Messaging Security FAQ


Check Point Messaging Security FAQ

Messaging Security Overview

Q: What is “Messaging Security?”
• A: Messaging Security provides a comprehensive solution that offers six dimensions of
protection for a company’s messaging infrastructure. The protections include IP reputation-based
anti-spam, pattern-based anti-spam, administrator-defined block/allow lists, mail
antivirus, zero-hour malware detection and email intrusion prevention. This multi-dimension
approach protects the email infrastructure, provides highly accurate spam protection, and
protects organizations from a wide variety of virus and malware threats within email.

Check Point offers comprehensive Messaging Security as part of UTM-1 Total Security™ in
UTM-1 Total Security appliances or VPN-1® UTM Total Security software licenses.

Q: What is unique about Check Point Messaging Security?
• A: There are five unique characteristics that make the Check Point solution best-in-class for
UTM devices:
1. Protection against advanced spam such as image-based and multi-language spam.
2. Antivirus protection through the combination of both zero-hour and signature-based
detection.
3. UTM solution for Messaging Security that is content and language agnostic.
4. Advanced, real-time IP-reputation service.
5. On-session email blocking (emails are checked and blocked during the original
SMTP/POP3 session).

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. 1


Classification: [Public]—For everyone
Q: What are the dimensions of Messaging Security?
1. IP-Reputation Anti-spam
Check Point’s unique IP-reputation service checks each email connection request against
a comprehensive database of IP addresses to determine whether a sender is legitimate
or a known sender of spam and malware. If a sender is identified as undesirable, UTM-1
Total Security simply drops the connection before a message is even accepted. This
layer drops around 70 percent of incoming spam and malicious email without the need for
further inspection. The dynamic database of IP addresses is refreshed regularly to ensure
that IP addresses no longer exhibiting bad behavior are not blocked indefinitely.
2. Content-based Anti-spam
Pattern-based anti-spam uses a proprietary algorithm to create unique fingerprint-like
signatures of email messages. When a message comes in, its pattern is calculated and
checked against a database to determine if the message matches a known email pattern.
This approach provides content agnostic protection and effectively blocks spam without
looking at any of the actual message content. This makes UTM-1 highly effective against
advanced forms of spam that utilize multiple languages, complex images, or slices of
images.
3. Block/Allow List Anti-spam
Administrators can easily create a list of IP addresses or domains that they would like to
either always block or always allow. This method provides an added layer of granularity
and ensures that trusted sources are explicitly allowed and unwanted sources are
explicitly denied access. The number of blocked IP addresses and domains appears in
the summary section for the Block/Allow list in the Messaging Security management tab.
4. Mail Antivirus
Beyond blocking many attacks at a sender level, UTM-1 Total Security includes a highly-rated
antivirus engine that scans POP3 and SMTP mail protocols. This layer of protection
blocks a wide range of known virus and malware attacks, and is at the core of the
antivirus defense.
5. Zero-Hour Malware Protection
To address newly developing outbreaks, UTM-1 Total Security includes Check Point’s
unique zero-hour Outbreak Protection. By analyzing large amounts of messages on a
global level, outbreaks are identified along with their corresponding messages. These
message patterns are then flagged as malicious, giving UTM-1 Total Security the most
current information about a given attack. With this information, outbreaks are blocked
before a signature may be available, protecting your network in the critical early period of
attack development.
6. SmartDefense™ Email IPS
UTM-1 Total Security utilizes SmartDefense Email IPS to effectively stop attacks
targeting the messaging infrastructure. Such attacks aim to gain access to the protected
network, bring down a piece of the messaging infrastructure, or utilize the messaging
infrastructure as a resource for launching new attacks. UTM-1 Total Security defends
against a broad range of specific attacks such as DoS and buffer overflows.

Messaging Security Functionality
Q: Which platforms support the Messaging Security infrastructure?
• A: Messaging Security is supported on the following platforms:

o Check Point UTM-1 Total Security

o Check Point VPN-1 UTM with Total Security on SecurePlatform™

o Check Point VPN-1 UTM Power™ with Total Security on SecurePlatform

o Microsoft IAS (M2) with Total Security, Microsoft IAS (M6, M8) with Power UTM and
Total Security

Note: Support for Messaging Security on Nokia IPSO is currently on Check Point’s
immediate roadmap.

Q: What is a Check Point Detection Center?
• A: Detection Center is a remote server that contains collected information about email
patterns and IP addresses. Several Detection Centers are located around the world. Each
Check Point gateway that offers Messaging Security functionality is simultaneously
connected to three Detection Centers for redundancy and load balancing purposes. A
Detection Center can be queried about the nature of the email pattern or IP address, and
returns a classification, which allows Messaging Security protections to correctly process the
email.

Q: How can I quarantine spam emails instead of rejecting them?
• A: The Messaging Security solution supports third-party quarantine. By flagging the spam
email’s subject or header, mail servers which support quarantine by subject or header can
be configured to quarantine the flagged emails.

To filter by subject, filter according to the configured strings that are added to the subject
line when choosing "Flag subject."

To filter by header, filter either by the "X-Spam-Status: Yes" header line, or by the
"Category=Spam" / "Category=Suspected Spam" strings that are added to the "X-CheckPoint"
header in the case of spam or suspected spam emails.

Several external tools for MS Exchange Server allow such functionality. For more
information, please see http://www.slipstick.com/addins/content_control.asp.

Filtering of emails can also be done in the user's mail client by adding appropriate rules in
MS Outlook, or adding message filters in Mozilla Thunderbird.
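As an added example (not from the Check Point FAQ), the following Python script shows how a downstream mail filter can route messages by the stamps described above, and how it can pull the Email Session ID that the Tracking section says appears in the X-CheckPoint header. The sample messages are constructed, and the exact layout of the X-CheckPoint value (session ID first, then the Category string) is an assumption.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not real Check Point output). The layout of the
# X-CheckPoint value (session ID followed by "Category=...") is an assumption;
# the FAQ only states that the header carries the Email Session ID and that
# "Category=Spam" / "Category=Suspected Spam" strings are added to it.
SPAM_MSG = """\
From: sender@example.net
To: john@myserver.com
Subject: [SPAM] cheap offers
X-Spam-Status: Yes
X-CheckPoint: 1a2b3c4d-5e6f; Category=Spam

body
"""

SUSPECTED_MSG = """\
From: sender@example.net
To: john@myserver.com
Subject: newsletter
X-CheckPoint: 7788aabb-ccdd; Category=Suspected Spam

body
"""

CLEAN_MSG = """\
From: colleague@myserver.com
To: john@myserver.com
Subject: lunch
X-CheckPoint: 00ff11ee-2233

body
"""

# No X-CheckPoint header at all: the FAQ says this means the message was not scanned.
UNSCANNED_MSG = """\
From: someone@example.org
To: john@myserver.com
Subject: hello

body
"""

CATEGORY_RE = re.compile(r"Category=(Spam|Suspected Spam)")


def session_id(msg: Message):
    """Return the Email Session ID from X-CheckPoint, or None when the header is absent."""
    value = msg.get("X-CheckPoint")
    if value is None:
        return None
    # Assumed layout: the session ID is the first ';'-separated field.
    return value.split(";")[0].strip()


def classify(msg: Message) -> str:
    """Map the gateway's stamps to a folder, using the two filter options the FAQ
    names: the Category=... string in X-CheckPoint, or the X-Spam-Status: Yes line."""
    value = msg.get("X-CheckPoint", "")
    m = CATEGORY_RE.search(value)
    if m and m.group(1) == "Spam":
        return "quarantine"
    if m and m.group(1) == "Suspected Spam":
        return "suspected"
    if msg.get("X-Spam-Status", "").strip().lower() == "yes":
        return "quarantine"
    return "inbox" if value else "unscanned"


def route(raw: str):
    """Parse a raw RFC 822 message and return (folder, session_id)."""
    msg = message_from_string(raw)
    return classify(msg), session_id(msg)
```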

Q: How does the Content Anti-spam engine classify emails as Spam,
Suspected Spam or Non-spam?
• A: The Content Anti-spam functionality employs unique licensed technology. The Check
Point Messaging Security anti-spam solution classifies spam by analyzing known and
emerging distribution patterns, and doesn’t rely on searching for keywords or on lexical
analysis of email content (a more commonly taken approach in many anti-spam
applications).

The distribution pattern approach is conducted by sending an encrypted pattern, extracted
from each email, to the Check Point Detection Center. The pattern does not contain any
portion of the actual email content. About 75 percent of queries are resolved using the local
cache, thus not requiring the sending of queries.

Q: What is the difference between Spam and Suspected Spam?
• A: The vast majority of Suspected Spam emails are real spam. Usually, Suspected Spam
emails do not originate from a verified or previously known spammer.

Q: How does Zero-Hour Malware Protection work?
• A: By proactively scanning the Internet and identifying massive virus outbreaks as soon as
they emerge, this zero-hour solution provides signature-independent virus and malware
blocking.

A query, similar to the one used in Content Anti-spam, is sent to the Check Point Detection
Center (if both anti-spam and zero-hour layers are enabled, this is the same query). The
result of this query might indicate the presence of a pattern, which belongs to emails that are
known to contain a spreading malware (e.g. a 'worm'). The Detection Center collects
information about such outbreaks and extracts the relevant email patterns.

Q: How does the IP-reputation engine work?
• A: IP-Reputation is an anti-spam mechanism that checks the IP address of the message
sender (contained in the opening SYN packet) against a dynamic database of suspected IP
addresses. If, according to the IP-reputation service, the originating network has a
reputation for sending spam, then the spam session is blocked at connect time. This method
saves the bandwidth that might have been used if the sender was allowed to begin the
transfer of the email.

The firewall also keeps an internal cache of IP addresses. So in the majority of connection
attempts, no query is sent to the database (the classification of the address is already
known). The cache approach enables extremely high performance for the IP-reputation
feature.

Q: What is a “Custom Server”?
• A: A customized server can be defined to receive Content Anti-spam and IP-Reputation
queries. This feature is not currently supported in R65 with Messaging Security. Please
contact Check Point solution center if you require this service.

Q: Is Layer 2 (“Bridge Mode”) supported in the Messaging Security solution?
• A: Yes, Layer 2 configuration is supported. For additional details about Layer 2
configurations, please refer to the NGX R65 Release Notes.

Q: What are the technical advantages of the Check Point Messaging Security spam solution
over other solutions?
• A: There are several important advantages to the Check Point Messaging Security spam
solution, including:
Content-agnostic anti-spam engine - Unlike other anti-spam solutions, which try to identify
spam according to specific keywords in the content of emails, the Check Point anti-spam
engine identifies spam according to patterns belonging to known spam emails. These
patterns are collected from various locations around the globe where spam attacks occur,
and are immediately reported to the Check Point Detection Center. Relying on patterns,
rather than on specific words, makes the Check Point anti-spam classification engine not
only language agnostic, but also content agnostic. Content agnostic anti-spam is very
important in the case of non-textual (e.g. image-based) spam emails, a fast-growing
phenomenon.

Real-time classification and protection – New spam outbreaks can be identified as they
occur by checking the sender’s IP address (using IP-Reputation) and email content patterns
(Content Anti-Spam) against dynamically-updated information in the Check Point Detection
Center. These methods allow true zero-hour malware outbreak protection, unlike other email
antivirus solutions which rely solely on signatures.

On-session blocking – Spam emails are checked, and if needed blocked, during the original
SMTP/POP3 session. If the IP-reputation method identifies spam, then the session is
blocked without even initiating a connection to the mail server. This method is superior to
those performed by other products, which scan emails after the original session ends, and
are then required to send a non-delivery report if the email is blocked.

Q: How do I send a test spam message to test the defenses?
• A: Simply send an email with the subject: “RPD Spam test: Spam” (without the quotation
marks). The email should be identified as spam by the Content Anti-spam engine. To test
suspected spam, use "RPD Spam test: Bulk" in the same way.

Q: How do I view IP addresses stored in the IP-Reputation cache?
• A: The local cache is kept in a table called "aspam_syn_cache". The key of the table is the
IP address (in hexadecimal representation) and the first value is a number representing the
action that will be taken when the IP tries to connect:
DROP 0
REJECT 1
ACCEPT 2

The table can be viewed using the "fw tab" command. In the enforcing module, type:
fw tab -t aspam_syn_cache
The result should look like the following:

localhost:
-------- aspam_syn_cache --------
dynamic, id 157, attributes: expires 30, limit 25000, hashsize 16384
<c0a80001; 00000002, 00000000; 594/600>

The above is an entry for IP address 192.168.0.1. The action is ACCEPT, and will expire in
594 seconds.
Note that the table can contain up to 25,000 entries. In order to see all of the entries, add "-u"
to the command.
To check a specific entry, add "-e [IP in hexadecimal format]" to the command.
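Added example, not part of the FAQ: a Python parser for the fw tab output shown above that decodes each hexadecimal key back to a dotted address, names the action code, and computes the hex form needed for the -e lookup. The sample output is constructed from the entry format above; the second entry (203.0.113.1 with action DROP) is added to exercise the blocked case.

```python
import ipaddress
import re

# Action codes stored as the first value of an aspam_syn_cache entry (from the FAQ).
ACTIONS = {0: "DROP", 1: "REJECT", 2: "ACCEPT"}

# Constructed sample, modelled on the "fw tab -t aspam_syn_cache" output in the
# FAQ; the second entry (a TEST-NET-3 address, action 0 = DROP) is added here.
SAMPLE_OUTPUT = """\
localhost:
-------- aspam_syn_cache --------
dynamic, id 157, attributes: expires 30, limit 25000, hashsize 16384
<c0a80001; 00000002, 00000000; 594/600>
<cb007101; 00000000, 00000000; 12/600>
"""

# <key; value1, value2; remaining/limit> with every field in hexadecimal
# except the two expiry counters, which are decimal seconds.
ENTRY_RE = re.compile(
    r"<(?P<ip>[0-9a-fA-F]{8});\s*(?P<action>[0-9a-fA-F]{8}),"
    r"\s*(?P<val2>[0-9a-fA-F]{8});\s*(?P<ttl>\d+)/(?P<limit>\d+)>"
)


def hex_to_ip(h: str) -> str:
    """c0a80001 -> 192.168.0.1 (the table keys IPv4 addresses as 8 hex digits)."""
    return str(ipaddress.IPv4Address(int(h, 16)))


def ip_to_hex(ip: str) -> str:
    """Inverse, producing the key format for 'fw tab -t aspam_syn_cache -e <hex>'."""
    return f"{int(ipaddress.IPv4Address(ip)):08x}"


def parse_cache(output: str):
    """Return one dict per entry: address, action name, seconds until expiry, limit."""
    entries = []
    for m in ENTRY_RE.finditer(output):
        code = int(m.group("action"), 16)
        entries.append({
            "ip": hex_to_ip(m.group("ip")),
            "action": ACTIONS.get(code, f"UNKNOWN({code})"),
            "ttl": int(m.group("ttl")),
            "limit": int(m.group("limit")),
        })
    return entries


def blocked_addresses(output: str):
    """Addresses the gateway will currently drop or reject at connect time."""
    return [e["ip"] for e in parse_cache(output) if e["action"] in ("DROP", "REJECT")]
```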

Q: How do I block email delivery attempts to non-existing users?
• A: Follow the below steps to configure a list of valid addresses which are allowed to receive
email.
1. Create a list of valid addresses, each in a different line, e.g.:
John@myserver.com
Gil@myserver.com
Guy@myserver.com
Alias_for_guy@myserver.com
Merv@myserver.com
Patrick@sales.myserver.com
William@myotherserver.com
Addresses are case insensitive. Note that this list is not updated automatically by
default. Aliases, if desired, must be explicitly added to the list.

2. Place the list in the following file on the enforcing modules:
$FWDIR/tmp/email_tmp/updates/relay_addresses

3. Edit the $FWDIR/conf/mail_security_config configuration file on the modules. In the
[relay] section, set enforce_addresses=1 and action=reject.

4. Install policy on the modules.
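Added example (not Check Point's code): a Python simulation of the recipient check that the steps above configure, using a constructed relay_addresses list and a constructed [relay] fragment. It assumes mail_security_config is INI-style, which the FAQ's "[relay] section" and "enforce_addresses=1" wording suggests but does not state, and it shows the two caveats from step 1: matching is case-insensitive, and an alias is only accepted if it is listed explicitly.

```python
import configparser

# Constructed relay_addresses content, one address per line as the FAQ describes.
# Note that guy@myserver.com itself is deliberately NOT listed, only its alias.
RELAY_ADDRESSES = """\
John@myserver.com
Gil@myserver.com
Alias_for_guy@myserver.com
Patrick@sales.myserver.com
"""

# Constructed fragments of the [relay] section. Treating mail_security_config as
# INI-style is an assumption; the FAQ only names the section and the two keys.
CONFIG_ENFORCING = """\
[relay]
enforce_addresses=1
action=reject
"""

CONFIG_DISABLED = """\
[relay]
enforce_addresses=0
action=reject
"""


def load_relay_addresses(text: str) -> set:
    """One address per line, blank lines ignored, lower-cased for case-insensitive matching."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def relay_settings(config_text: str):
    """Return (enforce_addresses, action) from the [relay] section."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    enforce = cp.getboolean("relay", "enforce_addresses", fallback=False)
    action = cp.get("relay", "action", fallback="monitor")
    return enforce, action


def recipient_verdict(rcpt: str, allowed: set, config_text: str) -> str:
    """Decide what happens to RCPT TO:<rcpt>: 'accept' when enforcement is off or
    the address is listed, otherwise the configured action (e.g. 'reject')."""
    enforce, action = relay_settings(config_text)
    if not enforce:
        return "accept"
    if rcpt.strip().lower() in allowed:
        return "accept"
    return action
```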

Q: How do I filter emails according to URLs contained in email content?
• A: To configure scanning of email content for URLs, and to match the URLs against the
Web filtering engine and/or an RBL server, access the enforcing module in Expert mode and
edit the following configuration file: $FWDIR/conf/mail_security_config. Before modifying the
configuration file, we recommend creating a backup copy.

To match against the Web filtering engine, in the [Web_filtering] section of the file, change
enforce=0 to enforce=1. Emails will be handled according to the Web Filtering policy
(rejected or monitored).

To check the URLs in RBL repositories (zen.spamhaus.org is the default), find the [rbl]
section and change to enforce_urls=1. Change 'url_action' to the desired action to be taken
upon match ('reject', 'monitor', 'stamp-subject', 'stamp-header'). Save the changes and install
policy on the module.

Performance
Q: How do I increase the number of active security server processes?
• A: Exit SmartDashboard and run the GuiDBedit utility. Open the "Other" table and inside it,
open the "Content Security" tab. Select "Global_security_server_settings". Change the
values of 'smtp_process_num' and 'pop3_process_num' to the desired values. The
maximum value is 12. Save the changes and install policy.

Q: What is the expected performance of UTM-1 gateways?
• A: There are three UTM-1 models. Model 450 supports 250 users, model 1050 supports 500
users, and model 2050 supports 1,000 users. With IP-Reputation activated, thousands of
emails per second can be processed.

Q: What happens when the email server reaches load capacity?
• A: When the email server reaches load capacity, a "421" SMTP error code is returned to the
sender. Some Mail Transfer Agents (MTAs) will retry sending the email to the server after
several minutes. Other MTAs will try to send the email to a secondary server, as defined in
the server's DNS MX record. The firewall itself can also experience a load that is too heavy
to handle. By default, Content Anti-spam and the IP-Reputation engine are configured to be
bypassed when this happens, though this setting can be modified. In the unlikely scenario
that the email is rejected with error code 421, another send attempt will be made by the
sending MTA. Under no circumstances will the email be lost.

Tracking
Q: What is an “Email Session ID?”
• A: An Email Session ID is a string that is unique per SMTP/POP3 session. The ID is
generated at the beginning of each session and used for easy tracking of events in that
session. In order to view log records that are related to the same session, right-click a log
record in SmartView Tracker and use "Follow Email Session ID":

Q: Where can I find the Email Session ID of emails that passed inspection?
• A: A special header is added to every email that passes Messaging Security inspection. The
Email Session ID string appears after the "X-CheckPoint:" header declaration. In MS
Outlook, the header section of the email can be viewed by selecting "Options" from the
"View" menu:

In Outlook Express, the header and session ID can be viewed by selecting "Properties" from
the "File" menu, and then clicking the "Details" tab.

In Mozilla Thunderbird, open the email, and from the "View" menu select "Headers" and
"All".

Q: Why are there multiple SmartView Tracker log records for each
session?
• A: When the anti-spam 'Non Spam' tracking option is set to any value other than 'None',
every active anti-spam layer generates a tracker log. Also, when the 'SMTP/POP3 Allowed
files' tracking option is set to a value other than 'None', every active antivirus layer also
generates a tracker log. All generated log records will have the same Email Session ID.

Q: What is the order of activation of the Messaging Security protections?
• A: The order of the protection layers is as follows:

SMTP:
IP Block List → IP Reputation → Sender Block List → File Types → Mail Antivirus →
Zero-Hour Malware Protection → Content-based Anti-spam

POP3:
Sender Block List → File Types → Mail Antivirus → Zero-Hour Malware Protection →
Content-based Anti-spam

Q: I see a green (accept) log entry in SmartView Tracker for an SMTP connection. Does it
mean the email passed the firewall?
• A: Not necessarily. In order to determine whether an email successfully passed inspection,
make sure "Spam" and "Suspected Spam" track options are set to a value other than 'None'.
These settings will generate a 'Reject' (red) SmartView Tracker record if the message is
rejected. As mentioned before, if the 'Non Spam' tracking option is not 'None', an 'Accept'
(green) record will be added to the log for every layer which is passed successfully. See the
below SmartView Tracker screenshot:

(This window opens after using "Follow Email Session ID". The 'Control' field is not displayed in the default query).

The above SmartView Tracker screenshot illustrates a spam email that passed all security
layers except Content Anti-spam. The Content Anti-spam layer identified the email as spam
and blocked it.

Q: In SmartView Tracker, what do log records with a ‘Bypass’ action indicate?
• A: Certain Messaging Security defense layers are configured to bypass, or allow email to
pass through, when connectivity or network congestion issues exist between the gateway
and the Check Point Detection Center. Bypass is the default setting in the IP-Reputation and
Content Anti-spam defense layers. The 'Reason' field in the record details (viewable after
clicking "More Information") contains a description of the issues encountered.

Q: All of the IP-Reputation and Content-based Anti-spam log records have a ‘Bypass’
action. Why?
• A: This situation indicates a likely connectivity problem. Make sure that a Domain Name
Server (DNS) is defined, and that the gateway is able to connect to the Internet on port 80.

Q: What causes a ‘Temporary scan failure’ entry in the ‘Reason’ field in a log record with
Bypass (or Reject) action?
• A: In situations where high system load or network congestion exists, a time-out may occur
and a ‘Temporary scan failure’ notice will be generated. This is a temporary situation. If a
bypass action occurs, the email will reach the destination without inspection in the layer
indicated by the log record. If a reject action occurs, a ‘421’ error code is returned to the
sender and the email is resent automatically.

Troubleshooting

Q: Why was a spam email not blocked? What should I do if I wish to report
this?
• A: In SmartDashboard, verify that the 'Non Spam' tracking option is set to a value other than
'None', thus enabling tracking of emails which are not identified as spam.

Open the SmartView Tracker and find the logs relevant for this email (filter by time or
recipient, or use 'Follow Email Session ID'). Next, verify that the email has not passed
inspection as a result of a Bypass rule. If an "Accept" record exists for the Content Anti-spam
layer, the email was likely misclassified.

The Messaging Security solution identifies 97 percent of all spam, and classifies it as Spam
or as Suspected Spam. To report a misclassification issue to Check Point:

- On the Check Point public Web site, on the Messaging Security page, select “Report
Spam Classification Error” under the Things To Do heading

- Using your User Center credentials, complete the requested Support Center form

Q: Why is the disclaimer missing in some emails? Does this indicate that
the email was not scanned?
• A: The disclaimer can be left off of a scanned email when the MIME format of the message
is not standard or malformed. Also, disclaimers will not be added to text encoded in Base64
or Unicode formats, nor to certain kinds of HTML messages. However, the absence of a
disclaimer does not mean that the messages weren't scanned. To verify that the message
was scanned, look for the 'X-CheckPoint' header in the header section of the email.

Q: How do I direct spam or virus traffic to a different mail server?
• A: The headers of spam emails can be flagged, and the mail server can be configured to direct
the flagged emails to a different server, not to the user's inbox. While such functionality can be
achieved, it cannot be configured directly at the gateway level and may require a special add-on
to the mail server.

Q: How do I configure anti-spam defenses to reject a session (vs. Bypass) in case of
connectivity issues?
• A: Exit SmartDashboard and run the GuiDBedit utility. Open the "Other" table, and then open
the "Content Security" tab. Select "Global_security_server_settings". Change the boolean
attributes "ip_rep_fail_open" and "spam_engine_fail_open" from the default ‘true’ setting to
‘false’. Save the changes, exit GuiDBedit, open SmartDashboard and install the new policy.
