PineApp OSG Anti-Spam Engines & Values

The control over the OSG Anti-Spam /Anti-Botnet engines

By Clicking on the above Edit icon Admin will allow engine activation and deactivation

Enable SMTP Traffic Bypass

When active the system will act as a router and push any incoming packet forward .

1. IP rate limit
The system allows you to limit maximum messages and sessions per source IP per
Min/Hr/Day
PineApp OSG accept TCP connection
PineApp OSG consult it's database about following parameters:
o Number of allowed TCP connections from clients source IP per Min/Hr/Day
o Number of exists TCP connections from clients source IP per Min/Hr/Day
If Number of exists TCP connections from clients source IP per Min/Hr/Day exceeds the
numbers of allowed, incoming connection will be dropped.

PineApp Ltd. 8 Hata'asia Street, Nesher, Israel, 3660201, POB 285

T +972-4-8212321 F +972-4-8203676 E info@PineApp.com W www.PineApp.com
2. Real time Blackhole list

A DNSBL (DNS-based Blackhole List, Block List, or Blacklist; see below) is a list of IP
addresses published through the Internet Domain Name Service in a particular format.
DNSBLs are most often used to publish the addresses of computers or networks linked to
spamming; most mail server software can be configured to reject or flag messages which
have been sent from a site listed on one or more such lists.
This use case is relevant for inbound emails only.
Settings:
PineApp OSG accept TCP connection
PineApp OSG read from database DNSBL's domain name say dnsbl.example.net.
PineApp OSG detect client's IP addresssay, 192.168.42.23
PineApp OSG reverse the order of octets, yielding 23.42.168.192
PineApp OSG appends the DNSBL's domain name: 3.42.168.192.dnsbl.example.net.
Look up this name in the DNS as a domain name ("A" record).
DNS Server returns address. It indicates that the client is listed in Black list.
PineApp OSG drop connection

3. IP Reputation
The Reputation Service utilizes Commtouch's Recurrent Pattern Detection (RPD)
technology.
RPD is network-based malware detection and filtering solution for protecting against
modern attacks that are often launched as massive outbreaks in which millions of email
messages containing malware (e.g., spam, phishing, viruses, and worms) are distributed
during the short window of opportunity before malware signatures become available.
Settings:
PineApp OSG accept TCP connection
PineApp OSG pass to Commtouch software source IP address
Commtouch software return IP reputation (category)
Commtouch return GOOD IP reputation
PineApp OSG continue normal flow

PineApp Ltd. 8 Hata'asia Street, Nesher, Israel, 3660201, POB 285

T +972-4-8212321 F +972-4-8203676 E info@PineApp.com W www.PineApp.com
4. Greeting delay
A greeting delay is a deliberate pause introduced by an SMTP server before it sends the
SMTP greeting banner to the client. The client is required to wait until it has received this
banner before it sends any data to the server. (per RFC 5321 3.1). Many spam-sending
applications do not wait to receive this banner, and instead start sending data as soon as
the TCP connection is established. The server can detect this, and drop the connection.
Settings:
PineApp OSG accept TCP connection
PineApp OSG consult with DNS about IP type
DNS Server informs that it is dynamic IP.
PineApp OSG delay greeting to X sec.
PineApp OSG continue normal flow
5. Helo/EHLO Check
Per RFC 2821, the first SMTP command issued by the client should be EHLO (or if unsupported,
HELO), followed by its primary, Fully Qualified Domain Name. This is known as the Hello greeting. If
no meaningful FQDN is available, the client can supply its IP address enclosed in square brackets:
"[1.2.3.4]". This last form is known as an IPv4 address "literal" notation.

6. Pipelining checking
When a client SMTP wishes to employ command pipelining, it first issues the EHLO command to the
server SMTP. If the server SMTP responds with code 250 to the EHLO command and the response
includes the EHLO keyword value PIPELINING, Then the server SMTP has indicated that it can
accommodate SMTP command pipelining. Once the client SMTP has confirmed that support exists
for the pipelining extension,
The client SMTP may then elect to transmit groups of SMTP commands in batches without waiting
For a response to each individual command. In particular, the commands RSET, MAIL FROM, SEND
FROM, SOML FROM, SAML FROM, and RCPT TO can all appear anywhere in a pipelined command
group. The EHLO, DATA, VRFY, EXPN, TURN, QUIT, and NOOP commands can only appear as the
last command in a group since their success or failure produces a change of state which the client
SMTP must accommodate

PineApp Ltd. 8 Hata'asia Street, Nesher, Israel, 3660201, POB 285

T +972-4-8212321 F +972-4-8203676 E info@PineApp.com W www.PineApp.com
7. SSP
Simple Sender Policy in a mechanism that allows system to limit maximum messages generated by
a specific email sender and provides a penalty blacklisting for the sender.
Mail From, Penalty will be give to the specific sender that exceeded the number of allowed
mail emails he is allowed to send per give time frame.
Unique Mail From, Penalty will be give to the specific Ip address that exceeded the number of
allowed mail sender's emails he is allowed to host per give time frame.

SSP - MF Black List Time (In Second(

SSP - UMF Black List Time (In Second(
SSP - Enable Greylisting (On/Off(
SSP - MF Rate Limit per Hour/Minute/Second.
SSP - UMF Rate Limit per Hour/Minute/Second.

The Greylisting Mechanism

The SMTP protocol allows for temporary rejection of incoming messages. Greylisting is the
technique to temporarily reject messages from unknown sender mail servers. A temporary rejection
is designated with a 4xx error code that is recognized by all normal MTAs, which then proceed to
retry delivery later.
Greylisting is based on the premise that spammers and spambots will not retry their messages but
instead will move on to the next message and next address in their list. Since a retry attempt
means the message and state of the process must be stored, it inherently increases the cost
incurred by the spammer. The assumption is that, for the spammer, it's a better use of resources to
try a new address than waste time re-sending to an address that's already exhibited a problem. For
a legitimate message this delay is not an issue since retrying is a standard component of any
legitimate sender's server.
Settings:
PineApp OSG parses MAIL FROM directive
PineApp OSG consult it's database about pair: source IP; source e-mail
Pair source IP; Source e-mail not exist.
PineApp OSG add this pair to its database
PineApp OSG send temporarily reject message to sender MTA

PineApp Ltd. 8 Hata'asia Street, Nesher, Israel, 3660201, POB 285

T +972-4-8212321 F +972-4-8203676 E info@PineApp.com W www.PineApp.com
8. Validate MX record

A mail exchanger record (MX record) is a type of resource record in the Domain Name System that
specifies a mail server responsible for accepting email messages on behalf of a recipient's domain
and a preference value used to prioritize mail delivery if multiple mail servers are available. The set
of MX records of a domain name specifies how email should be routed with the Simple Mail Transfer
Protocol.
Settings:
PineApp OSG extracts sender's domain name from MAIL FROM directive
PineApp OSG query MX record from DNS server
MX record for domain not exists.
PineApp OSG drop clients connection.
MX record for domain exists.
PineApp OSG continue it normal flow

9. Validate sender SPF

Validate sender IP by comparing source IP with allowed SPF record.

o PineApp OSG get:
o IP address of the SMTP client that is emitting the mail.
o Domain portion of the "MAIL FROM identity.
o PineApp OSG build SPF DNS query and send it to DNS server
o PineApp OSG gets response and parses it.
o PineApp OSG get all allowed hosts and perform forward lookup to DNS server (get A record
for each server)
o Compare source IP address with IPs from step 4.
o None of IPs is not equal.
o PineApp OSG drop TCP connection
Source IP equal with IPs from step 4.
PineApp OSG continue it normal flow
o SPF record not found
o PineApp OSG continue it normal flow

PineApp Ltd. 8 Hata'asia Street, Nesher, Israel, 3660201, POB 285

T +972-4-8212321 F +972-4-8203676 E info@PineApp.com W www.PineApp.com
10. RCPT Tarpitting
Tarpitting will increase the delay between recipients within the same envelope, the more recipients
within the envelope, the bigger the delay is. The purpose of Tarpitting is to decrease mail from
spammers who very often use many recipients in one envelope.
Settings:
PineApp OSG extract RCPT TO directive
PineApp OSG count RCPT TO directive
Counter exceeded X
PineApp OSG postpones transmitting this directive to destination MTA for X second.

11. DHA attack:

A Directory Harvest Attack or DHA is a technique used by spammers in an attempt to find
valid/existent e-mail addresses at a domain by using brute force. The attack is usually carried out
by way of a standard dictionary attack, where valid e-mail addresses are found by brute force
guessing valid e-mail addresses at a domain using different permutations of common usernames.
These attacks are more effective for finding e-mail addresses of companies since they are likely to
have a standard format for official e-mail aliases (i.e. jdoe@example.domain,
johnd@example.domain, or johndoe@example.domain).
Settings:
PineApp OSG get RCPT TO email address and pass it to destination MTA
Destination MTA return that recipient not exist
PineApp OSG increment number of invalid recipients.
Number of invalid recipients more than some configurable value
PineApp OSG drop TCP connection
PineApp OSG save client IP in its dynamic black list and stops responding during some
configurable time.

PineApp Ltd. 8 Hata'asia Street, Nesher, Israel, 3660201, POB 285

T +972-4-8212321 F +972-4-8203676 E info@PineApp.com W www.PineApp.com
12. DoS attack
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an
attempt to make a computer resource unavailable to its intended users. One common method of
attack involves saturating the target (victim) machine with external communications requests, such
that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively
unavailable. In general terms, DoS attacks are implemented by either forcing the targeted
computer(s) to reset, or consuming its resources so that it can no longer provide its intended
service or obstructing the communication media between the intended users and the victim so that
they can no longer communicate adequately.
Settings
Maximum concurrent connections per source IP
Maximum mails per single open connection.
Max recipients per mail
Max total concurrent connections

13. PineApp Recurrent Pattern Detection

PineApp Recurrent Pattern Detection (RPD) technology, based on the identification and
classification of message patterns, delivers the highest threat detection capabilities. The objective of
this document is to discuss the characteristics of such threats and the challenges facing
technologies that aim to mitigate these often malicious attacks, in addition to describing how the
RPD solution protects against all types of email-borne threats.
14. Helo rate limit
Per RFC 2821, the first SMTP command issued by the client should be EHLO (or if unsupported,
HELO), followed by its primary, Fully Qualified Domain Name. The system allows you to limit
maximum sessions per a given Helo name and Helo's per given source ip address.
PineApp OSG consults its database about following parameters:
Helo rate limit , Penalty will be give to the specific Helo name that exceeded the number
of allowed mail session he is allowed to open per give time frame.
Unique Helo rate limit, Penalty will be give to the specific Ip address that exceeded the
number of allowed mail Helo names it is allowed to host per IP per give time frame.
Helo rate limit Black List Time (In Second)
Unique Helo rate limit Black List Time (In Second)
Helo rate limit per Hour/Minute/Second.
Unique Helo rate limit per Hour/Minute/Second

PineApp Ltd. 8 Hata'asia Street, Nesher, Israel, 3660201, POB 285

T +972-4-8212321 F +972-4-8203676 E info@PineApp.com W www.PineApp.com