Dualog MailDefence - Introduction

INTRODUCTION

Figure 1.1 below shows the Email Flow: [Figure 1.1: Life of a message illustration]


The email enters Dualog from the Internet

  1. The firewall verifies that the Email conforms to the RFC822 standard (SMTP); if it does not, the Email is rejected.

The email enters the Dualog MailDefence filter

Domain Checks

  1. Checks if the sender domain exists.
    • If it does not exist, the Email is discarded as not coming from a legitimate domain.
  2. Checks if the original sending server is blacklisted on Spamhaus.
    • If it is listed, the Email is rejected. Spamhaus is a list with a good reputation.
  3. Check the SPF, DKIM and DMARC status. Depending on the set of rules (customized), one of the following happens for SPF/DMARC failures:
    • Reject Email
    • Add 7 to the spam score 

Virus Checks

  1. Sends the Email with attachments to 5 separate virus scanners (more will be added). Some of these scanners will scan for other malicious content as well.
    • Quarantine the attachment if a virus is found. Notify the receiver if configured to do so. The default action is to silently quarantine to avoid spamming the receiver with virus notifications. 

Spam Checks

  1. Machine learning to analyze sender reputation.
  2. The anti-spam engine analyzes the Email, generating a spam score based on a multitude of pattern checks tailored to the maritime industry.
  3. Sends the Email checksum (the “fingerprint” of the email) to multiple real-time updated lists to determine whether they see it as spam.
  4. If the total spam score reaches a set threshold (above 4), we will add a {SPAM?} tag at the start of the message. If it reaches a high spam score (default set to 10, at which point we are certain it’s spam), we will block the message.
  5. Checks with multiple online spam lists whether the sending domain is blacklisted or not.
    • If it is listed on at least 3 of these lists, the mail will be tagged as spam.
  6. Custom detection, as well as custom score values, are possible for customers.

Phishing Checks

  1. Checks against an updated list of known phishing senders.
  2. Sends the Email checksum (the “fingerprint” of the email) to multiple real-time updated lists to determine whether others have marked it as phishing.
  3. Sends the Email checksum (the “fingerprint”) to a list to see if this email has been broadcast to multiple recipients across many domains (mass email phishing).
  4. Goes through all links in the Email to check if any of the links point to a known bad website.
  5. Checks if the link in the Email points to where it says it points.
    • Will warn inline in the mail if the link does not correspond with the text.
  6. If we are certain that it is phishing, we will add {PHISHING} to the subject line 

Attachment Verification

  1. Check if the filename extension is allowed (for instance .exe). This is a preventive measure to stop zero-day attacks (not detected by virus scanners). If the filename extension is blacklisted it will be put in quarantine.
  2. Check if the file type is allowed (block for instance executable files, regardless of filename). This is to prevent zero-day attacks. Put in quarantine if blacklisted.
  3. Do the above checks for archived/compressed files as well. Unpack the archive and check the content.
  4. If configured to do so, block password-protected archives from non-whitelisted senders. Malware tends to avoid virus scanning by password-protecting the attachment. The default action is to allow password-protected attachments.
  5. Check for allowed filenames even within password-protected zip files.
  6. Custom white and blacklists for customers.
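
Steps 1 to 5 of the attachment verification above, sketched in Python as an added example (this is not Dualog's code). The extension list, magic-byte table and size/depth limits are assumed values, and only ZIP archives are handled.

```python
import io
import zipfile

# Assumed policy values for illustration; the page does not publish Dualog's lists.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")
EXECUTABLE_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}
MAX_DEPTH = 3                  # nested archives deeper than this are flagged
MAX_MEMBER_SIZE = 50 * 2**20   # do not unpack members above 50 MiB (zip bombs)


def check_attachment(name, data, block_encrypted=False, depth=0):
    """Return (path, reason) findings for one attachment; empty list = allowed."""
    findings = []
    # Step 1: filename extension.
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        findings.append((name, "blocked extension"))
    # Step 2: file type from content, regardless of filename.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append((name, "blocked file type: " + kind))
    # Step 3: unpack archives and run the same checks on every member.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(name, "archive nested too deeply")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [(name, "corrupt archive")]  # fail closed
    with zf:
        for info in zf.infolist():
            path = name + "/" + info.filename
            if info.flag_bits & 0x1:  # bit 0 set: member is password-protected
                # Step 5: with standard ZIP encryption the member names stay readable.
                if path.lower().endswith(BLOCKED_EXTENSIONS):
                    findings.append((path, "blocked extension"))
                # Step 4: optional policy for non-whitelisted senders.
                if block_encrypted:
                    findings.append((path, "password-protected member"))
            elif info.file_size > MAX_MEMBER_SIZE:
                findings.append((path, "member too large to unpack"))
            else:
                try:
                    inner = zf.read(info)
                except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
                    findings.append((path, "member could not be unpacked"))
                    continue
                findings += check_attachment(path, inner, block_encrypted, depth + 1)
    return findings
```

Any non-empty result would correspond to the quarantine action described in the steps; `block_encrypted` models the optional setting in step 4, which is off by default.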

Size Checks

  1. Check global size limitations. If it is too big it will be rejected, and the sender notified. 

The email enters Connection Suite shore side

  1. Check company-specific size limitations. If it is too big according to configured vessel restrictions it will be put in quarantine and the receiver notified.  

The email enters the vessel

  1. It will be virus-scanned with Dualog Endpoint (ESET) if installed.
  2. If Dualog Protect is installed, the user will have protection against malicious links when clicking on them in the Email.

 

 
