INTRODUCTION
Figure 1.1 below shows the Email Flow:
The email enters Dualog from the Internet
- The firewall verifies that the Email conforms to RFC822 standard (SMTP) or rejects it
The email enters the Dualog MailDefence filter
Domain Checks
- Checks if the sender domain exists.
  - If it does not exist, the Email is discarded as not coming from a legitimate domain.
- Checks if the original sending server is blacklisted on Spamhaus.
  - If it is listed it will be rejected. This is a list with good reputation.
- Check the SPF, DKIM and DMARC status. Depending on the set of rules (customized), one of the following happens for SPF/DMARC failures:
  - Reject Email
  - Add 7 to the spam score
Virus Checks
- Sends the Email with attachments to 5 separate virus scanners (more will be added). Some of these scanners will scan for other malicious content as well.
- Quarantine the attachment if a virus is found. Notify the receiver if configured to do so. The default action is to silently quarantine to avoid spamming the receiver with virus notifications.
Spam Checks
- Machine learning to analyze sender reputation.
- Anti-spam engine analyzes the Email, generating a spam score based on a multitude of pattern checks tailored to the maritime industry.
- Sends the Email checksum (the “fingerprint” of the email) to multiple real-time updated lists determining if they see it as spam.
- If the total spam score reaches a set threshold (above 4), we will add a {SPAM?} tag at the start of the message. If it reaches a high spam score (default set to 10, where we are certain it’s spam), we will block the message.
- Check with multiple online spam lists whether the sending domain is blacklisted or not.
  - If listed on at least 3 of these lists, the mail will be tagged as spam.
- Custom detection, as well as custom score values, are possible for customers.
Phishing Checks
- Checks against an updated list of known phishing senders.
- Sends the Email checksum (the “fingerprint” of the email) to multiple real-time updated lists determining if others have marked it as phishing.
- Sends the Email checksum (the “fingerprint”) to a list to see if this email has been broadcast to multiple recipients across many domains (mass email phishing).
- Goes through all links in the Email to check if any of the links point to a known bad website.
- Check if the link in the Email points to where it says it points.
  - Will warn inline in the mail if the link does not correspond with the text.
- If we are certain that it is phishing, we will add {PHISHING} to the subject line.
Attachment Verification
- Check if the filename extension is allowed (for instance .exe). This is a preventive measure to stop zero-day attacks (not detected by virus scanners). If the filename extension is blacklisted it will be put in quarantine.
- Check if the file type is allowed (block for instance executable files, regardless of filename). This is to prevent zero-day attacks. Put in quarantine if blacklisted.
- Do the above checks for archived/compressed files as well. Unpack the archive and check the content.
- If configured to do so, block password-protected archives from non-whitelisted senders. Malware tends to avoid virus scanning by password-protecting the attachment. The default action is to allow password-protected attachments.
- Check for allowed filenames even within password-protected zip files.
- Custom white and blacklists for customers.
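The attachment checks above, sketched as an added Python example (not Dualog's code; the extension blocklist, magic bytes, nesting cap and function names are assumptions for illustration). It checks the extension and the content type separately, unpacks zip archives recursively, and still applies the filename policy to password-protected entries, whose names remain readable even though their content is not.

```python
import io
import os
import zipfile

# Assumed policy values for illustration; the page does not list the real ones.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs"}
EXECUTABLE_MAGIC = {b"MZ": "windows executable", b"\x7fELF": "ELF executable"}
MAX_DEPTH = 3  # assumed cap on nested archives, to bound unpacking work

def blocked_extension(name):
    """True if the filename extension is on the blocklist."""
    return os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS

def verify_attachment(name, data, block_encrypted=False, depth=0):
    """Return quarantine reasons for one attachment; an empty list means allow."""
    reasons = []
    if blocked_extension(name):
        reasons.append(f"{name}: blocked extension")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):  # file type check, regardless of filename
            reasons.append(f"{name}: content is {kind}")
    if not data.startswith(b"PK\x03\x04"):  # not a zip archive: nothing to unpack
        return reasons
    if depth >= MAX_DEPTH:
        return reasons + [f"{name}: archive nesting too deep"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + [f"{name}: unreadable archive"]
    for info in archive.infolist():
        path = f"{name}/{info.filename}"
        if info.flag_bits & 0x1:  # encrypted entry: content opaque, name in clear
            if blocked_extension(path):
                reasons.append(f"{path}: blocked extension")
            if block_encrypted:
                reasons.append(f"{path}: password-protected")
            continue
        reasons += verify_attachment(path, archive.read(info), block_encrypted, depth + 1)
    return reasons

def make_zip(members):
    """Build a constructed sample archive in memory from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed sample: an executable renamed to .pdf and hidden inside a zip.
SAMPLE = make_zip({"invoice.pdf": b"MZ\x90\x00 constructed", "notes.txt": b"hello"})
```

Calling `verify_attachment("documents.zip", SAMPLE)` flags the renamed executable by its content even though both the archive name and the member name pass the extension check.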
Size Checks
- Check global size limitations. If it is too big it will be rejected, and the sender notified.
The email enters Connection Suite shore side
- Check company-specific size limitations. If it is too big according to configured vessel restrictions it will be put in quarantine and the receiver notified.
The email enters the vessel
- It will be virus-scanned with Dualog Endpoint (ESET) if installed.
- If Dualog Protect is installed, the user will have protection against malicious links when clicking on them in the Email.