The VSAPI interface is currently used for antivirus scan and rule-based protection.
1.2.2 Message filtering on the SMTP server level
SMTP server-level filtering is secured by a specialized plugin. In Microsoft Exchange Server 2000 and 2003, the plugin in question (Event Sink) is registered on the SMTP server as a part of Internet Information Services (IIS). In Microsoft Exchange Server 2007/2010, the plugin is registered as a transport agent on the Edge or the Hub roles of the Microsoft Exchange Server.
SMTP server-level filtering by a transport agent provides protection in the form of antivirus, antispam and user-
defined rules. As opposed to VSAPI filtering, the SMTP server-level filtering is performed before the scanned email
arrives in the Microsoft Exchange Server mailbox.
1.3 Types of protection
There are three types of protection:
1.3.1 Antivirus protection
Antivirus protection is one of the basic functions of the ESET Mail Security product. It guards against malicious system
attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus
module can eliminate it by first blocking it and then cleaning, deleting or moving it to quarantine.
1.3.2 Antispam protection
Antispam protection integrates several technologies (RBL, DNSBL, Fingerprinting, Reputation checking, Content
analysis, Bayesian filtering, Rules, Manual whitelisting/blacklisting, etc.) to achieve maximum detection of email
threats. The antispam scanning engine’s output is the spam probability value of the given email message expressed as
a percentage (0 to 100). Values of 90 and above are considered sufficient for ESET Mail Security to classify an email as
spam.
Another component of the antispam protection module is the Greylisting technique (disabled by default). The
technique relies on the RFC 821 specification, which states that since SMTP is considered an unreliable transport, every
message transfer agent (MTA) should repeatedly attempt to deliver an email after encountering a temporary delivery
failure. A substantial part of spam consists of one-time deliveries (using specialized tools) to a bulk list of email
addresses generated automatically. A server employing Greylisting calculates a control value (hash) for the envelope
sender address, the envelope recipient address and the IP address of the sending MTA. If the server cannot find the
control value for the triplet within its own database, it refuses to accept the message, returning a temporary failure
code (temporary failure, for example, 451). A legitimate server will attempt a redelivery of the message after a variable
time period. The triplet’s control value will be stored in the database of verified connections on the second attempt,
allowing any email with relevant characteristics to be delivered from then on.
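The following is an added illustration of the greylisting decision just described, not ESET's own code: the envelope sender, envelope recipient and sending MTA address are hashed into a triplet key, an unknown triplet gets a temporary failure, and the triplet is stored as verified when the sending MTA retries. The minimum retry delay and the exact reply strings are assumptions for the example, not values from the manual.

```python
import hashlib
import time
from dataclasses import dataclass, field

# Constructed SMTP replies; the manual only gives 451 as an example temporary code.
TEMP_FAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    # Assumption not stated on the page: a retry that arrives sooner than this
    # is still refused, so a sending tool that retries instantly gains nothing.
    min_retry_delay: float = 300.0
    pending: dict = field(default_factory=dict)   # triplet hash -> first seen (epoch secs)
    verified: set = field(default_factory=set)    # hashes of triplets that retried properly

    @staticmethod
    def triplet_hash(sender: str, recipient: str, mta_ip: str) -> str:
        """Control value for (envelope sender, envelope recipient, sending MTA IP)."""
        key = f"{sender.lower()}\x00{recipient.lower()}\x00{mta_ip}"
        return hashlib.sha256(key.encode()).hexdigest()

    def decide(self, sender: str, recipient: str, mta_ip: str, now: float = None) -> str:
        """Return the SMTP reply the server should give for this delivery attempt."""
        now = time.time() if now is None else now
        h = self.triplet_hash(sender, recipient, mta_ip)
        if h in self.verified:
            return ACCEPT                      # known triplet: deliver immediately
        first_seen = self.pending.get(h)
        if first_seen is None:
            self.pending[h] = now              # first attempt: remember and refuse
            return TEMP_FAIL
        if now - first_seen < self.min_retry_delay:
            return TEMP_FAIL                   # retried too quickly: still refuse
        # Legitimate MTA retried after a delay: store the triplet and accept.
        del self.pending[h]
        self.verified.add(h)
        return ACCEPT
```

A one-shot bulk mailer that never retries, or retries immediately, never moves its triplet into the verified set, which is the property the technique relies on.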
1.3.3 Application of user-defined rules
Protection based on user-defined rules is available for scanning with both the VSAPI and the transport agent. You can
use the ESET Mail Security user interface to create individual rules that may also be combined. If one rule uses multiple
conditions, the conditions will be linked using the logical operator AND. Consequently, the rule will be executed only if
all its conditions are fulfilled. If multiple rules are created, the logical operator OR will be applied, meaning the
program will run the first rule for which the conditions are met.
In the scanning sequence, the first technique used is greylisting, if it is enabled. The subsequent steps always
execute the following techniques in this order: protection based on user-defined rules, followed by an antivirus scan
and, lastly, an antispam scan.