Rules Engine


ITA Secure Messaging Rules Engine is the main component that processes all email arriving in your network. Rules Engine processes email using our exclusive, patent-pending, state-of-the-art technology, CuRE (Custom Rules Engine). Most anti-spam products on the market are designed to be reactive to new techniques, tricks, or built-in holes that spammers exploit to bypass filters. With CuRE technology, ITA Secure Messaging Rules Engine is proactive: it distinguishes not only the already well-known spammer tricks but also guards against potential new variations that spammers might develop to fool the deployed anti-spam technology. This makes ITA Secure Messaging much more effective compared to other anti-spam products and also considerably reduces the management burden for IT administrators.

The diagram below explains the internal workings of the Rules Engine and how it processes a new email arriving into your network.

Built-in Rules Engine

ITA Secure Messaging provides a multi-stage, rules-based approach to filtering out spam. ITA Secure Messaging allows pre- and post-processing of email for content filtering. This method allows administrators to create custom filtering rules that are aligned with a company's policy. At each stage of the process, Rules Engine assigns scores to messages based on unique characteristics such as the sender's IP address, the validity of the sender's domain name, the email message header, the email body content, and more. At every stage certain points are assigned to the email, and at the end of the process a final score is derived. This final score is then compared against the defined threshold. When a message score reaches or exceeds the defined threshold, the message is flagged as spam, blocked from reaching the mail server, and archived immediately. Message characteristics we evaluate and score include:

  • IP Validation
  • SPF Lookup
  • Domain Validation
  • Virus detection
  • Phishing detection
  • Message size filter
  • Adaptive Filtering
  • Content Filtering
    • Attachment filters
    • Body filters
    • Sender filters
    • Subject filters
    • Header filters
  • Custom filters for Rules Engine (CuRE)

Domain Validation

This method checks and verifies that the domain name of the arriving email is valid and that its DNS zone contains a valid MX record. Spam emails often have nonexistent domain names or MX records so that spammers can hide their identity.

SPF Lookup

The sender's IP address is checked against the SPF entries in the DNS for that domain, which prevents email forgery. Using SPF, you can reduce spam and drastically reduce email-borne virus and phishing attacks.

Message Size

ITA Secure Messaging allows you to filter messages based on the size of the email. You have a choice of:
  • Do nothing with large messages
  • Bypass filtering
  • Reject

IP Validation

ITA Secure Messaging also uses Real Time Black Hole Lists (RBLs). ITA Secure Messaging checks the IP address in the email header against various RBLs to verify that the sending server is not blacklisted as a known spammer or an open relay server. Normally, a secure mail server should refuse to relay email from an external sender who is not part of its domain. Unfortunately, there are many mail servers that are not properly configured and are used by spammers to send mail. ITA Secure Messaging uses a default set of the most reliable RBL services. ITA Secure Messaging can easily be custom configured to use, add, or delete these services, and it can use more than one service at a time. ITA Secure Messaging does not rely entirely on RBLs, as some legitimate emails can be blocked using these services. Instead, ITA Secure Messaging assigns the message a score based on the RBL result, and this score can also be custom configured to suit your needs.

White/Black Lists

You can create your own White/Black list of IP addresses. This guarantees that email from a particular vendor or customer will always be allowed in, or that email from a particular competitor will be blocked. This is also useful when you are attacked by a virus-infected computer on the Internet, or when a certain server is sending you a large number of messages and needs to be blocked.

User Specific Black/White Lists

Besides the global list, every user has their own black/white list. Individual users can modify this list without affecting other users on the system.

Adaptive Filtering

Adaptive filter is another term for a self-learning filter. These filters analyze every email that comes into the system and fine-tune themselves. Initially, these filters have no effect on determining a message category. Once enough emails have been analyzed, these filters automatically turn themselves on and assign a score to the email.

There are two types of adaptive filters currently available in ITA Secure Messaging:

  • Bayesian Analysis
  • Auto-Learn Sender

Bayesian Analysis

The Bayesian filter analyzes the complete email, looking for hammy (good) words as well as spammy words. It then computes the probability of the message being spam or ham. This filter considers the type of emails that you have received in the past to determine.

When ITA Secure Messaging is installed, this filter runs in a learning mode and parses every message that comes into the system. After a certain number (5000 by default) of emails have been analyzed, this filter switches to running mode and adds its own score to the email.

Please note that even if Bayesian Analysis is turned off, ITA Secure Messaging can block over 99% of your spam emails due to other filters in the system.

Auto-Learn Sender

Whenever an in-house user sends an email to someone on the Internet, ITA Secure Messaging puts the name of the recipient in its white list. This way, when the person on the Internet replies to your message, the reply never gets blocked.

Content Filtering

ITA Secure Messaging Rules Engine uses sophisticated algorithms to parse the email content, specifically looking for the tricks and techniques spammers use to bypass anti-spam filters. Spammers use many techniques and tricks to keep their emails from being captured by spam filtering software. Our CuRE technology within Rules Engine prevents this. The content filters within the Rules Engine use some of the following techniques to filter emails.

Header filter: Extracts different elements from the email header, such as the IP address.

Pre-Post processing: Many spammers use embedded HTML comments to avoid being caught. For instance, the following characters are displayed as Viagra in the user's email reader but can easily confuse an anti-spam filter looking for the actual word Viagra.
  • V<!--abcd -->i<!-- nonsense -->a<!--X-->gr<invalidtag>a
Rules Engine is capable of extracting embedded words within HTML comments and invalid HTML tags, thus capturing this kind of spam as well.

Regular Expression: The Rules Engine uses powerful regular expressions to search for words. For instance, Viagra is caught in all of the following examples:
  • Viagra
  • V i a g r a
  • V*i*a*g*r*a
  • V1agr@
Note that the words written above are interpreted correctly by a human being but are tricky for anti-spam filters unless the filters contain all variations of the spellings a spammer may use, which in some cases may be impossible. ITA Secure Messaging with the regular expression usage option can eliminate this possibility.

Base 64: Spammers often use an uncommon character set to elude spam filtering programs. Use of Base64 is a common technique. Most email readers, like Outlook and Netscape, convert these characters into human-readable format before displaying them; however, they can be confusing for anti-spam filters not designed to address this possibility. ITA Secure Messaging looks out for this spammer technique as well.

ITA Secure Messaging Rules Engine applies filtering techniques to all parts of the email:

  • Header
  • Sender
  • Subject
  • Message Body

Custom Filtering

Custom Filters contained in the Rules Engine are designed to enhance and improve the effectiveness of ITA Secure Messaging. They are written, for example, to address a specific type of attack spammers may use, to block a certain type of virus-laden email attack, or to block a new technique spammers may have developed in their constant battle to defeat anti-spam filters. Custom Rules allow tremendous flexibility to an organization that wants to extend the functionality of the product. They allow a business to write its own Custom Rules in an industry-standard language. ITA Secure Messaging Research Team keeps pace with and beats the spammers by writing Custom Rules for ITA Secure Messaging. These new Custom Rules can be applied automatically and immediately to your own deployment of ITA Secure Messaging through the ITA Secure Messaging automatic online update feature. Out of the box, ITA Secure Messaging comes with a set of custom filters that are used to detect spam upon.

  • Block specific types of adult content
  • Block a particular email-borne virus
  • Block large email messages to prevent excessive bandwidth usage

Examples of ITA Secure Messaging Custom Filters

Embedded HTML comment detector: Spammers use HTML comments to break up words that would normally get caught by ordinary spam filtering software. An example is:

Via<!--comment-->gra
Via<invalidTag>gra

Here the word Viagra is broken into pieces and therefore might slip through a regular content filtering program.

This custom filter not only removes unnecessary comments from the code but also penalizes the email for using such techniques.
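The pre-processing, regular-expression and Base64 techniques described under Content Filtering, together with the embedded HTML comment detector above, can be combined as follows. This is an added example, not ITA's code; the score weights, the threshold, the lookalike table and the sample message are assumptions constructed for illustration.

```python
import base64
import email
import re
from email import policy

# Assumed weights and threshold; the page does not publish the product's values.
KEYWORD_SCORE, SPLIT_PENALTY, THRESHOLD = 5.0, 2.0, 6.0
# Constructed lookalike table: characters that may stand in for a letter.
LOOKALIKES = {"a": "a@4", "i": "i1!|", "e": "e3", "o": "o0", "s": "s5$"}
MARKUP = r"(?:<!--.*?-->|<[^<>]*>)"  # an HTML comment or any tag, valid or not


def keyword_regex(word):
    """Regex for `word` tolerating lookalikes and up to two separators per gap."""
    letters = ["[" + re.escape(LOOKALIKES.get(c, c)) + "]" for c in word.lower()]
    return re.compile(r"[\W_]{0,2}".join(letters), re.IGNORECASE)


def strip_markup(html):
    """Return (text without comments/tags, number of markup runs inside a word)."""
    splits = len(re.findall(r"(?<=\w)" + MARKUP + r"+(?=\w)", html, re.DOTALL))
    return re.sub(MARKUP, "", html, flags=re.DOTALL), splits


def score_message(raw, keywords=("viagra",)):
    """Decode each text part (Base64 included), strip markup, then score it."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0.0, []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text, splits = strip_markup(part.get_content())
        if splits:  # penalize the evasion itself, as the custom filter does
            score += SPLIT_PENALTY
            reasons.append(f"markup splits words x{splits}")
        for word in keywords:
            if keyword_regex(word).search(text):
                score += KEYWORD_SCORE
                reasons.append(f"keyword {word}")
    return score, reasons, score >= THRESHOLD


# Constructed sample: the page's obfuscated string, sent as a Base64 HTML body.
BODY = "Cheap V<!--abcd -->i<!-- nonsense -->a<!--X-->gr<invalidtag>a today"
SAMPLE = ("Subject: hello\nMIME-Version: 1.0\n"
          "Content-Type: text/html; charset=utf-8\n"
          "Content-Transfer-Encoding: base64\n\n"
          + base64.b64encode(BODY.encode()).decode() + "\n")
```

Tolerating separators between letters also matches some innocent text (for example "via gravel"), which is one reason to add the result to a score rather than reject on a single match.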

Garbage Detector: Many spam emails contain meaningless words, which are used to confuse pattern-based spam filtering software. ITA Secure Messaging detects the use of such words and increases the overall score of the email.

Date verification filter: Some spammers use dates that are either very far in the future or very far in the past. When users open their mail, these messages always appear at either the top or the bottom of all other messages in the INBOX. This custom rule detects these messages and assigns a score.

External Pages: Sometimes spammers don't put any content in the email message itself. Instead, the message body refers to an external HTML page that usually contains the actual message. This custom rule detects these cases and assigns a score.

UUEncoded Message: Email messages in the past were sometimes sent as UUEncoded messages. UUEncoded messages contain hexadecimal codes, which are then interpreted by an email reader into human-readable format. Spammers take advantage of this by sending UUencoded messages to bypass anti-spam filters. Normal emails nowadays should never be sent UUencoded. ITA Secure Messaging detects UUencoded messages and assigns a score when it finds them.

Foreign Characters Set: This rule checks for non-English characters in the email message. If you only expect your messages to be in English, turning on this rule can eliminate emails that are sent in any language other than English.
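Three of the custom rules listed above (date verification, UUencoded message, foreign character set) written out as an added example; this is not ITA's code. The scores, the three-day date tolerance, the 30% non-ASCII ratio, scoring an unparsable Date, and the sample message are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumed scores and tolerances; the page does not give the product's values.
SCORES = {"date": 2.0, "uuencode": 3.0, "foreign": 2.0}
MAX_SKEW = timedelta(days=3)
MAX_NON_ASCII_RATIO = 0.3
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} \S+\s*$", re.MULTILINE)


def date_is_suspicious(date_header, now):
    """True if Date is missing, unparsable, or more than MAX_SKEW from `now`."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return True  # assumption: a message without a usable Date is scored too
    if sent.tzinfo is None:  # a "-0000" zone parses to a naive datetime
        sent = sent.replace(tzinfo=timezone.utc)
    return abs(now - sent) > MAX_SKEW


def custom_rule_hits(raw, now):
    """Return (score, rule names) for the date, UUencode and character-set rules."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hits = []
    if date_is_suspicious(msg["Date"], now):
        hits.append("date")
    if UU_BEGIN.search(body):  # "begin <mode> <name>" opens a UUencoded block
        hits.append("uuencode")
    letters = [c for c in body if c.isalpha()]
    non_ascii = sum(ord(c) > 127 for c in letters)
    if letters and non_ascii / len(letters) > MAX_NON_ASCII_RATIO:
        hits.append("foreign")
    return sum(SCORES[h] for h in hits), hits


# Constructed inputs: a fixed "now" and a message dated 2038 with a UUencoded body.
NOW = datetime(2006, 6, 1, tzinfo=timezone.utc)
SAMPLE = ("Date: Fri, 01 Jan 2038 00:00:00 +0000\nSubject: hi\n\n"
          "begin 644 note.txt\n#0V%T\n`\nend\n")
```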

© 2006 ITA Networks, Inc