
technical overview

MessageLabs Hosted Email AntiSpam


Technical Product Overview

www.messagelabs.com
info@messagelabs.com

Overview

Approximately 80-90% of all email traffic is unsolicited bulk email, or spam, according to analysis performed
by MessageLabs Intelligence.1 Both a nuisance and an outright threat, spam consumes valuable bandwidth
resources, inhibits productivity, and often harbors links to malicious websites.

Blocking spam effectively and accurately can be a significant challenge. Spammers are constantly evolving
their techniques in an effort to evade the latest defenses. As a result, attacks are increasingly targeted and
sophisticated, making them more difficult than ever to detect. Newer tactics include the use of URL shortening
services, automated translation, and links to reputable sites that have been infected with malware.

Failure to adequately address spam can result in productivity loss as employees spend valuable time sifting
through quarantines or searching for blocked emails. Even worse, inadequate spam defenses can lead to a
security breach that damages customer confidence.

MessageLabs Hosted Email AntiSpam, a Symantec Hosted Service, blocks spam in the cloud, helping you reclaim
valuable bandwidth while helping to protect your organization from denial of service and directory harvest
attacks. Using a combination of traffic shaping, commercial scanners, and proprietary heuristics, MessageLabs
Hosted Email AntiSpam is able to deliver upon an industry-leading service level agreement (SLA) that includes
money back remedies if we are unable to stop 99% of spam with no more than 0.0003% false positives.

This white paper outlines the technical approach we use to deliver our MessageLabs Hosted Email AntiSpam
service and meet our aggressive service level targets.

Global Infrastructure

MessageLabs Hosted Email AntiSpam uses infrastructure managed in the cloud to block spam before it
reaches your network. The service is delivered through a global infrastructure of 14 highly available data
centers located across 4 continents. These data centers are load balanced and housed in highly secure, well-
established telecommunications centers located at major Internet exchange points.

Redundancy within and across data centers enables us to meet our service level agreement target of 100%
service uptime. In addition, we aim to run our email servers at 33 percent of their maximum capacity,
providing ample headroom to handle any unexpected spikes in traffic.

Symantec also maintains an extensive array of decoy email addresses or “honeypots”, which receive several
million spam messages each day. Specifically designed software and automated processes analyze the mail
flowing through these addresses to identify new spam samples and techniques.

At the time of writing this document, MessageLabs infrastructure is processing more than 3 billion email
connections per day on behalf of more than 21,000 customers ranging from Fortune 500 to small businesses.
Handling such a large amount of email traffic for such a broad range of global customers enables us to identify
and block new emerging spam techniques faster.

1 MessageLabs Intelligence Report, Q3 September 2009


The MessageLabs Platform


MessageLabs Hosted Email AntiSpam service uses a sophisticated multi-layer architecture that combines
multiple commercial and proprietary scanning engines. The following techniques are used at the perimeter of
our platform to provide a first layer of spam defense:

Traffic Management
Traffic management uses techniques that analyze traffic patterns at the TCP/IP protocol level to evaluate
potentially malicious IP addresses. IP addresses that are considered a threat are identified, and the number of
connections they are allowed to make to the MessageLabs email infrastructure is reduced. This dramatically shrinks
malicious email volumes while enabling legitimate email to reach its destination.

MessageLabs traffic management technology analyzes IP interaction over a period of time after
connection limiting steps are taken. Standard business mail servers are known to have different
connection patterns from those of a bot that is delivering either malicious code or spam. Taking
a holistic approach that goes beyond evaluating current known reputations and includes studying
connection patterns over time allows the system to more intelligently determine how many connections
should be accepted by the infrastructure.

Connection Management
Connection management works at the SMTP connection layer using techniques to verify legitimate
SMTP conversations. Multiple component technologies are deployed in this layer of the platform to
study the methodologies used by different servers to connect to our infrastructure. Using SMTP heuristics
and signaturing components at the connection layer allows MessageLabs to proactively shut down
illegitimate SMTP conversations.


User Management

User management uses Registered User Address Validation to reduce the overall volume of emails for
registered domains and discards connections for which the recipient addresses are identified as invalid
or non-existent. In addition to reducing the volume of illegitimate email, this helps to block dictionary
attacks to a customer’s mail infrastructure.

Collectively, traffic management, connection management, and user management dramatically reduce the
volume of mail that hits the antivirus scanning layer of the MessageLabs Hosted Email AntiSpam service. This
allows us to apply in-depth analysis techniques at the spam scanning layer without compromising mail delivery
times.

Multi-Layered Spam Filtering

MessageLabs Hosted Email AntiSpam service uses multiple layers of filtering techniques so that the accuracy
of our spam detection is not overly dependent on a single method.

Commercial signature-based spam detection technology is used to compare incoming email against a
vast knowledgebase of spam messages currently in circulation. This enables exact matching of spam and
significantly reduces the chance that real business mail might be halted. Using this technology, mail is
inspected and lookups are performed by name, address, text and data characteristics.

MessageLabs Hosted Email AntiSpam service also uses proprietary heuristic technology called Skeptic™ to
identify and block spam.


Skeptic™ Heuristic Technology

Skeptic™ is the unique, heuristic technology used by MessageLabs Hosted Email AntiSpam to provide
protection against new and emerging spam threats before they get near your corporate network.

Skeptic™ learns from every message it sees, updating and evolving with every new threat. Operating in the
cloud, Skeptic™ scans billions of messages each week and leverages intelligence gathered from a variety of
sources including our global network of honeypots, our Web and instant messaging security services, and the
Symantec Global Intelligence Network.

Skeptic™ combats spam by examining each email and forming a decision based on the summation of scores
from several analysis techniques. If the score reaches a set threshold, the email will be identified as spam. The
following are a few of the techniques deployed by our service in this scoring process:

Soft Heuristics

This is a list of several thousand individually scored rules which are used for defining spam. Some
examples of these rules include background detection, excessive use of hypertext links, forged email
headers and unsubscribe links.

Hard Heuristics

Examples of hard heuristics include the ability to identify email that has been sent to non-RFC compliant
addresses and heuristics which identify email sent by a compromised machine.

Training

To optimize accuracy and effectiveness, each part of the rules-based process used by MessageLabs
Hosted Email AntiSpam must be continuously evaluated and refined. The evaluation process is carried
out by the Skeptic™ team and consists of testing the service with large volumes of known spam and
legitimate email as well as refining the process should a new spam tactic be detected.

IP Reputation

Skeptic™ has several means of identifying information about the source IP address of an email. For
example, there are certain types of computers on the Internet that should simply never send email,
or which are only used to send spam. These include: known spam sources, open proxies on consumer
internet connections and certain types of open relay and hijacked network blocks. If Skeptic™ discovers
IP addresses matching these criteria it will take action to stop mail as spam if it comes from these
addresses.

This list represents just a few of the several means used by Skeptic™ to determine whether a particular email is
spam.


Block Lists, Approved Lists and Spam Databases

To further aid in detecting and preventing spam, MessageLabs Hosted Email AntiSpam comes with a
range of configurable lists and spam databases which can be deployed with the service. The client-controlled
approved senders list allows a client to build a list of IP addresses, email addresses and domain names from
which email will be accepted even if that email would otherwise be identified as spam by another part of the
service. Any email that matches an entry on this list will be delivered directly to the end user without being
processed by any of the other components of the spam service.

The private blocked senders list works in a similar way, but in reverse order from the approved senders list. A
client is able to build a list of IP addresses, email addresses or domain names from which email will always be
identified as spam. This list allows a client to supplement spam detection techniques used by the service or to
block unwanted emails from specific individuals or domains even if that email is not spam.

MessageLabs also offers the use of multiple public block-list databases. These DNS-based spam databases
offer network-layer spam blocking which is focused on stopping spam at its source.

Spam Actions

Detection methods for incoming email and resulting actions for suspected spam can be configured as
necessary. These settings can be set to apply globally or for a specific domain or group.

Once spam has been identified, a number of actions may be carried out:

Block and delete

Email deleted by this technique will not be transmitted to the client’s email server and cannot be
recovered.

Quarantine

Spam Manager quarantines messages identified as spam in a location accessible for review by an
organization’s end users. Using Spam Manager, end users are able to preview and release messages
to their regular email inboxes, delete messages, and manage individual notification, email address
and password options. Multiple spam quarantine languages are provided in order to accommodate
customers with a global workforce who wish to empower users to manage their spam quarantines.

Append a header and redirect to a bulk email address

This action will divert the spam to an email account specified by the client. It will also add an x-header
to the email envelope to indicate that it has been identified as spam. This technique is useful for
companies that are concerned with possible false positives, as it will allow them to either examine each
piece of spam or at least store the spam for a time in case end users claim that they are missing an
email.

Append a header but allow email through

This technique is useful for companies that only wish to tag spam and to use email client based filtering
techniques to move the spam to another email folder. It will add the x-header but will take no other
action.

Whichever action is chosen, a record of the spam will be made within ClientNet, the MessageLabs Hosted Email
AntiSpam management interface.
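The score-summation decision, the approved and blocked senders lists, and the "append a header but allow email through" action described above can be sketched as follows. This is an added example, not MessageLabs or Skeptic™ code: the rule names, scores, threshold, the `X-Example-Spam` header name, the choice to check the approved list before the blocked list, and the treatment of a hard heuristic as decisive on its own are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

THRESHOLD = 5.0  # assumed cut-off; the page does not publish one
# Conservative address check (dotted domain required), not a full RFC 5322 parser.
ADDR_RE = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Hypothetical soft rules: (name, score, predicate(msg, body)). Scores are invented.
SOFT_RULES = [
    ("excessive_links", 2.5, lambda m, b: len(re.findall(r"https?://", b, re.I)) > 5),
    ("unsubscribe_link", 1.0, lambda m, b: "unsubscribe" in b.lower()),
    ("missing_message_id", 2.0, lambda m, b: m["Message-ID"] is None),
    ("missing_date", 1.5, lambda m, b: m["Date"] is None),
]

def on_list(entries, client_ip, sender):
    """Match a client list of IP addresses, email addresses or domain names."""
    domain = sender.rpartition("@")[2]
    return bool({client_ip, sender, domain} & {e.lower() for e in entries})

def classify(raw, client_ip, approved=(), blocked=()):
    """Return (verdict, score, rule_hits) for one inbound message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Approved senders bypass every other check, as the page describes.
    if on_list(approved, client_ip, sender):
        return "deliver", 0.0, ["approved_list"]
    if on_list(blocked, client_ip, sender):
        return "spam", THRESHOLD, ["blocked_list"]
    body = msg.get_payload()
    hits = [(n, s) for n, s, test in SOFT_RULES if test(msg, body)]
    # Hard heuristic (assumed decisive on its own): non-RFC-compliant recipient.
    rcpt = parseaddr(msg.get("To", ""))[1]
    if not ADDR_RE.match(rcpt):
        hits.append(("non_rfc_recipient", THRESHOLD))
    score = sum(s for _, s in hits)
    return ("spam" if score >= THRESHOLD else "deliver"), score, [n for n, _ in hits]

def tag_and_pass(raw, verdict, score):
    """'Append a header but allow email through'; X-Example-Spam is a made-up name."""
    msg = message_from_string(raw)
    if verdict == "spam":
        msg["X-Example-Spam"] = f"yes; score={score:.1f}"
    return msg.as_string()

# Constructed sample messages (not real traffic).
SPAM = ("From: promo@bulk.example\nTo: user@corp.example\nSubject: Deals\n\n"
        + "http://a.example/x " * 6 + "\nClick to unsubscribe\n")
HAM = ("From: alice@partner.example\nTo: user@corp.example\n"
       "Date: Mon, 05 Oct 2009 09:00:00 +0000\nMessage-ID: <1@partner.example>\n\n"
       "Minutes attached. http://partner.example/doc\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        print(name, classify(raw, "192.0.2.10"))
    print(classify(SPAM, "192.0.2.10", approved=["bulk.example"]))
```

Because an approved-list match returns before any rule runs, a single over-broad entry (a whole domain, for instance) silently exempts everything that matches it from scoring, which is worth auditing when tuning such lists.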


Key Reporting Capabilities

Dashboard, summary, detailed and scheduled reporting options are included and configurable to provide
visibility, accountability and confidence in the service’s effectiveness.

The dashboard provides a quick view of the current service performance levels and notable activities,
while detailed reports on spam volume and blocked spam are available for more in-depth analysis. Dashboard
graphs and charts show statistics for selected periods of time.

Summary reports provide status updates and metrics in a convenient PDF format. View graphs, tables,
and key statistics on email volume and service performance down to the domain level. Reports can be
customized to reflect fixed or custom date ranges. Data for these reports is available for the last 12
months of service use.

Detailed reports are useful for in-depth service data analysis. CSV files can be generated, which contain
detailed service statistics. Spreadsheet data on the performance of individual services can also be
exported for detailed analysis. Reports can be customized by sender or recipient, a fixed or custom date
range, domain, and service criteria. The data used for the detailed reports is available for the last 30
days of service use.

Scheduled reports are available in order to supply information about the performance of the service.
These reports are sent by email and can be configured to supply information either globally or by
domain.

Our Industry-Leading Service Level Agreement

MessageLabs Hosted Email AntiSpam is backed by a highly aggressive and comprehensive Service Level
Agreement (SLA) that includes money back remedies if the following performance levels are not met:

• AntiSpam Effectiveness – 99% spam capture (95% for email with Asian characters)
• AntiSpam Accuracy – no more than 0.0003% false positives
• Email Delivery – 100% email delivery
• Latency – average email scanning time within 60 seconds
• Availability – 100% service uptime
• Technical Support – specific response times for critical, major, and minor calls

These performance levels have been selected because we have a track record of meeting or exceeding these
targets.

MessageLabs Hosted Email Security: A United Defense

MessageLabs Hosted Email AntiSpam can defend organizations from the problems created by unsolicited
email. However, it is also important to protect against other email related threats including malware, data
leaks, and lawsuits caused by distribution of inappropriate content.

MessageLabs offers a comprehensive set of hosted email security offerings that filter inbound and outbound
emails and attachments for viruses, spam, and sensitive information. These services are available in a single,
integrated management console that simplifies administration while improving control and visibility into
service effectiveness. MessageLabs hosted email security offerings can also be deployed in larger solutions
that address hosted security across email, Web, and instant messaging traffic or hosted email management
through email encryption, archiving, and continuity.


Summary

By deploying MessageLabs Hosted Email AntiSpam service, you can block unwanted mail before it reaches your
network without deploying hardware or software on-site. Key advantages of our service offering include our
extensive investment in Skeptic™ heuristics to provide enhanced protection against new and emerging spam
techniques, global infrastructure footprint, industry-leading service level agreement, and extensive portfolio of
hosted security and email management offerings.

Begin a free trial of MessageLabs Hosted Email Security Services:


http://www.messagelabs.com/trials/hosted_email_security_services

About Symantec Hosted Services

Symantec Hosted Services is the world’s leading provider of hosted services for securing and managing
email, Web, and IM traffic (or communications). Over 21,000 organizations and over 9 million end users in 99
countries employ Symantec Hosted Services to protect against viruses, spam, phishing, inappropriate Internet
use, spyware and other organization-damaging threats.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help
consumers and organizations secure and manage their information-driven world. Our software and services
protect against more risks at more points, more completely and efficiently, enabling confidence wherever
information is used or stored. More information is available at www.symantec.com.

Copyright ©2009 Symantec Corporation. All Rights Reserved. MessageLabs and the MessageLabs logo are registered trademarks and Be
certain is a trademark of MessageLabs Ltd. and its affiliates in the United States and/or other countries. Other products, brands, registered
trademarks and trademarks are property of their respective owners/companies.
