/config-sendmail.pl <path>

where path stands for the path to the Sendmail configuration file.

• To integrate Kaspersky Anti-Spam with Postfix, run the following

command as root:

# /usr/local/ap-mailfilter3/bin/config-postfix.pl <path>

where path stands for the path to the master.cf Postfix configuration file.

• To integrate Kaspersky Anti-Spam with Exim, run the following command

as root:

# /usr/local/ap-mailfilter3/bin/config-exim.pl <path>

where path stands for the path to the Exim configuration file.

Integration of Kaspersky Anti-Spam with Exim mail server has a few peculiarities in Debian Linux distribution. For correct integration, use the /usr/local/ap-mailfilter3/bin/config-exim- debian.pl script. Please refer to section A.2.4.2 on page 92 for details.

• To integrate Kaspersky Anti-Spam with Qmail, run the following command

as root:

# /usr/local/ap-mailfilter3/bin/config-qmail.pl <path>

where path stands for the path to the Qmail configuration file.

Correct integration with Qmail by running the config-qmail.pl script is possible only if Qmail uses the qmailq account and the qmail group (used by default).

Kaspersky Anti-Spam integration with Exim (using the kas-exim client plug-in module) and with Communigate Pro has to be performed by the administrator manually.

Detailed descriptions of peculiarities for each of the client modules and available integration methods can be found in section A.2 on page 84.

Please refer to Chapter 5 on page 77 for details on rolling back the integration and restoring the original mail server settings.

Installing Kaspersky Anti-Spam 29

3.6. Configuring updates of content

filtration databases and UDS use

By default after installation of Kaspersky Anti-Spam updates to the content filtration databases and UDS are disabled. In order to allow updating of the databases and activate UDS, run the enable-updates.sh script:

# /usr/local/ap-mailfilter3/bin/enable-updates.sh

Restarting as mailflt3 Enabling UDS... uds-rtts finished successfully Enabling automatic updates... Install crontab for user mailflt3 - ok =========================================================== You can adjust automatic updates settings via control center. =========================================================== Automatic updates and UDS are now enabled.

You can also use the Control Center interface to enable updates of the content filtration databases (see section 4.4 on page 52) and activate the UDS service (see section 4.5.4 on page 60).

CHAPTER 4. MANAGING THE

SPAM FILTRATION SERVER

You can use Kaspersky Anti-Spam to protect e-mail traffic from unwanted spam mail. The system of protection is based on performance of tasks representing the main features of the application. The tasks performed by Kaspersky Anti-Spam can be subdivided into three main groups:

• Mail traffic protection against spam.

• Updates of the content filtration databases used for spam detection.

• Monitoring of the anti-spam engine activity.

Each group includes smaller tasks. In this chapter we shall describe in detail the most typical of them. Administrators can then combine these tasks and enhance them in accordance with the needs of their specific organizations.

This document describes configuration and task performance locally from the command line as well as product management using the Control Center.

4.1. Starting and managing

Kaspersky Anti-Spam components

The main components of the filtration server including the filtering master process (ap-process-server), licensing module (kas-license) and the SPF daemon (ap-spfd) are launched at the operating system start-up by a special script, which is named and located differently in Linux and FreeBSD operating systems. The Linux operating system uses the kas3 script located in the /etc/init.d directory while the FreeBSD operating system employs the kas3.sh script in the /usr/local/etc/rc.d directory.

The administrator can use the said scripts with the command line parameters described below to start, stop or restart the main components of the filtration server:

start – start the main components of the filtration server.

stop – stop operation of the main components of the filtration server.

restart – restart the main components of the filtration server; the action is

identical to running the stop and start actions one after another.

+ 119 hidden pages