Email Protection Administrator Guide

Updated: February 2012

Proprietary and Confidential

RESTRICTION ON USE, PUBLICATION, OR DISCLOSURE OF PROPRIETARY INFORMATION.

Copyright © 2021 McAfee, Inc.

This document contains information that is proprietary and confidential to McAfee. No part of this document may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from McAfee. All copies of this document are the sole property of McAfee and must be returned promptly upon request.

McAfee, Inc.
9781 South Meridian Blvd., Suite 400
Englewood, CO 80112 USA
Direct +1 720-895-5700
Fax +1 720-895-5757

February 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 2

Contents

1 Overview
Differences in Administration for Service Providers
Account Management Necessary for Email Protection
MX Record Validation
Alias Domain Names
Auto-creation of Users
Email Filtering Policies
Types of Inbound Email Filtering
    Anti-Spam Filtering
    Real-time Blackhole List
    Anti-Virus Filter
    Content Filtering and ClickProtect
    Attachment Filtering
    Multi-Level Allow and Deny Lists
Types of Outbound Email Filtering
Configurable Actions for Filtered Email
    Notifications for Filtered Email
User-level Policy Configurations
Quarantine
    Emailed Reports of Quarantined Spam Emails
Customizing the Interface
Licensed Branding
Language Localization
Outbound Disclaimer
Notifications
Monitoring and Reporting
Optional Utilities
Spam Control for Outlook®
Disaster Recovery Services
Fail Safe
Message Continuity

2 Access Email Protection Administration
Who Can Access Email Protection Administration Screens
Other Documents You Might Need

Email Protection Documents
Web Protection Service Documents
Message Archiving Documents
User Guides
Ensure You Can Receive Email from Your Service Provider
Sign into the Control Console
Reset Your Password from the Sign in Page

3 Check the Status of Email Protection on the Overview

4 Set up Your Servers
Confirm Your Inbound Servers Setup
Set up Additional Inbound Servers
Delete an Inbound Server
Add IP Address of Outbound Server, If Necessary
Delete an Outbound Server
Set up a Smart Host (If Outbound Mail Defense is Turned on)
Add an Outbound Email Disclaimer
Redirect Your MX Records
Check Your MX Record
Set up User Creation Mode — SMTP Discovery or Explicit

5 Customize Inbound Mail Filters
Enterprise or Service Provider Customer
Create a Custom Policy (Enterprise Customer Only)
Configure a Virus Filter
Set Email Protection to Notify Users about Emails with Viruses
Configure a Spam Filter
Define the Action to Take on Spam
Define Additional Words That Indicate Spam
Set up Spam Quarantine Reports
Configure a Content Filter

Turn Off a Default Content Filter
Custom Content Group
Notify Users about Spam Content
Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons
Configure Web Hyperlink Filters (ClickProtect)
    Upload a List of Allowed URLs
    Download a List of Allowed URLs from the Control Console
Define an Attachment Filter
Filter by Attachment File Types
Filter by Attachment File Name
Filter Zip File Attachments
Notify Users about Attachment Violations
Allow or Deny Email to or from Specific Addresses
Allow Email from a Specific Address
    Sender Policy Framework (SPF)
Deny Email from a Specific Address
Deny Email to a Specific Recipient
Save a Copy of an Allow, Deny, or Recipient Shield List
Add Allow, Deny, or Recipient Shield Addresses with a Batch File
Transport Layer Security
Enforced TLS tab
    Notifications Subtab
Define the Format and Text of Notifications to Users
Variables within a Notification
Define the Format and Text of Virus Notifications
Define the Format and Text of Content Violation Notifications
Define the Format and Text of Attachment Violation Notifications
Enforced TLS
    Enforced TLS Subject Headers
Disaster Recovery
Assign a Group to the Custom Policy

6 Customize Outbound Mail Filters
Create a Custom Outbound Policy
Configure a Virus Filter
Configure a Content Filter
Email Encryption for Content Groups
    Group Names
Define an Attachment Filter
Define the Format and Text of Notifications to Users

Assign a Group to the Custom Policy

7 Managing Quarantine Reports
Set up Quarantine Reports
Monitor Users’ Quarantined Email
Primary Email Addresses, Aliases, and Public Domain Addresses
Search for Quarantined Email
Interpret the Search Results
Sort the Search Results
Delete Quarantined Messages
Release Quarantined Messages
View Quarantines Messages
Monitor Your Own Quarantine

8 User-Level Policy Configuration

9 Set up Disaster Recovery Services
Administer Disaster Recovery Services
Set up Spooling for Disaster Recovery
Set up Notifications of Disaster Recovery

10 System Reports
Email Protection Reports
View an Email Protection Report
    Change the Graphic Display of the Report
    Download a Report
Traffic Overview
Traffic: TLS Report
    Traffic Summary
    Bandwidth Summary
Traffic: Encryption
    Email Encryption Summary
    Email Encryption Bandwidth Summary
Threats: Overview
Threats: Viruses
Threats: Spam
Threats: Content
Threats: Attachments
Enforced TLS Details

    Traffic Summary
ClickProtect: Overview
ClickProtect: Click Log
Quarantine: Release Overview
Quarantine: Release Log
View Details of Log Items
User Activity
Event Log
Audit Trail
Inbound Server Connections
Disaster Recovery: Overview
Disaster Recovery: Event Log
Administer MSP Connector
Configure the MSP Connection
Add Domains to the MSP Connection
    Remove Domains from the MSP Connection
Turn on Exception Notifications for the MSP Connection
View an MSP Connector Audit Report
    Download an Audit Report
Administer Performance Reports
Performance Report Descriptions
    Inbound Messages Report, Weekly or Monthly
    Outbound Messages Overview

11 Tips and Frequently Asked Questions
FAQs
    User Management
    Email Filtering
    System Configuration
Tips/Techniques
    Change Zip File Attachment Policy
    Wrong Email Got Past Filter

1. Overview

Email Protection provides security services that safeguard corporations from unsolicited spam email ("junk mail"), viruses, worms, and unwanted content at the network perimeter before they can enter the internal network.

Multiple layers of Email Protection provide secure and complete email filtering to protect your users. You can enable or disable specific layers by changing the licensed packages of features and/or through configuring the specific email policies in the Control Console, the comprehensive graphical interface into Email Protection.

This document describes the tasks necessary to configure and maintain your Email Protection.

Differences in Administration for Service Providers

This document is for use by Enterprise customers only. Service Provider customers do not administer groups for Email Protection and therefore, do not assign groups to email filtering policies. Instead, Service Provider customers assign policies directly to domains.

The capabilities for managing policies and groups, as described in this document, apply only to Enterprise customers.

Account Management Necessary for Email Protection

Account Management is a set of administrative screens you use to configure and manage the entities that use or are affected by Email Protection, as well as the Web Protection Service (WDS) and Message Archiving products. These entities include:

• Domains
• Users
• Other administrators, including other Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers

In addition, for Email Protection only, you use Account Management to administer groups of users that share a common email filtering policy.

For more information, see Account Management Administrator Guide.

MX Record Validation

You can validate that the MX Records that are configured for your domain are properly redirected by entering the specific DNS and/or IP address for your MTA server. The Control Console displays the MX Record configuration as reported by the authoritative DNS server(s).

See Check Your MX Record.

Alias Domain Names

You can configure “alias” domain names that act as virtual domains using the configurations and email addresses defined in the primary Domain name. Email addresses are created automatically for alias domains (for example, “[email protected]” is automatically created for “[email protected]”), allowing the single user to receive email for both addresses.

For more information, see Account Management Administrator Guide.

Auto-creation of Users

Email Protection automatically creates new user accounts if all of the following are true:

• SMTP Discovery is enabled. SMTP Discovery, which is enabled by default, is a convenient way to add users to your service. However, this capability might also add users who are not real users at your company and not add users who are real.

• Three to six emails for that email address have been received, passed filtering, and accepted by your email server within a configured time period (typically, a single day).

• A user account does not exist for the email address in the designated Domain.

• The emails were not addressed to an alias domain name.

For more information, see Set up User Creation Mode — SMTP Discovery or Explicit.

Email Filtering Policies

Email Protection has default inbound and outbound mail filters to block and clean malicious email and to quarantine email that might be malicious. The filters are configured by using policies, which are the parameters for the filters. Default policies are automatically assigned to each of your domains.

You can customize the default inbound policy for each domain, or each group, to fit your business needs.

For more information, see Customize Inbound Mail Filters.

Types of Inbound Email Filtering

Email Protection can filter both inbound and outbound email. Inbound filtering that is available to be configured is as follows:

• Anti-Spam Filtering
• Real-time Blackhole List
• Anti-Virus Filter
• Content Filtering and ClickProtect
• Attachment Filtering
• Multi-Level Allow and Deny Lists

Anti-Spam Filtering

Spam is usually defined as unsolicited (and usually unwanted) and commercial email sent to a large number of addresses. However, what one recipient may consider as spam, another recipient would consider as legitimate email.

In addition, spam has become a tool of hackers and “electronic terrorists” who deliberately attempt to gather proprietary information from computer systems and/or attempt to cause harm to a company’s email system. Typically, these types of spammers deliberately use naming standards, hijacked “From:” addresses, scrambled content, etc., to bypass spam filters such as blacklists and keyword lists.

Using Stacked Classification Framework®, Email Protection provides the most comprehensive and effective spam-blocking product on the market today—blocking 98% of spam and providing an industry-leading low false positive rate (legitimate email marked as spam).

The Stacked Classification Framework aggregates the most effective spam filters and techniques in the industry into a spam likelihood. As appropriate, email is assigned a “high” or “medium” likelihood of being spam. A separate email action can be assigned to each likelihood.

The spam classification techniques include the following:

Spam Filter Type: Description

IP Reputation Connection Manager: This filter operates at the front of the Stacked Classification Framework. It rates the reputation of every incoming email, based on IP reputation data collected by your Email Protection provider on an on-going basis. Connections are dropped for all messages which originate from IP addresses that are determined to carry a reputation for sending spam.

Bayesian Statistical Filtering: Statistical algorithms built by your Email Protection provider identify and quantify the possibility that an email is spam based on how often elements in that email have appeared in identified spam emails.

Industry Heuristics: Email Protection incorporates thousands of successful industry-wide spam-fighting rules to recognize characteristics of spam.

Proprietary Heuristics: Email Protection experts write and update thousands of proprietary rules to block spam, including fraudulent “phishing” spam, using real-time data from your service provider’s Threat Center.

URL Filtering: URL filtering works by comparing embedded links found in emails with URLs associated with identified spam.

Reputation Analysis: Email Protection constantly monitors inbound email to build a list of IP addresses and domain names to rate the reputation of the sender based upon the percentage of spam emails received from that address in the past.

Reputation-Based RBL Filtering: Using up to 31 real-time blackhole lists (RBLs) of known spammers provided by the industry, Email Protection creates a single RBL indicator to help gauge the likelihood of an email being sent by a known spammer. Using multiple blacklists to create a single vote, and rating the reputation of each RBL based on its accuracy at distinguishing spammers from senders of legitimate email, helps to minimize the possibility of a non-spammer being blocked by mistake.

Sender Policy Framework (SPF): The SPF classifier helps identify and block fraudulent “spoofing” emails – those sent by spammers with forged “From” addresses – from entering your email network. For each inbound email, the SPF classifier will look up the sending domain’s Domain Name System (DNS) record and its list of authorized IP addresses.

Emails that carry an IP address not found on the authorized list will be included within the Stacked Classification Framework for the detection of spam. By determining whether or not the relationship between the DNS record and the IP address is legitimate, Email Protection is able to more accurately filter out fraudulent spoofed emails. As a result, Email Protection reduces risk for users who might be duped by the email into divulging confidential personal information.

Real-time Blackhole List

The Real-time Blackhole List (RBL) is a system for creating intentional network outages ("blackholes") for the purpose of limiting the transport of known-to-be-unwanted mass email. The RBL is a database of IP addresses that are reported to be spam sources.
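The SPF check described in the spam filter table (look up the sending domain's DNS record, then compare the connecting IP address with its authorized list) can be illustrated as follows. This Python code is an added example, not part of the guide and not the product's implementation: it evaluates only the ip4, ip6, include and all mechanisms of RFC 7208 against constructed records, and the names SAMPLE_TXT, spf_result and needs_spam_scoring are hypothetical.

```python
import ipaddress

# Constructed SPF TXT records; domains and address ranges are documentation values.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.16/28 ip6:2001:db8:25::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # misconfigured: includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on mechanisms that trigger DNS queries


class SpfPermError(Exception):
    """The published record cannot be evaluated (RFC 7208 'permerror')."""


def _evaluate(addr, domain, lookup_txt, budget):
    record = lookup_txt(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError as exc:
                raise SpfPermError(f"bad network in {term!r}") from exc
            if net.version != int(name[2]):
                raise SpfPermError(f"address family mismatch in {term!r}")
            matched = addr.version == net.version and addr in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                raise SpfPermError("too many DNS lookups")
            inner = _evaluate(addr, value.lower(), lookup_txt, budget)
            if inner == "none":
                raise SpfPermError(f"included domain {value!r} has no SPF record")
            matched = inner == "pass"  # only an inner 'pass' makes include match
        else:
            # a, mx, exists, ptr and redirect= are outside this example's scope.
            raise SpfPermError(f"term not handled in this example: {term!r}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all'


def spf_result(client_ip, mail_from_domain, lookup_txt=SAMPLE_TXT.get):
    """SPF result for the connecting IP and the envelope sender (MAIL FROM) domain.

    SPF is evaluated against the envelope sender, not the header From: line.
    """
    addr = ipaddress.ip_address(client_ip)
    try:
        return _evaluate(addr, mail_from_domain.lower(), lookup_txt, [MAX_LOOKUPS])
    except SpfPermError:
        return "permerror"


def needs_spam_scoring(result):
    """Assumption: an unauthorized IP is a signal for the spam classifier, not a hard reject."""
    return result in ("fail", "softfail")


if __name__ == "__main__":
    # Constructed connections: (connecting IP, envelope sender domain).
    for ip, domain in [("192.0.2.25", "example.com"),
                       ("198.51.100.40", "example.com"),
                       ("203.0.113.9", "nospf.example")]:
        result = spf_result(ip, domain)
        print(ip, domain, result, needs_spam_scoring(result))
```

A result of "none" or "permerror" says nothing about whether the sender is authorized, so the helper does not flag those cases.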

Anti-Virus Filter

Email Protection provides highly effective, organization-wide virus and worm protection. By identifying viruses and worms at your network perimeter—before they enter or leave your messaging infrastructure—Email Protection minimizes outbreak and infection risks to your enterprise messaging infrastructure. You can configure whether infected emails are quarantined, denied, or stripped of infection.

• Provides maximum protection using multiple, industry-leading anti-virus engines to allow Email Protection to customize the protection to meet the latest threats.

• Virus definition updates every 5 minutes provide up-to-the-minute defense against the latest threats.

• Provides safe, external virus scanning and quarantine management for protection against viruses before they reach your network. Protects your users, networks, and data from harm.

Content Filtering and ClickProtect

Email Protection protects your organization and reduces liability and risk by automatically identifying unwanted and malicious content before it enters or leaves your network.

You can enable any of the following types of content filtering:

Content Filter Type Description

Predefined Content Keyword Groups

You can enable or disable predefined content keyword groups provided by Email Protection:
• Profanity
• Sexual Overtones
• Racially Insensitive

Customized Content Keyword Groups

You can define customized content keyword groups containing terms and phrases to satisfy the business and security needs of your organization.

Multiple Levels of HTML Filtering

You can designate the level of HTML filtering to be used (low, medium, or high), with predefined actions for each level. Depending on the level, malicious HTML tags and scripting options embedded in email are stripped.

Graphic Image Replacement

You can enable or disable the automatic replacement of images with a transparent 1x1 pixel GIF within HTML emails.

Stripping of Spam Beacons or Web bugs

“Spam beacons” and “web bugs” are typically transparent, 1x1 pixel graphics embedded in HTML content that send information about your system to the source (usually a URL) of the spam beacon or web bug. Typically, web bugs are used on Web sites to monitor surfing behavior, but now spammers are hiding them in their mass mailings as spam beacons. If the graphic is not removed before an email is opened, the spam beacon sends a signal back to the spammer’s URL that lets the spammer know whether the email was opened and if the recipient’s email address is valid. If the spammer gets this signal, the recipient is marked as a “valid” email address and is guaranteed to receive more spam in the future.

You can enable or disable the automatic stripping of spam beacons or Web bugs within HTML emails.

Disabling hyperlinks within email with ClickProtect℠

ClickProtect allows you to monitor, and to enable or disable, whether Web hyperlinks received in emails can be clicked and followed by the user. With multiple levels of ClickProtect policy control, Administrators can customize the desired level of protection. This feature supports blocking phishing sites and accidental downloads of viruses and worms.

Attachment Filtering

Email Protection provides you the ability to control the types and sizes of allowed attachments entering your email network. You can control attachment filtering using any of the following:

Attachment Filter Type Description

Attachment Filtering by File Type

You can enable or disable filtering of attachments by file type. File type is determined using the file extension, MIME content type, and binary composition.

Attachment Filtering by Size

You can designate a maximum allowed size for each enabled attachment type.

Custom Attachment Rules by Filename

You can configure custom rules using filenames that override the “global” settings for an attachment file type. You can designate that the rule use the entire filename or any part of the filename.

Filtering for Files Contained within a Zip File Attachment

You can configure custom rules to cause Email Protection to analyze the files within a zip file attachment, if possible, to determine if a file in the zip file violates attachment policies. If the zip file cannot be analyzed, you can designate the email action to be applied.

Encrypted or “High Risk” Zip File Attachment Rules

You can configure custom rules for emails with encrypted zip files and/or zip files that are considered “high risk” (too large, too many nested levels, etc.).

Multi-Level Allow and Deny Lists

Email Protection allows you to define lists of emails that will always be denied (“blacklists”) or will always be accepted (“whitelists”) at multiple levels. In addition, you can enable third-party Real-time Blackhole Lists to be used to filter unwanted emails.

The administrator-level lists override the user-level lists in a top-down manner: global lists first, policy set lists next, and lastly user-level lists. For example, if the same address is added to a user-level Allow list and the policy set Deny list, the address is always denied.

At the same level, the Allow list overrides the Deny list. For example, if you designate a range of email addresses (for example, by designating an entire domain) in the Deny list, but then designate a single email address from that domain in the Allow list, the email from that single address will be always accepted while the email from any other address in the domain in the Deny list will be always denied.

The same address string cannot be added multiple times in the same list or added to both the Allow and Deny lists.

Be aware that emails that have been quarantined by Email Protection may not need to be added to Deny lists because they are already being blocked from entering your email network.

Following are the types of Allow and Deny lists that are available in Email Protection:

Allow/Deny List Type Description

Global Deny List

If your Email Protection provider determines that a Sending SMTP has sent too many invalid incoming emails within a specified time period, it will add the IP address for that Sending SMTP to a Global Deny List for a designated time period (default is 2 hours). During the denial period, all emails received from that Sending SMTP will be automatically denied. This process helps to protect against dictionary harvest and Denial of Service attacks. This process can be disabled at the system level.

Policy set-level Sender Deny Lists and Sender Allow Lists

Sender Deny lists indicate sender addresses from which email is denied automatically. Sender Allow lists indicate sender addresses from which email is allowed without spam, content, or attachment filtering (virus filtering is always enabled unless specifically disabled).

You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file.

Each policy set affects the email filtering for all user accounts in the groups that are subscribed to that policy set.

User-level Deny Lists and Allow Lists

Maintained by you and/or the user, Deny lists indicate sender addresses from which email is denied automatically. Allow lists indicate sender addresses from which email is allowed without spam filtering (all other enabled filtering will be applied).

You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file.

These lists affect only the emails received for the designated user account and its alias addresses (“user-level” lists).

Recipient Shield List

You can define a list of recipient email addresses for which you want to specify special email actions (for example, you want to deny all emails for a user who is an ex-employee). You can also specify the email action to take if the recipient email address is invalid in your system (permfailed by your email server as an “invalid recipient”).

Types of Outbound Email Filtering

You can add outbound filtering to each package, helping to ensure the safety and appropriateness of information being sent from your corporate email system to valued customers or business partners.
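The precedence rules given under Multi-Level Allow and Deny Lists (levels consulted top-down, Allow over Deny within a level, no repeated strings), worked through as an added example that is not code from Email Protection. The entry syntax ('user@domain', a bare domain or IP, '*' wildcards), the class and function names and all sample addresses are assumptions.

```python
from fnmatch import fnmatchcase

ALL_FILTERS = {"virus", "spam", "content", "attachment"}
# Filters skipped after an Allow match, taken from the list descriptions:
# a policy set Allow skips spam, content and attachment filtering (virus stays on),
# a user-level Allow skips spam filtering only.
SKIPPED_ON_ALLOW = {"policy set": {"spam", "content", "attachment"}, "user": {"spam"}}


class ListLevel:
    """One level of Allow/Deny lists: 'global', 'policy set' or 'user'."""

    def __init__(self, name):
        self.name = name
        self.lists = {"allow": [], "deny": []}

    def add(self, kind, entry):
        entry = entry.strip().lower()
        # The same string may not repeat within a list or sit in both lists.
        if any(entry in entries for entries in self.lists.values()):
            raise ValueError(f"{entry!r} is already listed at the {self.name} level")
        self.lists[kind].append(entry)
        return self

    def matches(self, kind, sender, sender_ip):
        return any(entry_matches(e, sender, sender_ip) for e in self.lists[kind])


def entry_matches(entry, sender, sender_ip):
    """Assumed syntax: entries with '@' match the address, others the domain or IP."""
    sender = sender.lower()
    if "@" in entry:
        return fnmatchcase(sender, entry)
    domain = sender.rsplit("@", 1)[-1]
    return fnmatchcase(domain, entry) or fnmatchcase(sender_ip, entry)


def resolve(sender, sender_ip, levels):
    """Walk the levels top-down; the first level with any match decides.

    Within that level an Allow match wins over a Deny match.
    Returns (decision, deciding level, sorted filters still applied).
    """
    for level in levels:
        if level.matches("allow", sender, sender_ip):
            skipped = SKIPPED_ON_ALLOW.get(level.name, set())
            return "allow", level.name, sorted(ALL_FILTERS - skipped)
        if level.matches("deny", sender, sender_ip):
            return "deny", level.name, []
    return "filter", None, sorted(ALL_FILTERS)  # no list matched: normal filtering


def build_sample_levels():
    """Constructed lists, ordered global, policy set, user (placeholder addresses)."""
    global_level = ListLevel("global").add("deny", "203.0.113.7")
    policy = ListLevel("policy set")
    policy.add("deny", "bulk.example")            # whole domain denied ...
    policy.add("allow", "invoices@bulk.example")  # ... except this one address
    policy.add("deny", "eve@partner.example")
    user = ListLevel("user")
    user.add("allow", "eve@partner.example")      # overridden by the policy set Deny
    user.add("allow", "*@news.example")
    return [global_level, policy, user]


if __name__ == "__main__":
    levels = build_sample_levels()
    for sender, ip in [
        ("eve@partner.example", "192.0.2.1"),
        ("invoices@bulk.example", "192.0.2.1"),
        ("promo@bulk.example", "192.0.2.1"),
        ("digest@news.example", "192.0.2.1"),
        ("anyone@other.example", "203.0.113.7"),
    ]:
        print(sender, ip, resolve(sender, ip, levels))
```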

Filter Type Description

Content Filtering

This feature automatically prevents inappropriate, malicious, or confidential content from leaving your corporate email system, allowing you to monitor and enforce your corporate email policies.

Attachment Filtering

Outbound attachments can be filtered by size, by MIME content type, or by binary content, according to your corporate email policies.

Virus Scanning

Outbound virus scanning stops viruses and worms from leaving your corporate email system, preventing your enterprise from being the source of email-borne viruses to customers, suppliers, and partners.

Configurable Actions for Filtered Email

In Email Protection, email filtering policies control how emails are filtered within a specific Domain and how Email Protection will respond during email filtering and reporting. Depending on the feature package that is licensed for a domain, specific email filters will be available to be enabled and configured. Also, depending on the enabled email filter, various actions must be configured that define how Email Protection will respond if an email violates the specific filter policy.

Based on the defined policy configuration, each email that violated the specified policy can have any of the following actions taken, depending on the type of policy:

Action Description

Quarantine

The email is added to the respective quarantine area and is not sent to the recipient email address. If the email violated a spam policy, the email is reported in the user’s Spam Quarantine Report.

Tag

The subject line of the email has a descriptive phrase (for example, “[SPAM]”) added to the beginning of the subject text and the email is sent to the recipient email address.

Deny Delivery

The email is blocked automatically. Depending on the sending system’s configuration, the email sender may or may not be notified with a 5xx Deny email.

Do Nothing or Allow Delivery

The email is forwarded to the recipient email address with no processing applied. The values in the reports and the Overview window will be incremented for the relevant email policy to indicate that an email did trigger the specific policy.

Silent Copy

A copy of the email is forwarded to a list of designated email addresses with no notification to the sender or recipient.

Strip Attachment

If the email had an attachment that violated configured policies, this action causes that attachment to be removed from the email and the email is sent to the recipient email address. Text is inserted into the email notifying the recipient that an attachment has been stripped. Only the attachment that violated the policy is stripped.

Clean

If the email had an attachment that contained a virus or worm, this action attempts to remove the virus or worm and preserve the attachment. If the clean is successful, text is inserted into the email notifying the recipient that an attachment had contained a virus and was cleaned. If this action is selected, a second “fall-back” action also must be designated in case the Clean action fails. This action is specific to the virus filtering policies.

Custom X-Header

If the email was determined to have a high or medium likelihood of being spam, you can configure that a custom X-header be inserted into the email. This X-header can be used by your email servers to perform additional actions within your network, such as redirecting the email. Each spam likelihood can have a different custom X-header. This action is specific to the spam filtering policies.

Disable Filter

A non-administrator user cannot disable virus filtering if it is licensed and enabled for a specific Domain or policy set. Only Administrators can enable or disable virus filtering for a specific Domain or policy set.

You can designate that Email Protection first attempts to remove the virus from an infected attachment, and if the clean fails, perform another action. You can designate that only the infected attachment is stripped, and the remaining email contents and attachments are sent to the recipient.

Notifications for Filtered Email

You can enable or disable email notifications to the sender and/or recipient email addresses of email that was filtered because of virus, content keywords, or attachment.

For more information, see one of the following:

• Set Email Protection to Notify Users about Emails with Viruses
• Notify Users about Spam Content
• Notify Users about Attachment Violations

User-level Policy Configurations

By default, policy configurations are defined for each domain and group. All emails received for all user accounts within a domain or group are processed using the same policy configurations.

Optionally, user-level policy configurations can be defined for individual users that override the Domain/Group policies. Thus, if there is a conflict between a user-level policy and any of the other types of policy configurations, the user-level policy setting will be used. These user-level policy configurations allow customization of email actions for each user.

User-level policies are confined to the following policies:

• Enable or disable email processing for spam, virus, content keyword, attachments, and/or HTML content.

• Specify actions to take for emails if they are determined to have a high or medium likelihood of being spam.

• Configure the spam quarantine reporting.


To manage the policy for an individual user, see User-Level Policy Configuration.

To establish user control of policies, see Set up Spam Quarantine Reports.

Users also can have some control over their policies.

Quarantine

Email Protection provides multiple quarantine areas with different security accesses to store and support review of suspect email outside of your email network.

Emails that violate configured policies and that have the Quarantine action applied are sorted into multiple quarantines to ease email management and support security levels:

• Spam Quarantined Messages – Accessible to all users; users with the role of User or Reports Manager can access only their own personal spam quarantine

• Virus Quarantined Messages – Accessible to only Administrators and Quarantine Managers

• Attachment Quarantined Messages – Accessible to only Administrators and Quarantine Managers

• Content Keyword Quarantined Messages – Accessible to only Administrators and Quarantine Managers

Within each quarantine, you can do any of the following:

• Delete selected emails or all emails
• Release selected emails or all emails for delivery to the recipient
• View selected email in a Safe View window
• Add the sender email addresses to the recipients’ user-level Allow list and release the emails (available only for quarantined spam emails)

Emailed Reports of Quarantined Spam Emails

Optionally, emails are sent to users to indicate that spam emails have been quarantined, using either of the following types of emails:

• Spam Quarantine Report

Spam Quarantine Reports are HTML-based email notifications of quarantined spam emails that are sent to users. Multiple links in the Reports allow management of quarantined spam email based on policy set-level and user-level configurable control settings. When the user clicks a link, the designated action is performed and the user is automatically logged into the Control Console.

• Spam Quarantine Summary

Spam Quarantine Summaries are optional text-based email notifications of quarantined spam email sent to users, to support email applications that are not HTML-compatible. The user clicks the link provided in the email and is automatically logged into the Control Console. Once logged in, the user can navigate to the relevant window to manage the spam quarantine and modify personal settings.


Customizing the Interface

Licensed Branding

There are multiple branding levels that control the appearance and URL addresses used within the Control Console and Spam Quarantine Reports and Summaries:

• Standard – Branding uses images and addresses provided by your service provider.
• Private – You control the images and addresses.
• Cobrand – Branding uses images provided by you and your service provider, and addresses provided by you.
• White Label – Branding uses no identifying images and uses addresses provided by you.

Branding levels other than Standard must be licensed separately.

For more information, see “Rebrand Your User Interface” in Account Management Administrator Guide.

Language Localization

Within the Control Console, windows and features available to the non-administrative user (whose role is User) can be provided in translated form supporting multiple languages. When the user logs in via the Sign in window, he or she can select the desired language in the Language field. Thereafter, all spam quarantine reporting emails and window and field labels will be provided in the designated language.

The following languages are supported:

• Brazilian Portuguese
• Chinese Simplified
• Chinese Traditional
• Danish
• Dutch
• English
• Finnish
• French
• German
• Italian
• Japanese
• Korean
• Norwegian
• Portuguese
• Russian
• Spanish
• Swedish
• Turkish


This feature is available only to non-administrative user accounts. This feature must be enabled at the system level to be available.

As a Customer Administrator, you can set the language for a user on the user’s Preferences screen. See “Set User Display Preferences, Including Your Own” in Account Management Administrator Guide.

Outbound Disclaimer

You can define text that will be appended to the email content to support liability or legal requirements for your organization. Every email that was sent from your organization to Email Protection for email filtering will have the designated text added to the end of the email content. This feature requires that outbound filtering be licensed.

See Add an Outbound Email Disclaimer.

Notifications

You can customize the content of the notification email for each combination of the type of filter and each type of email action (quarantine, deny, or strip).

See Define the Format and Text of Notifications to Users.

Monitoring and Reporting

Email Protection provides near-real-time monitoring for most reports of system usage, email filtering, etc., for the designated Domain and date or date range. Report data can be downloaded to a Microsoft Excel spreadsheet file (*.csv).

There are multiple reports available for viewing in the Control Console:

For more information, see System Reports.

Optional Utilities

Your service provider provides additional, free tools that provide additional support for your email network.

Spam Control for Outlook®

If you receive email that you feel should have been filtered as spam, you can use the Spam Control for Outlook® plug-in. The Spam Control for Outlook plug-in automatically packages the email data, forwards it to your service provider’s Threat Center, and then deletes it from your Microsoft Outlook mailbox. This utility only works for the Outlook mail client.

You can download this utility at the following location:

http://www.mxlogic.com/services/spam_blocking/spam_control.html

Disaster Recovery Services

Fail Safe

The Fail Safe Disaster Recovery Service provides protection against lost emails in the case when your inbound email server (a.k.a. Customer MTA server) may be unavailable to receive email. If you have multiple inbound servers configured in Email Protection, all of these servers must be unavailable before Fail Safe is invoked.

When your inbound servers become unavailable, Fail Safe begins “spooling” email, which means Fail Safe stores your emails in a temporary location until your inbound server becomes available. Once any of your inbound servers becomes available, Fail Safe begins “unspooling” the emails. That is, Fail Safe restores these stored emails to the inbound server using the "first in, first out" order.

The messages Fail Safe stores are not available until the messages have been unspooled. Fail Safe has an unlimited amount of storage capacity but removes messages that have been in Fail Safe storage for more than 5 days.

For more information, see Administer Disaster Recovery Services.

Message Continuity

Message Continuity saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Message Continuity delivers the messages. Users can access their messages through a Web-based interface while messages are in Message Continuity only.

Message Continuity also has unlimited storage capacity and removes messages that have been in Message Continuity storage for more than 60 days.

For more information, see Administer Disaster Recovery Services.


2. Access Email Protection Administration

Who Can Access Email Protection Administration Screens

As a customer of Email Protection, you can have administrators who access the Control Console with different levels of privileges within Account Management and Email Protection.

The levels of administrative users you can add are as follows:

Administrative level Description

Reports Manager

The Reports Manager can view, for an assigned domain, reports available with Email Protection. The Reports Manager can also manage his or her own user preferences and all other tasks a user can perform.

Group Administrator

The Group Administrator can add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create, edit, and modify Email Protection policies for the assigned groups. Finally, a Group Administrator can view user lists and user details. A Group Administrator does not need to be a member of a group in order to have these capabilities.

Note: A Group Administrator cannot add or remove a group nor edit user information.

Quarantine Manager

The Quarantine Manager, for an assigned domain, can manage the same areas as a Reports Manager, plus manage, for the assigned domain, all users’ Quarantine for spam and other problematic messages, only if Email Protection is enabled.

Domain Administrator

The Domain Administrator, for an assigned domain, can manage the same areas as a Quarantine Manager, plus manage server setup and authentication rules for the domain.

Customer Administrator

The Customer Administrator can manage all aspects of the customer’s Account Management for all domains.

Group Administrator

The Group Administrator can, within the Group Administrator’s assigned domain, add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create and modify Email Protection policies for the assigned groups. A Group Administrator does not need to be a member of a group in order to have these capabilities.


The following figure summarizes the levels of administrators, plus users, in an Email Protection configuration.

Table 1: Email Protection Screen Access Privileges

Screen Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator
Overview | No | Yes | Yes | No | No
Policies tab
Policy Sets | No | Yes | No | No | Yes
Anti-virus: Action | No | Yes | No | No | Yes
Anti-virus: Notifications | No | Yes | No | No | Yes
Anti-SPAM: Classification | No | Yes | No | No | Yes
Anti-SPAM: Content Groups | No | Yes | No | No | Yes
Anti-SPAM: Reporting | No | Yes | No | No | Yes
Content: Content Groups | No | Yes | No | No | Yes
Content: Custom Content Groups | No | Yes | No | No | Yes
Content: Notifications | No | Yes | No | No | Yes
Content: HTML Shield | No | Yes | No | No | Yes
Content: Click Protect | | Yes | No | No | Yes
Attachments: File Types | No | Yes | No | No | Yes
Attachments: File Name Policies | No | Yes | No | No | Yes
Attachments: Additional Policies | No | Yes | No | No | Yes
Attachments: Additional Notifications | No | Yes | No | No | Yes
Allow/Deny: Sender Allow | No | Yes | No | No | Yes
Allow/Deny: Sender Deny | No | Yes | No | No | Yes
Allow/Deny: Recipient Shield | No | Yes | No | No | Yes
Enforced TLS: Actions | No | Yes | No | No | Yes
Enforced TLS: Notifications | No | Yes | No | No | Yes
Notifications: Content | No | Yes | No | No | Yes
Notifications: Attachment | No | Yes | No | No | Yes
Group Subscriptions | No | Yes | No | No | Yes
Disaster Recovery | | Yes | No | No | Yes
Quarantine Tab | No | Yes | Yes | Yes | No
Setup Tab | No
Inbound Servers Setup | No | Yes | Yes | No | No
Outbound Servers Setup | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No
Outbound Disclaimer | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No
Disaster Recovery Setup | Yes. Either FailSafe or Message Continuity must be enabled or included in your package. | Yes | Yes | No | No
MX Records Setup | No | Yes | Yes | No | No
User Creation Settings | No | Yes | No | No | No
Reports tab
Traffic Overview | No | Yes | Yes | Yes | No
Threats Overview | No | Yes | Yes | Yes | No
Threats: Viruses | No | Yes | Yes | Yes | No
Threats: Spam | No | Yes | Yes | Yes | No
Threats: Content | No | Yes | Yes | Yes | No
Threats: Attachments | No | Yes | Yes | Yes | No
ClickProtect: Overview | No | Yes | Yes | Yes | No
ClickProtect: Click Log | No | Yes | Yes | Yes | No
Quarantine: Release Overview | No | Yes | Yes | Yes | No
Quarantine: Release Log | No | Yes | Yes | Yes | No
User Activity | No | Yes | Yes | Yes | No
Event Log | No | Yes | Yes | Yes | No
Audit Trail | No | Yes | Yes | Yes | No
Inbound Server Connections | No | Yes | Yes | Yes | No
Disaster Recovery: Overview | Yes. Either FailSafe or Message Continuity must be enabled. | Yes | Yes | Yes | No
Disaster Recovery: Event Log | Yes. Either FailSafe or Message Continuity must be enabled. | Yes | Yes | Yes | No

Other Documents You Might Need

Account Management is a self-contained subset of screens you access on the Control Console. You use it in conjunction with the administration screens for the previously-mentioned products. For information on administering these products, see the online help in the Control Console or the documentation as listed below.

Email Protection Documents
• Email Protection Concepts Guide
• Email Protection Quick Start
• Intelligent Routing User Guide
• Message Continuity Administrator Quick Start Guide

Web Protection Service Documents
• Web Protection Service Quick Start
• WDS Connector Installation Guide

Message Archiving Documents
• Message Archiving Administrator Guide
• Message Archiving Quick Setup Guide for Microsoft® Exchange® Server 2000
• Message Archiving Quick Setup Guide for Microsoft® Exchange® Server 2003
• Message Archiving Quick Setup Guide for Microsoft® Exchange® Server 2007

User Guides

In addition, a variety of guides for your users are available. These are:

• Email Protection User Guide
• Message Archiving User Guide
• Spam Control for Outlook
• Message Continuity User Quick Start Guide

Ensure You Can Receive Email from Your Service Provider

If you had or still have a different email security or filtering service and your network is administered so that you can receive email only from IP addresses associated with that security service, you must administer your network to allow incoming email from the Control Console servers. For example, a port in your company’s firewall may need to be enabled to receive email from the IP addresses of the Control Console servers.

This enablement is necessary in order for you and your users to set the initial password for access to the Control Console.

Sign into the Control Console

To manage your account, you must sign into the Control Console with the following steps.

Note: The first time you sign in, you might need to create your password. If so, see Reset Your Password from the Sign in Page.

1 Open a browser on your computer and enter the URL for the Control Console.


The URL should be identified in the Service Activation Guide you received from your provisioner. If you don’t have the URL, contact your sales representative or Customer Support.

2 At the Control Console Sign in page, enter your email address and password.

3 Click Sign in.

If you have not previously entered an answer to a security question, the Security Question screen pops up.

The answer to the security question is used to validate you, the user, if you forget your password. You can later change your security question and/or security answer on the Preferences page of your user account. See “Set User Display Preferences, Including Your Own” in Account Management Administrator Guide.

4 Select a security question and type the answer. Your answer is not case-sensitive.

Note: If you also use Email Protection, you can also sign into the Control Console from a Spam Quarantine Report.

Reset Your Password from the Sign in Page

Note: This capability may not be available if the user authentication method is set to LDAP, POP3, or IMAP or if the ability to change passwords has been disabled at the system level.

If you forget your password or want to reset it, perform the following steps:

1 On the Sign in page, click the Forgot your password or need to create a password? link.

The following screen is displayed.

2 In the Username field, type your email address.

3 Do one of the following:


• If your email address is working and you are already receiving email, select Email password information to me.

• If your email address is not working, select Email password information to my Domain Contact. Your Domain Contact might be your administrator or another person your administrator defined for your domain within the Control Console. Check with your administrator on who that person is.

4 Click Next.

If you selected the option for your email, your email application receives an email momentarily with further instructions. Continue with Step 5.

If you selected the option to email a Domain Contact, that person receives an email from which the person can reset your password. The person can also forward the message to an alternative email address you might have. Contact that person for the password, then try to sign in again. You are finished with this procedure.

5 If you selected the option to email information to you, open the email in your email application. The email subject line says Control Console Sign in Information.

The email is similar to the following:

6 Click the link in the email. The link is active for only a limited time after the email is sent (typically, 60 minutes).


7 If you previously had selected a security question, the security question is displayed. If you had not previously selected a security question, select a question from the Security Question drop-down menu.

8 Type the answer to the question in the Security Answer field.

9 For the Security Question field, click Change if you need to change the security question or answer. You must answer this question when you forget your password or need to reset it.

The Security Question and Security Answer fields are displayed. Select a question from the Security Question drop-down menu, then type an answer.

10 In the Password field, type a password.

• The password must comply with the following rules:

  • Length must be a minimum of 8 characters.

  • Alpha, numeric, and special character types are allowed.

  • There must be at least one character that differs in character type (alpha, numeric, or special) from the majority of characters. Thus, if the password contains mostly alpha characters, then at least one character must be either a special character or numeric. For example, majordude is invalid, but majordude9 is valid.

  • Allowed special characters are:

    left parenthesis ( ( )      ampersand ( & )             right bracket ( ] )
    right parenthesis ( ) )     asterisk ( * )              colon ( : )
    apostrophe ( ` )            hyphen ( - )                semicolon ( ; )
    tilde ( ~ )                 plus sign ( + )             double quotes ( " )
    exclamation ( ! )           equals sign ( = )           single quotes ( ' )
    @                           bar ( | )                   less than sign ( < )
    hash ( # )                  backslash ( \ )             greater than sign ( > )
    dollar sign ( $ )           left curly bracket ( { )    period ( . )
    percentage sign ( % )       right curly bracket ( } )   question mark ( ? )
    caret ( ^ )                 left bracket ( [ )

  • Spaces are not allowed.

  • Passwords are case-sensitive (for example, “Password”, “password”, and “PASSword” would be different passwords).

Make sure you can remember your password, but do not use obvious passwords (for example, “password”, your name, or a family member’s name). Keep your password safe and private.

11 Retype your password in the Confirm Password field.

12 Click Save.


3. Check the Status of Email Protection on the Overview

The Overview window provides the following high-level information about the email traffic to your domain(s) over the previous 24 hours:

• Disaster recovery information

• News and update information

Customer Administrators will see the information for all the Domains in the Customer where the role was defined. Domain Administrators will see the information for only the Domain where the role was defined.

1 Click Email Protection > Overview.

The Overview page is displayed with the initial view.

2 Click Display Statistics.

The Overview page is displayed with the complete view.


The sections on the screen provide the following information:


Section: Description

Inbound 24-Hour Snap Shot: This box displays a 24-hour snapshot of inbound email traffic:

• Messages – Number of inbound messages processed
• Avg Size – Average size of inbound messages, including attachments
• Bandwidth – Average bandwidth used by inbound messages
• Viruses – Number of inbound emails that contained viruses
• Spam – Number of inbound emails that were potentially spam
• Quarantined – Total number of inbound emails that were quarantined for any reason, including spam, virus, etc.

Outbound 24-Hour Snap Shot: This box displays a 24-hour snapshot of the Domain’s or Customer’s outbound email traffic:

• Messages – Number of outbound messages processed
• Avg Size – Average size of outbound messages, including attachments
• Bandwidth – Average bandwidth used by outbound messages
• Viruses – Number of outbound emails that contained viruses
• Quarantined – Total number of outbound emails that were quarantined for any reason, including viruses.

Traffic (Last 24 Hours – {timezone}): This box shows a graph of traffic volume for the last 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.

Policy Enforcement (Last 24 Hours – {timezone}): This section shows the percentage of messages that had the different email actions applied (for example, stripped, blocked, tagged, quarantined, cleaned, or normally delivered) over the past 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.

Disaster Recovery Current Status: This section lists domains that are currently in Disaster Recovery. The Email Protection is currently spooling the specified domain's email.

Disaster Recovery Activity (Last 24 Hours): This box shows how many emails were spooled and unspooled by Fail Safe for all Domains in the indicated Customer during the last 24 hours of the designated time zone.

• Spooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them.
• Unspooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them.

What’s New: This section displays a list of new information available about Email Protection. Depending on the configuration, this section may be blank or may contain different information.

News: This section shows any updates on current email threats and other important email security news (links). Click the desired link to view the complete information. Depending on the configuration, this section may be blank or may contain different information.

4. Set up Your Servers

This section describes how to ensure your inbound and outbound servers are set up correctly for Email Protection.

Confirm Your Inbound Servers Setup

Email Protection filters email destined for your inbound Simple Mail Transfer Protocol (SMTP) email server or servers. Your provisioner should have already defined one or more SMTP servers in the Control Console. To confirm that these servers are defined, perform the following steps:

1 Click Email Protection > Setup.

2 From the Domain drop-down menu on the Setup page, select the domain whose SMTP server you want to check.

The Inbound Servers Setup page is displayed.

The SMTP Host Address field displays the domain name(s) or IP address(es) for the domain’s SMTP server. In our example, domain denver.acme.com has an SMTP server with a domain name of mail1.denver.acme.com.

3 Make sure the SMTP server(s) listed are valid and correct.

4 Ensure that all other information on the page is correct, and select Save.

5 Repeat steps 2 through 4 for any other domains in your network.

Set up Additional Inbound Servers

You can configure additional inbound servers to receive inbound email from Email Protection for the designated domain. All servers for a domain that receive inbound email from Email Protection must be configured on the Inbound Servers Setup screen.


Any server addresses designated here must be valid and available for connection from Email Protection. After the Save Changes button is clicked, Email Protection immediately routes email to the active servers.

1 Click Email Protection > Setup.

2 From the Domain drop-down menu, select the domain whose SMTP server you want to add.

3 Click Add New Host.

A new set of fields appears for the server.

4 In the SMTP Host Address field, type the fully qualified DNS name or IP address of the server host being configured. CIDR notation is not allowed.

If you do not have a registered and valid DNS name for your email servers, you must enter the IP addresses of each server.

5 In the Port field, type the port on the server to which Email Protection will connect. The default value is 25.

6 In the Preference field, type the number indicating order of connection preference between multiple servers. Email Protection attempts to connect first to the server with the lowest preference number. If that server is not available (either down or too busy), Email Protection tries the server with the next lowest preference number, and so on. If multiple servers have the same preference number, Email Protection will randomly route the email delivery between them.

7 Click the Active checkbox to allow the server to immediately start accepting email traffic.

Caution: If all servers are set to inactive, all emails received for this Domain will be tempfailed.

8 Click Save.
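The connection-preference rule in step 6 and the Caution under step 7 can be checked against a planned server list before saving it. The following is an added example that models the behaviour the guide describes; it is not the product's code, and every host name except mail1.denver.acme.com is constructed.

```python
import random
from itertools import groupby


class TempFail(Exception):
    """Temporary failure: the sending server is expected to retry later."""


def validate_entry(host, port):
    """Return the problems with one new-host row, per the rules in steps 4 and 5."""
    problems = []
    if "/" in host:
        problems.append("CIDR notation is not allowed for an inbound host")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be a TCP port number (default 25)")
    return problems


def connection_order(servers, rng=random):
    """Return the active servers in the order connections would be attempted.

    servers: list of dicts with keys host, port, preference, active
    (a constructed model of the rows on the Inbound Servers Setup screen).
    """
    active = [s for s in servers if s["active"]]
    if not active:
        # Caution in the guide: with every server inactive, mail is tempfailed.
        raise TempFail("all inbound servers are inactive")
    ordered = []
    by_pref = sorted(active, key=lambda s: s["preference"])
    for _, tier in groupby(by_pref, key=lambda s: s["preference"]):
        tier = list(tier)
        rng.shuffle(tier)  # equal preference: delivery is spread randomly
        ordered.extend(tier)
    return ordered


def pick_server(servers, is_available, rng=random):
    """Return the host that receives a message, or None if none answers.

    The guide does not say what happens when every active server is down,
    so that case is reported as None rather than modelled.
    """
    for server in connection_order(servers, rng):
        if is_available(server):
            return server["host"]
    return None


# Constructed sample rows for the domain used in the guide's example.
SERVERS = [
    {"host": "mail1.denver.acme.com", "port": 25, "preference": 10, "active": True},
    {"host": "mail2.denver.acme.com", "port": 25, "preference": 10, "active": True},
    {"host": "backup.denver.acme.com", "port": 25, "preference": 20, "active": True},
    # Lowest preference number, but inactive: it must never receive mail.
    {"host": "legacy.denver.acme.com", "port": 25, "preference": 5, "active": False},
]

if __name__ == "__main__":
    print("order:", [s["host"] for s in connection_order(SERVERS)])
    primaries_down = {"mail1.denver.acme.com", "mail2.denver.acme.com"}
    print("primaries down ->",
          pick_server(SERVERS, lambda s: s["host"] not in primaries_down))
    print("bad row:", validate_entry("192.0.2.0/28", 25))
```

Running the model against a change before clicking Save shows which server takes the traffic when the preferred tier is down, and catches a list that would tempfail all mail for the domain.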

Delete an Inbound Server

To delete an inbound server, perform the following steps:

1 Access the appropriate domain on the Inbound Server Setup screen.

2 Click the Delete checkbox next to the server you want to delete.

3 Click Save.


Add IP Address of Outbound Server, If Necessary

If your service includes Outbound Message filtering, you must identify one or more outbound mail servers through which your users send outgoing mail. While your outbound server might use a Domain Name Server (DNS) name within your network (for example, lewisoutbound.acme.com), you identify the outbound server within Email Protection with an IP address (for example, 111.222.111.0). Alternatively, you can specify a Classless Inter-domain Routing (CIDR) address for a range of outbound servers (for example, 111.222.111.0/27) only. The address must be a public address.

Any server addresses designated here must be valid and available for a connection. After the Save Changes button is clicked, Email Protection immediately accepts email traffic from the active servers.

Note: If email is received from an outbound server that is not configured in the Email Protection system, it will be refused. If no outbound package has been designated for the selected domain, this window is unavailable.

1 Click Email Protection > Setup > Outbound Servers.

The Outbound Server Setup page is displayed.

2 Click Add New Address, and add the address of the outbound server.

3 Click Save Changes.

4 Record the address listed under Recommended Smart Host Server Settings. You should use this address to perform the next task, Set up a Smart Host (If Outbound Mail Defense is Turned on).

Important: You or your network administrator should also do the following before or immediately after adding your outbound server(s):

• Update Sender Policy Framework (SPF) records on your mail server(s) to ensure only authorized sources are sending outbound email.

• Scan your network for open relays, viruses and malware.

• Refer to the Accepted Use Policy (AUP) at http://www.mxlogic.com/terms/aup/index.cfm for information on bulk mail.
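Because mail from an outbound server that is not configured is refused, it helps to check the planned address list against the hosts that actually send mail before saving it. The following is an added example, not the product's validation code; the entry list and the observed source addresses are constructed, built around the guide's sample values.

```python
import ipaddress


def parse_outbound_entry(entry):
    """Turn one Outbound Servers entry into a network, or raise ValueError."""
    try:
        # strict=True rejects a CIDR block whose host bits are set,
        # for example 111.222.111.5/27 instead of 111.222.111.0/27.
        net = ipaddress.ip_network(entry.strip(), strict=True)
    except ValueError as exc:
        raise ValueError(
            f"{entry!r} is not an IP address or CIDR block: {exc}") from None
    # The guide requires a public address; both ends of the range are checked.
    if not (net.network_address.is_global and net.broadcast_address.is_global):
        raise ValueError(f"{entry!r} is not a public address")
    return net


def check_entries(entries):
    """Split entries into accepted networks and {entry: reason} rejections."""
    accepted, rejected = [], {}
    for entry in entries:
        try:
            accepted.append(parse_outbound_entry(entry))
        except ValueError as exc:
            rejected[entry] = str(exc)
    return accepted, rejected


def unregistered_senders(source_ips, networks):
    """Source addresses not covered by any entry: their mail would be refused."""
    missing = []
    for ip in source_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks) and ip not in missing:
            missing.append(ip)
    return missing


# Constructed entries: the first is the guide's CIDR example, the DNS name
# is the guide's example of what cannot be used to identify the server.
ENTRIES = [
    "111.222.111.0/27",        # range .0 to .31
    "111.222.111.40",          # single server
    "10.1.2.3",                # internal address, not public
    "lewisoutbound.acme.com",  # DNS name, must be an IP address or CIDR
    "111.222.111.5/27",        # host bits set, not a valid block
]

# Constructed source addresses, as seen in your own mail server logs.
OBSERVED = ["111.222.111.7", "111.222.111.40", "111.222.111.33", "111.222.111.7"]

if __name__ == "__main__":
    accepted, rejected = check_entries(ENTRIES)
    print("accepted:", [str(n) for n in accepted])
    for entry, reason in rejected.items():
        print("rejected:", reason)
    print("would be refused:", unregistered_senders(OBSERVED, accepted))
```

The same accepted list is a reasonable starting point for the SPF review named above, since both describe the sources authorized to send for the domain.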


Delete an Outbound Server

To delete an outbound server, perform the following steps:

1 Access the appropriate domain on the Outbound Server Setup screen.

2 Click the Delete checkbox next to the server you want to delete.

3 Click Save Changes.

Set up a Smart Host (If Outbound Mail Defense is Turned on)

To ensure that your outbound email is filtered, you must designate, for each of your outbound mail servers, an Email Protection server as your Smart Host. Your outbound email is then relayed through Email Protection before continuing to its final destinations. The outbound Smart Host address is listed at the bottom of the Outbound Server Setup screen, or you can refer to your Service Activation Guide for more details.

Note: This task is performed on your outbound email server or servers, on your network router, or on some other server, depending on your network’s configuration.

Add an Outbound Email Disclaimer

You can create and assign text that will be appended to all outgoing emails that are filtered by Email Protection for the designated domain. For example, you might want to specify that the email sent from your company is the property of your company with all rights reserved.

Note: If no outbound package has been designated for the selected Domain, this window is unavailable.

1 Click Email Protection > Setup > Outbound Servers.


The Outbound Server Setup page is displayed.

2 Click Display disclaimer in outbound email messages.

3 In the Disclaimer Text field, type the text of the disclaimer. A maximum of 1000 characters is allowed.

4 Click Save.

Redirect Your MX Records

The Mail Exchange (MX) record for each of your mail servers is a specification within a Domain Name Server (DNS Server) operated by your Internet Service Provider (ISP). Each MX record specifies a host name and preference that determines where and how your ISP routes your company’s email.

Your MX record or records at your ISP must be changed to fully-qualified domain names (for example, denver.acme.com) within the Email Protection network. These changes allow Email Protection to filter your email before it arrives at your company’s mail servers.

Your Network Administrator or Domain Registrar is typically the individual responsible for making these changes.

The information necessary for your company to make these changes is provided in your Email Protection Activation Guide, which you receive when you first sign up for service.


Check Your MX Record

Be aware that because of the nature of the Internet, it may take several days for your MX record redirect to propagate to all the email servers that may be sending email to your email server. During that time, your email server may still receive email directly from those email servers until they are updated with your latest MX record information.

The MX Record Analysis window allows you to query Email Protection or your company’s Authoritative DNS Name Server for the MX Records that are recognized for the SMTP server names for a domain. You can then confirm that all the IP records that are configured for your domain’s MX Records are correctly redirected to Email Protection.

The analysis indicates the following:

• All Authoritative Name Servers for the entered DNS name

• All MX Records that are recognized by the Authoritative Name Servers – this process retrieves all the MX Records for a given domain

• Whether the hostname for each MX Record is a valid hostname, an outdated hostname that will work but should be updated, or an unrecognized hostname which may be allowing email to be routed around Email Protection

This window also indicates the recommended values (using the default values configured at the system level for Email Protection) to assist you in determining whether your MX Records are redirected correctly. For example, if all the SMTP servers defined for a domain do not show the same information, this can indicate that your MX Records are not defined correctly.

Note: This feature must be enabled at the system level to be available in Email Protection.

1 Click Email Protection > Setup > MX Records.

The MX Record Analysis screen is displayed.


By default, the screen shows the results of a DNS lookup by Email Protection on the IP addresses you submitted to your Internet Service Provider. The column headings show the following:

Field: Description

MX Record Analysis Results for …: The domain for which a DNS lookup was performed.

MX Records returned by…: The name of the DNS server, which can be the DNS server of your Email Protection provider or a DNS server from your company, if selected.

Under each MX Records returned by... heading, MX records should be listed that were set by your Internet Service Provider, along with the priority preference of the record, and the status of the MX record.

• Valid – MX Record is current and fully authenticated.

• Valid – recommend update – MX Record uses an older hostname standard. It still works, but it is recommended that you update to the current hostname standard.

• Unrecognized – MX Record could not be authenticated and may be allowing email to enter your system bypassing Email Protection. This situation, if occurring within 72 hours of the MX Record change, may indicate the changes are not yet complete.

2 Check the Recommended MX Record Settings. This section indicates a list of typical MX Record configurations using the system-defined default values and the currently selected domain name. Note that this list may not match your actual MX Record configurations. These values are configured at the system level.

You can alternatively enter a fully-qualified DNS Server name at your company in the Target Authoritative Name Server field, then click Analyze. This capability is helpful if the default display of MX records appears to be incomplete or in error.

Similar results to those returned by Email Protection provider’s DNS Server might occur.

Note: You can also select the View only this name server link to reduce the number of DNS server lists of MX Records. Click the View all name servers link to list all DNS servers again.
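The same three-way classification can be reproduced outside the console, for example in a scheduled check that catches an MX record pointing straight at your own mail server. The following is an added example, not the product's analysis code; the two hostname suffixes are placeholders to be replaced with the values from your activation guide, and the name servers and MX answers are constructed.

```python
# Placeholder suffixes (assumptions): the Administrator Guide does not list
# the real hostnames, so take them from your Service Activation Guide.
CURRENT_SUFFIX = ".mx.filter.example"
LEGACY_SUFFIX = ".mx.legacy-filter.example"
PROPAGATION_HOURS = 72  # window the guide gives for a change to complete


def normalize(host):
    """Lower-case a DNS name and drop the trailing root dot."""
    return host.rstrip(".").lower()


def classify(mx_host):
    """Map one MX hostname to the status names used on the analysis screen."""
    host = normalize(mx_host)
    if host.endswith(CURRENT_SUFFIX):
        return "Valid"
    if host.endswith(LEGACY_SUFFIX):
        return "Valid - recommend update"
    return "Unrecognized"


def audit(answers, hours_since_change):
    """Classify every MX record and compare the name servers' answers.

    answers maps each authoritative name server to the MX answer it gave,
    as a list of (preference, hostname) tuples.
    """
    rows = []
    for ns in sorted(answers):
        for pref, host in sorted(answers[ns]):
            status = classify(host)
            note = ""
            if status == "Unrecognized":
                if hours_since_change <= PROPAGATION_HOURS:
                    note = "changes may not be complete yet"
                else:
                    note = "mail can reach this host without being filtered"
            rows.append((ns, pref, normalize(host), status, note))
    # Every authoritative server should return the same record set.
    views = {frozenset((p, normalize(h)) for p, h in recs)
             for recs in answers.values()}
    return {
        "rows": rows,
        "consistent": len(views) <= 1,
        "bypass_hosts": sorted({r[2] for r in rows if r[3] == "Unrecognized"}),
    }


# Constructed answers for the guide's example domain denver.acme.com: the
# second name server still publishes the company's own SMTP server.
ANSWERS = {
    "ns1.acme.com": [
        (10, "denver-acme-com.a.mx.filter.example."),
        (20, "denver-acme-com.b.mx.filter.example."),
    ],
    "ns2.acme.com": [
        (10, "denver-acme-com.a.mx.filter.example."),
        (30, "mail1.denver.acme.com."),
    ],
}

if __name__ == "__main__":
    report = audit(ANSWERS, hours_since_change=100)
    for ns, pref, host, status, note in report["rows"]:
        print(f"{ns:14} {pref:3} {host:40} {status:26} {note}")
    print("name servers agree:", report["consistent"])
    print("hosts that bypass filtering:", report["bypass_hosts"])
```

An unrecognized host that persists after the propagation window is the case to act on, and it is worth pairing with a firewall rule that only accepts inbound SMTP from the filtering service.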

Set up User Creation Mode — SMTP Discovery or Explicit

Note: This procedure applies only if your service includes Email Protection.

Explicit user creation means that you must add user email addresses using one of the methods that are described later. SMTP Discovery means that users are created automatically based on SMTP transactions. That is, several incoming email messages to a user indicate that the user exists for the customer. As a result, Email Protection creates that user in the Control Console.

SMTP Discovery is the default setting for a new customer, such that at initial startup of service, users might be created in the Control Console without any administration by you, the Customer Administrator.

Note: Only messages delivered to recipient email addresses in a primary domain are counted for the purpose of user creation. Messages sent to recipient email addresses in alias domains are not counted.

If you use Directory Integration, explicit user creation is highly recommended.

To turn on Explicit User Creation, perform the following steps:

1 Click Email Protection > Setup.

2 Click User Creation Settings.


3 Under the User Creation Mode heading, select Explicit.

4 Click Save.


5. Customize Inbound Mail Filters

Email Protection has default inbound and outbound mail filters to block and clean malicious email and to quarantine email that might be malicious. The filters are configured by using policies, which are the parameters for the filters. Default policies are automatically assigned to each of your domains.

You can customize the default inbound policy for any and each domain, or any and each group, to fit your business needs.

Enterprise or Service Provider Customer

Important: This document is for use by Enterprise customers only.

The way in which custom policies are applied to your users varies depending on whether you are classified as a service provider or enterprise customer. If you are a service provider customer, each domain can have one custom policy (see Figure 7). If you are an enterprise customer, a single default policy applies to all domains. Thus, for an enterprise customer, you must create a group or groups of users, and for each group, you can create a custom policy. A group can be created according to domain membership (see Figure 8) or according to any other user characteristics that may apply across multiple domains (see Figure 9). For procedures, see “Create a Group” in Account Management Administrator Guide.

Note: Because a group defined by an enterprise customer can contain users from different domains, a group policy does not apply to a domain, but rather to the group of users to which it is defined. A custom group policy supersedes the default policy that is assigned to all domains.


Figure 6: Service Provider Custom Policy Assignment

Figure 7: Enterprise Custom Policy Assignment (Groups by Domain)


Figure 8: Enterprise Custom Policy Assignment (Groups by Other Attributes)

Create a Custom Policy (Enterprise Customer Only)

Important Note: It is assumed that all domains within an Enterprise Customer will have the same package assigned to them. If some domains have different packages, unexpected results may occur when a policy is applied to a group in which members reside within different domains.

1 Click Email Protection > Policies.

2 Click the New button to launch the New Policy screen.

The New Policy Set fields are displayed.

Field: Description

Name: Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy.

Owner: The Owner heading indicates who can edit the policy. If the owner is Customer, only Customer Administrators can edit the policy. If the owner is Group, then Group Administrators assigned to that group, as well as Customer Administrators, can view or edit the policy.

Description: Enter a description of the new policy set.

Direction: From the drop-down menu, select the direction of email, inbound SMTP or outbound SMTP, for which this policy will be configured.

Copy From: From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields.

Copy Sender Allow List: Click the checkbox to copy the Sender Allow list from the policy set selected in the Copy From field.

Copy Sender Deny List: Click the checkbox to copy the Sender Deny list from the policy set selected in the Copy From field.

Copy Recipient Shield List: Click the checkbox to copy the Recipient Shield list from the policy set selected in the Copy From field.

Copy ClickProtect Allow List: Click the checkbox to copy the ClickProtect Allow list from the policy set selected in the Copy From field.

3 Click Save.

The Policy Sets list is updated with the new policy. You can now modify the new policy to meet your business needs.

Configure a Virus Filter

Email Protection uses multiple virus scanning applications to analyze email to determine if a virus may be present. In your custom policy, you can configure how Email Protection handles an email that contains a known virus.

Important Note: If an email is detected that contains a wide-spread worm or virus (for example, SoBig or MyDoom), Email Protection may automatically block that email, regardless of the settings in your custom policy.

To create a new policy content filter, perform the following steps:

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Virus.

The Actions screen is displayed.

4 Complete the fields as described in the following table.

Field: Description

If a Message Contains a Virus: Select an action Email Protection should take if an email contains a virus:

• Do nothing – Email Protection sends the email to the recipient with no filtering or notification. Caution: This action is potentially hazardous because the email will still contain the virus.

• Quarantine the message after attachment is stripped – Email Protection strips an infected attachment from the email and sends the email to quarantine with the message that an attachment had been stripped. Email Protection does not send a separate notification to the recipient.

• Strip the attachment – Email Protection strips the infected attachment from the email and sends the email to the recipient. Email Protection inserts text into the email to notify the recipient that an attachment has been stripped.

• Deny delivery – Email Protection denies delivery of the email.

• Clean the message – Email Protection attempts to remove the virus content and save the remainder of the message. If successful, Email Protection sends the email to the recipient with the message that the email had been cleaned of a virus. If you select this action, you must also select an action for the If a Message Cannot be Cleaned field.

If a Message Cannot be Cleaned: If you previously selected Clean the message, select an action Email Protection should take if Email Protection fails to clean an infected email:

• Quarantine the message after attachment is stripped – The infected attachment is stripped from the email and the email is sent to the recipient’s virus quarantine area without notification to the recipient. Text is inserted into the email indicating that an attachment has been stripped.

• Strip the attachment – The infected attachment is stripped from the email and the email is sent to the recipient. Text is inserted into the email notifying the recipient that an attachment has been stripped.

• Deny delivery – The email is denied delivery.

5 Click Save or click on Notifications under the Virus tab.

Set Email Protection to Notify Users about Emails with Viruses

You can direct Email Protection to send notification emails to the recipient and/or sender when an email is filtered because it contained a known virus. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users.

Note: Virus notifications will not be sent out for emails that are infected with widespread viruses or worms (for example, SoBig or MyDoom). These notifications will be automatically disabled by Email Protection.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Virus.

4 Click Notifications.

5 Complete the following fields:

Field: Description

To the sender when a message is … due to a virus infection: Select one or more conditions that will cause Email Protection to send a notification email to the sender.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.

• Stripped – The infected attachment was stripped and the email sent to the recipient.

To the recipient when a message is … due to a virus infection: Select one or more conditions that will cause Email Protection to send a notification email to the recipient.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.

• Stripped – The infected attachment was stripped and the email sent to the recipient.

Configure a Spam Filter

Email Protection spam filtering uses a large number of filtering processes, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework® to determine if email is spam. Based on this analysis, Email Protection gives each email a score.

Three scores are used to determine the likelihood of spam and what actions should be taken. Those scores are:

• “Medium” likelihood if default settings are used. This email is normally quarantined for review.

• “High” likelihood if default settings are used. This email is normally quarantined for review.

• “Critical” likelihood. This spam is blocked.

If you specified an additional Realtime Blackhole List (RBL) in the Spam screen of the assigned policy, the RBL can influence the spam score as well.

Note: Occasionally, some emails might be marked as spam when in fact they are legitimate emails. For these “false positive” email messages, you can help Email Protection “tune” the spam thresholds and rules by sending a forwarded copy of the email with all content and attachments to [email protected]

To configure a spam filter, you can perform the following tasks:

• Define the Action to Take on Spam

• Spam – Content Groups Subtab

• Spam – Reporting Subtab

Define the Action to Take on Spam

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Spam.

The Classification screen is displayed.

4 Complete the following fields:

Field Description


5 Click More Options if you want to enable a Real-time Black Hole List. Otherwise, go to step 8.

Multiple real-time blackhole lists (RBLs) of known spammers are provided by the industry, from which Email Protection creates a single RBL indicator to assess the risk of an email originating from a known spammer. The use of multiple blackhole lists to create a single vote and rate the reputation of each RBL for accuracy helps to minimize the possibility of blocking a non-spammer by mistake.

6 If you clicked More Options, click the Enable Real Time Blackhole List (RBL) checkbox.

Note: You can also block spammers by completing a Sender Deny List under the policy’s Allow/Deny option.

7 Click Save or click on Content Groups under Virus.

Define Additional Words That Indicate Spam

Email Protection spam content filtering controls spam by comparing the content (subject and body) of an email against predefined lists of keywords and/or phrases (“spam content groups”).

You can define a custom spam content group that contains additional lists of keywords that are used to filter email as spam. For each content group, you also define the action to take on email that contains a keyword. If the action is to send spam matches to quarantine, users who receive Spam Quarantine Reports can view the matching messages in the quarantine.

Note: A spam content group does not analyze the content within attachments.

If a Message is Probably Spam (Medium likelihood) area

Select an action Email Protection should take if an email has a spam score of 90% or higher:

• Tag the message subject with “[SPAM]” – Email Protection adds the phrase “[SPAM]” to the beginning of the email’s subject text and sends the email to the recipient.

• Quarantine the message – Email Protection sends the email to quarantine.

• Deny delivery – Email Protection denies delivery of the email.

Note: Emails that have the following actions applied will be reported as Other in the Threats: Spam report.

• Do nothing – Email Protection sends the email to the recipient with no filtering or notification.

If a Message is Probably Spam (High likelihood) area

Select an action Email Protection should take if an email has a spam score of 99.9% or higher. These actions are the same as those for Medium likelihood.


The action for a content group you define overrides spam actions for Email Protection default spam filters. For example, if Email Protection determines that an email has a medium likelihood of being spam and also contains a keyword that is in your spam content group, the action defined for your spam content group is applied.

However, if you also define content filtering on the Content – Content Groups screen (see Configure a Content Filter), that content filter overrides the keyword filtering you define on the following Spam – Content Groups screen. In addition, spam identified by the Content – Content Groups filter is accessible only by Quarantine Managers or higher level administrators. Users cannot view this spam.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Spam.

4 Click Content Groups.

5 Double-click the Content Group you wish to modify.

6 In the Group Name field, type the name of your spam content group.

This name should summarize the kind of keywords you want Email Protection to look for. For example, you might want to identify musical terms, such as concert, music, rock, jazz, and so on, as spam. In this case, your group name might be music.

7 From the Action drop-down menu, select an action to take if an email matches a keyword:

• None - The email is forwarded to the recipient email address.

• Quarantine the message - The email is sent to the recipient's domain content quarantine area.

• Deny Delivery - The email is denied delivery.

• Allow - The email is sent to the recipient email address.

Note: The Allow option is useful if you want to override standard Email Protection spam content filtering for particular keywords.


Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam report.

• Tag the message subject with "[SPAM]"- The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.

• Encrypt Message- is also available for Outbound content groups, if the Customer has subscribed to Encryption.

• Silent Copy - allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.

8 Content: List the content keywords needed to define your Custom Content Group. In the Content field, type any keywords you want to search for in email. Use the following rules for entering keywords.

• Each entry must be on its own line (separated by a hard return).

• If an entry contains multiple words, the entire phrase is used as a literal string (“as is”).

• If individual words are desired, each word must be on its own line.

• Letter-case (for example, upper case or lower case) is ignored.

• The wildcards question mark (“?”) and asterisk (“*”) can be used to designate the following:

— “?” (without quotes) designates any single character, including white space characters (for example, menu, space, line break, etc.). For example, “w?y” would catch “way”, “why”, and “w y”.

— “*” (without quotes) at the end of the string designates multiple characters until a white space character is encountered. For example, “refi*” would catch “refinance”, “refinancing” and “refine”.

— “*” (without quotes) followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered. For example, “refi*d” would catch “refinanced”, but would also catch “refinishing is a great way to save d”.

— If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, “\*” or “\?”). For example, “why\?” (without quotes) would catch the string “why?” and the question mark would not be used as a wildcard.

9 Click the Enable checkbox to turn on the spam content group.

10 Click Save for the new spam content group.

11 Click Save for the policy or continue to the Reporting tab.

To change a policy’s existing spam content group, click Edit.


Set up Spam Quarantine Reports

When Email Protection scores email and determines that email might be problematic, but the email is not clearly a security risk, Email Protection places the email into quarantine. You can set up quarantine reports so that users can see which of their messages were filtered and placed in quarantine. You can also determine how much control users have over these reports, including:

• How reports are formatted

• How often reports are sent

• How spam is filtered

• What actions users can take on quarantined email

See the Email Protection User Guide on how users might manage quarantine reports.

To set up quarantine reports for users, perform the following steps:

1 Click Email Protection > Policies.

2 Select a policy set for which the quarantine reports will apply.

3 Click Spam > Reporting.

4 Under the Enable Spam Quarantine Reporting for heading, select one of the following options:

• All users – All user accounts associated with the policy set receive Spam Quarantine Reports.

Note: Users must be able to log into the Control Console to manage their spam quarantine areas.

• Selected users – Only those user accounts configured for Spam Quarantine Reports on the User Management screens receive the reports.

• No users – No users associated with this policy set receive Spam Quarantine Reports.


5 Under the Default Settings heading, complete the following field:

6 Under the Spam Quarantine Report Security Settings heading, complete the following fields:

Field Description

Frequency From the Frequency drop-down menu, select how often users receive Spam Quarantine Reports if they have email in spam quarantine.

Report Type From the Report Type drop-down menu, select the content that each Spam Quarantine Report should contain:

HTML – All Quarantined – All emails in your spam quarantine area are listed in the Spam Quarantine Report.

HTML – New Items Since Last Report – Only those emails received since the previous Spam Quarantine Report are listed in the Spam Quarantine Report.

Text – Summary – A text-only email notification is sent to you with a link to your spam quarantine, instead of the Spam Quarantine Report. This option supports users with email applications that do not support HTML content.

Text – New Items Since Last Report – A text-only email report is sent to you that indicates how many new emails have been quarantined as spam since the last report and the total number of spam emails in your spam quarantine. The report also lists the email messages that have been quarantined since the last report.

HTML Format From the HTML Format drop-down menu, select one of the following:

HTML with Actions – The links Allow, Deny, and Release are enabled in the Spam Quarantine Reports.

HTML without Actions – The links Allow, Deny, and Release are disabled in the Spam Quarantine Reports. Users must log into the Control Console to perform these actions.

Note: This field is ignored if the Report Type field is set to Text-only Summary.

Field Description

Report Links From the Report Links drop-down menu, select the number of days after which the links in the Spam Quarantine Report become inactive.

A low value may not give the users enough time to review their Spam Quarantine Report and perform any spam management. A high value might increase the security risk of unauthorized access into the Control Console using an old Spam Quarantine Report.


7 Under the Other Options heading, select any or all of the following options:

Restrict user rights when accessing quarantine from spam quarantine report

Click the checkbox so that administrator-level users will be logged in with the role of User when accessing the Spam Quarantine Reports. If you leave the checkbox blank, administrator-level users will be logged in with their administrative role.

Note: Selecting this option is recommended to provide additional security for the Control Console. This option applies to all administrative levels, including Reseller Administrators, Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers.

Field Description

Allow users to personalize spam filtering actions

Click the checkbox to allow users to customize actions that Email Protection takes on email that is likely to be spam. Users actually select the actions on spam from the Preferences screen on the Control Console.

Allow users to personalize delivery frequency

Click the checkbox to allow users to change the frequency with which they receive Spam Quarantine Reports. Users select the frequency of reports from the Preferences screen on the Control Console.

Allow users to personalize report type

Click the checkbox to allow users to change the default settings you set in the Report Type field on this screen. Users can change the Report Type from the Preferences screen on the Control Console.

Allow users to “opt out” of spam filtering

Click the checkbox to allow users to turn filters for spam on or off. Users can turn off spam filtering from the Preferences screen on the Control Console.

Enable “Always Deny” shortcut from spam quarantine report

Click the checkbox to enable the Always Deny link in users’ Spam Quarantine Reports, the Message Quarantine windows, and the Safe Message View window.

If you leave the checkbox blank, users must go to the Allow/Deny Sender Lists window to change their Allow or Deny lists.

Show spam score on spam quarantine report

Click the checkbox to display the spam likelihood score for each quarantined message in the Spam Quarantine Reports.

Allow users to download Spam Control For Outlook®

Click the checkbox to display a link in Spam Quarantine Reports, from which users can download the Spam Control For Outlook utility. The location from which the utility is downloaded is configured in the Branding Settings window.

Note: This feature can be enabled or disabled at the system level.

Field Description


8 Click Save.

Configure a Content Filter

You can create a custom content filter. The content filter does the following:

• Blocks or quarantines the email that contains prohibited keywords.

• Notifies the sender or recipient when an email has been quarantined or blocked.

• Blocks malicious HTML tags or prohibited images.

• Manages the ability for users to click on links in email.

Note: Content filtering does not analyze the content within attachments.

Note: If you also define content filtering on the Spam – Content Groups screen (see Configure a Spam Filter), the Content – Content Groups filter overrides the keyword filtering you define on the Spam – Content Groups screen. In addition, spam identified by the Content – Content Groups filter is accessible only by Quarantine Managers or higher level administrators. Users cannot view this spam.

Allow non-admin users to sign in directly to the Control Console

Click the checkbox to allow users to log into the Control Console using the Sign in window.

Note: This feature does not affect the ability of users to log in by clicking a link in a Spam Quarantine Report. If Control Console access is not enabled and users do not receive the Spam Quarantine Report, the Quarantine Manager or higher level roles must perform any changes to the user settings, maintenance of the users’ spam quarantine, etc.

Display message content in Safe Message View

Click the checkbox to allow users to view the body content of an email in the Safe Message View window.

If you leave the checkbox blank, the user must release the email to see what it contains in the body content.

Display user email addresses in spam quarantine report

Click the checkbox to enable the view of user addresses in the HTML SQR report so that users do not have to scroll through multiple addresses before they get to the quarantine items.

Allow users to configure alternate email address for spam report delivery

Click the checkbox to allow users to choose an alternate email address to reroute their Spam Quarantine Report if needed. Users may go to Account Management>User>Preferences to add their email alternate.

Alert! – Please be advised that redirecting a user's SQR allows the chosen alternate recipient to have full access to their Control Console account, including access to that user's Preferences. Therefore, please encourage the user to choose their alternate email address carefully.

Field Description


Note: Due to the nature of the content filtering, the screen images may contain offensive material.

To create a new policy content filter, perform the following steps:

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Content.

The Content Groups screen is displayed, showing the default content groups.

• Profanity

• Racially Insensitive

• Sexual Overtones

You cannot change the keywords in these groups.

The Content Group Policy fields are displayed.

Email Protection also provides predefined content groups that contain valid and acceptable personal identifiable information that is allowed in email messages due to specific policies. You cannot edit these content groups, but can designate whether or not they are used. Following are the two types of predefined content groups:

• Credit Card Number

• Social Security Number

The Credit Cards that are supported include AMEX, VISA, MC, and DISC.

Note: Credit Card Numbers and Social Security Numbers can be represented or formatted in various ways and Email Protection may not be able to capture all messages that contain this information.

More Options...

If a Customer or Domain subscribes to Email Encryption, then selecting this option can be used to enforce Email Encryption if the outbound message contains the word '[encrypt]'. The word, [encrypt] can reside in the message subject line or the body of the outbound message.


Note: This option is only available on the Outbound Policy Content Group page.

1 Click Edit or double-click your selected Content Group. The following fields are displayed:

• Group Name – This defaults to the name of your selected group.

• Content – This field is disabled for Content Groups.

2 From the drop-down Action list, the following actions may be applied to a Content Group:

• None - The email is forwarded to the recipient email address.

• Quarantine the message - The email is sent to the recipient's domain content quarantine area.

• Deny Delivery - The email is denied delivery.

• Allow - The email is sent to the recipient email address.

• Tag the message subject with "[SPAM]" - The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.

• Encrypt Message is also available for Outbound content groups, if the Customer has subscribed to Encryption.

3 Silent Copy allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.

4 Click Save

Turn Off a Default Content Filter

You can deactivate any of the Email Protection default content filters if you want to allow email containing those keywords to be delivered or you want to replace the list of keywords with your own list.

Note: Instead of turning off the content filter, you can also choose the action None for the filter. In this case, Email Protection filters email, but delivers matching email to users with no other notifications or marking.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Content.

The Content Groups screen is displayed, showing the default content groups.

• Profanity

• Racially Insensitive

• Sexual Overtones

4 Double-click one of the default content groups.

5 Uncheck the Enable checkbox.

6 Click Save.


Custom Content Group

The Custom Content Groups subtab allows customers to define their own custom content keyword group and assist in monitoring their email. By configuring a Content Group, the customer can determine how the system reacts if it receives an email that contains text that violates that content policy. Customers can also define a different action for each content group.

Note: If the content group is enabled, then email will be filtered for that content.

1 Click New or double-click your selected Custom Content Group, and perform the following:

2 Group Name: Select and type the name of your Custom Content Group.

3 Content: List the content keywords needed to define your Custom Content Group. In the Content field, type any keywords you want to search for in email. Use the following rules for entering keywords.

• Each entry must be on its own line (separated by a hard return).

• If an entry contains multiple words, the entire phrase is used as a literal string (“as is”).

• If individual words are desired, each word must be on its own line.

• Letter-case (for example, upper case or lower case) is ignored.

• The wildcards question mark (“?”) and asterisk (“*”) can be used to designate the following:

— “?” (without quotes) designates any single character, including white space characters (for example, menu, space, line break, etc.). For example, “w?y” would catch “way”, “why”, and “w y”.

— “*” (without quotes) at the end of the string designates multiple characters until a white space character is encountered. For example, “refi*” would catch “refinance”, “refinancing” and “refine”.

— “*” (without quotes) followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered. For example, “refi*d” would catch “refinanced”, but would also catch “refinishing is a great way to save d”.

— If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, “\*” or “\?”). For example, “why\?” (without quotes) would catch the string “why?” and the question mark would not be used as a wildcard.

Caution: It is possible to create wildcard combinations that will filter valid email, including all email, and/or will substantially slow email processing. Be very careful if you use wildcards to ensure that only the desired content is filtered.

4 From the Action drop-down menu, select an action to take if an email matches a keyword:

• None - The email is forwarded to the recipient email address.

• Quarantine the message - The email is sent to the recipient's domain content quarantine area.

• Deny Delivery - The email is denied delivery.

• Allow - The email is sent to the recipient email address.

Note: The Allow option is useful if you want to override standard Email Protection spam content filtering for particular keywords.

Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam report.

• Tag the message subject with "[SPAM]"- The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.

• Encrypt Message- is also available for Outbound content groups, if the Customer has subscribed to Encryption.

• Silent Copy - allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.

5 Click the Enable checkbox to turn on the spam content group.

6 Click Save for the new spam content group.

7 Click Save for the policy or continue to the Notifications tab.
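The keyword rules in step 3 (the same rules apply to spam content groups under Define Additional Words That Indicate Spam) can be checked against known-good mail before a list is saved. The following Python sketch is an added example, not McAfee code: it assumes entries are matched as unanchored substrings, that “*” may match zero characters, and that “*” before a literal stops at the first occurrence of that literal. The function names, the lint threshold, and the sample messages are constructed for illustration.

```python
import re

MIN_LITERALS = 3  # assumed lint threshold, not a product setting


def parse_content_field(text):
    """One entry per line (hard return); blank lines are dropped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def tokenize(entry):
    """Split an entry into ('lit', ch), ('any1', '?'), ('tail', '*') or ('span', '*')."""
    tokens, i = [], 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and entry[i + 1:i + 2] in ("*", "?"):
            tokens.append(("lit", entry[i + 1]))  # \* and \? are literals
            i += 2
            continue
        if ch == "?":
            tokens.append(("any1", ch))
        elif ch == "*":
            # A trailing * stops at white space; a * before a literal does not.
            tokens.append(("tail" if i == len(entry) - 1 else "span", ch))
        else:
            tokens.append(("lit", ch))
        i += 1
    return tokens


REGEX_FOR = {
    "any1": r"[\s\S]",    # any single character, white space included
    "tail": r"\S*",       # run ends at the first white space character
    "span": r"[\s\S]*?",  # run may cross white space until the next literal
}


def keyword_to_regex(entry):
    """Compile one entry; letter-case is ignored, as the guide states."""
    parts = []
    for kind, value in tokenize(entry):
        parts.append(re.escape(value) if kind == "lit" else REGEX_FOR[kind])
    return re.compile("".join(parts), re.IGNORECASE)


def lint_entry(entry):
    """Flag entries likely to hit valid mail or slow scanning (see the Caution)."""
    kinds = [kind for kind, _ in tokenize(entry)]
    warnings = []
    if kinds.count("lit") < MIN_LITERALS:
        warnings.append("too few literal characters; may match most mail")
    if "span" in kinds:
        warnings.append("'*' before a literal crosses white space")
    if kinds.count("span") > 1:
        warnings.append("several spanning '*'; backtracking can slow scanning")
    return warnings


def audit(content_field, known_good):
    """Map each entry to its lint warnings and the known-good messages it hits."""
    report = {}
    for entry in parse_content_field(content_field):
        rx = keyword_to_regex(entry)
        hits = [i for i, msg in enumerate(known_good) if rx.search(msg)]
        report[entry] = {"warnings": lint_entry(entry), "false_hits": hits}
    return report


# Constructed sample data: a draft Content field and three legitimate messages.
CONTENT_FIELD = "refi*\nrefi*d\nw?y\nwhy\\?\n*\nlow rate mortgage\n"
KNOWN_GOOD = [
    "Refinishing is a great way to save desk space.",
    "Why was the invoice late",
    "Quarterly report attached",
]

if __name__ == "__main__":
    for entry, result in audit(CONTENT_FIELD, KNOWN_GOOD).items():
        print(repr(entry), result)
```

Any entry with a non-empty `false_hits` list would act on legitimate mail with the action chosen for the group, so it is worth narrowing before the group is enabled.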

Notify Users about Spam Content

You can direct Email Protection to send notification emails to the recipient and/or sender when an email is filtered because it contained spam content. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users.


Note: Virus notifications will not be sent out for emails that are infected with widespread viruses or worms (for example, SoBig or MyDoom). These notifications will be automatically disabled by the Email Protection.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Content.

4 Click Notifications.

Complete the following fields:

Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons

You can configure how Email Protection filters email for HTML attachments or various forms of HTML coding within email.

1 Click Email Protection > Policies.

Field Description

To the sender when a message is … due to a content group violation

Select one or more conditions that will cause Email Protection to send a notification email to the sender.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.

To the recipient when a message is … due to a content group violation

Select one or more conditions that will cause Email Protection to send a notification email to the recipient.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.


2 Click the policy you want to change.

3 Click Content.

4 Click HTML Shield.

5 Under HTML Shield Protection, select one of the following options:

6 Under Options for Low and Medium Setting, click the checkbox Enable spam “beacon” and web bug blocking to block spam beacons and web bugs.

A spam beacon can reveal user activity to spammers while flagging the recipient’s address as active. A Web bug is any one of a number of techniques used to track who is reading a Web page or e-mail, when, and from what computer. A Web bug can also be used to see if an e-mail was read or forwarded to someone else, or if a Web page was copied to another Website.

Note: This option is available only if you picked the Low or Medium options for HTML filtering.

Field Description

Low Select this option to remove only malicious HTML tags from the email and forward the email to the recipient. Text is added to the email to indicate that HTML content was removed.

Medium Select this option to remove the following HTML content from the email and forward the email to the recipient:

• Malicious HTML tags

• HTML comments and attributes

• All Java, Javascript, and ActiveX code

Text is added to the email to indicate that HTML content was removed.

High Select this option to remove all HTML content, including scripts as in the Medium option, from the email and to forward the email to the recipient. Text is added to the email to indicate that HTML content was removed.

None Select this option to not perform HTML filtering on email.


7 Click the checkbox Replace all image links with a default transparent image to eliminate objectionable images in email.

This option replaces links to images in email with links to an image with one transparent pixel.

Note: This option is available only if you picked the Low or Medium options for HTML filtering.

8 Click Save or continue to ClickProtect.

Configure Web Hyperlink Filters (ClickProtect)

You can configure whether Web hyperlinks in email are blocked or can be clicked and followed by the user. You can also designate a ClickProtect Allow List of URL addresses that are excluded from the ClickProtect processing (for example, your corporate URLs). As another option, you can set tracking of links that are clicked so that they are reported in the ClickProtect: Click Log Report.

Caution: ClickProtect only processes links in emails with accepted message formats, which include HTML or Rich Text.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Content.

4 Click ClickProtect.

5 Click one of the following options:

• Disable ClickProtect — Disables this feature completely and allows users to click and access Web hyperlinks in the emails without logging information in the system.


• Display warning message before redirecting — Displays a dialog box with a customizable warning message. Users can then either stop the click-through process or continue to the Web site.

• Display warning message and deny click-throughs — Displays a dialog box with a customizable warning message and does not allow users to continue with the click-through process.

6 If you clicked one of the last two options above, overtype the text in the Warning Message text box. You can also leave the default text if desired.

7 In the Allow URL or IP field, type URL or IP addresses that you want to allow users to access and bypass ClickProtect processing.

The following values are allowed:

• IP Address — Complete address (for example, 10.10.10.1) or partial address with wild cards (for example, 10.10.10.*).

• Domain Name — Qualified domain name (for example, xyz.com) or subdomains (for example, *@*.xyz.com denies emails from any subdomain of the XYZ domain, such as [email protected]). If you know you want to allow all emails from this domain, then use this option instead of typing in each email address associated with the domain. The following list provides some examples of allowable URLs.

— www.domainname.com

— www.domainname.n*

— www.domainname.*

— www.domainname.example.com

— www.domainname.*.com

— www.domainname.xxx.xxx.xxx.xxx.com

— domainname.com

The following are not accepted in domain names:

— http://

— slashes

— IP addresses.

8 Click Add.

The value is added to the list box.

Note: (This step is only available to certain user roles, when a user-defined policy set is selected.) If you want to include the values listed for the Default Inbound policy set, select the check box located beneath the list.

Upload a List of Allowed URLs

You can create a list of allowed URLs and upload that list to the Control Console. To upload a list, perform the following steps:

1 Create a file with a predefined list of URLs. The predefined list must be in the following format:

• Must be a text file

• One entry per line

• File must be available for your browser to access

2 On the ClickProtect screen, click More Options.

Additional fields are displayed.

3 To upload the file, click Browse next to the Upload List field and locate the file.

4 Click Upload Allow List.

The contents are added to the ClickProtect Allow List box.

5 Click Save.
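A pre-upload check for the allow-list file described above, as an added example that is not part of the guide or the product. It applies the stated format rules (one entry per line, no http://, no slashes, complete or wildcarded IP addresses) and lists entries whose last label is a wildcard so they can be reviewed, since every allowed entry bypasses ClickProtect processing. The octet range check, the duplicate handling, the review list, and all names and sample entries are assumptions.

```python
import re

# Four dot-separated parts, each a number or "*" (for example 10.10.10.*).
IP_ENTRY = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")
# Letters, digits, hyphens and "*" wildcards; no leading or trailing hyphen.
DOMAIN_LABEL = re.compile(r"^[a-z0-9*]([a-z0-9*-]*[a-z0-9*])?$")


def check_entry(entry):
    """Return (kind, problem); problem is None when the entry fits the rules."""
    e = entry.strip().lower()
    if "://" in e:
        return "invalid", "scheme prefix such as http:// is not accepted"
    if "/" in e:
        return "invalid", "slashes are not accepted"
    if IP_ENTRY.match(e):
        if any(int(o) > 255 for o in e.split(".") if o != "*"):
            return "invalid", "IP octet out of range"
        return "ip", None
    labels = e.split(".")
    if all(label.isdigit() or label == "*" for label in labels):
        return "invalid", "incomplete IP address"
    if len(labels) < 2 or not all(DOMAIN_LABEL.match(label) for label in labels):
        return "invalid", "not a qualified domain name"
    return "domain", None


def validate_allow_list(text):
    """Check a one-entry-per-line allow list before it is uploaded."""
    accepted, rejected, review, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry in seen:
            rejected.append((lineno, entry, "duplicate entry"))
            continue
        seen.add(entry)
        kind, problem = check_entry(entry)
        if problem:
            rejected.append((lineno, entry, problem))
            continue
        accepted.append(entry)
        # A wildcard in the last label allows every suffix; list it for review.
        if kind == "domain" and "*" in entry.rsplit(".", 1)[-1]:
            review.append(entry)
    return {"accepted": accepted, "rejected": rejected, "review": review}


# Constructed sample file contents (line 8 is blank on purpose).
SAMPLE_LIST = (
    "www.domainname.com\n"
    "http://www.domainname.com\n"
    "www.domainname.com/login\n"
    "10.10.10.*\n"
    "10.10.10.300\n"
    "www.domainname.*\n"
    "WWW.DomainName.com\n"
    "\n"
    "10.10.*\n"
)

if __name__ == "__main__":
    result = validate_allow_list(SAMPLE_LIST)
    for key in ("accepted", "rejected", "review"):
        print(key, result[key])
```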

Download a List of Allowed URLs from the Control Console

If you want to download the list of allowed URLs to your local drive, click Download ClickProtect Allow List. The downloaded list is a file in CSV format. You can open it in Microsoft Excel.

Define an Attachment Filter

You can create a custom attachment filter. You can filter email for attachments based on the following criteria:

• Filter by Attachment File Types, including file size.
• Filter by Attachment File Name
• Filter Zip File Attachments

Filter by Attachment File Types

To filter email by file type, you must define the following:

• What file types are allowed to be received
• File size restrictions on the allowed file types
• The email action that will be used if an email violates any of the file type attachment policies

To create a new policy content filter, perform the following steps:

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Attachments.

The Attachments: File Types screen is displayed.

4 For each file type in the Allowed Attachment Types section, select one of the following options from the drop-down menu:

• Disallow — All email containing this file type is blocked.
• A file size, such that an email with a file of this file type that exceeds the file size is blocked.
— Max 500 KB
— Max 1 MB
— 2 MB
— 5 MB
— 10 MB
— 15 MB
• Any size — Email with this file type is allowed and delivered.

Note: By default, each listed attachment file type is allowed unless you specifically select it to be disallowed, except for the types Executables and Scripts. These two file types are relatively easy to self-invoke from an email, and thus increase the security risk of a self-running virus or worm.

The following table lists the file extensions associated with each file type:

File Type - Example File Extensions
Microsoft Word Documents - *.doc, *.dot, *.rtf, *.wiz
Microsoft Powerpoint Documents - *.pot, *.ppa, *.pps, *.ppt, *.pwz
Microsoft Excel Documents - *.xla, *.xlb, *.xlc, *.xlk, *.xls, *.xlt, *.xlw
Microsoft Access Files - *.adp, *.ldb, *.mad, *.mda, *.mdb, *.mdz, *.snp
Other Microsoft Office Files - *.cal, *.frm, *.mbx, *.mif, *.mpc, *.mpd, *.mpp, *.mpt, *.mpv, *.win, *.wmf
Adobe Acrobat (PDF) Files - *.abf, *.atm, *.awe, *.fdf, *.ofm, *.p65, *.pdd, *.pdf
Macintosh Files - *.a3m, *.a4m, *.bin, *.hqx, *.rs_
Compressed or Archived Files - *.arj, *.bz2, *.cab, *.gz, *.gzip, *.jar, *.lah, *.lzh, *.rar, *.rpm, *.tar, *.tgz, *.z, *.zip
Audio Files - *.aff, *.affc, *.aif, *.aiff, *.au, *.m3u, *.mid, *.mod, *.mp3, *.ra, *.rmi, *.snd, *.voc, *.wav
Video/Movie Files - *.asf, *.asx, *.avi, *.lsf, *.lsx, *.m1v, *.mmm, *.mov, *.movie, *.mp2, *.mp4, *.mpa, *.mpe, *.mpeg, *.mpg, *.mpv2, *.qt, *.vdo
Image Files - *.art, *.bmp, *.dib, *.gif, *.ico, *.jfif, *.jpe, *.jpeg, *.jpg, *.png, *.tif, *.tiff, *.xbm
Executables (Note: This file type defaults to Disallow.) - *.bat, *.chm, *.class, *.cmd, *.com, *.dll, *.dmg, *.drv, *.exe, *.grp, *.hlp, *.lnk, *.ocx, *.ovl, *.pif, *.reg, *.scr, *.shs, *.sys, *.vdl, *.vxd
Scripts (Note: This file type defaults to Disallow.) - *.acc, *.asp, *.css, *.hta, *.htx, *.je, *.js, *.jse, *.php, *.php3, *.sbs, *.sct, *.shb, *.shd, *.vb, *.vba, *.vbe, *.vbs, *.ws, *.wsc, *.wsf, *.wsh, *.wst
ASCII Text Files - *.cfm, *.css, *.htc, *.htm, *.html, *.htt, *.htx, *.idc, *.jsp, *.nsf, *.plg, *.txt, *.ulx, *.vcf, *.xml, *.xsf
Postscript Files - *.cmp, *.eps, *.prn, *.ps
All Other Files - Any file extensions that are not included in the other file types

5 In the Action to take for Disallowed Attachments section, select one of the following options:

• Do nothing – Email Protection sends the email to the recipient with no filtering or notification.
• Deny delivery – Email Protection denies delivery of the email.
• Strip the attachment – Email Protection strips the attachment from the email and the email is sent to the recipient. Text is inserted into the email notifying the recipient that an attachment has been stripped.
• Quarantine the message – Email Protection sends the email to quarantine.

6 Click Save or continue to the Filename tab.

Filter by Attachment File Name

You can create a custom filter to filter email for specific file names. This filter overrides any conflicting file type policies you may have defined.

To define a filter for attachment file name, perform the following steps:

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Attachments.

The Attachments: File Types screen is displayed.

4 Click Filename Policies.

The Filename Policies screen is displayed.

5 Click New.

The New Attachment Filename Policy section is displayed.

6 From the Filter drop-down menu, select one of the following:

• Is – Email Protection filters for file names that have an exact match to the text in the Value field. For example, if you want to filter for the file name config.exe and no others, you must select Is and then type config.exe in the Value field. For this example, the Is option has the meaning “File name IS config.exe.”

• Contains – Email Protection filters for file names that contain the text in the Value description anywhere within the filename string. For example, if you want to filter for any file that contains config in its name, like postconfig or config.ini, select this option.

• Ends with – Email Protection filters for file names that end with the text in the Value description. For example, if you want to filter for any executable files ending with .exe, select this option.

7 In the Value field, type the name or partial name for which Email Protection should search incoming email. For example, if you want Email Protection to search for any file containing the text config, type config.

8 From the Action drop-down menu, select one of the following options:

• Do nothing – Email Protection sends the email to the recipient with no filtering or notification.

• Deny delivery – Email Protection denies delivery of the email.

• Strip the attachment – Email Protection strips the attachment from the email and the email is sent to the recipient. Text is inserted into the email notifying the recipient that an attachment has been stripped.

• Quarantine the message – Email Protection sends the email to quarantine.

9 Ignore the Silent Copy drop-down list. No silent copy will be sent.

10 Click Save to save the new filename filter.

11 Click Save for the policy or continue to the Additional Policies tab to filter for zip file attachments.

Filter Zip File Attachments

You can create a custom filter for zipped file or compressed file attachments. These policies are ignored unless the Compressed or Archived Files filetype is allowed in the Attachments: File Types screen.

To define a filter for zip file attachments, perform the following steps:

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Attachments.

The Attachments: File Types screen is displayed.

4 Click Additional Policies.

The Additional Attachment Policies screen is displayed.

5 From the Message contains high-risk attachment drop-down menu, select one of the following options:

• Allow delivery – Email Protection sends the email to the recipient with no filtering or notification.

• Quarantine the message – Email Protection sends the email to quarantine.

• Deny delivery – Email Protection denies delivery of the email.

This action applies if an email has an attachment that is a zipped file and that violates any of the following rules:

• The zip file itself is too large (> 500MB).
• A file contained in the zip file is too large (> 100MB).
• The zip file contains too many files (> 1500 files).
• The compression rate is too high (> 95% compressed).
• The zip file contains too many levels of nesting (> 3 levels).

6 From the Message contains an encrypted zip attachment drop-down menu, select one of the following options:

• Allow delivery – Email Protection sends the email to the recipient with no filtering or notification.

• Quarantine the message – Email Protection sends the email to quarantine.

• Deny delivery – Email Protection denies delivery of the email.

The action applies if an email message has an attachment that is a zipped file and is encrypted and password-protected. This format is commonly used to prevent scanning for viruses in zipped files.

7 From the File in zip attachment violates attachment policy drop-down menu, select one of the following options.

• Attachment policy action – The action for the specific policy that was violated will be performed on the entire attachment. If multiple policies were violated, the policies defined in the Attachment – Filename Policies subtab override the policies defined in this subtab.

• Do nothing – The email is sent to the recipient with no filtering applied.

The action applies if an email has an attachment that is a zipped file and the zipped file contains files that violate the previously defined filters for attachments.
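The high-risk rules from step 5 and the encrypted-zip condition from step 6 can be checked locally against a sample attachment before you pick an action. This is an added example, not code from the guide or the product; the function names, reading MB as 2^20 bytes, counting files across nested archives, computing the compression rate per archive, and treating the attachment itself as nesting level 1 are all assumptions.

```python
import io
import zipfile
from dataclasses import dataclass

MB = 1024 * 1024  # assumption: the guide does not say whether MB means 10^6 or 2^20 bytes


@dataclass
class Limits:
    """Thresholds from the guide's high-risk rules; override them to test with small samples."""
    zip_bytes: int = 500 * MB     # the zip file itself is too large
    member_bytes: int = 100 * MB  # a file contained in the zip file is too large
    files: int = 1500             # the zip file contains too many files
    ratio: float = 0.95           # the compression rate is too high
    nesting: int = 3              # too many levels of nesting


def inspect_zip(data, limits=None):
    """Return {'high_risk': [reasons], 'encrypted': bool} for a zip attachment given as bytes."""
    limits = limits or Limits()
    reasons, state = set(), {"files": 0, "encrypted": False}
    if len(data) > limits.zip_bytes:
        reasons.add("zip too large")
    _walk(data, 1, limits, reasons, state)
    return {"high_risk": sorted(reasons), "encrypted": state["encrypted"]}


def _walk(data, level, limits, reasons, state):
    # Assumption: the attachment itself is nesting level 1.
    if level > limits.nesting:
        reasons.add("too many nesting levels")
        return  # stop here instead of unpacking deeper
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        packed = unpacked = 0
        for info in zf.infolist():
            if info.is_dir():
                continue
            state["files"] += 1  # assumption: files are counted across nested archives
            if state["files"] > limits.files:
                reasons.add("too many files")
                return
            packed += info.compress_size
            unpacked += info.file_size
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 marks encryption
            state["encrypted"] = state["encrypted"] or encrypted
            if info.file_size > limits.member_bytes:
                reasons.add("member too large")
            if encrypted or info.file_size > limits.member_bytes:
                continue  # unreadable without the password, or too big to unpack safely
            with zf.open(info) as member:
                head = member.read(4)
                if head == b"PK\x03\x04":  # local file header: the member is itself a zip
                    try:
                        _walk(head + member.read(), level + 1, limits, reasons, state)
                    except zipfile.BadZipFile:
                        pass  # zip-like header but not a readable archive
        # Assumption: compression rate is 1 - packed/unpacked over this archive's members.
        if unpacked and 1 - packed / unpacked > limits.ratio:
            reasons.add("compression rate too high")


def build_zip(members, compression=zipfile.ZIP_STORED):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a highly compressible file and a four-level nested archive.
    squeezed = build_zip({"zeros.bin": b"\0" * 1_000_000}, zipfile.ZIP_DEFLATED)
    nested = build_zip({"x.txt": b"data"})
    for _ in range(3):
        nested = build_zip({"inner.zip": nested})
    print(inspect_zip(squeezed))
    print(inspect_zip(nested))
```

Members flagged as encrypted are reported but never opened, which mirrors why the guide treats encrypted zips as a separate policy: their contents cannot be scanned.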

Notify Users about Attachment Violations

You can direct Email Protection to send notification emails to the recipient and/or sender when an email is filtered because it contained an attachment violation. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Attachments.

4 Click Notifications.

5 Complete the following fields:

Field - Description

To the sender when a message is … due to an attachment policy violation - Select one or more conditions that will cause Email Protection to send a notification email to the sender.
• Quarantined – The email that contained an attachment violation was quarantined.
• Denied delivery – The email that contained an attachment violation was denied delivery.
• Stripped – The infected attachment was stripped and the email sent to the recipient.

To the recipient when a message is … due to an attachment policy violation - Select one or more conditions that will cause Email Protection to send a notification email to the recipient.
• Quarantined – The email that contained an attachment violation was quarantined.
• Denied delivery – The email that contained an attachment violation was denied delivery.
• Stripped – The violating attachment was stripped and the email sent to the recipient.

6 Click Save.

Allow or Deny Email to or from Specific Addresses

You can define lists of sender email addresses, domain names, or IP addresses whose email is always delivered to your users, or conversely, whose email is always denied delivery. In addition, you can define lists of recipient email addresses that are always denied receiving email.

The Sender Allow and Sender Deny lists are used in combination with the user-level Allow and Deny lists that can be defined for specific user accounts. In the case of a conflicting entry (for example, the same email address is in the user-level Allow list and the Sender Deny list at the policy set level), the lists defined in these tabs override the user-level lists.

The allowed maximum of items for each list is defined at the system level and may vary for different installations of Email Protection.

Allow Email from a Specific Address

You can define a list of sender addresses whose email will always be accepted without email filtering. The exception is that virus filtering is always applied if licensed for that policy set, unless overridden by the user-level policy configurations. In addition, the user-level Deny list will override the policy set-level Sender Allow list.

You can add individual addresses one at a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Allow/Deny.

The Sender Allow screen is displayed.

4 In the Add Address field, type the address of a sender whose email should be delivered without filtering.

The following values are allowed in the list entries:

• Email addresses – Complete sender email address or partial address with wildcards (for example, “[email protected]” or “g*@domain.com”)
• Domain names – Complete domain name or partial name with wildcards (for example, “domain.com”)
• IP addresses – Complete IP address or partial address with wildcards (for example, “123.123.12.3” or “123.123.12.*”)

Note: CIDR notation is not allowed. Each IP address must be designated separately.

5 Click Add.

The address is added to the allowed address box on the right.

6 Repeat steps 4 and 5 for each address you want to add.

7 Click Save.

You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List.

Sender Policy Framework (SPF)

You are able to whitelist a specific email address or domain and assign an SPF check to that address. Subsequent mail coming from the whitelisted domain is then checked against SPF records. Should the SPF check fail, the mail is denied.

The following conditions apply to an SPF verification:

• If the record can be verified, then content and spam filtering is skipped for the sender’s inbound messages.

• If the record cannot be verified, then filtering is not skipped for the sender’s inbound messages.

Note: If a sender on the allow list does not have an SPF record, the inbound message is still allowed.

Deny Email from a Specific Address

You can define a list of sender addresses whose email will always be denied regardless of email filtering. This Deny list overrides the user-level Allow list.

You can add individual addresses one at a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Allow/Deny.

The Sender Allow screen is displayed.

4 Click Sender Deny.

The Sender Deny screen is displayed.

5 In the Add Address field, type the address of a sender whose email should be denied without filtering.

The following values are allowed in the list entries:

• Email addresses – Complete sender email address or partial address with wildcards (for example, “[email protected]” or “g*@domain.com”)
• Domain names – Complete domain name or partial name with wildcards (for example, “domain.com”)
• IP addresses – Complete IP address or partial address with wildcards (for example, “123.123.12.3” or “123.123.12.*”)

Note: CIDR notation is not allowed. Each IP address must be designated separately.

6 Click Add.

The address is added to the denied address box on the right.

7 Repeat steps 4 and 5 for each address you want to add.

8 In the If the Sender is on the Sender Deny List section, select one of the following options:

• Accept and silently discard the message – The email is accepted, but is discarded without notification.

• Deny delivery – The email is denied delivery.

9 Click Save.

You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List.

Deny Email to a Specific Recipient

You can define a list of recipient user addresses whose incoming email will always be denied, regardless of email filtering. For example, you can designate that emails sent to an ex-employee’s user account are always denied. Email received for all alias email addresses for the designated user account is also included in the Recipient Shield processing.

You can add individual addresses one at a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File.

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Allow/Deny.

The Sender Allow screen is displayed.

4 Click Recipient Shield.

The Recipient Shield screen is displayed.

5 In the Add Address field, type the address of a recipient whose email should be denied.

You can type a complete recipient email address or partial address with wildcards (for example, “[email protected]” or “g*@domain.com”).

Note: The email addresses must be defined in the primary Domain. Alias domain names are not allowed.

6 Click Add.

The address is added to the recipient address box on the right.

7 Repeat steps 4 and 5 for each address you want to add.

8 In the If the Recipient is on the Recipient Shield List section, select one of the following options:

• Accept and silently discard the message – The email is accepted, but is discarded without notification.

• Deny delivery – The email is denied delivery.

• Do nothing – The email is forwarded to the recipient email address with no processing applied.

9 Click Save.

You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List.

Save a Copy of an Allow, Deny, or Recipient Shield List

You can download the allow or deny list you have created so you can store a copy. To download a copy, perform the following steps.

1 On the Allow, Deny, or Recipient Shield screen, click More Options.

2 Click Download [] List.

A download window is displayed. Email Protection automatically creates a Microsoft Excel spreadsheet (*.csv file) containing the address list. You can choose to save the file or open it directly.

Add Allow, Deny, or Recipient Shield Addresses with a Batch File

1 Using a text editor, create a text file that contains one email address per line, and save it to your computer.

2 On the Allow, Deny, or Recipient Shield screen, click More Options.

Additional fields are displayed.

3 Click Browse and search for the text file you created.

4 Click Upload [] List.

5 Click Save.
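A pre-upload check for the batch file from step 1, using the entry formats listed in the Sender Allow and Sender Deny procedures (email address, domain name, or IP address, each optionally with wildcards, and no CIDR notation). This is an added example, not part of the guide or the product; the regular expressions, the function names and the max_entries limit are assumptions, as are the ideas that the batch file accepts the same formats as the Add Address field and that a last-octet wildcard such as 123.123.12.* covers the whole /24.

```python
import ipaddress
import re

# Entry formats the guide lists for the Allow/Deny lists; "*" is the wildcard.
# The exact character sets are assumptions, the guide only gives examples.
IP_RE = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+*-]+@[A-Za-z0-9.*-]+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9*-]+(\.[A-Za-z0-9*-]+)+$")


class TooBroad(ValueError):
    """The CIDR block would expand into more entries than max_entries."""


def classify(entry):
    """Return 'ip', 'email' or 'domain' for an entry in a documented format, else None."""
    if IP_RE.match(entry):
        octets = entry.split(".")
        return "ip" if all(o == "*" or int(o) <= 255 for o in octets) else None
    if EMAIL_RE.match(entry):
        return "email"
    if DOMAIN_RE.match(entry):
        return "domain"
    return None


def cidr_to_entries(cidr, max_entries=256):
    """Rewrite an IPv4 CIDR block as wildcard or single-address entries.

    max_entries is a hypothetical stand-in for the system-level list limit.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # raises ValueError if not a network
    if net.version != 4:
        raise ValueError("the guide only shows IPv4 entries")
    first, last = int(net.network_address), int(net.broadcast_address)
    step = 256 if net.prefixlen <= 24 else 1  # one a.b.c.* entry per /24, else one per address
    if (last - first) // step + 1 > max_entries:
        raise TooBroad(cidr)
    out = []
    for value in range(first, last + 1, step):
        text = str(ipaddress.IPv4Address(value))
        out.append(text.rsplit(".", 1)[0] + ".*" if step == 256 else text)
    return out


def lint_list(text, max_entries=256):
    """Return (accepted, problems) for the contents of a batch file, one entry per line."""
    accepted, problems, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if entry.lower() in seen:
            problems.append((line_no, entry, "duplicate entry"))
            continue
        seen.add(entry.lower())
        if not entry.strip("*.@"):
            # On a Sender Allow list this would skip filtering for every sender.
            problems.append((line_no, entry, "wildcard-only entry matches everything"))
            continue
        kind = classify(entry)
        if kind:
            accepted.append((kind, entry))
            continue
        try:
            if "/" not in entry:
                raise ValueError(entry)
            fix = ", ".join(cidr_to_entries(entry, max_entries))
            problems.append((line_no, entry, "CIDR not allowed; use: " + fix))
        except TooBroad:
            problems.append((line_no, entry, "CIDR not allowed and too broad to expand"))
        except ValueError:
            problems.append((line_no, entry, "not an email address, domain name or IP address"))
    return accepted, problems


# Constructed sample file contents (documentation domains and address ranges).
SAMPLE = """alice@example.com
g*@example.com
example.org
192.0.2.7
198.51.100.*
203.0.113.8/30
http://example.net/
ALICE@example.com
*@*
"""

if __name__ == "__main__":
    ok, bad = lint_list(SAMPLE)
    for kind, entry in ok:
        print("ok  ", kind, entry)
    for line_no, entry, message in bad:
        print("line", line_no, entry, "->", message)
```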

Transport Layer Security

Transport Layer Security (TLS) has routinely been supported and is still supported by our Email Protection system. If a TLS connection can be negotiated between the sender and the recipient MTAs, then the system delivers the email over TLS. If a TLS connection cannot be established between the sender and the recipient MTAs, then the mail transfer agent delivers the email via SMTP without encryption. Therefore, it is recommended that you specify a Sender’s domain and/or sub-domain for this policy so that TLS is enforced. With TLS enforced, if TLS cannot be established, the message will not be delivered and a bounce message will be generated to the sender, recipient, or both, depending on the Notifications.

Note: Enforced TLS requires a negotiation between our mail transfer agent and yours to be successful. You must have TLS turned on at your end to accommodate this transaction. Refer to your MTA software manual on “How to enable/turn-on TLS” to ensure TLS is implemented in your system prior to setting up your domain lists.

From the Policy Set screen, select the Enforce TLS tab and complete the following steps.

Subscribe to Default TLS List

By checking the subscription to the TLS default list you will be adding the appropriate Inbound/Outbound Default domain policy to your customized Enforced TLS domain list. The default list can be viewed by clicking the corresponding Inbound/Outbound Default selection under the Policies tab.

NOTE: This option is only available in custom (non-default) policy sets.

NOTE: If the default list changes, your subscription to the default is updated to reflect those changes.

Add Domain

6 To enter values into the TLS domain list enter the full address of the Sender/Recipient’s domain and/or sub-domain.

NOTE: To enter values into the TLS domain list enter the full address of the Sender/Recipient's domain and/or sub-domain. Any Sender/Recipient's domain or subdomain must be explicitly specified for enforced TLS. Specifying a Sender/Recipient's domain doesn't automatically include any sub-domains of that domain.

7 Click the Add » button. The value is added to the list box.

NOTE: The maximum number of values allowed in the Add Domain list is specified. This limit is defined at the system level (see the online help for the specific count). Any duplicate or invalid values are discarded automatically.

More Options

8 To upload a file with a predefined list, click the Browse button. After you select the file and its path appears in the text field, click the Upload button. The contents are added to the Add Domain box above.

9 To remove a value from the list, select it in the list box and click the « Remove button.

NOTE: To select more than one value from the list, press Ctrl on your keyboard, click each entry you want to remove, and then click the « Remove button.

Save

10 Click the Save button to save your information.

Download

To Download a domain list in a csv file, click the Download button, select the list you wish to download and click Save.

Enforced TLS tab

The Notifications subtab under Enforced TLS allows you to configure whether the sender and/or recipient is notified if an email cannot be sent via a TLS connection.

Notifications Subtab

Send Email Notifications

11 Check the “Denied Delivery” box for the heading “To the sender when a message is...” to notify the sender that they are unable to send their message due to a TLS violation.

12 Click Save.

13 Check the “Denied Delivery” box for the heading “To the recipient when a message is...” to notify the recipient that they are unable to receive their message due to a TLS violation.

14 Click Save.

View your selection

Click the Notifications tab in the Policy Set screen.

Define the Format and Text of Notifications to Users

You can configure templates for the notification emails that are sent to the sender and/or recipient when an email message is filtered for:

• Viruses
• Content
• Attachments

Default notification templates are provided for all the notification scenarios. You can change these templates if you wish.

One notification email template is defined for each combination of the following:

• Filtering type — For viruses, content, or attachments
• Destination of the notification — Sender or recipient
• Email Action — Deny, strip, or quarantine

Variables within a Notification

Within the notification emails, variables automatically insert content from the system. For example, the variable $(DATE) inserts the date when the notification email was sent. Default variables already exist for the default notifications. If you want to use a different variable, you must manually type the variable as shown below and the variables are case-sensitive.

$(SUBJECT) - Inserts a variable that automatically indicates the subject of the email that violated the policy.

$(FROM) - Inserts a variable that automatically indicates the sender’s email address (From: address) from the email that violated the policy. This variable inserts the From: address that is displayed in the email.

$(SENDER) - Inserts a variable that automatically indicates the sender’s email address (From: address) from the email that violated the policy. This variable inserts the SMTP envelope From: address received from the sending email server.

$(TO) - Inserts a variable that automatically indicates the recipient’s email address (To: address) from the email that violated the policy.

$(DATE) - Inserts a variable that automatically indicates the date when the email was received that violated the policy.

$(REASON) - Inserts a variable that automatically indicates the reason why the email violated the policy.

$(ACTION) - Inserts a variable that automatically indicates the action that was applied to the email that violated the policy.

$(DOMAIN) - Inserts a variable that automatically indicates the domain that received the email that violated the policy.

$(MSG_HEADER) - Inserts a variable that automatically indicates the email header information from the email that violated the policy.

$(SIZE) - Inserts a variable that automatically indicates the size, including attachments, of the email that violated the policy.

$(POSTMASTER) - Inserts the contact email address configured for the domain.

The set of Notifications tabs includes the following subtabs:

• Notifications – Virus Notifications subtab
• Notifications – Content Notifications subtab
• Notifications – Attachment Notifications subtab

In addition, each subtab will have a separate Edit area for each of its notification templates.

Because all the individual notification templates offer the same functionality, only one set of subtabs in the Notifications tabs will be described to reduce redundancy. Be aware that the same features are used to modify the remaining notification templates, the only difference being the combinations of filter type, destinations, and email actions. Be sure to modify the navigation and information accordingly.

Define the Format and Text of Virus Notifications

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Notifications.

The Notifications: Virus screen is displayed.

4 Click on a notification in the Virus Notifications box.

5 Click Edit.

The Edit section of the screen is displayed.

6 Change, if desired, the text or variables in any or all of the following fields:

From - Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To - Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject - Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body - Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

7 Click Save.

Define the Format and Text of Content Violation Notifications

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Notifications.

The Virus Notifications screen is displayed.

4 Click Content.

The Content Notifications screen is displayed.

5 Click on a notification in the Content Notifications box.

6 Click Edit.

The Edit section of the screen is displayed.

7 Change, if desired, the text or variables in any or all of the following fields:

From - Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To - Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject - Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body - Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

8 Click Save.

Define the Format and Text of Attachment Violation Notifications

1 Click Email Protection > Policies.

2 Click the policy you want to change.

3 Click Notifications.

The Virus Notifications screen is displayed.

4 Click Attachment.

The Attachment Notifications screen is displayed.

5 Click on a notification in the Attachment Notifications box.

6 Click Edit.

The Edit section of the screen is displayed.

7 Change, if desired, the text or variables in any or all of the following fields:

From - Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To - Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject - Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body - Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

8 Click Save.

Enforced TLS

The Notifications > TLS subtab allows you to configure a template for how the notification email sent to the sender and/or recipient will appear.

Within the notification emails, there are available variables that will automatically insert content from the system. For example, the variable $(DATE) will insert the date when the notification email was sent. You must manually type the variables as shown below and the variables are case-sensitive.

9 Highlight the message you wish to review and click Edit to launch the edit template.

Variables within the template include:

$(SUBJECT) - The Subject field is blank because the message was blocked before the email content had been sent. If you wish to have a Subject value for the Notification message, edit the Subject: field, otherwise the Subject appears as: 'Delivery Notification'.

$(FROM) - Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the From: address that is displayed in the email.

$(SENDER) - Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the SMTP envelope From: address received from the sending email server.

$(TO) - Inserts a variable that automatically indicates the recipient's email address (To: address) from the email that violated the policy.

$(DATE) - Inserts a variable that automatically indicates the date when the email was received that violated the policy.

$(REASON) - Inserts a variable that automatically indicates the reason why the email violated the policy.

$(ACTION) - Inserts a variable that automatically indicates the action that was applied to the email that violated the policy.

$(DOMAIN) - Inserts a variable that automatically indicates the Domain that received the email that violated the policy.

$(POSTMASTER) - Inserts postmaster (ex. [email protected]) email address for the Domain.

Variable syntax requires $({name_of_variable}), where {name_of_variable} is replaced with the predefined variable name (without the curly brackets).
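An added example (not part of the guide or of the product): a small Python check that lints a draft notification template against the variable list and case-sensitive $(NAME) syntax described above, then renders a preview with constructed sample values. The function names, the sample addresses, the REASON and ACTION strings, and the choice to leave unrecognised tokens untouched in the preview are assumptions made for illustration.

```python
import re

# Variable names listed in this guide for notification templates (case-sensitive).
DOCUMENTED = {"SUBJECT", "FROM", "SENDER", "TO", "DATE",
              "REASON", "ACTION", "DOMAIN", "POSTMASTER"}

# The documented form: $(NAME)
TOKEN = re.compile(r"\$\(([^()]*)\)")
# Forms borrowed from other template languages, treated here as typing mistakes
# (assumption): ${NAME}, %(NAME) and a bare $NAME.
LOOKALIKE = re.compile(r"\$\{(\w+)\}|%\((\w+)\)|\$(?![({])(\w+)")


def lint_template(text):
    """Return (token, problem) pairs for tokens that do not match the documented syntax."""
    findings = []
    for m in TOKEN.finditer(text):
        name = m.group(1)
        if name in DOCUMENTED:
            continue
        bare = name.strip("{} ")  # catches $({DATE}) typed with the curly brackets
        if bare.upper() in DOCUMENTED:
            findings.append((m.group(0), "write it as $(%s)" % bare.upper()))
        else:
            findings.append((m.group(0), "not a documented variable"))
    for m in LOOKALIKE.finditer(text):
        name = next(g for g in m.groups() if g)
        if name.upper() in DOCUMENTED:
            findings.append((m.group(0), "write it as $(%s)" % name.upper()))
    return findings


def render_preview(text, values):
    """Substitute documented variables with sample values.

    Anything else is left as typed so that mistakes stay visible in the preview;
    how the service itself renders an unrecognised token is not stated in the guide.
    """
    def substitute(m):
        name = m.group(1)
        return values.get(name, "") if name in DOCUMENTED else m.group(0)
    return TOKEN.sub(substitute, text)


def preview_subject(subject_template, values):
    """Model the guide's description: an empty Subject appears as 'Delivery Notification'."""
    rendered = render_preview(subject_template, values).strip()
    return rendered or "Delivery Notification"


# Constructed sample values for an Enforced TLS denial (not real data).
SAMPLE_TLS_DENIAL = {
    "SUBJECT": "",                               # empty: blocked before content was sent
    "FROM": "billing@example.com",               # From: address displayed in the email
    "SENDER": "bounce-771@mailer.example.net",   # SMTP envelope From: address
    "TO": "alice@example.org",
    "DATE": "2012-02-14",
    "REASON": "Enforced TLS",                    # constructed wording
    "ACTION": "Denied",                          # constructed wording
    "DOMAIN": "example.org",
    "POSTMASTER": "postmaster@example.org",
}

# A draft with four mistakes: wrong case, ${...}, curly brackets kept, unknown name.
DRAFT_BODY = ("A message from $(FROM) (envelope sender $(Sender)) to $(TO) "
              "was handled on ${DATE}.\nReason: $(REASON)  Action: $({ACTION})\n"
              "Questions: $(POSTMASTER) or $(HELPDESK)")

FIXED_BODY = ("A message from $(FROM) (envelope sender $(SENDER)) to $(TO) "
              "was handled on $(DATE).\nReason: $(REASON)  Action: $(ACTION)\n"
              "Questions: $(POSTMASTER)")

if __name__ == "__main__":
    for token, problem in lint_template(DRAFT_BODY):
        print("%-12s %s" % (token, problem))
    print(preview_subject("$(SUBJECT)", SAMPLE_TLS_DENIAL))
    print(render_preview(FIXED_BODY, SAMPLE_TLS_DENIAL))
```

Showing $(FROM) and $(SENDER) side by side in a notification makes it visible when the displayed From: address and the SMTP envelope address differ.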


Enforced TLS Subject Headers

As mentioned, the Subject field in the TLS Email Subject Line, the TLS Email Header, and the TLS Notification Message Body will not contain Subject data since the email was denied and no data was retrieved.

The following examples demonstrate the Subject Field or Subject Notification only displaying Delivery Notification. Again, this is because the $(SUBJECT) variable is an empty variable.

Email Subject Line

Email Subject Header

TLS Notification Subject Header Response

Disaster Recovery

Disaster Recovery allows you to specify what actions to take when email cannot be delivered. There are three available options:

• Defer to domain-based Message Continuity access control configured under Disaster Recovery Setup

Select this option to use the configuration settings from the Disaster Recovery Setup window.

• Allow users to use the Message Continuity webmail client


Select this option to allow users to use the Message Continuity webmail client when email cannot be delivered.

• Do not allow users to use the Message Continuity webmail client

Select this option if you do not wish to allow users to use the Message Continuity webmail client when email cannot be delivered.

Assign a Group to the Custom Policy

To perform this task, you must first create the group of users who are to be assigned to the policy. See “Managing Groups” in Account Management Administrator Guide.

1 Click Email Protection > Policies.

2 Select the custom policy to which you want to assign a group.

3 Click Group Subscriptions.

The Policy Configuration Groups screen is displayed.

4 Select the group you want to assign.

5 Click Add.


6. Customize Outbound Mail Filters

You can customize the default outbound policy for any and each domain, or any and each group, to fit your business needs.

Note: Outbound email is not filtered for spam. You also cannot customize allow or deny lists for outbound email. You can, however, copy allow or deny lists from an existing inbound policy.

Create a Custom Outbound Policy

Important Note: It is assumed that all domains within an Enterprise Customer will have the same package assigned to them. If some domains have different packages, unexpected results may occur when a policy is applied to a group in which members reside within different domains.

1 Click Email Protection > Policies.

2 Click New.

The New Policy Set fields are displayed.

Field Description

Name Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy.

Description Enter a description of the new policy set.


3 Click Save.

The Policy Sets list is updated with the new policy. You can now modify the new policy to meet your business needs.

Configure a Virus Filter

You configure a virus filter for outbound email in the same way as that for inbound email. For more information, see Configure a Virus Filter.

Configure a Content Filter

You can create a custom content filter for outbound email. You can only set up Content Groups and Notifications. HTML Shield and ClickProtect are not available for outbound email. You set up content groups and notifications in the same way as that for inbound email. For more information, see Configure a Content Filter.

Direction From the drop-down menu, select the direction of email, outbound SMTP, for which this policy will be configured.

Copy From From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields.

Copy Sender Allow List

Click the checkbox to copy the Sender Allow list from the policy set selected in the Copy From field.

Copy Sender Deny List

Click the checkbox to copy the Sender Deny list from the policy set selected in the Copy From field.

Copy Recipient Shield List

Click the checkbox to copy the Recipient Shield list from the policy set selected in the Copy From field.

Copy ClickProtect Allow List

Click the checkbox to copy the ClickProtect Allow list from the policy set selected in the Copy From field.


Email Encryption for Content Groups

Group Names

You can send regular email based on your selected policies, but you can also encrypt messages for a specific Group Name under Content Groups if desired. Select the group name you wish to encrypt and, from the Action drop-down list, select to have that group encrypted.

More Options …

If a Customer or Domain subscribes to Email Encryption, then this option can be selected to enforce Email Encryption if the outbound message contains the word ‘[encrypt]’. The word [encrypt] can reside in the message Subject line or the body of the outbound message.

This option can be found under Email Protection > Policies > Outbound (default) > Content > Content Groups.


Define an Attachment Filter

You configure an attachment filter for outbound email in the same way as that for inbound email. For more information, see Define an Attachment Filter.

Define the Format and Text of Notifications to Users

You configure notifications for outbound email in the same way as that for inbound email. For more information, see Define the Format and Text of Notifications to Users.

Assign a Group to the Custom Policy

You assign a group to a policy for outbound email in the same way as that for inbound email. For more information, see Disaster Recovery.


7. Managing Quarantine Reports

Set up Quarantine Reports

When Email Protection scores email and determines that email might be problematic, but the email is not clearly a security risk, Email Protection places the email into quarantine. You can set up quarantine reports so that users can see which of their messages were filtered and placed in quarantine. You can also determine how much control users have over these reports, including:

• How reports are formatted
• How often reports are sent
• How Spam is filtered
• What actions users can take on quarantined email

See the Email Protection User Guide on how users might manage quarantine reports.

To set up quarantine reports for users, see Set up Spam Quarantine Reports.

Monitor Users’ Quarantined Email

Email is quarantined based on the filtering for spam, viruses, content, and attachments, as designated on your domains’ or groups’ policies. To monitor quarantined email, you can perform the following tasks:

• Search for Quarantined Email
• Interpret the Search Results
• Sort the Search Results
• Delete Quarantined Messages
• Release Quarantined Messages
• View Quarantined Messages

As an administrator, you can also directly access your own quarantined email within the Control Console. See Monitor Your Own Quarantine.


Primary Email Addresses, Aliases, and Public Domain Addresses

Most quarantined emails show the primary email address as the recipient email address. However, if Intelligent Routing is used, quarantined email to a public domain address continues to be shown as a public domain address. If an email that was sent to an alias email address is quarantined, the recipient email address is changed to be the associated primary email address. Any emails released out of any of the quarantine areas are sent to the primary email address. Thus, no alias email addresses will be listed in these windows.

Search for Quarantined Email

To search quarantined email, perform the following steps:

1 Click Email Protection > Quarantine.

2 If necessary, click Quarantine Search.

3 Complete any or all of the following fields to define your search:


Note: All fields are used in the search. If your search finds a large number of messages, narrow your search by narrowing the scope within one or more fields.

4 Click Search.

A list of messages is displayed at the bottom of the screen.

Interpret the Search Results

The Search Results section of the Quarantine Search screen displays the following information for each email message:

• Date — The date the message was quarantined, according to the local timezone of the recipient.
• From — The sender of the message.
• To — The recipient of the message.
• Subject — The subject of the message.
• Size — The size of the message, in kilobytes, including any attachments.

Also, a sixth column displays information that varies depending on the type of threats you searched for. The following table lists the type of information that might be contained in this column.

Field Description

From Enter a full sender email address. The address must include the recipient name and the domain name, for example [email protected].

To Enter a recipient email address. The address must include the recipient name and the domain name.

Threat From the drop-down menu, select one of the following:
• Spam
• Virus
• Attachment
• Content
• All Threats

Day list From the drop-down menu, select the day, from the past week, whose messages you want to see. You can also select All Days.

Note: The date of a message is determined by the time, according to the user’s timezone, the message was placed in quarantine.

Inbound/Outbound From the drop-down menu, select one of the following:
• View inbound only
• View outbound only
• View inbound & outbound

Note: This field is available only if the selected Domain has both inbound and outbound packages associated with it.


Sort the Search Results

You can sort the search results according to any of the columns in the Search Results section.

1 Click on the heading of the column you want to sort.

You have the choice of sorting the messages in ascending or descending order of the values in the column.

2 Click Sort Ascending or Sort Descending.

Threat Type Selected   Column Label   Description

Virus Virus Displays the type of virus detected in the email.

Spam Spam Score Displays a score that indicates how likely it is that the email is spam.
• A spam score of 90% - 98.9% is considered “medium” likelihood if default settings are used.
• A spam score of 99% or higher is considered “high” likelihood if default settings are used.

Email Protection anti-spam filtering uses a large number of filtering processes, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework® to determine the score. If you specified an additional Realtime Blackhole List (RBL) in the Anti-Spam screen of the assigned policy, the RBL can influence the spam score as well.

Note: Occasionally, some emails might be marked as spam when in fact they are legitimate emails. For these “false positive” email messages, you can help Email Protection “tune” the spam thresholds and rules by sending a forwarded copy of the email with all content and attachments to [email protected].

Attachment Attachment Displays the name of an attachment that was included in the email message and violates attachment rules (size, file type, zip file attachments) as defined on the Attachment screens of the assigned policy. If a message contains more than one delinquent attachment, the first attachment found in the message is listed. You can check to see all attachments by opening the message.

Content Keyword Displays Content to indicate that the email violated a content policy, as defined in the Content Groups screen for the assigned policy. You can see what keywords were violated by opening the message and checking the Status line.

All Threats Type Displays the type of threat filtering that the email violated.


3 To hide columns in the results, move your cursor over the Columns menu item and click the checkboxes to select or deselect the columns you want to display in your sorted list.

4 To move columns around so they are displayed in a different left-to-right sequence, perform the following steps:

A Place your cursor on the column you want to move.
B Click and hold the mouse button.
C Drag the column to a different location.

Delete Quarantined Messages

Email Protection deletes each message automatically if the message stays in quarantine for more than seven days. However, you can immediately delete quarantined email listed in the Quarantine Search Results in one of two ways:

• Highlight each email in the list and click Delete.
• Click Delete All, which deletes all email in the Search Results list.

Release Quarantined Messages

By releasing a quarantined email message, you remove the message from quarantine and send the email to the mailbox of the recipient’s primary email address. You can release email in one of two ways:

• Click the checkbox for each email you want to release, and click Release.
The email is removed from quarantine and sent to the recipient mailbox or mailboxes.

• Click the checkbox for each email you want to release, and click Always Allow for User.
The email is removed from quarantine and sent to the recipient mailbox or mailboxes. This option also adds the sender address of each selected message to the Allow list of the associated recipient.

Caution: Releasing emails that contained worms or viruses can potentially allow the recipients’ machines to be infected.

View Quarantined Messages

Email Protection allows you to view a quarantined message without risk of infection by any malicious virus or attachments. To view a message in the quarantine:

1 Double-click the message you want to view.

The message opens in a new tab with the subject heading.


2 Check the email for any of the following, depending on the Threat type:

• If the Threat type is Spam, check the subject line and body of the message, as well as the Status line for the spam score.
• If the Threat type is Content, check the Status line for the word or words that violated the content filter.
• If the Threat type is Attachment, check the Attachments list for size and/or type of file or for html code violations. The Content Type is based on the MIME protocol.
• If the Threat type is Virus, check the Virus list for the viruses found.

3 Note the IP address listed in the message. This address is the last hop the message took prior to delivery to Email Protection. The IP address can be useful in tracking the path of a message and can help identify spoofed senders.

4 After checking a message, do one of the following:

• Delete the message as described in Delete Quarantined Messages.


• Release the message as described in Release Quarantined Messages.
• Close the message by clicking the X in the tab at the top of the message.

Monitor Your Own Quarantine

You can check your own messages in quarantine and take the same actions on those messages that you take on other users' messages. To access your own quarantined messages, perform the following steps:

1 Click Email Protection > Quarantine.

2 Click My Spam.

Your message quarantine is displayed.

3 Perform any of the following tasks:

• Search for Quarantined Email
• Interpret the Search Results
• Sort the Search Results
• Delete Quarantined Messages
• Release Quarantined Messages
• View Quarantined Messages


8. User-Level Policy Configuration

You can modify some aspects of a policy for individual users. For more information, see the following sections in the Account Management Administrator Guide.

• “Personalize Spam Reporting for a User”
• “Allow or Deny Email to a User from Specific Addresses”
• “Search the Quarantine of a User”
• “View the Email Activity Summary of a User”

Users can also manage some aspects of their email filtering. See Email Protection User Guide.


9. Set up Disaster Recovery Services

Administer Disaster Recovery Services

Disaster Recovery Services consists of one of two services:

• Fail Safe — Fail Safe saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Fail Safe delivers the messages. Users cannot access their messages while messages are in Fail Safe only.
Fail Safe has an unlimited amount of storage capacity but removes messages that have been in Fail Safe storage for more than 5 days.

• Message Continuity — Message Continuity saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Message Continuity delivers the messages. Users can access their messages through a Web-based interface while messages are in Message Continuity only.
Message Continuity also has unlimited storage capacity and removes messages that have been in Message Continuity storage for more than 60 days.

Set up Spooling for Disaster Recovery

1 Click Email Protection > Setup > Disaster Recovery.

2 From the Domain drop-down menu, select the domain you want to set up for Disaster Recovery.

3 In the Configuration Settings section, select one of the following options:

• Automatic — This option automatically spools all incoming email when Email Protection detects a loss of connectivity with your email server(s). With this option, you must also specify how long Email Protection should wait after connectivity is lost to begin spooling.
Note: Be aware that it may take several minutes to determine that your inbound server is unavailable. During this time, and during the time delay, received emails can be tempfailed if your inbound server is unavailable.

• Manual — This option allows you to start and stop Disaster Recovery spooling manually for planned email server outages such as server maintenance. When necessary, you then select Start Spooling to initiate manual spooling, and select Stop Spooling to stop it.
Note: It may take a few minutes for manual spooling of incoming mail to start and stop.


4 If you selected the Manual option, check the Deliver spooled email when connectivity is available box to deliver spooled email when connectivity to the email server(s) is restored.

5 If your service includes Message Continuity, check the checkbox Allow users to use Message Continuity to set the default permission for users to get messages through Message Continuity. This setting applies to the domain. You can override this setting on the Disaster Recovery screen under Policies if you have some groups that you don’t want to allow access.

Set up Notifications of Disaster Recovery

You can specify that notifications are emailed automatically to designated recipients, typically yourself or other administrators, when the following Disaster Recovery events occur:

• Automatic spooling has started
• Automatic unspooling has started
• Automatic or manual unspooling has completed

1 Under the Notifications section of the Disaster Recovery Setup screen, type, in the Recipient Email Address field, the email address of a person who should receive notification of a disaster recovery event.

Note: In order to minimize the possibility that Disaster Recovery notifications cannot be delivered to listed recipients, it is recommended that notifications be sent to email addresses associated with cell phones or pagers.

2 Click Add.

3 Repeat steps 1 and 2 for up to three more notification recipients.


10. System Reports

Email Protection Reports

Email Protection provides a large number of reports with which to monitor your service.

Report Description

Traffic Overview Information about all Inbound and Outbound email traffic and bandwidth for the designated domain(s) during the selected date or date range.

Threat: TLS Information about all TLS Inbound and Outbound email traffic, percentages and bandwidth for the designated Domain(s) during the selected date or date range.

Threats: Overview Information about email violations by policy type for the designated domain(s) during the selected date or date range.

Threats: Viruses Information about all Inbound and Outbound emails that violated the virus policies for the designated domain(s) during the selected date or date range.

Threats: Spam Information about emails that violated the spam policies for the designated domain(s) during the selected date or date range.

Threats: Content Information about emails that violated the content keyword policies for the designated domain(s) during the selected date or date range.

Threats: Attachments Information about emails that had attachments that violated the attachment policies for the designated Domain(s) during the selected date or date range.

Enforced TLS Details Information about all Enforced TLS Inbound and Outbound email traffic, including the number of messages and bandwidth for the designated Domain(s) during a selected timeframe. The report also includes a count of Inbound and Outbound messages that were denied due to an Enforced TLS Policy violation.

ClickProtect: Overview Information about ClickProtect processing. ClickProtect processing tracks Web hyperlinks received in emails that can be clicked and followed by the user or that can be blocked, depending on the ClickProtect policy configurations for the designated domain(s) during the selected date or date range.

ClickProtect: Click Log Information about Web hyperlinks in emails that were clicked by the recipient for the designated domain(s) during the selected date or date range.

Quarantine: Release Overview Information about emails that were quarantined and released from all quarantine areas within the Email Protection for the designated domain(s) during the selected date or date range.


View an Email Protection Report

To view an Email Protection Report, perform the following steps:

1 Click Email Protection > Reports.

2 From the Domain drop-down menu, select the domain for which you want the report.

The Traffic Overview report is displayed.

3 From the Reports drop-down menu, select the report you want.

4 Click the Period field to display the Calendar selector.

5 From the Calendar selector, do one of the following:

A Select Today for data on the current day.
B Select a specific date, within the last 7 days, to display data only for that date.
C Select the name of the month that appears at the bottom of the calendar.
D Select a month and date in the drop-down lists.
E Position cursor over the week number (to the left of the first date in a week) and click to display data for the entire week beginning with that date.

Quarantine: Release Log Information about emails that were released from all quarantine areas within the Email Protection for the designated domain(s) during the selected date or date range.

User Activity Information about all Inbound and Outbound email traffic and bandwidth for the designated domain(s) during the selected date or date range.

Event Log Displays messages that have had actions performed based on the content, spam content, virus, or attachment policy definitions. Messages can be sorted per domain, and Inbound direction, Outbound direction or both. Messages that are identified as threats by the Email Protection are also included.

Audit Trail Displays the audit log items for all actions performed by users with Report Manager, or higher level, roles within the Control Console for the designated domain(s) during the selected date or date range, including sign ins and configuration changes.

Inbound Server Connections Displays information about the connections made to the Inbound email servers during processing.

Disaster Recovery: Overview Information about emails that were spooled and unspooled by the disaster recovery service for the designated domain(s) during the selected date or date range.

Disaster Recovery: Event Log Displays the event log items for actions performed within the disaster recovery service. Included are actions performed automatically by the Email Protection and performed manually by the administrator.


Note: You can select only the current month or click the down arrow at the top of the calendar to select the previous month. You cannot retrieve data from a timeframe beyond the previous month.

Change the Graphic Display of the Report

You can display some of the information in a report as a bar graph, as a line graph, or as a pie chart.

To select a graphic display type, select the appropriate icon on the upper right corner of each graphic, if available. The icons are as follows:

Download a Report

To download textual report information into a Microsoft Excel spreadsheet (*.csv), click Download on any report, then follow the instructions.

Traffic Overview

The Traffic: Overview window displays overview information about the inbound and outbound email traffic for the designated domain.

This icon displays the graphic as a bar graph.

This icon displays the graphic as a line graph.

This icon displays the graphic as a solid (filled) line graph.


The following table lists the report items in the report.

Report Item Description

Traffic Trends The number of inbound and outbound emails for the designated Domain and date range.
• Green – Inbound data
• Purple – Outbound data

Traffic Summary Information about inbound and outbound email traffic for the designated Domain and date range as follows:
• Inbound Messages – Indicates the total number of inbound emails received.
• Average Inbound Messages/Hour – Indicates the average number of inbound emails received each hour.
• Outbound Messages – Indicates the total number of outbound emails sent.
• Average Outbound Messages/Hour – Indicates the average number of outbound emails sent each hour.

Bandwidth Trends The bandwidths, in kilobytes, used by inbound and outbound email for the designated Domain and date range.
• Green – Inbound data
• Purple – Outbound data


Traffic: TLS Report

The Traffic: TLS Report window displays information about all TLS Inbound and Outbound email traffic, percentages and bandwidth for the designated Domain(s) during the selected date or date range.

Reporting Period: All report data is viewable on either a day, week, or month basis for the current month, or the previous month.

You can use the Download button to save a copy of the currently displayed report results in spreadsheet format.

Report Purpose

Identifies Inbound and Outbound email messages that were delivered via a TLS connection and any email messages that were denied due to an Enforced TLS Policy violation.

Traffic Summary

TLS Inbound Messages - The total of TLS inbound messages that were processed via a TLS connection.

Bandwidth Summary Information about the bandwidth used by inbound and outbound email for the designated domain and date range as follows:
• Inbound Total Bandwidth – The total bandwidth used by received inbound emails.
• Average Inbound Message Size – The average size of inbound emails.
• Outbound Total Bandwidth – The total bandwidth used by sent outbound emails.
• Average Outbound Message Size – The average size of sent outbound emails.


% Inbound Messages sent via TLS - The percentage of incoming email messages processed via a TLS connection.

Inbound Messages blocked by Enforced TLS - The total of inbound email messages blocked by an Enforced TLS policy.

TLS Outbound Messages - The total of TLS outbound messages that were processed via a TLS connection.

% Outbound Messages sent via TLS - The percentage of outgoing email messages processed via a TLS connection.

Outbound Messages blocked by Enforced TLS - The total of outgoing email messages blocked by an Enforced TLS policy.

Bandwidth Summary

TLS Inbound Total Bandwidth - The quantity of data transferred via TLS, measured in bytes.

% Inbound Bytes sent via TLS - The percentage of Inbound mail sent via TLS, measured in bytes.

Outbound Total Bandwidth - The quantity of data transferred via TLS, measured in bytes.

% Outbound Bytes sent via TLS - The percentage of Outbound mail sent via TLS, measured in bytes.

Traffic: Encryption

The Traffic: Encryption report displays information about all Outbound email traffic that was sent out to be encrypted, including percentages and bandwidth, for the designated Domain(s) during the selected date or date range.


Selecting the checkbox for Email Encryption on both the Create/Edit Customer page and Create/Edit Domain page allows customers to use the ‘Encrypt Message’ action when working with Outbound policy Content Groups.

When the ‘Encrypt Message’ action is selected for a Content Group, then any message that contains that content is routed to an encryption server and available to the recipient.

Email Encryption is only available for a selected Outbound package.

Email Encryption Summary

Outbound Messages blocked by Email Encryption - The total outbound messages to be delivered for encryption.

% Outbound Messages sent via Encryption - The percentage of outgoing email messages sent out to be encrypted.

Email Encryption Bandwidth Summary

Outbound Total Bandwidth - The total bandwidth of outgoing email messages sent for encryption.

% Outbound Bytes sent via TLS - The percentage of outgoing message bytes sent out to be encrypted.

Threats: Overview

The Threats: Overview report displays overview information about email violations by policy type for the designated domain.


The following table lists the report items in the report.

Report Item Description

Inbound Threat Trends

The total number of inbound emails that violated each policy type for the designated Domain and date range. Data for each policy type is color-coded as indicated in the legend below the graphic.

Inbound Threat Summary

Information about the number of inbound emails that violated each policy type for the designated Domain and date range.
• Total Viruses – The total number of inbound emails that contained known worms and viruses.
• Infection Rate – The percentage of inbound emails that contained known viruses vs. the total number of received inbound emails.
• Total Spam Identified – The total number of inbound emails filtered for potential spam.
• Spam Volume – The percentage of inbound emails that were filtered for potential spam.
• Spam Beacons Detected – The total number of spam beacons detected in inbound emails. Note that each email may contain multiple spam beacons.
• Content Keyword Violations – The total number of inbound emails that violated the content keyword policies.
• Attachment Policy Violations – The total number of inbound emails that had attachments that violated the attachment policies.

Outbound Threat Trends

The total number of outbound emails that violated each policy type for the designated domain and date range. Data for each policy type is color-coded as indicated in the legend below the graphic.

Outbound Threat Summary

Information about the number of outbound emails that violated each policy type for the designated Domain and date range as follows:
• Total Viruses – The total number of outbound emails that contained known viruses.
• Infection Rate – The percentage of outbound emails that contained known viruses vs. the total number of sent outbound emails.
• Content Keyword Violations – The total number of outbound emails that violated the content keyword policies.
• Attachment Policy Violations – The total number of outbound emails that had attachments that violated the attachment policies.

Threats: Viruses

The Threats: Viruses report displays information about emails that violated the virus policies for the designated domain.


The following table lists the report items in the report.

Report Item Description

Virus Volume Trends

The total number of emails that contained known viruses.
• Green – Inbound data
• Purple – Outbound data

Virus Detection Summary

Indicates information about the emails that contained worms or viruses:
• Total Viruses Inbound – The total number of inbound emails that contained known viruses (“infected emails”).
• Inbound Infection Rate – The percentage of infected inbound emails vs. the total number of received inbound emails.
• Total Viruses Outbound – The total number of infected outbound emails.
• Outbound Infection Rate – The percentage of infected outbound emails vs. the total number of sent outbound emails.
• Disinfected (cleaned) – The total number of infected emails that had their viruses successfully removed and the emails were forwarded to their destinations.
• Stripped – The total number of infected emails that had the infected attachments stripped and then were forwarded to their destinations.

Top Inbound Viruses

The most frequently encountered viruses in inbound emails, in order from most frequent to least frequent, and the total number of encounters for each virus.

Virus Policy Actions

The percentage of policy actions applied to infected emails.

Top Outbound Viruses

The most frequently encountered viruses in outbound emails, in order from most frequent to least frequent, and the total number of encounters for each virus.

Threats: Spam

The Threats: Spam window displays information about emails that violated the spam policies for the designated domain.


The following table lists the report items in the report.

Report Item Description

Spam Volume Trends

The total number of emails that violated spam policies.
• Green – Inbound data
• Purple – Outbound data

Spam Detection Summary

Information about the emails that violated spam policies:
• Total Inbound Spam Identified – The total number of inbound emails that violated spam policies.
• Inbound Spam Volume – The percentage of inbound emails that violated spam policies vs. the total number of received inbound emails.
• Spam Beacons Detected – The total number of spam beacons detected in emails. Note that each email may contain multiple spam beacons.
• RBL – The total number of emails that were filtered by the Real-time Blackhole List (RBL).
• DUL – The total number of emails that were filtered by the Dial-up User List (DUL).
• RSS – The total number of emails that were filtered by the Relay Spam Stopper (RSS).
• Spam Content Group – The total number of emails that contained keywords from the content groups that were created in the Anti-Spam > Content Group subtab; in this example, the group named “Viagra.”

Spam Policy Actions

The percentage of policy actions applied to the emails that violated spam policies.

Threats: Content

The Threats: Content window displays information about emails that violated the content keyword policies for the designated domain.


The following table lists the report items in the report.

Report Item Description

Content Policy Violation Trends

The total number of emails that violated the content keyword policies.
• Green – Inbound data
• Purple – Outbound data

Top Inbound and Outbound Content Group Violations

Both the Top Inbound Content Group Violations and the Top Outbound Content Group Violations reports measure the number of messages found to violate the top ten inbound / outbound customer email content policies for both global policies and custom policies.

Information about the emails that violated content keyword policies:
• Credit Card - The total number of emails that contained keywords and phrases from the Credit Card predefined content group.
• Profanity – The total number of emails that contained keywords from the Profanity content group.
• Racially Insensitive – The total number of emails that contained keywords from the Racially Insensitive content group.
• Sexual Overtones – The total number of emails that contained keywords from the Sexual Overtones content group.
• Social Security - The total number of emails that contained keywords and phrases from the Social Security predefined content group.
• Custom Content Groups – The total number of emails that contained keywords from the content groups that were created in the Current Content Groups window; in this example, “HIPPA Compliance.”

Content Policy Actions

The percentage of policy actions applied to the emails that violated content keyword policies.

Threats: Attachments

The Threats: Attachments window displays information about emails that had attachments that violated the attachment policies for the designated domain.


The following table lists the report items in the report.

Report Item Description

Attachment Policy Violation Trends

The total number of emails that had attachments that violated the attachment policies.
• Green – Inbound data
• Purple – Outbound data

Attachment Summary

Information about the emails that had attachments that violated the attachment policies:
• Average Attachment Size – The average size of attachments encountered in emails.
• Executables – The total number of executables (for example, *.exe or *.com) received as attachments.
• Scripts – The total number of script files received as attachments.
• Office Documents – The total number of Microsoft Office documents (for example, *.doc or *.xls files) received as attachments.
• Audio – The total number of audio files (for example, *.wav or *.mp3 files) received as attachments.
• Images – The total number of graphic files (for example, *.gif or *.bmp files) received as attachments.
• Compressed Archives – The total number of archive files (for example, *.zip or *.tar files) received as attachments.

Attachment Policy Actions

The percentage of policy actions applied to the emails that had attachments that violated the attachment policies.

Enforced TLS Details

The Enforced TLS Details report displays information about all Enforced TLS Inbound and Outbound email traffic, including the number of messages and bandwidth for the designated Domain(s) during a selected timeframe. The report also includes a count of Inbound and Outbound messages that were denied due to an Enforced TLS Policy violation.

Reporting Period: All report data is viewable on either a day, week, or month basis for the current month, or the previous month.

You can use the Download button to save a copy of the currently displayed report results in a spreadsheet format.


Select your customer to manage.

Field Description

Customer – From the drop-down list select the Customer. (If needed)

Domain – From the drop-down list select the Domain or "All Domains". (If needed)

Note: When there are 1000 domains listed in the drop-down, a Find button will display to assist the user in locating the correct domain.

Depending on how your system is configured, you may run a report for a primary domain, a domain alias, or a public domain. A Public Domain is a registered domain with a public MX record that is used for uniform email addresses across multiple primary domains. A public domain name will have the primary domain appended to it with brackets “[primary domain]”, and a Domain Alias is appended with brackets “[alias]”.

The following examples demonstrate this feature:

• acme.com [acme-denver.com] is the public domain and [primary domain], respectively.
• acme.com [alias]
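The bracket convention described above can be parsed mechanically, for example when reconciling the Domain drop-down against an inventory of primary domains. The following Python sketch is an added example, not part of the guide or of the product; the function names are hypothetical and the sample labels (including acme-boston.example) are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Strict hostname shape: letter/digit/hyphen labels, at least one dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
# "<domain>" optionally followed by one bracketed suffix.
_ENTRY = re.compile(r"^\s*([^\s\[\]]+)\s*(?:\[([^\[\]]*)\])?\s*$")


@dataclass(frozen=True)
class DomainEntry:
    name: str                # domain shown before the brackets
    kind: str                # "primary", "public" or "alias"
    primary: Optional[str]   # bracketed primary domain (public domains only)


def parse_domain_entry(label: str) -> DomainEntry:
    """Classify one drop-down label using the guide's bracket convention."""
    m = _ENTRY.match(label)
    if not m:
        raise ValueError(f"unrecognised domain label: {label!r}")
    name, suffix = m.group(1).lower(), m.group(2)
    if not _DOMAIN.match(name):
        raise ValueError(f"not a domain name: {name!r}")
    if suffix is None:
        # No brackets: an ordinary primary domain.
        return DomainEntry(name, "primary", None)
    suffix = suffix.strip().lower()
    if suffix == "alias":
        return DomainEntry(name, "alias", None)
    if not _DOMAIN.match(suffix):
        # Anything else in brackets must itself be a domain name.
        raise ValueError(f"bracket is neither 'alias' nor a domain: {suffix!r}")
    return DomainEntry(name, "public", suffix)


def primaries_by_public_domain(labels: Iterable[str]) -> Dict[str, List[str]]:
    """Map each public domain to the primary domains it fronts."""
    index: Dict[str, set] = {}
    for label in labels:
        entry = parse_domain_entry(label)
        if entry.kind == "public":
            index.setdefault(entry.name, set()).add(entry.primary)
    return {public: sorted(prims) for public, prims in index.items()}


# Constructed sample labels in the format the guide describes.
SAMPLE_LABELS = [
    "acme-denver.com",
    "acme.com [acme-denver.com]",
    "acme.com [acme-boston.example]",
    "acme.com [alias]",
]

if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print(parse_domain_entry(label))
    print(primaries_by_public_domain(SAMPLE_LABELS))
```

Because one public domain can front several primary domains, a report run against a public domain entry covers only the primary domain named in its brackets.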

Traffic Summary

Enforced TLS Accepted - Inbound Messages - The total number of TLS inbound messages that were processed via an Enforced TLS connection for a given domain.

Enforced TLS Accepted - Outbound Messages - The total number of TLS outbound messages that were processed via an Enforced TLS connection for a given domain.

Enforced TLS Accepted - Inbound Bandwidth - The quantity of data transferred via Enforced TLS for inbound messages, measured in bytes, for a given domain.

Enforced TLS Accepted - Outbound Bandwidth - The quantity of data transferred via Enforced TLS for outbound messages, measured in bytes for a given domain.

Enforced TLS Denied - Inbound Messages - The total of incoming email messages blocked by an Enforced TLS policy for a given domain.

Enforced TLS Denied - Outbound Messages - The total of outgoing email messages blocked by an Enforced TLS policy for a given domain.


ClickProtect: Overview

The ClickProtect: Overview window displays overview information about ClickProtect processing. ClickProtect processing tracks Web hyperlinks received in emails that can be clicked and followed by the user or that were blocked, depending on the ClickProtect policy configurations.

The following table lists the report items in the report.

Report Item Description

ClickProtect Trends

The numbers of emails that contained hyperlinks and that contained hyperlinks that were clicked by the recipients.
• Green – Total number of emails that contained hyperlinks.
• Purple – Number of emails that contained hyperlinks that were clicked by the recipients.

ClickProtect Statistics

Information about the emails that contained hyperlinks that were processed by ClickProtect:
• Messages with links – The total number of emails that contained hyperlinks.
• Messages with multiple links – The total number of emails that contained multiple hyperlinks.
• Total clicks – The total number of times that a recipient clicked a hyperlink in an email.
• Total allowed click throughs – The total number of times that a recipient was allowed to access the destination designated in a clicked hyperlink.
• Total denied click throughs – The total number of times that a recipient was prevented from accessing the destination designated in a clicked hyperlink.
• Number of individual users that clicked – The total number of recipients that attempted to click a hyperlink in an email.
• Spam messages with clicks – The total number of spam emails that contained hyperlinks clicked by recipients.
• Messages with links on the ClickProtect Allow List – The total number of emails that contained hyperlinks that were listed on the ClickProtect Allow list.

ClickProtect: Click Log

The ClickProtect: Click Log window displays information about hyperlinks in emails that were clicked by recipients.


The following table lists the report items in the report.

Report Item Description

Timestamp – The date, time, and time zone when the hyperlink was clicked in the filtered email.

From – The email address that sent this email (“sender email address”).

To – The email address to which this email was sent (“recipient email address”).

Subject – The text that was in the subject header of this email.

URL – The URL destination defined in the clicked hyperlink (the URL to where the recipient attempted and/or was successful in clicking through).

Score – The spam likelihood score that was assigned to the email by Email Protection.

Quarantine: Release Overview

The Quarantine: Release Overview displays overview information about emails that were quarantined and released from all the quarantine areas within Email Protection for the designated domain.


The following table lists the report items in the report.

Report Item Description

Inbound Quarantine Release Trends

The total number of emails that were quarantined and then released in all the quarantine areas. Data for each policy type is color-coded as indicated in the legend below the graphic.

Inbound Spam Release Summary

Information about the emails that were quarantined as potential spam and then released.
• Total Spam Identified – The total number of quarantined emails that were identified as potential spam.
• Total Spam Released – The total number of emails released from the spam quarantine.
• Release Percent – The percent of emails released from the spam quarantine vs. the total number of emails that were quarantined as potential spam.
• Total # of individuals – The total number of user accounts that had emails released from the spam quarantine.

Inbound Virus Release Summary

Information about the emails that were quarantined because of viruses and then released.
• Total Viruses Identified – The total number of viruses detected in incoming emails that were quarantined.
• Total Virus Released – The total number of emails released from the virus quarantine.
• Release Percent – The percent of emails released from the virus quarantine vs. the total number of emails that were quarantined because of viruses.
• Total # of individuals – The total number of user accounts that had emails released from the virus quarantine.

Inbound Content Release Summary

Information about the emails that were quarantined because of content and then released.
• Total Content Policy Violations – The total number of quarantined emails that violated content policies.
• Total Content Released – The total number of emails released from the content quarantine.
• Release Percent – The percent of emails released from the content quarantine vs. the total number of emails that were quarantined because of content.
• Total # of individuals – The total number of user accounts that had emails released from the content quarantine.

Inbound Attachment Release Summary

Information about the emails that were quarantined because of attachments and then released.
• Total Attachment Policy Violations – The total number of quarantined emails that violated attachment policies.
• Total Attachment Released – The total number of emails released from the attachment quarantine.
• Release Percent – The percent of emails released from the attachment quarantine vs. the total number of emails that were quarantined because of attachments.
• Total # of individuals – The total number of user accounts that had emails released from the attachment quarantine.

Quarantine: Release Log

The Quarantine: Release Log displays detailed information about emails that were released from all the quarantine areas within Email Protection for the designated domain.


The following table lists the report items in the report.

Report Item Description

Display – Designates which type of quarantine release events to display.
• All Events – Displays release events for all the quarantines.
• Spam – Displays release events for the spam quarantine.
• Attachments – Displays release events for the attachment quarantine.
• Content – Displays release events for the content quarantine.
• Viruses – Displays release events for the virus quarantine.

Type – The reason why this email was quarantined.
• Spam – Email violated spam policies.
• Virus – Email contained a known virus.
• Attach – Email’s attachment violated the attachment policies.
• Content – Email contained content that violated the content policies, including keywords and HTML.

From – The email address that sent this email (“sender email address”).

To – The email address to which this email was sent (“recipient email address”).

Subject – The text that was in the subject header of this email.

Release Date – The date, time, and time zone when this email was released from quarantine in Email Protection.

Size – The total file size of this email, including all attachments.

Additional Feature

Position your cursor anywhere over a log item and the Item Pop-up window appears, displaying more information about the item.


View Details of Log Items

You can view detailed information about a log item when the cursor is positioned over it. The specific information differs depending on which report you are viewing.

The following table lists the report items in the report.

Report Item Description

Type – The reason why the email was quarantined.
• Spam – Email was quarantined because it violated spam policies.
• Viruses – Email was quarantined because it violated virus policies.
• Attachments – Email was quarantined because it violated attachment policies.
• Content – Email was quarantined because it violated content policies.

Subject – The contents of the Subject line of the email.

To – The email address to which this email was addressed (“recipient email address”).

Sender IP – The IP address of the server that sent the email.

From – The email address from which this email was sent (“sender email address”).

Released by – The user account of the user who released the email from the quarantine.

Quarantine – Depending on the reason why the email was quarantined, this description indicates the specific reason why the email was quarantined:
• Score – Indicates the spam likelihood score that was assigned to the email.
• Attachment Type – Indicates the name of the attachment that caused the email to be quarantined.
• Virus – Indicates the name of the virus that caused the email to be quarantined.
• Content Keyword – Indicates the specific content keyword that caused the email to be quarantined.

Size – The total file size of the email, including attachments.

Release Date – The date, time, and time zone when the email was released from the quarantine.

Quarantine Date – The date, time, and time zone when the email was quarantined.

Timestamp – The date, time, and time zone when the logged item was processed (for example, when an email was processed by Email Protection).

Details – Additional information about the logged item (for example, the name of the virus in the email).

Actions – The email action that was performed on the email.

Server – The name or IP address of the inbound server.

Registered on – The DNS Authorized Name Server where the inbound server is registered.

Status – The status of the inbound server.

Preference – The preference level assigned to the inbound server.

Domain(s) – The domains that are using this inbound server in Email Protection.

User Activity

The User Activity report displays the user accounts that have received the most inbound emails and have sent the most outbound emails for the designated domain.


The following table lists the report items in the report.

Report Item Description

Top Inbound Users area

Email Addresses – The recipient email addresses that received the most inbound email, in order of volume.

Messages – The total number of emails received by each email address.

Size – The size of the largest email, including attachments, received by each email address.

Top Outbound Users area

Email Addresses – The sender email addresses that sent the most outbound email, in order of volume.

Messages – The total number of emails sent by each email address.

Size – The size of the largest email, including attachments, sent by each email address.


Event Log

The Event Log displays the event log items for actions performed for emails that were determined to violate content, spam content, virus, or attachment policies for the designated Domain and date range, including actions performed automatically by Email Protection and performed manually by the users.

The following table lists the report items in the report.

Report Item Description

Display – Designates which set of event log items to display.
• All Events – Displays event log items for actions performed for all the quarantines.
• Attachments – Displays only event log items for actions performed on emails that had attachments that violated the attachment policies.
• Content – Displays only event log items for actions performed on emails that violated the content policies.
• Spam Keyword – Displays only event log items for actions performed on emails that violated the spam content keyword policies.
• Viruses – Displays only event log items for actions performed on emails that contained known viruses.

Direction – Designates whether event log items for inbound emails or outbound emails are displayed.
• Inbound Only – Designates that only inbound emails are displayed.
• Outbound Only – Designates that only outbound emails are displayed.
• Inbound & Outbound – Designates that both inbound and outbound emails are displayed.

Type – The type of policy that the filtered email violated.

Timestamp – The date, time, and time zone when the action was performed on the filtered email.

From – The email address that sent this email (“sender email address”).

To – The email address to which this email was sent (“recipient email address”).

Subject – The text that was in the subject header of this email.

Details – The reason for the action (for example, if the email contained a virus, the virus name is shown).

Action – The action that was applied to the email.

Additional Feature – Position your cursor anywhere over a log item and the Item Pop-up window appears, displaying more information about the item.

Audit Trail

The Audit Trail report displays the audit log items for all actions performed by users of Report Managers or higher level roles within the Control Console for the designated domain and date range, including user names and configuration changes.


The following table lists the report items in the report.

Report Item Description

Timestamp column – The date, time, and time zone when the action was performed in the Control Console.

Domain column – The domain where the action was performed.

Details column – A description of the action that was performed, including the role and user account of the user that performed the action.

Inbound Server Connections

The Inbound Server Connections report displays information about the connections made to the inbound email servers (a.k.a. Customer MTAs) during processing. This report may be useful in determining down times or connection issues.


The following table lists the report items in the report.

Report Item Description

Display Volume Trends For

Designate which inbound server(s) to display.
• All Servers – Display information for all the inbound servers configured for the selected Domain.
• Inbound Server – Display information about the selected inbound server only.

Connection Volume Trends for All Servers

The total number of successful and unsuccessful connections to the designated server(s).
• Green – Indicates successful connections.
• Purple – Indicates failed connection attempts.

Optionally, select one of the graphic display type icons to change the appearance of the graph.

Overall Failure Rate

The percentage of connection failures to the designated server(s).

Total Successes – The total number of successful connections to the designated server(s).

Total Failures – The total number of unsuccessful attempts to connect to the designated server(s).

Server:Port – The server address and port being reported.

Failure Rate % – The percentage of connection failures to this server and port.

Success – The total number of successful connections to this server and port.

Fail – The total number of unsuccessful attempts to connect to this server and port.

Disaster Recovery: Overview

The Disaster Recovery: Overview report displays information about emails that were spooled and unspooled by the disaster recovery service, which can be either FailSafe or Message Continuity.


The following table lists the report items in the report.

Disaster Recovery: Event Log

The Disaster Recovery: Event Log displays the event log items for actions performed within the disaster recovery service, which can be either FailSafe or Message Continuity. Actions include those performed automatically by Email Protection and those performed manually by the users.

Report Item Description

Disaster Recovery Trends – Messages

The total number of spooled and unspooled emails processed by the disaster recovery service over the designated time period.

Optionally, select one of the graphic display type icons to change the appearance of the graph.

Disaster Recovery Summary - Messages

The numbers of emails processed by the disaster recovery service.• Spooled Messages – Indicates the number of emails that were

spooled, either automatically or manually.• Unspooled Messages – Indicates the number of emails that were

unspooled, either automatically or manually.

Disaster Recovery Trends – Bytes

The amount of spool storage used by spooled and unspooled emails processed by the disaster recovery service over the designated time period.

Optionally, select one of the graphic display type icons to change the appearance of the graph.

Disaster Recovery Summary – Bytes

Details of the file size of spooled and unspooled emails processed by the disaster recovery service over the designated time period.• Spooled Bytes – Indicates the amount of spool storage used by

spooled emails.• Unspooled Messages – Indicates the amount of spool storage freed

by unspooled emails.

February 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 133

Administer MSP Connector Email Protection Administrator Guide

The following table lists the report items in the report.

Administer MSP Connector

Managed Service Platform (MSP) Connector enables the delivery of email traffic and threat data directly to your ConnectWise network performance dashboards.

The MSP Connector will only push data from the previous calendar month to the ConnectWise dashboard. All data will be kept for two calendar months. For example, in July, customers would be able to view data from both May and June.

Customers who also subscribe to the ConnectWise network automation services will be able to obtain a quick, at-a-glance view of their monthly Email Protection traffic and threat data directly through the ConnectWise dashboard, without having to log into the Control Console.

To utilize the MSP Connector capabilities, you should:

• Configure your ConnectWise information on the Configuration screen.• Select the domains needed to push your data to ConnectWise.• Enable Exception Notification if you wish to receive csv. files reporting data. • Create a distribution list for your domains.

NOTE: To utilize this functionality the user must have ConnectWise 7.2 and an MSP Integration Add-On.

Configure the MSP ConnectionTo configure the MSP connection to ConnectWise, perform the following steps:

1 Click Account Management > Customers > MSP Connector.

The Configuration screen is displayed.

Report Item Description

Timestamp The date, time, and time zone when the action was performed in disaster recovery.

Event The event log items for disaster recovery actions performed for the designated domain and date range.

Initiated By The responsible party that performed the disaster recovery action. If an action was manually performed, indicates the role and user account of the person who performed the action.

134 Proprietary: Not for use or disclosure outside McAfee without written permission. February 2012

Email Protection Administrator Guide Administer MSP Connector

2 Check the box to enable the ConnectWise integration.

3 Click the SSL: Enable checkbox to ensure your information is encrypted through Secure Sockets Layer (SSL).

NOTE: When SSL is disabled, a warning message displays.

4 In the Site field, type your ConnectWise access site.

5 In the Company ID field, type your ConnectWise Company ID.

6 In the Integrator Username field, type your ConnectWise Integrator Username.

7 In the Integrator Password field, type your Integrator Password for ConnectWise.

Note: Click the Change Password button to update your Integrator Password so that it matches your Integrator Password in ConnectWise.

8 In the Time Zone drop-down menu, select the time zone on which to base the timestamp for the ConnectWise instances.

9 Click Test to make sure the connection works.

10 Click Save.

Add Domains to the MSP Connection

To assign the domain(s) whose data should be sent to ConnectWise, perform the following steps:

1 Click Account Management > Customers > MSP Connector.

2 Click Domains.

The Domains screen is displayed.

3 To find one or a few domains out of a large number of domains, type the name of the domain you wish to find in the Filter field.

4 Click Filter.

5 In the Available Domains column, check all domains whose information is to be pushed to ConnectWise.

6 Click Add to move them to the Selected Domains column.

Note: Clicking Add All selects all domains, even those not displayed due to pagination. Add All is disabled if there is an active filter for available domains.

Remove Domains from the MSP Connection

To remove domains from the MSP connection, select the domain(s) you want to remove, and click Remove.

Note: Clicking Remove All removes all the domains listed, even those not displayed due to pagination. The Remove All button is disabled if there is an active filter for selected domains.

Turn on Exception Notifications for the MSP Connection

To turn on Exception Notifications for the MSP connection, perform the following steps:

1 Click Account Management > Customers > MSP Connector.

2 Click Notifications.

3 Click the Exceptions Notifications: Enable checkbox to turn on notifications.


4 From the Exception Notification Distribution drop-down menu, select the distribution list to receive an MSP Connector Exception report via email. The Exception Report is a .csv file, sent out at approximately 12:00 A.M. MT, which includes all failures that occurred in the last 24 hours.

Failures may include one of the following:
• Failed - authentication
• Failed - connection
• Failed - invalid Company ID
• Failed - invalid Solution Name
• Failed - rejected
• Failed - unknown

5 Click Save.

The following figure displays an example of an MSP Connector Exception report.

View an MSP Connector Audit Report

To view an MSP Connector Audit Report, perform the following steps:

1 Click Account Management > Customers > MSP Connector.

2 Click Audit Report.

A list of Audit Reports is displayed.


The Status column lists the status of attempts to pass data to ConnectWise.

3 Double-click a report to view the details of the report.

The details of the audit reports are displayed.


The following table lists the report items in the report.

Report Item: Description

Status: The following table defines the possible report statuses in the Audit Report and the suggested actions to correct the status.

Status Definitions: Suggested Actions

Completed - X domains succeeded: No action required.

Partially Completed - X of Y domains failed: Domains failed because they may not have been provisioned on the ConnectWise side.

Failed - authentication: Username, password, or site is invalid; check information on the ConnectWise side.

Failed - connection:
• ConnectWise server was moved
• ConnectWise server was offline
• ConnectWise network potentially down

Failed - invalid Company ID: Company ID may have changed on the ConnectWise side.

Failed - invalid Solution Name: Contact Support.

Failed - rejected: Domains failed because they may not have been provisioned on the ConnectWise side.

Failed - unknown: Contact Support.

Domain: The customer's domain.

Spam Removed: The total number of inbound messages detected as medium or high-likelihood spam for the previous calendar month.

Viruses Removed: The total number of messages with known viruses ("infected emails") for the previous calendar month.

Account Messages: The total number of messages successfully delivered to the receiving MTA for the previous calendar month.

Total Messages: The total number of messages processed for the previous calendar month.

Note: The sum of Spam Removed, Viruses Removed and Account Messages may not equal the Total Messages.

Spam Removed: The total number of inbound messages detected as medium or high-likelihood spam starting from the beginning of the current calendar year through the date the report was generated.

Viruses Removed: The total number of messages with known viruses ("infected emails") starting from the beginning of the current calendar year through the date the report was generated.

Account Messages: The total number of messages successfully delivered to the receiving MTA starting from the beginning of the current calendar year through the date the report was generated.

Total Messages: The total number of messages processed starting from the beginning of the current calendar year through the date the report was generated.

Note: The sum of Spam Removed, Viruses Removed and Account Messages may not equal the Total Messages.

Download an Audit Report

You can download an Audit Report in the form of a .csv file by clicking Download.

Administer Performance Reports

Performance Reports are PDF files, delivered only via email, that provide graphs and charts that visually present statistical information regarding your Email Protection. Your Performance Report information can be set to report weekly and/or monthly data. You may copy this statistical report for your company's use.

Note: Performance Reports are also available for Web Protection Service.

The report period for weekly reports is 12:00 a.m. Monday until 11:59 p.m. Sunday.

The report period for monthly reports is the first day of the month at 12:00 a.m. until the last day of the month at 11:59 p.m.

Some of the data within this report is subject to variables such as:

• Time zone settings
• Message delivery timing (may be briefly queued)
• Quarantine releases
• Reporting period

To administer Performance Reports, perform the following steps:

1 If necessary, click Account Management > Customers > Distribution Lists to set up a distribution list to which you want to send the reports. For more information, see the online Help or “Create a Distribution List for Email Protection Status Messages and Performance Reports” in the Account Management Administrator Guide.

2 Click Account Management > Customers > Performance Reports.

The Customer Performance Reports screen is displayed.

3 From the Deliver To drop-down menu, select the distribution list containing the recipient(s) for the Performance Reports.

4 From the Time Zone drop-down menu, select the time zone for the Performance Reports.

5 Click either or both of the Frequency checkboxes to specify how often a report is sent and what data is included:

• Weekly — The report is sent at the beginning of the week and shows data for the previous week, from Monday through Sunday.

• Monthly — The report is sent at the beginning of the month and shows data for the previous month, from the first day through the last day of the month.

6 Click Save.

Note: You can also click Send Now to immediately email the Performance Report from the last reporting period to the distribution list.

Performance Report Descriptions

The following tables reflect either weekly or monthly reports depending on the customer’s request.

Inbound Messages Report, Weekly or Monthly

The Inbound Messages Overview reflects the total number of Inbound Messages that were processed and delivered.

This includes:

• Inbound Threats
• Inbound Message Actions
• Disaster Recovery reports

Field: Description

Total Inbound Messages: The total number of all inbound messages processed. When users have the same filtering options, the message is counted only one time. When a user has a specific filtering option, the message is counted for each particular user configuration.

Inbound Messages Delivered: The total number of all inbound messages successfully delivered.

Spam Detected: The total number of all inbound messages counted as SPAM.

Virus Detected: The total number of all inbound messages counted as Viruses.

Attachment Violations: The total number of all inbound messages with attachments that violated the policy rules for attachments.

Content Violations: The total number of all the inbound messages with words that violated the policy rules for content groups.

Normal Delivery: The total number of all inbound messages delivered that did not have the policy action Clean, Quarantine, Strip, Tag, or Deny applied to the message.

Cleaned: The total number of all inbound messages that violated the policy rules for virus and had the policy action Clean applied to the message.

Denied: The record of all the inbound messages refused because they violated the policy rules for spam, virus, content, or attachments or were on a deny list.

Quarantined: The total number of all inbound messages that violated the policy rules for spam, virus, content, or attachments and had the policy action Quarantine applied to the message.

Stripped: The total number of all inbound messages that violated the policy rules for attachments or virus and had the policy action Strip applied to the message.

Tagged: The total number of all inbound messages that violated the policy rules for spam or content and had the policy action Tag applied to the message.

Spooled Messages: The total number of all messages spooled, either automatically or manually.

Unspooled Messages: The total number of all messages unspooled, either automatically or manually.

Outbound Messages Overview

The Outbound Messages Overview reports on the number of messages processed and successfully delivered.

This includes:

• Outbound Threats
• Outbound Message Actions

11. Tips and Frequently Asked Questions

FAQs

User Management

Question: Can a user see another user’s quarantined emails?

Answer: Sign-in access to the Control Console is user-specific. Unless the user has logged in as an Administrator or Quarantine Manager, the user will not be able to see quarantined emails or any other data for any other user. The exception is that Report Managers will be able to see data in the reports if it is user-specific (for example, in the User Activity Report window).

Question: I see email addresses in the User Management window that aren’t real or that I didn’t add.

Answer: Email Protection delivers all email that is addressed to your Domains, unless the email is rejected by your inbound servers or the email has been filtered because it violated a defined policy. This type of email delivery is known as “proxy service.”

If the User Creation field is set to SMTP Discovery, Email Protection will auto-create user accounts for new email addresses if all the following are true:

• A specified number (default is 3) of emails that were not quarantined or denied have been received within a day for the new email address.
• Emails that had content stripped, but were sendable, can still trigger automatic user account creation.
• Emails that would have been quarantined, but were received before the user account was created, will be denied.
• Your inbound server accepted delivery of the emails.
• A user account does not already exist for the new email address.
• The new email address was not sent to an alias domain name.

Thus, you will see email addresses in the User Management window that may be invalid in your system, but that your inbound server accepted. You can either manually delete these user accounts or they will be automatically deleted after a default time period if no sign-ins or user-level configurations are detected for these user accounts. Sign-ins from the Spam Quarantine Report are included.

Because user accounts might be continually created and deleted, both manually and automatically, and because a single user may use multiple email addresses, billing is not determined by the number of user accounts in a Domain. Billing is determined by the value entered in the Total Billed Users Qty field during Domain creation or edit.

If you want to disable the automatic creation of user accounts, do one of the following:

• Set the User Creation field to Explicit.
• Configure your inbound email servers to deny emails received for invalid recipients.
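The creation conditions listed in this answer, modeled as an added Python example (not the product's code), to show why an inbound server that accepts every recipient ends up with accounts for addresses that do not exist. The per-calendar-day counter, the message tuple format, the sample addresses, and all function and parameter names are assumptions.

```python
from collections import defaultdict

THRESHOLD = 3                          # page default: emails within a day
COUNTABLE = {"delivered", "stripped"}  # results that were neither quarantined nor denied


def auto_created(messages, existing_users, alias_domains, valid_mailboxes=None):
    """Return the addresses for which SMTP Discovery would create accounts.

    messages: iterable of (day, recipient, filter_result) tuples.
    valid_mailboxes: when given, the inbound server rejects every other
        recipient (recipient validation on); when None it accepts everything.
    """
    counts = defaultdict(int)
    created = set()
    for day, rcpt, result in messages:
        rcpt = rcpt.lower()
        domain = rcpt.rsplit("@", 1)[-1]
        if rcpt in existing_users or rcpt in created:
            continue                   # an account already exists
        if domain in alias_domains:
            continue                   # alias domains never trigger creation
        if valid_mailboxes is not None and rcpt not in valid_mailboxes:
            continue                   # inbound server refused the recipient
        if result == "quarantined":
            result = "denied"          # no account yet: quarantine becomes deny
        if result not in COUNTABLE:
            continue
        counts[(rcpt, day)] += 1       # assumption: "within a day" = same calendar day
        if counts[(rcpt, day)] >= THRESHOLD:
            created.add(rcpt)
    return created


# Constructed sample traffic for the hypothetical domain example.com.
EXISTING = {"alice@example.com"}
ALIASES = {"example.net"}
MAILBOXES = {"alice@example.com", "sales@example.com",
             "info@example.com", "hr@example.com"}
MESSAGES = (
    [(1, "sales@example.com", "delivered")] * 3      # real mailbox, no account yet
    + [(1, "jsmith1@example.com", "delivered")] * 3  # guessed address, no such mailbox
    + [(1, "info@example.com", "delivered"), (1, "info@example.com", "quarantined"),
       (1, "info@example.com", "delivered"), (2, "info@example.com", "delivered")]
    + [(1, "bob@example.net", "delivered")] * 3      # sent to the alias domain
    + [(1, "hr@example.com", "stripped")] * 2 + [(1, "hr@example.com", "delivered")]
    + [(1, "alice@example.com", "delivered")] * 5    # account already exists
)


def compare():
    """Accounts created with an accept-all server versus a validating one."""
    accept_all = auto_created(MESSAGES, EXISTING, ALIASES)
    validating = auto_created(MESSAGES, EXISTING, ALIASES, valid_mailboxes=MAILBOXES)
    return accept_all, validating


if __name__ == "__main__":
    accept_all, validating = compare()
    print("accept-all server :", sorted(accept_all))
    print("validating server :", sorted(validating))
```

The only difference between the two runs is the guessed address, which is the account an administrator would otherwise have to delete by hand or wait to age out.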

Question: How does the user log into the Control Console for the auto-created email address?

Answer: One of the following must occur before a user can log into the Control Console:

• The user must receive a Spam Quarantine Report and click one of its links before they expire.

• The user must request a Set Password email in the Sign in window.
• An Administrator can manually set the password for the user in the Control Console.

Question: Why does a Web browser open when I try to do anything on my Spam Quarantine Report?

Answer: The Spam Quarantine Report provides an easy-to-use connection into the appropriate feature in the Control Console. The Control Console is a Web-based graphical user interface and is the primary interface to Email Protection.

When a user clicks a link in the Spam Quarantine Report, it causes the default Web browser to open, automatically logs the user into the Control Console, and performs the action designated in the clicked link.

Email Filtering

Question: I’ve just made a change to my policies; how long does it take before it is active?

Answer: Typically, most configuration changes in the Control Console, including policy configurations, Allow and Deny lists, and changes to entity configurations, will take approximately 10-15 minutes before the configuration is effective. Depending on the system architecture, the changes must be stored and then propagated to multiple MTAs performing the processing for Email Protection. Some changes may take longer, such as deleting an entire domain with all its related data.

Question: There are emails in my quarantine that I want to always receive. I clicked the “Always Allow” button, but the emails still get caught – What am I doing wrong?

Answer: The user-level Allow list does not disable virus, content, or attachment filtering; it only disables the spam filtering. If the email violated any of the enabled policies, it would be filtered even if its sender address was added to the user-level Allow list.

In addition, companies often send items in a format that looks like spam that a user may have opted to receive, such as electronic newsletters or emails, causing the email to be quarantined. When a user clicks the Always Allow link in the Spam Quarantine Report or the Spam Message Quarantine window, the sending email address is added to the user-level Allow list. However, for various reasons, emails of this nature may not always come from the same address every day. Because senders often rotate the address of these types of emails, the same item could be delivered the very next day and still be blocked because the sender address does not match the previous entry in the Allow list.


To help prevent this situation, you can use wildcards to designate an entire domain or part of an email address (if there is a common pattern) to be added in the Allow list, thus accepting all mail from the domain or email addresses that matched the designated pattern.

Question: What are the default email policies?

Answer: You can view the current default policy configurations in the Policy Configurations set of windows. The default settings are designed to minimize the possibility that email will be blocked while still providing reasonable protections against attacks and viruses.

Question: How does Email Protection score spam? What about “false positives”?

Answer: The Anti-Spam filtering technology detects the likelihood that an email is spam by processing the email through thousands of heuristics, rules, and tests, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework®. Each test provides a weighted score that is added to the overall “spam score.” We have pre-defined two threshold scores for your Anti-Spam policy, “high” and “medium.” You can designate a separate action to be performed for each threshold.

It is important to note that some emails might be marked as spam when in fact they are legitimate emails (“false positive”). While we believe that this false positive tagging will not be a frequent occurrence, it may happen occasionally, especially to mailing-list and newsletter traffic. In such cases, we ask that you help us “tune” our spam thresholds and rules by sending a forwarded copy of the email with all content and attachments to [email protected]. Your interaction is crucial in helping us build better Anti-Spam rules.

Using the Control Console, you can quarantine, tag, or block emails based on the corresponding threshold levels. Additionally, you can construct enterprise-level Allow and Deny lists that override spam threshold levels. Finally, you can enable or disable the Realtime Blackhole List (RBL).

Question: What exactly does “deny delivery” do? Will we add to email volume by generating bounce messages if we set our policies to “Deny”?

Answer: To satisfy standard SMTP protocol, if an email is denied for any reason, the Email Protection MTA sends a 5xx Deny message to the sender MTA. At that point, the standard configuration for the sender MTA is to send a bounce email to the sender address. It is possible that the sender MTA will just drop the message, but this is atypical. Email Protection has no control over the actions of the sender MTA.

The exception to this processing is if the Recipient Shield policy is set to Deny. In this case, Email Protection will generate the bounce email and send it directly to the sender address.

Use the Accept and Silent Discard email action for the relevant policies if you want to minimize email volume caused by 5xx Deny messages or if you do not want the sender to be notified that the email was denied. This email action accepts the email as if it was valid, and then discards it without notification to the sender or recipient.


Question: I’m receiving spam email from my own email address and I know I didn’t send it. What’s happening and how do I stop it?

Answer: A spammer has “spoofed” your email address. Spoofing means that the “From:” address in emails has been falsified to be an address other than the real source of the emails. The intent is to trick the recipient into opening the email because it appears to be from a trusted source. In your case, they made the mistake of using your own email address as the spoofed address and you realized that you had not sent the email. Spoofing is illegal according to the CAN-SPAM Act of 2003; however, it is still a common tactic used by spammers.

You can do any of the following in Email Protection to block these types of emails.

• Confirm that your own email address is not in an Allow list.
It is possible that the spoofed email would be caught by normal spam filtering; however, if your email address is in an Allow list, spam filtering will be disabled. If necessary, remove your email address from any Allow lists to make sure spam filtering is performed.

• Add your own email address to your user-level Deny list.
This policy will automatically deny any emails received from your email address. It will apply to all emails received from the Internet into Email Protection that are filtered and then sent to you. It will affect only emails sent to your address.

• Add your own email address or entire Domain name to your policy set Sender Deny list.
This policy will do the same as above, but will apply to all user accounts subscribed to that policy set. If the Domain name is used, then all emails from that Domain will be filtered.

Note: Using a Deny list as a filtering tactic in this situation will succeed only if your corporate email is not sent into the Internet cloud before delivery to other addresses in your Domain name. The assumption is that your corporate email is delivered within your internal network without filtering by Email Protection.

If your organization does deliver your corporate email using a delivery method that includes sending it into the Internet, it is possible that valid corporate emails will be filtered if you make the above policy changes.
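The Allow and Deny list behaviour described in the "Always Allow" answer and in this spoofing answer, as an added Python example (not the product's code): an Allow entry skips only the spam check, an exact entry misses a rotated sender, and an Allow entry covering your own domain lets a forged From: address past the spam filter. The `*` wildcard syntax, the evaluation order (Deny list first), the sample addresses, and the function names are assumptions.

```python
from fnmatch import fnmatchcase


def matches(sender, patterns):
    """True if sender matches any list entry; '*' is the assumed wildcard."""
    sender = sender.lower()
    return any(fnmatchcase(sender, p.lower()) for p in patterns)


def disposition(msg, allow=(), deny=()):
    """Return the outcome for one message under the assumed evaluation order.

    msg: dict with 'from' plus optional boolean keys 'spam', 'virus',
         'content' and 'attachment' (what each filter would find).
    """
    if matches(msg["from"], deny):
        return "denied"                      # assumption: Deny list is checked first
    for policy in ("virus", "content", "attachment"):
        if msg.get(policy):
            return "filtered:" + policy      # the Allow list never skips these
    if matches(msg["from"], allow):
        return "delivered:allow-list"        # spam filtering is skipped
    if msg.get("spam"):
        return "quarantined:spam"
    return "delivered"


# Constructed sample messages.
NEWSLETTER = {"from": "news-0413@lists.example.org", "spam": True}
INFECTED = {"from": "news-0414@lists.example.org", "spam": True, "virus": True}
SPOOFED = {"from": "me@corp.example", "spam": True}   # forged From: of the recipient


def demo():
    """Outcome of each constructed case, keyed by a short description."""
    return {
        "exact entry, rotated sender":
            disposition(NEWSLETTER, allow=["news-0412@lists.example.org"]),
        "wildcard entry":
            disposition(NEWSLETTER, allow=["news-*@lists.example.org"]),
        "wildcard entry, infected":
            disposition(INFECTED, allow=["news-*@lists.example.org"]),
        "own domain allowed, spoofed":
            disposition(SPOOFED, allow=["*@corp.example"]),
        "own address denied, spoofed":
            disposition(SPOOFED, deny=["me@corp.example"]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-30s -> %s" % (case, outcome))
```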

System Configuration

Question: I just redirected my MX Record. How can I make sure that my email is coming through Email Protection?

Answer: Once the MX Record has been redirected and the entities (Reseller, Customer, Domain, and user accounts) have been configured, emails can be sent from a sender outside of the system to a user provisioned on the Domain. To see if the email was received in your system from Email Protection, monitor email processing flow in the Overview window.

You should be aware that email servers do not always accept changes immediately after the redirection of the MX Record. This means that some email servers may still send email directly to your inbound servers and not to the redirected MX Record for the first 2-3 days after the redirection.


It is also highly recommended that you block the acceptance of email traffic from any source other than Email Protection into your inbound servers, to help prevent hackers from connecting directly to your servers.
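One way to see which senders still connect directly to your inbound servers before you enforce that block, as an added Python example that is not part of the guide. The connection-log format, the network ranges (documentation placeholders to replace with the ranges published for your service), and the function names are assumptions.

```python
import ipaddress

# Placeholder range: replace with the source ranges published for your service.
FILTER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Internal relays that legitimately deliver without passing the filter (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed inbound-server connection log: "<ISO timestamp> connect from=<ip>"
SAMPLE_LOG = """\
2012-02-06T09:00:01 connect from=192.0.2.15
2012-02-06T09:00:07 connect from=198.51.100.77
2012-02-06T09:02:40 connect from=10.1.2.3
2012-02-07T11:15:12 connect from=198.51.100.77
2012-02-08T03:30:00 connect from=203.0.113.200
2012-02-10T08:45:09 connect from=192.0.2.31
2012-02-10T08:46:00 connect from=not-an-ip
"""


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in nets)


def direct_senders(log_text):
    """Return {ip: (count, last_seen)} for connections that bypassed the filter."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "connect" or not parts[2].startswith("from="):
            continue                         # not a connection record
        try:
            ip = ipaddress.ip_address(parts[2][len("from="):])
        except ValueError:
            continue                         # malformed address: skip the line
        if in_any(ip, FILTER_NETS) or in_any(ip, INTERNAL_NETS):
            continue                         # expected source
        count, _ = seen.get(str(ip), (0, None))
        seen[str(ip)] = (count + 1, parts[0])
    return seen


def quiet_since(log_text, cutoff):
    """True if no bypassing connection was logged at or after the ISO cutoff."""
    return all(last < cutoff for _, last in direct_senders(log_text).values())


if __name__ == "__main__":
    for ip, (count, last) in sorted(direct_senders(SAMPLE_LOG).items()):
        print("%-16s %d direct connection(s), last seen %s" % (ip, count, last))
    print("quiet since 2012-02-09:", quiet_since(SAMPLE_LOG, "2012-02-09"))
```

In the constructed log the direct connections stop two days after the change, which matches the 2-3 day lag described above; a sender that keeps appearing after that window is not following the MX Record.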

Question: Why am I redirecting the MX Record and how does my email get back to me?

Answer: The MX Record is the method of telling all the other email servers on the Internet who you are (your domain names) and where you are (your inbound server addresses). When any email is sent, the sending email server looks at the MX Record to verify the email server to which the email should be delivered.

By redirecting your MX Record to point to the server where Email Protection is installed, you are sending your email to Email Protection. Email Protection captures your domain’s email traffic by acting as the email server for the Domain, routing the traffic through Email Protection filters, and then delivering the acceptable emails to your email servers. You configure your email servers in the Inbound Servers Setup window.

In a similar way, if you have enabled outbound email filtering, you would configure your sending email server to send your email to Email Protection. Email Protection filters your email and then sends it to the Internet cloud.

One advantage of redirecting your MX Record is that the addresses of your email servers are now no longer published, which helps to protect your email servers from direct email attacks and bad email.

Question: My server went down for a short period of time – what happened to our company’s emails?

Answer: Email Protection attempts to connect to all the servers configured for your domain in the Inbound Servers Setup window in the order designated in the Preference column, from the lowest number to the highest number. It then determines whether you have Fail Safe enabled for your email and if it is, it will start spooling and unspooling the email appropriately.

If Fail Safe is not enabled and if Email Protection cannot establish a connection with any of your email server(s), it will deliver a “temporary failure” message to the sending email server. When this occurs, the sending email server will usually attempt to redeliver the email.

Most email servers are set to keep trying to deliver the email for an extended period of time before they finally stop and permanently fail the email. Email Protection cannot control the length of time or the frequency at which the sender’s email server will continue to attempt to deliver these emails. However, the Fail Safe feature can store emails in the event that Email Protection cannot deliver emails due to an email server malfunction. Contact your sales representative for more information about Fail Safe.

Question: How does Email Protection affect my MTA?

Answer: Email Protection architecture naturally provides high-level redundancy and disaster recovery by leveraging a secondary MX record set to your internal mail servers. The service is currently configured to deliver your inbound email traffic to the Message Transfer Agent (MTA) servers (a.k.a. inbound servers) on your premises configured in each domain. If you change the addressing in your network for your inbound servers, you must update the configurations in Email Protection.

At any time in Email Protection, you may change configuration of the IP address of your inbound servers. Be prudent when making changes to your delivery MTA configuration as any applied modifications will be enabled instantly and affect inbound SMTP routing.

Question: I want to temporarily stop filtering a domain’s emails, but I do not want to delete the domain’s information. How do I do this?

Answer: You can set the inbound servers for the Domain to be inactive. This action causes all emails received for that domain to be tempfailed. Be aware that email traffic for that domain will still consume bandwidth because it is likely that the sending email servers will reattempt multiple times to send the email until it finally permfails the email as “undeliverable.” This process matches standard SMTP protocols.

Question: Why is Email Protection refusing connections from my inbound email servers?

Answer: If Email Protection receives a minimum of 20 attempted connections from an IP address where more than 60% of the recipients are invalid, it adds the IP address to a temporary “global blacklist” for 4 hours (the default; the time period is configurable at the system level). After the time period has passed, Email Protection will remove the IP address from the temporary global blacklist and again accept connections from it.

This process helps protect against Dictionary Harvest Attacks, where spammers are attempting all combinations of email addresses to glean valid email addresses for subsequent spamming. It also helps protect against Denial of Service attacks.

This feature and its configurations are controlled at the system level. The above values are the defaults.
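
The rule above, modelled as an added example (not McAfee's implementation and not code from this guide), shows when a server's IP address would be refused and when it is accepted again. It assumes the invalid-recipient ratio is calculated over all recipients seen from the IP since counting began, which the guide does not specify; the class and function names are hypothetical and the traffic is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults quoted in the guide; the service sets them at the system level.
MIN_CONNECTIONS = 20
INVALID_RATIO = 0.60
BLOCK_FOR = timedelta(hours=4)

class HarvestGuard:
    """Hypothetical model of the temporary global blacklist rule."""
    def __init__(self):
        self.stats = defaultdict(lambda: {"conns": 0, "rcpts": 0, "invalid": 0})
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:  # block expired: forget the IP and count afresh
            del self.blocked_until[ip]
            self.stats.pop(ip, None)
            return False
        return True

    def record(self, ip, valid, invalid, now):
        """Record one connection's recipients; return True if accepted."""
        if self.is_blocked(ip, now):
            return False
        s = self.stats[ip]
        s["conns"] += 1
        s["rcpts"] += valid + invalid
        s["invalid"] += invalid
        if (s["conns"] >= MIN_CONNECTIONS and s["rcpts"]
                and s["invalid"] / s["rcpts"] > INVALID_RATIO):
            self.blocked_until[ip] = now + BLOCK_FOR
        return True

def simulate(valid_per_conn, invalid_per_conn, connections=20):
    """Replay constructed traffic from one IP, one connection per minute."""
    guard, ip = HarvestGuard(), "192.0.2.10"  # RFC 5737 documentation address
    t0 = datetime(2012, 2, 1, 9, 0)
    for i in range(connections):
        guard.record(ip, valid_per_conn, invalid_per_conn, t0 + timedelta(minutes=i))
    last = t0 + timedelta(minutes=connections - 1)
    return {
        "blocked_after_burst": guard.is_blocked(ip, last + timedelta(minutes=1)),
        "blocked_at_3h59": guard.is_blocked(ip, last + timedelta(hours=3, minutes=59)),
        "accepted_at_4h": guard.record(ip, 1, 0, last + BLOCK_FOR),
    }
```

A server that sends exactly 60% invalid recipients, or fewer than 20 connections, stays below the threshold in this model because the guide says "more than 60%" and "a minimum of 20".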

Question: The Internet Explorer Content Advisor keeps blocking the Control Console. How do I prevent that?

Answer: You must disable the Content Advisor feature of Internet Explorer to be able to use the Control Console. Do the following to disable the Content Advisor feature if it is enabled:

1 In the Internet Explorer window, click Tools > Internet Options.

2 In the Internet Options window, click the Content tab.

3 In the Content Advisor area in the Content tab, click the Disable button.

If there is an Enable button, but no Disable button, this means that Content Advisor is already disabled. Click the Cancel button until you return to the browser window.

4 Enter the password in the Supervisor Password Required dialog.

5 Click the OK button.

6 Continue clicking the OK button until you return to the Internet Explorer window.

Question: When I click a command in the Control Console, nothing seems to happen.

Answer: If you’ve set your Web browser to not accept cookies or JavaScript, the Control Console will not work. “Cookies” are mini-applications that run in your Web browser to communicate with the originator of the cookie through the Internet. The Control Console downloads cookies to your computer to allow it to send and receive data from the Email Protection data center as you perform actions and navigate between the windows.

If you are concerned about security, you can configure your Web browser to allow cookies only for a single session. This means that only while you have that specific instance of your Web browser open, cookies will be accepted. If you close the Web browser and then reopen it, cookies will not be accepted. Do the following to configure Internet Explorer to accept cookies:

1 In the Internet Explorer window, click Tools > Internet Options.

2 In the Internet Options window, click the Privacy tab.

3 In the Settings area in the Privacy tab, do one of the following:

A Move the slider to select Medium.

B Click the Sites button.

4 In the Per Site Privacy Actions window, enter the URL for your Control Console in the Address of Web Site field.

5 Click the Allow button.

6 Click the OK button until you return to your browser.

Do the following to configure Internet Explorer to accept JavaScript:

1 In the Internet Explorer window, click Tools > Internet Options.

2 In the Internet Options window, click the Security tab.

3 In the Security tab, click the Internet (globe) icon and then click the Custom Level button.

4 Confirm that the items under the Scripting section in the list are all set to Enabled.

5 Click the OK button until you return to the browser window.

Tips/Techniques

Change Zip File Attachment Policy

We regularly receive a large zipped file as an email attachment from a trusted source, but it is automatically denied before we see it. How do we get that file without turning off attachment filtering altogether?

The default settings in Email Protection automatically deny emails with zipped files whose content cannot be analyzed or whose file size exceeds certain criteria. If you want to receive such files, but not turn off attachment filtering, you have two options.

Option 1

Modify the “Message contains a high risk zip attachment” field in the Additional Policies subtab and save the policy change. This method affects emails for all user accounts associated with the policy set.

Option 2

If the attachment filename is always the same or contains the same string (for example, if the filename always contains “monthly_report”), you can designate a policy specific to that filename. In this case, create a custom filename policy in the Filename Policies subtab.

Caution: This policy would allow any attachment file that contains the designated string in its name to potentially bypass email filtering.

Wrong Email Got Past Filter

What do we do if spam email, virus email, etc., was delivered anyway?

If you or an email recipient in your system has received email that you feel should have been filtered, do the following:

1 Check that the email addresses were not added to an Allow list by either the email recipient or by an Administrator.

2 Check your policy settings in the Control Console to confirm that you have not changed any settings to allow these emails to bypass filtering.

3 If you have determined that Email Protection or your email system was not configured to let these emails bypass filtering, forward the email with all content, header information, and attachments to [email protected].

Service personnel will analyze the email information to refine the filtering engines for subsequent release, and if necessary, post any urgent updates to virus scanners, etc., to support filtering these emails properly.
