Symantec Mail Security for SMTP. Administration Guide



The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

April 27, 2006

Copyright notice

Copyright Symantec Corporation. All rights reserved.

Symantec, the Symantec logo, Brightmail, LiveUpdate, SESA, and Norton AntiVirus are U.S. registered trademarks or registered trademarks of Symantec Corporation or its affiliates in other countries. Other names may be trademarks of their respective owners.

Symantec Mail Security for SMTP 5.0 is protected under U.S. Patent Nos. 6,052,709; 5,999,932; and 6,654,787.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software and commercial computer software documentation as defined in FAR Sections and DFARS Section .

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA

Printed in the United States of America

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
- Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using. To receive the latest product information by email, go to: and join our support bulletin mailing list.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at . Alternatively, you may go to , select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at enterprise/. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at platinum/.

When contacting the Technical Support group, please have the following:
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description
- Error messages/log files
- Troubleshooting performed prior to contacting Symantec
- Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to , select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on Symantec Value License Program
- Advice on Symantec's technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals

Contents

Chapter 1 About Symantec Mail Security for SMTP
  Key features
  Functional overview
  Architecture
  Where to get more information

Chapter 2 Configuring system settings
  Configuring certificate settings
  Configuring host (Scanner) settings
  Working with the Services page
  HTTP proxies
  SMTP Scanner settings
  Advanced SMTP settings
  Configuring internal mail hosts
  Testing Scanners
  Configuring LDAP settings
  Replicating data to Scanners
  Starting and stopping replication
  Replication status information
  Troubleshooting replication
  Configuring Control Center settings
  Control Center administration
  Control Center certificate
  Configuring, enabling and scheduling Scanner replication
  SMTP host
  System locale

Chapter 3 Configuring email settings
  Configuring address masquerading
  Importing masqueraded entries
  Configuring aliases
  Importing aliases
  Configuring local domains
  Importing local domains and addresses ... 51
  Understanding spam settings
  Configuring suspected spam
  Choosing language identification type
  Software acceleration
  Configuring spam settings
  Configuring virus settings
  Configuring LiveUpdate
  Excluding files from virus scanning
  Configuring general settings
  Configuring invalid recipient handling
  Configuring scanning settings
  Configuring container settings
  Configuring content filtering settings

Chapter 4 Configuring email filtering
  About filtering
  Notes on filtering actions
  Multiple actions
  Multiple policies
  Security risks
  About precedence
  Creating groups and adding members
  Assigning filter policies to a group
  Selecting virus policies for a group
  Selecting spam policies for a group
  Selecting compliance policies for a group
  Enabling and disabling end user settings
  Allowing or blocking based on language
  Managing Group Policies
  Creating virus, spam, and compliance filter policies
  Creating virus policies
  Creating spam policies
  Creating compliance policies
  Managing Firewall policies
  Configuring attack recognition
  Configuring sender groups
  Configuring Sender Authentication
  Managing policy resources
  Annotating messages
  Archiving messages
  Configuring attachment lists
  Configuring dictionaries
  Adding and editing notifications ... 114

Chapter 5 Working with Spam Quarantine
  About Spam Quarantine
  Delivering messages to Spam Quarantine
  Working with messages in Spam Quarantine for administrators
  Accessing Spam Quarantine
  Checking for new Spam Quarantine messages
  Administrator message list page
  Administrator message details page
  Searching messages
  Configuring Spam Quarantine
  Delivering messages to Spam Quarantine from the Scanner
  Configuring Spam Quarantine port for incoming email
  Configuring Spam Quarantine for administrator-only access
  Configuring the Delete Unresolved setting
  Configuring the login help
  Configuring recipients for misidentified messages
  Configuring the user and distribution list notification digests
  Configuring the Spam Quarantine Expunger
  Specifying Spam Quarantine message and size thresholds
  Troubleshooting Spam Quarantine

Chapter 6 Working with Suspect Virus Quarantine
  About Suspect Virus Quarantine
  Accessing Suspect Virus Quarantine
  Checking for new Suspect Virus Quarantine messages
  Suspect Virus Quarantine messages page
  Searching messages
  Configuring Suspect Virus Quarantine
  Configuring Suspect Virus Quarantine port for incoming email
  Configuring the size for Suspect Virus Quarantine

Chapter 7 Testing Symantec Mail Security for SMTP
  Verifying normal delivery
  Verifying spam filtering
  Testing antivirus filtering
  Verifying filtering to the Spam Quarantine

Chapter 8 Configuring alerts and logs
  Configuring alerts
  Viewing logs
  Configuring logs ... 159

Chapter 9 Working with reports
  About reports
  Choosing a report
  About charts and tables
  Selecting report data to track
  Setting the retention period for report data
  Running reports
  Saving and editing Favorite Reports
  Running and deleting favorite reports
  Troubleshooting report generation
  No data available for the report type specified
  Sender HELO domain or IP connection shows gateway information
  Reports presented in local time of Control Center
  By default, data are saved for one week
  Processed message count recorded per message, not per recipient
  Recipient count equals message count
  Deferred or rejected messages are not counted as received
  Reports limited to 1,000 rows
  Printing, saving, and emailing reports
  Scheduling reports to be emailed

Chapter 10 Administering the system
  Getting status information
  Overview of system information
  Message status
  Host status
  LDAP synchronization
  Log details
  Scanner replication
  Version Information
  Managing Scanners
  Editing Scanners
  Enabling and disabling Scanners
  Deleting Scanners
  Administering the system through the Control Center
  Managing system administrators
  Managing software licenses ... 192
  Administering the Control Center
  Starting and stopping the Control Center
  Checking the Control Center error log
  Increasing the amount of information in BrightmailLog.log
  Starting and stopping UNIX and Windows services
  Starting and stopping Windows services
  Starting and stopping UNIX services
  Periodic system maintenance
  Backing up logs data
  Backing up the Spam and Virus Quarantine databases
  Maintaining adequate disk space

Appendix A Feature Cross-Reference
  New features for all users
  Changes for Symantec Mail Security for SMTP users
  New feature names
  Discontinued features
  Changes for Symantec Brightmail Antispam users
  About filtering and message handling options

Appendix B Spam foldering and the Symantec Outlook Spam Plug-in
  About foldering and the plug-in
  Installing the Symantec Outlook Spam Plug-in
  Usage scenarios
  End user experience
  Software requirements
  Configuring automatic spam foldering
  Configuring the Symantec Spam Folder Agent for Exchange
  Configuring the Symantec Spam Folder Agent for Domino
  Enabling automatic spam foldering
  Enabling language identification

Appendix C Integrating Symantec Mail Security with Symantec Security Information Manager
  About Symantec Security Information Manager
  Interpreting events in the Information Manager
  Configuring data sources
  Firewall events that are sent to the Information Manager
  Definition Update events that are sent to the Information Manager
  Message events that are sent to the Information Manager
  Administration events that are sent to the Information Manager ... 228

Appendix D Editing antivirus notification messages
  Modifying notification files
  Changing the notification file character set
  Editing messages in the notification file
  Notification file contents

Glossary

Index

Chapter 1 About Symantec Mail Security for SMTP

This chapter includes the following topics:
- Key features
- Functional overview
- Architecture
- Where to get more information

Key features

Symantec Mail Security for SMTP offers enterprises an easy-to-deploy, comprehensive gateway-based security solution through the following:
- Antispam technology: Symantec's state-of-the-art spam filters assess and classify email as it enters your site.
- Antivirus technology: Virus definitions and engines protect your users from email-borne viruses.
- Content Compliance: These features help administrators enforce corporate policies, reduce legal liability, and ensure compliance with regulatory requirements.
- Group policies and filter policies: An easy-to-use authoring tool lets administrators create powerful and flexible ad hoc filters for individuals and groups.

Functional overview

You can deploy Symantec Mail Security for SMTP in different configurations to best suit the size of your network and your processing needs. Each Symantec Mail Security for SMTP host can be deployed in the following ways:
- Scanner: Deployed as a Scanner, a Symantec Mail Security for SMTP host filters email. Your installation can have one or many Scanners. Symantec Mail Security for SMTP runs alongside your existing email or groupware server(s).
- Control Center: Deployed as a Control Center, a Symantec Mail Security for SMTP host is a Web-based configuration and administration center. Use it to configure and manage filtering, SMTP routing, system settings, and all other functions. Your enterprise-wide deployment of Symantec Mail Security for SMTP can have multiple Scanners but only one Control Center, from which you configure and monitor all the Scanner hosts. The Control Center provides status for all Symantec Mail Security for SMTP hosts in your system, system logs, and extensive customizable reporting. Use it to configure both system-wide and host-specific details. The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security for SMTP instances at your site, and also the Add Scanner Wizard, for adding new Scanners. It also hosts the Spam and Suspect Virus Quarantines, for storage of spam and virus messages respectively. End users can access the Control Center to view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure the Spam Quarantine for administrator-only access.
- Scanner and Control Center: A single Symantec Mail Security for SMTP host performs both functions.

Note: Symantec Mail Security for SMTP provides neither mailbox access for end users nor message storage; it is not intended for use as the only MTA in your infrastructure.

Note: Symantec Mail Security for SMTP does not filter messages that don't flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, the messages will not pass through the Symantec Mail Security for SMTP filters.

Architecture

Symantec Mail Security for SMTP processes a mail message as follows. For the sake of discussion, our sample message passes through the Filtering Engine to the Transformation Engine without being rejected.
1 The incoming connection arrives at the inbound MTA via TCP/IP.
2 The inbound MTA accepts the connection and moves the message to its inbound queue.
3 The Filtering Hub accepts a copy of the message for filtering.
4 The Filtering Hub consults the LDAP SyncService directory to expand the message's distribution list.
5 The Filtering Engine determines each recipient's filtering policies.
6 The message is checked against Blocked/Allowed Senders Lists defined by administrators.
7 Virus and configurable heuristic filters determine whether the message is infected.
8 Content Compliance filters scan the message for restricted attachment types or keywords, as defined in configurable dictionaries.
9 Spam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.
10 The Transformation Engine performs actions per recipient based on filtering results and configurable Group Policies.

Where to get more information

In addition to this Administration Guide, your Symantec Mail Security for SMTP product comes with the following documentation:
- Symantec Mail Security for SMTP Installation Guide
- Symantec Mail Security for SMTP Planning Guide
- Symantec Mail Security for SMTP Getting Started

Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.

You can visit the Symantec Web site for more information about your product. The following online resources are available:
- Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions: techsupp/ent/enterprise.html
- Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration: /licensing/els/help/en/help.html
- Provides product news and updates: symantec.com
- Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats: avcenter/global/index.html


Chapter 2 Configuring system settings

System settings apply to the Control Center and to attached and enabled Scanners. This section explains the following:
- Configuring certificate settings
- Configuring host (Scanner) settings
- Testing Scanners
- Configuring LDAP settings
- Replicating data to Scanners
- Configuring Control Center settings

Configuring certificate settings

Manage your certificates using the Certificate Settings page. The two types of certificates are as follows:
- MTA TLS certificate: This is the TLS certificate used by the MTAs in each Scanner. Every Scanner has separate MTAs for inbound messages, outbound messages, and message delivery. Assign this certificate from the Inbound Mail Settings and Outbound Mail Settings portions of the SMTP tab on the Settings > Hosts page.
- User interface HTTPS certificate: This is the HTTPS certificate used by the Control Center for secure Web management. Assign this certificate from the Settings > Certificates page.

You can add certificates to the certificate list in the following two ways:
- Add a self-signed certificate by adding the certificate and filling out the requested information as presented to you at the time.
- Add a Certification Authority Signed certificate by submitting a certificate request to a Certification Authority. When you receive the certificate back from the Certification Authority, you then import the certificate into the Control Center.

Manage certificates

Follow these steps to add either self-signed or Certification Authority Signed certificates and to assign certificates.

To add a self-signed certificate to the list
1 In the Control Center, click Settings > Certificates.
2 Click Add.
3 In the Certificate type drop-down list, choose Self-Signed Certificate.
4 Complete the information on the Add Certificate page.
5 Click Create.

To add a Certification Authority Signed certificate to the list
1 In the Control Center, click Settings > Certificates.
2 Click Add.
3 In the Certificate type drop-down list, choose Certificate Authority Signed.
4 Fill in the information on the Add Certificate page.
5 Click Request. A new page is displayed, showing the certificate request in a block of text, designed for use by the Certification Authority.
6 Copy the block of text that appears and submit it to the Certification Authority. Each Certification Authority has its own set of procedures for granting certificates. Consult your Certification Authority for details.
7 When you receive the certificate file from the Certification Authority, place the file in an easily accessed location on the computer from which you are connecting to the Control Center.
8 On the Certificate Settings page, click Import.
9 On the Import Certificate page, type the full path and filename or click Browse and choose the file.
10 Click Import.

To view or delete a certificate
1 In the Control Center, click Settings > Certificates.
2 Check the box next to the certificate to be viewed or deleted.
3 Click View to read the certificate.
4 Click Delete to remove the certificate.

To assign an MTA TLS certificate
1 In the Control Center, click Settings > Hosts.
2 Select a host and click Edit.
3 Click the SMTP tab.
4 Check Accept TLS encryption as appropriate.
5 Choose the TLS certificate from the Certificate drop-down list for the inbound or outbound MTA.
6 Click Save.

To assign a user interface HTTPS certificate
1 In the Control Center, click Settings > Control Center.
2 Select a certificate from the User interface HTTPS certificate drop-down list.
3 Click Save.

Configuring host (Scanner) settings

The following sections describe changes that can be made to individual hosts. Information is available on these topics:
- Working with the Services page
- HTTP proxies
- SMTP Scanner settings

Working with the Services page

You can stop or start the following services on a Scanner:
- Conduit
- LiveUpdate
- Filter Engine
- MTA

Note: If you stop the filter-hub or the MTA service and wish to continue receiving alerts, specify an operating MTA IP address in the settings for the Control Center.

In addition, you can configure individual Scanner replication and MTA settings on this page that can help you take a Scanner offline.

Work with the services page

Use the following procedures from the Services page to manage individual Scanner services, manage replication, and stop the flow of messages through a Scanner.

To start and stop services
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Select the services to be started or stopped.
5 Click Stop to stop a running service or Start to start a stopped service.

To enable or disable Scanner replication for a host
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Using the Scanner Replication portion of the page, check Enable Scanner Replication for this host to enable Scanner replication. (Replication is enabled by default.)
5 Using the Scanner Replication portion of the page, uncheck Enable Scanner Replication for this host to disable Scanner replication. The Control Center will not update the directory for this Scanner when the box is not checked.
6 Click Save to store your changes.

To take a Scanner out of service
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 On the MTA Operation portion of the page, check Do not accept incoming messages. All messages in Scanner queues are processed as needed, but no new messages will be received.
5 Click Save to store your changes.

HTTP proxies

The Conduit and Symantec LiveUpdate run on each Scanner and receive filter updates from Symantec. If you need to add proxy and/or other security settings to your server definition, use the steps below.

To change or add proxy information
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Click the Proxy tab.
5 Check Use proxy server.
6 Specify the proxy host name and port on this panel. In addition to this information, you can include a user name and password as needed.
7 Click Save to store your information.

SMTP Scanner settings

A full complement of SMTP settings has been provided to help you define internal and external SMTP configurations for Scanners. Inbound SMTP settings determine how the inbound MTA processes inbound messages. Outbound SMTP settings determine how the outbound MTA processes outbound messages. If you set up inbound or outbound SMTP filtering rather than using Content Compliance filters, you can save resources because messages that do not meet the SMTP criteria will be rejected before content filtering begins.

To modify SMTP settings for a Scanner
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Click SMTP.
5 As appropriate, complete the SMTP definition for the Scanner. The following parameters are included:

Scanner Role
  Determines if the Scanner is used for Inbound mail filtering only, Outbound mail filtering only, or Inbound and outbound mail filtering.

Inbound Mail Settings (*)
  Provides settings for inbound messages. In this area, you can provide the following information:
  - Inbound mail IP address: Location at which inbound messages will be received.
  - Inbound mail SMTP port: Port on which inbound mail is received, typically port 25.
  - Accept TLS encryption: Indicates if TLS encryption is accepted. Check the box to accept encryption. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
  - Certificate: Specifies an available certificate for TLS encryption.
  - Accept inbound mail connections from all IP addresses: Indicates that all connections for inbound messages are accepted when checked. This is the default.
  - Accept inbound mail connections from only the following IP addresses and domains: Indicates that only the addresses or domain names entered in the checked IP Address/Domains box are accepted. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.
    Warning: If you are deploying this Scanner behind a gateway, and are specifying one or more IP addresses instead of All IP addresses, you must add the IP addresses of ALL upstream mail servers in use by your organization. Upstream mail servers that are not specified here may be classified as spam sources.
  - Relay local domain mail to: Gives the location where inbound mail is sent after being received on the inbound port.

Outbound Mail Settings (*)
  Provides settings for outbound mail characteristics. In this area, you can provide the following information:
  - Outbound mail IP address: Specifies the IP address on which outbound messages are sent.
  - Outbound mail SMTP port: Specifies the port on which outbound mail is sent, typically port 25.
  - Accept TLS encryption: Indicates if TLS encryption is accepted. Check the box to accept encrypted information. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
  - Certificate: Specifies an available certificate for TLS encryption.
  - Accept outbound mail connections from the following IP addresses and domains: Indicates that only the addresses entered in the checked IP Address/Domains box are accepted. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.
  - Relay non-local mail to: Specifies how outbound SMTP message relaying is routed. By default, MX Lookup is used.

Apply above settings to all hosts
  Indicates that when saved, all settings on this page are applied immediately to all hosts.

Advanced Settings
  Provides for inbound, outbound and delivery advanced settings. See Advanced SMTP settings on page 25 for details.

(*) Classless InterDomain Routing (CIDR) is supported for inbound and outbound mail connection IP addresses.

6 Click Save to store your changes.
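The inbound connection restriction above is easy to get wrong in the two ways the guide calls out: leaving out the Control Center address (quarantine releases fail) or leaving out an upstream gateway (its mail may be treated as a spam source). The following check, added here as an example and not code from the guide or the product, models the IP/CIDR part of that allow list and reports the required addresses it would reject; all addresses and host names are constructed, and domain-name entries are not resolved.

```python
"""Check an inbound MTA allow list before it is saved.

Added example for this guide, not Symantec code. It models the setting
"Accept inbound mail connections from only the following IP addresses and
domains": entries may be plain IPs or CIDR blocks (the guide notes CIDR is
supported), and the guide requires that the Control Center address and every
upstream mail server appear in the list. Addresses and names below are
constructed for the example; domain-name entries are not resolved here.
"""
import ipaddress


def parse_entry(entry):
    """Return an ip_network for an IP or CIDR entry, or None for a domain name."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None  # a domain-name entry; name matching is out of scope here


def is_allowed(client_ip, allow_list):
    """True if client_ip falls inside any IP or CIDR entry of the allow list."""
    addr = ipaddress.ip_address(client_ip)
    nets = [net for net in map(parse_entry, allow_list) if net is not None]
    return any(addr in net for net in nets)


def missing_required(allow_list, control_center_ip, upstream_ips):
    """Addresses the guide says must be listed but that this list would reject.

    The Control Center must be present so the Spam and Suspect Virus
    Quarantines can release messages; unlisted upstream mail servers may be
    classified as spam sources.
    """
    required = [control_center_ip] + list(upstream_ips)
    return [ip for ip in required if not is_allowed(ip, allow_list)]


def broad_entries(allow_list, min_prefixlen=16):
    """CIDR entries so wide that the restriction is close to 'all IP addresses'."""
    out = []
    for entry in allow_list:
        net = parse_entry(entry)
        if net is not None and net.prefixlen < min_prefixlen:
            out.append(entry)
    return out


if __name__ == "__main__":
    # Constructed sample: one upstream gateway is listed, one was forgotten.
    allow = ["10.0.5.0/24", "192.0.2.10", "relay.example.com"]
    print("missing:", missing_required(allow, "10.0.5.2", ["192.0.2.10", "198.51.100.7"]))
    print("too broad:", broad_entries(["0.0.0.0/0", "10.0.5.0/24"]))
```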

25 Configuring system settings Configuring host (Scanner) settings 25

Advanced SMTP settings

Use the MTA Configuration portion of the page to specify the MTA host name. The MTA Host Name lets you define the Hello banner used during the initial portion of the SMTP conversation.

Use the following advanced inbound SMTP settings to further define your SMTP configuration:

Table 2-1 Inbound SMTP advanced setting descriptions

Maximum number of connections
  Sets the maximum number of simultaneous inbound connections allowed. Additional attempted connections are rejected. The default is 2,000 connections.

Maximum number of connections from a single IP address
  Sets the maximum number of simultaneous inbound connections allowed from a single IP address. Additional connections from the same IP address are rejected. The default is 20. You can also limit the number of connections from a single IP address per time period: click Policies > Attacks in the Control Center.

Maximum message size in bytes
  Sets the maximum size of a message before it is rejected. The default is 10,485,760 bytes.

Maximum number of recipients per message
  Sets the maximum number of recipients for a message. The default is 1,024 recipients.

Insert RECEIVED header to inbound messages
  Places a RECEIVED header in the message during inbound SMTP processing.

Enable reverse DNS lookup
  When checked, the system performs a reverse DNS lookup on the SMTP client IP address to resolve it to a name. This is the default. When unchecked, no reverse DNS lookup is performed for inbound messages.

Use the following advanced outbound SMTP settings to further define your SMTP configuration:

Table 2-2 Outbound SMTP advanced setting descriptions

Maximum number of connections
  Sets the maximum number of permissible simultaneous outbound connections. Additional attempted connections are rejected. The default is 2,000 connections.

Maximum message size in bytes
  Sets the maximum size allowable for a message before it is rejected. The default is 10,485,760 bytes.

Maximum number of recipients per message
  Indicates the maximum number of recipients permitted to receive a message. The default is 1,024 recipients.

Default domain for sender addresses with no domain
  Sets a default domain to use when none can be found in the message.

Insert RECEIVED header
  When checked, places a RECEIVED header in the message during outbound SMTP processing. When unchecked, no RECEIVED header is inserted during outbound SMTP processing. If Insert RECEIVED header and Strip pre-existing RECEIVED headers are both checked, the outbound SMTP RECEIVED header remains when the message goes to the delivery queue.

Strip pre-existing RECEIVED headers from outbound messages
  When checked, removes all RECEIVED headers from the message. When headers are stripped, message looping can occur, depending on the settings of other MTAs. When unchecked, RECEIVED headers remain in the message during outbound processing. The RECEIVED header added by outbound SMTP processing remains in the message when both Insert RECEIVED header and Strip pre-existing RECEIVED headers from outbound messages are checked.

Enable reverse DNS lookup
  When checked, the system performs a reverse DNS lookup on the SMTP client IP address to resolve it to a name. This is the default. When unchecked, no reverse DNS lookup is performed for outbound messages.

Settings also exist governing SMTP delivery configuration for your site. Delivery configuration settings are as follows:

Table 2-3 SMTP delivery advanced setting descriptions

Maximum number of external connections
  Sets the maximum number of simultaneously allowed external connections. Additional attempted connections are rejected. The default is 100 connections.

Maximum number of external connections to a single IP address
  Sets the maximum number of simultaneous connections allowed to a single IP address. Additional connections to this IP address are rejected. The default is 50 connections. You can also limit the number of connections to a single IP address per time period.

Maximum number of connections to all internal mail servers
  Sets the maximum number of connections allowed to all defined internal mail servers. Any additional connection attempts are rejected. The default is 100 internal mail server connections.

Maximum number of connections per single internal mail server
  Sets the maximum number of connections to one internal mail server. Any additional connection attempt is rejected. The default is 50 connections.

Minimum retry interval
  Sets the smallest interval the SMTP server waits before trying to deliver a message again. The default is 15 minutes.

Sent message timeout
  Sets the time after which an undelivered message times out and is rejected from the queue. The default is 5 days.

Message delay time in queue before notification
  Sets the time a message waits in the mail queue before notification of nondelivery is sent. The default is 4 hours.

Enable TLS encryption
  Allows TLS encryption when checked. If unchecked, TLS encryption is not performed. By default, TLS encryption is not enabled.

To set up the SMTP Advanced Configuration

1 From the Control Center, click Settings > Hosts.
2 Select a Scanner from the displayed list.
3 Click Edit.
4 Click the SMTP tab. On this page, you will see some general-purpose settings, described in SMTP Scanner settings.
5 Click Advanced Settings. On this page you will see the advanced Scanner SMTP settings, fully described in Advanced SMTP settings above.
6 As appropriate, modify the settings explained above.
7 Click Save to store your information. You are returned to the main SMTP configuration page.
8 Click Save.
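The looping caveat under Strip pre-existing RECEIVED headers in Table 2-2 is easier to see with a small simulation. The following Python script is an added example, not code from Symantec or from the product: it models two MTAs that each insert their own RECEIVED header, passes a constructed message back and forth between them, and inspects the RECEIVED trail for a loop. The loop detector, its thresholds, the host names and the message are all this example's own constructions.

```python
"""Received-header trail inspection for mail-loop detection.

Added example (not part of the Symantec documentation): it shows why the
"Strip pre-existing RECEIVED headers from outbound messages" option in
Table 2-2 can hide a mail loop. All messages and host names are constructed.
"""
import re

# The "by <host>" clause names the MTA that added the Received header.
BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_headers(raw):
    """Split a message into a list of (name, value) headers and the body.
    Folded continuation lines (leading space or tab) are unfolded."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def unparse(headers, body):
    """Reassemble a message from its headers and body."""
    return "\n".join(f"{n}: {v}" for n, v in headers) + "\n\n" + body


def received_hosts(headers):
    """Return the 'by' host of every Received header, newest hop first."""
    hosts = []
    for name, value in headers:
        if name.lower() == "received":
            m = BY_HOST_RE.search(value)
            if m:
                hosts.append(m.group(1).lower())
    return hosts


def detect_loop(headers, max_visits=2, max_hops=30):
    """Return (looping, reason). A message stamped by the same MTA more than
    max_visits times, or carrying more than max_hops Received headers, is
    treated as looping. The thresholds are this example's own choice, not
    product settings."""
    hosts = received_hosts(headers)
    if len(hosts) > max_hops:
        return True, f"{len(hosts)} hops exceeds {max_hops}"
    seen = {}
    for h in hosts:
        seen[h] = seen.get(h, 0) + 1
        if seen[h] > max_visits:
            return True, f"{h} stamped {seen[h]} times"
    return False, "no loop detected"


def mta_pass(raw, by_host, from_host, strip_existing=False):
    """Model one pass through an MTA: optionally strip all existing Received
    headers (the 'Strip pre-existing RECEIVED headers' option), then prepend
    this hop's own header (the 'Insert RECEIVED header' option)."""
    headers, body = parse_headers(raw)
    if strip_existing:
        headers = [h for h in headers if h[0].lower() != "received"]
    stamp = f"from {from_host} by {by_host} with SMTP; Thu, 27 Apr 2006 10:00:00 -0700"
    headers.insert(0, ("Received", stamp))
    return unparse(headers, body)


def simulate(strip_existing, rounds=6):
    """Bounce a constructed message between two MTAs 'rounds' times and
    report whether the loop is visible in the Received trail."""
    raw = "From: sender@example.org\nTo: user@example.com\nSubject: test\n\nbody\n"
    hops = [("gateway.example.net", "mail.example.com"),
            ("mail.example.com", "gateway.example.net")]
    for i in range(rounds):
        by_host, from_host = hops[i % 2]
        raw = mta_pass(raw, by_host, from_host, strip_existing)
    headers, _ = parse_headers(raw)
    return detect_loop(headers)


if __name__ == "__main__":
    print("headers kept:    ", simulate(strip_existing=False))
    print("headers stripped:", simulate(strip_existing=True))
```

With headers kept, the repeated "by" host exposes the loop after a few bounces. With every hop stripping the earlier headers, the trail never grows beyond one entry and the same loop is invisible to this kind of check, which is the dependence on other MTAs' settings that the table describes.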

Configuring internal mail hosts

You can add or delete internal mail hosts at your site.

Configure internal mail hosts

Follow these procedures to add or delete internal mail hosts.

To add an internal mail host

1 From the Control Center, click Settings > Hosts.
2 Check the Scanner you want to configure.
3 Click Edit.
4 Click the Internal Mail Hosts tab.
5 Specify the IP address for an internal mail host.
6 Click Add.
7 Click Save to store the information.

To delete an internal mail host

1 From the Control Center, click Settings > Hosts.
2 Check the Scanner you want to configure.
3 Click Edit.
4 Click the Internal Mail Hosts tab.
5 Select an internal mail host.
6 Click Delete.
7 Click Save to store the information.

Testing Scanners

After adding or editing a Scanner, you can quickly test that the Scanner is operating and that the Agent is able to make a connection. The Agent is the component that communicates configuration information between the Control Center and each Scanner.

To test a Scanner

1 In the Control Center, click Status > Host Details.
2 If only one Scanner is attached to your system, you see a snapshot of how it is currently functioning.

3 If more than one Scanner is attached, select the Scanner you want to test from the drop-down list. You will see a snapshot of its current status.

Configuring LDAP settings

The Control Center can optionally use directory information from LDAP servers at your site for one or both of the following purposes:

Authentication
  LDAP user and password data is used for Quarantine access authentication and for resolving aliases for quarantined messages. The Control Center reads user and password data directly from the LDAP server.

Synchronization
  LDAP user and group data is used for group policies, directory harvest attack recognition, distribution list expansion, and dropping messages for invalid recipients. User and group data is read from the LDAP server and cached in the Control Center and Scanners, but never written back to the LDAP server.

Symantec Mail Security for SMTP supports the following LDAP directory types:

Windows 2000 Active Directory
Windows 2003 Active Directory
Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)
Exchange 5.5
Lotus Domino LDAP Server 6.5

Note: If you are using version 5.2 of the SunOne LDAP server, you must update to patch 4 to address some changelog issues that arose in patch 3.

Configure LDAP settings

Follow these procedures to configure LDAP settings.

To add an LDAP server

1 In the Control Center, click Settings > LDAP.
2 Click Add.
3 Complete the necessary fields presented for defining a new LDAP server. The values you complete depend on your choice in the Usage drop-down list.
4 Click Save.

Note: When adding an LDAP server that performs synchronization, you can replicate data from the Control Center to attached and enabled Scanners with the Replicate now button. Begin this replication only after the initial synchronization has completed successfully, as shown on the Status > LDAP Synchronization page, and the number of rejected entries is 0 or stays constant across successive synchronizations. If synchronization has not completed successfully, error messages are shown on the Status > LDAP Synchronization page. Alternatively, you can wait until the next scheduled replication occurs, at which time all Scanners are fully updated by the LDAP synchronization server.

Note: If you see the error "Failed to create user mappings for source" during server creation, and you have recently changed DNS servers, restart your LDAP synchronization components. On Windows, use the Services control panel to first stop SMS Virtual Directory, then start SMS Sync Server; dependencies are restarted automatically. Alternatively, the host can be rebooted. On Linux/Solaris, issue the following command:

/etc/init.d/sms_ldapsync restart

Then follow the above steps again.

The following table describes the available settings for LDAP authentication and synchronization services when an LDAP server is being added to the Control Center.

Table 2-4 LDAP Server Parameters when adding a server

Description
  Text describing the LDAP server being defined. Permissible characters are alphanumeric characters (0-9, a-z, and A-Z), space ( ), hyphen (-), and underscore (_). Any other symbol causes the definition to fail.

Host
  Host name or IP address.

Port
  TCP/IP port for the server. The default port is 389.

Directory Type
  Specifies the type of directory used by the LDAP server. Available choices are:
  Active Directory
  iPlanet/Sun ONE/Java Directory Server
  Exchange 5.5
  Domino

Usage
  Describes how this LDAP server will be used. Available usage modes are:
  Authentication
  Synchronization
  Authentication and Synchronization
  You can have only one authentication server defined in the Control Center.

Administrator Credentials
  Specifies login and usage information for the LDAP server as follows:
  Anonymous bind: Allows you to log in to an LDAP server without providing a specific user ID and password. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
  Name (bind DN): Login name allowing you to access the LDAP server. When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN, such as cn=administrator,cn=recipients,ou=mysite,o=myorg, rather than a shortened form such as cn=administrator, to ensure detection of all change events and guarantee full authentication by the LDAP server. For an Active Directory server, the full DN or the logon name with User Principal Name suffix may be required.
  Password: Password that allows you to access the LDAP server.
  Test Login: Verifies the anonymous bind connection or the user ID and password given for accessing the LDAP server.
  Windows Domain Names (Active Directory only): Windows domain names you see in the Log on to drop-down list when logging on to a Windows host. Use commas or semicolons to separate multiple domain names.
  Primary domain (Domino only): Internet domain to which mail is delivered.
  Domain aliases (Domino only): Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.

Authentication Query Details
  Contains the following options:
  Autofill: Places default values in the fields for you to modify as needed.
  Query start (Auth base DN): Designates the point in the directory from which to start searching for entries to authenticate. If an entry contains an ampersand, escape the ampersand with a backslash, as follows:
  OU=Sales \& Marketing,OU=test,DC=domain,DC=com & OU=test1,DC=domain,DC=com
  Login attribute: Specifies the attribute that identifies a directory entry representing a person.
  Primary attribute: Finds users based on the attribute that represents a mailbox.
  Alias attribute: Finds users based on the attribute representing an alternative address for an entity's mailbox.
  Login query: Finds users based on their Login attributes.
  Test: Attempts to execute the query as defined.
  Note: For Exchange 5.5, the user directory Name (rdn) must be the same as the alias (uid) for that user.

Synchronization Configuration
  Allows for the following definitions governing synchronization behavior:
  Synchronize every: Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
  Audit level: Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
  Page size: Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/Sun ONE directory server, change Page size to 0 for optimal performance.
  This section is grayed out if Usage type is Authentication.
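As an added illustration of two field rules in Table 2-4, the Description character set and the \& escape in Query start (Auth base DN), the following Python is not product code. It checks a Description string against the documented character set, splits a base DN field on the & separator while treating \& as a literal ampersand, and then parses each DN into its RDNs so that an unescaped ampersand is caught before the definition is saved. The RDN parser is this example's own simplification: it splits on commas only and does not handle every DN escape form.

```python
"""Field-syntax checks for the LDAP server definition form.

Added example (not from the product): validates the Description field
character rule from Table 2-4 and splits the Query start (Auth base DN)
field on the product's '&' separator, honouring the documented '\\&' escape
for a literal ampersand. The DN parser is deliberately minimal.
"""
import re

# 0-9, a-z, A-Z, space, hyphen, underscore: the documented Description rule.
DESCRIPTION_RE = re.compile(r"^[0-9A-Za-z _-]+$")


def valid_description(text):
    """True if the Description uses only the characters Table 2-4 permits."""
    return bool(DESCRIPTION_RE.match(text))


def split_base_dns(field):
    """Split an Auth base DN field into its component DNs.
    '&' separates DNs; '\\&' is a literal ampersand inside a DN value."""
    dns, buf, i = [], [], 0
    while i < len(field):
        if field.startswith("\\&", i):
            buf.append("&")
            i += 2
        elif field[i] == "&":
            dns.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(field[i])
            i += 1
    dns.append("".join(buf).strip())
    return [dn for dn in dns if dn]


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs. A component without
    '=' means the field was split in the wrong place (for example at an
    unescaped '&'), so raise rather than return a half-parsed DN."""
    rdns = []
    for component in dn.split(","):
        attr, sep, value = component.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {component!r} in {dn!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def check_auth_base_dn(field):
    """Parse every DN in the field; returns a list of RDN lists, or raises
    ValueError if any DN is malformed."""
    return [parse_dn(dn) for dn in split_base_dns(field)]


if __name__ == "__main__":
    sample = "OU=Sales \\& Marketing,OU=test,DC=domain,DC=com & OU=test1,DC=domain,DC=com"
    for rdns in check_auth_base_dn(sample):
        print(rdns)
```

Run against the documented sample, the escaped form yields two well-formed DNs, the first of which keeps the literal "Sales & Marketing" value; the same string with the backslash omitted splits into three fragments and fails in parse_dn, which is the mistake the escape rule exists to prevent.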

Synchronization Query Details
  Specifies queries to use for synchronization. Available choices are:
  Autofill: Places default values in the fields for you to modify as needed.
  Query start (Sync base DN): Designates the point in the directory from which to start searching for entries with addresses/aliases or groups. To use this field, begin by clicking Auto Fill to obtain the naming contexts of the directory. Reduce the list of DNs brought into the field by Auto Fill to a single DN, or write your own DN based on the provided list.
  Custom query start: Allows for the addition of a customized query.
  User query: Finds users in the LDAP server.
  Group query: Finds LDAP groups in the LDAP server.
  Distribution list query: Finds distribution lists in the LDAP server.
  Buttons labelled Test allow you to test each synchronization query type.

Note: If you need to change Host, Port, base DN, LDAP Group filter, User filter, or Distribution List filter after saving an LDAP synchronization source, you must delete the source, add the source again including all attributes to be filtered, and perform a full synchronization.

To edit an LDAP server

1 In the Control Center, click Settings > LDAP.
2 Choose an LDAP server definition by checking the box next to it.
3 Click Edit.
4 Make changes as appropriate.
5 Click Save.

Not all parameters are available for editing in an LDAP definition. Only the following can be changed after an LDAP server has been defined:

Table 2-5 LDAP Server Parameters when editing a server

Administrator Credentials
  Specifies login and usage information for the LDAP server as follows:
  Anonymous bind: Allows you to log in to an LDAP server without providing a specific user ID and password. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
  Name (bind DN): Login name allowing you to access the LDAP server. When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN, such as cn=administrator,cn=recipients,ou=mysite,o=myorg, rather than a shortened form such as cn=administrator, to ensure detection of all change events and guarantee full authentication by the LDAP server. For an Active Directory server, the full DN or the logon name with User Principal Name suffix may be required.
  Password: Password that allows you to access the LDAP server.
  Test Login: Verifies the anonymous bind connection or the user ID and password given for accessing the LDAP server.
  Windows Domain Names (Active Directory only): Windows domain names you see in the Log on to drop-down list when logging on to a Windows host. Use commas or semicolons to separate multiple domain names.
  Primary domain (Domino only): Internet domain to which mail is delivered.
  Domain aliases (Domino only): Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.

Authentication Query Details
  Contains the following options:
  Autofill: Places default values in the fields for you to modify as needed.
  Query start (Auth base DN): Designates the point in the directory from which to start searching for entries to authenticate.
  Login attribute: Specifies the attribute that identifies a directory entry representing a person.
  Primary attribute: Finds users based on the attribute that represents a mailbox.
  Alias attribute: Finds users based on the attribute representing an alternative address for an entity's mailbox.
  Login query: Finds users based on their Login attributes.
  Test: Attempts to execute the query as defined.

Synchronization Configuration
  Allows for the following definitions governing synchronization behavior:
  Synchronize every: Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
  Audit level: Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
  Page size: Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/Sun ONE directory server, change Page size to 0 for optimal performance.
  This section is grayed out if Usage type is Authentication.

Editing an LDAP server definition can cause a full synchronization to be initiated. This can have a serious performance impact on your system until the synchronization completes.

To initiate an LDAP synchronization

1 Click Status > LDAP Synchronization.
2 If you wish to synchronize fewer than 1,000 changes of LDAP data, click Synchronize Changes.
3 If you wish to synchronize 1,000 changes of LDAP data or more, click Full Synchronization.

To cancel an LDAP synchronization in progress

1 Click Status > LDAP Synchronization.
2 Click Cancel Synchronization.

To delete an LDAP server

1 In the Control Center, click Status > LDAP Synchronization. Check to be sure that no synchronization is in progress. You cannot delete a synchronization server while synchronization is running.
2 Click Settings > LDAP.
3 Choose an LDAP server definition by checking the box next to it.
4 Click Delete.

Synchronization status information

When LDAP data is synchronized between an LDAP server and the Control Center, status information is generated and displayed via the Status tab.

To view LDAP Synchronization status information

In the Control Center, click Status > LDAP Synchronization. The following information is displayed:

Status
  Information about synchronization activity. Status can be any of the following:
  Idle: Nothing is happening.
  Starting: A synchronization request was issued, either by the Control Center or through a replication request from a Scanner.
  Cancelled: Either the LDAP synchronization was cancelled manually by clicking Status > LDAP Synchronization > Cancel, or a replication was in progress when a scheduled or manual LDAP synchronization was initiated.
  In Progress: A synchronization request has been acknowledged by the synchronization server and the process is under way.
  Success: The synchronization has completed successfully.
  Failed: The synchronization has failed. Consult your logs to identify possible causes.

Started
  The time at which the most recent synchronization began.

Ended
  The time at which the most recent synchronization finished.

Read
  The number of directory entries read from the synchronization server. For a full synchronization, this number equals the total number of records from the LDAP source.

Added
  The number of directory entries added from the synchronization server to the Control Center.

Modified
  The number of records modified in the Control Center based on synchronization server information.

Deleted
  The number of entries deleted from the Control Center based on synchronization server information.

Rejected
  The number of directory entries from the LDAP server rejected by the synchronization server. LDAP transactions can be rejected when an attempt to add a group entry fails because one or more of the group members is not yet known to the LDAP synchronization service. Generally, this is resolved by issuing a Synchronize Changes request from the Control Center. Each time this is done, the number of rejected entries should decrease. Once all group members are propagated, the group entries are added successfully. If, after a number of LDAP synchronization attempts, you continue to see the same number of rejected entries for an LDAP source, examine the logs at Status > Logs with Control Center: LDAP selected in the Log Type: drop-down list. Use the information on this page to determine why the entries are repeatedly rejected. Pay particular attention to the file error.log.X, where X is a number.

Replicating data to Scanners

After an LDAP server has been defined to the Control Center, and after the synchronization of LDAP data between the LDAP server and the Control Center has successfully completed one full cycle, LDAP data can be synchronized to all attached and enabled Scanners.

LDAP data includes:

Directory information
User settings
Allowed/Blocked Sender settings
Language settings

For replication to work properly, you must have completed the procedures in Configuring, enabling and scheduling Scanner replication on page 42 and made certain that Scanner replication is enabled for each Scanner as described in Working with the Services page on page 20.

In this section, information is available on the following:

Starting and stopping replication
Replication status information
Troubleshooting replication

Starting and stopping replication

You may occasionally need to start or stop replication manually.

Start or stop replication

Start and stop replication using the following procedures.

To start a manual replication cycle

1 In the Control Center, click Status > Scanner Replication.
2 Click Replicate Now.

To stop a replication in progress

1 In the Control Center, click Status > Scanner Replication.
2 Click Cancel Replication.

Replication status information

When LDAP data is replicated from the Control Center to one or more Scanners, status information is generated and displayed via the Status interface in Symantec Mail Security for SMTP.

To view replication status information

In the Control Center, click Status > Scanner Replication.

The following information is displayed:

Status
  Status can be any of the following:
  Idle: Nothing is happening.
  Started: A replication request has been issued.
  Cancelled: Either the LDAP synchronization was cancelled manually by clicking Status > LDAP Synchronization > Cancel, or a replication was in progress when a scheduled or manual LDAP synchronization was initiated.
  In Progress: A replication request has been acknowledged by the Control Center and the process is under way.
  Success: The replication has completed successfully.
  Failed: The replication has failed. Consult your logs to identify possible causes.

Started
  The time at which the most recent replication began.

Ended
  The time at which the most recent replication finished.

Size
  The number of bytes of replicated data.

Troubleshooting replication

Replication will not complete until at least one LDAP synchronization source is available and synchronization has completed successfully. Until this happens, there is no data that replication can use to update Scanners.

Troubleshoot replication

The following techniques can help you troubleshoot replication problems.

Basic troubleshooting procedure

1 Verify that synchronization has occurred.
2 If a successful synchronization has occurred, check your replication status and take one or more of the actions described below.

To verify that synchronization has completed successfully

1 In the Control Center, click Status > LDAP Synchronization.
2 Check the Status column for a Success message. For additional information about synchronization status, see Synchronization status information on page 36.

To check replication status

1 In the Control Center, click Status > Scanner Replication.

2 Check the Status column for each attached and enabled Scanner on the list. For additional information about replication status, see Replication status information on page 38.

To troubleshoot a status message

1 If the Scanner has a Status of Success, all attached and enabled Scanners are fully updated with LDAP information and no action is required.
2 If a message is displayed indicating that replication has been cancelled, and it was not cancelled via Status > Replication and clicking Cancel, an LDAP synchronization source was found, but either synchronization has not yet completed or synchronization has failed. Check your synchronization status. (See To check replication status on page 39.) Check the Control Center log for errors about creating or moving synchronization data within the Control Center, or errors regarding communication between the Control Center and a Scanner. Check the LDAP synchronization logs for any errors that occur in transforming data from the Control Center database to a Scanner database.
3 If you see the message No scanners configured for replication, make sure that you have successfully added an LDAP synchronization server, that the initial synchronization has completed successfully, that you have enabled global replication via Settings > Replication Settings, and that replication is enabled on at least one attached and enabled Scanner via the Replication tab at Settings > Hosts > Edit.
4 If the replication process shows the message IN-PROGRESS for an unusually long period of time, the replication process has stalled. It is difficult to predict how long a replication can take. As a benchmark, a user population of 25k users and 5k distribution lists (with nesting levels ranging from 1-10) can take as much as 7.5 hours on a Dell 1850 running Linux.

To resolve a replication process with a message of In-Progress

Perform a manual replication from the Control Center. If replication still stalls, restart the Control Center software and begin the entire cycle again with a full synchronization.

Configuring Control Center settings

The Symantec Mail Security for SMTP Control Center allows you to configure the following:

Control Center administration
Control Center certificate

Configuring, enabling and scheduling Scanner replication
SMTP host
System locale

Control Center administration

You access the Control Center via a Web browser. By default, anyone with the correct address and logon information has access from any host. You can choose to limit host access to the Control Center if you wish. Users attempting to log in to the Control Center from unauthorized computers see a 403 Forbidden page in their Web browser. Reverse Domain Name Server (DNS) lookup must be enabled in your DNS software for this feature to work with host names.

When entering host names, there is a possibility that a name can be entered incorrectly. If it is the only name on the list, you have effectively blocked yourself from all access to the Control Center. See the procedure below for help resolving this situation.

Specify Control Center access or reset Control Center access

Follow these instructions to specify Control Center access or to regain access to the Control Center.

To specify Control Center access

1 In the Control Center, click Settings > Control Center.
2 Check All hosts to allow any host access to the Control Center.
3 Check Only the following hosts to assign specific hosts that may access the Control Center. All other hosts are rejected after you add one or more hosts to the list. Add and Delete buttons are available to help you manage the list of allowed hosts.
4 To add a host, type a host name, IP address, IP address with subnet mask, or Classless Inter-Domain Routing (CIDR) netblock and click Add. Specify additional computers or networks as needed.
5 Click Save to store the current settings.

To regain access to the Control Center when no host name matches the list

1 Log in to MySQL on the Control Center.
2 Select the Brightmail database:
  use brightmail;

3 Delete the host access control items from the database:
  truncate settings_host_access_control;

About specifying host names for Control Center access

When specifying host names for Control Center access, the Control Center allows clients to connect based on the Control Center's own DNS perspective. If the client's IP address resolves to a name that is allowed (a "reverse lookup"), then it is a match and the client is allowed to access the Control Center. The reverse lookup of an IP address is controlled by the owner of a netblock, not necessarily a user of that netblock, so users often have no control over what name their IP addresses resolve to. Also, two different DNS servers may each have mappings for the same netblock that are not the same. For example, the client's authoritative DNS server has a reverse lookup record of m1.example.com for the client's IP address, while the DNS server configured as the Control Center's primary DNS server has a reverse mapping of dhcp23.example.com for the same IP address. In this case, the Control Center sees the dhcp23.example.com name whenever the client connects, so that is the name that should be entered into the host access control list in the Control Center. This situation happens more frequently on private networks than on the public Internet.

Control Center certificate

Through the Control Center, you can designate a user interface HTTPS certificate. This enhances the security of the Control Center and of those logging in to it.

To designate a Control Center certificate

1 In the Control Center, click Settings > Control Center.
2 From the User interface HTTPS certificate drop-down list, select the desired choice.
3 Click Save to store the current settings.
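To make the DNS-perspective rule in About specifying host names for Control Center access concrete, here is an added Python example (not product code) that evaluates a client IP against an allowed-host list of host names, IP addresses, IP/mask pairs and CIDR netblocks. The reverse lookup is passed in as a function so that the two views from the text, the client's authoritative DNS and the Control Center's primary DNS, can be modelled with constructed PTR data; a pre-save check for the lockout situation described under Control Center administration is included. The entry forms accepted, the matching order and the PTR values are assumptions made for illustration.

```python
"""Control Center host access list matching (added example, not product code).

Models the rule that a host-name entry matches only if the client IP's
reverse lookup, as seen from the Control Center's own DNS, returns that
name. IP, IP/mask and CIDR entries match the address directly. Reverse
lookup is injected so the example runs offline against constructed PTR data.
"""
import ipaddress


def parse_entry(entry):
    """Classify an allow-list entry as a network (plain IP, IP with subnet
    mask, or CIDR netblock) or, if it is not parseable as one, a host name."""
    entry = entry.strip()
    try:
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return ("host", entry.lower().rstrip("."))


def is_allowed(client_ip, allow_list, reverse_lookup):
    """Return True if client_ip matches any entry. reverse_lookup(ip) returns
    the PTR name or None and is called at most once, and only when a
    host-name entry is present."""
    ip = ipaddress.ip_address(client_ip)
    ptr_name = None
    for kind, value in (parse_entry(e) for e in allow_list):
        if kind == "net":
            if ip in value:
                return True
        else:
            if ptr_name is None:
                ptr_name = (reverse_lookup(client_ip) or "").lower().rstrip(".")
            if ptr_name and ptr_name == value:
                return True
    return False


def would_lock_out(admin_ip, allow_list, reverse_lookup):
    """Pre-save check: True if the administrator's own connection would be
    rejected by the list (the situation that needs the MySQL recovery)."""
    return not is_allowed(admin_ip, allow_list, reverse_lookup)


# Constructed PTR data: the client's authoritative DNS and the Control
# Center's primary DNS disagree about 192.0.2.10, as in the text's example.
CLIENT_DNS = {"192.0.2.10": "m1.example.com"}
CONTROL_CENTER_DNS = {"192.0.2.10": "dhcp23.example.com"}


def client_view(ip):
    """Reverse lookup as the client's own DNS would answer it."""
    return CLIENT_DNS.get(ip)


def control_center_view(ip):
    """Reverse lookup as the Control Center's primary DNS answers it."""
    return CONTROL_CENTER_DNS.get(ip)


if __name__ == "__main__":
    for entry in ("m1.example.com", "dhcp23.example.com", "192.0.2.0/24"):
        print(entry, "->", is_allowed("192.0.2.10", [entry], control_center_view))
```

The entry m1.example.com, correct from the client's point of view, does not admit 192.0.2.10 when the Control Center's resolver answers dhcp23.example.com; a netblock entry sidesteps the resolver entirely. Running would_lock_out against the administrator's own address before saving catches the single-misspelled-name case without a trip to the database.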
Configuring, enabling and scheduling Scanner replication

In the Control Center, replication refers to the process by which LDAP data is propagated from the Control Center to attached and enabled Scanners. Replication is controlled by global settings in the Control Center and by locally configurable settings on each Scanner. The following information will assist you in configuring and scheduling replication. However, no replication can occur until you have defined one or more LDAP servers to the Control Center and one full synchronization cycle has completed. For information on setting up LDAP services, see Configuring LDAP settings on page 29.

The replication attributes on the Control Center > Replication Settings page determine how replication operates in your installation. You can determine whether replication takes place, and how often it occurs. These are in addition to settings available on local Scanners attached and enabled through the Control Center.

To configure Control Center replication settings

1 In the Control Center, click Settings > Control Center.
2 To activate Scanner replication, check Enable Scanner Replication.
3 If Scanner replication is enabled, set the frequency and interval of replication for Replicate every as follows:
  Frequency: Use this edit box to enter a digit indicating the number of intervals at which replication occurs.
  Interval: Use the combo box to select the interval of time between replications. Available choices are hours and days.
  The replication schedule should begin at a different time than the synchronization schedule to avoid schedule conflicts. For instance, if you have replication set to every 12 hours, setting the LDAP synchronization schedule to 53 minutes will help prevent one from starting while the other is in progress.
4 Click Replicate Now to have LDAP data replicated to all attached and enabled Scanners immediately.
5 Click Save to store the current settings.
6 To verify the most recent replication, click Status > Scanner Replication in the Control Center.

Note: The replication process will not complete until an LDAP synchronization source is available.

Local replication settings

Local replication settings for each Scanner are configured by editing the Scanner configuration. For more information, see Starting and stopping replication on page 38.

Additional information is available for checking the status of Scanner replication and for troubleshooting possible problems with Scanner replication in Replicating data to Scanners on page 37 and Troubleshooting replication on page 39.
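The "every 12 hours" versus "53 minutes" advice in step 3 of the replication settings procedure can be checked arithmetically. The following Python is an added example, not product code: it treats both schedules as starting at the same moment, assumes a synchronization run length (which the product does not fix, since it depends on directory size), and finds the first replication start that would land inside a running synchronization. The run length and the zero start offset are this example's assumptions.

```python
"""Replication/synchronization schedule overlap check (added example,
not product code). Both schedules are assumed to start at minute 0;
sync_duration is an assumed run length for one synchronization.
"""
from math import gcd


def first_overlap(replicate_every, sync_every, sync_duration):
    """All arguments are minutes. Return the minute of the first replication
    start (after 0) that falls while a synchronization is in progress, or
    None if no replication ever does.

    Replication k starts at k*replicate_every and overlaps a synchronization
    when (k*replicate_every) mod sync_every < sync_duration. The residues
    repeat every sync_every/gcd(replicate_every, sync_every) replications,
    so only that many need checking."""
    if sync_duration >= sync_every:
        return replicate_every  # a synchronization is always running
    period = sync_every // gcd(replicate_every, sync_every)
    for k in range(1, period + 1):
        start = k * replicate_every
        if start % sync_every < sync_duration:
            return start
    return None


def describe(minutes):
    """Render a minute count as days/hours/minutes for a schedule report."""
    if minutes is None:
        return "never"
    days, rem = divmod(minutes, 24 * 60)
    hours, mins = divmod(rem, 60)
    return f"{days}d {hours}h {mins}m"


if __name__ == "__main__":
    for sync in (60, 53):
        t = first_overlap(replicate_every=12 * 60, sync_every=sync, sync_duration=5)
        print(f"replicate every 12h, sync every {sync}m: first overlap after {describe(t)}")
```

With a 60-minute synchronization interval the very first replication, at 12 hours, starts exactly as a synchronization does. With 53 minutes and an assumed 5-minute run, the first overlap is six days out; with a 1-minute run it does not occur until 26.5 days. The interval only spreads the collisions out, which is why the text says "help prevent" rather than "prevent".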

SMTP host

The Control Center manages the sending of the following information to designated addresses and repositories at your site:

Alert notifications
Reports
Spam Quarantined messages

When the MTA for Symantec Mail Security for SMTP is used, messages that pass through it are tracked by the message tracking log facilities in the product. In order for the Control Center to know where to send information, you must supply the SMTP host IP address and port.

To specify where the Control Center should send alerts, reports, and quarantined messages

1 In the Control Center, click Settings > Control Center.
2 In the Control Center Settings section of the page, fill in the Host and Port values for the MTA.
3 Click Save to store the current settings.

System locale

The Control Center can be configured for single- and double-byte character sets and for related language settings. This is done through the Locale setting.

To configure the Control Center to handle single- and double-byte character sets and related foreign languages

1 In the Control Center, click Settings > Control Center.
2 Using the drop-down list in the System Locale section of the page, select a language from the list.

Chapter 3
Configuring email settings

Configuring address masquerading
Configuring aliases
Configuring local domains
Understanding spam settings
Configuring virus settings
Configuring invalid recipient handling
Configuring scanning settings

Configuring address masquerading
Address masquerading is a method of concealing addresses or domain names behind the mail gateway by assigning replacement values to them. Symantec Mail Security for SMTP lets you implement address masquerading on inbound mail, outbound mail, or both.

Manage masqueraded entries
Follow these steps to add or edit masqueraded entries.

To add a masqueraded entry
1 In the Control Center, click Settings > Address Masquerading.
2 Click Add.
3 Specify an address or domain to masquerade.
4 Specify a new name for the address or domain name.
5 Specify a mail flow direction to which this masqueraded name will apply: inbound, outbound, or both.

6 Click Save.

To edit a masqueraded entry
1 In the Control Center, click Settings > Address Masquerading.
2 Click the masqueraded address or domain or check a box, and then click Edit.
3 In the Edit Masqueraded Entry page, modify the masqueraded entry as desired.
4 Click Save.

Importing masqueraded entries
In addition to creating new masqueraded entries, you can import them from a text file similar to the Sendmail virtusertable. In the import file, place each masquerade address definition on a line by itself. The fields on a line must be separated by one or more spaces or tabs, or a combination of spaces and tabs. Commas and semicolons are not valid delimiters. The masquerade address definition consists of the following:
Original entry: Specifies the original address or domain name to be masqueraded.
Replacement entry: Specifies the replacement address or domain name.
Apply to: Indicates the direction to which masquerading is applied. Available choices are Inbound messages, Outbound messages, or Inbound and outbound messages (written in the file as inbound, outbound, or inbound/outbound, as in the sample below).

Following is a sample import file:
[email protected] [email protected] inbound
[email protected] [email protected] outbound
[email protected] [email protected] inbound/outbound
[email protected] new4.com inbound
[email protected] new5.com outbound
[email protected] new6.com inbound/outbound
orig7.com [email protected] inbound
orig8.com [email protected] outbound
orig9.com [email protected] inbound/outbound

To import a list of masqueraded entries
1 In the Control Center, click Settings > Address Masquerading.
2 Click Import.
3 On the Import Masqueraded Entry page, enter or browse to the filename containing the list of masqueraded entries.
4 Click Import.

Note: If entries in the import file are not specified correctly, do not match the required file format, or are duplicates, a message is displayed. You can click a link to download a file containing the unprocessed entries. Click Cancel to return to the main Address Masquerading page to review the valid imported entries.

Configuring aliases
An alias is an email address that translates to one or more other email addresses. Windows users may understand this concept as a distribution list. You can add an alias as a convenient shortcut for typing a long list of recipients. An alias can also translate addresses from one domain to another, such as from example.com to example-internetsecurity.com. Email addressed to [email protected], for example, would be delivered to [email protected].

Note: The alias functionality available on the Settings > Aliases page is separate from LDAP aliases.

Note the following additional information about aliases:
Aliases are recursive. This means that an alias specified in the destination address list is expanded as defined in the list of aliases. For example, with the aliases specified in Table 3-1, a message addressed to [email protected] would be delivered to the destination addresses for both [email protected] and [email protected], because [email protected] includes [email protected].

Table 3-1 Example of recursive aliases
Alias: [email protected]
Destination addresses: [email protected], [email protected], [email protected]
Alias: [email protected]
Destination addresses: [email protected], [email protected], [email protected]

Alias transformation does not occur for messages passing through Symantec Mail Security for SMTP's MTA to the Internet. Alias transformation only applies to inbound or internal messages that pass through Symantec Mail Security for SMTP's MTA.
The system's inbound MTA checks addresses in the SMTP envelope To: (RCPT TO) to determine whether any need to be transformed. Transformed addresses are written back to the SMTP envelope To:. The contents of the message To: and Cc: headers are ignored and not changed.
Inbound address masquerading has precedence over aliases. If the same original address or domain exists in both the address masquerading list and the aliases list, but the new address or domain is different, the message is routed to the new address or domain in the address masquerade list, not the aliases list.

Manage aliases
Follow these steps to add or edit aliases.

To add an alias
1 In the Control Center, click Settings > Aliases.
2 Click Add.
3 In the Add Aliases page, type the alias in the Alias domain or address box.
Email address: specify one user name and domain. Example: [email protected]
Domain: specify one domain from which addresses should be translated. Example: example.com
4 Type a domain or one or more destination addresses in the Domain or addresses for this alias box.
Email addresses: specify user name and domain for each address. Separate multiple addresses with a comma, semicolon, or space. Example: [email protected], [email protected]
Domain: specify one domain to which addresses should be translated. Example: symantec-internetsecurity.com

5 Click Save.

To edit an alias
1 In the Control Center, click Settings > Aliases.
2 Click the alias or check the box next to an alias, and then click Edit.
3 In the Edit aliases page, modify the text in the Alias domain or address box as desired.
4 Modify the text in the Domain or addresses for this alias box as desired.
5 Click Save.

Importing aliases
Aliases can be imported from a text file. Each address in the text file must be separated with one or more spaces or tabs, or a combination of spaces and tabs. Commas or semicolons are not valid delimiters. In the import file, each line must contain an alias address followed by one or more destination addresses. Following is a sample import file:
[email protected] [email protected] [email protected] [email protected] [email protected]
noadsorspam.com blocksads.com

To import aliases
1 In the Control Center, click Settings > Aliases.
2 Click Import.
3 On the Import Aliases page, enter or browse to the filename containing the list of aliases.
4 Click Import.

Note: If entries in the import file are not specified correctly, do not match the required file format, or are duplicates, a message is displayed. You can click a link to download a file containing the unprocessed entries. Click Cancel to return to the main Aliases page to review the valid imported entries.
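The following Python program is an added example, not part of this guide or of the product. It parses a masquerade import file and an alias import file in the whitespace-delimited formats described under Importing masqueraded entries and Importing aliases, rejecting lines that use commas or semicolons or that repeat an original entry (the "unprocessed entries" the Control Center reports), and then rewrites an inbound envelope recipient so that an inbound masquerade entry takes precedence over an alias entry and aliases expand recursively without looping. The file contents, addresses and domains are constructed. The handling of address-to-domain and domain-to-address masquerade entries, and the decision not to alias-expand an address that was already masqueraded, are assumptions, since the guide does not spell them out.

```python
# Added example (not Symantec's code): import-file parsing and inbound
# envelope rewriting for address masquerading and aliases.

DIRECTIONS = {"inbound", "outbound", "inbound/outbound"}

# Constructed masquerade import file (original, replacement, direction).
# The last two lines are deliberately invalid: comma delimiter, duplicate.
MASQ_FILE = """\
user1@orig1.example\tuser1@new1.example\tinbound
user4@orig4.example new4.example inbound
orig7.example catchall@new7.example inbound
sales@orig1.example sales@new1.example outbound
bad@orig.example bad@new.example, inbound
user1@orig1.example dup@new1.example inbound
"""

# Constructed alias import file (alias, then one or more destinations).
ALIAS_FILE = """\
all@example.test managers@example.test bob@example.test
managers@example.test alice@example.test carol@example.test
loop@example.test loop2@example.test
loop2@example.test loop@example.test
old-domain.test new-domain.test
user1@orig1.example someone@example.test
"""


def _fields(raw):
    """Split an import line on spaces/tabs; commas and semicolons are invalid."""
    if "," in raw or ";" in raw:
        return None
    return [f.lower() for f in raw.split()]


def parse_masquerade(text):
    """Return ({original: (replacement, direction)}, [unprocessed lines])."""
    entries, rejected = {}, []
    for raw in filter(str.strip, text.splitlines()):
        fields = _fields(raw)
        if fields is None or len(fields) != 3:
            rejected.append(raw)
            continue
        orig, new, direction = fields
        if direction not in DIRECTIONS or orig in entries:
            rejected.append(raw)            # bad direction or duplicate original
            continue
        entries[orig] = (new, direction)
    return entries, rejected


def parse_aliases(text):
    """Return ({alias: [destinations]}, [unprocessed lines])."""
    entries, rejected = {}, []
    for raw in filter(str.strip, text.splitlines()):
        fields = _fields(raw)
        if fields is None or len(fields) < 2 or fields[0] in entries:
            rejected.append(raw)
            continue
        entries[fields[0]] = fields[1:]
    return entries, rejected


def masquerade(addr, table, direction="inbound"):
    """Rewrite one address; an address entry wins over a domain entry.
    Assumed (the guide does not say): address->domain keeps the local part,
    domain->address sends every user of that domain to the one address."""
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    for key in (addr, domain):
        hit = table.get(key)
        if hit and hit[1] in (direction, "inbound/outbound"):
            new = hit[0]
            return new if "@" in new else f"{local}@{new}"
    return addr


def expand_alias(addr, aliases, _path=frozenset()):
    """Recursive expansion as in Table 3-1. A loop (a -> b -> a) stops at the
    first address already on the expansion path instead of recursing forever."""
    addr = addr.lower()
    if addr in _path:
        return [addr]
    path = _path | {addr}
    local, _, domain = addr.partition("@")
    if addr in aliases:
        return [a for dest in aliases[addr] for a in expand_alias(dest, aliases, path)]
    dom = aliases.get(domain)
    if dom and len(dom) == 1 and "@" not in dom[0]:     # domain-to-domain alias
        return expand_alias(f"{local}@{dom[0]}", aliases, path)
    return [addr]


def rewrite_recipient(rcpt, masq, aliases):
    """Rewrite an inbound envelope recipient: masquerading is applied first and,
    if it matched, the alias list is not consulted (the precedence rule above).
    Assumed: a masqueraded address is not alias-expanded afterwards."""
    new = masquerade(rcpt, masq, "inbound")
    if new != rcpt.lower():
        return [new]
    return list(dict.fromkeys(expand_alias(rcpt, aliases)))  # dedupe, keep order
```

Running parse_masquerade on MASQ_FILE yields four entries and two unprocessed lines; rewrite_recipient("user1@orig1.example", ...) returns the masqueraded address even though the alias file also lists that original, which is the precedence rule stated above.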

Configuring local domains
On the Local Domains page, you can view, add, edit, and delete local domain names and email addresses for which inbound messages are accepted. You can also import lists of local domains formatted as described in this section.

Work with local domains
Use these procedures to manage local domains.

To add local domains or addresses
1 In the Control Center, click Settings > Local Domains.
2 On the Local Domains page, click Add.
3 In Domain or email address from which to accept inbound mail, enter a local domain, subdomain, or email address. The resulting behavior for each setting is as follows:
Domain name (syntax: company.com): The system accepts email for all recipients in the specified domain.
Subdomain (syntax: .company.com): The system accepts email for all recipients in all subdomains of the parent domain, but not in the parent domain.
Email address (syntax: [email protected]): The system accepts email only for the specified recipient.
You can also specify a destination host to which the domain or address is routed via the Optional Destination Host field. You can specify both host name and port for the destination host as well as enable MX lookup.
Note: If you do not specify a destination host here, the domain or address is routed to the Inbound Relay you configure on the SMTP Settings page. See SMTP Scanner settings.
4 Click Save to add the domain, subdomain, or address.

To delete a local domain
1 In the Control Center, click Settings > Local Domains.
2 Select a local domain from the list of domains.
3 Click Delete.
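As an added example (not the product's code), the following Python implements the three matching rules above for an inbound recipient, the destination-host syntax, and the import-file parsing described in the next subsection, Importing local domains and addresses: a bracketed host disables MX lookup, an optional port follows the host, ESMTP is converted to SMTP, and other mailers or %backreferences are rejected as unprocessed lines. All hosts, addresses and the relay settings are constructed. Port 25 as the default, and the precedence of an exact address over a domain over a subdomain entry when more than one matches, are assumptions the guide does not state.

```python
# Added example (not Symantec's code): local domain import parsing and
# inbound recipient acceptance/routing.
import re

# mailer:host, mailer:host:port, mailer:[host], mailer:[host]:port
ROUTE_RE = re.compile(
    r"^(?P<mailer>[a-z]+):(?:\[(?P<bracketed>[^\]\s]+)\]|(?P<host>[^:\[\]\s]+))"
    r"(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)

# Constructed mailertable-like import file. The last three lines should be
# rejected: unsupported mailer, %backreference, duplicate domain.
LOCAL_DOMAINS_FILE = """\
postmaster@company.example smtp:mail1.company.example
company.example esmtp:[10.0.0.25]:2525
.company.example smtp:[mx.branch.example]
partner.example uucp:partner.example
weird.example smtp:%1.weird.example
company.example smtp:dup.company.example
"""


def parse_route(spec):
    """Turn 'smtp:[host]:port' into a route dict, or None if unsupported.
    Brackets mean 'deliver to this host, no MX lookup'. ESMTP becomes SMTP.
    Port 25 is assumed when none is given (the guide states no default)."""
    m = ROUTE_RE.match(spec)
    if not m or m.group("mailer").lower() not in ("smtp", "esmtp") or "%" in spec:
        return None
    host = m.group("bracketed") or m.group("host")
    return {
        "host": host.lower(),
        "port": int(m.group("port") or 25),
        "mx_lookup": m.group("bracketed") is None,
    }


def parse_local_domains(text):
    """Return ({domain-or-address: route}, [unprocessed lines])."""
    routes, rejected = {}, []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 2 or fields[0].lower() in routes:
            rejected.append(raw)
            continue
        route = parse_route(fields[1])
        if route is None:
            rejected.append(raw)
            continue
        routes[fields[0].lower()] = route
    return routes, rejected


def route_for(rcpt, routes, inbound_relay):
    """Decide whether RCPT TO <rcpt> is local and where it is routed.
    Returns a route dict, or None when the recipient is not local.
    Assumed precedence: exact address, then exact domain, then the nearest
    '.parent' subdomain entry. As described above, '.parent.example' matches
    hosts below parent.example but not parent.example itself. An entry whose
    route is None (no destination host given) goes to the Inbound Relay."""
    rcpt = rcpt.lower()
    local, _, domain = rcpt.partition("@")
    if not local or not domain:
        return None
    candidates = [rcpt, domain]
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        candidates.append("." + ".".join(labels[i:]))
    for key in candidates:
        if key in routes:
            return routes[key] or inbound_relay
    return None
```

A recipient in a domain that matches nothing gets None, which at the gateway is a rejection at RCPT time; a recipient under a ".company.example" entry is accepted while "company.example" itself is governed only by its own exact entry.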

Importing local domains and addresses
Lists of local domain definitions and addresses can be imported from a US-ASCII file, similar to the Sendmail mailertable. In the import file, place each domain definition on a line by itself. The domain definition consists of the following:
Domain Name: Can be either a complete domain name, a subdomain name, or an email address.
Destination: Consists of destination type and destination host name. Only definitions with a destination type (Mailer) of SMTP or ESMTP are supported, and %backreferences are not supported. After import, ESMTP destination types convert to SMTP. When the host name is enclosed in brackets, as in smtp:[destination.domain.com], MX lookup is not performed for the destination host.

Here is a sample import file:
[email protected] smtp:local1.com
[email protected] smtp:local2.com:20
[email protected] smtp:[local3.com]:30
[email protected] smtp:[local4.com]
.local5.com smtp:[ ]
local6.com smtp:[ ]:60

To import a list of local domains
1 In the Control Center, click Settings > Local Domains.
2 Click Import.
3 On the Import Local Domains page, enter or browse to the file containing the list of domain definitions.
4 Click Import.

Note: If entries in the import file do not match the required file format, you can download a file containing the unprocessed entries.

Understanding spam settings
The following types of spam settings are available in Symantec Mail Security for SMTP:
Configuring suspected spam
Choosing language identification type

Software acceleration

Configuring suspected spam
Note: This feature is only available if you are running Symantec Premium AntiSpam (SPA). If you would like to know more about this feature, contact your Symantec representative.

When evaluating whether messages are spam, Symantec Mail Security for SMTP calculates a spam score from 1 to 100 for each message, based on techniques such as pattern matching and heuristic analysis. If an email scores in the range of 90 to 100 after being filtered by Symantec Mail Security for SMTP, it is defined as spam. For more aggressive filtering, you can optionally define a discrete range of scores from 25 to 89. The messages that score within this range will be considered suspected spam. Unlike spam, which is determined by Symantec and not subject to adjustment by administrators, you can adjust the trigger for suspected spam. Using policies, you can specify different actions for messages identified as suspected spam and messages identified as spam by Symantec.

For example, assume that you have configured your suspected spam scoring range to encompass scores from 80 through 89. If an incoming message receives a spam score of 83, Symantec Mail Security for SMTP will consider this message to be suspected spam, and will apply the action you have in place for suspected spam messages, such as Modify the Message (tagging the subject line). Messages that score 90 or above will not be affected by the suspected spam scoring setting, and will be subject to the action you have in place for spam messages, such as Quarantine the Message.

Note: Symantec recommends that you not adjust the spam threshold until you have some exposure to the filtering patterns at your site. Then, gradually move the threshold setting down 1 to 5 points per week until the number of false positives is at the highest level acceptable to you.
A great way to test the effects of spam scoring is to set up a designated mailbox or user to receive false positive notifications to monitor the effects of changing the spam score threshold. Choosing language identification type Language identification is the ability to block or allow messages written in a specified language. For example, you can choose to only allow English and

Spanish messages, or block messages in English and Spanish and allow messages in all other languages. You can use one of two types of language identification:
Language identification offered by Symantec Mail Security for SMTP: Processing takes place within the software, and no further software needs to be installed. Using the Policies > Group Policies > Edit > Language tab, administrators can set language preferences or allow users to set language preferences.
Language identification offered by the Symantec Outlook Spam Plug-in: Processing takes place on each user's computer, and each user must install the Symantec Outlook Spam Plug-in. Users set their own language preferences.

Software acceleration
It is possible to increase the speed at which your software can operate. Doing so will increase your need for system memory. Software acceleration is turned on by default.

Configuring spam settings
You can use the Spam Settings page to configure settings for suspected spam, language identification, and software acceleration.

To configure spam settings
1 In the Control Center, click Settings > Spam.
2 Under Do you want messages to be flagged as suspected spam?, click Yes.
3 Click and drag the slider to increase or decrease the lower limit of the range for suspected spam. You can also type a value in the box.
4 Under Do you want to enable Language Identification, click Yes or No.
Yes: Click Yes if users will use the Symantec Outlook Spam Plug-in for language identification. Built-in language identification is disabled, and can't be accessed in the Edit Group page.
No: Click No to use the built-in language identification. Symantec Outlook Spam Plug-in language identification won't work if you click No.
5 Under Software acceleration, check Enable antispam software acceleration.

6 Click Save.

Configuring virus settings
The following types of virus settings are available in Symantec Mail Security for SMTP:
Configuring LiveUpdate
Excluding files from virus scanning
Configuring general settings

Configuring LiveUpdate
LiveUpdate is the process by which your system receives current virus definitions from Symantec Security Response.

Work with LiveUpdate
Follow these procedures to view LiveUpdate status, start LiveUpdate, and schedule LiveUpdate to run automatically.

To view LiveUpdate status
1 Click Settings > Virus. The top portion of the LiveUpdate tab shows the time of the last update attempt, its status, and the update version number.
2 Click View Manifest to view a complete list of virus definitions contained in this update.

To initiate a LiveUpdate
1 Click Settings > Virus.
2 Click LiveUpdate.
3 Click the LiveUpdate Now button.

To set the LiveUpdate schedule
1 Click Settings > Virus.
2 Click LiveUpdate.
3 To discontinue using an automatic update schedule, click the Disable automatic updates button.
4 To implement scheduled automatic updates, click the Enable scheduled updates button.

5 Specify a day or days of the week and time at which to begin LiveUpdates.
6 Specify an interval of time after which LiveUpdate runs again.

Configuring Rapid Response updates
Rapid Response updates retrieve the very latest virus definitions from Symantec Security Response. While Rapid Response definitions are published more frequently (every 10 minutes) than automatic update definitions, they are not as thoroughly tested.

To receive Rapid Response updates
1 Click Settings > Virus.
2 Click LiveUpdate.
3 Click Enable Rapid Response updates. Symantec Mail Security for SMTP checks every 10 minutes after this setting is saved.
4 Click Save.

Installing non-default definitions
Symantec Mail Security for SMTP employs the Intelligent Updater to update virus definitions. You can also update antivirus files with any other Symantec definitions downloaded to the computer running Symantec Mail Security for SMTP.

To enable installation of non-default definitions
Check the box Check for and install non-default definitions.

Excluding files from virus scanning
You can exclude specific classes and formats of files (such as .wav or MIDI) from being scanned by Symantec Mail Security for SMTP.

To exclude a class and format of file from virus scanning
1 Click Settings > Virus.
2 Click Exclude Scanning.
3 Click Add to create a definition of files for exclusion from virus scanning.
4 Name the definition by placing a value in Exclude scanning list name.
5 In the File Classes list, choose All File Classes or a specific class such as Sound.

6 If you choose to exclude specific file classes, you can also select the types of files in that class to be excluded in the File Type list.
7 Click the Add File Classes or Add File Types button.
8 Click Save to store a list.

Configuring general settings
The Bloodhound level determines the way in which the system uses heuristics to flag viruses. Symantec Mail Security uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. Bloodhound technology is capable of detecting upwards of 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead because it examines only message bodies and attachments that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a message or attachment is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.

Lower heuristic levels may miss viruses, but consume less processing power, potentially speeding incoming mail processing. Higher heuristic levels may catch more viruses, but consume more processing power, potentially slowing incoming mail processing.

To set the Bloodhound Level
1 Click Settings > Virus.
2 Under Bloodhound Level, click the High, Medium, Low, or Off button.
3 Click Save.

Configuring invalid recipient handling
By default, when an email message arrives addressed to your domain, but is not addressed to a valid user, Symantec Mail Security for SMTP passes the message to the internal mail server.
The internal mail server may either accept the message and generate a bounce message for that recipient, or the internal mail server may reject the recipient, in which case Symantec Mail Security for SMTP generates a bounce message for the recipient. Upon receiving the bounce message, the sender can resend the original message with the correct address.

However, messages with invalid recipients can also result from a spammer's directory harvest attack. You can drop all messages for invalid recipients using the Drop messages for invalid recipients action described below. There is a Remove invalid recipients action available on the Policies > Attacks > Directory Harvest Attack page that only removes invalid recipients if a directory harvest attack is occurring. These two settings can be combined or enabled individually.

Note: Dropping messages for invalid recipients is an extreme measure. Enabling it may prevent diagnosis of serious problems with your configuration, so only enable it after you're sure your system is stable. Also, if enabled, even accidentally mis-addressed messages will be dropped, and no bounce message sent. The Remove invalid recipients action available on the Policies > Attacks > Directory Harvest Attack page is a less extreme measure.

To configure invalid recipient handling
1 In the Control Center, click Settings > Invalid Recipients.
2 Do one of the following:
Uncheck Drop messages for invalid recipients to return bounce messages to the sender for invalid addresses.
Check Drop messages for invalid recipients to drop invalid messages from the mail stream and return no bounce messages to the sender. For this setting to take effect, a full synchronization and replication cycle must be completed. This setting is independent of the Directory Harvest Attack Firewall policy, and can be used in conjunction with it.
3 Click Save.

Configuring scanning settings
Use the Scanning Settings page to configure container settings and content filtering settings.

Configuring container settings
When Symantec Mail Security for SMTP processes certain zip files and other types of compressed files, these files can expand to the point where they deplete system memory. Such container files are often referred to as zip bombs.
Symantec Mail Security for SMTP can handle such situations by automatically sidelining large attachments and cleaning them. There is a presumption that such a file can be a zip bomb and should not be allowed to deplete system resources. The file is sidelined for cleaning only because of its size, not because of any indication that it contains a virus. You can specify this size threshold and the maximum extraction level that Symantec Mail Security for SMTP will process in memory, as well as a time limit for scanning containers. If the configured limits are reached, Symantec Mail Security for SMTP will automatically perform the action designated for the unscannable category in the Group Policies settings.

To configure container settings
1 In the Control Center, click Settings > Scanning.
2 Under Container Settings, specify a number in the Maximum container scan depth box. A container is unscannable for viruses if the nested depth in a container file (such as a .zip file or an email message) exceeds the number specified. Do not set this value too high or you could be vulnerable to denial of service attacks or zip bombs, in which huge amounts of data are zipped into very small files.
3 Specify a number in the Maximum time to open container box and click Seconds, Minutes, or Hours. A container is unscannable for viruses if the specified time elapses while scanning containers (such as .zip files). Use this setting to detect containers that don't exceed the other container settings, but include container nesting, many files, large files, or a combination of these.
4 Specify a number in the Maximum individual file size when opened box and click KB, MB, or GB. A container is unscannable for viruses if any individual component of the container when unpacked exceeds the size specified.
5 Specify a number in the Maximum accumulated file size when opened box and click KB, MB, or GB.
A container is unscannable for viruses if the total size of all the files in a container when unpacked exceeds the size specified.
6 Click Save.

Configuring content filtering settings
In addition to checking plain text files against words as defined in content-related policies, Symantec Mail Security for SMTP can also check attachments that are not plain-text files against these dictionaries. While such checking maximizes the effect of content filtering, it can also increase the system load and slow down filtering.

To check attachments that are not plain text against your dictionaries
1 Click Settings > Scanning.
2 In Content Filtering Settings, check Enable searching of non-plain text attachments for words in dictionaries. This can decrease system efficiency.
3 Click Save.
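As an added example, not code from the product, the following Python walks a nested zip attachment and enforces the four Container Settings described above (scan depth, time to open, individual file size, accumulated file size), returning the unscannable verdict as soon as one limit is hit so that the policy action for the unscannable category can be applied. The archives are constructed in memory. Sizes are counted on the bytes actually inflated rather than on the sizes declared in the zip headers, since a crafted container can misstate those; the limit values used in the usage note are arbitrary.

```python
# Added example (not Symantec's code): container limit enforcement against
# zip bombs, mirroring the four Container Settings.
import io
import time
import zipfile
from dataclasses import dataclass

CHUNK = 64 * 1024


@dataclass
class ContainerLimits:
    max_depth: int          # Maximum container scan depth
    max_seconds: float      # Maximum time to open container
    max_file_bytes: int     # Maximum individual file size when opened
    max_total_bytes: int    # Maximum accumulated file size when opened


def build_nested_zip(depth, payload):
    """Constructed test data: `payload` wrapped in `depth` nested zip files."""
    data, name = payload, "payload.bin"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def build_flat_zip(count, size):
    """Constructed test data: one zip holding `count` members of `size` zero bytes
    (compresses to almost nothing, which is the zip bomb pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(count):
            zf.writestr(f"member{i}.bin", b"\0" * size)
    return buf.getvalue()


def scan_container(blob, limits):
    """Return 'scannable' or 'unscannable: <limit hit>' for an attachment."""
    state = {"total": 0, "deadline": time.monotonic() + limits.max_seconds}
    return _walk(io.BytesIO(blob), 1, limits, state)


def _walk(fileobj, depth, limits, state):
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return "scannable"      # a plain file: the AV engine scans it directly
    if depth > limits.max_depth:
        return "unscannable: max container scan depth"
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            size, inner = 0, io.BytesIO()
            with zf.open(info) as member:
                while True:
                    if time.monotonic() > state["deadline"]:
                        return "unscannable: max time to open container"
                    chunk = member.read(CHUNK)      # inflate incrementally
                    if not chunk:
                        break
                    size += len(chunk)
                    state["total"] += len(chunk)    # accumulated across all members
                    if size > limits.max_file_bytes:
                        return "unscannable: max individual file size"
                    if state["total"] > limits.max_total_bytes:
                        return "unscannable: max accumulated file size"
                    inner.write(chunk)
            inner.seek(0)
            verdict = _walk(inner, depth + 1, limits, state)   # nested container?
            if verdict != "scannable":
                return verdict
    return "scannable"
```

With limits of depth 3, 512 KB per file and 2 MB accumulated, a zip holding one 1 MB file of zeros (a few KB on the wire) trips the individual limit after nine 64 KB chunks, and five 500 KB members that each pass the individual limit trip the accumulated limit in the fifth member; both are stopped before the whole archive is inflated into memory.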


Chapter 4
Configuring filtering

This chapter includes the following topics:
About filtering
Creating groups and adding members
Assigning filter policies to a group
Managing Group Policies
Creating virus, spam, and compliance filter policies
Managing Firewall policies
Configuring Sender Authentication
Managing policy resources

About filtering
Although Symantec Mail Security for SMTP provides default settings for dealing with spam and viruses, you will likely want to tailor the actions taken on spam and viruses to suit your requirements. Content filtering and Firewall policies offer further methods of managing mail flow into and out of your organization.

Symantec Mail Security for SMTP provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct user groups. You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict.

Each category of email includes one or more verdicts. Verdicts are the conclusions reached on a message by the filtering process. Symantec Mail Security for SMTP performs actions on a message based on the verdict applied to that message, and the groups that include the message recipient as a member. The following table lists filtering verdicts by filtering category:

Table 4-1 Filtering verdicts by category

Filtering category: Firewall
Directory harvest attack: Connection is blocked because an attempt is underway, via email sent from the same IP address to a specified number of non-existent recipient addresses in your domain, to capture valid email addresses.
Spam attack: Connection is blocked because a specified quantity of spam messages has been received from a particular IP address.
Virus attack: Connection is blocked because a specified quantity of infected messages has been received from a particular IP address.

Filtering category: Virus
Virus: Email is flagged because it contains a virus, based on current Symantec virus filters.
Mass-mailing worm: Email is flagged because it contains a mass-mailing worm, based on current virus filters from Symantec.
Unscannable for viruses: Email is flagged because it exceeds the container limits configured on the Scanning Settings page, or because it is unscannable for other reasons, such as malformed MIME attachments.
Encrypted attachment: Email is flagged because it contains an attachment that is encrypted or password-protected and therefore cannot be scanned.
Spyware or adware: Email is flagged because it contains any of the following types of security risks: spyware, adware, hack tools, dialers, joke programs, or remote access programs. See Security risks on page 70 for descriptions of these risks.
Suspicious attachment: Email is flagged because it contains an attachment that may contain a virus or other threat.

Filtering category: Spam
Spam: Email is flagged as spam, based on current spam filters from Symantec.
Suspected spam: Email is flagged as suspected spam based on administrator-configurable Spam Scoring.
Filtering category: Content Compliance
Any part of a message: Email is flagged because it contains keywords in your configurable dictionary.

Table 4-1 Filtering verdicts by category (Continued)
Attachment type: Email is flagged because it contains a specific attachment type.
Attachment content: Email is flagged because specific text appears with a specific frequency in its attachments.
Subject: Email is flagged based on the text in the Subject: line.
From: Address: Email is flagged based on the text in the From: address.
To: Address: Email is flagged based on the text in the To: address.
Cc: Address: Email is flagged based on the text in the Cc: address.
Bcc: Address: Email is flagged based on the text in the Bcc: address.
To:/Cc:/Bcc: Address: Email is flagged based on the text in the To:, Cc:, or Bcc: address.
From:/To:/Cc:/Bcc: Address: Email is flagged based on the text in the From:, To:, Cc:, or Bcc: address.
Envelope Sender: Email is flagged because its envelope contains a particular sender address.
Envelope Recipient: Email is flagged because its envelope contains a particular recipient address.
Envelope HELO: Email is flagged because its envelope contains a particular SMTP HELO domain.
Message Header: Email is flagged because it contains a particular header.
Message Size: Email is flagged because it is a particular size.
Body: Email is flagged based on the text in the body.
For all messages: All email not filtered by a higher-precedence policy is flagged.

The following table shows the filtering actions available for each verdict.

Note: See Notes on filtering actions on page 66 for additional limitations.

Table 4-2 Filtering actions by verdict
Verdict columns: Directory harvest attack; Spam attack; Virus attack; Virus; Spam, Suspected Spam; Content Compliance

Add a header: Add an X-header to the message.
Add annotation: Insert predefined text into the message (a disclaimer, for example).
Add BCC recipients: Blind carbon copy the message to the designated SMTP address(es).
Archive the message: Deliver the original message and forward a copy to the designated SMTP address, and, optionally, host.
Bounce the message: Return the message to its From: address with a custom response, and deliver it to the recipient. Optionally, the original message can be included.
Clean the message: Delete unrepairable virus infections and repair repairable virus infections.
Defer SMTP connection: Using a 4xx SMTP response code, tell the sending MTA to try again later.
Delay message delivery: Hold the message in the Suspect Virus Quarantine for a configured number of hours (default is six hours), then refilter, using new virus definitions, if available. Only available for the suspicious attachment verdict.
Delete the message: Delete the message.
Deliver the message normally: Deliver the message. Viruses and mass-mailing worms are neither cleaned nor deleted.

Table 4-2 Filtering actions by verdict (Continued)
Deliver message to the recipient's Spam folder: Deliver the message to end-user Spam folder(s). Requires use of the Symantec Spam Folder Agent for Exchange or the Symantec Spam Folder Agent for Domino.
Forward the message: Forward the message to designated SMTP address(es).
Hold message in Spam Quarantine: Send the message to the Spam Quarantine.
Modify the Subject line: Add a tag to the message's Subject: line.
Reject SMTP connection: Using a 5xx SMTP response code, notify the sending MTA that the message is not accepted.
Remove invalid recipients: If a directory harvest attack is taking place, remove each invalid recipient rather than sending a bounce message to the sender. You must complete LDAP synchronization and Scanner replication before enabling this feature.
Route the message: Route the message using the designated SMTP host.
Save to disk: Save the message to a standard location on the Scanner computer. On Solaris or Linux, you must specify a writable directory.
Send notification: Deliver the original message and send a predefined notification to designated SMTP address(es) with or without attaching the original message.
Strip and hold in Suspect Virus Quarantine: Remove all message attachments and hold the message in the Suspect Virus Quarantine for a configured number of hours (default is six hours). Then refilter, with new virus definitions, if available. Only available for the suspicious attachment verdict.
Strip attachments: Remove all message attachments.

Table 4-2 Filtering actions by verdict (Continued)
Treat as a blocked sender: Process the message using the action(s) specified in the domain-based Blocked Senders List. Applies even if the domain-based Blocked Senders List is disabled, and applies to inbound messages only.
Treat as a mass-mailing worm: Process the message using the action(s) specified in the associated worm policy. The message is delivered normally if the worm policy is disabled or does not apply because of message direction.
Treat as an allowed sender: Process the message using the action(s) specified in the domain-based Allowed Senders List. Applies even if the domain-based Allowed Senders List is disabled, and applies to inbound messages only.
Treat as a virus: Process the message using the action(s) specified in the associated virus policy. The message is delivered normally if the virus policy is disabled or does not apply because of message direction.
Treat as spam: Process the message using the action(s) specified in the associated spam policy. The message is delivered normally if the spam policy is disabled or does not apply because of message direction.
Treat as suspected spam: Process the message using the action(s) specified in the associated suspected spam policy. The message is delivered normally if the suspected spam policy is disabled or does not apply because of message direction.

Notes on filtering actions
When using Table 4-2 consider the following limitations:
All Virus verdicts except suspicious attachments share the same available actions. Two additional actions, Delay message delivery and Strip and hold in Suspect Virus Quarantine, are available only for the suspicious attachment verdict.
All Spam verdicts share the same available actions.
All Content Compliance verdicts share the same available actions.
Messages from senders in the Allowed Senders Lists are always delivered directly to end-user mailboxes, bypassing spam filtering.
When using the Modify the subject action, you can specify the character set encoding to use. If the encoding you choose is different from the encoding used by the original message, either the message or the modified subject line will not be displayed correctly.
When using the Save to disk action on Solaris or Linux, you must specify a writable directory.
By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages. See Table 4-5, Virus categories and default actions, on page 75.
The Bounce the message action returns the message to its From: address. Because that address is routinely forged in spam and virus mail, bouncing such messages sends backscatter to uninvolved third parties.

Multiple actions
You can create compound actions, performing multiple actions for a particular verdict. An example follows:
1 Defining a virus policy, the administrator selects the Virus verdict and then assigns the actions Clean, Add annotation, and Send notification to the policy.
2 Defining a Group Policy, the administrator assigns members then selects the new virus policy.
3 An email message is received whose recipients include someone in the new Group Policy.
4 Symantec Mail Security for SMTP cleans the message, annotates it, then sends a notification to its intended recipients.

The following table lists the limitations on combining actions.

Table 4-3 Compatibility of filtering actions by verdict

Each entry names the action, the other actions it can be combined with in the same policy, and whether it can be added to a policy more than once.

Add a header: any action except Delete the message; once only.
Add annotation: any except Delete the message; one for the header or one for the footer, but not both.
Add BCC recipients: any except Delete the message; can be added multiple times.
Archive the message: any; once only.
Bounce the message: any; once only.
Clean the message: any except Delete the message; once only.
Defer SMTP connection: cannot be used with other actions; once only.
Delay message delivery: any except Delete the message, Deliver message normally, Hold the message in Spam Quarantine, and Strip and delay (the table's short name for Strip and hold in Suspect Virus Quarantine); once only.
Delete the message: only Bounce the message, Send notification, and Archive the message; once only.
Deliver message normally: any except Delay message delivery, Delete the message, Quarantine the message (Hold message in Spam Quarantine), and Strip and delay; once only.
Deliver the message to the recipient's Spam folder: any except Delete the message; once only.
Forward the message: any except Delete the message; can be added multiple times.
Hold message in Spam Quarantine: any except Delay message delivery, Deliver the message normally, Delete the message, and Strip and delay; once only. If used with Deliver the message to the recipient's Spam folder, affected messages are quarantined, but messages released from Spam Quarantine are delivered to the recipient's Spam folder.
Modify the Subject line: any except Delete the message; one for prepend and one for append.

Table 4-3 Compatibility of filtering actions by verdict (continued)

Reject SMTP connection: cannot be used with other actions; once only.
Remove invalid recipients: any except Delete the message; once only.
Route the message: any except Delete the message; once only.
Save to disk: any; once only.
Send notification: any except Delete the message; once only. (The Delete the message entry above does list Send notification as a permitted companion; verify the combination in the Control Center before relying on it.)
Strip and hold message in Suspect Virus Quarantine: any except Delete the message, Deliver message normally, Hold the message in Spam Quarantine, and Delay message delivery; once only.
Strip attachments: any except Delete the message; can be added multiple times.
Treat as a blocked sender: cannot be used with other actions; once only.
Treat as a mass-mailing worm: cannot be used with other actions; once only.
Treat as an allowed sender: cannot be used with other actions; once only.
Treat as a virus: cannot be used with other actions; once only.
Treat as spam: cannot be used with other actions; once only.
Treat as suspected spam: cannot be used with other actions; once only.

Multiple policies

If more than one policy may apply to a message, the policy that is applied depends on the direction the message is traveling: for an outbound message the policy is chosen by sender, and for an inbound message by recipient.
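The two rules that govern what the Scanner actually does with a message, which verdict wins when several match (the defer/reject-first rule and the precedence order given in the About precedence section that follows) and which actions may share a policy (Table 4-3), are easy to get wrong when read from prose. The following Python is an added example, not Symantec code: it encodes the precedence list verbatim and our own reading of Table 4-3. Where the table's rows disagree (Send notification says "any except Delete" while Delete lists Send notification) it follows the Delete row; the table's short names Quarantine the message and Strip and delay are taken to mean the two quarantine holds. Those two interpretations are assumptions.

```python
from collections import Counter

# Order of precedence, highest first, copied from the "About precedence" list.
PRECEDENCE = [
    "Virus attack", "Worm", "Virus", "Spyware or adware",
    "Suspicious attachment", "Unscannable", "Encrypted attachment",
    "End user-defined Allowed Senders List",
    "End user-defined Blocked Senders List",
    "Administrator-defined, IP-based Allowed Senders List",
    "Administrator-defined, IP-based Blocked Senders List",
    "Administrator-defined, domain-based Allowed Senders List",
    "Administrator-defined, domain-based Blocked Senders List",
    "Spam attack", "Directory harvest attack", "Safe Senders List",
    "Open Proxy Senders", "Third Party Services Allowed Senders List",
    "Third Party Services Blocked Senders List",
    "Content Compliance policies", "Dropped invalid recipient", "Spam",
    "Blocked language", "Suspected spam", "Suspected Spammers",
    "Sender authentication failure",
]
RANK = {v: i for i, v in enumerate(PRECEDENCE)}
CONNECTION_ACTIONS = {"Defer SMTP connection", "Reject SMTP connection"}


def winning_verdict(matches):
    """matches maps each verdict that fired to its configured action list.
    A verdict whose actions defer or reject the connection beats every other
    verdict; among equals, the one earlier in PRECEDENCE wins.  Only the
    winner's actions are applied; lower-precedence verdicts are ignored."""
    if not matches:
        return None

    def key(verdict):
        hits_connection = bool(set(matches[verdict]) & CONNECTION_ACTIONS)
        return (0 if hits_connection else 1, RANK.get(verdict, len(PRECEDENCE)))

    return min(matches, key=key)


DELETE = "Delete the message"
DELETE_ALLOWS = {"Bounce the message", "Send notification", "Archive the message"}
# Actions that must stand alone (Table 4-3: "Can't be used with other actions").
EXCLUSIVE = CONNECTION_ACTIONS | {
    "Treat as a blocked sender", "Treat as a mass-mailing worm",
    "Treat as an allowed sender", "Treat as a virus", "Treat as spam",
    "Treat as suspected spam",
}
# Delivery dispositions that exclude one another (assumption: the table's
# "Quarantine the message" and "Strip and delay" are the two quarantine holds).
DISPOSITIONS = {
    "Delay message delivery", "Deliver message normally",
    "Hold message in Spam Quarantine",
    "Strip and hold message in Suspect Virus Quarantine",
}
UNLIMITED = {"Add BCC recipients", "Forward the message", "Strip attachments"}
TWO_SLOTS = {"Add annotation", "Modify the Subject line"}  # header/footer, prepend/append


def compatible(a, b):
    """Pairwise rule from Table 4-3 (Delete row wins where rows disagree)."""
    if a in EXCLUSIVE or b in EXCLUSIVE:
        return False
    if DELETE in (a, b):
        return (b if a == DELETE else a) in DELETE_ALLOWS
    return not (a in DISPOSITIONS and b in DISPOSITIONS)


def validate_actions(actions):
    """Return a list of problems; an empty list means the combination is allowed."""
    problems = []
    counts = Counter(actions)
    for act, n in counts.items():
        limit = None if act in UNLIMITED else 2 if act in TWO_SLOTS else 1
        if limit is not None and n > limit:
            problems.append(f"{act} added {n} times (limit {limit})")
    names = list(counts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if not compatible(a, b):
                problems.append(f"{a} cannot be combined with {b}")
    return problems


if __name__ == "__main__":
    fired = {"Virus": ["Clean the message"], "Spam attack": ["Defer SMTP connection"]}
    print("winner:", winning_verdict(fired))   # Spam attack: defer beats a higher verdict
    print(validate_actions([DELETE, "Add a header"]))
```

Run it against a proposed policy before saving it in the Control Center; an empty list from validate_actions means the combination is one Table 4-3 permits, and winning_verdict shows which single verdict's actions would run.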

Security risks

Symantec Mail Security for SMTP can detect security risks. Security risks are programs that do any of the following:

- Provide unauthorized access to computer systems
- Compromise data integrity, privacy, confidentiality, or security
- Present some type of disruption or nuisance

These programs can put your employees and your organization at risk of identity theft or fraud by logging keystrokes, capturing email and instant messaging traffic, or harvesting personal information such as passwords and login identifiers. Security risks can be introduced into your system unknowingly when users visit a Web site, download shareware or freeware, click links or attachments in email messages, or use instant messaging clients. They can also be installed after, or as a by-product of, accepting an end user license agreement for another program that is related or linked in some way to the security risk.

Table 4-4 lists the categories of security risks that Symantec Mail Security for SMTP detects. Each of them produces the spyware or adware verdict.

Table 4-4 Security risk categories included in the spyware or adware verdict

Adware: Stand-alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user's knowledge. Adware might monitor browsing habits for advertising purposes. It can also deliver advertising content.

Hack tools: Programs used to gain unauthorized access to a user's computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. The remote user can perform port scans or vulnerability scans. Hack tools might also be used to create viruses.

Dialers: Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

Joke programs: Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycle Bin away from the mouse when the user tries to click on it.

Table 4-4 Security risk categories included in the spyware or adware verdict (continued)

Remote access programs: Programs that let a remote user gain access to a computer over the Internet to gain information, attack, or alter the host computer.

Spyware: Stand-alone programs that can secretly monitor system activity, detect passwords and other confidential information, and then relay the information back to a remote computer.

About precedence

Determining the precedence of different types of filtering for a particular message depends on many factors. For more information on the lists discussed below, see Configuring sender groups on page 95.

If more than one verdict matches a message, the following rules apply:

- Any matching verdict that calls for an action of defer or reject takes precedence over verdicts that call for other actions.
- If several matching verdicts call for defer or reject, the one that appears first in the precedence list below takes precedence.
- If no matching verdict calls for defer or reject, the matching verdict that appears first in the precedence list takes precedence.

Although a verdict can call for multiple actions, only one verdict determines the actions that are taken on a message. Actions called for by lower-precedence verdicts are not applied.

Order of precedence, highest first:

Virus attack
Worm
Virus
Spyware or adware
Suspicious attachment (suspected virus)
Unscannable
Encrypted attachment
End user-defined Allowed Senders List
End user-defined Blocked Senders List
Administrator-defined, IP-based Allowed Senders List
Administrator-defined, IP-based Blocked Senders List
Administrator-defined, domain-based Allowed Senders List
Administrator-defined, domain-based Blocked Senders List
Spam attack
Directory harvest attack
Safe Senders List (part of the Sender Reputation Service)
Open Proxy Senders (part of the Sender Reputation Service)
Third Party Services Allowed Senders List
Third Party Services Blocked Senders List
Content Compliance policies
Dropped invalid recipient
Spam
Blocked language
Suspected spam
Suspected Spammers (part of the Sender Reputation Service)
Sender authentication failure

Note that end user-defined lists have precedence over all other lists. This may affect your decision about whether to enable end user preferences. Lists that you create also have precedence over lists created by Symantec. However, third-party DNS blacklists do not have priority over all Symantec lists: in a conflict between Open Proxy Senders and an entry from a DNS blacklist, Open Proxy Senders wins.

Creating groups and adding members

Group policies are configurable message management options for an unlimited number of user groups that you define. A policy collects the spam, virus, and content filtering verdicts and actions for a group.

Add or remove members from a group

You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify filtering actions for different categories of email.

Note: To edit a group member, for example to correct a typo, delete the member and add it again. There is no edit button for group members.

To create a new Group Policy

1 In the Control Center, click Policies > Group Policies. This page lists each Group Policy. The Default Group Policy, which contains all users and all domains, appears last. Although you can add or modify actions for the Default Group Policy, you cannot add members to it, and you cannot delete or disable it.
2 On the Group Policies page, click Add.
3 Enter a name in the Group Name box.
4 Click Save.

To add a new member to a Group Policy

1 In the Control Center, click Policies > Group Policies.
2 Click the underlined name of the Group Policy you want to edit.
3 Ensure that the Members tab is displayed, and click Add.
4 Specify members using one or both of the following methods:

Type email addresses, domain names, or both in the box. To specify multiple entries, separate them with a comma, semicolon, or space, but do not combine a comma and a space or a semicolon and a space. Use * to match zero or more characters and ? to match a single character. To add all recipients of a particular domain as members, type an entry such as *@domain.com. If you use a wildcard in the domain part of a member entry, precede the domain with the @ symbol, and precede the @ symbol with a wildcard, a specific user, or a combination of the two. The following examples are valid uses of wildcards:

user@domain.*
user*@dom*.com
ali*@sub*.domain.com

These examples are not valid and will not match any users:

dom*.com
sub*.domain.com

Check the box next to one or more LDAP groups. The LDAP groups listed on this page are loaded from your LDAP server. See Configuring LDAP settings on page 29 for information about configuring LDAP.

5 Click Add members to add the new member(s).
6 Click Save on the Edit Group page.

To delete a Group Policy member

1 On the Members tab of the Add Group page, check the box next to one or more addresses, domains, or LDAP groups, and then click Delete.
2 Click Save on the Edit Group page.

To import Group Policy members from a file

1 On the Members tab of the Add Group page, click Import.
2 Enter the path and filename (or click Browse to locate the file on your hard disk), and then click Import. Put each domain or address on its own line in a plain text file. A sample file:

[email protected]
[email protected]
ben*@example.com
example.net
*.org

The entries behave as follows: the first two entries match those exact addresses; ben*@example.com matches any address at example.com whose user part begins with ben; example.net matches all addresses in example.net; *.org matches all addresses in any domain ending with .org.

3 Click Save.
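The member-entry rules above (wildcards, the "domain without @ never matches" cases, the import-file forms) together with the group lookup described later under Managing Group Policies (the first enabled group in list order wins, the Default group is always last) and the direction rule under Multiple policies (outbound mail is matched on the sender, inbound on the recipient) can be modelled in a few dozen lines. The following Python is an added example, not Symantec code. Where the guide is silent it makes stated assumptions: a bare domain such as example.net does not cover its subdomains, a wildcard never crosses the @, and an entry with an empty user part before @ is rejected. The import file and addresses are constructed for the example.

```python
import re


def _glob(part):
    """Translate one side of an entry: * = zero or more characters, ? = one
    character (assumption: neither crosses the '@'); all else is literal."""
    return "".join("[^@]*" if c == "*" else "[^@]" if c == "?" else re.escape(c)
                   for c in part)


def compile_member(entry):
    """Compile one Members-list entry to a regex.  Raises ValueError for the
    forms the guide says never match: a wildcard domain with no '@' before it
    ('dom*.com', 'sub*.domain.com').  A bare domain ('example.net') covers
    every address in exactly that domain (assumption: not subdomains) and
    '*.org' every domain ending in '.org'."""
    e = entry.strip().lower()
    if not e:
        raise ValueError("empty entry")
    if "@" in e:
        local, _, domain = e.partition("@")
        if not local or not domain:          # assumption: both parts required
            raise ValueError(f"need user part and domain part: {entry!r}")
        return re.compile(rf"^{_glob(local)}@{_glob(domain)}$")
    if e.startswith("*.") and not any(c in e[2:] for c in "*?"):
        return re.compile(rf"^[^@]+@[^@]+\.{re.escape(e[2:])}$")
    if "*" in e or "?" in e:
        raise ValueError(f"wildcard domain without '@' never matches: {entry!r}")
    return re.compile(rf"^[^@]+@{re.escape(e)}$")


def is_valid_member(entry):
    try:
        compile_member(entry)
        return True
    except ValueError:
        return False


def load_members(text):
    """Import-file format: one address or domain per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


class GroupPolicy:
    """A named member list.  The Default group matches everyone and, as in the
    Control Center, takes no members of its own."""

    def __init__(self, name, members=(), enabled=True, default=False):
        self.name, self.enabled, self.default = name, enabled, default
        self.patterns = [] if default else [compile_member(m) for m in members]

    def contains(self, address):
        if self.default:
            return True
        a = address.strip().lower()
        return any(p.match(a) for p in self.patterns)


def find_group(groups, address):
    """Find User semantics: the first *enabled* group, in list order, that
    contains the address.  The list must end with the Default group."""
    for g in groups:
        if g.enabled and g.contains(address):
            return g.name
    return None


def policy_group(groups, sender, recipient, direction):
    """Multiple policies: outbound mail is matched on the sender, inbound on
    the recipient."""
    return find_group(groups, sender if direction == "outbound" else recipient)


# Constructed import file and group list for the example.
SAMPLE_IMPORT = """\
alice@example.com
ben*@example.com
example.net
*.org
"""
GROUPS = [
    GroupPolicy("Executives", ["ceo@example.com"], enabled=False),
    GroupPolicy("Sales", load_members(SAMPLE_IMPORT)),
    GroupPolicy("Default", default=True),
]

if __name__ == "__main__":
    for addr in ("alice@example.com", "benjamin@example.com", "ceo@example.com"):
        print(addr, "->", find_group(GROUPS, addr))
```

Because Executives is disabled, ceo@example.com falls through to Default even though an entry for it exists; that is the behaviour to expect from Find User after disabling a group, and it is why the order set with Move Up and Move Down matters when one address appears in several groups.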

Note: The maximum number of entries in the Members list for a Group Policy is 10,000. If you need more, contact your Symantec representative for instructions on configuring MySQL and Tomcat to support more entries. The limit applies to entries in the Members list, not to the number of users at your company, so where possible use domain names, subdomain names, or wildcards in addresses rather than listing users individually.

To export Group Policy members to a file

1 On the Members tab of the Add Group page, click Export.
2 Complete your operating system's save file dialog box.

Note: LDAP groups cannot be imported or exported. If you export from a group that includes LDAP groups, the LDAP groups are omitted from the export.

Assigning filter policies to a group

By default, groups you create are assigned the default filter policies for spam and viruses (there is no default compliance policy). Follow the steps in the sections below to assign different filter policies to groups. You may first want to create your own filter policies; see Creating virus, spam, and compliance filter policies on page 82.

Selecting virus policies for a group

Virus policies determine what to do with inbound and outbound messages that contain any of six categories of threats. Table 4-5 lists the categories and the default action for each.

Table 4-5 Virus categories and default actions

Viruses: Clean the message
Mass-mailing worms: Delete the message
Unscannable messages: Delete the message
Encrypted attachments: Prepend [WARNING ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] to the Subject: header

Table 4-5 Virus categories and default actions (continued)

Spyware or adware: Prepend [SPYWARE OR ADWARE INFECTED] to the Subject: header
Suspicious attachments: Inbound message: Strip and hold message in Suspect Virus Quarantine. Outbound message: Delay message delivery.

For a description of each category, see Table 4-1. See Creating virus policies on page 83 for information about creating virus policies.

By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, are deleted. Note that Table 4-5 lists Clean the message, not Delete the message, as the default for viruses; check the Virus Policies page for the defaults actually in effect on your installation. You may want to change the default setting for unscannable messages if you are concerned about losing important messages.

To select virus policies for a group

1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select virus policies.
3 Click the Virus tab.
4 If desired, check Enable inbound virus scanning for this group to enable the following six virus policies for incoming email.
5 Select the desired policy from each of the following drop-down lists:
Inbound virus policy
Inbound mass-mailing worm policy
Inbound unscannable message policy
Inbound encrypted message policy
Inbound suspicious attachment message policy
Inbound spyware/adware message policy
6 If desired, check Enable outbound virus scanning for this group to enable the following six virus policies for outgoing email.
7 Select the desired policy from each of the following drop-down lists:
Outbound virus policy
Outbound mass-mailing worm policy
Outbound unscannable message policy
Outbound encrypted message policy

Outbound suspicious attachment message policy
Outbound spyware/adware message policy
8 Optionally, click View next to any policy to view its details.
9 Click Save.

Note: You cannot change virus policy details from the Edit Group page. See Creating virus policies on page 83 for information about creating or editing virus policies.

Selecting spam policies for a group

Spam policies determine what to do with inbound and outbound messages that contain spam or suspected spam. See Creating spam policies on page 85 for information about creating spam policies.

By default, inbound and outbound spam is tagged with [Spam] at the beginning of the subject line, and inbound and outbound suspected spam with [Suspected Spam]. Neither is deleted by default.

To select spam policies for a group

1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select spam policies.
3 Click the Spam tab.
4 If desired, check Enable inbound spam scanning for this group to enable the following two spam policies for incoming email.
5 Select the desired policy from each of the following drop-down lists:
Inbound spam policy
Inbound suspected spam policy
6 If desired, check Enable outbound spam scanning for this group to enable the following two spam policies for outgoing email.
7 Select the desired policy from each of the following drop-down lists:
Outbound spam policy
Outbound suspected spam policy
8 Click Save.

Note: You cannot change spam policy details from the Edit Group page. See Creating spam policies on page 85 for information about creating or editing spam policies.

Selecting compliance policies for a group

By associating an appropriate compliance policy with a group, you can check messages for attachment types, keywords, or regular expressions. Depending on the message content, you can add annotations, send notifications, or copy messages to an address. See Creating compliance policies on page 86 for information about creating compliance policies.

To select compliance policies for a group

1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select compliance policies.
3 Click the Compliance tab.
4 Check Enable Inbound Content Compliance for this group.
5 Select the desired policy from the Content Compliance Policies drop-down list. If desired, click View to see a summary of the compliance policy, and then click OK to return. As you add compliance policies from the drop-down list, they are displayed in the bottom list and become unavailable in the drop-down list.
6 Click Add.
7 If desired, add additional policies from the Content Compliance Policies drop-down list.
8 Configure the outbound compliance policies similarly.
9 Click Save.

Note: You cannot change compliance policy details from the Edit Group page. Although you can add existing policies to the lists on this page, you cannot create new compliance policies here. See Creating compliance policies on page 86 for information about creating compliance policies.

Enabling and disabling end user settings

The end user settings determine whether end users in a group can log in to the Control Center to configure personal Allowed and Blocked Senders Lists and to block or allow email in specified languages.

Note: Depending on your system and the group you are editing, you may not be able to view the End Users tab on the Edit Group page. See Requirements for enabling end user settings on page 79 for details.

To log in, end users access the same Control Center URL in their browser as administrators do, and authenticate with their LDAP login and password. For information about supported browsers, see the Symantec Mail Security for SMTP Installation Guide.

Note: End users are limited to a total of 200 entries in their combined Allowed Senders and Blocked Senders Lists.

The Specify language settings check box enables or disables user access to the language identification offered by Symantec Mail Security for SMTP, not the Symantec Outlook Spam Plug-in. If the Symantec Outlook Spam Plug-in is installed and enabled, end users set their language preferences in the Options dialog box accessible from the Symantec Outlook Spam Plug-in toolbar.

Note: The language identification technology that Symantec Mail Security for SMTP uses to identify the language of a message is not foolproof, and messages identified as being in a disallowed language are deleted rather than quarantined, so a misidentified legitimate message is lost.

Requirements for enabling end user settings

The following requirements must be satisfied before end users can configure their own personal Allowed and Blocked Senders Lists and block or allow email in specified languages:

- At least one LDAP SyncService server must be configured and enabled.
- In Settings > LDAP settings, an LDAP source configured for Authentication or for Authentication and Synchronization must be defined and saved.
- In Settings > Replication settings, a replication schedule must be defined and enabled.

- In Policies > Group Policies > Edit Group, end user preferences must be enabled for the given group on the End Users tab.
- The members of the group in question must be LDAP users, not locally defined users (addresses you typed manually).

Note: End user Allowed and Blocked Senders Lists take precedence over most other filters. See About precedence on page 71 for the precedence list. This could affect your decision on whether to enable end user settings.

To select end user policies for a group

1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to configure end user settings.
3 Click the End Users tab.
4 Check Enable end user settings for this group.
5 If desired, check Create Personal Allowed and Blocked Senders Lists.
6 If desired, check Specify language settings.
7 Click Save.

Allowing or blocking based on language

Using the language identification offered by Symantec Mail Security for SMTP, you can block or allow messages written in specified languages for a group. For example, you can allow only English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages.

Note: If the Language tab on the Edit Group page is inaccessible, the Symantec Outlook Spam Plug-in has been enabled. To disable support for the Outlook Plug-in and enable the built-in language identification, set Language Identification to No on the Spam Settings page; the Language tab then becomes accessible. See Choosing language identification type on page 52.

To allow or block based on language for a group

1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to configure language settings.
3 Click the Language tab.

4 Click the desired setting.
5 If you chose the second or third option, check the box for each desired language.
6 Click Save.

Note: The language identification technology that Symantec Mail Security for SMTP uses to identify the language of a message is not foolproof. Messages identified as being in a disallowed language are deleted.

Managing Group Policies

The Group Policy management options let you do the following:

- Set Group Policy precedence, the order in which Group Policy membership is determined when policies are applied.
- Edit Group Policy membership and actions.
- Enable and disable Group Policies.
- Delete Group Policies.
- View Group Policy information for particular users.

For information on adding members to groups and importing or exporting lists of group members, see Creating groups and adding members on page 72.

Manage Group Policies

The following sections describe common administrative tasks for Group Policies.

To set Group Policy precedence

Check the box next to a Group Policy, and then click Move Up or Move Down to change the order in which it is applied.

Note: The Default Group Policy is always the last Group Policy in the list. You cannot change the precedence of the Default Group Policy.

To edit an existing Group Policy

On the Group Policy page, click the policy name, or check the box next to a Group Policy and then click Edit.

Add or delete members or change filtering actions for this Group Policy as you did when you created it. See Add or remove members from a group on page 72 for more information.

To enable a Group Policy

Check the box next to a Group Policy, and then click Enable.

To disable a Group Policy

Check the box next to a Group Policy, and then click Disable.

Note: You cannot disable the Default Group Policy.

To delete a Group Policy

On the Group Policies page, check the box next to a Group Policy, and then click Delete.

To view Group Policy information for a particular user or domain

1 On the Members tab of the Edit Group page, click Find User.
2 Type an email address or domain name in the address box.
3 Click Find User.

The Control Center lists the first enabled group in which the specified user exists, searching in the order that groups are listed on the Group Policies page. Because only the first match counts, a user who belongs to several groups is governed by the highest-listed enabled group, which is why the precedence order matters.

Creating virus, spam, and compliance filter policies

Use the filter policy pages to combine a message characteristic, such as virus, with an action, such as delete. The initial page you see when you click Spam, Virus, or Compliance under Policies > Filter Policies contains a table showing the status of the defined policies of that type. Its columns are described in Table 4-6.

Table 4-6 Policy status page

Virus/Spam/Content Compliance Policies: Name of the policy
Enabled: Indicates whether the policy is enabled for one or more groups
Applied to: Indicates the directions the policy is applied to: Inbound, Outbound, or both

Table 4-6 Policy status page (continued)

Number of Groups: Number of groups in which this policy is used

Creating virus policies

Using the Virus Policies page, you can add, edit, copy, delete, and enable or disable virus policies.

To add a virus policy

1 In the Control Center, click Policies > Virus.
2 Click Add.
3 In the Policy name box, type a name for the virus policy. This name appears on the Virus Policies page and on the Virus tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique across all three types: if you have a compliance policy called XYZ, you cannot have a spam or virus policy called XYZ.
4 Under Apply to, choose where this virus policy should be available: Inbound messages, Outbound messages, or Inbound and Outbound messages. This determines where the policy appears on the Virus tab when configuring a Group Policy. For example, if you choose Inbound messages and the mass-mailing worm condition, this virus policy is available only in the Inbound mass-mailing worm policy drop-down list.
5 Under Groups, check one or more groups to which this policy should apply. You can also add a virus policy to a group on the Virus tab of the Edit Group page.
6 Under Conditions, select one of the following six conditions:

If a message contains a virus: the message contains a virus.
If a message contains a mass-mailing worm: the message contains a mass-mailing worm, a worm that propagates itself to other systems via email, often by using the address book of an email client program.
If a message is unscannable for viruses: a message can be unscannable for a variety of reasons, for example because it exceeds the maximum file size or maximum scan depth configured on the Scanning Settings page, or because it contains malformed MIME attachments. Compound messages such as zip files with many nesting levels may exceed the maximum scan depth.
If a message contains an encrypted attachment: the message contains an attachment that cannot be scanned because it is encrypted.
If a message contains a suspicious attachment: the message contains an attachment that, according to Symantec filters, may contain a virus or other threat.
If a message contains spyware or adware: the message contains spyware or adware.

7 Select the desired action. See Table 4-2, Filtering actions by verdict, on page 64. For some actions you must specify additional information in fields that appear below the action.
8 Click Add Action.
9 If desired, add more actions. See Table 4-3, Compatibility of filtering actions by verdict, on page 68.
10 Click Save.

Determining your suspicious attachment policy

When you choose the condition If a message contains a suspicious attachment, two additional actions become available: Delay message delivery and Strip and hold in Suspect Virus Quarantine. Both use the Suspect Virus Quarantine to defer filtering of these messages until later, when updated virus definitions may be available, which gives better protection against new and emerging threats. By default, these messages are held in the Suspect Virus Quarantine for 6 hours; you can change the number of hours on the Settings > Quarantine page, Virus tab.

Changing default virus actions

By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, are deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages. See Table 4-5, Virus categories and default actions, on page 75.

Creating spam policies

Using the Spam Policies page, you can add, edit, copy, delete, and enable or disable spam policies.

To add a spam policy

1 In the Control Center, click Policies > Spam.
2 Click Add.
3 In the Policy name box, type a name for the spam policy. This name appears on the Spam Policies page and on the Spam tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique across all three types: if you have a compliance policy called XYZ, you cannot have a spam or virus policy called XYZ.
4 Under Apply to, choose where this spam policy should be available: Inbound messages, Outbound messages, or Inbound and Outbound messages. This determines where the policy appears on the Spam tab when configuring a Group Policy. For example, if you choose Inbound messages and the spam condition, this spam policy is available only in the Inbound spam policy drop-down list.
5 Under Groups, check one or more groups to which this policy should apply. You can also add a spam policy to a group on the Spam tab of the Edit Group page.
6 Under Conditions, select one of the following three conditions:

If the message is Spam: perform the specified action if a message is determined to be spam.
If the message is Suspected Spam: perform the specified action if a message might be spam. The suspected spam threshold is adjustable on the Spam Settings page.
If the message is Spam or Suspected Spam: perform the specified action if a message is either spam or suspected spam.

86 86 Configuring filtering Creating virus, spam, and compliance filter policies 7 Select the desired action. See Table 4-2, Filtering actions by verdict, on page 64. For some actions you need to specify additional information in fields that appear below the action. 8 Click Add Action. 9 If desired, add more actions. See Table 4-3, Compatibility of filtering actions by verdict, on page Click Save. Creating compliance policies Using the Content Compliance Policies page, you can add, edit, copy, delete, and enable or disable compliance policies. You can also change the precedence of compliance policies by changing their location in the list on this page. You can create compliance policies based on key words and regular expressions found in specific areas of a message. Based on policies you set up, you can perform a wide variety of actions on messages that match against your compliance policies. Compliance policies can be used to: Eliminate messages with specific content, or specific file attachment types or filenames. Control message volume and preserve disk space by filtering out oversized messages. Block from marketing lists that generate user complaints or use up excessive bandwidth. Block messages containing certain keywords or regular expressions in their headers, bodies, or attachments. Actions specified for custom filter matches will not override actions resulting from matches in your Blocked Senders Lists or Allowed Senders Lists. In other words, if a message s sender matches an entry in your Blocked Senders Lists or Allowed Senders Lists, compliance policies will have no effect on the message. See About precedence on page 71 for more information. Guidelines for creating compliance policy conditions Keep these suggestions and requirements in mind as you create the conditions that make up a filter. To start out, you may want to set your policies so that messages that are match by compliance policies are quarantined, forwarded, or modified

instead of deleted. When you are sure the compliance policies are working correctly, you can adjust the action.
- Sieve scripts cannot be imported, including those created in previous versions of Symantec or Brightmail software.
- There is no limit to the number of conditions per compliance policy.
- Conditions can't be nested.
- You can create compliance policies that block or allow based upon the sender information, but usually it is best to use the Allowed Senders Lists and Blocked Senders Lists. However, it is appropriate to create compliance policies if you need to block or keep messages based on a combination of the sender and other criteria, such as the subject or recipient.
- The order of conditions in a filter does not affect whether the filter matches a message. However, if a filter has Body tests, you can optimize the filter by positioning them as the final conditions in the filter.
- Spammers usually spoof or forge some of the visible headers and the usually invisible envelope information. Sometimes they forge header information using actual addresses or domains of innocent people or companies. Use care when creating filters against spam you've received.

The following considerations apply to keyword text string searches. For details on regular expression searches, see Using Perl-compatible regular expressions in conditions on page 91.
- All tests for words and phrases are case-insensitive: a letter in your condition matches that letter in either case in the message, whether you typed it in lowercase or uppercase. For example, if you tested that the subject contains inkjet, then inkjet, Inkjet, and INKJET in a message subject would match. If you instead tested for INKJET in the subject, then inkjet, Inkjet, and INKJET would still match. This applies to all test types and all filter components.
- Multiple white spaces in an email header or body are treated as a single space character. For example, if you tested that the subject contains inkjet cartridge (with a single space between the words), then inkjet cartridge written with one space and inkjet cartridge written with several spaces in a message subject would both match. If you instead tested for inkjet cartridge with several spaces in the subject, both spellings would still match. This applies to all test types and all filter components. A message subject containing i n k j e t c a r t r i d g e would not match a test for inkjet cartridge, however many spaces the test has between the two words: runs of white space are collapsed to one space, not removed, so the single spaces between the letters remain.
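The keyword-search rules above (case-insensitive comparison, runs of white space collapsed to one space, an optional frequency) and the test types the guide lists (contains, starts with, ends with, matches exactly, matches regular expression) can be modelled in a few lines. The following Python is an added example written for this page, not code from the product; the sample subjects are constructed, and the assumption that a frequency is a minimum occurrence count, and that regular-expression conditions are evaluated with Python's re module on the raw text, are mine:

```python
import re

# Constructed sample subjects (not from the guide) used to exercise the rules.
SAMPLE_SUBJECTS = [
    "Cheap INKJET cartridge refills",
    "inkjet     cartridge sale",
    "i n k j e t c a r t r i d g e",
    "Buy an Inkjet Cartridge today, inkjet cartridge prices slashed",
]


def normalize(text: str) -> str:
    """Apply the two keyword-search rules from the guidelines: every run of
    white space collapses to one space, and matching is case-insensitive
    (modelled by lowercasing both the condition and the message text)."""
    return re.sub(r"\s+", " ", text).strip().lower()


def count_keyword(component: str, keyword: str) -> int:
    """Number of non-overlapping occurrences of the keyword in a message
    component such as the Subject or Body, after normalisation."""
    return normalize(component).count(normalize(keyword))


def contains(component: str, keyword: str, frequency: int = 1) -> bool:
    """'contains' test with a frequency. Assumption: the frequency is the
    minimum number of occurrences required for a match."""
    return count_keyword(component, keyword) >= frequency


def starts_with(component: str, keyword: str) -> bool:
    """'starts with' test (the guide describes it as ^text.* under matches exactly)."""
    return normalize(component).startswith(normalize(keyword))


def ends_with(component: str, keyword: str) -> bool:
    """'ends with' test (.*text$ under matches exactly)."""
    return normalize(component).endswith(normalize(keyword))


def matches_exactly(component: str, keyword: str) -> bool:
    """'matches exactly' test: the whole component equals the keyword."""
    return normalize(component) == normalize(keyword)


def matches_regex(component: str, pattern: str) -> bool:
    """'matches regular expression' test. The guide says regular-expression
    conditions use a separate analysis; here (assumption) they are evaluated
    with Python's re module, case-insensitively, on the raw text."""
    return re.search(pattern, component, re.IGNORECASE) is not None


def subjects_matching(keyword: str, frequency: int = 1, subjects=SAMPLE_SUBJECTS) -> list:
    """Indexes of the sample subjects that satisfy a 'contains' test."""
    return [i for i, s in enumerate(subjects) if contains(s, keyword, frequency)]


if __name__ == "__main__":
    print(subjects_matching("inkjet cartridge"))        # [0, 1, 3]
    print(subjects_matching("INKJET   CARTRIDGE", 2))   # [3]
```

The third sample subject, with a space between every letter, fails the test exactly as the guideline says: collapsing white space never removes the single spaces inside the words, so "inkjet" is never found.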

Adding conditions to compliance policies

Refer to the following tables when creating your compliance policy. Table 4-7 describes the conditions available when creating a compliance policy.

Table 4-7 Compliance conditions

Condition | Test against | Examples
Any part of the message | Dictionary. See Configuring dictionaries on page 112. | Profanity
Attachment content | Text within an attachment file. | Find all attachments that contain the word discount more than three times.
Attachment type | An attachment list, file name, or MIME type. See Configuring attachment lists on page 110. | script.vbs, application/octet-stream
Bcc: address | Bcc: (blind carbon copy) message header. | jane@example.com, [email protected]
Body | Contents of the message body. This component test is the most processing intensive, so you may want to add it as the last condition in a filter to optimize the filter. | You already may have won
Cc: address | Cc: (carbon copy) message header. | jane@example.com, [email protected]
Envelope HELO | SMTP HELO domain in message envelope. | example.com
Envelope recipient | Recipient in message envelope. | jane@example.com, [email protected]
Envelope sender | Sender in message envelope. | jane@example.com, [email protected]

Table 4-7 Compliance conditions (Continued)

Condition | Test against | Examples
For all messages | All email not filtered by a higher precedence policy is flagged. For example, if a message matches a spam, virus, sender group, or higher precedence compliance policy, it won't match the For all messages condition. | (Not applicable)
From: address | From: message header. | jane@example.com, [email protected]
From:/To:/Cc:/Bcc: address | From:, To:, Cc:, and Bcc: message headers. | jane@example.com, [email protected]
Message header | Message header specified in the accompanying text field. A header is case-insensitive. Don't type the trailing colon in a header. | Reply-To, reply-to, Message-ID
Message size | Size of the message in bytes, kilobytes, or megabytes, including the header and body, is less than or greater than the specified value. |
Subject | Subject: message header. | $100 F R E E, Please Play Now!
To: address | To: message header. | jane@example.com, [email protected]
To:/Cc:/Bcc: address | To:, Cc:, and Bcc: message headers. | jane@example.com, [email protected]

Table 4-8 shows the additional fields available when you add a condition.

Table 4-8 Additional fields for adding conditions

Condition | Information required
Attachment content, Bcc: address, Body, Cc: address, Envelope HELO, Envelope recipient, Envelope sender, From: address, From/To/Cc/Bcc: address, Subject, To: address, To/Cc/Bcc: address | Choose one of three options: Click the first radio button, choose contains or does not contain, type a frequency and a keyword. Click the second radio button, choose a test type, and type a keyword. Click the third radio button, choose matches or does not match, and type a regular expression.
Any part of the message | Choose a dictionary from the drop-down list, and type a word frequency in the box.
Attachment type | Choose one of three options: Click the first radio button and choose an attachment list. Click the second radio button and type a filename. Click the third radio button and type a MIME type. This condition will also flag attachments that are within container files.
For all messages | No additional information is needed. This condition flags all messages not filtered by a higher precedence policy.
Message header | Type the header category (From, To, etc), then follow the instructions in the first row above.
Message size | Choose a comparison from the first drop-down list, type a number, and choose units from the second drop-down list.

Table 4-9 describes the filter tests available for certain conditions when creating a compliance policy.

Table 4-9 Filter tests

Test type | Description
Contains/does not contain | Tests for the supplied text within the component specified. Sometimes called a substring test. You can also test for frequency, the number of instances of the supplied text that appear.
Starts with/does not start with | Equivalent to ^text.* wildcard test using matches exactly.

Table 4-9 Filter tests (Continued)

Test type | Description
Ends with/does not end with | Equivalent to .*text$ wildcard test using matches exactly.
Matches exactly/does not match exactly | Exact match for the supplied text (not available for the message body).

Notes: All text tests are case-insensitive. Some tests are not available for some components.

Using Perl-compatible regular expressions in conditions

To use Perl-compatible regular expressions, click matches regular expression or does not match regular expression for any of the conditions that offer you that choice (the conditions in the first row of Table 4-8, plus the Message header condition). You can refine your search as described in Table 4-10. To match certain special characters, you must escape each with \ as shown in the table. For more information about Perl-compatible regular expressions, see:

Table 4-10 Sample Perl-compatible regular expressions

Character | Description | Example | Sample matches
. | Match any one character | j.n | jen, jon, j2n, j$n
. | Match any one character | jo.. | john, josh, jo4#
.* | Match zero or more characters | sara.* | sara, sarah, sarahjane, saraabc%123
.* | Match zero or more characters | s.*m.* | sm, sam, simone, s321m$xyz
.+ | Match one or more characters | sara.+ | sarah, sarahjane, saraabc%123
.+ | Match one or more characters | s.+m.+ | simone, s321m$xyz
\. | Match a period | stop\. | stop.
\* | Match an asterisk | b\*\* | b**
\+ | Match a plus character | 18\+ | 18+

Table 4-10 Sample Perl-compatible regular expressions (Continued)

Character | Description | Example | Sample matches
[0-9]{n} | Match any numeral n times, for example, match a social security number | [0-9]{3}-[0-9]{2}-[0-9]{4} |

Note: Symantec Mail Security for SMTP uses two different types of analysis in scanning for messages that match your criteria. If you specify a condition using a regular expression, a regular expression analysis is performed. If you specify a condition using a keyword or dictionary, a text search is performed.

To add a compliance policy

1 In the Control Center, click Policies > Compliance.

2 Click Add.

3 In the Policy name box, type a name for the compliance policy. This name appears on the Content Compliance Policies page, and in the Compliance tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique. For example, if you have a compliance policy called XYZ, you can't have a spam or virus policy called XYZ.

4 Under Apply to, choose where this compliance policy should be available:
- Inbound messages
- Outbound messages
- Inbound and Outbound messages

5 Under Groups, check one or more groups to which this policy should apply. You can also add a compliance policy to a group on the Compliance tab of the Edit Group page.

6 Under Conditions, click a condition. See Table 4-7, Compliance conditions, on page 88. For some conditions you need to specify additional information in fields that appear below the condition.

7 Click Add Condition. See Table 4-8, Additional fields for adding conditions, on page 90. Add additional conditions if desired.

8 Under Perform the following action, click an action. See Table 4-2, Filtering actions by verdict, on page 64. For some actions you need to specify additional information in fields that appear below the action.

9 Click Add Action. Add additional actions if desired. See Table 4-3, Compatibility of filtering actions by verdict.

10 Click Save.

Note: You can use keywords or a regular expression in a compliance policy to strip attachments. However, you cannot specify that only attachments containing the keyword or regular expression are stripped. All attachments to the message will be stripped if any of the attachments contain the keyword or regular expression.

Determining compliance policy order

You can change the order in which compliance policies are checked against messages.

To set compliance policy order

1 In the Control Center, click Policies > Compliance.
2 Check the box next to a compliance policy.
3 Click Move Up or Move Down.

Enabling and disabling compliance policies

After you create compliance policies, they are automatically enabled and put to use. For testing or other administrative purposes, you may need to enable or disable one or more filters without having to delete them. Disabled filters become inactive but are still displayed in the Content Compliance Policies list.

To enable or disable a compliance policy

1 In the Control Center, click Policies > Compliance.
2 Check the box next to a compliance policy.
3 Click Enable or Disable.

Managing Firewall policies

Symantec Mail Security for SMTP can detect patterns in incoming messages to thwart certain types of spam and virus attacks. You can block and allow messages based on email addresses, domains, or IP address. Messages can be checked against Open Proxy Senders, Suspected Spammers, and Safe Senders

lists maintained by Symantec. Sender authentication provides a way to block forged email.

Configuring attack recognition

Symantec Mail Security for SMTP can detect the following types of attacks originating from a single SMTP server (IP address).

Directory harvest attacks | Spammers employ directory harvest attacks to find valid addresses at the target site. A directory harvest attack works by sending a large quantity of possible addresses to a site. An unprotected mail server will simply reject messages sent to invalid addresses, so spammers can tell which addresses are valid by checking the rejected messages against the original list. By default, connections received from violating senders are deferred.
Spam attack | A specified quantity of spam messages has been received from a particular IP address. By default, connections received from violating senders are deferred.
Virus attack | A specified quantity of infected messages has been received from a particular IP address. By default, connections received from violating senders are deferred.

Enable, disable, and configure attack recognition

Set up attack recognition as described in the following sections. All attack recognition types are disabled by default, and must be enabled to be activated.

To enable or disable attack recognition

1 In the Control Center, click Policies > Attacks.
2 Check the box next to each attack type that you want to enable or disable, or check the box next to Attacks to select all attack types.
3 Click Enable to enable the checked attack types, or click Disable to disable the checked attack types.

To configure directory harvest, spam, and virus attack recognition

1 In the Control Center, click Policies > Attacks.
2 Click Directory Harvest Attack, Spam Attack, or Virus Attack.

3 Accept the defaults or modify the values under Attack Configuration:

Minimum percentage of... | Percentage of bad recipient, spam, or virus messages from a single server that must be exceeded to trigger the specified action. The minimum number must also be exceeded.
Minimum number of... | Number of bad recipient, spam, or virus messages from a single server that must be exceeded to trigger the specified action. The minimum percentage must also be exceeded.
Qualification time window | Time period in which the specified percentage and number of bad recipient, spam, or virus message violations must be exceeded to trigger the specified action.
Penalty box time | Period of time to perform the specified action against all messages from the sending SMTP connection.

4 Under Actions, accept the default, recommended action of Defer SMTP Connection, or change and/or add more actions.

5 Click Save.

Configuring sender groups

Filtering based on the source of the message, whether it's the sender's domain, email address or mail server IP connection, can be a powerful way to fine-tune filtering at your site.

Note: This section describes global Blocked and Allowed Senders Lists, which are applied at the server level for your organization. Two other options are available to give users the ability to maintain individual Blocked and Allowed Senders Lists. You can enable personal Allowed and Blocked Senders Lists on the End Users tab of the Edit Group page. See Enabling and disabling end user settings on page 79. Alternatively, you can deploy the Symantec Outlook Spam Plug-in. With the Symantec Outlook Spam Plug-in, users can easily create personal lists of blocked and allowed senders from within their Outlook mail client. The Plug-in imports information from the Outlook address book to populate the personal Allowed Senders List. See Installing the Symantec Outlook Spam Plug-in on page 210.
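The four Attack Configuration fields above (minimum percentage, minimum number, qualification time window, penalty box time) describe a sliding-window detector. The following Python is an added example written for this page to show how those thresholds interact; it is not the product's code. The event log is constructed (reserved documentation addresses), and the reading that both thresholds must be strictly exceeded follows the wording "must be exceeded" in the table:

```python
from collections import defaultdict, deque


class AttackRecognizer:
    """Sliding-window model of the Attack Configuration fields described above.
    An IP address is put in the penalty box when, inside the qualification time
    window, BOTH the number of bad events (bad recipients, spam, or infected
    messages) AND their percentage of all events from that server exceed the
    configured minimums. While in the penalty box, every message from that
    address gets the configured action (here the default, "defer")."""

    def __init__(self, min_percent: float, min_number: int,
                 window_seconds: float, penalty_seconds: float):
        self.min_percent = min_percent
        self.min_number = min_number
        self.window_seconds = window_seconds
        self.penalty_seconds = penalty_seconds
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, is_bad)
        self.penalty_until = {}            # ip -> timestamp the penalty expires

    def _prune(self, ip: str, now: float) -> None:
        """Drop events that have aged out of the qualification window."""
        q = self.events[ip]
        while q and now - q[0][0] > self.window_seconds:
            q.popleft()

    def observe(self, ip: str, timestamp: float, is_bad: bool) -> str:
        """Record one event from `ip` and return the action for it:
        "defer" if the address is (or has just been put) in the penalty box,
        otherwise "accept"."""
        if timestamp < self.penalty_until.get(ip, float("-inf")):
            return "defer"
        q = self.events[ip]
        q.append((timestamp, is_bad))
        self._prune(ip, timestamp)
        total = len(q)
        bad = sum(1 for _, b in q if b)
        percent = 100.0 * bad / total
        # Both thresholds must be exceeded (strictly), as the table states.
        if bad > self.min_number and percent > self.min_percent:
            self.penalty_until[ip] = timestamp + self.penalty_seconds
            q.clear()
            return "defer"
        return "accept"


# Constructed event log (not from the guide): (timestamp, client IP, is_bad).
# 192.0.2.10 behaves like a directory harvest: almost every RCPT TO is invalid.
# 198.51.100.7 is a normal sender.  203.0.113.5 sends 6 bad of 20, i.e. 30 %,
# which exceeds the minimum number but not the minimum percentage.
SAMPLE_EVENTS = (
    [(t, "192.0.2.10", t not in (2, 7)) for t in range(0, 8)]
    + [(t, "198.51.100.7", False) for t in range(10, 13)]
    + [(t, "203.0.113.5", t % 10 < 3) for t in range(20, 40)]
)


def run_sample(events=SAMPLE_EVENTS) -> dict:
    """Feed the sample log to a recognizer and collect the per-IP actions."""
    rec = AttackRecognizer(min_percent=50, min_number=5,
                           window_seconds=3600, penalty_seconds=600)
    actions = defaultdict(list)
    for ts, ip, is_bad in sorted(events):
        actions[ip].append(rec.observe(ip, ts, is_bad))
    return dict(actions)


if __name__ == "__main__":
    for ip, acts in run_sample().items():
        print(ip, acts)
```

With these settings the harvesting address is deferred from its seventh event onward (six bad recipients out of seven is both more than five and more than 50 percent), while the address with a 30 percent bad-recipient rate is never penalised, which is the reason the guide requires both thresholds to be exceeded.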

Symantec Mail Security for SMTP lets you customize spam detection in the following ways:

Define Allowed Senders
Symantec Mail Security for SMTP treats mail coming from an address or connection in an Allowed Senders List as legitimate mail. As a result, you ensure that such mail is delivered immediately to the inbox, bypassing any other filtering. The Allowed Senders Lists reduce the small risk that messages sent from trusted senders will be treated as spam or filtered in any way.

Define Blocked Senders
Symantec Mail Security for SMTP supports a number of actions for mail from a sender or connection in a Blocked Senders List. As with spam verdicts, you can use policies to configure a variety of actions to perform on such mail, including deletion, forwarding, and subject line modification.

Use the Sender Reputation Service
By default, Symantec Mail Security for SMTP is configured to use the Sender Reputation Service. Symantec monitors hundreds of thousands of sources to determine how much email sent from these IP addresses is legitimate and how much is spam. The service currently includes the following lists of IP addresses, which are continuously compiled, updated, and incorporated into Symantec Mail Security for SMTP filtering processes at your site:
- Open Proxy Senders: IP addresses that are either open proxies used by spammers or zombie computers that have been co-opted by spammers.
- Safe Senders: IP addresses from which virtually no outgoing email is spam.
- Suspected Spammers: IP addresses from which virtually all of the outgoing email is spam.
No configuration is required for these lists. You can choose to disable any of these lists.

Incorporate lists managed by other parties
Third parties compile and manage lists of desirable or undesirable IP addresses. These lists are queried using DNS lookups.
When you configure Symantec Mail Security for SMTP to use a third-party sender list, Symantec Mail Security for SMTP checks whether the sending mail server is on the list. If so, Symantec Mail Security for SMTP performs a configured action, based on the policies in place.

About Allowed and Blocked Senders Lists

Note the following about the Allowed Senders Lists and Blocked Senders Lists:
- Duplicate entries: You cannot have the exact same entry in both a Blocked Senders List and an Allowed Senders List of the same type. If an entry already exists in one list, you will receive the message Duplicate sender - not added when you try to add the same entry to the other list. If you'd prefer to have this entry in the other list, first delete the entry from the list that now contains it, then add it to the other list.
- Similar entries: If you have two entries such as [email protected] and *@b.com in the two different lists, the list with higher precedence wins. See About precedence on page 71 for the precedence of each list.
- Performance impact of third party DNS lists: Incorporating third party lists adds additional steps to the filtering process. For example, in a DNS list scenario, for each incoming message, the IP address of the sending mail server is queried against the list, similar to a DNS query. If the sending mail server is on the list, the mail is flagged as spam. If your mail volume is sufficiently high, running incoming mail through a third party database could hamper performance because of the requisite DNS lookups. Symantec recommends that you use the Sender Reputation Service lists instead of enabling third party lists.

To understand which list or other verdict has priority in message filtering when more than one applies, see About precedence on page 71.

Reasons to use Allowed and Blocked Senders

Table 4-11 provides some examples of why you would employ lists of allowed or blocked senders. The table also lists an example of a pattern that you as the system administrator might use to match the sender:

Table 4-11 Use cases for lists of allowed and blocked senders

Problem | Solution | Pattern example
Mail from an end-user's colleague is occasionally flagged as spam. | Add a colleague's address to the end user's Allowed Senders List. | [email protected]
Desired newsletter from a mailing list is occasionally flagged as spam. | Add the domain name used by the newsletter to the domain-based Allowed Senders List. | newsletter.com

Table 4-11 Use cases for lists of allowed and blocked senders (Continued)

Problem | Solution | Pattern example
An individual is sending unwanted mail to people in your organization. | Add the specific address to the domain-based Blocked Senders List. |
Numerous people from a specific range of IP addresses are sending unsolicited mail to people in your organization. | After analyzing the received headers to determine the sender's network and IP address, add the IP address and net mask to the IP-based Blocked Senders List. | /

How Symantec Mail Security for SMTP identifies senders and connections

The following sections provide details about the Allowed Senders Lists and Blocked Senders Lists.

Supported Methods for Identifying Senders

You can use the following methods to identify senders for your Allowed Senders Lists and Blocked Senders Lists.

Domain-based: specify sender addresses or domain names

Symantec Mail Security for SMTP checks the following characteristics of incoming mail against those in your lists:
- MAIL FROM: address in the SMTP envelope. Specify a pattern that matches the value for localpart@domain in the address. You can use the * or ? wildcards in the pattern to match any portion of the address.
- From: address in the message headers. Specify a pattern that matches the value for localpart@domain in the From: header. You can use wildcards in the pattern to match any portion of this value.

If you choose to identify messages by address or domain name, see Table 4-12 for examples.

Table 4-12 Matches for addresses or domain names

Example | Sample matches
example.com | [email protected], [email protected], [email protected]
[email protected] sara*@example.org | [email protected] [email protected] [email protected], [email protected] [email protected], [email protected]

IP-based: specify IP connections

Symantec Mail Security for SMTP checks the IP address of the mail server initiating the connection to verify whether it is on your Allowed Senders Lists or Blocked Senders Lists. Wildcards are not supported. Although you can use network masks to indicate a range of addresses, you cannot use subnet masks that define non-contiguous sets of IP addresses (e.g. / ). Supported notations are:
- Single host:
- IP address with subnet mask: /
- Classless Inter-Domain Routing (CIDR) IP address: /18

Third party services: supply the lookup domain of a third party sender service

Symantec Mail Security for SMTP can check message sources against third party DNS-based lists to which you subscribe, for example, list.example.org.

Automatic expansion of subdomains

When evaluating domain name matches, Symantec Mail Security for SMTP automatically expands the specified domain to include subdomains. For example, Symantec Mail Security for SMTP expands example.com to include biz.example.com and, more generally, *@*.example.com, to ensure that any possible subdomains are allowed or blocked as appropriate.

Logical connections and internal mail servers: non-gateway deployments

When deployed at the gateway, Symantec Mail Security for SMTP can reliably obtain the physical or peer IP connection for an incoming message and compare it to connections specified in the Allowed Senders Lists and Blocked Senders Lists. If deployed elsewhere in your network, for example, downstream from the gateway MTA, Symantec Mail Security for SMTP works with the logical IP connection. Symantec Mail Security for SMTP determines the logical connection by obtaining the address that was provided as an IP connection address when the message entered your network. Your network is based on the internal address ranges that you supply to Symantec Mail Security for SMTP when setting up your Scanners. This is why it is important that you accurately identify all the internal mail hosts in your network. For more information, see Advanced SMTP settings on page 25.

Adding senders to Blocked Senders Lists

To prevent undesired messages from being delivered to inboxes, you can add specific addresses, domains, and connections to your Blocked Senders Lists.
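Before the step-by-step procedures, here is an added example, written for this page and not taken from the product, of the matching rules described under Supported Methods for Identifying Senders: domain-based patterns with the * and ? wildcards, automatic expansion of a bare domain to its subdomains, and IP-based entries in single-host, address/netmask and CIDR notation with non-contiguous masks rejected. The sample lists and addresses are constructed; the assumption that a pattern with an explicit @domain part is matched literally rather than expanded, and the use of Python's ipaddress module for the three IP notations, are mine:

```python
import ipaddress
import re


def _wildcard_to_regex(pattern: str) -> str:
    """Translate a pattern that uses only the * and ? wildcards into a regex;
    every other character is taken literally."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def address_matches(pattern: str, address: str) -> bool:
    """Domain-based entry test.  `pattern` is a bare domain or a
    localpart@domain pattern with * and ? wildcards; `address` is the MAIL
    FROM or From: address being checked.  Comparison is case-insensitive.
    A bare domain is expanded to the domain itself and every subdomain
    (example.com also covers biz.example.com), as described under "Automatic
    expansion of subdomains".  Assumption: a pattern with an explicit @domain
    part is matched literally (with its wildcards) and is not expanded."""
    pattern, address = pattern.lower().strip(), address.lower().strip()
    local, at, domain = address.rpartition("@")
    if not at:
        return False                       # not a localpart@domain address
    if "@" not in pattern:                 # bare domain: *@domain and *@*.domain
        return domain == pattern or domain.endswith("." + pattern)
    local_pat, _, domain_pat = pattern.rpartition("@")
    return (re.fullmatch(_wildcard_to_regex(local_pat), local) is not None
            and re.fullmatch(_wildcard_to_regex(domain_pat), domain) is not None)


def connection_network(entry: str):
    """Parse an IP-based entry: single host, address/netmask, or CIDR.
    ipaddress accepts all three notations and rejects non-contiguous masks,
    which the guide says are not supported."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        raise ValueError(f"unsupported IP entry {entry!r}: {exc}") from None


def connection_matches(entry: str, peer_ip: str) -> bool:
    """IP-based entry test against the connecting mail server's address."""
    return ipaddress.ip_address(peer_ip) in connection_network(entry)


def classify(address: str, peer_ip: str, allowed: dict, blocked: dict) -> dict:
    """Report which entries of the allowed and blocked lists a message hits.
    `allowed` and `blocked` map "domain" and "ip" to lists of entries.  Which
    hit wins when several apply is decided by the precedence configured in the
    product (see About precedence), so this function only reports the hits."""
    hits = {}
    for name, lists in (("allowed", allowed), ("blocked", blocked)):
        hits[name] = (
            [e for e in lists.get("domain", []) if address_matches(e, address)]
            + [e for e in lists.get("ip", []) if connection_matches(e, peer_ip)]
        )
    return hits


# Constructed sample lists (reserved documentation names and addresses).
ALLOWED = {"domain": ["example.com", "sara*@example.org"],
           "ip": ["198.51.100.0/255.255.255.0"]}
BLOCKED = {"domain": ["*@spam.example.net"],
           "ip": ["203.0.113.9", "192.0.2.0/18"]}


if __name__ == "__main__":
    print(classify("jane@spam.example.net", "198.51.100.5", ALLOWED, BLOCKED))
    # {'allowed': ['198.51.100.0/255.255.255.0'], 'blocked': ['*@spam.example.net']}
```

The final call shows the "similar entries" situation from About Allowed and Blocked Senders Lists: the sender address hits a blocked entry while the connection hits an allowed one, and only the configured precedence order decides the outcome.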

To add domain-based, IP-based, and Third Party Services entries to your Blocked Senders Lists

1 In the Control Center, click Policies > Sender Groups.
2 Click one of the Blocked Sender groups.
3 Click Add.
4 On the Add Sender Group Members page, supply the information appropriate for the current Blocked Sender group. See How Symantec Mail Security for SMTP identifies senders and connections on page 98.
5 Click Save.
6 Modify the default action for messages originating from blocked senders (Delete the message) if desired.
7 Click Save on the Edit Sender Group page.

Adding senders to Allowed Senders Lists

To ensure that messages from specific addresses, domains, and connections are not treated as spam, you can add them to your Allowed Senders Lists.

To add domain-based, IP-based, and Third Party Services entries to your Allowed Senders Lists

1 In the Control Center, click Policies > Sender Groups.
2 Click one of the Allowed Sender groups.
3 Click Add.
4 In the Add Sender Group Members page, supply the information appropriate for the current Allowed Sender group. See How Symantec Mail Security for SMTP identifies senders and connections on page 98.
5 Click Save.
6 Modify the default action for messages originating from allowed senders (Deliver message normally) if desired.
7 Click Save on the Edit Sender Group page.

Deleting senders from lists

Follow the steps below to delete senders.

To delete senders from your Blocked Senders Lists or Allowed Senders Lists

1 In the Control Center, click Policies > Sender Groups.
2 Click one of the Blocked or Allowed Sender groups, depending on the list that you want to work with.
3 In the list of senders, check the box next to the sender that you want to remove from your list, and then click Delete.
4 Click Save.

Editing senders

Follow the steps below to change sender information.

To edit information for senders in your Blocked Senders Lists or Allowed Senders Lists

1 In the Control Center, click Policies > Sender Groups.
2 Click one of the Blocked or Allowed Sender groups, depending on the list that you want to work with.
3 In the list of senders, click the check box next to the sender whose information you want to modify, and then click Edit. You can also click an underlined sender name to jump directly to the corresponding edit page.
4 Make any changes, and then click Save.
5 Click Save on the Edit Sender Group page.

Enabling or disabling senders

When you add a new sender to a Sender Group, Symantec Mail Security for SMTP automatically enables the filter and puts it to use when evaluating incoming messages. You may need to periodically disable and then re-enable senders from your list for troubleshooting or testing purposes or if your list is not up to date. Symantec Mail Security for SMTP will treat mail from a sender that you've disabled just as it would any other message.

To enable or disable senders in your lists

1 In the Control Center, click Policies > Sender Groups.

2 Click one of the Blocked or Allowed Sender groups, depending on the list that you want to work with. A red x in the Enabled column indicates that the entry is currently disabled. A green check mark in the Enabled column indicates that the entry is currently enabled.
3 In the list of senders, do one of the following:
- To enable a sender entry that is currently disabled, check the box adjacent to the sender information, and then click Enable.
- To disable a sender entry that is currently enabled, check the box adjacent to the sender information, and then click Disable.
4 Click Save.

Importing allowed and blocked sender information

If you have many senders and addresses to add to your Blocked Senders Lists or Allowed Senders Lists, it is often easier to place the sender information in a text file and then import the file. This section describes how to format that file.

Maximum number of entries in an allowed and blocked sender file

Be aware of the following limitations when importing senders:
- The maximum number of sender lines per file when importing senders is 500,000. To add more (up to the limit noted below), divide senders into multiple files and import multiple times.
- The maximum number of total allowed and blocked senders that can be stored is 650,000.
No warning is displayed if you exceed these limits. Sender data is silently dropped.

Format of allowed and blocked sender file

The file is line-oriented and uses a format similar to the Lightweight Directory Interchange Format (LDIF). It has the following restrictions and characteristics:
- The file is in the installation directory, in the following location: /scanner/rules/allowedblockedlist.txt
- The file must have the required LDIF header that is included upon installation. Do not change the first three uncommented lines:
    dn: [email protected], ou=bmi
    objectclass: top
    objectclass: uiablackwhitelist

- After the header, each line contains exactly one attribute, along with a corresponding pattern.
- Empty lines or white spaces are not allowed.
- Lines beginning with # are ignored.
- Entries terminating with the colon-dash pattern (:-) are disabled; entries terminating with the colon-plus pattern (:+) are enabled; entries with neither set of terminating symbols are enabled.

To populate the list, specify an attribute, which is followed by a pattern. In the following example, a list of attributes and patterns follows the LDIF header. See Table 4-13 for an explanation of the attribute codes.

    ## Permit List
    #
    dn: cn=mailwall, ou=bmi
    objectclass: top
    objectclass: bmiblackwhitelist
    AC: /
    AS: [email protected]
    RC: /
    RS: [email protected]
    BL: sbl.spamhaus.org
    # Example notations for disabled and enabled entries follow
    RS: [email protected]:-
    RS: [email protected]:+

Table 4-13 lists the attributes and the syntax for the values.

Table 4-13 Syntax for imported Allowed and Blocked Sender Lists

Attribute | Description | Examples
AC: | Allowed connection or network. Specify a numerical IP address, numerical IP address and network mask, or Classless Inter-Domain Routing (CIDR) IP address. | AC: ; AC: /; AC: /18
RC: | Rejected connection or network. Specify a numerical IP address, numerical IP address and network mask, or CIDR IP address. | RC: ; RC: /; RC: /18
AS: | Allowed sender. Specify an address or domain using alphanumeric and special characters, except the plus sign (+). | AS: example.com; AS: [email protected]; AS: [email protected]
RS: | Rejected or blocked sender. Specify an address or domain using alphanumeric and special characters, except the plus sign (+). | RS: example.com; RS: [email protected]; RS: [email protected]
BL: | Third party blocked sender list. Use the zone name specified by the list provider. | BL: sbl.spamhaus.org

Table 4-13 Syntax for imported Allowed and Blocked Sender Lists (Continued)

Attribute | Description | Examples
WL: | Third party allowed sender list. Use the zone name specified by the list provider. | WL: query.senderbase.org

To import sender information from a text file

1 In the Control Center, click Policies > Sender Groups.
2 Click any of the Blocked Senders or Allowed Senders Lists. You can import entries for all of the Blocked Senders and Allowed Senders Lists in one import action, no matter which list you open. The codes in Table 4-13 determine which list your entries join.
3 Click Import.
4 In the Import dialog box, specify the location of your text file with the sender information, and then click Import. Ensure that the sender information is formatted as described in Format of allowed and blocked sender file on page 102. Symantec Mail Security for SMTP merges data from the imported list with the existing sender information.
5 Click Save.

Exporting sender information

You can export to a single file all the information in your Allowed Senders Lists and Blocked Senders Lists.

To export sender information from your Blocked Senders Lists or Allowed Senders Lists

1 In the Control Center, click Policies > Sender Groups.
2 Click any of the Blocked Senders or Allowed Senders Lists. The entries for all Blocked Senders and Allowed Senders Lists are exported no matter which list you open.
3 Click Export. Your browser will prompt you to open the file from its current location or save it to disk.
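Because the product gives no warning when an import file is malformed or over the limit (sender data is silently dropped), it pays to validate the file before uploading it. The following Python is an added example written for this page, not the product's own importer. It parses the allowedblockedlist.txt format described under Format of allowed and blocked sender file: the three-line LDIF header, # comments, one attribute per line, the :- and :+ enabled markers, the attribute codes of Table 4-13, the 500,000-line limit, the plus-sign restriction on AS/RS values, and the three IP notations for AC/RC. The sample file is constructed; treating leading or trailing white space on a line as an error is my reading of "white spaces are not allowed":

```python
import ipaddress

MAX_LINES_PER_FILE = 500_000          # limit stated in the guide
HEADER_LINES = 3                      # dn: followed by two objectclass: lines
ATTRIBUTES = {                        # codes from Table 4-13
    "AC": "allowed connection", "RC": "rejected connection",
    "AS": "allowed sender", "RS": "rejected sender",
    "BL": "third party blocked list", "WL": "third party allowed list",
}


def _check_value(attr: str, value: str):
    """Return an error string for a malformed value, or None if it is acceptable."""
    if attr in ("AC", "RC"):
        try:
            ipaddress.ip_network(value, strict=False)   # host, addr/mask or CIDR
        except ValueError:
            return f"{attr}: not a host, address/mask or CIDR network: {value!r}"
    elif attr in ("AS", "RS") and "+" in value:
        return f"{attr}: plus sign not permitted in an address or domain: {value!r}"
    return None


def parse_sender_file(text: str):
    """Parse an import file.  Returns (entries, errors): entries are dicts with
    attr, value, enabled and line; errors are strings for lines the product
    would most likely drop.  A missing LDIF header raises ValueError."""
    lines = text.splitlines()
    if len(lines) > MAX_LINES_PER_FILE:
        raise ValueError("file exceeds 500,000 lines; split it and import in parts")
    entries, errors, header = [], [], []
    for lineno, raw in enumerate(lines, 1):
        if raw.startswith("#"):                    # comment lines are ignored
            continue
        if len(header) < HEADER_LINES:             # first three uncommented lines
            header.append(raw)
            continue
        if raw == "" or raw != raw.strip():
            errors.append(f"line {lineno}: empty lines and surrounding white space are not allowed")
            continue
        attr, sep, value = raw.partition(":")
        value = value.strip()
        if not sep or attr not in ATTRIBUTES:
            errors.append(f"line {lineno}: unknown attribute {attr!r}")
            continue
        enabled = True
        if value.endswith(":-"):                   # colon-dash: entry disabled
            enabled, value = False, value[:-2]
        elif value.endswith(":+"):                 # colon-plus: entry enabled
            value = value[:-2]
        err = _check_value(attr, value)
        if err:
            errors.append(f"line {lineno}: {err}")
            continue
        entries.append({"attr": attr, "value": value, "enabled": enabled, "line": lineno})
    if (len(header) < HEADER_LINES or not header[0].startswith("dn:")
            or not all(h.startswith("objectclass:") for h in header[1:])):
        raise ValueError("file lacks the required LDIF header (dn: plus two objectclass: lines)")
    return entries, errors


def to_lists(entries) -> dict:
    """Group the enabled entries by attribute code, i.e. by target list."""
    lists = {code: [] for code in ATTRIBUTES}
    for e in entries:
        if e["enabled"]:
            lists[e["attr"]].append(e["value"])
    return lists


# Constructed sample file (not from an installation); addresses are reserved
# documentation values.
SAMPLE_FILE = """\
## Permit List
#
dn: cn=mailwall, ou=bmi
objectclass: top
objectclass: bmiblackwhitelist
AC: 192.0.2.0/24
AS: partner@example.com
RC: 203.0.113.0/255.255.255.0
RS: spammer@example.net
BL: sbl.spamhaus.org
# Example notations for disabled and enabled entries follow
RS: paused@example.org:-
RS: active@example.org:+
"""

if __name__ == "__main__":
    entries, errors = parse_sender_file(SAMPLE_FILE)
    print(len(entries), "entries,", len(errors), "errors")
    print(to_lists(entries)["RS"])   # ['spammer@example.net', 'active@example.org']
```

Running the validator over a file before each import surfaces the lines the product would drop without warning, which matters most for large files assembled by script.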

105 Configuring filtering Configuring Sender Authentication

Enabling Open Proxy Senders, Safe Senders, and Suspected Spammers lists
Symantec continuously compiles and updates the three Sender Reputation Service lists:
- Open Proxy Senders: IP addresses that are either open proxies used by spammers or zombie computers that have been co-opted by spammers.
- Safe Senders: IP addresses from which virtually no outgoing email is spam.
- Suspected Spammers: IP addresses from which virtually all of the outgoing email is spam.

Symantec monitors hundreds of thousands of sources to determine how much email sent from these addresses is legitimate and how much is spam. Email from given sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. By default, Symantec Mail Security for SMTP is configured to incorporate the source information from all three lists comprising the Sender Reputation Service.

To enable or disable the Open Proxy Senders, Safe Senders, and Suspected Spammers lists
1 In the Control Center, click Policies > Sender Groups.
2 Check or uncheck the boxes for the desired lists.
3 Click Enable or Disable.

Configuring Sender Authentication
Symantec Mail Security for SMTP can check incoming email for authenticity using the Sender Policy Framework (SPF) or the Sender ID standard. This can reduce spam because spammers often attempt to forge the mail server name to evade discovery. Symantec Mail Security for SMTP checks the sending IP address against the published DNS record for the named mail server. If the DNS record includes a hard outbound policy (one that requires compliance), and it does not match the sending IP address, the specified action is taken on the message. If the IP address matches, or the domain publishes only an informational policy, or does not publish a policy, no action is taken.

For more information about SPF, see:
For more information about Sender ID, see:
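The decision rule above (act only on a hard-policy failure; pass, informational policy or no policy means no action), as an added example that is not the product's code. It evaluates only the ip4, ip6 and all mechanisms of SPF against constructed records for hypothetical domains, makes no DNS lookups, and reports mechanisms that would need DNS as not evaluable here.

```python
"""Sender Authentication decision as the manual describes it: act only when
the sender's domain publishes a hard policy that the connecting IP fails.

Added example, not product code. It evaluates a small subset of SPF (the
ip4, ip6 and all mechanisms) against constructed records for hypothetical
domains; no DNS lookups are made, and mechanisms that would need DNS
(include, a, mx, exists, redirect) are reported as not evaluable here.
"""
import ipaddress
from typing import Optional

# Constructed SPF records; in production they come from the domain's DNS TXT record.
PUBLISHED_RECORDS = {
    "hard.example": "v=spf1 ip4:192.0.2.0/24 -all",     # hard policy: unlisted IP fails
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",     # informational: softfail only
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 ?all",  # informational: neutral
    "nospf.example": None,                              # publishes no policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DEFAULT_ACTION = "prepend [sender auth failure] to subject"   # the manual's default


def evaluate_spf(record: Optional[str], sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none for sender_ip against the record."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a mechanism without a qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]     # 'all' always matches
        if name in ("ip4", "ip6"):
            # an address of the other IP version is simply not contained
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"{name} needs DNS; not evaluated in this example")
    return "neutral"                          # RFC 7208: no mechanism matched


def sender_auth_action(domain: str, sender_ip: str,
                       action: str = DEFAULT_ACTION) -> Optional[str]:
    """The manual's rule: only a hard-policy failure triggers the configured action."""
    result = evaluate_spf(PUBLISHED_RECORDS.get(domain), sender_ip)
    if result == "fail":
        return action
    return None   # pass, softfail, neutral or none: no action is taken


if __name__ == "__main__":
    for domain in PUBLISHED_RECORDS:
        print(f"{domain:16} from 203.0.113.5 -> {sender_auth_action(domain, '203.0.113.5')}")
```

Only hard.example produces an action for the unlisted address; soft.example and neutral.example still consume the lookup, which is the processing cost the Warning on the next page refers to.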

106 Configuring filtering Managing policy resources

If you add Sender Authentication domains, it's best to specify the highest level domain possible, such as example.com, because subdomains of the specified domain will also be tested for compliance.

Warning: Authenticating all domains can lead to significant unnecessary processing load. Many domains do not publish an outbound policy, or publish only an informational policy. Attempting authentication on these domains does not lead to any action, and will use processing resources, at times excessively. Authentication is most effective for domains that publish hard policies and that are frequently spoofed in phishing attacks.

To enable sender authentication
1 In the Control Center, click Policies > Sender Authentication.
2 Check Enable Sender Authentication.
3 Under Authentication Types, check Sender Policy Framework (SPF), Sender ID, or both.
4 To choose domains to authenticate, click Authenticate only the following domains, or to authenticate all domains, skip to step 6.
5 Click Add, type a domain name, and click Save to add domains to the list.
  Optionally, you can click on a domain, or check the domain and click Edit, to edit the spelling of a domain you already added. You can also check a domain and click Delete to delete that entry from the list.
6 Click Authenticate all domains to attempt sender authentication on incoming messages from all domains.
7 If desired, change the default action, or add additional actions.
  By default, each failed message has the phrase [sender auth failure] prepended to its subject line.
8 Click Save.

Managing policy resources
The settings under Policy Resources are used in the conditions or actions for policies.

Annotating messages
Annotations are phrases or paragraphs that are placed at the beginning or end of the body of an email message when you choose the action Add annotation. An

107 Configuring filtering Managing policy resources

annotation may be a legal disclaimer or text necessary to comply with government or corporate policy, such as "All email sent to or from this system may be retained and/or monitored."

How plain text and HTML text is added to messages
When specifying an annotation, a plain text version is required, and an HTML version is optional. In nearly all cases, you should type the same message for both the plain text and HTML versions. If desired, you can use HTML formatting tags in the HTML version, such as <b>bold text here</b>, but don't use HTML structure tags, such as <body> or <html>.

Table 4-14 lists the annotation behavior depending on the type of message and whether you specified an HTML annotation or not.

Table 4-14 Annotation behavior

If these MIME parts are found... | And annotations have been specified... | Then...
Text only | Plain text only | Plain text annotation is added to the message.
Text only | Plain text and HTML | Plain text annotation is added to the message; HTML annotation is not used.
Text and HTML | Plain text only | Plain text annotation is added to the plain text part, and added to the HTML part by enclosing it in a <p> tag.
Text and HTML | Plain text and HTML | Plain text annotation is added to the plain text part, and HTML annotation is added to the HTML part.

For messages containing both text and HTML MIME parts, the configuration of each recipient's email client (e.g. Microsoft Outlook) may determine which part is displayed.

Annotation guidelines
Note the following additional information about annotations:
- An annotation can contain up to 10,000 individual words.
- Up to 100 distinct annotations are allowed.
- Don't use HTML structure tags such as <body> or <html> in the HTML box.
- When adding an annotation, you can specify the character set encoding to use. If the encoding you choose is different than the encoding used by the original message, either the message text or the annotation text will not be displayed correctly.
You can avoid this problem by creating a notification instead of an annotation, and attaching the original message to the

108 Configuring filtering Managing policy resources

notification. See Adding and editing notifications on page 114 for instructions.
- When you specify the action to add an annotation in a policy, you can choose to prepend the annotation to the beginning of the message body, or append the annotation to the end of the message body. If you prepend, you may want to end your annotation text with a blank line or a line of dashes, to provide a clear boundary before the beginning of the message body.

To add a new annotation
1 In the Control Center, click Policies > Annotations.
2 Click Add.
3 In the Annotation description box, type a name for the annotation.
  This is the name that appears on the Annotations page and in the annotations list in the Actions section when configuring a policy.
4 In the Plain text box, type the annotation text.
5 Choose a character encoding for the plain text annotation.
  ISO and UTF-8 are appropriate for European languages. SHIFT-JIS and ISO-2022-JP are appropriate for Japanese.
6 If desired, type annotation text in the HTML box.
  You can use HTML formatting tags, if desired. See How plain text and HTML text is added to messages on page 107.
7 Choose a character encoding for the HTML annotation, if you've specified an HTML annotation.
8 Click Save.

Editing an annotation
You can edit an annotation to change the wording.

To edit an annotation
1 In the Control Center, click Policies > Annotations.
2 Click the annotation that you want to edit.
3 Change the annotation text as desired.
4 Click Save.
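The four cases of Table 4-14 and the prepend/append choice, worked through on real MIME structures with Python's email package. This is an added example, not the product's code; it assumes the plain text is HTML-escaped before being wrapped in <p> for the HTML part, and the sample messages are constructed.

```python
"""Annotation behaviour of Table 4-14 applied to a MIME message.

Added example built on Python's email package; not the product's code.
A plain-text annotation is required and an HTML one optional; on a message
with both text and HTML parts and only a plain annotation, the plain text
is wrapped in a <p> tag for the HTML part (HTML-escaped here, an
assumption). The sample messages are constructed below.
"""
import html
from email import policy
from email.message import EmailMessage
from typing import Optional


def _annotate_part(part: EmailMessage, annotation: str, prepend: bool) -> None:
    body = part.get_content()
    if prepend:
        # A blank line after the annotation gives a clear boundary before the body.
        new_body = annotation + "\n\n" + body
    else:
        new_body = body.rstrip("\n") + "\n\n" + annotation + "\n"
    part.set_content(new_body, subtype=part.get_content_subtype())


def annotate(msg: EmailMessage, plain: str, html_text: Optional[str] = None,
             prepend: bool = False) -> EmailMessage:
    """Add the annotation to each text part as Table 4-14 specifies."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            _annotate_part(part, plain, prepend)
        elif ctype == "text/html":
            # HTML annotation if one was given; otherwise the plain text in a <p>.
            ann = html_text if html_text is not None else "<p>" + html.escape(plain) + "</p>"
            _annotate_part(part, ann, prepend)
        # A text-only message never reaches the HTML branch, so an HTML
        # annotation specified for it is simply not used.
    return msg


def text_only_message() -> EmailMessage:
    """Constructed sample: a single text/plain body."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "constructed sample"
    msg.set_content("Hello, this is the body.")
    return msg


def alternative_message() -> EmailMessage:
    """Constructed sample: multipart/alternative with text and HTML parts."""
    msg = text_only_message()
    msg.add_alternative("<html><body><p>Hello, this is the body.</p></body></html>",
                        subtype="html")
    return msg


def bodies(msg: EmailMessage) -> dict:
    """{content type: decoded text} for the leaf parts, for inspection."""
    return {p.get_content_type(): p.get_content()
            for p in msg.walk() if not p.is_multipart()}


if __name__ == "__main__":
    out = annotate(alternative_message(), "All email may be retained and/or monitored.")
    print(out.as_string())
```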

109 Configuring filtering Managing policy resources

Archiving messages
The archive action creates a copy of a message and sends it to an email address and, optionally, an archive server host. If no additional action is specified, the original message is delivered normally as well. The copy is delivered via SMTP to the specified address, so it can be accessed as email by the address owner. Ensure that the address you specify is valid and that the messages delivered to the address are managed appropriately. For example, you may want to add the archived messages to your backup scheme.

Note the following additional information about the Archive action:
- Only one, global address is supported. You can't supply different archive addresses for different policies.
- The specified archive address replaces the original message recipients in the message envelope. The To: header is not changed.
- Archiving occurs after spam and virus filtering but before message markup, such as modifying the subject line.

To set the archive address destination
1 In the Control Center, click Policies > Archive.
2 In the Archive address box, type a complete email address, such as [email protected].
3 Optionally, specify a computer to which to relay archived messages in the Archive server host box.
4 Optionally, specify a port for the archive server host in the Archive server port box. Port 25, the usual port for SMTP messages, is the default.
5 Check or uncheck Enable MX Lookup to enable or disable MX lookup for the archive server host. If enabled, archive messages are routed using the MX information corresponding to the archive server host. If disabled, archive messages are always routed to the specified archive server host.
6 Click Save.

Configuring optional archive tags
When adding the archive action to a policy, you can optionally specify an archive tag. Specifying an archive tag adds an X-archive: header to archived messages, followed by your text.
The X-archive: header may be useful to sort archived messages when viewing them with an email client. However, Symantec Mail Security for SMTP itself does not use the X-archive: header. If multiple

110 Configuring filtering Managing policy resources

policies result in archiving the same message, each unique X-archive: header is added to the message. For example, the following archive tag:
Docket
adds the following header to the message when it is archived:
X-archive: Docket

To specify an archive tag
1 When configuring a virus, spam, or compliance policy, click the Archive the message action.
  See Creating virus policies on page 83, Creating spam policies on page 85, or Creating compliance policies on page
2 In the Optional archive tag box, type the text that should occur after the X-archive header. Type any character except carriage return, line feed, or semicolon.
3 Choose an encoding for the archive tag. ISO and UTF-8 are appropriate for European languages. SHIFT-JIS, EUC-JP, and ISO-2022-JP are appropriate for Japanese.
4 Click Add Action.
5 Finish configuring the policy.

Configuring attachment lists
Attachment lists provide a way to match against specific types of attachments. For example, you could create an attachment list that matches messages containing .exe files. By adding that attachment list to a policy, you could strip attachments from those messages, insert an annotation for the recipients, and notify the senders.

The following attachment lists have been predefined, and can be edited:
- Archive Files
- Document Files
- Executable Files
- Image Files
- Multimedia Files

Table 4-15 includes information about valid choices for attachment list properties. You choose a true file type or class from the pull-down lists on the

111 Configuring filtering Managing policy resources

Add Attachment List page. For the last three choices, all characters are interpreted literally; wildcards are not allowed.

Table 4-15 Attachment characteristics for attachment lists

True file type:  Specifies an attachment type based on direct inspection of the type of file. You can use this to match files whose extensions may not accurately reflect their true file types. Each file type is a member of a specific file class.
  Example: Microsoft Word for Windows
True file class:  Specifies an attachment type based on the class of file. You can use this to match files whose extensions may not match their true file classes.
  Example: Word Processor Document
File name:  Part or all of a file name. A partial match for a file name will match a file, such as oxy for oxygen.txt.
  Examples: oxy, oxygen, oxygen.txt
Extension:  A period followed by usually three letters at the end of a file name that, by convention, indicates the type of the file.
  Examples: .txt, .exe, .text, .zip
MIME type:  The MIME type of the attachment in the message. MIME is a standard for email attachments.
  Examples: text/plain, image/gif, application/msword, application/octet-stream

For a technical description of MIME, see the following RFC:

To add an attachment list
1 In the Control Center, click Policies > Attachment Lists.
2 Click Add.
3 In the Attachment list name box, type a name for the attachment list.
  This is the name that appears on the Attachment Lists page and as the Attachment List in the Conditions section when configuring a policy.
4 In the Configure Attachment Types box, either:
  - Click the first radio button to match files based on the actual type or class of the file, even if that type or class does not match the extension. Choose True file type or True file class. Then click on the classes or

112 Configuring filtering Managing policy resources

  types that you want to match. Press and hold Ctrl while clicking to select more than one file class or file type.
  - Click the second radio button to match files based on their file names, extensions, or MIME types. Choose File name, Extension, or MIME type. Then choose is, contains, begins with, or ends with. Then type the text to match or not match. Type only one file name, extension, or MIME type in the box. Table 4-15 includes information about valid extension, file name, and MIME-type attachment types. Type the MIME type completely, such as image or image/gif, not ima.
5 Click Add to add the condition you created to the list of conditions at the bottom of the page.
6 Repeat steps 4 and 5 to add more conditions as desired.
  If needed, you can click on a condition in the list and click Delete to delete that condition.
7 Click Save.

Configuring dictionaries
A dictionary is a list of words, phrases, or both that messages are checked against when you choose the Any part of the message condition in a compliance policy. Symantec Mail Security for SMTP evaluates matches to a dictionary using substring text analysis, not regular expression analysis.

Symantec Mail Security for SMTP includes the following predefined dictionaries, which can be edited. The dictionaries marked as ambiguous contain terms that could be legitimate when used in certain contexts.
- Profanity
- Profanity (Ambiguous)
- Racial
- Racial (Ambiguous)
- Sexual
- Sexual Slang
- Sexual (Ambiguous)

Note the following additional information about dictionaries:
- Tests against dictionaries only match the exact word listed, not other common endings, such as verb tenses.
- Wildcards are not supported in dictionaries.

113 Configuring filtering Managing policy resources

- You can enter multiple keywords as one phrase. Separate the keywords with spaces.
- Up to 100 dictionaries are supported, and each dictionary can contain up to 10,000 words.
- Individual words in a dictionary cannot be set to be more or less important than other dictionary words.
- A dictionary can be used in multiple compliance policies.
- When adding words to a dictionary, keep in mind that some words can be considered both profane and legitimate, depending on the context.
- Symantec Mail Security does not search for dictionary matches in the HTML headers or tags of HTML messages or HTML attachments.

To add a new dictionary
1 In the Control Center, click Policies > Dictionaries.
2 Click Add.
3 In the Dictionary name box, type a name for the dictionary.
  This is the name that appears on the Dictionaries page and in the drop-down list for the Any part of the message condition when configuring a compliance policy.
4 Type a keyword or phrase in the Enter a word or phrase box.
5 Click Add to add the keyword or phrase to the list at the bottom of the page.
6 Repeat steps 4 and 5 to add more keywords as desired.
7 Click Save.

Importing dictionary keywords
You can import dictionary keywords from a newline-delimited text file. Keywords can be imported into a new, empty dictionary, or an existing dictionary.

To import dictionary keywords
1 In the Control Center, click Policies > Dictionaries.
2 Click the dictionary that you want to import keywords into, or create a new dictionary by clicking Add.
3 Click Import.
  The dictionary keywords or phrases in the text file should be newline delimited: each keyword or phrase should be on a separate line.

114 Configuring filtering Managing policy resources

4 Click Save.

Editing a dictionary
Edit an existing dictionary to add or delete keywords.

To edit a dictionary
1 In the Control Center, click Policies > Dictionaries.
2 Click the dictionary that you want to edit.
3 Add or delete keywords as desired.
4 Click Save.

Adding and editing notifications
Notifications are preset messages that can be sent to the sender, recipients, or other addresses when a specified condition in a policy is met. For example, if you have a policy that strips .exe attachments from incoming messages, you may want to also notify the sender that the attachment has been stripped.

Notifications are different than alerts. Alerts are sent automatically when certain system problems occur, such as low disk space. See Configuring alerts and logs on page 155.

Note that the original message is delivered to the original recipients unless you specify an additional action that prevents this.

To add a new notification
1 In the Control Center, click Policies > Notifications.
2 Click Add.
3 In the Notification description box, type a name for the notification.
  This is the name that appears on the Notifications page and in the Notification list when you choose the Send notification action when configuring a policy.
4 In the Send from box, type an email address that the notification should appear to be from.
  Specify the full address including the domain name, such as [email protected]. Since recipients can reply to the address supplied, type an address where you can monitor responses to the notifications. Alternatively, include a statement in the notification that responses won't be monitored.

115 Configuring filtering Managing policy resources

5 Under Send to, check one or more of the following:
  Sender: Check this box to send the notification to the sender listed in the message envelope (not the sender listed in the From: header).
  Recipients: Check this box to send the notification to the recipients listed in the message envelope (not the recipients listed in the To: header).
  Others: Check this box to send the notification to one or more complete email addresses that you specify. Separate multiple addresses with a comma, semicolon, or space.
6 Choose a character encoding for the Subject.
  ISO and UTF-8 are appropriate for European languages. SHIFT-JIS, EUC-JP, and ISO-2022-JP are appropriate for Japanese.
7 In the Subject box, type the text for the Subject: header of the notification message.
8 Choose a character encoding for the Message body.
  ISO and UTF-8 are appropriate for European languages. SHIFT-JIS, EUC-JP, and ISO-2022-JP are appropriate for Japanese.
9 In the Message body box, type the text for the body of the notification message.
10 Optionally, check Attach the original message to attach the original message to the notification message.
11 Click Save.
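The attachment-list conditions of Table 4-15 (true file type and class by inspecting the bytes rather than trusting the name, plus literal file name, extension and MIME type matches) and the dictionary rules from Configuring dictionaries (substring matching, HTML tags not searched), worked as one added example. It is not the product's code: the magic-byte table is a small constructed subset, case-insensitive dictionary matching is an assumption, and the attachments and text are constructed.

```python
"""Attachment-list and dictionary conditions as the manual describes them.

Added example, not product code. 'True file type' and 'true file class'
are approximated by magic-byte sniffing of a few constructed signatures;
file name, extension and MIME type are compared literally (no wildcards)
with is / contains / begins with / ends with; dictionary matching is plain
substring matching (case-insensitive, an assumption) that skips HTML tags.
The attachments and message text below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# (leading bytes, true file type, true file class): constructed subset of
# what a real file-type inspector would know.
SIGNATURES = [
    (b"MZ", "Windows Executable", "Executable Files"),
    (b"PK\x03\x04", "ZIP Archive", "Archive Files"),
    (b"\x89PNG\r\n\x1a\n", "PNG Image", "Image Files"),
    (b"%PDF", "PDF Document", "Document Files"),
]

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda subject, text: subject == text,
    "contains": lambda subject, text: text in subject,
    "begins with": lambda subject, text: subject.startswith(text),
    "ends with": lambda subject, text: subject.endswith(text),
}


@dataclass
class Attachment:
    filename: str
    mime_type: str
    data: bytes


def true_file_type(data: bytes):
    """Inspect the bytes, not the name: returns (type, class)."""
    for magic, ftype, fclass in SIGNATURES:
        if data.startswith(magic):
            return ftype, fclass
    return "Unknown", "Unknown"


def extension_of(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:] if dot >= 0 else ""


@dataclass
class Condition:
    kind: str             # true file type | true file class | file name | extension | mime type
    value: str
    operator: str = "is"  # used for file name / extension / mime type only

    def matches(self, att: Attachment) -> bool:
        if self.kind == "true file type":
            return true_file_type(att.data)[0] == self.value
        if self.kind == "true file class":
            return true_file_type(att.data)[1] == self.value
        subject = {"file name": att.filename,
                   "extension": extension_of(att.filename),
                   "mime type": att.mime_type}[self.kind]
        return OPERATORS[self.operator](subject, self.value)


def matching_attachments(conditions: List[Condition],
                         attachments: List[Attachment]) -> List[str]:
    """Names of attachments hit by any condition of the attachment list."""
    return [a.filename for a in attachments if any(c.matches(a) for c in conditions)]


TAG_RE = re.compile(r"<[^>]*>")


def dictionary_hits(terms: List[str], text: str, is_html: bool = False) -> List[str]:
    """Dictionary terms found as substrings; HTML tags are not searched."""
    if is_html:
        text = TAG_RE.sub(" ", text)
    lowered = text.lower()
    return [t for t in terms if t.lower() in lowered]


# Constructed sample attachments; invoice.txt is an executable with a misleading name.
SAMPLE_ATTACHMENTS = [
    Attachment("report.pdf", "application/pdf", b"%PDF-1.4 constructed"),
    Attachment("invoice.txt", "text/plain", b"MZ\x90\x00constructed PE header"),
    Attachment("oxygen.txt", "text/plain", b"just text"),
]
EXECUTABLE_FILES = [Condition("true file class", "Executable Files")]

if __name__ == "__main__":
    print(matching_attachments(EXECUTABLE_FILES, SAMPLE_ATTACHMENTS))   # ['invoice.txt']
```

An extension-based condition (.exe) would miss invoice.txt; the true-file-class condition catches it, which is the point the table makes about extensions that do not reflect the true type.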


117 Chapter 5 Working with Spam Quarantine

This chapter includes the following topics:
- About Spam Quarantine
- Delivering messages to Spam Quarantine
- Working with messages in Spam Quarantine for administrators
- Configuring Spam Quarantine

About Spam Quarantine
Spam Quarantine provides storage of spam messages and Web-based end-user access to spam. Use of Spam Quarantine is optional. Quarantined messages and associated databases are stored on the Control Center. Symantec recommends Spam Quarantine for user populations of 30,000 users or less.

Delivering messages to Spam Quarantine
To use Spam Quarantine, check that your system is configured as follows:
- One or more groups must have an associated filter policy that quarantines messages. For example, you could create a suspected spam policy called Spam Quarantine that quarantines suspected spam messages and set it as the inbound suspected spam policy for the Default group.
- Control Center access to your LDAP server using Authentication must be working for end users to be able to log in to Spam Quarantine to check their quarantined messages, for LDAP alias expansion, and for the Delete Unresolved setting.

118 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators

Note: To understand how Spam Quarantine handles messages sent to distribution lists or aliases, see Notification for distribution lists/aliases on page 130.

Working with messages in Spam Quarantine for administrators
This section describes how Spam Quarantine works for administrators. Online help similar to this information is available for end users when they log into Spam Quarantine.

Accessing Spam Quarantine
Administrators access Spam Quarantine by logging into the Control Center. Administrators with full privileges or Manage Quarantine rights (view or modify) can work with messages in Quarantine. Administrators with view rights for Manage Quarantine will see the Quarantine Settings link in the Settings tab, but will be unable to make changes to those settings.

Users access Spam Quarantine by logging into the Control Center using the user name and password required by the type of LDAP server employed at your company. For users, the Spam Quarantine message list page is displayed after logging in.

Checking for new Spam Quarantine messages
New messages that have arrived since logging in and checking quarantined messages are not shown in the message list until you do one of the following:
- Click the Quarantine tab (or, if viewing Virus Quarantine, click Spam Quarantine in the left pane)
- Click Show Filters if necessary, then click Display All to cancel a search
Except for immediately after either of these two actions, newly arrived messages are not displayed in Spam Quarantine.

Administrator message list page
The administrator message list page provides a summary of the messages in Spam Quarantine. The user message list page is very similar. See Differences between the administrator and user message list pages on page 121.

119 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators

Work with messages on the message list page
The following steps describe how to perform some common tasks on the message list page.

To sort messages
Click on the To, From, Subject, or Date column heading to select the column by which to sort. A triangle appears in the selected column that indicates ascending or descending sort order. Click on the selected column heading to toggle between ascending and descending sort order. By default, messages are listed in date descending order, meaning that the newest messages are listed at the top of the page.

To view messages
Click on a message subject to view an individual message.

To redeliver misidentified messages
Click on the check box to the left of a misidentified message and then click Release to redeliver the message to the intended recipient. This also removes the message from Spam Quarantine. Depending on how you configured Spam Quarantine, a copy of the message may also be sent to an administrator address (such as yourself), Symantec, or both. This allows the administrator or Symantec to monitor the effectiveness of Symantec Mail Security for SMTP.

To delete individual messages
1 Click on the check box to the left of each message to select a message for deletion.
2 When you've selected all the messages on the current page that you want to delete, click Delete.
Deleting a message in the administrator's Spam Quarantine also deletes the message from the applicable user's Spam Quarantine. For example, if you delete Kathy's spam messages in the administrator's Spam Quarantine, Kathy won't be able to see those messages when accessing Spam Quarantine.

To delete all messages
Click Delete All to delete all the messages in Spam Quarantine, including those on other pages. This deletes all users' quarantined messages.

120 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators

To search messages
Click Show Filters to search messages for a specific recipient, sender, subject, message ID, or date range. See Searching messages on page 123.

To navigate through messages
Click one of the following buttons to navigate through message list pages:
- Go to beginning of messages
- Go to the end of messages. This button is displayed if there are less than 50 pages of messages after the current page.
- Go to previous page of messages
- Go to next page of messages
- Choose up to 500 pages before or after the current page of messages

To set the entries per page
On the Entries per page drop-down list, click a number.

Details on the administrator message list page
Note the following Spam Quarantine behavior:
- When you navigate to a different page of messages, the status of the check boxes in the original page is not preserved. For example, if you select three messages in the first page of messages and then move to the next page, when you return to the first page, all the message check boxes are cleared again.
- The To column in the message list page indicates the intended recipient of each message as listed in the message envelope. When you display the contents of a single message in the message details page, the To: header (not envelope) information is displayed, which is often forged by spammers.

121 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators

Differences between the administrator and user message list pages
The pages displayed for administrators and other users on your network have the following differences:
- Users can only view and delete their own quarantined messages. Quarantine administrators can view and delete all users' quarantined messages, either one by one, by deleting all messages, or by deleting the results of a search.
- When users click Release, the message is delivered to their own inbox. When a Quarantine administrator clicks Release, the message is delivered to the inbox of each of the intended recipients.
- The administrator message list page includes a To column containing the intended recipient of each message. Users can only see their own messages, so the To column is unnecessary.
- The Settings button is only available to Quarantine administrators, not users.
- Users only have access to Spam Quarantine, not the rest of the Control Center.

Administrator message details page
When you click on the subject line of a message in the message list page, this page displays the contents of individual quarantined messages. The user message details page is very similar. See Differences between the administrator and user message pages on page 123.

Note the following message details page behavior:
- Graphics appear as gray rectangles: When viewed in Spam Quarantine, the original graphics in messages are replaced with graphics of gray rectangles. This suppresses offensive images and prevents spammers from verifying your email address. If you release the message by clicking Release, the original graphics will be viewable by the intended recipient. It is not possible to view the original graphics within Spam Quarantine.
- Attachments can't be viewed: The names of attachments are listed at the bottom of the message, but the actual attachments can't be viewed from within Spam Quarantine.
However, if you redeliver a message by clicking Deliver, the message and attachments will be accessible from the inbox of the intended recipient.

122 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators

Work with messages in the message details page
The following steps describe how to perform some common tasks on the message details page.

To choose the language encoding for a message that doesn't display correctly
Click a language encoding in the drop-down list. The Control Center may not be able to determine the proper language encoding for messages containing double-byte characters, such as Asian-language messages. If the message is garbled, select the language encoding most likely to match the encoding used in the message.

To redeliver misidentified messages
Click Release to redeliver the message to the intended recipient. This also removes the message from Spam Quarantine. Depending on how you configured Spam Quarantine, a copy of the message may also be sent to an administrator address (such as yourself), Symantec, or both. This allows the administrator or Symantec to monitor the effectiveness of Symantec Mail Security for SMTP.

To delete the message
To delete the message currently being viewed, click Delete. When you delete a message, the page refreshes and displays the next message. If there are no more messages, the message list page is displayed. Deleting a message in the administrator's Spam Quarantine also deletes the message from the applicable user's Spam Quarantine. For example, if you delete Kathy's spam messages in the administrator's Spam Quarantine, Kathy won't be able to see those messages when accessing Spam Quarantine.

To navigate through messages
Click one of the following buttons to navigate through message details pages:
- Go to next message
- Go to previous message

To return to the message list
To return to the message list, click Back To Messages.

123 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators

To display full headers
To display all headers available to Spam Quarantine, click Display Full Headers. The full headers may provide clues about the origin of a message, but keep in mind that spammers usually forge some of the message headers.

To display brief headers
To display only the From:, To:, Subject:, and Date: headers, click Display Brief Headers.

Differences between the administrator and user message pages
The pages displayed for administrators and other users on your network have the following differences:
- Users can only view and delete their own quarantined messages. Quarantine administrators can view and delete messages for all users.
- Users only have access to Spam Quarantine, not the rest of the Control Center.

Searching messages
Click Show Filters on the message list page to display the search fields. Type in one or more boxes or choose a time range to display matching messages in the administrator Spam Quarantine. The search results are displayed in a page similar to the message list page. The user search page is very similar. See Differences between the administrator and user search pages on page 126 for more information.

If you search for multiple characteristics, only messages that match the combination of characteristics are listed in the search results. For example, if you typed LPQTech in the From box and Inkjet in the Subject box, only messages containing LPQTech in the From: header and Inkjet in the Subject: header would be listed in the search results.

Search messages
The search results sometimes may not return the results you expect. See Search details on page 125.

To display the search area
On the message list page, click Show Filters.

124 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators

To search the message envelope To recipient
Type in the To box to search the message envelope RCPT TO: recipient in all messages for the text you typed. You can search for a display name, the user name portion of an email address, or any part of a display name or user name. If you type a full address in the To box, only the user name portion of [email protected] is searched for. You can attempt to search for the domain portion of an address by typing just the domain, but if more than 50% of the messages contain part of the search phrase, nothing will be displayed. See Search details on page 125. The search is limited to the envelope To:, which may contain different information than the header To: displayed on the message details page.

To search From headers
Type in the From box to search the From: header in all messages for the text you typed. You can search for a display name, email address, or any part of a display name or address. The search is limited to the visible message From: header, which in spam messages is usually forged. The visible message From: header may contain different information than the message envelope.

To search Subject headers
Type in the Subject box to search the Subject: header in all messages for the text you typed.

To search the Message ID header
Type in the Message ID box to search the message ID in all messages for the text you typed. You can view the message ID on the message details page in Spam Quarantine by clicking Display Full Headers. In addition, most email clients have the capability of displaying the full message header, which includes the message ID. For example, in Outlook 2000, double click on a message to show it in a window by itself, click View, and then click Options. The message ID is typically assigned by the first server to receive the message and is supposed to be a unique identifier for a message.
However, spammers may tailor the message ID to suit their purposes, such as to hide their identity. For legitimate , the message ID may indicate the domain where the message was sent from or the server used to send the message.

To search using time range
Choose a time range from the Time Range list to show all messages from that time range.

Search details
The search function is optimized for searching a large number of messages. However, this can lead to unexpected search results. Keep in mind the following when analyzing search results:

Note: If any term in the search phrase matches 50% or more of the messages in the database, then the search will show no results.

• About 570 common words such as "after" and "which" are ignored in any of the search boxes, as well as the word "spam". These are called MySQL stopwords.
• Words of three characters or less are ignored. This applies to To, From, Subject, and Message ID searches.
• If any word in a multiple-word search is found in a message, that message is considered a match. For example, searching for red carpet will match red carpet, and also red wine and flying carpet. You don't have to put quote marks around search text that contains spaces.
• Searches match exact whole words only in To, From, Subject, and Message ID searches. A word is considered a group of letters, numbers, or underscores. For example, if you searched for finance, the search would not find refinance. Also, if you searched for [email protected], the search is interpreted as user_name OR example. Since com is three characters, it is ignored. The @ character and the period are treated as spaces.
• Search results are sorted in date descending order by default but can be re-sorted by clicking a column heading.
• Wildcards such as * are not supported in search. All searches are literal.
• If you search for multiple characteristics, only messages that match the combination of characteristics are listed in the search results. For example, if you typed LPQTech in the From box and Inkjet in the Subject box, only messages containing LPQTech in the From: header and Inkjet in the Subject: header would be listed in the search results.
• All text searches are case-insensitive. This means that if you typed emerson in the From box, then messages with a From: header containing emerson, Emerson, and EMERSON would all be displayed in the search results.
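The search rules listed above (whole-word matching, words of three or fewer characters dropped, stopwords dropped, OR within a box, AND across boxes, case folding, and the 50% rule) are easy to misread, so the following added example models them in Python on a constructed mailbox. It is an illustration written for this page, not Symantec's search code or MySQL's full-text engine; the stopword list is a small constructed subset of the real one, and the sample messages and addresses are made up.

```python
"""Model of the Spam Quarantine search rules described under "Search details".

Added illustration, not the product's code: it reproduces the documented
behaviour on constructed data so the caveats can be seen rather than inferred.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed subset of the MySQL stopword list plus "spam" (the guide says about 570 words are ignored).
STOPWORDS = {"after", "which", "spam", "your", "from", "with", "this", "that", "have", "there"}

# A word is a run of letters, digits or underscores; "@" and "." therefore act as separators.
WORD = re.compile(r"[A-Za-z0-9_]+")

# Search box name -> message field it searches.
BOXES = {"to": "envelope_to", "from_": "from_header", "subject": "subject", "message_id": "message_id"}


@dataclass
class QuarantinedMessage:
    envelope_to: str   # RCPT TO: recipient, not the header To:
    from_header: str   # visible (and often forged) From: header
    subject: str
    message_id: str


def words(text: str) -> List[str]:
    """Case-folded whole words of a field or a search phrase."""
    return [w.lower() for w in WORD.findall(text)]


def search_terms(phrase: str) -> List[str]:
    """Terms the search actually uses: words of <= 3 characters and stopwords are dropped."""
    return [w for w in words(phrase) if len(w) > 3 and w not in STOPWORDS]


def search(messages, to="", from_="", subject="", message_id=""):
    """Return messages matching every filled-in box (AND across boxes, OR within a box).

    Mirrors the documented quirks: a box whose words are all ignored matches nothing,
    and any term present in 50% or more of the messages makes the search return nothing.
    """
    filled = {"to": to, "from_": from_, "subject": subject, "message_id": message_id}
    criteria = []
    for box, phrase in filled.items():
        if not phrase.strip():
            continue
        terms = search_terms(phrase)
        if not terms:                  # e.g. "com" alone: every word ignored, nothing can match
            return []
        criteria.append((terms, BOXES[box]))

    # The 50% rule, applied per searched field.
    for terms, field in criteria:
        for term in terms:
            hits = sum(1 for m in messages if term in words(getattr(m, field)))
            if messages and 2 * hits >= len(messages):
                return []

    return [m for m in messages
            if all(any(t in words(getattr(m, field)) for t in terms) for terms, field in criteria)]


# Constructed sample mailbox, listed in date-descending order (the default sort).
SAMPLE = [
    QuarantinedMessage("alice@example.com", "LPQTech Sales <sales@lpqtech.example>",
                       "Inkjet cartridges at 70% off", "<1@mta.lpqtech.example>"),
    QuarantinedMessage("bob@example.com", "Emerson <emerson@corp.example>",
                       "Refinance your mortgage today", "<2@corp.example>"),
    QuarantinedMessage("carol@example.com", "LPQTech <news@lpqtech.example>",
                       "Red carpet premiere tickets", "<3@mta.lpqtech.example>"),
    QuarantinedMessage("dave@example.com", "Finance Dept <finance@corp.example>",
                       "Finance report attached", "<4@corp.example>"),
    QuarantinedMessage("postmaster@example.com", "noreply@example.net",
                       "Flying carpet sale", "<5@example.net>"),
]

if __name__ == "__main__":
    for m in search(SAMPLE, from_="LPQTech", subject="Inkjet"):
        print(m.subject)
```

Two things worth trying against the sample data: searching the Subject box for "finance" does not return the "Refinance" message, and typing a whole address such as emerson@corp.example into the From box returns nothing, because the word "example" occurs in every From: header and so trips the 50% rule.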

• The amount of time required for the search depends on how many search boxes you filled in and the number of messages in the current mailbox. Searching in the administrator mailbox will take longer than searching in a user's mailbox.
• Spammers usually spoof or forge some of the visible message headers such as From: and To: and the invisible envelope information. Sometimes they forge header information using the actual addresses or domains of innocent people or companies.

Differences between the administrator and user search pages
The pages displayed for administrators and other users on your network have the following differences:
• Quarantine administrators can search for recipients.
• In the Search Results page, users can only delete their own quarantined messages. Quarantine administrators can delete all users' quarantined messages.

Configuring Spam Quarantine
Most Spam Quarantine settings are accessed by clicking Quarantine Settings on the Settings tab, then clicking the Spam tab, if necessary.

Delivering messages to Spam Quarantine from the Scanner
Use the Group Policies filtering actions to deliver spam messages to Spam Quarantine.

Note: Spam Quarantine does not use a separate SMTP mail server to send notifications and resend misidentified messages, although an SMTP mail server must be available to receive notifications and misidentified messages sent by Spam Quarantine. Set this SMTP server on the Control Center Settings page. The SMTP server you choose should be downstream from the Scanner, as notifications and misidentified messages do not require filtering.

To deliver messages to Spam Quarantine
1 In the Control Center, click Policies > Spam.
2 Click Add.

3 Under Policy name, type Spam Quarantine or a descriptive name of your choice.
4 Under Apply to, click Inbound messages.
5 Under Groups, check the box next to the groups that should have their email quarantined.
6 Under Conditions, choose If a message is suspected spam. You may also want to configure spam to be deleted. Alternatively, you could configure both spam and suspected spam to be quarantined.
7 Under Perform the following action, click Hold message in Spam Quarantine.
8 Click Add Action.
9 Click Save.

For more information about Group Policies, see "Creating groups and adding members" on page 72.

Configuring Spam Quarantine port for incoming email
By default, Spam Quarantine accepts quarantined messages from the Scanner on port .

To specify a different port
In the Control Center, click Settings > Quarantine and type the new port in the Spam and suspect virus quarantine port box. You don't need to change any Scanner settings to match the change in the Spam and suspect virus quarantine port box.

To disable the Quarantine port, type 0 in the Spam and suspect virus quarantine port box. Disabling the spam and suspect virus quarantine port is appropriate if your computer is not behind a firewall and you're concerned about security risks.

Note: If you disable the Spam and suspect virus quarantine port, disable any spam or virus filtering policies that quarantine messages. Otherwise, quarantined messages will back up in the delivery MTA queue until the expiration time elapses and will then be bounced back to the original sender.

Configuring Spam Quarantine for administrator-only access
If you don't have an LDAP directory server configured or don't want users in your LDAP directory to access Quarantine, you can configure Quarantine so that only administrators can access the messages in Quarantine. When administrator-only access is enabled, you can still perform all the administrator tasks described in "Working with messages in Spam Quarantine for administrators" on page 118, including redelivering misidentified messages to local users, whether or not you're using an LDAP directory at your organization. However, notification of new spam messages is disabled when administrator-only access is enabled.

To configure Quarantine for administrator-only access
1 In the Control Center, click Settings > Quarantine.
2 On the Spam tab, under General Settings, check the box next to Administrator-only Quarantine.
3 Click Save.

Configuring the Delete Unresolved setting
By default, quarantined messages sent to non-existent addresses, based on LDAP lookup, will be deleted. If you clear the check box for Delete messages sent to unresolved addresses, these messages will be stored in the Spam Quarantine postmaster mailbox. "Undeliverable quarantined messages go to Spam Quarantine postmaster" on page 139 describes how to view these messages.

Note: If there is an LDAP server connection failure or LDAP settings have not been configured correctly, then quarantined messages addressed to nonexistent users are stored in the Spam Quarantine postmaster mailbox whether the Delete unresolved check box is selected or cleared.

Configuring the login help
By default, when users click the Need help logging in? link on the Control Center login page, online help from Symantec is displayed in a new window. You can customize the login help by specifying a custom login help page. This change only affects the login help page, not the rest of the online help. This method requires knowledge of HTML.

To specify a custom login help page
1 Create a Web page that tells your users how to log in and make it available on your network. The Web page should be accessible from any computer where users will log in to Spam Quarantine.
2 In the Control Center, click Settings > Quarantine Settings.
3 In the Login help URL box, type the URL to the Web page you created.
4 Click Save on the Quarantine Settings page.

To disable your custom login help page, delete the contents of the Login help URL box.

Configuring recipients for misidentified messages
If users or administrators find false positive messages in Spam Quarantine, they can click Release. Clicking Release redelivers the selected messages to the user's normal inbox. You can also send a copy to a local administrator, Symantec, or both.

Note: If you are quarantining messages flagged by content compliance filters, you should copy a local administrator who can review the misidentified messages and make appropriate changes to the content compliance filters. Unless you are quarantining spam, you should not copy Symantec Security Response. Symantec Security Response will take no action on submissions of suspected spam or content compliance policy violations.

To configure recipients for misidentified message submissions
1 In the Control Center, click Settings > Quarantine.
2 If needed, click the Spam tab.
3 To report misidentified messages to Symantec, under Misidentified Messages, click Symantec Security Response. This is selected by default. Symantec Security Response analyzes message submissions to determine if filters need to be changed. However, Symantec Security Response will not send confirmation of the misidentified message submission to the administrator or the user submitting the message.
4 To send copies of misidentified messages to a local administrator, under Misidentified Messages, click Administrator and type the appropriate address.

These messages should be sent to someone who will monitor misidentified messages at your organization to determine the effectiveness of Symantec Mail Security for SMTP. Type the full address including the domain name. The administrator address must not be an alias, or a copy of the misidentified message won't be delivered to the administrator address, and errors will be recorded in the log accessible from the Logs tab (not the BrightmailLog.log Spam Quarantine log file).
5 Click Save.

Configuring the user and distribution list notification digests
By default, a notification process runs at 4 a.m. every day and determines if users have new spam messages in Spam Quarantine since the last time the notification process checked. If so, it sends a message to users who have new spam to remind them to check their spam messages in Spam Quarantine. You can also choose to send notification digests to users on distribution lists. The sections below describe how to change the notification digest frequency and format.

Notification for distribution lists/aliases
If Spam Quarantine is enabled, a spam message sent to an alias with a one-to-one correspondence to a user's address is delivered to the user's normal quarantine mailbox. For example, if tom is an alias for tomevans, quarantined messages sent to tom or to tomevans all arrive in the Spam Quarantine account for tomevans.

Note: An alias on UNIX or distribution list on Windows is an address that translates to one or more other addresses. In this text, distribution list is used to mean an address that translates to two or more addresses.

When Symantec Mail Security for SMTP forwards a spam message sent to a distribution list to Spam Quarantine, the message is not delivered in the intended recipients' Spam Quarantine. Instead, the message is delivered to a special Spam Quarantine mailbox for that distribution list. However, you can configure Spam Quarantine to send notification digests about the messages in a distribution list mailbox to the recipients of that distribution list by selecting the Notify distribution lists check box on the Spam tab of the Quarantine Settings page.

If the Include View link box is selected, recipients of the notification digest can view all the quarantined distribution list messages. If the Include Release link box is selected, recipients of the notification digest can release quarantined distribution list messages. If any recipient clicks the Release button for a message in the quarantined distribution list mailbox, the message is delivered to the normal inboxes of all the distribution list recipients.

Note: For example, if a distribution list called mktng contains ruth, fareed, and darren, spam sent to mktng and configured to be quarantined won't be delivered to the Spam Quarantine inboxes for ruth, fareed, and darren. If the Notify distribution lists check box on the Quarantine Settings page is selected, then ruth, fareed, and darren will receive notifications about the quarantined mktng messages. If the Include View link box is selected on the Quarantine Settings page, then ruth, fareed, and darren can view the quarantined mktng messages by clicking the View link in the notification digests. If the Include Release link box is also selected, then ruth, fareed, and darren can redeliver any quarantined mktng message by clicking the Release button in the notification digest. If ruth clicks the Release button for a quarantined mktng message, the message is delivered to the normal inboxes of ruth, fareed, and darren.

Separate notification templates for standard and distribution list messages
By default, the notification templates for standard quarantined messages and quarantined distribution list messages are different. This allows you to customize the notification templates for each type of quarantined message.

Changing the notification digest frequency
To change the frequency at which notification messages are sent to users, follow the steps below. The default frequency is every day. To not send notification messages, change the Notification frequency to NEVER.

To change the notification digest frequency
1 In the Control Center, click Settings > Quarantine.
2 If needed, click the Spam tab.
3 Choose the desired setting from the Notification frequency drop-down list.
4 Choose the desired setting from the Notification start time drop-down lists.
5 Click Save.

Changing the notification digest templates
The notification digest templates determine the appearance of notification messages sent to users as well as the message subject and send-from address. The default notification templates are similar to the text listed below. The distribution list notification template lacks the information about logging in. In your browser, the text doesn't wrap, so you'll have to scroll horizontally to view some of the lines. This prevents unusual line breaks or extra lines if you choose to send notifications in HTML format.

    Spam Quarantine Summary for %USER_NAME%

    There are %NEW_MESSAGE_COUNT% new messages in your Spam Quarantine since you received your last Spam Quarantine Summary. These messages will automatically be deleted after %QUARANTINE_DAYS% days.

    To review the complete text of these messages, go to %QUARANTINE_URL% and log in.

    ===================== NEW QUARANTINE MESSAGES =====================
    %NEW_QUARANTINE_MESSAGES%
    ===================================================================

In the notification digest sent to users, the variables in Table 5-1 are replaced with the information described in the Description column. You can reposition each variable in the template or remove it.

Table 5-1 Notification Message Variables

Variable / Description

%NEW_MESSAGE_COUNT%
    Number of new messages in the user's Spam Quarantine since the last notification message was sent.

%NEW_QUARANTINE_MESSAGES%
    List of messages in the user's Spam Quarantine since the last notification was sent. For each message, the contents of the From:, Subject:, and Date: headers are printed. View and Release links are displayed for each message if they are enabled and you've chosen Multipart or HTML notification format.

%QUARANTINE_DAYS%
    Number of days messages in Spam Quarantine will be kept. After that period, messages will be purged.

%QUARANTINE_URL%
    URL that the user clicks to display the Spam Quarantine login page.

Table 5-1 Notification Message Variables (continued)

%USER_NAME%
    User name of the user receiving the notification message.

To edit the notification templates, digest subject, and send-from address
1 In the Control Center, click Settings > Quarantine.
2 If needed, click the Spam tab.
3 Under Notification Settings, click Edit next to Notification template.
4 In the Send from box, type the address that the notification digests should appear to be from. Since users can reply to the address supplied, type an address where you can monitor users' questions about the notification digests. Specify the full address including the domain name, such as [email protected].
5 In the Subject box, type the text that should appear in the Subject: header of notification digests, such as Your Suspected Spam Summary. Don't put message variables in the Subject box; they won't be expanded.

Note: The Send from and Subject settings will be the same for both the user notification template and the distribution list notification template.

6 Edit the user notification template, distribution list notification template, or both. See Table 5-1, "Notification Message Variables", on page 132. Don't manually insert breaks if you plan to send notifications in HTML.
7 Click Save to save your changes to the template and close the template editing window. Or, click one of the following:
    Default: Erase the current information and replace it with defaults.
    Cancel: Discard your changes to the notification template and close the template editing window.
8 Click Save on the Quarantine Settings page.

Enabling notification for distribution lists
You can configure Spam Quarantine to send notification digests about the messages in a distribution list mailbox to the recipients in a distribution list. See "Notification for distribution lists/aliases" on page 130 for more information.
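To make the template rules concrete (Table 5-1 substitution, the per-message summary built from From:, Subject: and Date:, View/Release links only in HTML or multipart output, the Subject box taken literally, and the summary disappearing when %NEW_QUARANTINE_MESSAGES% is removed), here is an added Python rendering of a digest. It is an illustration written for this page, not the product's template engine; the link URL shapes (/view?id=, /release?id=), the record ids and the sample messages are constructed.

```python
"""Render a Spam Quarantine notification digest from a template.

Added example, not the product's code: substitutes the Table 5-1 variables and
builds the message summary, adding View/Release links only for HTML output.
Link URL shapes and sample data are constructed for the example.
"""
from dataclasses import dataclass
from html import escape
from typing import List, Tuple

DEFAULT_TEMPLATE = """Spam Quarantine Summary for %USER_NAME%

There are %NEW_MESSAGE_COUNT% new messages in your Spam Quarantine since you received your last Spam Quarantine Summary. These messages will automatically be deleted after %QUARANTINE_DAYS% days.

To review the complete text of these messages, go to %QUARANTINE_URL% and log in.

===================== NEW QUARANTINE MESSAGES =====================
%NEW_QUARANTINE_MESSAGES%
==================================================================="""


@dataclass
class NewMessage:
    msg_id: str      # constructed quarantine record id used to build links
    sender: str      # From: header
    subject: str     # Subject: header
    date: str        # Date: header


def summary_line(m: NewMessage, fmt: str, base_url: str, include_view: bool, include_release: bool) -> str:
    """One summary line; links are only possible in the HTML part."""
    if fmt == "text":
        return f"{m.sender} | {m.subject} | {m.date}"
    cells = [escape(m.sender), escape(m.subject), escape(m.date)]
    if include_view:
        cells.append(f'<a href="{base_url}/view?id={m.msg_id}">View</a>')
    if include_release:
        cells.append(f'<a href="{base_url}/release?id={m.msg_id}">Release</a>')
    return " | ".join(cells)


def render_digest(template: str, user: str, messages: List[NewMessage], days: int, url: str,
                  fmt: str = "text", include_view: bool = True, include_release: bool = True) -> str:
    """Expand the Table 5-1 variables. If %NEW_QUARANTINE_MESSAGES% is absent, no summary (and no links) appears."""
    if fmt not in ("text", "html"):
        raise ValueError("fmt must be 'text' or 'html'; use render_multipart for both")
    summary = "\n".join(summary_line(m, fmt, url, include_view, include_release) for m in messages)
    values = {
        "%USER_NAME%": user,
        "%NEW_MESSAGE_COUNT%": str(len(messages)),
        "%QUARANTINE_DAYS%": str(days),
        "%QUARANTINE_URL%": url,
        "%NEW_QUARANTINE_MESSAGES%": summary,
    }
    out = template
    for var, value in values.items():
        out = out.replace(var, value)
    return out


def render_multipart(template: str, user: str, messages: List[NewMessage], days: int, url: str,
                     include_view: bool = True, include_release: bool = True) -> Tuple[str, str]:
    """Multipart (HTML and text): both parts; only the HTML part carries the links."""
    text = render_digest(template, user, messages, days, url, "text")
    html = render_digest(template, user, messages, days, url, "html", include_view, include_release)
    return text, html


def render_subject(subject_setting: str) -> str:
    """The Subject box is used literally: variables in it are not expanded."""
    return subject_setting


# Constructed sample input.
SAMPLE_MESSAGES = [
    NewMessage("1001", "LPQTech Sales", "Inkjet cartridges at 70% off", "Mon, 24 Apr 2006 09:12:00 +0000"),
    NewMessage("1002", "unknown <noreply@example.net>", "You have won", "Mon, 24 Apr 2006 10:03:00 +0000"),
]

if __name__ == "__main__":
    print(render_digest(DEFAULT_TEMPLATE, "tomevans", SAMPLE_MESSAGES, 7, "https://cc.example/quarantine"))
```

Sender and subject values are HTML-escaped in the HTML part because they come from untrusted mail headers and would otherwise be rendered as markup in the recipient's mail client.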

To enable notification for distribution lists
1 In the Control Center, click Settings > Quarantine.
2 If needed, click the Spam tab.
3 Under Notification Settings, click Notify distribution lists.
4 Click Save on the Quarantine Settings page.

Selecting the notification digest format
The notification digest template determines the MIME encoding of the notification message sent to users as well as whether View and Release links appear in the message.

To choose a notification format
1 In the Control Center, click Settings > Quarantine.
2 If needed, click the Spam tab.
3 Under Notification Settings, click one of the following items in the Notification format list:
    Multipart (HTML and text): Send notification messages in MIME multipart format. Users will see either the HTML version or the text version depending on the type of client they are using and the client settings. The View and Release links do not appear next to each message in the text version of the summary message.
    HTML only: Send notification messages in MIME type text/html only.
    Text only: Send notification messages in MIME type text/plain only. If you choose Text only, the View and Release links do not appear next to each message in the summary message.
4 Check the Include View link box to include a View link next to each message in the notification digest message summary. When a user clicks the View link in a notification digest message, the selected message is displayed in Spam Quarantine in the default browser. This check box is only available if you choose Multipart (HTML and text) or HTML only notification format. If you remove the %NEW_QUARANTINE_MESSAGES% variable from the notification digest template, the new message summary, including the View links, won't be available.
5 Check the Include Release link box to include a Release link next to each message in the notification digest message summary. The Release link is for misidentified messages. When a user clicks the Release link in a notification digest message, the adjacent message is released from Spam Quarantine and sent to the user's normal inbox. This check box is only available if you choose Multipart (HTML and text) or HTML only notification format. If you remove the %NEW_QUARANTINE_MESSAGES% variable from the notification digest template, the new message summary, including the Release links, won't be available.
6 Click Save.

Configuring the Spam Quarantine Expunger
The Spam Quarantine Expunger runs periodically to delete messages. You can configure the amount of time spam messages are kept before being deleted, the frequency of deletion, and the deletion start time.

Setting the retention period for messages
To change the amount of time spam messages are kept before being deleted, follow the steps below. You may want to shorten the retention period if quarantined messages are using too much of your system's disk space. However, a shorter retention period increases the chance that users may have messages deleted before they have been checked. The default retention period is 7 days.

By default, the Expunger runs at 1 a.m. every day to delete messages older than the retention period. Each time the process runs, at most 10,000 messages can be deleted. Increase the Expunger frequency if your organization receives a very large volume of spam messages.

To set the Spam Quarantine message retention period
1 In the Control Center, click Settings > Quarantine.
2 If needed, click the Spam tab.
3 Under Spam Quarantine Expunger, type the desired number of days in the Days to store in Spam Quarantine before deleting field.
4 Click Save on the Quarantine Settings page.

Setting the Expunger frequency and start time
The Expunger periodically deletes messages after the amount of time listed in the Days to store in Spam Quarantine before deleting field.

To set the Expunger frequency and start time
1 In the Control Center, click Settings > Quarantine Settings.
2 If needed, click the Spam tab.
3 Choose the desired setting from the Quarantine Expunger frequency drop-down list.
4 Choose the desired setting from the Quarantine Expunger start time drop-down lists.
5 Click Save.

Specifying Spam Quarantine message and size thresholds
To limit the number of messages in Spam Quarantine or the size of Spam Quarantine, configure Spam Quarantine threshold settings.

Table 5-2 Spam Quarantine Thresholds

Threshold / Description

Maximum size of quarantine database
    Maximum amount of disk space used for quarantined messages for all users. When a new message arrives after the threshold has been reached, a group of the oldest messages is deleted, and the new message is kept.

Maximum size per user
    Maximum amount of disk space used for quarantined messages per user. When a new message arrives after the threshold has been reached, a group of the oldest messages for the user is deleted, and the new message is kept.

Maximum number of messages
    Maximum number of messages for all users (the same message sent to multiple recipients counts as one message). When a new message arrives after the threshold has been reached, a group of the oldest messages is deleted, and the new message is kept.

Maximum number of messages per user
    Maximum number of quarantined messages per user. When a new message arrives after the threshold has been reached, a group of the oldest messages for the user is deleted, and the new message is kept.

To specify Spam Quarantine message and size thresholds
1 In the Control Center, click Settings > Quarantine.
2 Under Thresholds, for each type of threshold you want to configure, select the check box and enter the size or message threshold. You can configure multiple thresholds.

3 Click Save.

Note: No alert or notification occurs if Spam Quarantine thresholds are exceeded. However, you can be alerted when disk space is low, which may be caused by a large number of messages in the Spam Quarantine database. For more information about alerts, see "Configuring alerts and logs" on page 155.

Note: Disabling per-user thresholds can dramatically improve quarantine performance.

Troubleshooting Spam Quarantine
The following sections describe some problems that may occur with Spam Quarantine.

Message "The operation could not be performed" is displayed
Rarely, you or users at your organization may see the following message displayed at the top of the Spam Quarantine page while viewing messages in Spam Quarantine: The operation could not be performed. If this happens, check the error log as described in "Checking the Control Center error log" on page 194.

Can't log in due to conflicting LDAP and Control Center accounts
If there is an account in your LDAP directory with the user name admin, you won't be able to log in to Spam Quarantine as admin, but you will still be able to log in to the Control Center as admin. This is because your LDAP administrator account name conflicts with the default Control Center administrator account name. To address this problem, you can change the user name in LDAP. You cannot change the admin user name in the Control Center.

Error in log file due to very large spam messages
If you check the log file as described in "Checking the Control Center error log" on page 194 and see lines similar to those listed below, the messages forwarded from the Scanner to Spam Quarantine are larger than the standard packet size used by MySQL (1 MB).

    com.mysql.jdbc.packettoobigexception: Packet for query is too large ( > )
    at com.mysql.jdbc.mysqlio.send(mysqlio.java:1554)
    at com.mysql.jdbc.mysqlio.send(mysqlio.java:1540)
    at com.mysql.jdbc.mysqlio.sendcommand(mysqlio.java:1005)
    at com.mysql.jdbc.mysqlio.sqlquerydirect(mysqlio.java:1109)
    at com.mysql.jdbc.connection.execsql(connection.java:2030)
    at com.mysql.jdbc.preparedstatement.executeupdate(preparedstatement.java:1750)
    at com.mysql.jdbc.preparedstatement.executeupdate(preparedstatement.java:1596)
    at org.apache.commons.dbcp.delegatingpreparedstatement.executeupdate(DelegatingPreparedStatement.java:207)
    at com.brightmail.dl.jdbc.impl.databasesqlmanager.handleupdate(unknown Source)
    at com.brightmail.dl.jdbc.impl.databasesqlmanager.handleupdate(unknown Source)
    at com.brightmail.dl.jdbc.impl.databasesqltransaction.create(unknown Source)
    at com.brightmail.bl.bo.impl.spammanager.create(unknown Source)
    at com.brightmail.service.smtp.impl.smtpconsumer.run(unknown Source)

Error in log file: cannot release mail from Spam Quarantine
This can occur if the IP address of the Control Center is not specified for inbound and outbound mail settings on the Settings > Hosts Add or Edit page, SMTP tab. See "SMTP Scanner settings" on page 22 for instructions.

Users don't see distribution list messages in their Spam Quarantine
When a Scanner forwards a spam message sent to a distribution list to Spam Quarantine, the message is not delivered in the intended recipients' quarantine. Instead, the message is delivered to a special Spam Quarantine mailbox for that distribution list. For more information, see "Notification for distribution lists/aliases" on page 130.

Undeliverable quarantined messages go to Spam Quarantine postmaster
If Spam Quarantine can't determine the proper recipient for a message received by Symantec Mail Security for SMTP, it delivers the message to a postmaster mailbox accessible from Spam Quarantine unless you have specified Delete messages sent to unresolved addresses in Settings > Quarantine. Your network may also have a postmaster mailbox you access using a mail client that is separate from the Spam Quarantine postmaster mailbox. Spam messages may also be delivered to the Spam Quarantine postmaster mailbox if there is a problem with the LDAP configuration.

Note: No notification messages are sent to the postmaster mailbox.

To display messages sent to the postmaster mailbox
1 Log in to the Control Center as an administrator with full privileges or Manage Quarantine rights.
2 Click Quarantine.
3 Click Show Filters.
4 In the To box, type postmaster.
5 Specify additional filters as needed.
6 Click Display Filtered or Display All.

Error in log file due to running out of disk space
If you check the log file as described in "Checking the Control Center error log" on page 194 and see lines similar to those listed below, make sure that you haven't run out of disk space on the computer where Spam Quarantine is installed. If that isn't the problem, follow the steps below.

    9 Jan :00:22 (ERROR:5396:6396):[2032] Error connecting to :41025: Unknown Error; Out of range.
    9 Jan :00:22 (ERROR:5396:6396):[4042] smtp_direct: failed to connect to SMTP server.

To correct this problem
1 Delete the following directory: .../tomcat/jakarta-tomcat-version/work
2 Reboot the computer where Spam Quarantine is installed.
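The two log excerpts above (the MySQL PacketTooBigException for oversize messages, and the SMTP connect failures seen when the Spam Quarantine host runs out of disk space) are the kind of signature an operator wants to spot automatically rather than by reading the log. The following added Python triage is an illustration written for this page, not a Symantec tool: the patterns are taken from the excerpts in this chapter, the remediation text summarises the guide's own steps, and the sample log lines (timestamps, ids, addresses, packet sizes) are constructed.

```python
"""Classify Control Center log lines against the failure signatures this chapter documents.

Added example, not part of the product. Patterns come from the two log excerpts
in the troubleshooting sections; the sample lines below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Signature name -> (regex over a single log line, remediation summarised from the guide)
SIGNATURES = {
    "oversize_message": (
        re.compile(r"PacketTooBigException: Packet for query is too large", re.IGNORECASE),
        "Messages forwarded from the Scanner exceed the 1 MB MySQL packet size.",
    ),
    "smtp_delivery_failure": (
        # Either line of the disk-space excerpt: the connect error or the smtp_direct failure.
        re.compile(r"Error connecting to [^:]*:\d+:|smtp_direct: failed to connect to SMTP server",
                   re.IGNORECASE),
        "Check free disk space on the Spam Quarantine host; if space is fine, clear the Tomcat "
        "work directory and reboot, as the guide describes.",
    ),
}


def classify(line: str) -> Optional[str]:
    """Return the first matching signature name, or None for an unremarkable line."""
    for name, (pattern, _) in SIGNATURES.items():
        if pattern.search(line):
            return name
    return None


def triage(lines: List[str]) -> Dict[str, int]:
    """Count matches per signature so a recurring documented problem stands out."""
    counts: Counter = Counter()
    for line in lines:
        name = classify(line)
        if name is not None:
            counts[name] += 1
    return dict(counts)


def remediation(name: str) -> str:
    """Guide-derived next step for a signature name."""
    return SIGNATURES[name][1]


# Constructed sample log, modelled on the excerpts in this chapter; values are made up.
SAMPLE_LOG = [
    "9 Jan 2006 01:00:22 (ERROR:5396:6396):[2032] Error connecting to 127.0.0.1:41025: Unknown Error; Out of range.",
    "9 Jan 2006 01:00:22 (ERROR:5396:6396):[4042] smtp_direct: failed to connect to SMTP server.",
    "9 Jan 2006 01:05:10 (INFO:5396:6396):[1000] Expunger run complete, 0 messages deleted.",
    "com.mysql.jdbc.PacketTooBigException: Packet for query is too large (1433172 > 1048576).",
    "    at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)",
]

if __name__ == "__main__":
    for name, count in triage(SAMPLE_LOG).items():
        print(f"{name}: {count} line(s) -> {remediation(name)}")
```

The signature regexes are case-insensitive because extracted copies of these logs (including the one in this guide) sometimes lose the original capitalisation of Java class names.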

Users receive notification messages, but can't access messages
If some users at your company can successfully log in to Spam Quarantine and read their spam messages, but others get a message saying that there are no messages to display after logging in to Spam Quarantine, there may be a problem with the Active Directory (LDAP) configuration. If the users who can't access their messages are in a different Active Directory domain than the users who can access their messages, configure LDAP in the Control Center to use a Global Catalog, port 3268, and verify that the ncname attribute is replicated to the Global Catalog as described below.

Configure access to a Global Catalog
To configure your computer to access a Global Catalog, specify the port for the Global Catalog, usually 3268, in your LDAP server settings page in the Control Center. In addition, verify that the ncname attribute is replicated to the Global Catalog.

To replicate the ncname attribute to the Global Catalog using the Active Directory Schema snap-in
1 Click Start > Run, type regsvr32 schmmgmt.dll and click OK.
2 Click Start > Run, type mmc and click OK.
3 Click File > Add/Remove Snap-in.
4 Click Add and select Active Directory Schema from the list.
5 In the left pane, expand Active Directory Schema, and click Attributes.
6 In the right pane, locate and double-click the ncname attribute.
7 Check the Replicate this attribute to the Global Catalog check box.

If an error occurs after performing the steps above, make sure that the current domain controller has permission to modify the schema.

To grant permission to the current domain controller (if necessary)
1 Open the Active Directory Schema snap-in as described above.
2 In the left pane, click Active Directory Schema to select it.
3 Click Action > Operations Master.
4 Check the check box for The Schema may be modified on this Domain Controller.

If replication to the Global Catalog cannot be modified as described above, contact your Symantec representative for a work-around.

Duplicate messages appear in Spam Quarantine
You may notice multiple copies of the same message when logged in to Spam Quarantine as an administrator. When you read one of the messages, all of them are marked as read. This behavior is intentional. If a message is addressed to multiple users at your company, Spam Quarantine stores one copy of the message in its database, although the status (read, deleted, etc.) of each user's message is stored per user. Because the administrator views all users' messages, the administrator sees every user's copy of the message. If the administrator clicks Release, a copy of the message is redelivered to each affected user mailbox.

Maximum number of messages in Spam Quarantine

Note: If you don't set any Spam Quarantine thresholds and your system has adequate capacity, there is a 1 TB (terabyte) MySQL limit on the number of messages that can be stored in Spam Quarantine (the same message sent to multiple recipients counts as one message). For more information about Spam Quarantine thresholds, see "Specifying Spam Quarantine message and size thresholds" on page 136.

Copies of misidentified messages aren't delivered to administrator
If you typed an address in the Administrator box under Misidentified Messages on the Quarantine Settings page but messages aren't being delivered to the address, make sure the address is not an alias. The administrator address for misidentified messages must be a primary address including the domain name, such as [email protected].

Message "Unable to release the message" is displayed
This message may occur if there is a problem with message traffic on your inbound or outbound MTA.
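The storage behaviour described in this chapter (Table 5-2's message-count thresholds that drop "a group of the oldest messages" when a new one arrives after the limit is reached, and the single stored copy with per-user status that makes an administrator see apparent duplicates) can be modelled in a few dozen lines. The following added Python model is an illustration written for this page, not the product's database code; the guide does not state how many messages form "a group", so the eviction batch size is a constructed parameter, only the message-count thresholds are modelled (the size thresholds follow the same pattern), and the sample users and messages are made up.

```python
"""Model of Spam Quarantine storage: one copy per message, per-user status, count thresholds.

Added example, not the product's code. Eviction batch size and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class StoredMessage:
    seq: int                                   # arrival order stands in for the date
    subject: str
    status: Dict[str, str] = field(default_factory=dict)   # user -> "unread" | "read" | "deleted"


class SpamQuarantine:
    """Single-copy message store with the two message-count thresholds of Table 5-2."""

    def __init__(self, max_messages: Optional[int] = None, max_per_user: Optional[int] = None,
                 evict_batch: int = 2):
        self.max_messages = max_messages      # "Maximum number of messages" (all users)
        self.max_per_user = max_per_user      # "Maximum number of messages per user"
        self.evict_batch = evict_batch        # constructed: how many oldest messages form "a group"
        self.messages: List[StoredMessage] = []
        self._seq = 0

    def _live(self, m: StoredMessage, user: str) -> bool:
        return m.status.get(user) not in (None, "deleted")

    def count_all(self) -> int:
        """One message to many recipients counts once, as the guide notes."""
        return len(self.messages)

    def inbox(self, user: str) -> List[StoredMessage]:
        return [m for m in self.messages if self._live(m, user)]

    def count_for(self, user: str) -> int:
        return len(self.inbox(user))

    def admin_view(self) -> List[Tuple[int, str]]:
        """Administrator list: every recipient's copy, hence the apparent duplicates."""
        return [(m.seq, u) for m in self.messages for u, s in m.status.items() if s != "deleted"]

    def store(self, subject: str, recipients: List[str]) -> StoredMessage:
        """Accept a new message; if a threshold is already reached, drop a group of the oldest first."""
        if self.max_messages is not None and self.count_all() >= self.max_messages:
            self._evict(self.messages)
        if self.max_per_user is not None:
            for user in recipients:
                if self.count_for(user) >= self.max_per_user:
                    self._evict(self.inbox(user), user)
        self._seq += 1
        msg = StoredMessage(self._seq, subject, {u: "unread" for u in recipients})
        self.messages.append(msg)
        return msg

    def _evict(self, candidates: List[StoredMessage], user: Optional[str] = None) -> None:
        for m in sorted(candidates, key=lambda m: m.seq)[: self.evict_batch]:
            if user is None:
                self.messages.remove(m)                  # global threshold: drop the stored copy
            else:
                m.status[user] = "deleted"               # per-user threshold: only this user's copy
                if all(s == "deleted" for s in m.status.values()):
                    self.messages.remove(m)              # no recipient left, drop the stored copy

    def _get(self, seq: int) -> StoredMessage:
        return next(m for m in self.messages if m.seq == seq)

    def mark_read(self, seq: int, user: Optional[str] = None) -> None:
        """A user marks their own copy; the administrator (user=None) marks every copy."""
        m = self._get(seq)
        for u in ([user] if user else list(m.status)):
            if m.status.get(u) == "unread":
                m.status[u] = "read"

    def release(self, seq: int) -> List[str]:
        """Administrator Release: the message is redelivered to each affected user."""
        return [u for u, s in self._get(seq).status.items() if s != "deleted"]
```

Usage sketch: `q = SpamQuarantine(max_per_user=2, evict_batch=1)` followed by three `q.store(...)` calls for the same user leaves that user with two messages, while a co-recipient of the evicted message still sees it, because only the evicting user's status changed.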


Chapter 6
Working with Suspect Virus Quarantine

This chapter includes the following topics:
About Suspect Virus Quarantine
Accessing Suspect Virus Quarantine
Configuring Suspect Virus Quarantine

About Suspect Virus Quarantine

The Suspect Virus Quarantine provides short-term storage of messages that are suspected to contain viruses. Messages can be held for examination in the Suspect Virus Quarantine for up to 24 hours. Suspect Virus Quarantine functions are governed in part by specific settings and in part by the virus filter policies associated with one or more groups. Quarantined messages and the associated databases are stored on the Control Center.

To use Suspect Virus Quarantine, configure your system so that one or more groups has an associated filter policy that both enables virus scanning for messages and delays, or strips and delays, messages containing suspicious attachments. For example, you can create a policy called potential_virus that delays messages containing suspicious attachments and set it as the inbound and outbound suspicious attachment message policy for the Default group.

Accessing Suspect Virus Quarantine

Access Suspect Virus Quarantine by logging into the Control Center. All administrators can work with messages in Suspect Virus Quarantine, but only administrators with full privileges or Modify rights for Manage Quarantine can change Quarantine settings. Administrators with only View rights for Manage Quarantine see the Settings tab but cannot change those settings, and they cannot release or delete messages.

Checking for new Suspect Virus Quarantine messages

New messages that have arrived since you logged in and checked quarantined messages are not shown in the message list until you do one of the following:
Click Quarantine > Suspect Virus Quarantine.
Make selections in Show Filters if necessary, then click Display All to cancel a search.
Except immediately after these two actions, newly arrived messages are not displayed in Suspect Virus Quarantine.

Suspect Virus Quarantine messages page

The Suspect Virus Quarantine messages page provides a summary of the messages in Suspect Virus Quarantine.

Virus message quarantine procedures

The following steps describe how to perform some common tasks on the Virus Message Quarantine page.

To get to the Virus Message Quarantine page
From the Control Center, click Quarantine > Suspect Virus Quarantine.

To sort messages
Click the To, From, Subject, or Date column heading to select the column by which to sort. A triangle in the selected column indicates ascending or descending sort order. Click the selected column heading again to toggle between ascending and descending order. By default, messages are listed in descending date order, so the newest messages appear at the top of the page.

To view messages
Click a message subject to view an individual message.

To redeliver misidentified messages
Click the check box to the left of a misidentified message and then click Release to redeliver the message to the intended recipient. This also removes the message from Suspect Virus Quarantine. Release only messages you have examined: a message is held here because it looked as though it might carry a virus, and releasing it delivers it to the recipient.

Note: Releasing messages requires access to the IP address of the Control Center. If you are limiting inbound or outbound SMTP access, refer to the Inbound Mail Settings and Outbound Mail Settings definitions in SMTP Scanner settings on page 22.

To delete individual messages
1 Click the check box to the left of each message that you want to delete.
2 When you have selected all the messages on the current page that you want to delete, click Delete.

To delete all messages
Click Delete All to delete all the messages in Suspect Virus Quarantine, including those on other pages.

To release all messages
Click Release All to release all the messages in Suspect Virus Quarantine, including those on other pages. Release All delivers every held message to its recipients, so use it only after the held messages have been examined.

To search messages
Click Display Filtered to search messages for a specific recipient, sender, subject, or date range. See Searching messages on page 146.

To navigate through messages
Click one of the following buttons to navigate through message list pages:
Go to beginning of messages
Go to end of messages. This button is displayed if there are fewer than 50 pages of messages after the current page.
Go to previous page of messages

Go to next page of messages
Choose up to 500 pages before or after the current page of messages

To set the entries per page
On the Entries per page drop-down list, click a number.

Details on the message list page

Note the following Suspect Virus Quarantine behavior:
When you navigate to a different page of messages, the status of the check boxes on the original page is not preserved. For example, if you select three messages on the first page of messages and then move to the next page, all the message check boxes are cleared again when you return to the first page.
The To column in the message list page shows the intended recipient of each message as listed in the message envelope. When you display the contents of a single message in the message details page, the To: header (not the envelope) is displayed, and spammers often forge this header.

Searching messages

Click Show Filters on the message list page to display the search fields. Type in one or more boxes or choose a time range to display matching messages in the Suspect Virus Quarantine. The search results are displayed in a page similar to the message list page. If you search for multiple characteristics, only messages that match the combination of characteristics are listed in the search results. For example, if you typed LPQTech in the From box and Inkjet in the Subject box, only messages containing LPQTech in the From: header and Inkjet in the Subject: header would be listed in the search results.

Search messages

The search results sometimes may not return the results you expect. See Search details on page 147.

To display the search area
On the Virus Message Quarantine page, click Show Filters.

To search message envelope To recipient
Type in the To box to search the message envelope RCPT TO: recipient in all messages for the text you typed. You can search for a display name, the user name portion of an address, or any part of a display name or user name. If you type a full address in the To box, only the user name portion of [email protected] is searched for. The search is limited to the envelope To:, which may contain different information than the header To: displayed on the message details page.

To search From headers
Type in the From box to search the From: header in all messages for the text you typed. You can search for a display name, address, or any part of a display name or address. The search is limited to the visible message From: header, which in spam messages is usually forged. The visible message From: header may contain different information than the message envelope.

To search Subject headers
Type in the Subject box to search the Subject: header in all messages for the text you typed.

To search using a time range
Choose a time range from the Time Range list to show all messages from that time range.

Search details

Note the following search behavior:
All text searches match any instance of the term you type, whether it occurs by itself, as a word, or as part of a word or phrase. For example, if you typed finance into the Subject box, messages with the following subject lines would all be displayed in the search results:
Finance
Refinance your Mortgage
Have you REFINANCED Yet?
Wildcards such as * are not supported in search. All searches are literal.
You do not have to put quote marks around search text that contains spaces.
All text searches are case-insensitive: for example, if you typed emerson in the From box, messages with a From header containing emerson, Emerson, or EMERSON would all be displayed in the search results.
The amount of time required for the search depends on how many search boxes you filled in and the number of messages in the current mailbox. Searching in the administrator mailbox takes longer than searching in a user's mailbox.
Spammers usually spoof or forge some of the visible message headers, such as From and To, and sometimes the invisible envelope information as well. Sometimes they forge header information using the actual addresses or domains of innocent people or companies. Treat a search hit on a From address as a match on what the sender wrote, not as evidence of who sent the message.

Configuring Suspect Virus Quarantine

The following sections are available to help you configure the Suspect Virus Quarantine:
Configuring Suspect Virus Quarantine port for incoming email
Configuring the size for Suspect Virus Quarantine

Configuring Suspect Virus Quarantine port for incoming email

By default, Suspect Virus Quarantine accepts quarantined messages from the Scanner on its default port. To specify a different port, type it in the Spam and Suspect Virus Quarantine Port box, located at Settings > Quarantine. You do not need to change any Scanner settings to match the change in the Spam and Suspect Virus Quarantine Port box.

To disable the Quarantine port, type 0 in the Spam and Suspect Virus Quarantine Port box. Disabling the Spam and Suspect Virus Quarantine port is appropriate if your computer is not behind a firewall and you are concerned about security risks. If you need to keep the port open, restrict access to it at the firewall so that only your Scanners can reach it; the port exists to accept quarantined mail from Scanners and does not need to be reachable from anywhere else.

If you disable the Spam and Suspect Virus Quarantine port, also disable any spam or virus filtering policies that quarantine messages. Otherwise, quarantined messages back up in the delivery MTA queue until the expiration time elapses and are then bounced back to the original sender. Because the envelope sender of spam and virus mail is usually forged, such bounces go to innocent third parties (backscatter).

Configuring the size for Suspect Virus Quarantine

You can choose the amount of disk space to be used by Suspect Virus Quarantine.

To configure the size for your Suspect Virus Quarantine
1 Click Settings > Quarantine.
2 Specify your desired values for the options provided in Maximum size of suspect virus quarantine. The default is 10 GB.


Chapter 7
Testing Symantec Mail Security for SMTP

This chapter includes the following topics:
Verifying normal delivery
Verifying spam filtering
Testing antivirus filtering
Verifying filtering to the Spam Quarantine

The following are sample tests by which you can verify that Symantec Mail Security for SMTP is filtering your email as intended. Use these tests as models for additional tests that you can perform periodically.

Verifying normal delivery

You can verify whether the Windows SMTP Service or your installed MDA is working properly with the Scanner to deliver legitimate mail by sending an email to a user.

To test delivery of legitimate mail
1 Send an email with the subject line Normal Delivery Test to a user.
2 Verify that the test message arrives correctly in the normal delivery location on your local host.

Verifying spam filtering

This test assumes you are using the default installation settings for spam message handling.

To test spam filtering with subject line modification
1 Create a POP3 account on your MDA. For the SMTP Server setting on this account, specify the IP address of an enabled Scanner.
2 Compose an email message addressed to an account on the machine running the Scanner.
3 Give the message a subject that is easy to find, such as Test Spam Message.
4 To classify the message as spam, include the following URL on a line by itself in the message body:
5 Send the message.
6 Check the account to which you sent the message. You should find a message with the same subject prefixed by the word [Spam].
7 Send a message that is not spam to the same account used in step 2.
8 In the Control Center, click Status > Overview after several minutes have passed. The Spam counter on the Overview page increases by one if filtering is working, and the message sent in step 7 should arrive without the [Spam] prefix.

Testing antivirus filtering

You can verify that antivirus filtering is working correctly by sending a test message containing a pseudo-virus. This is not a real virus; it is a test file that antivirus products detect by agreement.

To test antivirus filtering
1 Using your preferred email program, create an email message addressed to a test account to which a policy is assigned that allows cleaning of virus-infected messages. For information on virus policies, see Creating virus policies.
2 Attach a virus test file such as eicar.com to the email. Virus test files are available from EICAR. Desktop antivirus software on the machine where you compose the message may remove the attachment before the message is sent; if so, compose the message on a machine without real-time scanning or add an exclusion for the test file.
3 Send the message.
4 Send a message that does not contain a virus to the same account referenced in step 1.
5 In the Control Center, click Status > Overview after several minutes pass.

Typically, this is sufficient time for statistics to update on the Control Center. The Viruses counter on the Overview page increases by one if filtering is working.
6 Check the mailbox for the test account to verify receipt of the cleaned message with the text indicating that cleaning has occurred.

Verifying filtering to the Spam Quarantine

If you configure Symantec Mail Security for SMTP to forward spam messages to Spam Quarantine as described below, you should see spam messages when you enter the Spam Quarantine. There can be a slight delay until the first spam message arrives, depending on the amount of spam received at your organization.

If new spam messages arrive for a user while that user is viewing quarantined messages, the new spam messages are displayed after a page change. For example, if you are viewing an individual message and then return to the message list, any new messages that have just arrived are added to the message list and displayed according to the sorting order.

Symantec Mail Security for SMTP must be configured to forward spam messages to Spam Quarantine. If the default configuration is not changed, Symantec Mail Security inserts [Spam] in the subject line of spam messages and delivers them to users' normal inboxes rather than to Spam Quarantine. Any antispam message category can be configured by policy to forward messages to Spam Quarantine for groups assigned to that policy. You can choose to have all, some, or none of the available message types forwarded to Spam Quarantine, depending on the policies set for each. To set up delivery of messages to Spam Quarantine, see To deliver messages to Spam Quarantine on page 126.

To verify sending a spam message to Spam Quarantine
1 Using an email client such as Microsoft Outlook Express, open an email addressed to an account that belongs to a group configured to filter spam to Spam Quarantine. See Delivering messages to Spam Quarantine on page 117 for step-by-step instructions on creating such a configuration policy for a group.
2 Give the message a subject that is easy to find, such as Test Spam Message.
3 To classify the message as spam, include the following URL on a line by itself:
4 Send the message.
5 Send a message to the same account that is not spam and that does not contain any viruses.
6 In the Control Center, click the Spam Quarantine tab and click Search.
7 Search under Subject for a message with the subject Test Spam Message. The non-spam message sent in step 5 should reach the user's inbox instead of the Spam Quarantine.
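The three tests in this chapter (normal delivery, spam tagging, antivirus cleaning) are manual mail-client steps above. The following is an added example, not part of the Symantec guide, that builds the same test messages with Python's standard library so they can be sent on a schedule and the results checked mechanically. It assumes, beyond what the guide states, that the Scanner accepts SMTP on port 25 and that the spam test line is supplied by the caller (the guide's own test URL is not reproduced here); the host names and addresses in the usage call are hypothetical.

```python
# Added example (not from the Symantec guide): builds the Chapter 7 test
# messages and submits them to a Scanner over SMTP.
# Assumptions not taken from the guide: the Scanner accepts SMTP on port 25,
# and the spam test line (the guide's URL is not reproduced here) is passed
# in by the caller.
import smtplib
from email.message import EmailMessage

# The EICAR test string: a harmless, industry-agreed antivirus test pattern.
# Real-time antivirus on the machine running this script may quarantine the
# outgoing message; that is the detector working, not a bug in the test.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _base_message(sender, recipient, subject):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    return msg


def build_normal_message(sender, recipient):
    """'Verifying normal delivery': a plain message that must arrive
    untouched (no [Spam] tag, no cleaning notice)."""
    msg = _base_message(sender, recipient, "Normal Delivery Test")
    msg.set_content("Legitimate test message. It should arrive unmodified.\n")
    return msg


def build_spam_test_message(sender, recipient, spam_test_line):
    """'Verifying spam filtering': the test line must sit on a line by
    itself, so it is framed with newlines rather than appended to prose."""
    msg = _base_message(sender, recipient, "Test Spam Message")
    msg.set_content("Spam filter test.\n" + spam_test_line + "\nEnd of test.\n")
    return msg


def build_virus_test_message(sender, recipient):
    """'Testing antivirus filtering': eicar.com attached as a binary part.
    The body is kept clean so a cleaning policy has only the attachment
    to act on."""
    msg = _base_message(sender, recipient, "Antivirus Filter Test")
    msg.set_content("Antivirus filter test. The attachment is the EICAR test file.\n")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def attachments(msg):
    """(filename, bytes) for each attachment; confirms the EICAR part
    survived MIME encoding before anything is sent."""
    return [(p.get_filename(), p.get_content()) for p in msg.iter_attachments()]


def spam_line_is_alone(msg, spam_test_line):
    """True when the test line occupies a whole line of a single-part body,
    which is what the guide's spam test requires."""
    return spam_test_line in msg.get_content().splitlines()


def delivered_as_spam(delivered_subject):
    """What to check in the recipient mailbox under the default settings:
    the subject of a spam message starts with the [Spam] tag."""
    return delivered_subject.startswith("[Spam]")


def send_tests(scanner_host, sender, recipient, spam_test_line, port=25):
    """Submit the three test messages directly to the Scanner and return
    the subjects sent, in order, so the mailbox check can be scripted."""
    messages = [
        build_normal_message(sender, recipient),
        build_spam_test_message(sender, recipient, spam_test_line),
        build_virus_test_message(sender, recipient),
    ]
    with smtplib.SMTP(scanner_host, port, timeout=30) as smtp:
        for msg in messages:
            smtp.send_message(msg)
    return [m["Subject"] for m in messages]


if __name__ == "__main__":
    # Hypothetical hosts, addresses and test line; replace with your own.
    print(send_tests("scanner.example.com", "tester@example.com",
                     "testuser@example.com", "<spam test line from the guide>"))
```

After the run, fetch the test mailbox and apply delivered_as_spam to each subject: exactly one of the three should be tagged, the normal message should be byte-for-byte what was sent, and the EICAR message should arrive with the cleaning text the policy inserts. Sending straight to the Scanner's IP, as the guide's step 1 does, keeps the MDA out of the path so a failure points at filtering rather than at delivery.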

Chapter 8
Configuring alerts and logs

This chapter includes the following topics:
Configuring alerts
Viewing logs
Configuring logs

Configuring alerts

Alerts are notifications sent automatically by Symantec Mail Security for SMTP to inform system administrators of conditions that potentially require attention. You can choose the types of alerts sent, the From: header shown in alerts, and which administrators receive them. The following alert settings are available:

Table 8-1 Alert settings

Send from: The address that appears in the notification's From: header.

System detected n viruses in the past interval: An alert is sent when the number of virus outbreaks detected over the specified time period exceeds the set limit.

Spam filters are older than: An alert is sent because of the age of your spam filters. Spam filters update periodically, at different intervals for different types of filters. To avoid unnecessary alerts, a minimum setting of two hours is recommended.

Virus filters are older than: An alert is sent because of the age of your virus filters. Virus filter updates typically occur several times a week. To avoid unnecessary alerts, a setting of seven days is recommended.

New virus rules are available: An alert is sent when new virus rules are available for download from Symantec Security Response. New virus rules are updated daily; Rapid Response rules are updated hourly.

A message queue is larger than: An alert is sent when the size of a message queue exceeds the size specified next to the alert description. Message queues include Inbound, Outbound, and Delivery. Queues can grow if the MTA has stopped or if an undeliverable message is blocking a queue.

Available Spam Quarantine disk space is less than: An alert is sent when the disk space available to Spam Quarantine falls below the specified amount.

LDAP synchronization errors: An alert is sent because of LDAP synchronization errors. These errors are caused by problems in directory synchronization. Only messages logged at the error level cause alerts.

LDAP Scanner replication errors: An alert is sent because of replication errors. These errors are caused by problems in the replication of LDAP data from the Control Center to attached and enabled Scanners. Only messages logged at the error level cause alerts.

Antivirus license expired: An alert is sent when your antivirus license has expired. Contact your Symantec sales representative for assistance.

Antispam license expired: An alert is sent when your antispam license has expired. Contact your Symantec sales representative for assistance.

SSL/TLS certificate expiration warning: An alert is sent when a certificate is about to expire. You can check the status of your certificates by going to the Settings > Certificates page and clicking View. The first expiration warning is sent seven days before the expiration date. A second warning is sent one hour later. No more than two warnings per certificate are sent, so track certificate expiry dates separately rather than relying on the alert alone.

A component is not responding or working: An alert is sent because of a nonresponsive component. Components include the Conduit, Filtering Hub, and MTA.

Service start after improper shutdown: An alert is sent because a service restarted after an improper shutdown.

Service shutdown: An alert is sent because a service was shut down normally.

Service start: An alert is sent because a service was started.

Configure alerts

Follow these procedures to configure alerts.

To specify which administrators receive alerts
1 In the Control Center, click Administration.
2 In the Administrators list, click the name of an administrator.
3 Under Administrator, check or uncheck Receive alert notifications.
4 Click Save.
5 Repeat steps 2-4 as needed for other administrators.

To specify the From: header displayed in alert notifications
1 In the Control Center, click Settings > Alerts.
2 Under Notification Sender, enter an address in the Send from field.

To specify alert conditions
1 Under Alert Conditions, check the alert conditions for which alerts are to be sent. Specify duration or size parameters where necessary using the appropriate boxes and drop-down lists.
2 Click Save.

Viewing logs

The View Logs page lets you view various performance logs for Scanners, the Control Center, and Quarantine. The View Logs page includes the following filters:

Table 8-2 View Logs page

Host (drop-down): Select a host from the list. This option is only available for Scanner logs.

Severity (drop-down): Select a severity level from the list. This option is only available for Scanner logs.

Time range (drop-down): Select a time range from the list or create a custom time range. If you have recently changed the time zone on the Control Center, the change is not reflected immediately; you must stop and restart Tomcat or reboot the system.

Component (drop-down): Select a component for which to view logs: Scanner, Control Center, or Quarantine.

Log type (drop-down): Select a log type from the list. Scanner logs record the workings of Scanner components, including the filter hub, conduit, LiveUpdate Client and Scheduler, and MTA. Control Center logs show information on the Control Center, the database, and LDAP. Quarantine Release logs indicate which mail messages were released from the Quarantine and when.

Log actions (drop-down): Select the type of actions to log: system events, message actions, blocking actions, or all.

Display: Search for and display logs that fit your criteria.

Settings: Go to the Log Settings page.

Save Log: Save the current log filter settings.

Clear All Scanner Logs: Clear log records on all Scanner machines.

Entries per page (drop-down): Set the number of resulting log records to display per page.

Display (drop-down): Select a range of log entries to display.

Work with logs

Follow these procedures to perform common logging tasks.

To view a list of logs
1 In the Control Center, click Status > Logs.
2 Under Filter, specify selection criteria for the logs you wish to view, and then click the Display button.

To go to the Log Settings page
Click the Settings button.

To sort logs
Click a column label in the log file list. Logs are sorted in either ascending or descending order.

To open a log
Click a log name.

To save a log
Select a log from the list, and then click the Save Log button.

To purge the log list
Click the Clear All Scanner Logs button. This removes the log records from every Scanner; records already forwarded to a remote syslog server are not affected. Save or forward anything you may need for an investigation before clearing.

Note: Log files are updated every five minutes. If no information is displayed when you click Display, wait a few minutes and then click Display again.

Configuring logs

You can configure log settings for Symantec Mail Security for SMTP components on each Scanner in your system. The severity of errors written to the log files can be chosen for the following components:
Conduit
Filter Engine
LiveUpdate Scheduler
Mail Transfer Agent

The superset of logging options is shown in Table 8-3.

Table 8-3 Log Settings page, Local Log Type

Host: The host machine.

Conduit: Set the logging level for the Conduit. Available values are Errors, Warnings, Notices, Information, and Debug.

Filter Engine: Set the logging level for the Filter Engine.

LiveUpdate Scheduler: Set the logging level for the LiveUpdate Scheduler.

Mail Transfer Agent: Set the logging level for the Mail Transfer Agent.

Apply to All Hosts: Apply these log settings to all hosts in your system.

Maximum log size: If desired, set the maximum size for logs.

Maximum number of days to retain: If desired, set the retention period for logs.

Log Expunger frequency: Set the frequency for flushing logs.

Log Expunger start time: Set the start time for flushing logs.

Enable message logs: Select this option to trace all messages through the mail flow.

Event Viewer/Syslog Settings: Enable remote system logging.

Configure logs

Follow these procedures to configure log settings.

To configure log settings for local hosts
1 In the Control Center, click Settings > Logs.
2 Click the Local tab.
3 Under Logging, choose a Scanner from the Host drop-down list.
4 Use the component drop-down lists to select the logging level for each component.
5 Select Apply to all Hosts to propagate these settings to all Scanners in your system.
6 To limit the size of the log table, under Log Storage Limits check Maximum log size and indicate an upper limit for log size in KB, MB, or GB. When the table exceeds the specified size, the oldest entries are removed. The default is 50 MB.
7 Type a numeric value in Maximum number of days to retain. The default is seven.
8 Under Log Expunger, choose a frequency and a start time at which the Control Center runs the Log Expunger to delete log data. The default is once per day.
9 To trace the path of particular messages through the mail flow, click Enable message logs.

For more information, see Message tracking on page 184.

Warning: Because logging data for each message can impair system performance, use this feature judiciously.

To configure log settings for remote hosts
1 In the Control Center, click Settings > Logs.
2 Click the Remote tab.
3 Click Enable Syslog to enable remote system logging. On Solaris, remote logs are written to syslog. On Windows, they are written to the System Event Viewer.
Note: If you are running the product on Solaris, you must configure syslogd to accept remote syslog messages via UDP.
4 In the Host field, specify the syslog server's IP address.
5 In the Port field, specify the port on which the syslog server receives log data.
6 In the Protocol field, specify the syslog protocol, UDP or TCP.
7 Click Save to save your changes.

Syslog over UDP carries no authentication and no delivery guarantee: anyone who can reach the server's port can inject records with a forged source address, and records are dropped silently when the server or the network is overloaded. Prefer TCP where the syslog server supports it, restrict the receiving port to the Scanners' addresses at the firewall, and keep the local log retention settings on the Local tab so that a local copy exists as well as the forwarded one.
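The following is an added example, not part of the Symantec guide, of the receiving side of the Remote tab configuration above: a small UDP syslog listener that parses each datagram into facility, severity, host and component tag, drops datagrams whose source address is outside the Scanner networks, and surfaces error-level records, which is the same threshold the LDAP alert conditions in Table 8-1 use. It assumes the common BSD syslog layout ("<PRI>timestamp host tag: text"); the sample records, the listening port and the network range are constructed for the example and are not product output.

```python
# Added example (not from the Symantec guide): a minimal receiver and parser
# for the syslog datagrams that the Remote tab forwards. The message layout
# assumed here is the common "<PRI>timestamp host tag: text" form (RFC 3164);
# the sample records below are constructed and are not real product output.
import re
import socket
from ipaddress import ip_address, ip_network

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
HEADER_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+):\s?(.*)$", re.DOTALL)


def parse_syslog(datagram):
    """Decode one datagram into facility, severity, host, tag and text.
    Raises ValueError for anything that is not a well-formed record, so a
    garbage packet never becomes a half-parsed log entry."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    h = HEADER_RE.match(m.group(2))
    if not h:
        raise ValueError("missing timestamp/host/tag header")
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "severity_code": severity,
        "timestamp": h.group(1),
        "host": h.group(2),
        "tag": h.group(3),
        "text": h.group(4).rstrip("\n"),
    }


def is_error_or_worse(record):
    """Same threshold as the alert conditions: error level and above."""
    return record["severity_code"] <= SEVERITIES.index("err")


def source_allowed(source_ip, allowed_networks):
    """UDP source addresses are trivially spoofed, so this is a coarse
    filter against stray traffic, not authentication of the sender."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(n) for n in allowed_networks)


def serve(bind_host, port, allowed_networks, handle, max_datagrams=None):
    """Receive datagrams, drop those from outside the Scanner networks,
    and pass parsed records to handle(). Runs until max_datagrams is hit."""
    seen = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_host, port))
        while max_datagrams is None or seen < max_datagrams:
            data, (src, _) = sock.recvfrom(65535)
            seen += 1
            if not source_allowed(src, allowed_networks):
                continue
            try:
                handle(parse_syslog(data))
            except ValueError:
                continue


# Constructed sample records: PRI 27 = daemon.err, 30 = daemon.info,
# 190 = local7.info. Hosts, tags and texts are invented for the example.
SAMPLE_DATAGRAMS = [
    b"<27>Apr 27 10:15:01 scanner1 mta: delivery queue stalled, 412 messages waiting",
    b"<30>Apr 27 10:15:05 scanner1 conduit: rule update completed",
    b"<190>Apr 27 10:15:09 scanner1 filterhub: message 4f2a tagged [Spam]",
]


def errors_in(datagrams):
    """Tags of the records at error level or worse, in arrival order."""
    return [r["tag"] for r in map(parse_syslog, datagrams) if is_error_or_worse(r)]


if __name__ == "__main__":
    # Listen on the port configured on the Remote tab (port and network are
    # hypothetical) and print only error-level records.
    serve("0.0.0.0", 514, ["10.0.0.0/24"],
          lambda r: print(r) if is_error_or_worse(r) else None)
```

The source-address check is deliberately separate from parsing: it keeps random internet noise out of the log store, but because UDP is unauthenticated it cannot stop a host on the Scanner network (or anyone able to spoof its address) from injecting records, which is why the prose above recommends TCP and a firewall rule in front of the port.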


Chapter 9
Working with reports

This chapter includes the following topics:
About reports
Choosing a report
About charts and tables
Selecting report data to track
Setting the retention period for report data
Running reports
Saving and editing Favorite Reports
Running and deleting favorite reports
Troubleshooting report generation
Printing, saving, and e-mailing reports
Scheduling reports to be e-mailed

About reports

Symantec Mail Security for SMTP reporting capabilities provide you with information about filtering activity at your site, including the following features:
Analyze consolidated filtering performance for all Scanners and investigate spam and virus attacks targeting your organization.
Create pre-defined reports that track useful information, such as which domains are the source of most spam and which recipients are the top targets of spammers.

Export report data for use in any reporting or spreadsheet software for further analysis.
Schedule reports to be e-mailed at specified intervals.

Choosing a report

Tables 9-1 through 9-8 show the names of the pre-set reports that you can generate and their contents. The third column lists the reporting data that you must instruct Symantec Mail Security for SMTP to track before you can generate the specified report. You can choose from a selection of reports, all of which can be customized to include specific date ranges, time period grouping per row, and delivery. For some reports, you can filter based on specific recipients and senders of interest.

Note: If any Scanners are accepting relayed messages from a gateway computer, the SMTP HELO name or IP connection address will be the name or address of the gateway computer, rather than the external Internet address you might expect. Reports that group by HELO name or connecting IP therefore show the gateway on every row; to attribute traffic to the real external sender, you need the Received: header that the gateway added or the gateway's own logs. Affected reports are: all Top Sender HELO Domains reports, all Top Sender IP Connections reports, Top Succeeded Connections SMTP report, Top Failed Connections SMTP report, and Top Rejected Connections SMTP report.

Table 9-1 Available Message reports
Columns: Report type; Displays...; Required Report Data Storage Options (Reports Settings page)

Overview: A summary of total messages and messages that matched for spam, suspected spam, attacks, blocked, allowed, viruses, suspected viruses, worms, unscannable, scan error, malware (spyware/adware), encrypted attachments, malformed MIME, and content (compliance policy). Required data: None.

Average Message Size: The average size of messages in KB. Required data: None.

Total Message Size: Total size in KB of all messages in the report, and total size of each grouping. Required data: None.

Number of Messages: Number of all messages in the report, and number for each grouping. Required data: None.

Number of Recipients: Number of recipients in the report, and number of recipients in each grouping. Every recipient in a message (To:, Cc:, and Bcc:) counts as one. Required data: None.

Top Sender Domains: Domains from which the most messages have been processed. For each domain, the total processed and number of virus and spam messages are listed. Specify the maximum number of domains to list for the specified time range. Required data: Sender domains.

Top Senders: E-mail addresses from which the most messages have been processed. For each address, the total processed and number of virus and spam messages are listed. Specify the maximum number of addresses to list for the specified time range. Required data: Senders, Sender domains.

Specific Senders: Number of messages processed for a sender address that you specify. For each grouping, the total processed and number of virus and spam messages are listed. Required data: Senders, Sender domains.

Top Sender HELO Domains: SMTP HELO domain names from which the most messages have been processed. For each HELO domain, the total processed and number of virus and spam messages are listed. Specify the maximum number of HELO domains to list for the specified time range. Required data: Sender HELO domains.

Top Sender IP Connections: IP addresses from which the most messages have been processed. For each IP address, the total processed and number of virus and spam messages are listed. Specify the maximum number of IP addresses to list for the specified time range. Required data: Sender IP connections.

Top Recipient Domains: Recipient domains for which the most messages have been processed. For each recipient domain, the total processed and number of virus and spam messages are listed. Specify the maximum number of recipient domains to list for the specified time range. Required data: Recipient domains.

Top Recipients: E-mail addresses for which the most messages have been processed. For each address, the total processed and number of virus and spam messages are listed. Specify the maximum number of addresses to list for the specified time range. Required data: Recipients, Recipient domains.

Specific Recipients: Number of messages processed for a recipient address that you specify. For each grouping, the total processed and number of virus and spam messages are listed. Required data: Recipients, Recipient domains.
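The note under Choosing a report says that behind a relaying gateway the HELO and IP connection reports show the gateway rather than the external sender. The following is an added example, not a feature of the product or of the Symantec guide, showing how to recover the external hop from a message's Received: headers: walk them newest-first, skip every hop whose connecting address is inside your own networks, and stop at the first one that is not, because the headers beneath that point were written by the sender's side and may be forged. The message, host names and network ranges are constructed for the example.

```python
# Added example (not from the Symantec guide): when a gateway relays mail to
# the Scanners, the HELO/IP reports show the gateway. This walks the
# Received: headers from the top (newest hop first), skips hops inside our own
# networks, and returns the first external hop the gateway saw. The message
# and the network ranges below are constructed for the example.
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# "from <helo> (<reverse-name> [<ip>])" as written by most MTAs.
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """Return (helo_name, connecting_ip) from one Received: header, or None
    when the header has no 'from' clause (for example a local submission).
    Folded header lines are joined before matching."""
    m = FROM_RE.search(" ".join(header.split()))
    if not m:
        return None
    ip = IP_RE.search(m.group(2))
    return (m.group(1), ip.group(1) if ip else None)


def external_hop(raw_message, trusted_networks):
    """HELO name and IP of the host that first reached one of our systems.
    Walks Received: headers newest-first and stops at the first hop whose
    connecting IP is outside trusted_networks. Headers beneath that hop
    were written outside our control and are deliberately not consulted."""
    nets = [ip_network(n) for n in trusted_networks]
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        parsed = parse_received(header)
        if parsed is None or parsed[1] is None:
            continue  # no usable IP; keep walking within our own hosts
        helo, ip = parsed
        if any(ip_address(ip) in n for n in nets):
            continue  # one of our gateways or relays; look one hop further back
        return helo, ip
    return None  # every hop was internal: the message originated inside


def report_key(raw_message, trusted_networks):
    """The (HELO domain, IP) pair a Top Sender HELO Domains or Top Sender IP
    Connections report would need in order to show the real external sender."""
    hop = external_hop(raw_message, trusted_networks)
    return hop if hop else ("<internal>", None)


# Constructed message: scanner1 received it from the internal gateway, which
# received it from an external host; the bottom Received: header was added by
# the external host itself and must not be trusted.
SAMPLE_MESSAGE = """\
Received: from gateway.example.com (gateway.example.com [10.0.0.5])
 by scanner1.example.com with ESMTP; Thu, 27 Apr 2006 10:15:01 -0700
Received: from mail.lpqtech.example (mail.lpqtech.example [203.0.113.7])
 by gateway.example.com with ESMTP; Thu, 27 Apr 2006 10:15:00 -0700
Received: from trusted-bank.example (localhost [127.0.0.1])
 by mail.lpqtech.example; Thu, 27 Apr 2006 10:14:58 -0700
From: sales@lpqtech.example
To: user@example.com
Subject: Inkjet refills

Body.
"""

# Hypothetical internal ranges: the gateway's network plus loopback.
TRUSTED = ["10.0.0.0/8", "127.0.0.0/8"]


if __name__ == "__main__":
    print(report_key(SAMPLE_MESSAGE, TRUSTED))  # ('mail.lpqtech.example', '203.0.113.7')
```

The trusted-network list is the whole of the trick: include every relay that your organisation operates (the gateway in the note, any internal MTAs) and nothing else. If an external range is mistakenly listed as trusted, the walk continues into headers the sender wrote, and the "external" hop it returns can be whatever the sender chose to put there.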

Table 9-2 Available Virus reports
Columns: Report type; Displays...; Required Report Data Storage Options (Reports Settings page)

Overview: A summary of total messages that matched for each virus type. For each grouping, the virus to total processed percentage, total processed, and number of virus, suspected virus, worm, unscannable, scan error, malware (spyware/adware), encrypted attachment, and malformed MIME messages are listed. Required data: None.

Top Sender Domains: Domains from which the most virus messages have been detected. For each domain, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Specify the maximum number of domains to list for the specified time range. Required data: Sender domains.

Top Senders: E-mail addresses from which the most virus messages have been detected. For each address, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Specify the maximum number of addresses to list for the specified time range. Required data: Senders, Sender domains.

Specific Senders: Number of virus messages detected from a sender address that you specify. For each grouping, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Required data: Senders, Sender domains.

Top Sender HELO Domains: SMTP HELO domain names from which the most virus messages have been detected. For each HELO domain, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Specify the maximum number of HELO domains to list for the specified time range. Required data: Sender HELO domains.

Top Sender IP Connections: IP addresses from which the most virus messages have been detected. For each IP address, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Specify the maximum number of IP addresses to list for the specified time range. Required data: Sender IP connections.

Top Recipient Domains: Recipient domains for which the most virus messages have been detected. For each recipient domain, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Specify the maximum number of recipient domains to list for the specified time range. Required data: Recipient domains.

Table 9-2 Available Virus reports (Continued)

Top Recipients: Email addresses for which the most virus messages have been detected. For each address, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Specify the maximum number of addresses to list for the specified time range. Required report data: Recipients, Recipient domains.

Specific Recipients: Number of virus messages detected for a recipient address that you specify. For each grouping, the virus to total processed percentage, total processed, and number of virus, worm, and unscannable messages are listed. Required report data: Recipients, Recipient domains.

Top Viruses and Worms: Names of the most common viruses detected. For each grouping, the virus to total processed percentage, virus to total virus and worm percentage, and last occurrence of the virus are listed. Required report data: None.

Table 9-3 Available Spam reports
(Each entry gives the report type, what it displays, and the required Report Data storage options on the Reports Settings page.)

Overview: A summary of total detected spam messages (spam, blocked, allowed, and suspected spam messages). Required report data: None.

Top Sender Domains: Domains from which the most spam messages have been detected. For each domain, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Specify the maximum number of senders to list for the specified time range. Required report data: Sender domains.

Top Senders: Email addresses from which the most spam messages have been detected. For each address, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Specify the maximum number of addresses to list for the specified time range. Required report data: Senders, Sender domains.

Specific Senders: Number of spam messages detected from a sender address that you specify. For each grouping, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Required report data: Senders, Sender domains.

Table 9-3 Available Spam reports (Continued)

Top Sender HELO Domains: SMTP HELO domain names from which the most spam messages have been detected. For each HELO domain, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Specify the maximum number of HELO domains to list for the specified time range. Required report data: Sender HELO domains.

Top Sender IP Connections: IP addresses from which the most spam messages have been detected. For each IP address, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Specify the maximum number of IP addresses to list for the specified time range. Required report data: Sender IP connections.

Top Recipient Domains: Recipient domains for which the most spam messages have been detected. For each recipient domain, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Specify the maximum number of recipient domains to list for the specified time range. Required report data: Recipient domains.

Top Recipients: Email addresses for which the most spam messages have been detected. For each address, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Specify the maximum number of addresses to list for the specified time range. Required report data: Recipients, Recipient domains.

Specific Recipients: Number of spam messages detected for a recipient address that you specify. For each grouping, the spam to total processed percentage, total processed, and number of spam, suspected spam, blocked, and allowed messages are listed. Required report data: Recipients, Recipient domains.

Table 9-4 Available Content Compliance reports
(Each entry gives the report type, what it displays, and the required Report Data storage options on the Reports Settings page.)

Overview: Total messages processed and number and percentage of content compliance policies triggered. Required report data: None.

Table 9-4 Available Content Compliance reports (Continued)

Top Sender Domains: Domains from which the most compliance matches have been detected. For each domain, the total messages processed and number and percentage of content compliance policies triggered are listed. Required report data: Sender domains.

Top Senders: Email addresses from which the most compliance matches have been detected. For each address, the total messages processed and number and percentage of content compliance policies triggered are listed. Required report data: Senders, Sender domains.

Specific Senders: Number of compliance policies triggered from a sender address that you specify. For each grouping, the total messages processed and number and percentage of content compliance policies triggered are listed. Required report data: Senders, Sender domains.

Top Sender HELO Domains: SMTP HELO domain names from which the most compliance matches have been detected. For each HELO domain, the total messages processed and number and percentage of content compliance policies triggered are listed. Specify the maximum number of HELO domains to list for the specified time range. Required report data: Sender HELO domains.

Top Sender IP Connections: IP addresses from which the most compliance matches have been detected. For each IP address, the total messages processed and number and percentage of content compliance policies triggered are listed. Specify the maximum number of IP addresses to list for the specified time range. Required report data: Sender IP connections.

Top Recipient Domains: Recipient domains for which the most compliance matches have been detected. For each recipient domain, the total messages processed and number and percentage of content compliance policies triggered are listed. Specify the maximum number of recipient domains to list for the specified time range. Required report data: Recipient domains.

Top Recipients: Email addresses for which the most compliance matches have been detected. For each address, the total messages processed and number and percentage of content compliance policies triggered are listed. Specify the maximum number of addresses to list for the specified time range. Required report data: Recipients, Recipient domains.

Specific Recipients: Number of compliance policies triggered for a recipient address that you specify. For each grouping, the total messages processed and number and percentage of content compliance policies triggered are listed. Required report data: Recipients, Recipient domains.

Top Policies: Names of the most common compliance matches, number of policies triggered, and percentage of policies triggered versus total processed messages. Required report data: None.

Table 9-5 Available Attack reports
(Each entry gives the report type, what it displays, and the required Report Data storage options on the Reports Settings page.)

Overview: Total messages processed and number and percentage of directory harvest, spam, and virus attacks versus messages processed. Required report data: None.

Top Directory Harvest Attacks: IP addresses from which the most directory harvest attacks have been detected. For each IP address, the total messages processed and number and percentage of directory harvest attacks versus messages processed are listed. Required report data: Sender IP connections.

Top Virus Attacks: IP addresses from which the most virus attacks have been detected. For each IP address, the total messages processed and number and percentage of virus attacks versus messages processed are listed. Required report data: Sender IP connections.

Top Spam Attacks: IP addresses from which the most spam attacks have been detected. For each IP address, the total messages processed and number and percentage of spam attacks versus messages processed are listed. Required report data: Sender IP connections.

Table 9-6 Available Sender Authentication reports
(Each entry gives the report type, what it displays, and the required Report Data storage options on the Reports Settings page.)

Overview: Total messages processed and number and percentage of sender authentication sessions that were attempted, not attempted, successful, and failed versus messages processed. Required report data: None.

Top Attempted Senders: Email addresses from which the most sender authentication attempts have been detected. For each address, the total messages processed and number and percentage of sender authentication attempts versus messages processed are listed. Required report data: Senders.

Top Not Attempted Senders: Email addresses from which the fewest sender authentication attempts have been detected. For each address, the total messages processed and number and percentage of not attempted sender authentication sessions versus messages processed are listed. Required report data: Senders.

Table 9-6 Available Sender Authentication reports (Continued)

Top Succeeded Senders: Email addresses from which the most successful sender authentication attempts have been detected. For each address, the total messages processed and number and percentage of successful sender authentication attempts versus authentication attempts are listed. Required report data: Senders.

Top Failed Senders: Email addresses from which the most failed sender authentication attempts have been detected. For each address, the total messages processed and number and percentage of failed sender authentication attempts versus authentication attempts are listed. Required report data: Senders.

Table 9-7 Available SMTP connection reports
(Each entry gives the report type, what it displays, and the required Report Data storage options on the Reports Settings page.)

Overview: Number and percentage of SMTP connections attempted, successful, failed, rejected, and deferred. Required report data: None.

Top Succeeded Connections: IP addresses from which the most successful SMTP connections were detected. Required report data: Sender IP connections.

Top Failed Connections: IP addresses from which the most failed SMTP connections were detected. Required report data: Sender IP connections.

Top Rejected Connections: IP addresses from which the most rejected SMTP connections were detected. Required report data: Sender IP connections.

Table 9-8 Available Spam Quarantine reports
(Each entry gives the report type, what it displays, and the required Report Data storage options on the Reports Settings page.)

Overview: Total number of quarantined messages and quarantine releases. Required report data: None.

About charts and tables

When running a report, creating a favorite report, or scheduling a report, you can choose to display the report data in a chart, table, or both.

Table 9-9 Report charts and tables (Format: Description)

Chart, overview: Line graph of each category of report data. This chart does not contain the summary information (sums and averages for the entire time period) listed in the overview table.

Chart, all others (non-overview): Bar graph(s) for each item in the report type chosen. A maximum of 20 items can be displayed in a bar graph.

Table: Numeric representation of the report data. A table report can list more than 20 items.

Selecting report data to track

By default, Symantec Mail Security for SMTP tracks data for several basic reports. Before you can generate other reports, you must configure Symantec Mail Security for SMTP to track and store data appropriate for the report. For example, to generate recipient-based reports, such as Spam/Virus: Specific Recipients, you must configure Symantec Mail Security for SMTP to store recipient information. See tables 9-1 through 9-8 for a list of reports and the data you must store for each type of report.

Note: Because the data storage requirements for some reports can be high, refer to Setting the retention period for report data on page 173 to learn how to keep the report data manageable. In particular, the sender statistics usually consume a large amount of disk space.

To enable data tracking for reports
1 In the Control Center, click Settings > Reports.
2 Under Report Data, select the report data you want to track.
3 Click Save. Symantec Mail Security for SMTP will begin to store the specified report data.

Setting the retention period for report data

You can specify the number of days or weeks that Symantec Mail Security for SMTP should keep track of report data. Depending on your organization's size and message volume, the disk storage requirements for reports data could be quite large. You should monitor the storage required for reporting over time and adjust the retention period accordingly.

To specify the retention period for report data
1 In the Control Center, click Settings > Reports.
2 Under Report Expunger Settings, use the Time to store report data before deleting drop-down lists to choose how long Symantec Mail Security for SMTP will keep your reporting data.
3 Optionally, you can click Clear All to remove all report data stored to date.
4 Click Save.

Running reports

Provided that report data exists to generate a given report type, you can run an ad hoc report to get a summary of filtering activity. The results will display in the browser window.

To run a report
1 Ensure that you have configured Symantec Mail Security for SMTP to track the appropriate data for the report. See Selecting report data to track on page 172.
2 In the Control Center, click Reports > View Reports.
3 Click a report in the Report drop-down list. See tables 9-1 through 9-8 for a description of each report.
4 For reports that filter on specific recipients, such as Spam: Specific Recipients or Virus: Specific Recipients, type an email address in the Recipient name or Sender name box, such as [email protected].
5 In the Direction drop-down list, select the message directions to include in the report.
6 In the Time range drop-down list, do one of the following:
To specify a preset range, click Past Hour, Past Day, Past Week, or Past Month.

To specify a different time period, click Customize, and then click in the Start Date and End Date fields and use the popup calendar to graphically select a time range. You must have JavaScript enabled in your browser to use the calendar.
7 In the Group By drop-down list, select Hour, Day, Week, or Month.
8 Check Chart, Table, or both. See About charts and tables on page 172.
9 For reports that rank results, such as Spam: Top Senders, specify the maximum number of entries you want to display for each time range specified in the Group by drop-down list.
10 For some reports, you can choose columns to include or exclude. Click Column Selection to display or hide the column names, then check the columns you want to include.
11 Click Run Report. If there is data available, the report you selected appears in the browser window. Depending on how much data is available for the report you selected, this may take up to several minutes.

Saving and editing Favorite Reports

You can save a report for quick access later, and also edit saved reports.

Save and edit Favorite Reports
Follow these steps to save or edit Favorite Reports.

To save a Favorite Report
1 Follow steps 1 through 9 in Running reports on page 173.
2 Click Add to Favorites. The fields under Report Filter show your choices from the previous page.
3 In the Name box, type a name for the saved report.
4 Click Save.
You can also save Favorite Reports by clicking the Add button on the Reports > Favorite Reports page.

To edit a Favorite Report
1 In the Control Center, click Reports > Favorite Reports.
2 Click the desired report in the Favorite Reports drop-down list.

3 Click Edit.
4 Change the values in the report as desired.
5 Click Save.

Running and deleting favorite reports

You can run or delete Favorite Reports using the buttons on the Favorite Reports page.

To run or delete a Favorite Report
1 In the Control Center, click Reports > Favorite Reports.
2 Click the desired report in the Favorite Reports drop-down list.
3 Click Run Report to run the report, or Delete to delete the report.

Troubleshooting report generation

Check the following information if you're having trouble with reports.

No data available for the report type specified
Instead of displaying the expected reports, Symantec Mail Security for SMTP might display the following message: "No data is available for the report type and time range specified." If you receive this message, verify the following:
Data exists for the filter you specified. For example, for a Specific Recipients report, perhaps you specified a recipient address that received no mail during the specified period.
Symantec Mail Security for SMTP is configured to keep data for that report type. See Selecting report data to track on page 172 for more information.
Keep in mind that occasionally you will be able to produce reports even if you are not currently tracking data. This happens if you collected data in the past and then turned off data tracking. The collected data remains available for report generation until it is old enough to be automatically purged. After that period, report generation will fail. The Keep for x days setting on the Report Settings page controls this retention period.

Sender HELO domain or IP connection shows gateway information
If any Scanners are accepting relayed messages from a gateway computer, the SMTP HELO name or IP connection address will be the name or connection of the gateway computer, rather than the external Internet address.

Reports presented in local time of Control Center
Symantec Mail Security for SMTP stores statistics in the stats directory on the individual hosts that run Scanners. The date and hour for each set of these statistics are recorded in Greenwich Mean Time (GMT). A single Control Center that is connected to all the Scanners generates reports that represent all the connected hosts. The combined numbers from all Scanners in the reports are presented in the local time zone of the Control Center. Although the reports themselves do not list times (they only list a date), you should be aware of the implications of the GMT/local time conversion. The boundaries for splitting the reporting data into groups of days, weeks, or months are set from the perspective of the Control Center.
For example, during the summertime, California is 7 hours behind GMT. Assume that a Scanner receives and marks a message as spam at 5:30pm local time on April 23, Friday (12:30am, April 24, Saturday GMT). When generating the report, Symantec Mail Security for SMTP determines what day the message belongs to based on where the report is being generated. If the Control Center is in Greenwich, the resulting report will count it in GMT (the local time zone), so it will increase the spam count for April 24. If the Control Center is in San Francisco, California, the report will count it in Pacific Daylight Time (the local time zone), and will accordingly increase the spam count for April 23.
See the following URL to translate GMT into your local time:

By default, data are saved for one week
By default, statistics are retained for seven days. If Symantec Mail Security for SMTP already has seven days of data, the oldest hour of statistics will be deleted as each new hour of statistics is stored. To keep the data longer, see Setting the retention period for report data on page 173.

Processed message count recorded per message, not per recipient
For reports that list the number of processed messages, the number of processed messages is counted per message, not per recipient. For example, if a single message lists 12 recipients, that message will be delivered to all 12. The processed count increases by 1, not 12. If a policy for any of the recipients determines that this message is spam, it will also increase the spam count by 1 for that day. The spam count will be 1 no matter how many of the recipients have policies that determine the message is spam. If you run a Spam: Specific Recipients report in this situation and list one of the 12 recipients, the processed count will include this message, and, if the message matches for spam, the spam count will include the message, too.

Recipient count equals message count
For reports that list the number of recipients, each received message counts as one message, even if the same recipient receives more than one message. For example, if 10 messages are sent to the same recipient, the number of recipients will be 10, not 1. If 10 messages are sent to the same recipient and another recipient is listed on the Cc line, the number of recipients will be 20, not 2.

Deferred or rejected messages are not counted as received
For reports that list the number of recipients, if a spam or virus message is deferred or rejected, it is not counted as received. If 100 messages are deferred or rejected, the recipient count for those messages is 0.

Reports limited to 1,000 rows
The maximum size for any report, including a scheduled report, is 1,000 rows.

Printing, saving, and emailing reports

After running a report, you can choose to print, save, or email a report.

Printing: Print a report from your local computer using the operating system print dialog box.

Saving: Save a report to your local computer using the operating system save dialog box. Choose one of the following file types:
Save as HTML: The type of file saved depends on the format of the report chosen. Table: the saved file is HTML. Chart: the saved file is in .png graphics format. Table and chart: the saved file is a .zip containing an HTML and a .png file.
Save as CSV: The report is saved as a comma separated values file, no matter which of the Table and Chart boxes are checked.

Emailing: Type an email address to which to send the report. Scheduled reports are also emailed; see Scheduling reports to be emailed on page 178.
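The report-day boundary and counting rules described under Troubleshooting report generation (days split in the Control Center's time zone; processed and spam counts per message, recipient counts per message-recipient pair, deferred and rejected messages not counted) can be checked against a small model. The following Python is an added illustration written for this guide, not Symantec's code; the message set, the year 2004 (when April 23 fell on a Friday) and the fixed 7-hour PDT offset are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Statistics are recorded per hour in GMT on each Scanner; the Control Center
# splits them into report days in its own local zone. Per the guide, California
# in summer is 7 hours behind GMT, so a fixed PDT offset is enough here.
GMT = timezone.utc
PDT = timezone(timedelta(hours=-7), "PDT")

# The guide's example message: 5:30pm PDT Friday April 23 == 12:30am GMT April 24.
SPAM_RECEIVED_GMT = datetime(2004, 4, 24, 0, 30, tzinfo=GMT)


class Message:
    """Constructed model of one message as a Scanner would record it."""

    def __init__(self, received_gmt, recipients, spam_for=(), status="accepted"):
        self.received_gmt = received_gmt      # receipt time, recorded in GMT
        self.recipients = list(recipients)    # every recipient on To/Cc
        self.spam_for = set(spam_for)         # recipients whose policy called it spam
        self.status = status                  # "accepted", "deferred" or "rejected"


def report_day(received_gmt, cc_zone):
    """Day bucket (ISO date string) as seen from the Control Center's time zone."""
    return received_gmt.astimezone(cc_zone).date().isoformat()


def daily_totals(messages, cc_zone, recipient=None):
    """Per-day counts under the guide's rules. recipient=None gives a plain report;
    passing an address gives the Spam: Specific Recipients view."""
    totals = defaultdict(lambda: {"processed": 0, "spam": 0, "recipients": 0})
    for m in messages:
        if m.status != "accepted":
            continue  # deferred/rejected messages are not counted as received
        if recipient is not None and recipient not in m.recipients:
            continue  # Specific Recipients: only messages addressed to that recipient
        day = totals[report_day(m.received_gmt, cc_zone)]
        day["processed"] += 1                   # once per message, not per recipient
        day["recipients"] += len(m.recipients)  # one per (message, recipient) pair
        if m.spam_for:
            day["spam"] += 1                    # 1, however many recipients' policies matched
    return dict(totals)


def sample_messages():
    """Constructed sample reproducing the scenarios in the guide."""
    twelve = [f"user{i:02d}@example.com" for i in range(12)]
    return [
        # One message to 12 recipients, judged spam for 3 of them.
        Message(SPAM_RECEIVED_GMT, twelve, spam_for=twelve[:3]),
        # Ten messages to the same recipient with a second on Cc: 20 recipients, not 2.
        *[Message(datetime(2004, 4, 23, 13, 0, tzinfo=GMT),
                  ["alice@example.com", "bob@example.com"]) for _ in range(10)],
        # Deferred and rejected messages contribute nothing, whatever their recipient count.
        Message(datetime(2004, 4, 23, 9, 0, tzinfo=GMT),
                [f"x{i}@example.com" for i in range(100)], status="rejected"),
        Message(datetime(2004, 4, 23, 9, 0, tzinfo=GMT),
                ["carol@example.com", "dave@example.com"], status="deferred"),
    ]


if __name__ == "__main__":
    msgs = sample_messages()
    for label, zone in (("Control Center in San Francisco", PDT),
                        ("Control Center in Greenwich", GMT)):
        print(label)
        for day, counts in sorted(daily_totals(msgs, zone).items()):
            print(f"  {day}: {counts}")
    print("Spam: Specific Recipients (user05@example.com), San Francisco:",
          daily_totals(msgs, PDT, recipient="user05@example.com"))
```

The same 12-recipient spam message lands on April 23 for a San Francisco Control Center and on April 24 for one in Greenwich, while adding 1 to processed and spam and 12 to recipients in both cases.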

Print, save, or email reports
Follow these steps to print, save, or email reports.

To print a report
1 After creating and running a report as described in Running reports on page 173, click Print.
2 Click Print again to print the report.
3 Choose the appropriate options on the print dialog box to print the browser window.
4 Click Close to close the current browser window.

To save a report
1 After creating and running a report as described in Running reports on page 173, click the desired save button.
2 Choose the appropriate options on the save dialog box.

To email reports
1 After creating and running a report as described in Running reports on page 173, type an email address, such as [email protected], in the box next to Email.
2 Click Email.

Scheduling reports to be emailed

You can schedule some reports to run automatically at specified intervals. You can specify that scheduled reports be emailed to one or more recipients.

Note: You can't select a saved favorite report to be scheduled. However, you can duplicate the settings from a saved favorite report.

Schedule, Edit, or Delete Reports
Follow these steps to schedule, edit, or delete reports.

To schedule a report
1 Ensure that you have configured Symantec Mail Security for SMTP to track the appropriate data for the report. See Selecting report data to track on page 172.

2 In the Control Center, click Reports > Scheduled Reports.
3 Click Add.
4 In the Report Name box, type a name for the report.
5 Using the procedure under Running reports on page 173 as a guide, select the desired report and report settings.
6 Under Report Schedule, set the time of day to generate the report using the Generate report at drop-down lists.
7 Under Report Schedule, specify the time intervals at which you want to generate the report. If you specify 29, 30, or 31 in the Day of every month box, and a month doesn't have one of those days, the report won't be sent. Choose the Last day of every month option to avoid this problem.
8 Under Report Format, click one of the following to specify the format:
HTML formats the report in HTML. Check Chart, Table, or both. See About charts and tables on page 172.
CSV formats the report in comma-separated-values format.
Note: To view a CSV file containing double-byte characters in Microsoft Excel, specify a comma delimited, UTF-8 file in the MS Excel Text Import Wizard.
9 Under Report Addresses, type an email address, such as [email protected], in the Send from the following address box.
10 Under Report Addresses, type at least one email address in the Send to the following addresses box. You can use spaces, commas, or semicolons as separators between addresses.
11 Click Save.
A report can also be scheduled by clicking the Schedule button on the View Reports page.

To edit a scheduled report
1 In the Control Center, click Reports > Scheduled Reports.
2 Check the box next to the scheduled report that you want to edit, and then click Edit. You can also click the underlined report name to jump directly to the edit page for the report.
3 Make any changes to the settings.

4 Click Save.

To delete a scheduled report
1 In the Control Center, click Reports > Scheduled Reports.
2 Check the box next to the scheduled report that you want to delete, and then click Delete.
3 Click Save.

Chapter 10 Administering the system

This chapter includes the following topics:
Getting status information
Managing Scanners
Administering the system through the Control Center
Administering the Control Center
Starting and stopping UNIX and Windows services
Periodic system maintenance

Getting status information

Symantec Mail Security for SMTP provides a comprehensive means of checking and displaying system, host, and message status. Status information is combined with options for changing what is displayed as well as with actions you can take based on the information shown. LDAP synchronization and Scanner replication management facilities are also available within the status area.

Status and management control facilities are available to inform you about the following system activities:
Overview of system information
Message status
Host status
LDAP synchronization
Log details
Scanner replication
Version information

Overview of system information

An overview of system status is provided to give you a snapshot of system activity, including spam processed, virus filter updates, Quarantine utilization, and similar general information.

To examine overview status for Symantec Mail Security for SMTP
In the Control Center, click Status > Overview.
Use the Reset button to refresh status information for the Totals-Since table to reflect the current day.

Note: Upon initial startup, even if messages go through the Filtering Engine, the Last 24 Hours and Last 30 Days graphs display no data, even though the Last 60 Minutes and Totals Since tables show data. The Last 24 Hours graph displays data for the past 24 hours, not including the current hour. The Last 30 Days graph displays data for the past 30 days, not including today. At the next hour, data from :00 to :59 minutes will be displayed in the Last 24 Hours graph. At midnight, data from the last day will be displayed in the Last 30 Days graph.

Message status

The following sections provide information about messages that have been processed and assigned a verdict by Symantec Mail Security for SMTP:
Message details
Message queues
Message tracking

Symantec Mail Security for SMTP provides complete information about individual messages and their verdicts, message queues, and a means of tracking down a specific message, its verdict, and current location.

Message details
Totals data is provided per time period for the following categories of messages:
Inbound
Outbound
Rejected SMTP Connections
Virus
Mass-Mailing Worm
Spam

Suspected Spam
Content Compliance

Columns list the numbers of messages for each of the following time periods:
Past Hour
Past Day
Past Week
Past Month
Uptime: the period since the software was last started
Lifetime: the period since the software was installed

To view totals information
In the Control Center, click Status > Message Details.

Message queues
You can view messages from the message queues on a specified host. The following message queues are available for selection:
Inbound
Outbound
Delivery

Work with a message queue
The following steps describe how to perform some common tasks on the Message Queues page.

To view message queue information
In the Control Center, click Status > Message Queues.

To tailor information on a message queue
1 On the Message Queues page, select a host and queue.
2 Type search values for the fields provided.
3 Click Display Filtered.
Additional display options are also configurable, such as setting display options and modifying queue contents.

Message tracking

Symantec Mail Security for SMTP provides a message tracking component that allows you to search for messages and find out what has happened to them. When enabled, message tracking provides administrators of Symantec Mail Security for SMTP with a trail of detailed information about every message that has been accepted and processed by the software. Auditing information is used to track what decisions were made within a single Scanner framework. Message tracking and its associated logs are not intended to replace debug or information level logging. Message tracking differs from standard Scanner logging in that the logged information is specifically associated with a message.

To use message tracking, employ the information and procedures described in the following sections.

Enable message tracking
By default, message tracking is disabled. You must enable this feature before any tracking information is available for viewing or searching. Be aware that logs for message tracking can become large, and searching the logs can create high demand for Scanner processing time.

To enable message tracking
1 In the Control Center, click Settings > Logs.
2 Select the host on which to enable message tracking.
3 Under Message Tracking Logs, check Enable message logs.
4 Click Save.

Searching for a message
A query facility is provided to search the message tracking log to determine whether one or more messages meet the criteria for the message you want to find. The Message Tracking Logs page enables you to specify either one or two criteria and related supplementary information as follows:
Host: One or more Scanners running Symantec Mail Security for SMTP. In order to find all details about a message, search on all attached Scanners.
Time range: Period of time for the search to query the audit log. While it is possible to search for longer periods, it is recommended that message searches not exceed one week.
Mandatory filter: Required search criteria that can be any one of the following:
Sender: Name of the message sender

Recipient: Name of the message recipient
Subject: Message subject
Audit ID: Unique identifier generated by Symantec Mail Security for SMTP and included as a message header
Optional filter: Search criteria that can be entered as an option and can be any one of the following:
Sender: Name of the message sender
Recipient: Name of the message recipient
Subject: Message subject
Message ID: Unique identifier typically generated by the software initiating the sending of the message and included as a message header. Because the Message ID is not generated by Symantec Mail Security for SMTP, the uniqueness of the ID cannot be guaranteed. At times, distributors of spam have used this header to mask the identity of a message originator.
Disposition: Verdict and/or other characteristics of a message, such as Message has malformed mime. A drop-down list of disposition choices is provided.
Action taken: What happened to the message. A drop-down list of actions is provided.
Connection IP: Connection IP used to receive the message
Target IP: IP address of the message destination
Group policy: Name of the group policy applied to the message
Filter policy: Name of the filter policy applied to the message
Virus: Name of a virus attached to the message
Attachment: Name of a file attached to the message
Source: Whether the message is internal or external

With the filtering criteria selected, you are ready to search through the message tracking logs for as many messages as match or partially match the chosen criteria. While searching, the following rules are used:
No more than 250 messages are allowed per search on each Scanner being searched.
Freeform text fields are case insensitive substring searches.

Next, examine the results returned from the search. By clicking a specific message, you can view the filters that placed this message into the queue. Also, you can view other details about the specific message by selecting it.

View or search the message audit log

Follow these procedures to view or search the message audit log.

To view message tracking information
  In the Control Center, click Status > Message Tracking.

To search information in the message audit log
  1. In the Control Center, click Status > Message Tracking.
  2. On the Message Tracking Logs page, select the Scanners whose logs you wish to search from the Hosts dropdown.
  3. Complete the desired search criteria. These criteria are fully described in Searching for a message on page .
  4. Click Display Filtered.

Host status

The following sections provide status information on your hosts.

Host details

You can view details about the status of components on selected hosts. The following information categories can be available for the selected host:
  Control Center
  Scanner

Work with the Host Details page

The following steps describe some common tasks on the Host Details page.

To view details about available hosts
  In the Control Center, click Status > Host Details.

To view additional component information
  Click the plus sign, when available, next to any component to view additional information.

To make changes to host configuration
  Select a host and click Configure Scanner.

To enable or disable the Conduit, LiveUpdate, Filter Engine or MTA
  Select a host and click the Status link, which reports either Running or Stopped depending on the status of the selected service. This takes you to the Services page in Editing Scanners. For more information about this page, see Working with the Services page on page 20. From the Services page, either stop or start the desired service.

LDAP synchronization

You can synchronize user, alias, group and distribution list data from LDAP directories with the Control Center, and view synchronization details. When an LDAP server is first attached to the Control Center, a full synchronization is performed automatically. Synchronization is then performed according to the defined schedule. The default schedule is once per day.

Work with the LDAP Synchronization page

The following steps describe how to perform some common tasks on the LDAP Synchronization page.

To view information about LDAP synchronization
  In the Control Center, click Status > LDAP Synchronization.

To synchronize fewer than 1,000 directory entries before the next update
  On the LDAP Synchronization page, check the box next to the source to synchronize and click Synchronize Changes.

  Note: The Synchronize Changes option is not available to Domino users. Use Full Synchronization instead.

To synchronize more than 1,000 directory entries before the next update
  On the LDAP Synchronization page, check the box next to the source to synchronize and click Full Synchronization. When a full synchronization is performed, all LDAP source records are erased from the Control Center and synchronized to new LDAP source records. Synchronization takes some time to be initiated and performed, depending on the number of records being synchronized. As a benchmark, a user population of 25,000 users and 5,000 distribution lists (with nesting levels ranging from 1-10) can take as much as 7.5 hours on a Dell 1850 running Linux.

Log details

You can examine performance logs for Scanners and the Control Center. Log data is based on time range, log type, and error severity. See Viewing logs on page 157.

Scanner replication

Status information is available to show you your most recent replication activity. The replication process moves updated information from the Control Center to each attached and enabled Scanner host.

Work with the Scanner replication status page

The following steps describe how to perform some common tasks on the Scanner Replication page.

To view the status of replication for a host
  In the Control Center, click Status > Scanner Replication.

To perform an immediate (unscheduled) replication
  From the Scanner Replication page, click Replicate Now.

Version Information

You can check the versions of your installed software by going to: where port is the port that Tomcat uses. You can view the installed versions of the following software when logged on to the Control Center:
  Control Center
  Spam Quarantine
  Virus Quarantine
  Java
  MySQL

Managing Scanners

You can edit, enable and disable, or delete Scanners.

Editing Scanners

Once you set up a Scanner, you can go back and edit the configuration. For example, you can suspend the flow of mail or enable different components and services.

Edit a Scanner

Follow either of these procedures to edit a Scanner.

To edit a Scanner
  1. In the Control Center, click Settings > Hosts.
  2. Check the host to edit.
  3. Click Edit.
  4. Make any changes to the host or its included components and services. From this page, you can:
       Start and stop services
       Start and stop the flow of data to and from a Scanner
       Enable and disable Scanner replication
       Alter Conduit proxy settings
       Define SMTP settings
       Define internal mail servers for your site
     For more details on these categories, see Configuring host (Scanner) settings on page 20.

To edit a Scanner (alternative method)
  1. In the Control Center, click Status > Host Details.
  2. Select a host from the drop-down list.
  3. Click Configure Host.
  4. Make any changes to the host or its included components and services. See To edit a Scanner on page 189 for a list of the types of changes you can make.

Enabling and disabling Scanners

For troubleshooting or testing purposes, you can disable and then re-enable Scanners. It is also strongly recommended that you disable a Scanner before deleting it. Otherwise, you run the risk of losing messages within the Scanner queues. Bear in mind that a Scanner will not process mail while it is disabled.

Disable or enable a Scanner

Follow these procedures to disable or enable a Scanner.

To disable a Scanner
  1. In the Control Center, click Settings > Hosts. A red x in the Enabled column indicates that the Scanner is disabled. A green check mark in the Enabled column indicates that the Scanner is enabled.
  2. To disable a Scanner that is currently enabled, check the box next to the Scanner and click Edit.
  3. Click Do not accept incoming messages.
  4. Click Save.
  5. Allow messages to drain from the queue. You can check message queue status in Status > Message Queues.
  6. Check the box next to the Scanner you want to disable and click Disable. Check as many Scanners as needed before clicking Disable. The Scanner list updates to reflect your choice. Clicking Enable for an enabled Scanner or Disable for a disabled Scanner has no effect on the Scanner.

To enable a Scanner
  1. In the Control Center, click Settings > Hosts. A red x in the Enabled column indicates that the Scanner is disabled. A green check mark in the Enabled column indicates that the Scanner is enabled.
  2. To enable a Scanner that is currently disabled, check the box next to the Scanner and click Enable. Check as many Scanners as needed before clicking Enable. The Scanner list updates to reflect your choice. Clicking Enable for an enabled Scanner or Disable for a disabled Scanner has no effect on the Scanner.

Deleting Scanners

When you delete a Scanner using the Control Center, you permanently remove that Scanner's services from the Control Center. To prevent a Scanner from continuing to run after deleting it, disable the Scanner before deleting it.

To delete a Scanner
  1. In the Control Center, click Settings > Hosts.
  2. Check the box next to the Scanner you want to delete.
  3. Click Delete.

Administering the system through the Control Center

The following administrative tasks can be performed through the Control Center:
  Managing system administrators
  Managing software licenses

Managing system administrators

You can add, delete, and edit information for administrators of the Control Center from the Administrators page.

Manage administrators

Follow these steps to add, edit, or delete administrators.

To add an administrator
  1. In the Control Center, click Administration > Administrators.
  2. Click Add.
  3. Type the user name and password, and confirm the password.
  4. Enter the email address of the administrator.
  5. If this administrator is to receive system alerts, check Receive alert notifications.
  6. Choose the administrative rights you want to assign. You can do this in either of the following ways:
       Click Full Administration Rights to allow the administrator to view and modify all available rights, and then skip to step 9.
       Click Limited Administration Rights to choose specific rights for this administrator.
  7. Check the specific tasks you want this administrator to manage.
  8. For each task selected, click View or Modify.

  9. Click Save.

To edit an administrator
  1. In the Control Center, click Administration > Administrators.
  2. Select an administrator from the list and click Edit.
  3. Change the administrator definition as needed.
  4. Click Save.

To delete an administrator
  1. In the Control Center, click Administration > Administrators.
  2. Select administrators by checking the boxes next to administrator names.
  3. Click Delete. You will be asked to confirm deletion of the selected administrator(s).

Managing software licenses

Licenses determine which features are enabled in your system.

To view and add licenses through the Control Center
  1. In the Control Center, click Administration > Licenses.
  2. Review the license information for Symantec Mail Security for SMTP. Next to each licensed entry, a status of Licensed is shown. For an unlicensed product, ask your Symantec representative about getting a license file through which to register the product. License files must be placed on the same machine on which the browser is open unless you have specifically mapped a drive to an external machine.
  3. To license a Symantec product, either browse to or enter the full path and license file name in the Specify a license file edit box.
  4. Click Register. You can use the same license file to register multiple Scanners.

Administering the Control Center

The following sections describe common Control Center administrative tasks.

Starting and stopping the Control Center

The Control Center is configured to start when Symantec Mail Security for SMTP is turned on and to stop when it is shut down. However, there may be times when you need to manually stop and later start the Control Center, such as to investigate a problem.

Start or stop the Control Center

To start or stop the Control Center, you must start or stop its processes. The main processes are Tomcat and MySQL.

To start the Control Center processes
  To start Tomcat and related processes such as the Expunger and Notifier on Windows, use the Control Panel > Services window to start Tomcat. On Linux or Solaris, log in as root or use sudo to run the following command:
    /etc/init.d/bcc start
  To start MySQL on Windows, use the Control Panel > Services window to start MySQL. On Linux or Solaris, log in as root or use sudo to run the following command:
    /etc/init.d/smssmtp_mysql start

To stop Control Center processes
  To stop Tomcat and related processes such as the Expunger and Notifier on Windows, use the Control Panel > Services window to stop Tomcat. On Linux or Solaris, log in as root or use sudo to run the following command:
    /etc/init.d/bcc stop
  To stop MySQL on Windows, use the Control Panel > Services window to stop MySQL. On Linux or Solaris, log in as root or use sudo to run the following command:
    /etc/init.d/smssmtp_mysql stop

Checking the Control Center error log

Periodically, you should check the Control Center error log. All errors related to the Control Center are written to the BrightmailLog.log file. Follow the procedure at the end of this section to view it. Each problem results in a number of lines in the error log. For example, the following lines result when Spam Quarantine receives a message too large to handle:

  com.mysql.jdbc.PacketTooBigException: Packet for query is too large ( > )
      at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)
      at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1540)
      at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1005)
      at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1109)
      at com.mysql.jdbc.Connection.execSQL(Connection.java:2030)
      at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:1750)
      at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:1596)
      at org.apache.commons.dbcp.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:207)
      at com.brightmail.dl.jdbc.impl.DatabaseSqlManager.handleUpdate(Unknown Source)
      at com.brightmail.dl.jdbc.impl.DatabaseSqlManager.handleUpdate(Unknown Source)
      at com.brightmail.dl.jdbc.impl.DatabaseSqlTransaction.create(Unknown Source)
      at com.brightmail.bl.bo.impl.SpamManager.create(Unknown Source)
      at com.brightmail.service.smtp.impl.SmtpConsumer.run(Unknown Source)

To view BrightmailLog.log
  1. In the Control Center, click Status > Logs.
  2. Next to Component, click Control Center.
  3. Click BrightmailLog.log to open it. It's located under Log Files.
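Because each problem produces a multi-line stack trace like the one above, a periodic check is easier when traces are grouped into events and counted per exception class. The following Python parser is an added example (not a tool shipped with the product); it assumes a log4j layout of "date time LEVEL message" for the first line of each entry, and the sample log is constructed, with the exception and frame lines taken from the guide.

```python
"""Group BrightmailLog.log stack traces into events and count them by exception.
Added example; not code from the Symantec guide."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumed log4j pattern for the first line of an entry: "yyyy-MM-dd HH:mm:ss,SSS LEVEL message".
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\w+) ")
# A fully-qualified Java exception class, e.g. com.mysql.jdbc.PacketTooBigException.
EXCEPTION = re.compile(r"\b((?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error))\b")

# Meaning the guide gives for a particular exception.
KNOWN_CAUSES = {
    "com.mysql.jdbc.PacketTooBigException":
        "Spam Quarantine received a message too large to handle",
}

# Constructed sample log; the byte counts in parentheses are made up.
SAMPLE_LOG = """\
2006-04-27 10:15:02,123 INFO Expunger run complete
2006-04-27 10:15:07,456 ERROR com.mysql.jdbc.PacketTooBigException: Packet for query is too large (2097152 > 1048576)
\tat com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)
\tat com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1540)
\tat com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1005)
\tat org.apache.commons.dbcp.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:207)
2006-04-27 10:16:00,001 WARN LDAP synchronization skipped: source disabled
2006-04-27 10:20:11,789 ERROR com.mysql.jdbc.PacketTooBigException: Packet for query is too large (3145728 > 1048576)
\tat com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)
\tat com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1109)
"""


def split_events(text: str) -> List[List[str]]:
    """Group lines into events: each event starts at a timestamped entry and
    absorbs the continuation lines that follow ("at ...", "Caused by: ...")."""
    events: List[List[str]] = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return events


def exception_class(event: List[str]) -> Optional[str]:
    """Return the first exception class named in the event, or None if the
    event is an ordinary log line without a stack trace."""
    for line in event:
        m = EXCEPTION.search(line)
        if m:
            return m.group(1)
    return None


def summarize(text: str) -> Dict[str, int]:
    """Count stack-trace events per exception class."""
    counts: Counter = Counter()
    for event in split_events(text):
        cls = exception_class(event)
        if cls is not None:
            counts[cls] += 1
    return dict(counts)


def report(text: str) -> List[str]:
    """One line per exception class, most frequent first, with the guide's
    explanation where one is documented."""
    lines = []
    for cls, n in sorted(summarize(text).items(), key=lambda kv: (-kv[1], kv[0])):
        cause = KNOWN_CAUSES.get(cls, "no documented cause; inspect the stack trace")
        lines.append(f"{n} x {cls}: {cause}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```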

Increasing the amount of information in BrightmailLog.log

If you have problems with the Control Center, you can increase the detail of the log messages saved into BrightmailLog.log by changing settings in the log4j.properties file. BrightmailLog.log contains logging information for the Control Center, including Spam Quarantine. When you increase the logging level in log4j.properties, it creates a lot of log information, so it's recommended to increase the maximum size of BrightmailLog.log as described below.

To increase the detail of logging messages saved into BrightmailLog.log
  1. Open the following file in a text editor such as WordPad or vi:
       On Solaris or Linux: /opt/symantec/smssmtp/tomcat/webapps/brightmail/WEB-INF/classes/log4j.properties
       On Windows: C:\Program \ WEB-INF\classes\log4j.properties
  2. Find the following line:
       #log4j.rootLogger=WARN, file
  3. Change the word WARN to DEBUG.
  4. Find the following line:
       log4j.appender.file.MaxFileSize=5MB
  5. Change the 5MB to the desired number, such as 10MB.
  6. Find the following line:
       log4j.appender.file.MaxBackupIndex=10
  7. Change the number after MaxBackupIndex to the desired number, such as 40. This setting determines the number of saved BrightmailLog.log files. For example, if you specify 2, BrightmailLog.log contains the newest information, BrightmailLog.log.1 contains the next newest, and BrightmailLog.log.2 contains the oldest information. When BrightmailLog.log reaches the size indicated by log4j.appender.file.MaxFileSize, it's renamed to BrightmailLog.log.1, and a new BrightmailLog.log file is created. The original BrightmailLog.log.1 is renamed to BrightmailLog.log.2, and so on. This number times the value of log4j.appender.file.MaxFileSize determines the amount of disk space required for these logs.
  8. Save and exit from the log4j.properties file.
  9. On Windows, use Control Panel > Services to restart Tomcat.

     On Solaris or Linux, log in as root or use sudo to run the following command:
       # /etc/init.d/bcc restart

Note: Change the settings of the log4j.properties file back to the original settings when you're finished debugging the Control Center.

Starting and stopping UNIX and Windows services

Although you should perform routine administration using the Control Center, you may occasionally need to start and stop Symantec Mail Security for SMTP services outside of the Control Center. For example, the Control Center itself can't be stopped using the Control Center.

Starting and stopping Windows services

Table 10-1 describes the Windows services of Symantec Mail Security for SMTP.

Table 10-1 Windows services

Service display name: SMS Active Directory Notification Agent
  Service short name: SMSADCNASVC
  Process in Task Manager: AD_CNA.exe
  Description: Tracks changes in Active Directory for SyncService

Service display name: SMS Agent
  Service short name: BMIAGENTSVC
  Process in Task Manager: bmagent.exe
  Description: Transfers configuration information between the Control Center and each Scanner

Service display name: SMS Conduit
  Service short name: BMICONDUITSVC
  Process in Task Manager: conduit.exe
  Description: Downloads antispam filters from Symantec Security Response and manages antispam statistics

Service display name: SMS Exchange 5.5 Notification Agent
  Service short name: SMSEX55CNASVC
  Process in Task Manager: Ex55_CNA.exe
  Description: Tracks changes in Exchange 5.5 for SyncService

Service display name: SMS Filter Hub
  Service short name: BMIFLTRHUBSVC
  Process in Task Manager: filter-hub.exe
  Description: Filters messages

Service display name: SMS IPlanet Notification Agent
  Service short name: SMSIPLANETCNASVC
  Process in Task Manager: iplanet_cna.exe
  Description: Tracks changes in iPlanet/Sun ONE for SyncService

Service display name: SMS Live Update Controller
  Service short name: BMIJLUSVC
  Process in Task Manager: jlu-controller.exe
  Description: Downloads updated virus definitions

Service display name: SMS-SMTP-MySQL
  Service short name: SMS-SMTP-MySQL
  Process in Task Manager: mysqld-nt.exe
  Description: Retrieves data stored in the MySQL database

Service display name: SMS SMTP Tomcat
  Service short name: SMSTomcat
  Process in Task Manager: tomcat5.exe
  Description: Serves Control Center pages via HTTP

Service display name: SMS Sync Server
  Service short name: SMSENSURESVC
  Process in Task Manager: ensure.exe
  Description: Synchronizes user and group data from LDAP directories

Service display name: SMS Virtual Directory Server
  Service short name: SMSENQUIRESVC
  Process in Task Manager: Enquire.exe
  Description: Provides unified view of LDAP data to SyncService

Start or stop Windows services

You can start and stop Windows services from the Services window. You can also stop services from the Task Manager, but not start them.

To start or stop Windows services using the Services window
  1. On the Windows taskbar, click Start > Administrative Tools > Services.
  2. Locate the service and click it to highlight it.
  3. Click one of the symbols at the top of the window to start or stop the service.

To stop services from the Task Manager
  1. Press Ctrl+Alt+Delete.
  2. Click Task Manager.
  3. Right-click the name of the service and then click End Process Tree.

Note: Be sure to use the End Process Tree option, not the End Process option.

Starting and stopping UNIX services

Table 10-2 describes the UNIX services of Symantec Mail Security for SMTP.

Table 10-2 UNIX services

  bcc: Serves Control Center pages via HTTP
  sms_ldapsync: Synchronizes user and group data from LDAP directories
  smssmtp_mysql: Retrieves data stored in the MySQL database
  smssmtpbase: Transfers configuration information between the Control Center and each Scanner
  smssmtpconnector: Downloads updated virus definitions and antispam filters
  smssmtpmta: Mail transfer agent that routes

Start or stop UNIX services

Follow these procedures to start or stop UNIX services.

To start UNIX services
  Log in as root or use sudo to type a command of the form:
    /etc/init.d/<service> start
  For example:
    /etc/init.d/bcc start

To stop UNIX services
  Log in as root or use sudo to type a command of the form:
    /etc/init.d/<service> stop
  For example:
    /etc/init.d/bcc stop

Periodic system maintenance

System maintenance of the Symantec software should be done as part of your regular server maintenance schedule, including the tasks below.

Backing up logs data

In general, there is no reason to store stale logs. For troubleshooting purposes, logs that are not set to Information (which provides the most detail) have limited utility, especially if you need assistance from Symantec Support personnel. It is best to view and save current logs as needed on the Logs page and set the appropriate retention period for logging data.

Backing up the Spam and Virus Quarantine databases

The messages in Spam and Virus Quarantines are stored in MySQL databases. You can back up the Spam and Virus Quarantine databases together, using MySQL, or you can back up each database separately. If you have a large number of messages in Spam Quarantine, backing up may take some time. Backups can be done while the Symantec software is running. MySQL must be running when you perform backups. For complete instructions on performing backups of MySQL data, see the MySQL documentation. The following MySQL commands are suggested for your use.

Note: In the instructions in this section, replace the value PASSWORD with the text printed by the following command on Solaris or Linux:
  cat /opt/symantec/smssmtp/.brightmailuser
On Windows, open the following file in a text editing application and use the file contents as the value of PASSWORD:
  C:\Program Files\Symantec\SMSSMTP\.brightmailuser

Back up and restore Quarantine database information

Use the following procedures for backing up or restoring quarantine databases.

To save Spam Quarantine and Suspect Virus Quarantine tables
  mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail user user_spam_message spam_message spam_message_summary spam_message_release_audit settings_quarantine day_zero_message settings_ldap --host= > quarantine.sql

To restore Spam Quarantine and Suspect Virus Quarantine tables from backup
  mysql --user=brightmailuser --password=PASSWORD --host= brightmail < quarantine.sql

To save Spam Quarantine tables
  mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail user user_spam_message spam_message spam_message_summary spam_message_release_audit settings_quarantine settings_ldap --host= > spam_quarantine.sql

To restore Spam Quarantine tables from backup
  mysql --user=brightmailuser --password=PASSWORD --host= brightmail < spam_quarantine.sql

To save Suspect Virus Quarantine tables
  mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail settings_quarantine day_zero_message --host= > virus_quarantine.sql

To restore Suspect Virus Quarantine tables from backup
  mysql --user=brightmailuser --password=PASSWORD --host= brightmail < virus_quarantine.sql

Maintaining adequate disk space

Use standard file system monitoring tools to verify that you have adequate disk space. Remember that the storage required by certain Symantec Mail Security for SMTP features, such as extended reporting data and Spam Quarantine, can become large.
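As an added example (not the guide's own script), the following Python wrapper runs the three mysqldump commands above with the password read from .brightmailuser supplied through a mode-0600 --defaults-extra-file instead of as --password=... on the command line, where it is visible to every local user in the process list; it then checks that mysqldump wrote its closing "-- Dump completed" line. The host value 127.0.0.1 and the output file names are assumptions; the table lists and password file paths are the guide's.

```python
"""Quarantine-table backups without exposing the MySQL password in argv.
Added example; not code from the Symantec guide."""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List, Sequence

DB_NAME = "brightmail"
DB_USER = "brightmailuser"
# Table sets from the guide's three mysqldump commands.
ALL_TABLES = ["user", "user_spam_message", "spam_message", "spam_message_summary",
              "spam_message_release_audit", "settings_quarantine", "day_zero_message",
              "settings_ldap"]
SPAM_TABLES = ["user", "user_spam_message", "spam_message", "spam_message_summary",
               "spam_message_release_audit", "settings_quarantine", "settings_ldap"]
VIRUS_TABLES = ["settings_quarantine", "day_zero_message"]
# Password file locations from the guide (Solaris/Linux first, then Windows).
PASSWORD_FILES = [Path("/opt/symantec/smssmtp/.brightmailuser"),
                  Path(r"C:\Program Files\Symantec\SMSSMTP\.brightmailuser")]


def read_password(candidates: Sequence[Path] = PASSWORD_FILES) -> str:
    """Return the contents of the first .brightmailuser file that exists."""
    for path in candidates:
        if path.is_file():
            return path.read_text(encoding="ascii").strip()
    raise FileNotFoundError("no .brightmailuser file found")


def write_defaults_file(user: str, password: str, host: str) -> str:
    """Write a [client] option file readable only by the current user and return its path.
    mysqldump reads it via --defaults-extra-file, so the password never appears in argv."""
    fd, path = tempfile.mkstemp(prefix="smssmtp-backup-", suffix=".cnf")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[client]\nuser={user}\npassword={password}\nhost={host}\n")
    os.chmod(path, 0o600)
    return path


def dump_command(defaults_file: str, tables: Sequence[str]) -> List[str]:
    """Build the mysqldump argv; --defaults-extra-file must be the first option."""
    return ["mysqldump", f"--defaults-extra-file={defaults_file}", "--opt", DB_NAME, *tables]


def check_dump_text(text: str) -> bool:
    """mysqldump ends a successful dump with a '-- Dump completed on ...' line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].startswith("-- Dump completed")


def dump_completed(dump_path: Path) -> bool:
    return check_dump_text(dump_path.read_text(errors="replace"))


def run_dump(tables: Sequence[str], out_path: Path, host: str = "127.0.0.1",
             runner: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> bool:
    """Dump the given tables to out_path; True only if mysqldump exited 0 and
    the file carries the completion marker. The option file is removed afterwards."""
    defaults = write_defaults_file(DB_USER, read_password(), host)
    try:
        with open(out_path, "wb") as fh:
            proc = runner(dump_command(defaults, tables), stdout=fh,
                          stderr=subprocess.PIPE, check=False)
    finally:
        os.remove(defaults)  # the password file does not outlive the run
    return proc.returncode == 0 and dump_completed(out_path)


if __name__ == "__main__":
    for name, tables in (("quarantine", ALL_TABLES), ("spam_quarantine", SPAM_TABLES),
                         ("virus_quarantine", VIRUS_TABLES)):
        ok = run_dump(tables, Path(f"{name}.sql"))
        print(f"{name}.sql: {'ok' if ok else 'FAILED'}")
```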

Appendix A
Feature Cross-Reference

This appendix includes the following topics:
  New features for all users
  Changes for Symantec Mail Security for SMTP users
  Changes for Symantec Brightmail Antispam users
  About filtering and message handling options

All users will find significant new features in this release of Symantec Mail Security for SMTP. You will also find familiar features, in many cases improved and expanded. In some cases the names of features are the same; in some cases the names have changed, and the changes are noted in this appendix.

Note: By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages.

New features for all users

Table A-1 lists features that are new for both Symantec Mail Security for SMTP users and Symantec Brightmail Antispam users.

Table A-1 New features for Symantec Mail Security for SMTP and Symantec Brightmail Antispam

Threat protection features
  Improved Firewall: Protects against directory harvest attacks, denial of service attacks, spam attacks, and virus attacks.
  Sender Authentication: Protects against phishing attacks, using the Sender Policy Framework (SPF), Sender ID, or both.
  Improved virus protection: Additional virus verdicts protect against suspected viruses, spyware and adware, and encrypted attachments. Email messages that may contain viruses can be delayed in the Suspect Virus Quarantine, then refiltered with updated virus definitions, if available. This feature can be effective in defeating virus attacks before they are widely known. View a continuously updated list of available virus definitions.

Inbound and outbound content controls
  True file type recognition for content compliance filtering: Automatically detects file types without relying on file name extensions or MIME types.
  Keywords filtering within attachments, keyword frequency filtering: Scan within attachments to find keywords from dictionaries you create or edit. Specify a number of occurrences to look for.
  Regular expression filtering: Use regular expressions to further customize filter conditions by searching within messages and attachments.
  Support for third party archival tools: Specify conditions that result in email being sent to an archival email address or disk location.

Flexible mail management
  LDAP integration and synchronization for policies: Dynamic group population via any of several supported LDAP servers.
  Expanded variety of actions and combinations: More than two dozen actions that can be taken on messages, with many combinations of multiple actions available.
  Expanded mail controls: SMTP connection management, support for secure email (TLS encryption), user-based routing, address masquerading, invalid recipient handling, control over delivery queue processing, support for static routes.
  Aliasing: Distribution lists automatically expanded, mail filtered and delivered correctly for each user.

Improved reporting and monitoring
  Extensive set of pre-built reports, scheduled reporting, additional alert conditions, remote syslog support: More than 50 graphical reports that you can generate ad hoc or on a scheduled basis. Reports can be exported for offline analysis and emailed.

Expanded administration capabilities
  Message tracking: View a trail of detailed information about a message, including the filtering processing applied to a message.
  IP-based access control: Control which hosts and networks can access your Control Center.
  Control over Quarantine size limits: Specify user-based and total limits, configure automatic message deletions.

Changes for Symantec Mail Security for SMTP users

For users of Symantec Mail Security for SMTP 4.1, Version 5.0 provides a host of expanded and improved capabilities. In addition to the new features listed in Table A-1, additional new features for Symantec Mail Security for SMTP users only are listed in Table A-2.

Table A-2 New features for Symantec Mail Security for SMTP users

Flexible mail management
  Centralized, Web-based administration: Use the Control Center to manage all aspects of email management and spam, virus, and content filtering across all servers with one interface.

Inbound and outbound content controls
  Group Policies: Create separate inbound and outbound policies for an unlimited number of groups of users. You can specify groups of users based on email addresses, domains, LDAP groups, or IP addresses. For each category of email, you can specify custom message handling for each group.
  Expanded notification capabilities: Automatically send emails notifying specific persons or groups when certain message conditions are encountered during message filtering. Create different notifications for different conditions or user groups.
  Improved attachment blocking: Strip attachments within container files. Search within attachments using regular expressions.

Improved reporting and monitoring
  Aggregated logging and reporting: Access logs for all messages from all servers via the Control Center. Manage reports for all servers via the Control Center. Note that many of the reporting features in SMS for SMTP 4.1 have been replaced in SMS for SMTP 5.0 by the message tracking feature.

Expanded administration capabilities
  Delegated administration: Multiple administrator roles with view-only or modify access to different portions of the management interface.

New feature names

Group Policies introduce expanded flexibility in mail filtering and message handling. Group Policies enable you to specify groups of users, based on email addresses, domains, or IP addresses, and customize mail filtering for each group. See About filtering and message handling options on page 206 for more information. In addition, if you were using Version 4.1 without Premium AntiSpam, Version 5.0, with or without Premium AntiSpam, provides much more extensive capabilities for customizing both message filtering and the actions taken on filtered messages.

Most features in Version 5.0 have similar names to the corresponding Version 4.1 features. Table A-3 provides a cross-reference between selected Symantec Mail Security for SMTP 4.1 features and Symantec Mail Security for SMTP 5.0 features that have different names.

Table A-3 Version 4.1 to Version 5.0

Symantec Mail Security for SMTP 4.1 feature name -> Symantec Mail Security for SMTP 5.0 feature name
  Accounts -> Administration
  Custom disclaimer -> Annotation
  Scan policy -> Settings > Virus > Exclude Scanning tab
  Routing -> Settings > Hosts > Edit > SMTP tab

Discontinued features

The following Symantec Mail Security for SMTP 4.1 features are not included in Symantec Mail Security for SMTP 5.0:
  Auto-generated whitelist
  Logging of SMTP conversations
  Hold Queue, automatic reordering of the Slow Queue

  Return code support for DNS Blacklists
  Configurable administrator timeout for the management interface

Changes for Symantec Brightmail Antispam users

Although the product name has changed, if you were a Symantec Brightmail Antispam user you will find the user interface for Symantec Mail Security for SMTP 5.0 quite familiar. Most features are named similarly, and the organization of the user interface is quite similar. Most of the changes are new features.

For users of Symantec Brightmail Antispam, Symantec Mail Security for SMTP Version 5.0 provides significant new and expanded capabilities. In addition to the new features listed in Table A-1, additional new features for Symantec Brightmail Antispam users only are listed in Table A-4.

Table A-4 New features for Symantec Brightmail Antispam users

Threat protection features
  Improved virus processing: LiveUpdate support for virus definitions, list of file types to exclude from virus scanning, expanded container limit controls.

Flexible mail management
  Outbound filtering: Provides spam, virus, and content compliance filtering on outbound messages.
  More flexible Group Policies: Specify different outbound and inbound policies for each user group. Use LDAP groups to populate groups for Group Policies.
  Multiple actions: Specify more than one action to take on specific categories of messages to specific groups of recipients.

Inbound and outbound content controls
  Expanded content compliance filtering capabilities: Expanded set of actions available on filtered messages, support for multiple actions on the same messages.
  Attachment blocking: Create lists of attachment types to remove. Strip attachments within container files.
  Annotations: Automatically append or prepend text, such as legal disclaimers or marketing tag lines, to messages.
  Notifications: Automatically send emails notifying specific persons or groups when certain message conditions are encountered during message filtering. Create different notifications for different conditions or user groups.

Improved reporting and monitoring
  Expanded virus monitoring: Virus outbreak alerts, expanded logging of virus events.
  Expanded logging: Symantec Security Information Manager (SSIM) logging support.

Expanded administration capabilities
  Global reject or pause of message scanning: During a virus outbreak, you can temporarily pause scanning until new virus filters are in place.

While the names of features are largely the same, you will find some changes to the organization of menus. Most importantly, you will now find a Policies menu at the top level, breaking out Group Policies (under the Settings menu in Symantec Brightmail Antispam 6.0.3) and including other items as well. See About filtering and message handling options on page 206 for an updated explanation of how settings and policies interact.

About filtering and message handling options

In Symantec Mail Security for SMTP 5.0, there are five types of choices you can make about filtering options. These choices provide much greater flexibility, and it is important to understand how your choices for various options interact with each other, as follows:

Scanning Settings: Settings determine system-wide policies for handling email. These include:
  Address Masquerading
  Aliases
  Spam Settings
  Virus Settings
  Invalid Recipients
  Local Domains
  Scanning (including Container Limits)

Filter Policies: Specific sets of conditions that identify categories of email, and specific sets of actions to take on those messages. You can specify multiple filter policies for the same categories, and then use different filter policies for different groups of users. Filter policies include:
  Spam policies
  Virus policies

Content compliance policies

Email Firewall Policies: Like settings, these policies affect all users. However, they enable you to create specific system-wide strategies for handling email, including:
Attacks: Create strategies for automatic response to directory harvest attacks, spam attacks, and virus attacks.
Sender Authentication: Authenticate senders using the Sender Policy Framework (SPF), Sender ID, or both.
Sender Groups: Manage three types of Allowed Senders Lists, specify actions for three types of Blocked Senders Lists, and enable or disable three Symantec-managed Reputation Service lists.

Policy Resources: Create sets of data that enable further customization of filtering and of the actions taken on filtered email. You can employ policy resources when you create filter policies. Policy resources include:
Annotations (called Custom Disclaimers in Version 4.1): Add custom text to the beginning or end of the message body.
Archive: Send messages to a specific address for storage.
Attachment Lists: Specify lists of attachment types for use in filtering, based on file naming or on the true type of each file, or use any of five pre-filled lists.
Dictionaries: Specify sets of words for use in filtering, or use any of several predefined dictionaries.
Notifications: Create messages that can be sent to specific parties when filtering finds specific kinds of messages.

Group Policies: Tie all of the above categories together by specifying which filter policies apply to each group of users. You can specify groups of users based on email addresses, domains, LDAP groups, or IP addresses.

Group Policies specify filter policies. Filter policies can make use of policy resources. Email firewall policies and scanning settings can affect all messages.


Appendix B Spam foldering and the Symantec Outlook Spam Plug-in

This appendix includes the following topics:
About foldering and the plug-in
Installing the Symantec Outlook Spam Plug-in
Configuring automatic spam foldering
Enabling automatic spam foldering
Enabling language identification

About foldering and the plug-in

This chapter tells you how to install and configure the Symantec Outlook Spam Plug-in and the spam foldering agents for Microsoft Exchange and Lotus Domino users. The Symantec Outlook Spam Plug-in is an alternative to the personal Allowed Senders and Blocked Senders Lists and language preferences offered by the Control Center. For a comparison of the native language processing offered by Symantec Mail Security for SMTP and the Symantec Outlook Spam Plug-in, see Choosing language identification type on page 52.

Note: The Symantec Outlook Spam Plug-in and foldering software described in this chapter is available on your Symantec Mail Security for SMTP CD.

Installing the Symantec Outlook Spam Plug-in

Usage scenarios

The Symantec Outlook Spam Plug-in makes it easy for Outlook users to submit missed spam and false positives to Symantec. Depending on how you configure the plug-in, user submissions can also be automatically sent to a local system administrator. The Symantec Outlook Spam Plug-in also gives users the option to administer their own Blocked Senders and Allowed Senders Lists, as well as to specify languages in which they do or do not wish to receive email.

You can use the Symantec Outlook Spam Plug-in with the following other components:
Symantec Spam Folder Agent for Exchange
Spam Quarantine
Both Symantec Spam Folder Agent for Exchange and Spam Quarantine
Neither Symantec Spam Folder Agent for Exchange nor Spam Quarantine

Note: Documentation for end users is provided in the Symantec Outlook Spam Plug-in help system.

End user experience

After performing a simple installation process, users will have a new toolbar in their Outlook window:

This is Spam: Users click this button to submit the message to Symantec Security Response and move it from their Inbox to their Spam folder.
This is Not Spam: Users click this button to submit the message to Symantec and move it from their Spam folder to their Inbox.
Empty Spam Folder: Users click this button to empty their Spam folder (if configured).
Spam Quarantine: Users click this button to launch Spam Quarantine in their default Web browser (if configured).
Symantec: By choosing an item from this pull-down menu, users can get information on using the plug-in, view a report (if configured), and administer their personal Blocked Senders and Allowed Senders Lists.

The Symantec menu includes the following options:

Symantec Help: Launch a help page for the Symantec Outlook Spam Plug-in using your default Web browser.
Spam Report: View spam statistics (if configured).

Options: Set plug-in properties, administer your private Blocked Senders and Allowed Senders Lists, and specify languages in which you do or do not wish to receive email.
About Symantec: Get information on the current version of the software.

Software requirements

The Symantec Outlook Spam Plug-in can be used with Outlook 2000, Outlook 2002, Outlook XP, and Outlook 2003, on Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, and Windows.

Note: If you are using Symantec Spam Folder Agent for Exchange, the plug-in retrieves the name of the spam folder from the Symantec Spam Folder Agent for Exchange Inbox Rule. Absent the Symantec Spam Folder Agent for Exchange, the plug-in retrieves the SPAM_FOLDER value from the Windows registry. If there is no SPAM_FOLDER value in the Windows registry, it creates a Spam folder during installation.

Set up and configure the Symantec Outlook Spam Plug-in

Follow these procedures to enable your users to install the Symantec Outlook Spam Plug-in.

To set up the Symantec Outlook Spam Plug-in
1 Navigate to the folder containing the Symantec Outlook Spam Plug-in software.
2 Copy all the files in the Plugin\Outlook folder to a network directory that is accessible to your users.
3 If desired, modify the setup.ini file to configure optional system-wide settings. See Table B-1, Symantec Outlook Spam Plug-in setup variables, on page 213.
4 Either email your users a link to the setup.exe file in this directory, or use remote distribution software to install it on your users' computers. You can install silently by running setup.exe with the following switches: /s /v"/qn"

Note: If you run setup.exe with the command /s /v"/qn", the silent install option ignores changes made to setup.ini. To preserve your changes, add /qn to the end of the CmdLine attribute in setup.ini, and then run the silent install using: /s.

Note: Instruct users to close Outlook before running the installer by clicking File, and then clicking Exit. If they close Outlook in any other way, Outlook may continue to run in memory and return an error.

To configure system-wide settings for the Symantec Outlook Spam Plug-in (optional)
1 Open the setup.ini file for editing. This file contains the initial settings for launching the Symantec Outlook Spam Plug-in installation package. All the settings you need to use can be set on the CmdLine attribute in the [Startup] section at the beginning of the setup.ini file. The settings will be added as values under the following Windows Registry key: HKLM\Software\Brightmail\OutlookPlugin
2 Change the settings in Table B-1 as desired. Example: CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="[email protected]"
3 Save your changes to the setup.ini file. These settings will be used during each installation of the Symantec Outlook Spam Plug-in to modify the Windows Registry on each user's computer.

Table B-1 Symantec Outlook Spam Plug-in setup variables

ADMIN_FALSE_ADDRESS: The email address of the administrator to copy with false positive submissions. The default is an empty string. If this value is empty, then the message will not be sent to the administrator.
ADMIN_JUNK_ADDRESS: The email address of the administrator to copy with missed spam submissions. The default is an empty string. If this value is empty, then the message will not be sent to the administrator.

ALLOWED_CONTACTS: If set to 1 (the default) or any non-zero value, treat all entries of the Outlook Contacts folder as members of the Allowed Senders List. If set to 0, do not treat any members of the Outlook Contacts folder as members of the Allowed Senders List.
AUTO_ADD_BLOCKED: When submitting a spam message to Symantec Security Response, add the sender of the message to the Blocked Senders List. The default is 1.
AUTO_ADD_ALLOWED: When submitting a false positive message to Symantec Security Response, add the sender of the message to the Allowed Senders List. The default is 1.
AUTO_ALLOWED: If set to 1 (the default) or any non-zero value, automatically generate the Allowed Senders List. If set to 0, do not automatically generate the Allowed Senders List.
CHECK_ALLOWED: If set to 1 (the default) or any non-zero value, move messages directly to the Spam folder. If a message sender is in the user's Allowed Senders List or (optionally) Outlook Contacts list, or if ANY of the message's recipients are in the user's Allowed Recipients List, the message is moved to the Inbox. Otherwise it stays in the Spam folder. If set to 0, messages are delivered normally (to the Inbox).
CHECK_BLOCKED: If set to 1 (the default) or any non-zero value, move messages directly to the Spam folder. If a message sender is in the user's Allowed Senders List or (optionally) Outlook Contacts list, or if ANY of the message's recipients are in the user's Allowed Recipients List, the message is moved to the Inbox. Otherwise it stays in the Spam folder. If set to 0, messages are delivered normally (to the Inbox).
DELETE_SPAM: If set to 1 or any non-zero value, spam messages will be deleted. If set to 0 (the default value), spam messages will be moved to the Spam folder.
DELETE_X_DAYS: Deletes messages in the Spam folder which are more than x days old. The default is 7. Set this value to 0 to disable this feature.

DISPLAY_ARE_YOU_SURE_MSGS: Specifies whether the confirmation dialog is displayed after a message is submitted. If this variable is set to 1 (the default value), the confirmation message will be displayed. If this variable is set to any other value or left empty, the message will not be displayed.
DISPLAY_CONFIRMATION_MSG: Specifies whether the confirmation dialog is displayed after a message is submitted. If this variable is set to 1 (the default value), the confirmation message will be displayed. If this variable is set to any other value or left empty, the message will not be displayed.
EMPTY_SPAM_FOLDER: If set to 0 (the default), do not display the Empty Spam button. If set to 1 or any non-zero value, display the Empty Spam button. This button allows users to delete the contents of their Spam folders.
HIDE_NOT_SPAM: Specifies whether the This is Not Spam button is hidden. The default is 0 (displayed). Any non-zero value, including an empty value, will cause the button to be hidden.
HIDE_SPAM: Specifies whether the This is Spam button is hidden. The default is 0 (displayed). Any non-zero value, including an empty value, will cause the button to be hidden.
MANUAL_ALLOWED: If set to 1 (the default) or any non-zero value, allow users to add entries to the Allowed Senders and Allowed Recipients Lists. If set to 0, do not allow users to add entries.
MANUAL_BLOCKED: If set to 1 (the default) or any non-zero value, allow users to add entries to the Blocked Senders and Blocked Recipients Lists. If set to 0, do not allow users to add entries.
MARK_AS_READ: If set to 1 (the default) or any non-zero value, messages are marked as Read when moved to the Spam folder. If set to 0, messages are not marked as Read when moved to the Spam folder.

MODIFY_OPTIONS: If set to 1 (the default) or any non-zero value, allow users to view/edit the Submissions and Preferences tabs. If set to 0, do not allow users to view/edit the Submissions and Preferences tabs.
MULTI_CONFIRM_MSG: The confirmation message for multiple successful submissions. The default value for this string is: Thank you for submitting messages to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.
SENDER_NOT_IN_ALLOWED: Specify the action to take if the message sender is not in the Allowed Senders List. Normal: Move the message to the Inbox. Delete: Delete the message. SpamFolder: Move the message to the Spam folder. The default is Normal.
SINGLE_CONFIRM_MSG: The confirmation message for a single successful submission. The default value for this string is: Thank you for submitting a message to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.
SPAM_FOLDER: The name of the Spam folder. The default is Spam.
SPAM_QUARANTINE_URL: If specified, this setting causes the Spam Quarantine button to appear in the toolbar. Clicking the button displays the Spam Quarantine login page in a Web browser. If unspecified (the default), the Spam Quarantine button does not appear in the toolbar.
REPORT_URL: If specified, this setting causes the Spam Report item to appear in the Symantec menu. Clicking Spam Report displays the Spam Report application. If unspecified (the default), Spam Report does not appear in the menu.
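The semantics in Table B-1 are easy to get wrong when the CmdLine attribute is assembled by hand: an empty HIDE_SPAM value hides a button (it counts as non-zero), an empty DISPLAY_CONFIRMATION_MSG suppresses a dialog, and a stray double quote breaks the quoted NAME="value" syntax. The following Python script is an added example for this guide, not Symantec code. It checks a settings mapping against the rules in Table B-1, renders the CmdLine attribute in the layout of the guide's own example (with /qn appended so a silent setup.exe /s run keeps the settings, as the note above describes), and parses an existing CmdLine back so a deployed setup.ini can be audited. The setup.ini fragment and the addresses in it are constructed for the example; the script assumes only the [Startup] section and CmdLine attribute that the guide names.

```python
"""Check, render and parse the CmdLine attribute of the Symantec Outlook
Spam Plug-in setup.ini using the variable semantics of Table B-1.

Added example for this guide, not Symantec code.  Assumes the
CmdLine=NAME="value" NAME="value" layout of the guide's own example and
that a trailing /qn on CmdLine is what keeps a 'setup.exe /s' run silent.
"""
import shlex

# Table B-1: 0 = off, any non-zero value = on.  An empty value is not defined
# for these variables, so it is reported rather than guessed at.
ZERO_OR_NONZERO = {
    "ALLOWED_CONTACTS", "AUTO_ADD_BLOCKED", "AUTO_ADD_ALLOWED", "AUTO_ALLOWED",
    "CHECK_ALLOWED", "CHECK_BLOCKED", "DELETE_SPAM", "EMPTY_SPAM_FOLDER",
    "MANUAL_ALLOWED", "MANUAL_BLOCKED", "MARK_AS_READ", "MODIFY_OPTIONS",
}
# Table B-1: "any non-zero value, including an empty value" hides the button.
HIDE_FLAGS = {"HIDE_SPAM", "HIDE_NOT_SPAM"}
# Table B-1: only the literal 1 shows the dialog; anything else, or empty, does not.
ONE_SHOWS = {"DISPLAY_ARE_YOU_SURE_MSGS", "DISPLAY_CONFIRMATION_MSG"}
ENUM = {"SENDER_NOT_IN_ALLOWED": {"Normal", "Delete", "SpamFolder"}}
DAYS = {"DELETE_X_DAYS"}
TEXT = {"ADMIN_FALSE_ADDRESS", "ADMIN_JUNK_ADDRESS", "MULTI_CONFIRM_MSG",
        "SINGLE_CONFIRM_MSG", "SPAM_FOLDER", "SPAM_QUARANTINE_URL", "REPORT_URL"}
KNOWN = ZERO_OR_NONZERO | HIDE_FLAGS | ONE_SHOWS | set(ENUM) | DAYS | TEXT


def check_settings(settings):
    """Return the problems found in a {NAME: value} mapping (empty list = clean)."""
    problems = []
    for name, raw in settings.items():
        value = str(raw)
        is_int = value.lstrip("-").isdigit()
        if name not in KNOWN:
            problems.append(f"{name}: not a setup variable documented in Table B-1")
        elif '"' in value:
            problems.append(f"{name}: a double quote in the value breaks the quoted CmdLine syntax")
        elif name in HIDE_FLAGS and value == "":
            problems.append(f"{name}: empty value hides the button (counts as non-zero); use 0 to show it")
        elif name in (ZERO_OR_NONZERO | HIDE_FLAGS) and not is_int:
            problems.append(f"{name}: expected 0 or a non-zero integer, got {value!r}")
        elif name in ONE_SHOWS and value == "":
            problems.append(f"{name}: empty value suppresses the dialog; use 0 to make that explicit")
        elif name in ENUM and value not in ENUM[name]:
            problems.append(f"{name}: must be one of {sorted(ENUM[name])}, got {value!r}")
        elif name in DAYS and not value.isdigit():
            problems.append(f"{name}: expected a whole number of days (0 disables), got {value!r}")
    return problems


def render_cmdline(settings, silent=True):
    """Build the CmdLine attribute; /qn at the end keeps the settings in a 'setup.exe /s' run."""
    parts = [f'{name}="{value}"' for name, value in settings.items()]
    if silent:
        parts.append("/qn")
    return "CmdLine=" + " ".join(parts)


def parse_cmdline(line):
    """Split a CmdLine= line into ({NAME: value}, silent_flag) for auditing."""
    if not line.startswith("CmdLine="):
        raise ValueError("not a CmdLine attribute")
    settings, silent = {}, False
    # posix=True strips the quotes; a value containing backslashes (a UNC path)
    # would need posix=False plus manual quote handling.
    for token in shlex.split(line[len("CmdLine="):], posix=True):
        if token.lower() == "/qn":
            silent = True
        elif "=" in token:
            name, value = token.split("=", 1)
            settings[name] = value
    return settings, silent


def cmdline_from_ini(ini_text):
    """Return the CmdLine line of the [Startup] section, or None if absent."""
    in_startup = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_startup = stripped.lower() == "[startup]"
        elif in_startup and stripped.startswith("CmdLine="):
            return stripped
    return None


# Constructed sample setup.ini fragment (not a file shipped with the product).
INI_TEXT = """[Startup]
CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="fp-review@example.invalid" HIDE_SPAM="" /qn
"""

if __name__ == "__main__":
    deployed, silent = parse_cmdline(cmdline_from_ini(INI_TEXT))
    print("silent install:", silent, "settings:", deployed)
    for problem in check_settings(deployed):
        print("PROBLEM:", problem)
    print(render_cmdline(dict(deployed, HIDE_SPAM="0")))
```

Run it against the CmdLine line of a setup.ini before publishing the share: the sample catches the HIDE_SPAM="" mistake, which would otherwise silently remove the This is Spam button from every user's toolbar.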

Configuring automatic spam foldering

You can route users' spam into a special folder so they can review it using the Symantec Spam Folder Agent for Exchange or the Symantec Spam Folder Agent for Domino. To enable spam foldering after configuring it, see Enabling automatic spam foldering on page 221.

Configuring the Symantec Spam Folder Agent for Exchange

Follow these steps to configure the Symantec Spam Folder Agent for Exchange.

Note: Symantec Mail Security for SMTP does not support native spam foldering for Exchange. As an alternative, you can deploy the Symantec Spam Folder Agent for Exchange on Exchange 2003 systems.

To install the Symantec Spam Folder Agent for Exchange
1 Navigate to the folder containing the setup.exe file and double-click it.
2 Click Next to skip the introductory dialog box.
3 After reading the license agreement, click I accept the terms of this license agreement, and then click Next.
4 Choose a setup type, and then click Next. Setup options include Complete and Custom. The Complete option installs all software in a predefined set of folders and files. The Custom option allows you to tailor installation options.
5 Under Service Account, specify an account to be used by the Symantec Spam Folder Agent for Exchange. Type the Active Directory or NT Domain, as well as the user name and password.
6 In the Mailbox field, specify the mailbox alias of a valid mailbox for the Symantec Spam Folder Agent for Exchange to use. To find this alias, click Active Directory Users and Computers, right-click User properties, and then click the General tab. The account specified in the last step must have Full Access to this mailbox.
7 In the Spam folder name field, specify the name of the folder in each end user's mailbox where spam will be foldered.
8 In the Spam expiration field, specify the period in days for which you want to retain spam messages. The default period is 30 days. You may need to adjust this setting based on the volume of spam you receive at your organization.

9 Click Next. Maintenance occurs once daily; the flag is activated by the main thread when the current hour (local time) is between the maintenance window begin hour and end hour. When all worker threads have completed, the maintenance flag will be marked as completed. When the time has passed the maintenance end hour, the maintenance flag is reset. If the Symantec Spam Folder Agent for Exchange is restarted during the maintenance window, it will rerun maintenance immediately.
10 Click OK.

Note: If the installation process is unable to verify the existence of the spam folder because you have insufficient user rights, a Warning dialog is displayed. You can either continue without verification, or return to the Configuration dialog box and halt installation.

11 Click Install to begin the installation process.
12 Click Finish. The Installer configures the Symantec Spam Folder Agent for Exchange as a Windows service that will run automatically. For information on how to change this default configuration, see Enabling automatic spam foldering on page 221.

Configuring the Symantec Spam Folder Agent for Domino

To enable automatic foldering of spam for your Lotus Domino users, install the Symantec Spam Folder Agent for Domino on each Lotus Domino mail server. Before you install, ensure that your computer meets the following software and configuration requirements:
Windows NT 4.0 (SP 3), Windows 2000 (SP 2), or Windows
Lotus Notes Release or later.

To install the Symantec Spam Folder Agent for Domino
1 Navigate to the folder containing the setup.exe file and double-click it.
2 Click Domino Agent.
3 Follow the displayed instructions to start Lotus Notes and open the Symantec Spam Folder Agent for Domino database. The Domino Agent Installation Wizard panel is displayed.
4 Select the Install Domino Agent radio button, and then click Next. The License Agreement panel is displayed.

5 After reading the license agreement, click I accept the terms of the license agreement, and then click Next. The Preparing to Install panel is displayed.
6 Complete all prerequisite steps if you haven't already done so.

Warning: On each server in your environment running Lotus Notes Release 5.x, you must add the following variable to the Notes.INI file: Amgr_DisableMailLookup=1
Notes.INI is usually found in the server's root Notes folder. You should then restart each server running Release 5. (This setting is not required for servers running Release 6.) For more information, search for document # on the Lotus support page:

7 Click Next. The Selecting Options panel is displayed.
8 Select the option(s) you wish to configure and click Next. The Configuring Spam Folder Information panel is displayed.
Note: This screen appears only if you chose to configure spam foldering.
9 Under Spam Folder, specify the name of the folder in each end user's mailbox where spam will be sidelined, and then click Next. The default is Spam.
10 Specify a spam expiration between 1 and 365 days. Messages will be automatically deleted from the Spam folder after the specified number of days. The default is 30 days.
11 Click Next. The Configuring Submissions panel is displayed.
Note: This panel appears only if you chose to configure missed spam and false positive submissions.
12 Under Submission Types, select Missed Spam, False Positives, or both.
13 Under Local Administrator for Submissions, either select an email address from the drop-down list adjacent to the submission type(s) you wish to configure, or type the address.
14 Click Next. The Configuring Server Information panel is displayed.

15 Specify a mail server. If your mail template files are replicas (as they are when shipped), you need only install the Symantec Spam Folder Agent for Domino on one server.
16 Specify a mail template filename. You must repeat this process for each mail template used at your site.
17 Click Install. The Installation Completed panel is displayed.
18 Click Finish.

The mail server on which you install the Symantec Spam Folder Agent for Domino distributes changes to all other mail servers in your environment as part of the Design task, which runs overnight. The Symantec Spam Folder Agent for Domino will not be visible in each user's mail file until the following conditions occur:
Replication distributes the change to the template on the user's home mail server.
The nightly Design process runs on the user's home mail server.
The user reopens his or her mail file after installation. This only applies if the user's mail file was open when its design was refreshed. The Symantec Spam Folder Agent for Domino will take effect when the design is refreshed, though the folder will not be visible.

See the Lotus Notes online help for information on forcing changes immediately.

Note: To reconfigure the Symantec Spam Folder Agent for Domino, you must first uninstall it, then reinstall it.

Distributing end-user help

The Symantec Spam Folder Agent for Domino installer includes an MS Word file (BMIEndUser.doc) detailing the submission process. You can distribute this information to your users in the following two ways:
Import BMIEndUser.doc or email it as an attachment to all end users.
Add the information in BMIEndUser.doc to the Help Using document of the mail template so that users have it available at all times.

Uninstalling the Symantec Spam Folder Agent for Domino

Use the following procedure to uninstall the Symantec Spam Folder Agent for Domino.

To uninstall the Symantec Spam Folder Agent for Domino
1 Click Domino Agent in the Installer screen. The Installation Wizard is displayed.
2 Click Uninstall Domino Agent, and then click Next. The Uninstall panel is displayed.
3 Click Uninstall. If your mail template files are replicas (as they are when shipped), you need only uninstall once. The Successfully Uninstalled panel is displayed.
4 Click Finish.

Enabling automatic spam foldering

Follow these steps to enable automatic spam foldering for Exchange 5.5, Exchange 2000, Exchange 2003, or Lotus Domino.

To deliver spam messages to users' spam folders
1 In the Control Center, click Policies > Spam.
2 Click Add.
3 Under Policy Name, type Folder or a descriptive name of your choice.
4 Under Apply to, click Inbound messages.
5 Under Groups, check the box next to the groups that should have their spam foldered.
6 Under Conditions, choose If a message is spam or suspected spam.
7 Under Perform the following action, click Deliver the message to the recipient's spam folder.
8 Click Add Action.
9 Click Save.

For more information about Group Policies, see Choosing language identification type on page 52.

Enabling language identification

Symantec Mail Security for SMTP must be configured to work with the client-side language processing offered by the Symantec Outlook Spam Plug-in. See Enabling and disabling end user settings on page 79.

Appendix C Integrating Symantec Mail Security with Symantec Security Information Manager

This chapter includes the following topics:
About Symantec Security Information Manager
Interpreting events in the Information Manager

About Symantec Security Information Manager

In addition to using the Symantec Mail Security for SMTP logging features, you can also log events to the Symantec Security Information Manager appliance for event management and correlation. Symantec Security Information Manager (SSIM) integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for Information Manager-enabled security products, such as Symantec Mail Security for SMTP, that protect your IT infrastructure from malicious code, intrusions, and blended threats. The Information Manager increases your organization's security posture by simplifying the task of monitoring and managing the multitude of security-related events and products that exist in today's corporate environments. The event categories and classes include threats, security risks, content filtering, network security, spam, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by the Information Manager.

The Information Manager provides you with an open, standards-based foundation for managing security events from Symantec clients, gateways, servers, and Web servers. SSIM Agents collect events from Symantec security products and send the events to the Symantec Security Information Manager, which uses a sophisticated set of rules to filter, aggregate, and correlate the events into security incidents and allows for full tracking and response. The Symantec Security Information Manager allows you to manage and respond to incidents from threat and vulnerability discovery through resolution. The Symantec Incident Manager evaluates the impact of incidents on the associated systems and assigns incident severities. A built-in Knowledge Base provides information about the vulnerabilities that are associated with the incident. The Knowledge Base also suggests tasks that you can assign to a help desk ticket for resolution.

Symantec Security Information Manager is purchased and installed separately. The appliance must be installed and working properly before you can configure Symantec Mail Security to log events to the SSIM. For more information, see the Symantec Security Information Manager documentation.

Interpreting events in the Information Manager

SSIM provides extensive event management capabilities, such as common logging of normalized event data for Information Manager-enabled security products like Symantec Mail Security for SMTP. The event categories and classes include threats (such as viruses), security risks (such as adware and spyware), content filtering rule violations, network security, spam, and systems management. For more information about interpreting events in the Information Manager and on the event management capabilities of the Information Manager, see the Symantec Security Information Manager documentation.

Symantec Mail Security for SMTP can send the following types of events to the Information Manager:
Firewall events
Definition Update events
Message events
Administration events

Note: Although some of the Information Manager Event IDs are the same for multiple events, the event descriptions and occasionally the severity are different.

Configuring data sources

You must configure the following data sources on the Information Manager to receive events from Symantec Mail Security for SMTP. You can add a new sensor for each data source. Once you have configured these sources, you must distribute the configuration to the Collector for it to take effect. For more information, refer to the Symantec Security Information Manager documentation.

Table C-1 Settings for Message statistics
Type: Message stats
Path for Linux/Solaris: /opt/symantec/smssmtp/scanner/stats/
Path for Windows: c:\program Files\Symantec\SMSSMTP\scanner\stats\
Filename: bmi_eng_stats
Configure as: Monitor in Real Time

Table C-2 Settings for Firewall statistics
Type: Firewall stats
Path for Linux/Solaris: /opt/symantec/smssmtp/scanner/stats/
Path for Windows: c:\program Files\Symantec\SMSSMTP\scanner\stats\
Filename: bmi_fw_stats
Configure as: Monitor in Real Time

Table C-3 Settings for Administrative and Definition Update statistics
Type: Admin and Definition Update stats
Path for Linux/Solaris: /opt/symantec/smssmtp/logs/tomcat/bmi_sesa/Brightmail_SESA_Events.2
Path for Windows: c:\program Files\Symantec\SMSSMTP\logs\tomcat\BMI_SESA\Brightmail_SESA_Events.2
Filename: Brightmail_SESA_Events
Configure as: Dynamic Filename & Monitor in Real Time

Firewall events that are sent to the Information Manager

Table C-4 lists the firewall events that Symantec Mail Security for SMTP can send to the Information Manager.

Table C-4 Firewall events that are sent to the Information Manager
| Event ID (SES_EVENT_<Unique ID>) | Severity | Event class | Rule description (Reason sent) |
| SES_EVENT_CONNECTION_ACCEPTED (512000) | Informational | symc_firewall_network | Connection Permitted |
| SES_DETAIL_CONNECTION_REJECTED (517242) | Informational | symc_firewall_network | Connection Rejected |
| SES_DETAIL_CONNECTION_REJECTED (517247) | Informational | symc_firewall_network | Connection Deferred |

Definition Update events that are sent to the Information Manager

Table C-5 lists the definition update events that Symantec Mail Security for SMTP can send to the Information Manager.

Table C-5 Definition Update events that are sent to the Information Manager
| Event ID (SES_EVENT_<Unique ID>) | Severity | Event class | Rule Description (Reason sent) |
| SES_EVENT_VIRUS_DEFINITION_UPDATE (92004) | Informational | symc_def_update | Antivirus definition update |
| SES_EVENT_LIST_UPDATE (92009) | Informational | symc_def_update | Body hash definition update |
| SES_EVENT_LIST_UPDATE (92009) | Informational | symc_def_update | BLRM definition update |
| SES_EVENT_LIST_UPDATE (92009) | Informational | symc_def_update | Spamsig definition update |
| SES_EVENT_LIST_UPDATE (92009) | Informational | symc_def_update | Spamhunter definition update |
| SES_EVENT_LIST_UPDATE (92009) | Informational | symc_def_update | Intsig definition update |
| SES_EVENT_LIST_UPDATE (92009) | Informational | symc_def_update | Permit definition update |

Message events that are sent to the Information Manager

Table C-6 lists the message events that Symantec Mail Security for SMTP can send to the Information Manager.

Table C-6 Message events that are sent to the Information Manager
| Event ID (SES_EVENT_<Unique ID>) | Severity | Event class | Rule Description (Reason sent) |
| SES_EVENT_VIRUS (122000) | Informational | symc_data_virus_incident | Virus message |
| SES_EVENT_UNSCANNABLE_VIOLATION (112056) | Informational | symc_data_incident | Unscannable violation |
| SES_EVENT_MALWARE_CONTENT (122001) | Informational | symc_data_virus_incident | Malware message |
| SES_EVENT_SPAM_CONTENT (132001) | Informational | symc_data_incident | Spam Message |
| SES_EVENT_GENERIC_CONTENT (132000) | Informational | symc_data_incident | Suspect Spam |
| SES_EVENT_SENSITIVE_CONTENT_VIOLATION (182000) | Informational | symc_data_incident | Content violation message |
| SES_EVENT_GENERIC_CONTENT (132000) | Informational | symc_data_incident | Encrypted message |

Administration events that are sent to the Information Manager

Table C-7 lists the administration events that Symantec Mail Security for SMTP can send to the Information Manager.

Table C-7: Administration events that are sent to the Information Manager

Event ID (SES_EVENT_<Unique ID>) | Severity | Event class | Rule Description (Reason sent)
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Registration success
SES_EVENT_CONFIGURATION_FAILED (92058) | Warning | symc_config_update | Registration failure
SES_EVENT_APPLICATION_STOP (92002) | Informational | symc_base | BCC/service stopping
SES_EVENT_APPLICATION_START (92001) | Informational | symc_base | BCC/service starting
SES_EVENT_HOST_INTRUSION ( ) | Informational | symc_host_intrusion | User login successful
SES_EVENT_HOST_INTRUSION ( ) | Informational | symc_host_intrusion | User logout successful
SES_EVENT_HOST_INTRUSION ( ) | Warning | symc_host_intrusion | User login failed
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Enable/add host
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Disable/remove host
SES_EVENT_HOST_INTRUSION ( ) | Minor | symc_host_intrusion | Prohibited action
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Delete all
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Change group policy
SES_EVENT_LIST_UPDATE_FAILED (92059) | Minor | symc_defupdate | Antispam filters old
SES_EVENT_VIRUS_DEFINITION_UPDATE_FAILED (92054) | Major | symc_defupdate | Antivirus filters old
SES_EVENT_LIST_UPDATE_FAILED (92059) | Critical | symc_defupdate | Antispam license expired
SES_EVENT_VIRUS_DEFINITION_UPDATE_FAILED (92054) | Critical | symc_defupdate | Antivirus license expired
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Certificate imported
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Dictionary items imported
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Sender group members imported
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Group policy members imported
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Component is not active
SES_EVENT_CONFIGURATION_CHANGE (92008) | Informational | symc_config_update | Administrator account change
SES_EVENT_VIRUS (122000) | Major | symc_config_update | Virus outbreak

Note that one event ID and event class can carry several different rule descriptions: SES_EVENT_CONFIGURATION_CHANGE (92008) covers everything from registration success to administrator account changes, and in Table C-6 SES_EVENT_GENERIC_CONTENT (132000) is used for both suspect spam and encrypted messages. Correlation rules in the Information Manager that need to distinguish these cases must key on the rule description as well as on the event ID.
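The following is an added example, not part of the guide or of the product: a small triage routine of the kind a SIEM rule set or a script consuming these events might run. Tables C-6 and C-7 document the event IDs, severities, classes and rule descriptions, but not the record format in which the Information Manager receives or stores them, so the pipe-delimited records below are constructed, and the thresholds and windows are assumed tuning values.

```python
"""Triage of Symantec Mail Security for SMTP events of the kinds listed in
Tables C-6 and C-7.  Added example, not product code.  The record layout
(pipe-delimited: timestamp | event ID | severity | event class | rule
description) and the thresholds are assumptions; the guide documents the
fields but not a wire or storage format."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records: a burst of failed Control Center logins followed
# by a successful login and an administrator account change, then two
# definition/outbreak events with the severities Table C-7 assigns them.
SAMPLE_LOG = """\
2006-04-27T10:00:01 | SES_EVENT_APPLICATION_START | Informational | symc_base | BCC/service starting
2006-04-27T10:01:10 | SES_EVENT_HOST_INTRUSION | Warning | symc_host_intrusion | User login failed
2006-04-27T10:01:15 | SES_EVENT_HOST_INTRUSION | Warning | symc_host_intrusion | User login failed
2006-04-27T10:01:21 | SES_EVENT_HOST_INTRUSION | Warning | symc_host_intrusion | User login failed
2006-04-27T10:01:24 | SES_EVENT_HOST_INTRUSION | Warning | symc_host_intrusion | User login failed
2006-04-27T10:01:30 | SES_EVENT_HOST_INTRUSION | Warning | symc_host_intrusion | User login failed
2006-04-27T10:02:00 | SES_EVENT_HOST_INTRUSION | Informational | symc_host_intrusion | User login successful
2006-04-27T10:05:00 | SES_EVENT_CONFIGURATION_CHANGE | Informational | symc_config_update | Administrator account change
2006-04-27T11:00:00 | SES_EVENT_VIRUS_DEFINITION_UPDATE_FAILED | Critical | symc_defupdate | Antivirus license expired
2006-04-27T11:30:00 | SES_EVENT_VIRUS | Major | symc_config_update | Virus outbreak
""".splitlines()

PAGE_SEVERITIES = {"Major", "Critical"}     # always worth an immediate alert
FAILED_LOGIN_THRESHOLD = 5                  # assumed tuning values, not from the guide
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
POST_BURST_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Split one constructed record into a dict; the column order is an assumption."""
    ts, event, severity, cls, rule = (field.strip() for field in line.split("|"))
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "severity": severity, "cls": cls, "rule": rule}


def triage(lines):
    """Return (kind, rule description, timestamp) alerts in the order they fire."""
    alerts = []
    failures = deque()      # timestamps of recent "User login failed" events
    last_burst = None       # when the last brute-force alert fired
    for ev in map(parse_event, lines):
        # Rule 1: Major/Critical events (stale definitions, expired licenses,
        # virus outbreak) are paged regardless of what else is happening.
        if ev["severity"] in PAGE_SEVERITIES:
            alerts.append(("page", ev["rule"], ev["ts"]))

        # Rule 2: many failed logins in a short window suggest password guessing
        # against the Control Center; each failure is only a Warning on its own.
        if ev["cls"] == "symc_host_intrusion" and ev["rule"] == "User login failed":
            failures.append(ev["ts"])
            while failures and ev["ts"] - failures[0] > FAILED_LOGIN_WINDOW:
                failures.popleft()
            if len(failures) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("brute-force", ev["rule"], ev["ts"]))
                last_burst = ev["ts"]
                failures.clear()

        # Rule 3: a successful login or an administrator account change shortly
        # after such a burst is the pattern of a guessed password being used.
        recently_bursted = last_burst is not None and ev["ts"] - last_burst <= POST_BURST_WINDOW
        if recently_bursted and ev["rule"] in ("User login successful", "Administrator account change"):
            alerts.append(("compromise-suspected", ev["rule"], ev["ts"]))
    return alerts


def run_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, rule, ts in run_sample():
        print(f"{ts.isoformat()}  {kind:<20}  {rule}")
```

The per-event severities in the tables are what the product assigns; the value of feeding them to the Information Manager is the correlation across events, which is why the example keeps state across records rather than acting on each one alone.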


Appendix D: Editing antivirus notification messages

Whenever Symantec Mail Security for SMTP sidelines and processes a message for virus cleaning, it extracts the appropriate text from the notification file and creates an advisory message that informs the recipient of the action taken. Symantec Mail Security for SMTP then inserts the original message as an attachment to the advisory message. This method ensures that the advisory message is always presented to the user, and that the original message is included unless it has been deleted as uncleanable.

Although it is not necessary for you to edit these messages, you can do so if you wish. This section explains the format of the file that contains the messages and the procedure for modifying it.

Modifying notification files

The notification files are located at:

    Windows: C:\Program Files\Symantec\SMSSMTP\scanner\etc\
    UNIX:    /opt/symantec/smssmtp/scanner/etc/

The notification file used by Symantec Mail Security for SMTP depends on your locale:

    Notification.en_US.UTF-8.xml    US English
    Notification.ja_JP.UTF-8.xml    Japanese
    Notification.xml                Default for locales that aren't US English or Japanese

Changing the notification file character set

The notification file includes the advisory-list tag with a char-set attribute. You can edit this tag to specify a different character set for notification messages. For example, to use the Latin 2 character set (ISO ), which contains characters for 15 Eastern European languages, you would edit the tag to appear as follows:

    <advisory-list char-set="iso ">

The char-set attribute names the character set of the notification messages the scanner generates; the XML file itself is still read according to the encoding declared in its <?xml ...?> prolog, so text you add to the file must be saved in that encoding.

For a list of all the languages that use the ISO 8859 character sets, see:

Note: The Notification.xml file also contains a content-transfer-encoding element. However, it is not used. Symantec Mail Security for SMTP chooses the encoding method (quoted-printable or base64) that results in the shortest message.

Editing messages in the notification file

The notification messages can be edited. In the XML file, each notification message is constructed with an <advisory> tag. There are several <advisory> tags, each containing a block of information, depending on the disposition of the message. For example, after Symantec Mail Security for SMTP successfully cleans a message, it retrieves text from the cleaned_sentence advisory, shown in the next example.

Warning: When making changes to the XML file, modify only customizable text. If you adjust the placement of the variable tags identified by the <t> tag, ensure that you don't change the values of the tokens within the tag. Do not modify any other tags or structures. The <t> tokens (file_name, virus_name, error, file_actions and message_headers in the stock file) are filled in by the scanner at run time; a renamed or deleted token cannot be filled in, and an unbalanced tag makes the file unparseable as XML, so check that an edited file is still well-formed before copying it into the scanner's etc directory.

To make changes to the text Symantec Mail Security for SMTP inserts for cleaned messages, edit only the sentence text (shown in boldface in the printed guide), not the <advisory> or <t> tags:

    <advisory name="cleaned_sentence">
    <t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been cleaned.</advisory>

To view all customizable <advisory> elements in the notification file, see the next section.

Notification file contents

This section shows the full contents of the Notification.en_US.UTF-8.xml file, which contains text for notifications issued by Symantec Mail Security for SMTP as it sidelines and processes messages. The other notification files are similar. You can modify certain text in <advisory> elements as described in the previous section.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE advisory-list SYSTEM "AdvisoryStore.dtd">
<advisory-list char-set="utf-8">
<!-- The following eleven notification sentences are the new v2 notification scheme. -->
<advisory name="cleaned_sentence">
<t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been cleaned.</advisory>
<advisory name="deleted_cant_clean_sentence">
<t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been deleted because the file cannot be cleaned.</advisory>
<advisory name="deleted_cant_replace_sentence">
<t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been deleted because the Symantec decomposer cannot modify its container.</advisory>
<advisory name="deleted_too_large_sentence">
<t name="file_name"/> was deleted because it is too large.</advisory>
<advisory name="deleted_cant_rebuild_sentence">
<t name="file_name"/> was deleted because the Symantec decomposer cannot rebuild its container.</advisory>
<advisory name="virus_still_there_sentence">
<t name="file_name"/> is still infected with the malicious virus <t name="virus_name"/> because the Symantec decomposer cannot modify its container.</advisory>
<advisory name="cant_scan_container_corrupted_sentence">
The container <t name="file_name"/> was not scanned because it is corrupted (Symantec decomposer reports <t name="error"/>). If you are able to open it, use caution when doing so as it may contain files with viruses.</advisory>
<advisory name="cant_scan_oless_corrupted_sentence">
The Microsoft document <t name="file_name"/> was not scanned because it is corrupted (Symantec decomposer reports <t name="error"/>). If you are able to open it, use caution when doing so as it may contain embedded files with viruses.</advisory>
<advisory name="cant_scan_encrypted_sentence">
<t name="file_name"/> was not scanned for viruses because it is encrypted.</advisory>
<advisory name="cant_scan_too_large_sentence">
<t name="file_name"/> was not scanned for viruses because it is too large.</advisory>
<advisory name="scan_error_sentence">
<t name="file_name"/> was not scanned for viruses because of the error: <t name="error"/></advisory>
<advisory name="too_many_levels_sentence">
<t name="file_name"/> was not scanned for viruses because too many nested levels of files were found.</advisory>
<advisory name="too_complex_sentence">
The message was not scanned for viruses because the maximum time for scanning was exceeded.</advisory>
<!-- The following nine notifications are varieties of boilerplate text that can be used with any of the notifications above. -->
<advisory name="rcpt_text">
This message has been processed by Symantec AntiVirus.
<t name="file_actions"/>
</advisory>
<advisory name="rcpt_html">
<![CDATA[
<HTML>
<BODY>
<P>
This message has been processed by Symantec AntiVirus.<BR>
<BR>
<PRE>
]]>
<t name="file_actions"/>
<![CDATA[
</PRE>
<BR>
</P>
</BODY>
</HTML>
]]>
</advisory>
<advisory name="error_text">
ERROR: During the processing of this email an error occurred. Contact the sender of this message so he or she can resend it to you.
</advisory>
<advisory name="error_html">
<![CDATA[
<HTML>
<BODY>
<P>ERROR: During the processing of this email an error occurred. Contact the sender of this message so he or she can resend it to you.
<BR>
<BR>
</P>
</BODY>
</HTML>
]]>
</advisory>
<advisory name="sender_text">
The message you sent has been processed by Symantec AntiVirus.
<t name="file_actions"/>
You may want to install or update antivirus software on your computer.
For more information on antivirus tips and technology, visit

Headers of infected message:
<t name="message_headers"/>
</advisory>
<advisory name="sender_html">
<![CDATA[
<HTML>
<BODY>
<P>
The message you sent has been processed by Symantec AntiVirus.<BR>
<BR>
<PRE>
]]>
<t name="file_actions"/>
<![CDATA[
</PRE>
<BR>You may want to install or update antivirus software on your computer.<br>
For more information on antivirus tips and technology, visit <A HREF="
<BR>
</P>
<p>
Headers of infected message:
<PRE>
]]>
<t name="message_headers"/>
<![CDATA[
</PRE>
</BODY>
</HTML>
]]>
</advisory>
</advisory-list>
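The following is an added example, not part of the guide or of the product: the check to run on a customized notification file before copying it into the scanner's etc directory, covering both the editing rules of the previous section and the file shown above. It parses a constructed excerpt of Notification.en_US.UTF-8.xml (the DOCTYPE line is omitted so the snippet runs without AdvisoryStore.dtd), confirms that an edited copy is still well-formed XML and still carries exactly the <t> tokens each stock advisory had, and renders an advisory by substituting token values. The scanner's own substitution code is not shown in the guide, so the render step is a model of the documented behaviour; the file and virus names used are placeholders.

```python
"""Validate and render edited Symantec Mail Security notification advisories.
Added example, not product code.  STOCK_XML is a constructed excerpt of
Notification.en_US.UTF-8.xml without its DOCTYPE line, so no DTD is needed."""
import xml.etree.ElementTree as ET

STOCK_XML = """<?xml version="1.0" encoding="utf-8"?>
<advisory-list char-set="utf-8">
<advisory name="cleaned_sentence">
<t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been cleaned.</advisory>
<advisory name="cant_scan_encrypted_sentence">
<t name="file_name"/> was not scanned for viruses because it is encrypted.</advisory>
<advisory name="rcpt_text">
This message has been processed by Symantec AntiVirus.
<t name="file_actions"/>
</advisory>
</advisory-list>
"""

# An acceptable customization: wording changed, tokens untouched.
GOOD_EDIT = STOCK_XML.replace(
    '<t name="file_name"/> was infected with the malicious virus <t name="virus_name"/> and has been cleaned.',
    'The attachment <t name="file_name"/> carried <t name="virus_name"/>; it was disinfected and is safe to open.')

# A bad customization: a token name was altered, so the scanner can no longer fill it.
BAD_EDIT = STOCK_XML.replace('<t name="virus_name"/> and has been cleaned.',
                             '<t name="virusname"/> and has been cleaned.')

# A broken customization: a closing tag was deleted.
BROKEN_EDIT = STOCK_XML.replace('because it is encrypted.</advisory>', 'because it is encrypted.')


def load_advisories(xml_text):
    """Return (root element, {advisory name: element}); the file is bytes on disk."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root, {adv.get("name"): adv for adv in root.iter("advisory")}


def token_names(advisory):
    """The <t> tokens an advisory expects, in order of appearance."""
    return tuple(t.get("name") for t in advisory.iter("t"))


def check_edit(stock_xml, edited_xml):
    """List problems that would make an edited file unusable; an empty list means OK."""
    try:
        root, edited = load_advisories(edited_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    _, stock = load_advisories(stock_xml)
    problems = []
    if root.tag != "advisory-list" or not root.get("char-set"):
        problems.append("root element must be <advisory-list> with a char-set attribute")
    for name, stock_adv in stock.items():
        if name not in edited:
            problems.append(f"advisory {name!r} is missing")
        elif token_names(edited[name]) != token_names(stock_adv):
            problems.append(f"advisory {name!r}: tokens changed from "
                            f"{token_names(stock_adv)} to {token_names(edited[name])}")
    problems.extend(f"advisory {name!r} is not in the stock file" for name in edited if name not in stock)
    return problems


def render(advisory, values):
    """Substitute token values (a model of the documented behaviour) and collapse whitespace."""
    parts = [advisory.text or ""]
    for child in advisory:
        if child.tag != "t":
            raise ValueError(f"unexpected <{child.tag}> in advisory {advisory.get('name')!r}")
        parts.append(values[child.get("name")])
        parts.append(child.tail or "")
    return " ".join("".join(parts).split())


if __name__ == "__main__":
    _, stock = load_advisories(STOCK_XML)
    # Placeholder file and virus names, not taken from the guide.
    print(render(stock["cleaned_sentence"], {"file_name": "invoice.zip", "virus_name": "W32.Example"}))
    for label, candidate in (("good", GOOD_EDIT), ("bad", BAD_EDIT), ("broken", BROKEN_EDIT)):
        print(label, check_edit(STOCK_XML, candidate) or "OK")
```

Run the check against the real stock file and your edited copy before deploying; the stock file is the reference for which tokens each advisory must keep, and only the sentence text around those tokens is meant to change.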

Glossary

administrator
1. A person who oversees the operation of a network. 2. A person who is responsible for installing programs on a network and configuring them for distribution to workstations. The administrator may also update security settings on workstations.

adware
Programs that secretly gather personal information through the Internet and relay it back to another computer. This is done by tracking browsing habits, generally for advertising purposes.

Agent
A component of Symantec Mail Security for SMTP that facilitates communicating configuration information between the Control Center and each Scanner.

Allowed Senders List
In Symantec Mail Security for SMTP, a list of senders whose messages are omitted from most types of filtering (but not from virus filtering).

annotation
A phrase or paragraph placed at the beginning or end of the body of an email message. Symantec Mail Security for SMTP allows you to specify up to 1000 distinct annotations to use in specific categories of messages for specific groups of recipients. You can use this feature to automate disclaimers.

antivirus
A subcategory of a security policy that pertains to computer viruses.

API (application programming interface)
The specific methodology by which a programmer writing an application program can make requests of the operating system or another application.

archive
An action that can be performed on messages by Symantec Mail Security for SMTP, which consists of forwarding the messages to a specific SMTP address.

attachment list
A list of attachment types for use in filtering. You can create attachment lists based on file naming (for example, based on the file extension), or on the true type of each file, or you can use any of five pre-filled lists.

Audit ID
A unique identifier generated by Symantec Mail Security for SMTP and included as a message header in all processed messages.

authentication
The process of determining the identity of a user attempting to access a network. Authentication occurs through challenge/response, time-based code sequences, or other techniques. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network.

bandwidth
The amount of data transmitted or received per unit time. In digital systems, bandwidth is proportional to the data speed in bits per second (bps). Thus, a modem that works at 57,600 bps has twice the bandwidth of a modem that works at 28,800 bps.

Blocked sender
A sender identified as blocked, either by email address or originating IP address, or on a Blocked Senders List. You can configure how messages from blocked senders are handled.

Blocked Senders List
A list used by Symantec Mail Security for SMTP in filtering email. Email from senders on a Blocked Senders List is processed according to your configuration choices.

bounce
An action that can be performed on an email message by an email server, which consists of returning the message to its From: address with a custom response. Symantec Mail Security for SMTP also delivers the message, when possible, to its intended recipient.

broadcast address
A common address that is used to direct (broadcast) a message to all systems on a network. The broadcast address is based upon the network address and the subnet mask.

CA (Certificate Authority)
A trusted third-party organization or company that issues digital certificates, which bind an identity to a public key and are used for digital signatures and encryption. The role of the CA in this process is to guarantee that the entity to which it grants a certificate is, in fact, who it claims to be. This means that the CA usually has an arrangement with the requesting entity to confirm a claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.

certificate
A file that is used by cryptographic systems as proof of identity. It contains a user's name and public key.

Certificate Authority-signed SSL
A type of Secure Sockets Layer (SSL) that provides authentication and data encryption through a certificate that is digitally signed by a Certificate Authority.

CIDR
Classless Inter-Domain Routing is a way of specifying a range of addresses using an arbitrary number of bits. For instance, a CIDR specification ending in /25 would include any address in which the first 25 bits of the address matched the first 25 bits of the base address.

clean
An action that consists of deleting unrepairable virus infections and repairing repairable virus infections.

Conduit
A component of a Symantec Mail Security for SMTP Scanner that retrieves new and updated filters from Symantec Security Response through secure HTTPS file transfer. Once retrieved, the Conduit authenticates filters, and then alerts the Filter Hub that new filters are to be received and implemented. Finally, the Conduit manages statistics for use by Symantec Security Response and for generating reports.

Content Compliance
A set of features in Symantec Mail Security for SMTP that enable administrators to enforce corporate policies, reduce legal liability, and ensure compliance with regulatory requirements. These features include annotations, streamlined filter creation using multiple criteria and multiple actions, flexible sender specification, dictionary filters, and attachment management.

Control Center
A Web-based configuration and administration center for Symantec Mail Security for SMTP. Each site has one Control Center. The Control Center also houses Spam Quarantine and supporting software. You can configure and monitor all of your Scanners from the Control Center.

defer
An action that an MTA receiving an email message can take, which consists of using a 4xx SMTP response code to tell the sending MTA to try again later.

dialog box
A secondary window containing command buttons and options available to users for carrying out a particular command or task.

dictionary
A list of words and phrases against which messages can be checked for noncompliant content. Symantec Mail Security for SMTP allows you to create Content Compliance filters that screen against a specific dictionary. You can use the provided dictionaries, add terms to the provided dictionaries, or add additional dictionaries.

directory harvest attack
A high-volume email campaign addressed to dictionary-generated recipient addresses on a specific domain. Directory harvest attacks (DHAs) not only consume resources on the targeted server, they also provide the spammers with a valuable list of valid addresses (targets for future spam campaigns). Symantec Mail Security for SMTP allows you to identify and defuse directory harvest attacks.

DMZ (de-militarized zone)
A network added between a protected network and an external network to provide an additional layer of security. Sometimes called a perimeter network.

DNS (Domain Name Server) proxy
An intermediary between a workstation user and the Internet that allows the enterprise to ensure security and administrative control.

DNS (Domain Name System)
A hierarchical system of host naming that groups TCP/IP hosts into categories. For example, in the Internet naming scheme, names with .com extensions identify hosts in commercial businesses.

DNS server
A repository of addressing information for specific Internet hosts. Name servers use the Domain Name System (DNS) to map IP addresses to Internet hosts.

domain
1. A group of computers or devices that share a common directory database and are administered as a unit. On the Internet, domains organize network addresses into hierarchical subsets. For example, the .com domain identifies host systems that are used for commercial business. 2. A group of computers sharing the network portion of their host names, for example, raptor.com or microsoft.com. Domains are registered within the Internet community. Registered domain entities end with an extension such as .com, .edu, or .gov or a country code such as .jp (Japan).

downstream
At a later point in the flow of email. A downstream server is an email server that receives messages at a later point in time than other servers. In a multiple-server system, inbound mail travels a path from upstream mail servers to downstream mail servers. Downstream can also refer to other types of networking paths or technologies.

Email Firewall
A set of features of Symantec Mail Security for SMTP that provide perimeter defense, similar to a regular firewall, focused on email traffic. The Email Firewall analyzes incoming SMTP connections and enables preemptive responses and actions before messages progress further in the filtering process. The Email Firewall provides attack preemption for spam, virus, and directory harvest attacks, and sender blocks based on IP address, domain, third party lists, or Symantec lists.

email server
An application that controls the distribution and storage of email messages.

encrypted attachment
A message attachment that has been converted into a form that is not easily understood by unauthorized persons. Symantec Mail Security for SMTP does not scan encrypted attachments, but allows you to choose an action to take when an encrypted attachment is detected.

Ethernet
A local area network (LAN) protocol developed by Xerox Corporation in cooperation with DEC and Intel. Ethernet uses a bus or star topology and supports data transfer rates of 100 Mbps.

Expunger
A component of Spam Quarantine, which resides on the Control Center computer in Symantec Mail Security for SMTP. Expunger can be configured to periodically remove older or unwanted messages from the Spam Quarantine database.

extension
A suffix consisting of a period followed by several letters at the end of a file that, by convention, indicates the type of the file.

false positive
A piece of legitimate email that is mistaken for spam and classified as spam by Symantec Mail Security for SMTP.

filter
A method for analyzing messages, used to determine what action to take on each message. Symantec Mail Security for SMTP uses a variety of types of filters to process messages. A filter can be provided by Symantec, created by a local administrator, created by an end user, or provided by a third party.

Filtering Engine
A component of a Symantec Mail Security for SMTP Scanner that performs message filtering.

Filtering Hub
A component of a Symantec Mail Security for SMTP Scanner that manages message filtering processes.

filter policy
In Symantec Mail Security for SMTP, a set of actions that apply to a category of messages. The actions specified in a filter policy are only applied to users who are members of a Group Policy that includes the filter policy. There are three types of filter policies: spam, virus, and content compliance policies. Filter policies can also make use of policy resources. See also Group Policy, policy resources.

firewall
A program that protects the resources of one network from users from other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet will want a firewall to prevent outsiders from accessing its own private data resources. See also Email Firewall.

FTP (File Transfer Protocol)
The simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers email, FTP is an application protocol that uses the Internet's TCP/IP protocols.

gateway
A network point that acts as an entrance to another network. A gateway can also be any computer or service that passes packets from one network to another network during their trip across the Internet.

Group Policy
In Symantec Mail Security for SMTP, a set of filter policies that apply to a specified group of users. Users can be specified by email address or domain. See also filter policy.

heuristic
Filters that proactively target patterns common in spam and viruses.

host
1. In a network environment, a computer that provides data and services to other computers. Services might include peripheral devices, such as printers, data storage, email, or Web access. 2. In a remote control environment, a computer to which remote users connect to access or exchange data.

HTML (Hypertext Markup Language)
A standard set of commands used to structure documents and format text so that it can be used on the Web.

HTTP (Hypertext Transfer Protocol)
The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Like FTP and SMTP, HTTP is an application protocol that runs on top of the TCP/IP suite of protocols (the basis for information exchange on the Internet).

HTTPS (Hypertext Transfer Protocol Secure)
A variation of HTTP that is enhanced by a security mechanism, which is usually Secure Sockets Layer (SSL).

IP (Internet Protocol)
The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one address that uniquely identifies it to all other computers on the Internet.

IP address
A unique number that identifies a workstation on a TCP/IP network and specifies routing information. Each workstation on a network must be assigned a unique IP address, which consists of the network ID, plus a unique host ID assigned by the network administrator. This address is usually represented in dot-decimal notation, with the decimal values separated by a period.

language identification
In Symantec Mail Security for SMTP, a feature that allows you to block or allow messages written in a specified language. For example, you can choose to only allow English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages. Administrators can set language identification for groups of users, or allow users to specify their own settings. See also Symantec Outlook Spam Plug-in.

LDAP (Lightweight Directory Access Protocol)
A software protocol that enables anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet. LDAP is a lightweight (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.

LDIF (LDAP Data Interchange Format)
An Internet Engineering Task Force (IETF) standard format for representing directory information in a flat file, specified in an IETF RFC.

list box
A dialog box containing a list of items from which a user can choose.

mailing list
An automatic email system that allows members to carry on a discussion on a particular topic. Subscribers to the mailing list automatically receive messages that are posted to the list. Mailing lists are commonly used for subscribers to post questions, answers, and opinions based on the topic to which the list is devoted.

malware
Programs and files that are created to do harm. Malware includes computer viruses, worms, and Trojan horses.

messaging gateway
The outermost point in a network where mail servers are located. All other mail servers are downstream from the mail servers located at the messaging gateway.

MIME (Multipurpose Internet Mail Extensions)
A protocol used for transmitting documents with different formats via the Internet.

MTA (Mail Transfer Agent)
A generic term for programs such as Sendmail, Postfix, or qmail that send and receive mail between servers. Each Symantec Mail Security for SMTP Scanner uses the following three separate MTAs:

    Delivery MTA: The component that sends inbound and outbound messages that have already been filtered to their required destinations. To do this, the delivery MTA uses the filtering results and the configuration settings for relaying inbound and outbound mail.
    Inbound MTA: The component that receives inbound mail and forwards it to the Filtering Hub for processing.
    Outbound MTA: The component that receives outbound mail and forwards it to the Filtering Hub for processing.

name server
A computer running a program that converts domain names into appropriate IP addresses and vice versa. See also DNS server.

network
A group of computers and associated devices that are connected by communications facilities (both hardware and software) for the purpose of sharing information and peripheral devices such as printers and modems. See also LAN (local area network).

notification
1. In Symantec Mail Security for SMTP, a separate email that can be automatically sent to the sender, recipients, or other addresses when a specified condition is met. For example, if you have a policy that strips .exe attachments from incoming messages, you may want to also notify the sender that the attachment has been stripped. 2. In Symantec Mail Security for SMTP, a periodic summary email sent by Spam Quarantine to users, listing the newly quarantined spam messages, and including links for users to immediately release messages to their inbox or to log in to their personal quarantines. See also Notifier.

Notifier
A component of Spam Quarantine, which resides on the Control Center in Symantec Mail Security for SMTP. Notifier sends periodic email messages to users, providing a digest of their spam. The Notifier message (notification) is customizable; it can contain a list of the subject lines and senders of all spam messages.

Open Proxy Senders
A dynamic list of IP addresses of identity-masking relays, including proxy servers with open or insecure ports, provided by Symantec based on data from the Probe Network. Because open proxy servers allow spammers to conceal their identities and off-load the cost of emailing to other parties, spammers will continually misuse a vulnerable server until it is brought offline or secured. Part of the Sender Reputation Service, Open Proxy Senders is a sender group in Symantec Mail Security for SMTP. You can specify actions to take on messages from each sender group.

packet
A unit of data that is formed when a protocol breaks down messages that are sent along the Internet or other networks. Messages are broken down into standard-sized packets to avoid overloading lines of transmission with large chunks of data. Each of these packets is separately numbered and includes the Internet address of the destination. Upon arrival at the recipient computer, the protocol recombines the packets into the original message.

parameter
A value that is assigned to a variable. In communications, a parameter is a means of customizing program (software) and hardware operation.

password
A unique string of characters that a user types as an identification code to restrict access to computers and sensitive files. The system compares the code against a stored list of authorized passwords and users. If the code is legitimate, the system allows access at the security level approved for the owner of the password.

phishing
An attempt to illegally gather personal and financial information by sending a message that appears to be from a well known and trusted company. A phishing message typically includes at least one link to a fake Web site, designed to mimic the site of a legitimate business and entice the recipient to provide information that can be used for identity theft or online financial theft.

ping (Packet Internet Groper)
A program that system administrators and hackers or crackers use to determine whether a specific computer is currently online and accessible. Pinging works by sending a packet to the specified IP address and waiting for a reply; if a reply is received, the computer is deemed to be online and accessible.

policy
A set of message filtering instructions that Symantec Mail Security for SMTP implements on a message or set of messages. See also filter policy, Group Policy.

policy resources
In Symantec Mail Security for SMTP, sets of data that enable customization of filtering and the actions taken on filtered email. You can employ policy resources when you create filter policies. Policy resources include annotations, archive, attachment lists, dictionaries, and notifications. See also filter policy, annotation, archive, attachment list, dictionary, and notification (definition 1).

POP3 (Post Office Protocol 3)
An email protocol used to retrieve email from a remote server over an Internet connection.

port
1. A hardware location used for passing data into and out of a computing device. Personal computers have various types of ports, including internal ports for connecting disk drives, monitors, and keyboards, and external ports, for connecting modems, printers, mouse devices, and other peripheral devices. 2. In TCP/IP and UDP networks, the name given to an endpoint of a logical connection. Port numbers identify types of ports. For example, both TCP and UDP use port 80 for transporting HTTP data.

probe accounts
Email addresses assigned to Symantec by our Probe Network Partners, and used by Symantec Security Response to detect spam.

Probe Network
A network of email accounts provided by Symantec's Probe Network Partners. Used by Symantec Security Response for the detection of spam, the Probe Network has a statistical reach of over 300 million email addresses, and includes over 2 million probe accounts.

Probe Network Partners
ISPs or corporations that participate in the Probe Network.

protocol
A set of rules for encoding and decoding data so that messages can be exchanged between computers and so that each computer can fully understand the meaning of the messages. On the Internet, the exchange of information between different computers is made possible by the suite of protocols known as TCP/IP. Protocols can be stacked, meaning that one transmission can use two or more protocols. For example, an FTP session uses the FTP protocol to transfer files, the TCP protocol to manage connections, and the IP protocol to deliver data.

proxy
An application (or agent) that runs on the security gateway and acts as both a server and client, accepting connections from a client and making requests on behalf of the client to the destination server. There are many types of proxies, each used for specific purposes. See also gateway, proxy server.

proxy server
A server that acts on behalf of one or more other servers, usually for screening, firewall, or caching purposes, or a combination of these purposes. Also called a gateway. Typically, a proxy server is used within a company or enterprise to gather all Internet requests, forward them out to Internet servers, and then receive the responses and in turn forward them to the original requester within the company.

radio button
A click button used to select one of several options.

reject
An action that an MTA receiving an email message can take, which consists of using a 5xx SMTP response code to tell the sending MTA that the message is not accepted.

release
In Symantec Mail Security for SMTP, an action that end users or administrators can take on messages in the Spam Quarantine database. Releasing removes the message from the Spam Quarantine database and returns the message to the end user's inbox. See also Spam Quarantine.

replication
In Symantec Mail Security for SMTP, the process of duplicating configuration data from the Control Center to Scanners.

report
A formatted query that is generated from a database. Administrators can modify reports to create custom reports of specific event data.

reporting
The output generated by products and services that illustrates the information (sometimes the data) that is collected. This output can be in static or customized formats, text-based or text with graphical charts. See also report.

router
A device that helps local area networks (LANs) and wide area networks (WANs) achieve interoperability and connectivity.

Safe Senders
A list of IP addresses from which no outgoing email is spam, provided by Symantec based on data from the Probe Network. Part of the Sender Reputation Service, Safe Senders is a sender group in Symantec Mail Security for SMTP. You can specify actions to take on messages from each sender group.

Scanner
The component in Symantec Mail Security for SMTP that filters mail. Each site can have one or many Scanners. The configuration of each Scanner is managed via the Control Center.

security
The policies, practices, and procedures that are applied to information systems to ensure that the data and information held within or communicated along those systems is not vulnerable to inappropriate or unauthorized use, access, or modification, and that the networks used to store, process, or transmit information are kept operational and secure against unauthorized access. As the Internet becomes a more fundamental part of doing business, computer and information security are assuming more importance in corporate planning and policy.

sender group
A category of senders that Symantec Mail Security for SMTP manages using the Email Firewall feature. Sender groups can be based upon IP addresses, domains, third-party lists, or Symantec lists. You can configure the Email Firewall to take a variety of actions on messages from each group.

Sender ID
A set of standard practices for authenticating email. If the sender's domain owner participates in Sender ID, the recipient MTA can check for forged return addresses. Symantec Mail Security for SMTP allows you to specify an action for messages that fail Sender ID authentication.

Sender Reputation Service
A service that provides comprehensive reputation tracking, as part of Symantec Mail Security for SMTP. Symantec manages the following three lists as part of the Sender Reputation Service: Open Proxy Senders, Safe Senders, and Suspected Spammers. Each operates automatically and filters your messages using the same technology as Symantec's other filters.

server
A computer or software that provides services to other computers (known as clients) that request specific services. Common examples are Web servers and mail servers.

session
In communications, the time during which two computers maintain a connection and, usually, are engaged in transferring information.

signature
1. A state or pattern of activity that indicates a violation of policy, a vulnerable state, or an activity that may relate to an intrusion.
2. Logic in a product that detects a violation of policy, a vulnerable state, or an activity that may relate to an intrusion. This can also be referred to as a signature definition, an expression, a rule, a trigger, or signature logic.
3. Information about a signature, including attributes and descriptive text. This is more precisely referred to as signature data.

site
A collection of one or more computers hosting Symantec Mail Security for SMTP, in which exactly one computer hosts a Control Center, and one or more computers host Scanners. If the site consists of one computer, that computer includes both the Control Center and a Scanner.

SMTP (Simple Mail Transfer Protocol)
The protocol that allows email messages to be exchanged between mail servers. Clients then retrieve email, typically via the POP or IMAP protocol.

spam
1. Unsolicited commercial bulk email.
2. An email message identified as spam by Symantec Mail Security for SMTP, using its filters.

spam attack
A series of spam emails from a specific domain. Symantec Mail Security for SMTP allows you to choose an action to perform on these messages; by default, messages received from violating senders are deferred.

Spam Quarantine
A database that stores email messages separately from the normal message flow, and allows access to those messages. In Symantec Mail Security for SMTP, Spam Quarantine is located on the Control Center computer, and provides users with Web access to their spam messages. Users can browse, search, and delete their spam messages and can also redeliver misidentified messages to their inbox. An administrator account provides access to all quarantined messages. Spam Quarantine can also be configured for administrator-only access.

spam scoring
The process of grading messages when filtering for spam. Symantec Mail Security for SMTP assigns a spam score to each message that expresses the likelihood that the message is actually spam. See also suspected spam.

SSH (Secure Shell)
A program that allows a user to log on to another computer securely over a network by using encryption. SSH prevents third parties from intercepting or otherwise gaining access to information sent over the network.

SSL (Secure Sockets Layer)
A protocol that allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection, thus ensuring the secure transmission of information over the Internet. See also TLS.

SPF (Sender Policy Framework)
A set of standard practices for authenticating email. If the sender's domain owner participates in SPF, the recipient MTA can check for forged return addresses. Symantec Mail Security for SMTP allows you to specify an action for messages that fail SPF authentication.

spyware
Stand-alone programs that can secretly monitor system activity, detect passwords and other confidential information, and relay the information back to another computer.

subnet mask
Used to subdivide an assigned network address into additional subnetworks by using some of the unassigned bits to designate local network addresses. Subnet masking facilitates routing by identifying the network of the local host. The subnet mask is a required configuration parameter for an IP host. A local bit mask (set of flags) that specifies which bits of the IP address specify a particular IP network or a host within a subnetwork. Used to "mask" a portion of an IP address so that TCP/IP can determine whether any given IP address is on a local or remote network. Each computer configured with TCP/IP must have a subnet mask defined.

Suspected Spammers
A list of IP addresses from which virtually all of the outgoing email is spam, identified by Symantec based on data from the Probe Network. Part of the Sender Reputation Service, Suspected Spammers is a sender group within Symantec Mail Security for SMTP. You can specify actions to take on messages from each sender group.

Suspect Virus Quarantine
In Symantec Mail Security for SMTP, a database that temporarily holds messages suspected of containing viruses. Messages with suspicious attachments can be held in Suspect Virus Quarantine for a number of hours, then filtered again with updated filters, if available. This processing delay enables Symantec Mail Security for SMTP to deal more effectively with new virus threats as they emerge.

suspicious attachment
A message attachment that Symantec Mail Security for SMTP has determined may contain a virus. You can choose what action to take when a suspicious attachment is detected.

Symantec Outlook Spam Plug-in
An application that makes it easy for Outlook users to submit missed spam and false positives to Symantec. Depending on how you configure the plug-in, user submissions can also be sent automatically to a local system administrator. The Symantec Outlook Spam Plug-in also gives users the option to administer their own Allowed Senders List and Blocked Senders List, and to specify their own language identification settings. See also language identification.

Symantec Security Response
Symantec Security Response is a team of dedicated intrusion experts, security engineers, virus hunters, threat analysts, and global technical support teams that work in tandem to provide extensive coverage for enterprise businesses and consumers. Symantec Security Response also leverages sophisticated threat and early warning systems to provide customers with comprehensive, global, 24x7 Internet security expertise to proactively guard against today's blended Internet threats and complex security risks. Security Response covers the full range of security issues to provide complete protection for customers, including the following areas:
- Viruses, worms, Trojan horses, bots, and other malicious code
- Hackers
- Vulnerabilities
- Spyware, adware, and dialer programs
- Spam
- Phishing and other forms of Internet fraud
Security Response keeps Symantec and its customers ahead of attackers by forecasting the next generation of threats using its worldwide intelligence network and unmatched insight. The team delivers the bi-annual Internet Security Threat Report, which identifies critical trends and statistics for the entire security community, placing Symantec at the forefront of the rapidly shifting landscape. With the steadily increasing sophistication of today's threats, a holistic approach to defending your digital assets is the key to repelling attackers. With a unified team covering the full range of security issues, Symantec Security Response helps provide its customers with fully integrated protection as it combines the collective expertise of hundreds of security specialists to bring updates and security intelligence to the full range of Symantec's products and services. Symantec has research and response centers located around the world.

Symantec Spam Folder Agent for Domino
An application designed to work with Lotus Domino. Installed separately, the Symantec Spam Folder Agent for Domino creates a subfolder and a server-side filter in each user's mailbox. This filter is applied to messages that a Scanner identifies as spam, routing spam into each user's spam folder and relieving end users and administrators of the burden of using their mail clients to create filters. The Symantec Spam Folder Agent for Domino also allows users to submit missed spam and false positives to Symantec.

Symantec Spam Folder Agent for Exchange
An application designed to work on Microsoft Exchange Servers. Installed separately, the Symantec Spam Folder Agent for Exchange creates a subfolder and a server-side filter in each user's mailbox. The filter is applied to messages that a Scanner identifies as spam, routing spam into each user's spam folder and relieving end users and administrators of the burden of using their mail clients to create filters.

synchronize
To copy files between two folders on host and remote computers to make the folders identical to one another. Copying occurs in both directions. If there are two files with the same name, the file with the most current date and time is copied. Files are never deleted during the synchronization process.

SyncService
A feature of Symantec Mail Security for SMTP that provides automated synchronization between LDAP directory sources and Symantec Mail Security for SMTP. This feature enables alias expansion, facilitates application of filtering policies to users and groups, and provides enhanced performance.

TCP (Transmission Control Protocol)
The protocol in the suite of protocols known as TCP/IP that is responsible for breaking down messages into packets for transmission over a TCP/IP network such as the Internet. Upon arrival at the recipient computer, TCP is responsible for recombining the packets in the same order in which they were originally sent and for ensuring that no data from the message has been misplaced in the process of transmission.

TCP/IP (Transmission Control Protocol/Internet Protocol)
The suite of protocols that allows different computer platforms using different operating systems (such as Windows, MacOS, or UNIX) or different software applications to communicate. Although TCP and IP are two distinct protocols, each of which serves a specific communications purpose, the term TCP/IP is used to refer to a set of protocols, including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and many others. This set of protocols allows computers on the Internet to exchange different types of information using different applications.

threat
A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.

TLS (Transport Layer Security)
A protocol that provides communications privacy over the Internet by using symmetric cryptography with connection-specific keys and message integrity checks. TLS provides some improvements over SSL in security, reliability, interoperability, and extensibility. See also SSL.

toolbar
The various rows below the menu bar containing buttons for a commonly used subset of the commands that are available in the menus.

Transformation Engine
A component of a Symantec Mail Security for SMTP Scanner that performs actions on messages.

true file type recognition
A technology that identifies the actual type of a file, whether or not the file extension matches that type. In Symantec Mail Security for SMTP, you can specify filtering actions based on the true file type or true file class of a file, or you can filter based on the file name or extension.

unscannable
In Symantec Mail Security for SMTP, a message can be unscannable for viruses for a variety of reasons. For example, if it exceeds the maximum file size or maximum scan depth configured on the Scanning Settings page, or if it contains malformed MIME attachments, it may be unscannable. Compound messages, such as zip files that contain many nested levels, may exceed the maximum scan depth. You can configure how unscannable messages are processed.

virus
A piece of programming code inserted into other programming to cause some unexpected and, for the victim, usually undesirable event. Viruses can be transmitted by downloading programming from other sites or can be present on a diskette. The source of the file you are downloading or of a diskette you have received is often unaware of the virus. The virus lies dormant until circumstances cause the computer to execute its code. Some viruses are playful in intent and effect, but some can be harmful, erasing data or causing your hard disk to require reformatting.

virus attack
A series of virus-infected emails from a specific domain. Symantec Mail Security for SMTP allows you to choose an action to perform on these messages; by default, messages received from violating senders are deferred.

Web browser
A client program that uses the Hypertext Transfer Protocol (HTTP) to make requests of Web servers throughout the Internet on behalf of the browser user.

worm
A special type of virus. A worm does not attach itself to other programs like a traditional virus, but creates copies of itself, which create even more copies.

WWW (World Wide Web)
An application on the Internet that allows for the exchange of documents formatted in Hypertext Markup Language (HTML), which facilitates text, graphics, and layout. As the World Wide Web has grown in popularity, its capabilities have expanded to include the exchange of video, audio, animation, and other specialized documents. The World Wide Web is also a system of Internet servers that support specially formatted documents. Another important aspect of the World Wide Web is the inclusion of hypertext links that allow users to click links and quickly navigate to other related sites.

XML (Extensible Markup Language)
The common language of the Web that is used to exchange information.

251 Index

A
address masquerading 45
administrator: add, delete, edit 191; administrator-only Spam Quarantine access 128; message details page, Spam Quarantine 122; message list page, Spam Quarantine 119; rights of 191; search messages, Spam Quarantine 120, 123, 125; search messages, Virus Quarantine 145, 146, 147
advanced SMTP settings 25, 27
agents: Symantec Spam Folder Agent for Domino 218; Symantec Spam Folder Agent for Exchange 217, 218
alerts: conditions 155; configure settings 155
aliases: manage 48
aliases and distribution lists: configure 47; import 49; notification 130; notification, enable 133; separate notification templates 131; Spam Quarantine 130
Allowed Senders Lists: about 97; add, delete senders 100; disable, edit, enable senders 101; end user lists 79; end user lists, via Symantec Outlook Spam Plug-in 210; export data from 104; import data for 104; reasons to use 97
annotate messages 106
antispam filters: creating antispam policies 85; language-based 80; sender authentication 105; Spam Quarantine 117; verify filtering 151; verify filtering to Spam Quarantine 153
antivirus filters: create antivirus policies 83; Suspect Virus Quarantine 143; test 152
architectural overview 13
archive messages 109
attachment lists 110
attachments: determining your policy 84; use dictionaries to scan 58
attachments, Spam Quarantine 121
Audit ID 185
authentication, sender 105
automatic spam foldering, configure 217

B
backup, of log data 198
Blocked Senders Lists: about 97; add senders 100; delete senders 101; disable, edit, enable senders 101; end user lists 79; end user lists, via Symantec Outlook Spam Plug-in 210; export data from 104; import data for 104; reasons to use 97
Bloodhound 56
Brightmaillog.log 195

C
certificate: add, delete, view 18; assign for Control Center 17; assign TLS or HTTPS 19; assign to a Scanner 17, 19, 23, 24; configure settings 17; Control Center 42; delete 19; view 19
Certification Authority Signed certificate: add 18
checking software versions 188
Cleaner notification file: customization 231
conditions, in Content Compliance filters 88
container settings: configure 57
Content Compliance filters: create compliance policies 86; create conditions 88; create dictionaries 112; disable, enable 93; for all messages 89; guidelines for creating 86; language-based 52, 80; order 93; types of tests available 90; use Perl regular expressions in 91
Control Center 12: administer 193; assign certificate for 17; designate a certificate 42; error log, check 194; registration 192; start and stop 193
custom filter. See Content Compliance filters
customizing Cleaner notification file 231

D
data: backup log data 198; choose data to track in reports 172; data retention for reports 176
delivery: deliver messages to Spam Quarantine 126; misidentified message redelivery, Spam Quarantine 119, 122; misidentified message redelivery, Suspect Virus Quarantine 145; test delivery of legitimate mail 151; to user Spam folders 221; undeliverable quarantined messages 139; verify normal delivery 151
deployment, firewall policies 99
dictionaries, create 112
disk space maintenance 200
distribution lists. See aliases and distribution lists
does Not Match and Match tests 91
domains: add to Allowed Senders Lists 100; add to Blocked Senders Lists 100; import local domains 51; specify routing for local domains 50
double-byte character sets: configure the Control Center for 44
duplicate messages in Spam Quarantine 141

E
email addresses: add to Allowed Senders Lists 100; add to Blocked Senders Lists 100
email aliases. See aliases and distribution lists
email filtering 61
email firewall policies 93
end user experience, Symantec Outlook Spam Plug-in 210
end user settings 79
errors: the operation could not be performed 137; log file error, no Spam Quarantine disk space 139; Spam Quarantine, disk or work directory full 139; Spam Quarantine, graphics appear as gray rectangles 121; Spam Quarantine, very large spam messages 137

F
features 11, 201: discontinued from Symantec Mail Security for SMTP; name changes 204; new features 202; Symantec Brightmail Antispam, new or changed features from 205; Symantec Mail Security for SMTP, new or changed features 203
Filtering Engine 14
Filtering Hub 13
filters: assign filter policies to groups 75; attachment, lists 110; configure order 93; create filter policies 82; disable, enable, edit 93; categories for 61; for all messages 89; sender authentication 105; spam settings 51; test filtering 151; tests for matching, Content Compliance 91; verdicts 61; virus settings 54
firewall. See email firewall policies
firewall events 226
flow, of messages 13
foldering: configure 217; enable automatic spam foldering 221; enable Symantec Spam Folder Agent for Exchange 221; Symantec Spam Folder Agent for Domino 218; Symantec Spam Folder Agent for Exchange 217, 218
From headers, search in Spam Quarantine 124
From headers, search in Suspect Virus Quarantine 147
functional overview 12

G
global replication settings, configure 43
group policies: add 72; delete 82; delete member 74; disable, enable, edit 82; export members to file 75; import members from file 74; manage 81

H
headers: display full or brief, Spam Quarantine 123; search From headers in Spam Quarantine 124; search From headers in Suspect Virus Quarantine 147; search Message ID header in Spam Quarantine 124; search Subject headers in Spam Quarantine 124; search Subject headers in Suspect Virus Quarantine 147; search To headers in Spam Quarantine 124; search To headers in Suspect Virus Quarantine 147
help 14: configuring login help 128; specify custom Login help page 129
heuristics: spam score 52; virus scanning 56
host details, status 186
how Symantec Mail Security appliances work 12
HTML text: add to messages 107
HTTP proxies 21
HTTPS certificate assignment 19

I
invalid recipients, drop 56

K
key features 11

L
language identification: filter based on 52, 80; Symantec Outlook Spam Plug-in 52
LDAP: add LDAP server 29; cancel an LDAP synchronization cycle 36; configure settings 29; delete LDAP server 36; edit LDAP server 33; initiate an LDAP synchronization cycle 35; synchronization 187
license, add, manage, view 192
lists: Allowed Senders Lists 97; attachment lists 110; Blocked Senders Lists 97; configure aliases and distribution lists 47; delete senders from lists 101; import aliases and distribution lists 49; import Local Routes list 50; select Sender Reputation Service lists 105; separate notification templates for, Spam Quarantine 131
LiveUpdate: configure 54
local domains: configuring 50; import 51; specify routing for 50
local domains and email addresses: add, configure, delete 50
local replication, configure 43
Local Routes list: importing 50
log: back up 198
log backup 198
log in: help, configuration 128; problems 137; specify custom Login help page 129
logs: configure settings 159; configure settings for local hosts 160; configure settings for remote hosts 161; increase amount of information logged 195; Spam Quarantine error log, check 194; status, details 188; view 157

M
mail flow 13
maintenance: disk space 200; system 198
maintenance of the system, periodic 198
masquerading, address 45
matches exactly and does not match tests 91
message delivery. See delivery
message filters. See filters
Message ID 124, 185
message queue information 183
messages: add HTML text 107; add plain text 107; annotate 106; archive 109; configure misidentified message submissions 129; configure Spam Quarantine message and size thresholds 136; configure Spam Quarantine message retention period 135; delete Spam Quarantine messages 119; delete Suspect Virus Quarantine messages 145; delete unresolved setting 135; drop invalid recipients 56; duplicate Spam Quarantine messages 141; maximum allowed, Spam Quarantine 141; message navigation in Spam Quarantine 120, 122; message navigation in Suspect Virus Quarantine 145; redeliver misidentified, Spam Quarantine 119, 122; search Message ID header in Spam Quarantine 124; search messages in Spam Quarantine 120, 123; search messages in Suspect Virus Quarantine 145, 146; sent to postmaster mailbox, display 139; sorting in Spam Quarantine 119; sorting in Suspect Virus Quarantine 144; view 119, 144
MySQL: backup 198

N
network, firewall policy considerations 99
non-default virus definitions: install 55
notification files: change file character set 232; contents 233; edit messages 232; modify 231
notification, Spam Quarantine: change frequency of 131; choose format 134; configuring digests 130; edit template, subject, address 133; for distribution lists, aliases 130
notifications 114

O
Open Proxy Senders: enable 105
Outlook Plug-in. See Symantec Outlook Spam Plug-in
overview: architectural 13; functional 12
overview of system information 182

P
periodic system maintenance 198
Perl, use in Content Compliance policies 91
plain text: add to messages 107
policies: add group policy 72; compliance policies, assign to groups 78; compliance policies, create 86; delete group policy 82; delete group policy member 74; disable group policies 82; edit group policy 81; email firewall 93; enable group policy 82; export group members to file 75; filter policies, assign to groups 75; filter policies, create 82; import group policy members from file 74; language-based 52, 80; notifications 114; sender authentication 105; spam policies, assign to groups 77; spam policies, create 85; virus policies, assign to groups 75; virus policies, create 83
policy resources 106
ports, SMTP configuration, Spam Quarantine 136
postmaster mailbox, display messages 139
processed message details, status 182
proxy: add information 21; edit settings 21
proxy settings, add or edit 21

Q
queue: details, status 183; tailor information on 183

R
Rapid Response. See LiveUpdate
recipients, drop invalid ones 56
redeliver misidentified messages, Spam Quarantine 119, 122
registration 192: Scanners, Control Center 192
regular expressions, use in Content Compliance policies 91
replication: check status of 39; configure settings 20; enable 42; immediate 188; resolve errors 40; schedule 42; status information 38
reports 163: choose data to track 172; configure report data retention period 173; data retention 176; delete 180; edit scheduled reports 179; pre-set attack reports available 170; pre-set compliance reports available 168; pre-set message reports available 164; pre-set Sender Authentication reports available 170; pre-set SMTP connection reports available 171; pre-set Spam Quarantine reports available 171; pre-set spam reports available 167; pre-set virus reports available 166; print 177; run 173; save 178; schedule 178; size limit 177; time shown 176; troubleshoot report generation 175; types of pre-set reports available 164
Reputation Lists: enable 105
Reputation Service: configure 105; select lists 105
restore: Spam Quarantine tables 200; Suspect Virus Quarantine tables 200
retention: configure report data retention period 173; configure Spam Quarantine message retention period 135; data retention for report information, default 176
routing: specify for local domains 50

S
Safe Senders: enable 105
Scanners 12: assign certificates for 17, 19, 23, 24; delete 190, 191; disable, enable 189; edit, alternative method 189; modify SMTP settings for 22; registration 192; replication 188; test 28
scenarios, configuration 210
scheduled reports 178: delete 180; edit 179
search: details, Spam Quarantine 125; details, Suspect Virus Quarantine 147; From headers in Spam Quarantine 124; From headers in Suspect Virus Quarantine 147; Message ID header in Spam Quarantine 124; messages in Spam Quarantine 120, 123; messages in Suspect Virus Quarantine 145, 146; Spam Quarantine, using multiple characteristics 123; Spam Quarantine, using time range 125; Subject headers in Spam Quarantine 124; Subject headers in Suspect Virus Quarantine 147; Suspect Virus Quarantine, using multiple characteristics 146; Suspect Virus Quarantine, using time range 147; To headers in Spam Quarantine 124; To headers in Suspect Virus Quarantine 147
self-signed certificate, add 18
sender authentication 105
Sender Reputation Service 105: configure 105; customize 105; select lists 105
senders: delete from lists 101; disable, enable 101; edit senders in lists 101; export data from senders lists 104; how identified, details 98; identifying senders, methods for 98; import sender information 102; reasons to use blocked senders 97
settings: end user 79; spam 51
SMTP: advanced parameter configuration 27; port for SMTP email, Spam Quarantine 136; Scanner settings for 22
SMTP host 44
software acceleration 53
software licenses, manage 192
software requirements, Symantec Outlook Spam Plug-in 212
software versions, checking 188
spam filters: configure spam settings 51; creating antispam policies 85; language-based 52, 80; sender authentication 105; Spam Quarantine 117; verify filtering 151; verify filtering to Spam Quarantine 153
spam foldering, enable 221
Spam Quarantine 117: access 118; administer 193; administrator-only access 128; aliases and distribution lists 130; attachments 121; check new messages 118; delete messages 119; deliver messages to Spam Quarantine 126; differences between administrator and user message list pages 121; differences between administrator and user message pages 123; differences between administrator and user search pages 126; duplicate messages 141; error log, check 194; Expunger 135; login help page, customize 129; maximum number of messages 141; message details page 122; message list page 119; message navigation 120, 122; message redelivery 119, 122; message retention period 135; message sorting 119; notification 130; port for SMTP configuration 136; redeliver misidentified messages 119, 122; search messages 120, 123, 125; size and message thresholds, configure 136; start and stop 193; tables, restore 200; tables, saving 199; templates 131; troubleshooting 137; undeliverable messages 139
spam score: set 52
SSIM. See also Symantec Security Information Manager 223
status: host information 186; LDAP synchronization 187; log information 188; overview information 182; processed message information 182; queue information 183; Scanner replication 188
subdomain expansion 99
subject headers, search in Spam Quarantine 124
subject headers, search in Suspect Virus Quarantine 147
subject line modification, test 152
submissions: configure recipients for misidentified messages 129; redeliver misidentified messages 119, 122, 145
Suspect Virus Quarantine 143: access 143; administer 193; delete messages 145; message navigation 145; message redelivery 145; message sorting 144; search messages 145, 146, 147; tables, restore 200; tables, saving 200
suspected spam: configure 52
Suspected Spammers: enable 105
suspicious attachments: determining your policy 84
Symantec Outlook Spam Plug-in: administrator setup 212; configuration 213; end user experience 210; installation 210; language identification 52; software requirements 212; Symantec menu items 211
Symantec Security Information Manager: about 223; administration events 228; data source, configuring 225; definition update events 226; events 224; firewall events 226; message events 227
Symantec Security Information Manager (SSIM): integrating with 223
Symantec Spam Folder Agent for Domino: configure 218; distribute end-user help 220; enable 221; install 218; uninstalling 221
Symantec Spam Folder Agent for Exchange: configure 217; enable 221; install 217
synchronization: LDAP 187; status information 36; synchronize less than 1,000 directory entries before next scheduled update 187; troubleshooting procedure 39; verify completion of 39
system: log details 188
system administrator. See administrator
system locale 44
system maintenance 198

T
tests: anti-virus filtering 152; delivery of legitimate mail 151; for matching in Content Compliance filters 91; Scanners 28; spam filtering 151; spam filtering to Spam Quarantine 153; Subject line modification 152
third-party lists: add to Allowed Senders List 100; add to Blocked Senders List 100
thresholds, set Spam Quarantine message and size 136
time: search Spam Quarantine using Time Range 125; search Suspect Virus Quarantine using Time Range 147; shown on reports 176
TLS certificate assignment 19
To headers, search in Spam Quarantine 124
To headers, search in Suspect Virus Quarantine 147
totals information 182
Transformation Engine 13
troubleshoot: replication 39; Spam Quarantine 137; status message 40; synchronization 39

U
undeliverable Spam Quarantine messages 139
unresolved setting: configure delete 128; configure Spam Quarantine Expunger 135
update virus filters 54

V
verdicts 61: filtering actions available 64
version, how to check 188
virus definitions: non-default 55
virus filters: configure virus settings 54; create virus policies 83; LiveUpdate 54; Suspect Virus Quarantine 143; virus 54
virus scanning: exclude files from 55; general settings 56

Z
zip bombs. See container settings