This article explains how ARMed SMTP makes inbound email scanning more efficient and effective by analyzing the reputation of the sending IP and email address, performing content checks, and applying policies to detect and block spam, malware, and unwanted emails.
Also see Security & Efficacy - Security Recommendations.
Introduction
Checks are performed when Mimecast processes an inbound email, to ensure only legitimate emails are accepted. Part of this processing includes Mimecast's proprietary ARMed SMTP (Advanced Reputation Management). ARMed SMTP helps make inbound email scanning more efficient and effective by looking at the reputation of the sending IP and email address.
Mimecast uses a combination of Policies, reputation checks, anti-spam, and virus systems to detect and, if necessary, reject unwanted emails. The implementation of the ARMed SMTP protocol also allows for the following:
- Analysis of anomalies.
- Comparison of shared and individual reputations.
- Detection of malware.
Policies always apply to the From and To addresses matched to the email. However, if the receiving address used is a Distribution List, then User-Managed Sender Policies may not take effect, as they apply to a member address of the distribution list.
Understanding ARMed SMTP
Understanding the order of the checks applied is significant. It will assist you when troubleshooting delayed or failed inbound and outbound emails. Mimecast also recommends that you review Security Recommendations.
Mimecast ARMed SMTP occurs during the communication between the sending email server and the receiving MTA (Mail Transfer Agent) in the Mimecast architecture. Therefore, emails are analyzed inside the protocol, or "on the wire", before they are accepted or rejected. In addition, this prevents the unnecessary transfer of unwanted emails to the customer infrastructure.
ARMed SMTP blocks 98.5% of all dark SMTP traffic, including spam, DoS attacks, directory harvest attacks, and malformed SMTP packets.
How does ARMed SMTP work?
ARMed SMTP consists of a combination of Policies and reputation checks that work on a protocol level for delivery pattern recognition - coupled with Mimecast's MTA, which helps emails to be processed more efficiently. If detection occurs, then those emails will be rejected in the protocol.
The following tables represent the steps in processing an inbound email, briefly explaining each point. A definitive model is hard to display, because some processes occur very quickly and some occur almost simultaneously.
| Policy | Description | If Triggered |
|---|---|---|
| Anti-Spoofing Policy | This Policy blocks spoof attempts. If a spammer falsifies their sending address to masquerade as an internal Domain address, Mimecast rejects the email. | Rejects Email |
| Blocked Senders Policy | These Policies reject the connection, and as with all other rejections, the established link is terminated in the protocol. Unfortunately, this means that the email data cannot be released or retrieved, as it is not present in Mimecast. | Rejects Email |
| Permitted Senders Policy | Permitted Sender Policies bypass all spam reputation and content-based checks, but not anti-virus checks. An email will be rejected if an email address or domain is in both a Permit and a Block Policy, because the Blocked Senders Policy is applied first. For example, an end-user may have permitted an email address, but the Administrator has blocked that entire Domain at a global level. The email will be rejected in this case because the Domain Block Policy is applied first. | Bypasses Spam Checks |
| Auto Allow Policy and Managed Senders | When an internal user sends an email, Mimecast adds the recipient's email address to an Auto Allow database. When the recipient sends an email to the internal user, Mimecast checks their email address against this database. If a match is found, the email is allowed through without applying additional spam reputation and content checks. As with the Permitted Senders Policy, virus checks are still performed. User Managed Sender entries can manually bypass spam checks with a Permit entry, or create a Block entry that takes precedence over Permit and Auto Allow. An Auto Allow Policy is applied where the message is between the sender and recipient only, or the sender and multiple internal recipients, unless an additional policy has overridden it. | Bypasses Spam Checks |
Reputation Checks
| ARMed SMTP Step | Description | If Triggered |
|---|---|---|
| IP Reputation Checks (Bypassed by Auto Allow and Permitted Senders Policies) | Block lists are applied next. These contain the IP addresses of known malware senders. Mimecast utilizes its proprietary block list with other commercial DNS block lists. The additional IP reputation check functions as a global network outbreak detection system. This enables Mimecast to be the first responder in many known and unknown malware threat detections. This reputation service also temporarily defers connections if they are suspected of having a bad reputation. Updated checks will periodically be made, after which the connection is either accepted, deferred, or rejected. | Rejects Email |
| Greylisting (Bypassed by Auto Allow and Permitted Senders Policies) | Compliance checks against the sender's mail server (based on the sender's email address, IP address, and recipient's email address) for all connections Mimecast has not seen before. Mimecast gives a busy signal, prompting the sending server to retry the email delivery after 1 minute. The connection request will be accepted if the sender's mail server complies within the allotted time-frame. If the email is not retried within 12 hours, the email connection is dropped and rejected. | Temporarily Defers the Connection (Sender must retry) |
| Recipient Validation | Recipient validation is used to prevent inbound emails with invalid recipient addresses. Spammers send out large volumes of email to addresses that are mostly guessed or obtained by directory harvesting. Mimecast uses different types of recipient validation, configured against each Domain in Mimecast. | Rejects Email |
| DNS Authentication | DNS Authentication combines three industry-standard email authentication technologies that allow domain owners to control who sends on behalf of their domains. It also validates the authenticity of inbound messages. | Rejects Email or Ignores Auto Allow or Permitted Sender entries. |
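The greylisting step above, modelled as an added Python example (not Mimecast's code). The 1-minute retry and 12-hour window are the figures from the table; keying on the (sender, IP, recipient) triplet, deferring a retry that arrives sooner than 1 minute, and the `bypass` flag for Auto Allow and Permitted Senders are assumptions.

```python
from dataclasses import dataclass, field

DEFER = "defer"      # busy signal: the sending server must retry
ACCEPT = "accept"    # connection accepted; the triplet is remembered
REJECT = "reject"    # retry window missed: connection dropped and rejected

MIN_RETRY = 60           # 1 minute, from the article
MAX_RETRY = 12 * 3600    # 12 hours, from the article


@dataclass
class Greylist:
    """Greylisting state keyed on (sender address, sending IP, recipient).
    The triplet key is an assumption; the article lists those three values."""
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    known: set = field(default_factory=set)       # triplets that complied once

    def check(self, sender, ip, rcpt, now, bypass=False):
        # Auto Allow and Permitted Senders entries skip greylisting entirely.
        if bypass:
            return ACCEPT
        triplet = (sender.lower(), ip, rcpt.lower())
        if triplet in self.known:
            return ACCEPT
        first = self.pending.get(triplet)
        if first is None:
            self.pending[triplet] = now      # never seen before: busy signal
            return DEFER
        age = now - first
        if age < MIN_RETRY:                  # retried too soon: still busy (assumed)
            return DEFER
        if age > MAX_RETRY:                  # not retried within 12 hours
            del self.pending[triplet]
            return REJECT
        del self.pending[triplet]            # compliant retry: remember it
        self.known.add(triplet)
        return ACCEPT
```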
Content Scanning
| ARMed SMTP Step | Description | If Triggered |
|---|---|---|
| Spam/Virus Scanning (Spam Scanning is bypassed by Auto Allow and Permitted Senders Policies. VIRUS SCANNING CANNOT BE BYPASSED) | Spam scanning: Mimecast uses multiple content-based heuristic scanning engines. These examine the content of emails and look for key phrases and other identifiers commonly used by spammers. These include content matching rules, DNS-based, checksum-based, and statistical filtering definitions. Then, depending on the policy configured, the email is held for review if a match is found. Virus scanning: Mimecast combines its proprietary software (ZHARA - Zero Hour Adaptive Risk Assessor) with market-leading commercial software, providing malware protection with collective intelligence gathered from millions of commercial and freeware users. Mimecast's engines combine signature and heuristic malware detection technologies. These detection systems work on the wire, allowing Mimecast to shut off viral and intrusive transmissions early. Additionally, any email matching a malware signature is rejected. | Spam Scanning: Rejects Email if Spam Content is High, or Holds Email for Review. Virus Scanning: Rejects Email |
| Content Examination | If Content Policies have been configured, emails are scanned for text-based matches. In addition, Content Policies can be configured to examine the content of an email for a word, phrase, or combination thereof. A detected email can then be held for review, encrypted, or sent using Mimecast's Secure Messaging, amongst other features. | Several actions could be selected. |
| Attachment Management | Attachment Policies are configured to look for certain attachment types and sizes. If found, the following actions can take place: | Emails could be Held for Review, or Attachments could be removed while the email body is delivered (with or without notification). |
Ultimately, emails that pass these checks will be accepted and moved to the Delivery Queue for final delivery to the recipients' mail service. If an email does not reach the intended destination, use the Tracking tools provided by Mimecast to determine the email delivery issue.
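The policy precedence and scanning order described across the tables above (Anti-Spoofing, Blocked before Permitted, Auto Allow, and virus scanning that no policy bypasses), as an added Python example that is not Mimecast's code. The `Policies` container, the `spam_score` scale (0 clean, 1 matched, 2 high) and the `sender_is_internal_source` flag are assumptions made for the model.

```python
from dataclasses import dataclass, field

REJECT, HOLD, ACCEPT = "reject", "hold", "accept"


@dataclass
class Policies:
    """Constructed policy sets for the model; entries may be full addresses
    or bare domains, at user or administrator level alike."""
    internal_domains: set
    blocked: set = field(default_factory=set)      # Blocked Senders entries
    permitted: set = field(default_factory=set)    # Permitted Senders entries
    auto_allow: set = field(default_factory=set)   # recipients internal users wrote to


def _matches(entries, addr):
    """An entry matches on the full address or on its domain."""
    return addr in entries or addr.split("@")[1] in entries


def process_inbound(p, sender, sender_is_internal_source, virus, spam_score):
    """Decision order modelled on the article: anti-spoofing, then block,
    then permit / auto allow (spam bypass only), then scanning."""
    sender = sender.lower()
    domain = sender.split("@")[1]
    # Anti-Spoofing: an internal domain in the sender address that did not
    # originate from the organization's own infrastructure.
    if domain in p.internal_domains and not sender_is_internal_source:
        return REJECT, "anti-spoofing"
    # Blocked Senders is applied before any Permit, so a user-level permit
    # of one address cannot override an administrator's domain-level block.
    if _matches(p.blocked, sender):
        return REJECT, "blocked sender"
    skip_spam = _matches(p.permitted, sender) or sender in p.auto_allow
    # Virus scanning runs for every email, bypass or not.
    if virus:
        return REJECT, "virus"
    if not skip_spam:
        if spam_score >= 2:
            return REJECT, "spam (high)"
        if spam_score == 1:
            return HOLD, "spam (review)"
    return ACCEPT, "delivery queue"
```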