
Dr.Web for Unix mail servers


Key benefits

Dr.Web for UNIX mail servers is a unique modular solution for processing and filtering incoming and outgoing traffic on mail servers running UNIX systems (Linux/FreeBSD/Solaris (x86)). Depending on the set of connected plug-ins, it can filter e-mails for viruses and spam.
  • Wide range of supported OS and mail systems
    Dr.Web for UNIX mail servers is compatible with Linux distributions (glibc version 2.2 and above), FreeBSD versions 4.x, 5.x, 6.x, and Solaris version 10 (for the Intel platform only).
    Dr.Web for UNIX mail servers is also compatible with the widest range of mail servers: CommuniGate Pro, Exim, Postfix, QMail, Sendmail, Courier MTA, ZMailer.
    The modular structure of Dr.Web for UNIX mail servers allows users of any mail system to use this solution, even a system outside the list of supported mail systems, for which a qualified user can develop their own plug-in. Moreover, the system can be installed in front of the mail system, i.e. it can itself receive, analyze and send e-mails.
  • Possibility to connect unlimited number of plug-ins
    Dr.Web for UNIX mail servers allows you to extend the functionality of the solution to an unlimited extent. Any newly developed plug-in will operate with all supported MTA.
  • Open-source solution
    Dr.Web for UNIX mail servers is based on a system of plug-ins that is open to independent developers. Any qualified user can implement the functionality they need as a plug-in, using the SDK supplied with the complex.
  • Dr.Web is not anti-virus only!
    Dr.Web for UNIX mail servers is a complex for the protection of corporate mail systems. Depending on the set of connected plug-ins, Dr.Web for UNIX mail servers can perform the following functions:
    • Scan mail messages for viruses, spam and unsolicited e-mails. Both the message itself and the attachments to it, if any, are scanned regardless of their nesting level. Depending on the scanning result the message can be delivered to the mail box, blocked or modified. Dr.Web for UNIX has a unique spam-filtering technology that is ready to go. Dr. Web anti-spam requires no initial tuning or setup by the user; it begins working effectively upon install. Spam-filtering module does not require connection with any external server or database; this helps save on traffic substantially.
    • Whitelists\Blacklists
    • Parse e-mail messages and then analyze each of its components
    • Correctly process majority of known archives, including multi-volume or self-extracting (SFX)
    • Send notifications on the scanning results to recipients and\or third persons using notification templates
    • Keep logs of events
    • Self-protect its modules against malfunctioning
    • Detect and remove malicious codes, including mass-mailing worms, e-mail viruses, peer-to-peer viruses, Internet worms, file viruses, Trojans, stealth viruses, polymorphic viruses, bodiless viruses, macro viruses, ms office viruses, script viruses, spyware, spybots, password stealers, paid dialers, adware, riskware, hacktools, backdoors, keyloggers, joke programs, malicious scripts, other malware.
  • Flexible settings and ease of administration
    Dr.Web for UNIX mail servers contains a flexible system of settings allowing you to perform any possible set of rules. An administrator can specify these rules directly, via configuration rules.
  • Outstanding scalability
    This solution can meet the requirements of both small companies with only one server and large transnational telecoms with unlimited mail traffic. Its efficiency, flexible settings and ability to filter huge volumes of e-mail traffic on the fly mean it can comply with even the highest demands.
  • High productivity and stable operation
    Due to the multi-threaded scanning function, Dr.Web for UNIX mail servers can process huge volumes of e-mails simultaneously. Its modular structure makes it almost impossible to disable (even by a direct attack). Low system resource requirements allow Dr.Web for UNIX mail servers to function smoothly on mail servers of almost any configuration.
  • Unique technology!
    VadeRetro unique technology (developed by Goto Software, France) allows it to avoid using blacklists, which makes the intentional compromising of companies by adding them to blacklists impossible. Dr.Web for UNIX mail servers can change its behavior depending on the envelope of the processed e-mail, or the detected blocking objects.
Anti-virus
E-mails are filtered for viruses, spyware, adware, riskware, hacker utilities and joke programs by the DrWeb anti-virus plug-in. High filtering speed of the plug-in is combined with low system resources consumption; it perfectly functions on mail servers of almost any configuration.

Stable operation
Due to the modular structure of Dr.Web for UNIX mail servers and a special module responsible for the system's efficiency, it is almost impossible to disable the plug-in.

High response speed
Due to multi-threaded scanning technology, the system's response speed is very high. Files are scanned on the fly, without waiting until earlier received messages are processed. This means end users receive e-mails almost instantly!

High protection level
Thanks to the combination of a huge virus database and a constantly improving heuristic analyzer, there is no chance for viruses, including micro viruses, Trojan horses and other malware, to penetrate users' computers via e-mail. The plug-in detects malicious programs written for all platforms (Windows, UNIX, DOS), including objects that can infect Microsoft Office files. Users can choose the types of files to be scanned, as well as the reaction to detected threats: reporting, curing of infected objects, moving suspicious objects to quarantine, or renaming.

Correct scanning of archives and packed files
The DrWeb plug-in correctly checks the majority of existing formats of packed files and archives with any nesting level, including multi-volume and self-extracting, which is extremely important for mail systems. The plug-in can process more than 1000 types of archives and packers. While checking archives the administrator can specify the maximum compression level and maximum file size for extraction.

Quarantine
The infected and\or suspicious files detected by the plug-in can be moved to quarantine for future processing. Later they can be cured or deleted.

Flexible settings and ease of administration
Flexible configuration files of the anti-virus plug-in allow for customization. Any action taken by the DrWeb plug-in is recorded in the log file. The notification system lets system administrators react promptly to emerging threats.

Anti-spam

E-mail messages are filtered for spam by the VadeRetro plug-in via its own library (read more in the "Technologies" pane). The library is dynamically updated and the quality of filtering is constantly improving.

Key functions

  • Filtering of spam, phishing, pharming, scamming and bounce-messages
  • Sending of notifications on the scanning results to recipients and\or third persons
  • Logging of events
  • Self-protection of modules against malfunctions.
Benefits

High speed of filtering
The anti-spam was primarily designed for corporate mail servers and so has a high filtering speed. In one second Dr.Web Anti-spam checks over one hundred messages for spam on-the-fly (1.9GHz Pentium 4 CPU)!

Low system resources requirements
High filtering speed is combined with low system resources consumption; the anti-spam perfectly functions on mail servers of almost any configuration.

Outstanding scalability
Dr.Web mail server solution can be adopted by small companies with one mail server only, large hosting companies and ISPs, with mail servers processing hundreds of thousands of e-mails a day.

An Anti-Spam that is ready to go!
Unlike other anti-spam software Dr. Web requires no initial tuning or setup by the user; it begins working effectively upon install. However, Dr. Web can also be taught to recognize and sort mail beyond its built-in parameters.

Intellectual processing of detected objects
Dr.Web Anti-spam for UNIX mail servers can adjust itself to choose the correct processing technology for any detected object. For example, for any type of unsolicited e-mails, such as phishing, pharming, scamming, bounce-messages, etc., Dr.Web is able to use its intellectual filtering technologies to produce an exceptionally high detection rate. Before a verdict is made - spam\not spam – the collective features of each message are studied.

Autonomous filtering saves on traffic
Spam-filtering module does not require connection with any external server or database; this helps save on traffic substantially.

Unique technologies
The unique spam-filtering technology avoids the use of blacklists, which makes the intentional compromising of companies by adding them to blacklists impossible.

Regular updates
Due to dynamically updated code of the anti-spam’s library the filtering speed is always high and the quality of detection is constantly improving. Updates for Dr.Web Anti-spam are released daily and downloaded automatically by the updating utility.

More details on spam filtering techniques in the Technologies pane.

Technologies

Dr.Web for UNIX mail servers is designed as a group of simultaneously operating program modules. The range of tasks performed by the complex is determined by the plug-ins (libraries, responsible for processing of mails) connected to the complex.

The mail messages are processed by the modules of the mail daemon as follows: the incoming messages are received by the Receiver module which transfers them to the Checker module (drweb-maild) for check of mail messages. The Checker module calls plug-ins in series and they analyze the messages. The messages successfully checked by the plug-ins of the mail daemon are sent to the mail system by the Sender module. During the operation of the mail daemon different reports on the results of the check can be generated. These reports are generated by the Notifier module (drweb-notifier) and can be sent to senders or recipients of messages and to the system administrator. The processing of e-mails by the mail daemon can be flexibly regulated by rules.

The option to write rules into the configuration file of the mail daemon is one of the most helpful options of Dr.Web MailD. Rules make it possible to vary the operational parameters of the mail daemon flexibly, depending on the content of e-mail messages. The current version of the Dr.Web mail daemon allows rules to be specified for the addresses of senders and recipients and for the detection of malicious code found in e-mail messages.

  • Receiver The Receiver component is responsible for the receipt of e-mails, either directly from mail systems or via the SMTP/LMTP protocols, and their subsequent transfer to the drweb-maild component. Depending on the mail systems and protocols used, the functions of the Receiver component are performed by different modules (drweb-receiver, drweb-milter, drweb-cgp-receiver, etc.). Several modules of the Receiver component can operate simultaneously, which makes it possible to receive and process mail from several sources at once. Certain modules of the Receiver component support modification/sending of received messages based on the check results received from the drweb-maild component. For example, the drweb-milter module can return the results of the message check to the SendMail system before the SMTP session ends.
  • drweb-maild This is the main component for processing e-mails. The drweb-maild component performs the mime-parsing of messages, transfers the messages for processing to plug-ins and stores messages in the database. The processing of e-mails is made by plug-ins to the drweb-maild module. Plug-ins can be launched and unloaded at any time, without terminating the drweb-maild module. The messages are processed by plug-ins according to the processing order specified by the administrator. The plug-ins are assigned to two queues - BeforeQueueFilters and AfterQueueFilters.

    Immediately after the message is received, it is processed by the plug-in from the BeforeQueueFilters queue. Then, if the AfterQueueFilters queue is empty, the processing results of the message are sent to the Receiver component. If the AfterQueueFilters queue has some other plug-ins, the message, after it is processed by the plugin from the BeforeQueueFilters queue is forwarded to the database and then is sent to the internal queue of the drweb-maild module and the return code of the successful check is sent to the Receiver component. Then the message is checked by the plug-ins from the AfterQueueFilters queue. The check results are either sent to the Receiver component (if such possibility exists, for example, if the check result time-out has not expired yet), or to the Sender component. All the messages generated by plug-ins are also sent via the Sender component. Certain plug-ins require support of the database in order to function. Such plug-ins cannot be assigned to the BeforeQueueFilters queue.

  • drweb-notifier The module generates reports on the operation of the complex. Additionally, installed plug-ins can add their own types of notifications. Requests to generate reports can be sent both by plug-ins (for example, when a virus is found) and by other components of the system. For example, the drweb-maild module can send requests to generate a statistics report for all plugged-in components, and the Sender component can send a request to generate a DSN report when a message cannot be delivered.
  • Sender This component sends messages either directly to different mail systems, or on SMTP/LMTP protocols. Depending on the mail systems and protocols used, the functions of the Sender component are performed by different modules (drweb-sender, drweb-cgp-sender, etc.). The Sender component can receive requests to send messages from drweb-maild, drweb-notifier and drweb-monitor components.
  • drweb-agent The drweb-agent module provides the option to process e-mails both autonomously and being integrated with Dr.Web Enterprise Suite. All components of the system, except for drweb-monitor, receive their configuration files via the drweb-agent module, that is why it should be launched before other components. The drweb-agent module checks the license and collects statistics on the operation of the components of the system: names of detected blocked objects, the volume of the traffic checked, etc.
  • drweb-monitor An auxiliary component which launches and terminates the modules of the system in the specified order and controls their operation. If a module of the system fails, drweb-monitor re-launches it and, if the settings specify it, notifies the administrator.
Plug-ins

At present the following plug-ins are available.

  • DrWeb - the plug-in checks e-mails for viruses by the Dr.Web engine. The scanning is made by the drWebd module. The messages are sent to drWebd being already parsed, that is why support of mime-parsing in the engine or in drWebd is not necessary. The plug-in is highly productive and its detection rate is very high.

    Stable operation
    Due to the modular structure of Dr.Web for UNIX mail servers and a special module responsible for the system's efficiency, it is almost impossible to disable the plug-in.

    High response speed
    Due to multi-threaded scanning technology, the system's response speed is very high. Files are scanned on the fly, without waiting until earlier received messages are processed. This means end users receive e-mails almost instantly!

    High protection level
    Thanks to the combination of a huge virus database and a constantly improving heuristic analyzer, there is no chance for viruses, including micro viruses, Trojan horses and other malware, to penetrate users' computers via e-mail. The plug-in detects malicious programs written for all platforms (Windows, UNIX, DOS), including objects that can infect Microsoft Office files. Users can choose the types of files to be scanned, as well as the reaction to detected threats: reporting, curing of infected objects, moving suspicious objects to quarantine, or renaming.

    Correct check of archives and packed files
    The DrWeb plug-in correctly checks the majority of existing formats of packed files and archives with any nesting level, including multi-volume and self-extracting, which is extremely important for mail systems. The plug-in can process more than 1000 types of archives and packers. While checking archives the administrator can specify the maximum compression level and maximum file size for extraction.

    Quarantine
    Infected and suspicious files detected by the plug-in can be moved to the quarantine. Later they can be additionally scanned, cured or deleted.

    Ease of administration
    Flexible configuration files make it possible to customize the parameters of the plug-in. Any action taken by the plug-in is recorded in the log files, which can be analyzed later. A handy alerting system allows administrators to react quickly to emerging threats.

    Open source solution
    Due to open structure of Dr.Web for UNIX mail servers users can themselves develop additional modules using the DrWeb plug-in with the help of the open SDK and detailed documentation.

  • headersfilter - the plug-in for filtering messages by headers. The plug-in filters not only the message itself, but also the attachments, if any. Users can add their own rules for filtering e-mails, and regular expressions can be used in filtering rules. The flexible settings of the plug-in allow any number of rules to be implemented. The plug-in is almost invisible to the system and never overloads it, functioning almost instantaneously.

    Easy to use
    Regular expressions make it possible to configure the system both to skip e-mails and to filter them. As the number of rules is unlimited, the system can be customized as the user needs.

    Open source solution
    Due to open structure of Dr.Web for UNIX mail servers users can themselves develop additional modules using the headersfilter plug-in with the help of the open SDK and detailed documentation.

    Stable operation
    Due to modular structure of Dr.Web for UNIX mail servers and a special module responsible for the system efficiency it is almost impossible to disable the headersfilter plug-in.

  • vaderetro - the plug-in for filtering for spam using its own library (Vade Retro). Due to dynamically updated code of the anti-spam’s library the filtering speed is always high and the quality of detection is constantly improving. In one second Dr.Web Anti-spam checks over one hundred messages for spam on-the-fly (1.9GHz Pentium 4 CPU)! High filtering speed is combined with low system resources consumption; the anti-spam perfectly functions on mail servers of almost any configuration.

    Depending on the analysis, each message receives a score from the VadeRetro library: an integer ranging from -10000 to +10000. The lower the score, the more likely the message is "legitimate", i.e. not spam. The threshold is set in the SpamThreshold parameter of the configuration file of the plug-in (if the score is equal to or greater than the value of the SpamThreshold parameter, the message is considered to be spam).

    Having analyzed the message the VadeRetro library can add to it the following headers (depending on the settings of the plug-in):

    • X-Drweb-SpamScore: n. n – the score given by the VadeRetro library.
    • X-Drweb-SpamState: b. b – yes for spam and messages with viruses and no for non-spam messages and bounce-messages.
    • X-Drweb-SpamState-Num: s. s – classification result of the VadeRetro library. s can take the following values: 0, 1, 2 and 3. 0 – the message is not spam, 1 – the message is spam, 2 – the message contains a virus, 3 – this is a bounce-message. This header is added if the value for the ddXDrwebSpamStateNumHeader parameter of the vaderetro plug-in’s configuration file is set to yes.
    • X-Drweb-SpamVersion: version. version – version of the VadeRetro library. This header is added if the value for the AddVersionHeader parameter of the vaderetro plug-in’s configuration file is set to yes.
    Additionally, the vaderetro plug-in can add the value of the SubjectPrefix parameter of its configuration file to the beginning of the "Subject:" field of messages classified by the Vade Retro library as spam or as a virus, if the value of SubjectPrefix is not an empty string.
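
    How a downstream filter might read these headers, as an added example (not Doctor Web code): it validates the score against the -10000 to +10000 range, maps X-Drweb-SpamState-Num to its class, and reports duplicated or contradictory verdict headers instead of trusting them. The function name, the SpamThreshold value of 100 and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

SCORE_MIN, SCORE_MAX = -10000, 10000            # range stated on this page
STATE_NUM = {"0": "not-spam", "1": "spam", "2": "virus", "3": "bounce"}
# X-Drweb-SpamState is "yes" for spam and viruses, "no" for non-spam and bounces.
STATE_FOR_CLASS = {"not-spam": "no", "spam": "yes", "virus": "yes", "bounce": "no"}
INT_RE = re.compile(r"[+-]?[0-9]{1,5}")         # strict: no spaces, no underscores


def read_verdict(raw_message, spam_threshold):
    """Return the parsed verdict plus a list of problems found in the headers."""
    msg = message_from_string(raw_message)
    problems = []

    def single(name):
        # Example policy (assumption): more than one copy of a verdict header
        # is ambiguous, so the value is discarded and the fact is reported.
        values = msg.get_all(name, [])
        if len(values) > 1:
            problems.append(f"{name}: {len(values)} copies")
            return None
        return values[0].strip() if values else None

    score = None
    text = single("X-Drweb-SpamScore")
    if text is not None:
        if INT_RE.fullmatch(text) and SCORE_MIN <= int(text) <= SCORE_MAX:
            score = int(text)
        else:
            problems.append(f"X-Drweb-SpamScore: bad value {text!r}")

    state = single("X-Drweb-SpamState")
    if state is not None:
        state = state.lower()
        if state not in ("yes", "no"):
            problems.append(f"X-Drweb-SpamState: bad value {state!r}")
            state = None

    klass = None
    num = single("X-Drweb-SpamState-Num")
    if num is not None:
        klass = STATE_NUM.get(num)
        if klass is None:
            problems.append(f"X-Drweb-SpamState-Num: bad value {num!r}")

    # Cross-checks between the headers, using the rules described above.
    if klass and state and STATE_FOR_CLASS[klass] != state:
        problems.append("X-Drweb-SpamState disagrees with X-Drweb-SpamState-Num")
    if score is not None and klass in ("spam", "not-spam"):
        if (score >= spam_threshold) != (klass == "spam"):
            problems.append("X-Drweb-SpamScore disagrees with X-Drweb-SpamState-Num")

    return {"score": score, "state": state, "class": klass, "problems": problems}


def _make(headers):
    """Build a constructed sample message from a list of header lines."""
    return "\n".join(["From: a@example.com", "To: b@example.com"] + headers + ["", "body"])


# Constructed sample messages (not captured traffic).
SPAM_MSG = _make(["Subject: [SPAM] offer", "X-Drweb-SpamScore: 350",
                  "X-Drweb-SpamState: yes", "X-Drweb-SpamState-Num: 1"])
BOUNCE_MSG = _make(["Subject: Undelivered mail", "X-Drweb-SpamScore: -20",
                    "X-Drweb-SpamState: no", "X-Drweb-SpamState-Num: 3"])
DUPLICATE_MSG = _make(["Subject: offer", "X-Drweb-SpamState: no",
                       "X-Drweb-SpamScore: 350", "X-Drweb-SpamState: yes",
                       "X-Drweb-SpamState-Num: 1"])
MISMATCH_MSG = _make(["Subject: offer", "X-Drweb-SpamScore: 50",
                      "X-Drweb-SpamState: yes", "X-Drweb-SpamState-Num: 1"])

if __name__ == "__main__":
    for sample in (SPAM_MSG, BOUNCE_MSG, DUPLICATE_MSG, MISMATCH_MSG):
        print(read_verdict(sample, spam_threshold=100))
```
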

    Filtering techniques

    The anti-spam technologies consist of several thousand rules which can be divided into several groups.

    Heuristic analysis
    A highly intelligent technology that empirically analyzes all parts of a message: header, message body, etc. Not only the message itself but its attachment(s) is analyzed. The heuristic analyzer is constantly improved; new rules are frequently added.

    Counter-reaction
    The counter-reaction technique is one of the most advanced and efficient technologies of Dr.Web anti-spam. It helps counteract techniques and tricks used by spammers.

    HTML-patterns
    Messages with HTML-coding are compared with a list of known patterns from Dr. WEB’s anti-spam library. Such comparison, in combination with data on image sizes typically used by spammers, helps protect users against spam messages with HTML-code, which often include online images.

    Semantic analysis
    During a semantic analysis words and phrases from a message are compared with words and phrases typical for spam. The comparison is made against a predefined dictionary. All words, phrases and symbols are analyzed – both those visible to the human eye and those masqueraded by the technical tricks of spammers.

    Anti-scamming technology
    Scam (as well as pharming messages – a type of scam-messages) is the most dangerous type of spam. Included here are the so-called “Nigerian” scams, loan scams, lottery and casino scams and false messages from banks and credit organizations. A special module in Dr.Web anti-spam is used to filter such scams.

    Technical spam filtering
    So-called bounce messages may appear as a reaction to viruses, or as a manifestation of a viral activity – for example, messages from the self-spreading mass mailing worm or e-mail delivery failure messages, and are as undesirable as spam. A special module of Dr.Web Anti-spam filters such messages as unwanted.

Licensing

Dr.Web for UNIX mail servers is licensed as:
  • Dr.Web for UNIX mail servers, anti-virus
  • Dr.Web for UNIX mail servers, anti-virus + anti-spam
The licenses, however, do not provide for integration of Dr.Web for UNIX mail servers with file servers and Internet Gateways. Their complex operation requires additional licenses.

Licensed components

  • Dr.Web Daemon - the anti-virus server, version 4.33 and higher, processing requests for scanning and curing received as files or via a socket from filters. Dr.Web Daemon uses the same engine and the virus database as all scanners of the Dr.Web family providing the same level of protection.
  • High-performance Dr.Web anti-virus scanner with text interface functioning in the console mode (or in X Windows emulator).
  • A set of anti-virus filters for Sendmail, Qmail, Postfix, Communigate Pro, Courier MTA, ZMailer and Exim mail systems.
  • The basic part of the complex, the monitoring and external systems interaction utilities.
  • SDK for development of additional plug-ins.
  • Automatic updating utility for hot updates every time the computer is connected to Internet.
There are the following types of licenses.
  • Address license
    This license type is available for 15, 30, 50 and any number of addresses above 50. Aliases are disregarded. Licenses for 15 and 30 addresses require each protected address to be listed in a separate file. For the product to check a message, at least one of the addresses in the SMTP envelope must match one of the protected addresses (the comparison is case-insensitive). Thus, if the address foo@bar.example.com can send messages as foo, foo@bar.example.com or foo@example.com, all three must be listed in the corresponding file. If an e-mail is found "uncheckable", a notice that it has not been checked because the license is exhausted (or expired, or blacklisted) is inserted into its body.
  • Per server license
    The license allows using the Daemon for check of the unlimited number of e-mails on one server, with number of protected addresses not more than 3000. The volume of the filtered mail is limited by the server hardware only.
  • Unlimited license
    The license allows using the Daemon for check of the unlimited number of e-mails on any number of servers.
Licensing of SDK
SDK is distributed free of charge. Plug-ins developed on its base by third-party developers are free of charge for non-commercial distribution. For commercial distribution such plug-ins should be certified and it is subject to a charge.

Doctor Web, Ltd. © 2008 Doctor Web, Ltd. - a Russian company developing and distributing Dr.Web® Anti-virus solutions.
Our customers can be found among home users from all regions of the world and in large enterprises, small companies and nationwide corporations. We thank all of them for support and long-term devotion to our product. State certificates and awards received by the Dr.Web Anti-virus, as well as the geography of our users are the best evidence of exceptional trust to the products created by the talented Russian programmers.