Version 6.0 SurfControl Filter for SMTP

Transcription

1 Version 6.0 SurfControl Filter for SMTP Administrator's Guide

2 Notices NOTICES Copyright 2007 SurfControl plc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner. SurfControl is a registered trademark, and SurfControl and the SurfControl logo are trademarks of SurfControl plc. All other trademarks are property of their respective owners. RSA MD5 by RSA Data Security (Open Source) Portions of this product contain or are derived from: MD5C.C RSA Data Security, Inc., MD5 message-digest algorithm. MDDRIVER.C test driver for MD2, MD4 and MD5 Copyright , RSA Data Security, Inc. Created All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. The Apache Software License, Version 1.1 Copyright (c) 2000 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation ( Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear. 4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org. 5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. SurfControl Filter for SMTP Administrator s Guide i

3 Notices THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The Apache Software License, Version 2.0 This product includes the Xerces-C software developed by the Apache Software Foundation ( Copyright 2004 The Apache Software Foundation. All Rights Reserved. The following LICENSE file terms are associated with the XERCES-C-SRC_2_6_0 code of Filter for SMTP Apache License Version 2.0, January TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. ii Administrator s Guide SurfControl Filter for SMTP

4 Notices 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. SurfControl Filter for SMTP Administrator s Guide iii

5 Notices 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. OpenSSL This product includes software developed by the OpenSSL project. Use of the OpenSSL is governed by the OpenSSL license: Copyright The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. ( 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( iv Administrator s Guide SurfControl Filter for SMTP

6 Notices THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). SSLeay Copyright Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape s SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. That is, this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] SurfControl Filter for SMTP Administrator s Guide v

7 Notices OddButton Copyright Paolo Messina and Jerzy Kaczorowski The contents of this file are subject to the Artistic License (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License at: THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. You can download a copy of the unmodified code from ICU License - ICU and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) International Business Machines Corporation and others. All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. August 2007 vi Administrator s Guide SurfControl Filter for SMTP

8 Comments on this Guide? COMMENTS ON THIS GUIDE? You can view updated documentation and support information at Was this guide helpful? us at to suggest changes or make a correction. TECHNICAL SUPPORT For the latest support information on SurfControl products, visit You can find the following information on the Technical Support Web pages: Read the Top Issues This page has a quick list that covers the most common support issues encountered with SurfControl products. Search our Knowledge Base Our constantly updated Knowledge Base contains articles, FAQs and glossary items to answer your questions about all SurfControl products. If your question or problem cannot be answered by the Top Issues or is not in the Knowledge Base, complete an On-line Support Request Form. Telephone Support numbers If you would like to speak with a Technical Support Representative, our excellent SurfControl Technical Support is just a phone call away. SURFCONTROL SALES For product and pricing information, or to place an order, contact SurfControl. To find your nearest SurfControl office, please visit our Web site. SurfControl Filter for SMTP Administrator s Guide vii

9 SurfControl Sales viii Administrator s Guide SurfControl Filter for SMTP

10 TABLE OF CONTENTS Notices... i Comments on this Guide?...vii Technical Support...vii SurfControl Sales...vii INTRODUCTION In This Chapter... 2 About SurfControl Filter Filter Reporting... 2 New Features in Version FINDING YOUR WAY AROUND FILTER In This Chapter... 6 How Filter Works Filter Services Filter Components Filter Additional Components... 9 Opening Filter Components...10 From the Start Menu...10 System Tray Icon Right-Click Menu...11 Opening Filter Components From Within Other Components...12 SETTING UP FILTER In This Chapter...14 Connecting to a Different Filter Server...14 Adding an Filter Server...14 Editing Server Details...15 Selecting an Server...16 Disconnecting From an Filter Server...16 Opening Server Configuration...17 Configuration Workflow...18 Configuring the Receive Service...19 Receive Service - General Settings...20 SMTP Properties...21 Connections...23 ESMTP Commands...24 SurfControl Filter for SMTP Administrator s Guide ix

11 Configuring Connection Management...26 Protected Domains...27 Mail Relays...31 Blacklist...38 Reverse DNS Lookup...43 Reputation/DNS Blacklist...46 Directory Harvest Detection...49 Denial of Service (DoS) Detection...53 Remote User Authentication...56 SPF Check...58 Configuring the Rules Service...59 Rules Service - General Settings...60 Rules Service Configuration...62 Queue Management...64 Configuring the Send Service...71 Send Service - General Settings...71 SMTP Properties...73 Connections...74 Routing...76 Smart Host Routing...83 Requeuing...87 Configuring the Administration Service...89 Administration Settings - General...89 Configuring Administrators...91 Certificate Management...96 Configuration Complete...99 Backing Up Your Server Configuration...99 THE MONITOR In This Chapter Opening the Monitor Parts of the Monitor Window Service Panels The Server Status Panels Queue Statistics and Status Bar QueueView Opening QueueView QueueView Window Re-Sending Queued or Dead Messages Deleting a Queued or Dead THE RULES ADMINISTRATOR In This Chapter Opening the Rules Administrator Rules Administrator Window Rules Panel Rules Object Panel How Filter Uses Rules x Administrator s Guide SurfControl Filter for SMTP

12 Rules Objects Building a Rule Connecting Rules Objects Creating Rules Deleting a Rule Positioning of Rules Moving Rules Pre-defined Rules The Rule Configuration Wizard Editing Pre-defined Rules Rule Groups Creating a Rule Group Moving a Rule into a Group Working with Groups of Rules Exporting Rules Importing Rules Configuring the Rules Administrator Configuring Dictionary Scanning Configuring Password Protected Archives Configuring Document Decomposition Configuring HTML Parsing RULES OBJECTS In This Chapter Who Objects From Users and Groups Object Inbound/Outbound Mail Object To Users and Groups Object Retrieving User Information From a Data Source Configuring an LDAP Connection Testing the LDAP Connection What Objects Anti-Spam Agent Object Anti-Virus Malware Scanning (AVMS) Object Dictionary Threshold Object External Program PlugIn Object File Attachment Object Illegal MIME Format Object Internet Threat Database Object LexiMatch Object Loop Detection Object Message Size Object Number of Recipients Object Third-party Virus Scanning Object Virtual Image Agent Object The Virtual Learning Agent Object When Object SurfControl Filter for SMTP Administrator s Guide xi

13 Operations Objects Save Copy Object Compress Attachments Object Footers and Banners Object Header Modification Object HTML Stripper Routing Object Strip Attachments Object Notify Objects Blind Copy Object Notification Object Actions Objects Allow Message Object Delay Message Object Discard Message Object Isolate Message Object MESSAGE ADMINISTRATOR In This Chapter Opening the Message Administrator The Message Administrator Window Configuring Message Administrator Opening Message Administrator Options General Tab Messages Tab File Types Tab HTML Viewer Tab Columns Tab Using Message Administrator Message Search Panel Queues Panel Logs Panel Message List Panel Message Parts Panel Message Contents Panel Working with Queues The Queues Toolbar Viewing Properties Analyzing s Forwarding a Copy of the Selected Replying to the Sender of an Submitting an to the Anti-Spam Agent Database Releasing s Moving s Saving Copies of s Deleting s Deleting All s From a Queue Working with Queues on Multiple Servers Working with Logs xii Administrator s Guide SurfControl Filter for SMTP

14 Using Queues and Logs with Multiple Servers DICTIONARY MANAGEMENT In This Chapter Opening Dictionary Management The Dictionary Management Window Adding a Dictionary Adding Words or Phrases to a Dictionary Editing Dictionary Words Deleting Words from a Dictionary Deleting a Dictionary Importing Dictionaries Importing a SurfControl Dictionary Pack Importing a Unicode Text File Exporting Dictionaries Exporting a Dictionary as a Dictionary Pack Exporting a Dictionary as a Unicode File SCHEDULER In This Chapter Opening the Scheduler Scheduler Window Scheduled Events Options for Scheduled Events Scheduling Anti-Spam Agent Updates Scheduling Anti-Virus Agent Updates Scheduling Anti-Virus Malware Scanning Updates Scheduling Database Management Tasks Purging a Database Archiving a Database Shrinking a Database Scheduling Internet Threat Database Updates Scheduling Queue Synchronization REMOTE ADMINISTRATION In This Chapter Administration Client Web Administrator Opening Web Administrator Message Administrator Sorting s Moving, Releasing and Deleting s Viewing the Properties of Individual s Analyzing s SurfControl Filter for SMTP Administrator s Guide xiii

15 Dictionary Management Adding a Dictionary Adding Words or Phrases to a Dictionary Viewing Logs PERFORMANCE MONITORING In This Chapter Windows Performance Monitoring VIRTUAL LEARNING AGENT In This Chapter Workflow Before You Begin Opening the VLA Training Wizard VLA Tutorial Training File Keywords VLA Accuracy Counter Category Trivial Words DATABASE TOOLS In This Chapter Opening Database Tools Configuration Database Management Backing Up the Configuration Database Restoring the Configuration Database Log Database Management Creating a New Log Database Archiving the Log Database Restoring an Archived Log Database Deleting a Log Database Truncating the Log Database Transaction Log SQL User Management Creating a New SQL User Account Changing the Password on a SQL User Account Deleting a SQL/MSDE Account Managing Database Authentication APPENDIX A Anti-Spam Agent Categories and Criteria Core/Liability Categories Productivity Categories xiv Administrator s Guide SurfControl Filter for SMTP

16 APPENDIX B Supported File Types Where File Types are Referenced Document Decomposition APPENDIX C Anti-Virus Return Codes APPENDIX D Editing Autoreply.txt APPENDIX E Reporting Using the STEMLog Database MessageDetails Relationships ReceiveLog and DeniedConnection Relationships SendLog Relationships PolicyLog Relationships AuditLog Relationships IsolatedMessage Relationships AuditMessage Relationships SystemLog Relationships INDEX SurfControl Filter for SMTP Administrator s Guide xv

17 xvi Administrator s Guide SurfControl Filter for SMTP

18 1 Introduction In This Chapter page 2 About SurfControl Filter page 2 New Features in Version page 3

19 1 INTRODUCTION In This Chapter IN THIS CHAPTER This chapter introduces SurfControl Filter and its features. ABOUT SURFCONTROL FILTER SurfControl Filter is a server-based software solution that enables you to implement an Acceptable Use Policy (AUP) for within your organization by: 1 Scanning the content, sender, destination, attachments and size of all s to and from the Internet. 2 Applying rules that you have established to support your AUP. For further information about developing an AUP, visit SurfControl Filter comprises the following core components: Monitor The Monitor shows the progress of s through SurfControl Filter in real time, and also server status and the number of s in each queue. Rules Administrator Use the Rules Administrator to set up rules to meet the needs of your AUP. Configuring rules requires careful planning initially, but is then easy to set up and apply. If an triggers a rule, Filter uses the actions specified in the rule to delay, discard or isolate the . Delayed or isolated s are placed in dedicated queue folders. If an does not trigger a rule, it is placed in a folder for delivery to its destination. Message Administrator Use the Message Administrator to review, manage and analyze s that have been placed in queue folders, and view logs of Filter activity. Filter also contains additional components that enhance the capabilities of the Filter core components. For more information, see Filter Additional Components on page 9. FILTER REPORTING You can also create reports for Filter v6.0 data by using SurfControl Report Central (SRC). See the SurfControl Report Central v2.6 Administrator s Guide for details of Filter v6.0 reports. 2 Administrator s Guide SurfControl Filter for SMTP

20 INTRODUCTION New Features in Version NEW FEATURES IN VERSION 6.0 Table 1-1 describe the advances in functionality that version 6.0 delivers. Table 1-1 New features in version 6.0 Feature Multiple Anti-Virus Scanning Rules Object Zero-Hour Virus Protection Document Decomposition Image Spam Filtering Reputation Service Compliance Dictionaries Identification of True Source IP Address Support for VMWare Support for 64-bit Operating Systems Description The new Multiple Anti-Virus Scanning rules object in the Rules Administrator enables you to use multiple supplied anti-virus scanners within a rule to protect your network from viruses contained in s. This latest version of SurfControl Filter includes new Zero-Hour Virus Protection technology, protecting your network from viruses as they emerge. This enhances the existing feature by enabling you to decompose a greatly enhanced set of documents, including Microsoft Office You can now block s that contain spam text within attached images. Incoming s are automatically checked against SurfControl s on-line Reputation service. This determines whether a sender s IP address can be trusted. New compliance dictionaries and associated default rules, including HIPAA, GLBA and Personal Identifiers, will help you to manage regulatory compliance and good corporate governance. Organisations choosing to deploy SurfControl Filter behind a firewall can now take full advantage of Filter's Connection Management. The original source IP address of the inbound connection can now be identified, allowing all Filter users to benefit from this highly effective protection layer, including the additional security offered by the new SurfControl Reputation Service. This latest release of SurfControl Filter will be supported on a VMware platform, offering greater deployment flexibility and reduced total cost of ownership of security infrastructure. SurfControl Filter 6.0 is now supported on the 64-bit version of Windows Server 2003, giving customers greater flexibility and choice of platforms. SurfControl Filter for SMTP Administrator s Guide 3

21 1 INTRODUCTION New Features in Version Administrator s Guide SurfControl Filter for SMTP

22 2 Finding Your Way Around Filter In This Chapter page 6 How Filter Works page 7 Filter Services page 8 Filter Components page 9 Opening Filter Components page 10

23 2 FINDING YOUR WAY AROUND FILTER In This Chapter IN THIS CHAPTER This chapter explains how SurfControl Filter works, and the basics of navigating around the product. 6 Administrator s Guide SurfControl Filter for SMTP

24 FINDING YOUR WAY AROUND FILTER How Filter Works 2 HOW FILTER WORKS Figure 2-1 shows how an is processed by Filter. Figure 2-1 The filtering process SurfControl Filter for SMTP Administrator s Guide 7

25 2 FINDING YOUR WAY AROUND FILTER Filter Services FILTER SERVICES SurfControl Filter s functionality is managed by four software services: Receive service Rules service Send service Administration service. Figure 2-2 shows how the services fit together. Figure 2-2 Flow of through Filter services You can stop or start any of the services see System Tray Icon Right-Click Menu on page Administrator s Guide SurfControl Filter for SMTP

26 FINDING YOUR WAY AROUND FILTER Filter Components 2 FILTER COMPONENTS There are three core components in Filter that you will use to manage . Table 2-1 Filter core components Component Description Find out more Monitor Rules Administrator Message Administrator The Monitor shows the progress of s through SurfControl Filter in real time. Use the Rules Administrator to set up rules to meet the needs of your Acceptable Use Policy (AUP). Use Message Administrator to review, manage and analyze s that have been placed in queues, and view logs of Filter activity. You can also search for inbound and/or outbound s within supplied, selectable date ranges, or your own custom date range. The Monitor on page 101 The Rules Administrator on page 113 and Rules Objects on page 143 Message Administrator on page FILTER ADDITIONAL COMPONENTS Filter also contains the following additional components, which enhance the capabilities of the Filter core components. Table 2-2 Filter additional components Component Description Find out more QueueView Dictionary Management Use QueueView to display information about s that are queued, pending or dead. You can use dictionaries in rules to detect particular types of content in s, for example, adult, offensive, and so on. Use the Dictionary Management component to configure the supplied dictionaries or create and configure your own dictionaries. QueueView on page 107 Dictionary Management on page 255 SurfControl Filter for SMTP Administrator s Guide 9

27 2 FINDING YOUR WAY AROUND FILTER Opening Filter Components Table 2-2 Filter additional components (Continued) Component Description Find out more Scheduler Web Administrator Virtual Learning Agent (VLA) Use the Scheduler to automate tasks such as: Anti-Spam Agent, Internet Threat Database, Anti-Virus Agent and Anti- Virus Malware Scanning updates. Database Maintenance Queue Synchronization The Web Administrator component enables you to access the following Filter functions from a remote computer: Message Administrator Dictionary Management View logs. The VLA enables you to train Filter to identify specific types of content in s, for example, confidential information that is specific to your organization. Scheduler on page 273 Web Administrator on page 300 Virtual Learning Agent on page 317 OPENING FILTER COMPONENTS You can open Filter components from: The Start menu The system tray right-click menu Within other open components. FROM THE START MENU To open Filter from the Start menu, select Start > All Programs > SurfControl Filter and then select the component. 10 Administrator s Guide SurfControl Filter for SMTP

28 FINDING YOUR WAY AROUND FILTER Opening Filter Components 2 Figure 2-3 Opening Filter from the Start menu SYSTEM TRAY ICON RIGHT-CLICK MENU When Filter is running, the following icon is displayed in the system tray. Right-click the icon to display the following menu. You can use this menu to open Filter components, configure the server, and stop and start the services. Figure 2-4 Filter icon right-click menu SurfControl Filter for SMTP Administrator s Guide 11

29 2 FINDING YOUR WAY AROUND FILTER Opening Filter Components OPENING FILTER COMPONENTS FROM WITHIN OTHER COMPONENTS When you open one Filter component, you can open some other components from within that component. If you are able to open another component, its icon is shown on the toolbar of the open component. Table 2-3 Filter component icons Component Icon Dictionary Management Message Administrator Monitor Queue View Rules Administrator Scheduler Virtual Learning Agent (VLA) Web Administrator 12 Administrator s Guide SurfControl Filter for SMTP

30 3 Setting Up Filter In This Chapter page 14 Connecting to a Different Filter Server page 14 Opening Server Configuration page 17 Configuration Workflow page 18 Configuring the Receive Service page 19 Configuring Connection Management page 26 Configuring the Rules Service page 59 Configuring the Send Service page 71 Configuring the Administration Service page 89 Configuration Complete page 99

31 3 SETTING UP FILTER In This Chapter IN THIS CHAPTER This chapter explains how to connect to SurfControl Filter, and how to configure Connection Management, the Receive, Rules, Send and Administration services so that is filtered correctly. CONNECTING TO A DIFFERENT FILTER SERVER If you have more than one server running Filter, you can select the server that the Monitor connects to. For example, you can view the activity taking place on server A using an installation of Filter on server B. Server B can be running either a full installation or just the Filter Administration Client. You can manage your Filter server connections from any of the following Filter components: Monitor Message Administrator Rules Administrator Dictionary Management. ADDING AN FILTER SERVER To monitor activity taking place on another server, you need to add its connection details to the list of available servers. To add a new server to the list: 1 From any of the Filter components, select File > Select Server > Add New The Add a New Server dialog box is displayed. 14 Administrator s Guide SurfControl Filter for SMTP

32 SETTING UP FILTER Connecting to a Different Filter Server 3 2 In the Server Name: field, enter or browse to the name of the server whose traffic you want to monitor. 3 Enter the user name and password for accessing the server. 4 Enter the connection port for the mail server you want to add. This is the port used by the Administration Service. 5 Click OK to confirm your changes. Filter will automatically try to monitor activity on the server that you have added. If it fails to do this, check that you have entered the server details correctly. EDITING SERVER DETAILS You can change the details of a mail server that you have added to the list. To edit server details: 1 From any of the Filter components, select File > Select Server > Edit The Select Server dialog box is displayed. 2 Select the server to edit, and then click OK. The Edit Server dialog box is displayed. SurfControl Filter for SMTP Administrator s Guide 15

33 3 SETTING UP FILTER Connecting to a Different Filter Server 3 Change the details as needed, and then click OK. Note: You cannot change the server name. SELECTING AN SERVER When you add an server, it is displayed on the Select Server drop-down menu. To select a server: 1 From any of the Filter components, select File > Select Server. The available servers are displayed on the Select Server menu. The current server is marked. 2 Select the server to connect to. If the connection fails, check that the server details are correct. DISCONNECTING FROM AN FILTER SERVER To disconnect from the server you are currently connected to, select File > Disconnect from Server activity on that server will no longer be displayed in Filter. 16 Administrator s Guide SurfControl Filter for SMTP

34 SETTING UP FILTER Opening Server Configuration 3 OPENING SERVER CONFIGURATION To open the Server Configuration console, open the Monitor, and then select File > Server Configuration Alternative: On the Monitor toolbar, click. Figure 3-1 Server Configuration console typical Each function controls a group of Server Configuration settings When you select a function, the settings display in the right-hand panel of the console. SurfControl Filter for SMTP Administrator s Guide 17

35 3 SETTING UP FILTER Configuration Workflow CONFIGURATION WORKFLOW To set up Filter correctly, you need to configure each of the services. Some of the services have more than one group of configuration settings in a series of dialog boxes. Table 3-1 details the functions in the Server Configuration console, and where to find out more information about each function. Table 3-1 Configuration tasks Service Function Find out more Receive service General Settings page 20 SMTP Properties page 21 Connections page 23 ESMTP Commands page 24 Connection Management Protected Domains page 27 Mail Relays page 31 Blacklist page 38 Reverse DNS Lookup page 43 Reputation/DNS Blacklist page 46 Directory Harvest Detection page 49 Denial of Service Detection page 53 Remote User Authentication page 56 SPF Check page 58 Rules service General settings page 60 Configuration page 62 Queue Management page Administrator s Guide SurfControl Filter for SMTP

36 SETTING UP FILTER Configuring the Receive Service 3 Table 3-1 Configuration tasks (Continued) Service Function Find out more Send service General Settings page 71 SMTP Properties page 73 Connections page 74 Routing page 76 Smart Host Routing page 83 Requeuing scheme page 87 Administration Properties page 89 Configuration page 91 Certificate Management page 96 CONFIGURING THE RECEIVE SERVICE The Receive service accepts SMTP traffic on port 25 and checks each against a series of Connection Management criteria. If the passes these checks, Filter accepts the and passes it to the Rules service for further processing. It is important to configure the Receive service correctly to keep your system running efficiently and securely, and to maintain the flow of legitimate . The Receive service has general settings and these functions: SMTP Properties Connections ESMTP Commands. SurfControl Filter for SMTP Administrator s Guide 19

37 3 SETTING UP FILTER Configuring the Receive Service RECEIVE SERVICE - GENERAL SETTINGS In the Service Configuration dialog box navigation panel, select Receive Service. The Receive Service dialog box is displayed in the right-hand panel. Figure 3-2 shows a typical Receive Service dialog box. Figure 3-2 Receive service general settings Received Mail Drop-off Folder When an has passed the Connection Management checks, Filter accepts the and deposits it in the Received mail drop-off folder (the \In folder). The default path is: C:\Program Files\SurfControl Filter\In You can enter a different path, or click Browse... to select another location. Enabling Administrator Alerts You can select to notify the administrator if a set number of s in the \In folder is reached. When the limit is reached, an entry is logged in the Windows Event Viewer (Control Panel > Administrative Tools > Event Viewer > Application). To be alerted automatically about this event, you can use a third-party application, such as EventSentry Light. 20 Administrator s Guide SurfControl Filter for SMTP

38 SETTING UP FILTER Configuring the Receive Service 3 Logging The Logging options control where details of s handled by the Receive service are recorded. Select one or more check boxes for the required type of logging. Table 3-2 describes the logging options. Table 3-2 Logging options Logging option Real-time console System log Connection log/receive log What it does Details of inbound s are displayed in the Receive panel of the Monitor. For more information about the Monitor consoles, see Service Panels on page 103. System events related to inbound mail, such as the sending of notification s are displayed in the System log in Message Administrator. See Working with Logs on page 253. Information about connections from the host servers to Filter and s that have been received by Receive service. This information is displayed in the Connection log and Receive log in Message Administrator. See Working with Logs on page 253. SMTP PROPERTIES The SMTP properties affect how Filter receives incoming for filtering. Figure 3-3 shows a typical SMTP Properties dialog box. Figure 3-3 SMTP Properties dialog box SurfControl Filter for SMTP Administrator s Guide 21

39 3 SETTING UP FILTER Configuring the Receive Service Table 3-3 describes the options for SMTP Properties. Table 3-3 SMTP Properties settings Field Receive Service SMTP Port Enable Secure SMTP over SSL (SMTPS) Computer Name SMTP greeting text Description The port used by Filter to receive SMTP traffic. This is displayed in the Receive Service SMTP Port. You can change the port by entering a different port number here. Select this to secure the entire SMTP conversation, that is, from connection to receiving the , through secure connection over SSL (Secure Socket Layer). Default (recommended) port = 465 If this is selected and an SMTP port specified, the sending mail clients must send s that are encrypted using SSL. You can specify which computer name the Receive service uses in its greeting when it receives a connection: Windows Computer Name The Receive service will use the fully-qualified primary domain name of the computer where Filter is installed. Specify Computer Name The Receive service will use the computer name you specify. You can use any commonly accepted form of host name, for example the domain name or the IP address. By default Filter will use the Windows Computer Name. The SMTP greeting is the greeting which is sent to a remote computer when it initiates a connection by sending a HELO or EHLO command. By default, the SMTP greeting is: 220 [server name].[domain name] If this text is added, the SMTP greeting consists of the default text plus any additions. You can use the SMTP greeting text to communicate your organization s policy on how that mail server can be used. For example if you do not allow the mail server to be used as a relay host you can warn mail clients not to try to relay mail through your server. To change greeting, click Customize. The Customize Greeting Text dialog box is displayed. Note: You cannot delete or edit the default greeting text. When a HELO or an EHLO command is received, all the text visible in the box will be sent as a greeting. 22 Administrator s Guide SurfControl Filter for SMTP

40 SETTING UP FILTER Configuring the Receive Service 3 CONNECTIONS The Connections settings affect how many connections the Receive service can accept, and how much incoming s it can process at any one time. It is important to set these limits at appropriate levels for your system s capacity; network performance can be reduced if too many connections are accepted. Figure 3-4 shows a typical Connections dialog box. Figure 3-4 Connections dialog box Table 3-4 describes the connections that you can limit. Select the check boxes of the limits you want to set. If a check box is cleared, Filter does not limit the number of connections. Table 3-4 Connection options Option Description Default Maximum Connection Settings Maximum active inbound connections Limit maximum connections for each trusted IP address The total number of incoming connections that Filter will accept at any one time. Limit the number of connections Filter will accept from the IP addresses on the Trusted IPs List. See Mail Relays on page 31. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections SurfControl Filter for SMTP Administrator s Guide 23

41 3 SETTING UP FILTER Configuring the Receive Service Table 3-4 Connection options (Continued) Option Description Default Maximum Limit maximum connections for each non-trusted IP address Idle connection timeout Data Size Limit maximum message size Limit maximum data per connection SMTP Options Limit maximum messages per connection Limit the number of connections from IP addresses not on the trusted IP addresses list. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections. The number of seconds the receive service will wait to receive data before terminating the connection. Limit the size (in MB) of inbound s that Filter will accept. Limit the total amount (in MB) of data that Filter will accept in a single connection. Limit the total number of s that Filter will accept in a single connection MB MB ESMTP COMMANDS The ESMTP Commands options enable you to select the ESMTP commands to be used by the Receive service in the response to the SMTP EHLO command. Figure 3-5 shows a typical ESMTP Commands dialog box. 24 Administrator s Guide SurfControl Filter for SMTP

42 SETTING UP FILTER Configuring the Receive Service 3 Figure 3-5 Receive service - ESMTP Commands dialog box Table 3-5 describes the ESMTP commands that are available. Select the check boxes of the commands to be used. Table 3-5 ESMTP options Setting What it does Authentication Options Enable AUTH-LOGIN Enable AUTH-PLAIN Enable AUTH-CRAM-MDS To enable or disable the ESMTP AUTH-LOGIN function. To enable or disable the ESMTP AUTH-PLAIN function. To enable or disable the ESMTP AUTH-CRAM-MDS function. These functions are used by remote users. To add details of remote users, see Remote User Authentication on page 56. Transmission Optimizations Enable PIPELINING Enable CHUNKING Provides the ability to send a stream of commands without having to wait for a response after each command. This improves the speed of transmissions. The size of each SMTP data chunk is sent with the data. This means that the SMTP host does not have to scan continuously for the end of the data. This improves the speed of transmissions. SurfControl Filter for SMTP Administrator s Guide 25

43 3 SETTING UP FILTER Configuring Connection Management Table 3-5 ESMTP options (Continued) Setting What it does Secure SMTP over TLS Enable STARTTLS To enable a secure SMTP connection over Transport Layer Security (TLS). CONFIGURING CONNECTION MANAGEMENT You can add an extra layer of protection against unwanted s by setting up Connection Management. This means you can automatically drop connections from untrustworthy sources and control incoming before s are filtered. Connection Management has these functions: Protected Domains Mail Relays Blacklist Reverse DNS Lookup Reputation/DNS Blacklist Directory Harvest detection Denial of Service detection Remote user authentication SPF Check. 26 Administrator s Guide SurfControl Filter for SMTP

44 SETTING UP FILTER Configuring Connection Management 3 PROTECTED DOMAINS Note: There must always be at least one domain in the Protected Domains list. Use Protected Domains to identify the domains for which is to be filtered, and for which Filter will accept . When you installed Filter, you entered the primary domain name, but if your network has more than one domain, for example mycompany.co.uk and mycompany.com, you must enter the other domains so that they can send and receive . Caution: Do not add the protected domain to the blacklist. SurfControl Filter does not check the Protected Domains list for duplicate entries on the Blacklist. If protected domains are added to the Blacklist, s to the protected domain will be rejected. Adding Protected Domains To add a protected domain: 1 In the Server Configuration console, select Connection Management > Protected Domains The Protected Domains dialog box is displayed. SurfControl Filter for SMTP Administrator s Guide 27

45 3 SETTING UP FILTER Configuring Connection Management 2 Click Add The Protected Domain Properties dialog box is displayed. 3 In the Domain name: field enter the name of the domain you want Filter to accept for, for example mycompany.co.uk The Administrator address: field is completed automatically as Postmaster@ the domain you specify. For example, Postmaster@mycompany.co.uk You can edit this address for example, you could change it to admin@mycompany.co.uk 4 Click OK. Editing a Protected Domain To edit a protected domain: 1 In the Protected Domains dialog box, select the domain to change. 2 Click Edit The Protected Domain Properties dialog box is displayed. 3 Change the domain name and/or the administrator s address as needed. 4 Click OK. 28 Administrator s Guide SurfControl Filter for SMTP

46 SETTING UP FILTER Configuring Connection Management 3 Deleting a Protected Domain You can also delete a domain from the protected domain list so that Filter will no longer accept for that domain. To delete a protected domain: 1 In the Protected Domains dialog box, select the domain to change. 2 Click Delete. You will be asked to confirm your choice. 3 Click OK. The domain is removed from the list and Filter does not accept for that domain. Anti-Spoofing Sometimes spammers use a technique called spoofing to fake their From: address so that their s appear to be from a protected domain. By default SurfControl Filter will block these s. Filter can examine and authenticate the IP address of all incoming mail, and reject s that cannot be authenticated. If you do not enable this function, s from the protected domain will be accepted, without examining the From: address. If your organization includes users who send mail from the protected domain from an unlisted IP address, for example dial-up users, you should set up SurfControl Filter to authenticate addresses using Receive Service Remote User Authentication. This will allow legitimate mail from these users to get through, while still denying s from fraudulent addresses. See Remote User Authentication on page 56 for information about how to set up remote users. Caution: Disabling Anti-Spoofing makes it possible for spammers to send spoofed s into your organization. By default, Anti-Spoofing is enabled. SurfControl recommend that you keep it enabled. Anti-Relay Protection Spammers may attempt to relay s through your mail server using old-style routing techniques. These routing techniques are not commonly used any more but may still be recognized by your mail server. SurfControl Filter can detect various routing relay techniques and deny s that have been forwarded or routed using one of the routing methods in Table 3-6. Table 3-6 Routing relay techniques Relay method Bang routing Quoted routing Example domain2!domain1!user@domain.com SurfControl Filter for SMTP Administrator s Guide 29

47 3 SETTING UP FILTER Configuring Connection Management Table 3-6 Routing relay techniques (Continued) Relay method Source routing Percent hack routing Example If you do not deny Source routing, SurfControl Filter will strip any additional routing information from the incoming , so an from would be delivered as To change the Anti-Spoof/Anti-Relay settings: 1 In the Server Configuration console, select Connection Management > Protected Domains 30 Administrator s Guide SurfControl Filter for SMTP

48 SETTING UP FILTER Configuring Connection Management 3 2 Click Advanced The Anti-Spoof settings dialog box is displayed. 3 By default, all anti-spoofing and anti-relay protection options are enabled. To disable an option, clear the check box. SurfControl recommends you keep all options selected to protect your system. 4 Click OK. MAIL RELAYS Mail Relays are IP addresses of mail servers that are allowed to send to and/or from the protected domain. You should include details of all the mail servers for which you want to filter . The purpose of this list is to identify: The IP addresses of the protected domains. The IP addresses of any other nodes that need to access the protected domains from outside the network. When you add or edit a Mail Relay, you need to specify what can be relayed through that server by choosing a relay type, and also whether received from this IP address must be through an encrypted connection. You can select from the following options. Table 3-7 Relay options Option Trusted mail relay Outbound Description To identify the connection as trusted. Connection management is not applied to trusted mail relays. The mail server can send only to IP addresses outside the protected domain. Message sender: must be in the protected domain Message recipient: must be outside the protected domain SurfControl Filter for SMTP Administrator s Guide 31

49 3 SETTING UP FILTER Configuring Connection Management Table 3-7 Relay options Option Inbound Outbound and inbound Open relay received from this IP address must be via an encrypted connection Description The mail server can send only to IP addresses inside the protected domain. Message sender: must be outside the protected domain Message recipient: must be inside the protected domain. The mail server is allowed to send to any IP addresses (other than blacklisted ones). Message sender: can be inside or outside the protected domain. Message recipient: can be inside or outside the protected domain. One of these, either the sender or the recipient, must be inside the protected domain. The mail server is allowed to send to any other domain (including blacklisted domains) without any relay restrictions. Filter will accept any from the supplied IP address regardless of the domain name. Caution: Use with caution. Default = Cleared If selected, the sending mail server from this relay must send encrypted s to the Receive service using STARTTLS. If the mail server does not support TLS, the connection is dropped. Note: If selected, this overrides the Enable STARTTLS option in the ESMTP Commands dialog box. See ESMTP Commands on page 24. To specify that Filter will accept only from the mail relays in the list, select the Deny connections from all IP addresses not listed below check box. 32 Administrator s Guide SurfControl Filter for SMTP

50 SETTING UP FILTER Configuring Connection Management 3 Adding a Mail Relay To add a mail relay, you must: Define the direct mail relays These are the mail relays that communicate directly with Filter by using SMTP both inside and outside the network perimeter. Define the outlying mail relays These are the mail relays that exist within the network perimeter, but do not communicate directly with Filter by using SMTP. These relays cannot be marked as trusted, but are treated as such when determining True Source IP. Defining Direct Mail Relays. To define direct mail relays: 1 In the Server Configuration console, select Connection Management > Mail Relays > Direct tab 2 Click Add to open the Connected Mail Relay Properties dialog box. SurfControl Filter for SMTP Administrator s Guide 33

51 3 SETTING UP FILTER Configuring Connection Management 3 Enter the IP address or a range of IP addresses of the mail servers for which you want to be filtered. If you enter a range of IP addresses, it must be in Classless Inter-Domain Routing (CIDR) format. For example, for a 24-bit mask, enter /24, not You can also enter a description for the mail relay. This name is shown in the hostname field of the logging database (LogDB) and is very useful for identifying the mail server in reports. 5 Select a relay type and whether the should be through an encrypted connection. See Table 3-7 on page 31 for more information. 6 Click OK. Note: You cannot enter the same IP address twice. If you enter an IP address that is already on the list you will see the following error message Duplicate entry, please try again. Defining Outlying Mail Relays. To define outlying mail relays: 1 In the Server Configuration console, select Connection Management > Mail Relays > Outlying tab 2 Click Add to open the Outlying Mail Relay Properties dialog box. 34 Administrator s Guide SurfControl Filter for SMTP

52 SETTING UP FILTER Configuring Connection Management 3 3 Enter the IP address or a range of IP addresses of the mail servers for which you want to be filtered. If you enter a range of IP addresses, it must be in Classless Inter-Domain Routing (CIDR) format. For example, for a 24-bit mask, enter /24, not You can also enter a description for the mail relay. This name is shown in the hostname field of the logging database (LogDB) and is very useful for identifying the mail server in reports. 5 Click OK. Note: You cannot enter the same IP address twice. If you enter an IP address that is already on the list you will see the following error message Duplicate entry, please try again. Importing Mail Relays When you import an IP address or range of addresses for mail relays, the data in the file must have the following format: <ip address range>;<description>;<type>;<encrypted>[;<untrusted>] IP address range This can be a single IP address or a range of IPs in CIDR format. Description This description cannot contain a semicolon (;) Type A number that represents the type of connection: Valid Direct connection types 0 = Outbound 1 = Inbound 2 = Outbound/Inbound 3 = Open Valid Outlying connection type 4 = Outlying Encrypted Yes or no Untrusted For a trusted connection you can leave this field empty, or enter no. For an untrusted connection you must enter yes. SurfControl Filter for SMTP Administrator s Guide 35

53 3 SETTING UP FILTER Configuring Connection Management Examples of correct formats: ;inbound;1;yes;yes ;outbound;0;yes ;open relay; 3; no ;outlying;4;yes /24;outbound/inbound;2;yes To import the details of mail relays: 1 In the Server Configuration console, select Connection Management > Mail Relays 2 Select either the Direct tab or the Outlying tab. 3 Click Import. 4 Select the text (.txt) file, and then click Open. The entries are added to the list. Editing a Mail Relay To edit the details of a mail relay: 1 In the Server Configuration console, select Connection Management > Mail Relays 2 Select the IP address to edit. 3 Click Edit to open the Edit Relay Source dialog box. 4 Change the options needed. 5 Click OK. Deleting a Mail Relay To delete a mail relay: 1 In the Server Configuration console, select Connection Management > Mail Relays 2 Select the IP address to delete. 3 Click Delete. 4 You will be asked to confirm your choice. Click Yes to delete the IP address. 36 Administrator s Guide SurfControl Filter for SMTP

54 SETTING UP FILTER Configuring Connection Management 3 Receive Service Status Messages When a mail client attempts to connect to Filter, a status message is displayed in the Receive panel of the Monitor. Table 3-8 describes some common status messages and examples. Table 3-8 Receive service status messages Message The sender must be from a protected domain as its IP is in the Trusted Outbound list. The recipient must not be to a protected domain as the sender s IP is in the Trusted Outbound list. The sender must not be from a protected domain as the sender s IP is in the Trusted Inbound list. The recipient must be to a protected domain as the sender s IP is in the trusted Inbound list. Connection rejected deny connection for unknown [n.n.n.n] (sender in Deny Connection list). Description The mail client s IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the sender is not in the protected domain. The mail client s IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the recipient is inside the protected domain. The mail client s IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender is inside the protected domain, or is spoofed to appear to be from inside the protected domain. The mail client s IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender has attempted to send an to an IP address outside the protected domain. The IP address has been added to the Trusted IP list with a setting of Denied. The mail client is prohibited from making a connection to the Receive service. SurfControl Filter for SMTP Administrator s Guide 37

55 3 SETTING UP FILTER Configuring Connection Management BLACKLIST If there are domains, addresses or IP addresses from which you do not want to receive s, you can add them to the Blacklist. This is an important step in preventing unwanted content because: The Receive service will reject the before the content is transferred to your mail server. No hard disk space is wasted storing unwanted s. Fewer s have to be processed by the Rules service, which conserves system resources. To add an item to the Blacklist: 1 In the Server Configuration console, select Connection Management > Blacklist 2 Click Add 3 The Add/Edit deny list entry dialog box is displayed. Note: The text boxes are limited to 255 characters. 38 Administrator s Guide SurfControl Filter for SMTP

56 SETTING UP FILTER Configuring Connection Management 3 4 Enter the domain, address or IP address to be blacklisted. In the Comment field you can enter a brief description of the item, or an explanation of why it is blacklisted. You can blacklist an entire range of IP addresses by entering only the first three number sets in the IP address. For example: To blacklist all IPs from to , you could add to the Blacklist. Note: You cannot blacklist a partial range of numbers, for example IPs from Click OK. The blacklisted item is displayed in the list. When an has been added to the Blacklist, an Update Now message is displayed in the Monitor. If you click Yes, a status message Receive service configuration reloaded is displayed in the Receive panel of the Monitor. The Receive service will reject any mail client trying to send an from any of the set domains, addresses or IP addresses, unless the mail client s IP is added to the Trusted IP list with a setting of Open Relay. Caution: Do not add the protected domain to the Blacklist, or s to the protected domain will be rejected. SurfControl Filter for SMTP Administrator s Guide 39

57 3 SETTING UP FILTER Configuring Connection Management If you have added a domain to the Blacklist, but want filter to accept from individuals within that domain, you can exclude individuals from the Blacklist. For example, if your organization was pursuing a grievance with another organization, you might want to block all from that organization except for their legal department. Note: You can also Blacklist an IP address using the Trusted IPs (Relay Sources) list with a setting of Denied. See Mail Relays on page 31. Excluding an Item from the Blacklist To exclude an item from the Blacklist: 1 In the Server Configuration console, select Connection Management > Blacklist 2 Click Exclude 3 The Exclusions from the Blacklist dialog box is displayed. 40 Administrator s Guide SurfControl Filter for SMTP

58 SETTING UP FILTER Configuring Connection Management 3 4 Click Add The SMTP List Entry dialog box is displayed. 5 Enter the address to exclude from the Blacklist. You can specify that the address is for a Sender, Receiver, or Both. Note: The address must have fewer than 255 characters. 6 Click OK. Editing an Item on the Exclude List To edit an item on the Exclude list: 1 In the Server Configuration console, select Connection Management > Blacklist 2 Click Exclude. The Exclusions from the Blacklist dialog box is displayed. 3 Select the item to edit, and then click Edit The SMTP List Entry dialog box is displayed. 4 Make your changes to the item, and then click OK. Deleting an Item from the Exclude List To delete an item from the Exclude list: 1 In the Server Configuration console, select Connection Management > Blacklist 2 Click Exclude. The Exclusions from the Blacklist dialog box is displayed. 3 Click Delete. You will be asked to confirm your choice. 4 Click Yes to delete the item. Filter will no longer accept from this domain, address or IP address. SurfControl Filter for SMTP Administrator s Guide 41

59 3 SETTING UP FILTER Configuring Connection Management Importing a Blacklist If there are a large number of domains, addresses or IP addresses that you want to blacklist or exclude, you can create a text file containing all the items, and import it into Filter. The text file can contain the items to blacklist, and the items to be excluded from the Blacklist. To import a blacklist 1 Create a new.txt file using any text editor. 2 In the.txt file, enter the domains, addresses or IP addresses to be blacklisted. Each item on the list must follow this format: type;domain, address or IP address;comment Each item on the list must begin on a new line. If you do not want to add a comment, leave a blank after the final semicolon. type is a numerical code to identify whether the item is a domain, an address or an IP address: 0 = domain 1 = address 2 = address to be excluded from the Blacklist 3 = IP address. Example blacklist entries are: 0;yahoo.co.uk;internet mail 1;mailinglist.org.uk; known spammer 2;legitimat @mailinglist.org.uk; legitimate newsletter 3 When you have finished editing the file, save it to any location that is accessible to the server where Filter is installed. However, saving it within the SurfControl Filter folder will save time, as the import facility automatically looks there first. 4 In the Server Configuration console, select Connection Management > Blacklist 5 Select Import. 6 Select your saved blacklist file, and then click Open. If the blacklist file has been imported successfully, a confirmation message is displayed, and the blacklisted domains, addresses and/or IP addresses are displayed in the list. If the file does not import successfully, check that each entry has the correct syntax. 42 Administrator s Guide SurfControl Filter for SMTP

60 SETTING UP FILTER Configuring Connection Management 3 REVERSE DNS LOOKUP The Receive service can check that an is from a legitimate source by verifying that the domain name specified by the sending mail client in the HELO/EHLO greeting matches the domain name in its DNS record: 1 When a mail client requests a connection to the Receive service, the Receive service performs a reverse DNS lookup on that client s IP address to receive its PTR record. Note: The default timeout is usually 3 seconds. 2 If the PTR record does not exist, or if the DNS record doesn t match the host name specified in the HELO/EHLO command, the Receive service will terminate the connection at the MAIL FROM command, unless the sending mail client authenticates itself. If a mismatch is detected, there are three actions that Filter can take. Table 3-9 describes each action. Table 3-9 Reverse DNS Lookup actions Action Log Only Deny if no DNS record found Deny if DNS record fails to match HELO string. What it does The mismatch of domain names is displayed in the Receive service panel of the Monitor, but the Receive service will accept the connection and continue to process the . If the Receive service cannot find a DNS record that corresponds to the IP address of the sending mail server, and the sending mail client fails to authenticate itself, the connection will be terminated at the MAIL FROM command. If the domain name in the DNS record does not match the one in the HELO/EHLO command the Receive service will terminate the connection at the MAIL FROM command, unless the sending mail client authenticates itself. SurfControl Filter for SMTP Administrator s Guide 43

61 3 SETTING UP FILTER Configuring Connection Management Enabling Reverse DNS Lookup By default, Reverse DNS Lookup is not enabled: 1 In the Server Configuration console, select Connection Management > Reverse DNS Lookup 2 Select Enable Client Name DNS lookup. 3 Select an option for the Filter action if the domain names in the HELO string and the DNS record do not match. Excluding a Mail Server from Reverse DNS Lookup It is an RFC recommendation, but not a requirement that the HELO/EHLO command contains the fullyqualified domain name (FQDN) of the sending mail client. If you have chosen to deny the connection, you may find that legitimate is blocked because the sending mail client does not use the FQDN in its HELO/EHLO command. To avoid blocking legitimate you should either: Select only to log the mismatch Exclude any known legitimate servers which may have a mismatched DNS/HELO string. To exclude a mail server from Reverse DNS Lookup: 44 Administrator s Guide SurfControl Filter for SMTP

62 SETTING UP FILTER Configuring Connection Management 3 1 In the Server Configuration console, select Connection Management > Reverse DNS Lookup 2 Click Exclude 3 The Exclusion from Client DNS Lookup dialog box is displayed. 4 Click Add... 5 The SMTP List Entry dialog box is displayed. 6 Enter the IP address you want to exclude from Reverse DNS Lookup. 7 Click OK. SurfControl Filter for SMTP Administrator s Guide 45

63 3 SETTING UP FILTER Configuring Connection Management REPUTATION/DNS BLACKLIST Filter can check an sender s True Source IP address against a list of known spammers held on one or more DNS Blacklist servers. You need to know the domain name of the DNS Blacklist server. You can also check the IP addresses against SurfControl s own on-line Reputation service, which also contains a list of known spammers. Note: You must have a valid Anti-Spam Agent (ASA) license to continue to use the SurfControl Reputation service after the 30-day trial license expires. Checking IP Addresses Against DNS Blacklist Servers To check a sender s True Source IP address against one or more DNS Blacklist servers: 1 In the Server Configuration console, select Connection Management > Reputation/DNS Blacklist 2 Select Check IP addresses against Reputation/DNS Blacklist. 3 To add a DNS Blacklist server, click Add The SMTP List Entry dialog box is displayed. 46 Administrator s Guide SurfControl Filter for SMTP

64 SETTING UP FILTER Configuring Connection Management 3 4 Enter the domain name of the DNS Blacklist server to use. 5 Click OK. The server is displayed in the DNS Blacklist Servers: list. Checking IP Addresses Against the SurfControl Reputation Service To use this service, make sure that the Activate SurfControl Reputation Service check box is selected. This enables checks against the Reputation service. You can also edit the SurfControl Reputation Server address by clicking Edit. The Reputation Service Customer ID dialog box is displayed. Click Edit Server..., and then edit the address. Caution: Do not click Regenerate... unless specifically instructed by SurfControl Technical Support. Actions for Reputation/DNS Blacklist Checking In the Reputation/DNS Blacklist screen, select how you want Filter to deal with a connection from a sender s IP address that is contained on a DNS blacklist or the on-line SurfControl Reputation service: Log Only The information that the connection came from a sender on the Reputation/DNS Blacklist server is recorded in the Connection log and displayed in the Monitor. Deny connection The connection is dropped and from that sender is rejected. Excluding Mail Servers from Reputation/DNS Blacklist Server Checking A legitimate organization can sometimes be wrongly placed on a Reputation/DNS Blacklist server, for example if its domain name has been used by a spammer to send spoofed . You can exclude legitimate IP addresses from Reputation/DNS Blacklist server lookups, so that Filter will accept from those sources. If any you receive is mission-critical, you should make sure the sender s IP address is excluded from being checked against a DNS blacklist or the SurfControl Reputation service. SurfControl Filter for SMTP Administrator s Guide 47

65 3 SETTING UP FILTER Configuring Connection Management To exclude a mail server from Reputation/DNS Blacklist server lookups: 1 In the Server Configuration console, select Connection Management > Reputation/DNS Blacklist 2 Select Exclude The Exclusions dialog box is displayed. 3 Click Add the SMTP List Entry dialog box is displayed. 4 Enter the IP address to exclude from being checked against DNS Blacklist or Reputation servers. If you have set up Reverse DNS Lookup for a domain, you can enter that domain. Filter will then accept connections from this source. 5 Click OK. 48 Administrator s Guide SurfControl Filter for SMTP

66 SETTING UP FILTER Configuring Connection Management 3 DIRECTORY HARVEST DETECTION Spammers use a variety of methods to mine your organization for valid addresses. If they succeed it can not only cause an increase in spam, but also slow down the delivery of legitimate . A common technique is to flood a mail server with a large number of s using fabricated addresses. Those addresses that are not immediately rejected by your mail server are assumed to be valid addresses and are added to the spammer s database knowing that to these addresses will be received. Note: If you restart the Receive service, these counts are reset to zero. Filter can detect when a server is trying to send large numbers of s for the purposes of directory harvesting, by keeping a count of: the number of invalid addresses or domains per connection the number of invalid addresses or domains from each IP address per hour. You can configure the Receive service to terminate a connection when these counts reach a maximum. Directory Harvest Detection (DHD) uses LDAP to check the validity of addresses and domains. Domain Substitution You can use Domain Substitution if your recipient address could be in one of several domains but your LDAPserver is only configured with the primary domain. This feature enables you to configure a list of alternative domains so that if an alternative domain is in the Recipient field and LDAP is enabled, the LDAP lookup uses the primary domain for the lookup. Example: jane.mann@myco.com = primary domain jane.mann@myco_uk.com = alternative domain jane.mann@myco_us.com = alternative domain This feature is used so that s to the alternative domains do not trigger the DHD feature. When LDAP is enabled, the information is also used in the From Users and Groups Object (see page 145) and the To Users and Groups Object (see page 149) for lookups of the To address. SurfControl Filter for SMTP Administrator s Guide 49

67 3 SETTING UP FILTER Configuring Connection Management Enabling Directory Harvest Detection To enable Directory Harvest Detection: 1 In the Server Configuration console, select Connection Management > Directory Harvest Detection 2 Select Enable Directory Harvest Detection. 3 Click LDAP to configure and manage your LDAP servers and connections. The LDAP Connections dialog box is displayed. You can configure one or more LDAP connections. 4 If there are no connections in the list, or if you want to add more connections, click Add 50 Administrator s Guide SurfControl Filter for SMTP

68 SETTING UP FILTER Configuring Connection Management 3 5 The Add LDAP Connection dialog box is displayed. 6 Enter a name for the LDAP connection. Each LDAP connection must have a unique name. 7 In the Server Name: field, enter the name of the LDAP server that you want to connect to. 8 To make it compulsory that Filter uses a username and password to log on to the LDAP server, select Log on to the server and enter the user name and password to be used by Filter. 9 To specify additional information about the LDAP server, click the Advanced tab. 10 In the LDAP Port number: field, enter the LDAP port number. Default = To use a secure connection (SSL) to connect to the LDAP server, select Use Secure Connection. 12 Select search base details for users and/or groups. The information for LDAP users and groups is not stored on the SurfControl Filter server; it is requested from the LDAP server as necessary. Therefore specifying a Search Base makes the connection more efficient for locating specific users or groups. 13 In the Search timeout (seconds): text box, enter the amount of time that Filter will search for users and groups before timing out. Default = 120 seconds. SurfControl Filter for SMTP Administrator s Guide 51

69 3 SETTING UP FILTER Configuring Connection Management 14 In the Maximum number of search results: text box, enter the maximum number of users and groups to be included. 15 Click OK. Enabling Domain Substitution You can only use this after you have enabled DHD. To enable domain substitution: 1 Select Enable Domain Substitution Check. 2 Click Domain Substitution, and then click Add. 3 Enter the domain, and then click OK. 4 Add or edit more domains as needed, and then click OK to return to the Server Configuration screen. Exluding Legitimate Addresses or Domains To exclude one or more legitimate addresses or domains: 1 Click Exclude. The Exclusion from LDAP Lookup dialog box is displayed. 52 Administrator s Guide SurfControl Filter for SMTP

70 SETTING UP FILTER Configuring Connection Management 3 2 If the address or domain is not in the list, click Add. The SMTP List Entry dialog box is displayed. 3 Enter the address or domain, and then click OK. The address or domain is added to the list in the Exclusion from LDAP Lookup dialog box. DENIAL OF SERVICE (DOS) DETECTION Note: An incomplete SMTP session occurs when a connection is made but no is received. A Denial of Service (DoS) attack attempts to stop a network from functioning by flooding it with useless traffic or using up network resources. DoS attacks can take many forms; a well known example is the Ping of Death, which attempts to disrupt network traffic by repeatedly sending packets of data that exceed the standard length. Filter can detect when servers are trying to launch a DoS attack by monitoring the number of incomplete SMTP sessions per hour. If you restart the Receive service, this count is reset to zero. SurfControl Filter for SMTP Administrator s Guide 53

71 3 SETTING UP FILTER Configuring Connection Management To set up protection against DoS attacks: 1 In the Server Configuration console, select Connection Management > Denial of Service Detection 2 Select Enable Denial of Service detection. 3 Specify how many incomplete SMTP sessions Filter will accept per IP address per hour. Default = 30 4 Specify the action that Filter should take if a single IP address attempts more than the specified incomplete SMTP sessions per hour. You can: Log only Logs the DoS attack in the System Log and the Monitor. Deny any further connections from that IP address for a specified number of hours. Default =24 hours 54 Administrator s Guide SurfControl Filter for SMTP

72 SETTING UP FILTER Configuring Connection Management 3 Exluding Legitimate Addresses or Domains To exclude one or more legitimate IP addresses: 1 Click Exclude. The Exclusions from Denial of Service Detection dialog box is displayed. 2 If the IP address is not in the list, click Add. The SMTP List Entry dialog box is displayed. 3 Enter the IP address, and then click OK. The address or domain is added to the list in the Exclusion from LDAP Lookup dialog box. SurfControl Filter for SMTP Administrator s Guide 55

73 3 SETTING UP FILTER Configuring Connection Management REMOTE USER AUTHENTICATION Use this to configure the access of users who need to connect to your mail server from outside the protected domain, for example, home workers using a dial-up connection. To enable remote user authentication: 1 In the Server Configuration console, select Connection Management > Remote User Authentication 2 Click Add The User Authentication Information dialog box is displayed. 3 Enter the remote user a user name and password. The remote user will need to supply these details when they attempt to log on to Filter. 4 Click OK. The user name is displayed in the right-hand panel of the Remote User Authentication screen. 56 Administrator s Guide SurfControl Filter for SMTP

74 SETTING UP FILTER Configuring Connection Management 3 Importing a List of Remote Users If you have large numbers of remote users to configure, you can create a list as a text file and import it into Filter. To import a list of remote users: 1 Create a new.txt file using any text editor. 2 In the text file, list the remote users. Each item on the list must follow the following syntax: SEFAUTH;user name;password<cr><lf> For example: SEFAUTH;Rachel;abcd1234<CR><LF> SEFAUTH;Barney;xyz987<CR><LF> SEFAUTH;Homer;a1b2c3d4<CR><LF> SEFAUTH;Marge;z9y8x7<CR><LF> 3 Save the file to any location that is accessible to the server where Filter is installed. However, saving the file within the SurfControl Filter folder saves time, as the import facility automatically looks in this folder first. 4 In the Server Configuration console, select Connection Management > Remote User Authentication 5 Click Import 6 Select the file to import. 7 Select your saved list of users, and then click Open. 8 If your file is imported successfully, a confirmation message is displayed, and the remote users are displayed in the right-hand panel. If your file does not import successfully, check that all the items on the list have the correct syntax. SurfControl Filter for SMTP Administrator s Guide 57

75 3 SETTING UP FILTER Configuring Connection Management SPF CHECK Sender Policy Framework (SPF) verifies a sender s address, targets spam, and fights returnpath address forgery, which makes it easier to identify spoofs. An SPF check determines if a client or mail server is authorized to send s with a given mail from identity. To set up SPF checking: 1 In the Server Configuration console, select Connection Management > SPF Check 2 Select Perform SPF checking against sender, and then select an option for the connections that this check applies to. for all connections for all connections except when Connection Management uses True Source IP If you have set up mail relays to use True Source IP (see Adding a Mail Relay on page 33), you can use this option to remove SPF checking against senders using those mail relays. 3 Select the conditions that are needed to reject s from senders. Note: Some options might block legitimate mail servers. You should exclude these legitimate servers from the SPF check. 4 To exclude legitimate servers from the SPF check, click Exclude. 58 Administrator s Guide SurfControl Filter for SMTP

76 SETTING UP FILTER Configuring the Rules Service 3 5 The Exclusion from SPF check dialog box is displayed. 6 If the IP address of the legitimate server is not in the list, click Add. The Excluded servers list entry dialog box is displayed. 7 Enter the IP address of the server, and then click OK. CONFIGURING THE RULES SERVICE SurfControl Filter works by checking s against the rules you specify, to enforce your Acceptable Use Policy (AUP). The Rules Service controls how s are checked and processed. The Rules Service has general settings and these functions: Configuration Queue Management. SurfControl Filter for SMTP Administrator s Guide 59

77 3 SETTING UP FILTER Configuring the Rules Service RULES SERVICE - GENERAL SETTINGS The Rules Service general settings affect the folders used by the Rules service to access, hold and act upon s, and how the actions of the service are logged. Figure 3-6 shows a typical Rules Service dialog box. Figure 3-6 Rules Service - General Settings dialog box 60 Administrator s Guide SurfControl Filter for SMTP

78 SETTING UP FILTER Configuring the Rules Service 3 Rules Service Folders There are three folders used by the Rules service to pick up, store and act upon . Caution: The path of the rules mail pickup folder must be exactly the same as the received mail dropoff folder. Table 3-10 Rules service folders Folder Function Default path Rules mail pick-up folder (\In folder) Work folder Processed mail dropoff folder (\Out folder) The Rules service monitors this folder for incoming . s are held in this folder while they are being checked against the rules. If an has been checked against the rules and allowed to proceed, it is placed in the Processed mail dropoff folder. If it has been delayed or isolated it is placed in the folder specified by the rule it triggered. C:\Program Files\SurfControl Filter\In C:\Program Files\SurfControl Filter\Work C:\Program Files\SurfControl Filter\Out You can edit the path of these folders or browse to another location. Enabling Administrator Alerts You can select to notify the administrator if a set number of pending s in the \Out folder is reached. When the limit is reached, an entry is logged in the Windows Event Viewer (Control Panel > Administrative Tools > Event Viewer > Application). To be alerted automatically about this event, you can use a third-party application, such as EventSentry Light. SurfControl Filter for SMTP Administrator s Guide 61

79 3 SETTING UP FILTER Configuring the Rules Service Logging Options The Rules service logging options control how the actions of the Rules service are recorded and where they are displayed. Table 3-11 Rules service logging options Logging option Real-time console What happens when enabled The actions of the Rules service are displayed in the real-time console: For more information about the Real-time console, see Service Panels on page 103. System Log The status of the Rules service is displayed in the System Log in Message Administrator. For example, if you add and activate a new rule, a message is displayed, indicating that the rules configuration has been reloaded: For more information about the System log, see Working with Logs on page 253. RULES SERVICE CONFIGURATION Figure 3-7 shows a typical Rules Service - Configuration dialog box. Figure 3-7 Rules Service - Configuration dialog box 62 Administrator s Guide SurfControl Filter for SMTP

80 SETTING UP FILTER Configuring the Rules Service 3 Number of Rules Processing Threads Specify the number of s that the Rules service can process at any one time. Default = 4 Maximum = 16. Caution: If there are too many rules threads for your system to handle with its available memory, Filter will not function. Each extra thread you add requires approximately 16 MB of memory above the minimum system requirement of 512 MB RAM. Corrupted s If an has been corrupted, the Rules service may not be able to check it against the enabled rules. You can specify how Filter acts in the event that an becomes corrupted. Table 3-12 Handling corrupted s Action Release corrupted messages Move corrupted messages to folder Copy to folder and send corrupted message What happens The corrupted is not checked by the Rules service, and is sent directly to its recipient. A copy of the is left in the \In folder. The corrupted is moved to the folder that you specify. Enter or browse to the path of the folder. Filter takes a copy of the corrupted , saves it in the folder that you specify, and then sends the original to its recipient. Enter or browse to the path of the folder. SurfControl Filter for SMTP Administrator s Guide 63

81 3 SETTING UP FILTER Configuring the Rules Service QUEUE MANAGEMENT If the Rules service detects that an has triggered a rule, the automatically-managed actions that Filter can take are: Discard the . Release the . Isolate the . Delay the . s that are isolated or delayed are held in dedicated queue folders until they are either discarded or released and sent to their recipient. Filter is installed with pre-configured queues for easy management of , but you can set up others to suit your needs. Use Queue Management to configure and manage queues. The queues are displayed in the Queue Management dialog box. Figure 3-8 Queue Management dialog box The list of queues is displayed in the Queue Management dialog box 64 Administrator s Guide SurfControl Filter for SMTP

82 SETTING UP FILTER Configuring the Rules Service 3 Adding a Queue To add a queue: 1 In the Server Configuration console, select Receive Service > Rules Service > Queue Management 2 Click Add The Queue Configuration dialog box is displayed. 3 In the Queue Name box enter the name of the queue you want to create, for example Gambling. SurfControl Filter for SMTP Administrator s Guide 65

83 3 SETTING UP FILTER Configuring the Rules Service 4 In the Queue Folder box, enter the path of the folder where you want the queue to be held. To find a folder, click Browse To create a new folder click New Folder, and then enter the path and name of the new folder in the text box. 5 Either: Click OK to accept the defaults, or Configure the queue see Configuring Your Queue on page 67. Editing and Deleting Queues When you have created a queue, you can change its details. Editing Queues. To edit the details of a queue: 1 In the Server Configuration console, select Receive Service > Rules Service > Queue Management 2 Select the queue to be changed, and then click Edit. 3 The Queue Configuration dialog box is displayed. You cannot change the name of the queue, but you can save it to a different folder by browsing to an existing folder, or creating a new folder. 4 Configure the rest of the queue settings as normal see Configuring Your Queue on page 67. Deleting Queues. To delete a queue: 1 In the Server Configuration console, select Receive Service > Rules Service > Queue Management 2 Select the queue to delete, and then click Delete. A confirmation message is displayed. Note: You cannot delete a queue if it contains s or is being used by a rule. 66 Administrator s Guide SurfControl Filter for SMTP

84 SETTING UP FILTER Configuring the Rules Service 3 Configuring Your Queue When you have entered the queue name and set up the queue folder (see Adding a Queue on page 65), you can configure the details. Figure 3-9 The Queue Configuration screen SurfControl Filter for SMTP Administrator s Guide 67

85 3 SETTING UP FILTER Configuring the Rules Service Table 3-13 details the options. Table 3-13 Queue Management options Option Use Queue for Auditing Queue Administration Automated Queue Management Administrator alerts What it does You can set a queue to be used for auditing. For example, if you need to prove that a user has breached your organization s AUP. If you are using automated queue management, the Automated Action menu is unavailable; the only automated action possible is Delete. You can still move s from other queues into this queue. Note: The PEM Audit queue is created automatically as an audit queue for the Personal Manager application. For details of PEM, see the SurfControl Personal Manager Administrator's Guide. If there are multiple administrators in your organization you can assign administrators to queues for the management of . Select either: All Users All administrators will be able to view, release, delete and move s held in this queue. Selected Users In the list that is displayed, select the check boxes of the administrators who should have access to this queue. If there are no administrators in the list, you need to configure administrator accounts. See Configuring Administrators on page 91. Automated Queue Management allows you to automatically release, delete or move isolated s at a set time. See Automated Queue Management on page 69. Filter can automatically send an to the administrator of a queue when the number of s in that queue reaches a set number. 68 Administrator s Guide SurfControl Filter for SMTP

86 SETTING UP FILTER Configuring the Rules Service 3 Automated Queue Management You can automatically delete, release or move s that have been isolated or delayed for a specified amount of time. To configure automated queue management: 1 In the Queue Configuration dialog box, select Enable Automated Queue Management 2 Select the action to be applied to the s in the queue: Release Release each from its current queue folder a set time after it is placed there. Delete Permanently delete each a set time after it was placed in its current queue folder. This is the only option if you have selected to use the queue for auditing. Move to Move each to the specified queue a set time after it was placed in its current queue. Each queue is listed and when you add a new queue it will be added to the list. Note: If you have selected to use the queue for auditing, this list is unavailable. The only automated action is Delete. 3 To specify the time for the action, select Configure... SurfControl Filter for SMTP Administrator s Guide 69

87 3 SETTING UP FILTER Configuring the Rules Service 4 The Configure Automated Queue Management dialog box is displayed. To set the timing, select one option: Take Action after Time Delay: The period of time that each will be held in the queue before an action is applied to it. Minimum = 5 minutes Take Action at Specified Times: i Click Add The Time of Action dialog box opens. ii Enter the time for the action, and then click OK. You can also select to notify the queue administrator of the action. 5 Click OK. 70 Administrator s Guide SurfControl Filter for SMTP

88 SETTING UP FILTER Configuring the Send Service 3 CONFIGURING THE SEND SERVICE The Send service controls what happens to s after they have been allowed to proceed through the system by the Rules service. It is important to configure the Send service correctly, otherwise s that have passed through the system will not reach their intended recipients. The Send service has general settings and these functions: SMTP Properties Connections Routing Smart Host Routing Requeuing scheme. SEND SERVICE - GENERAL SETTINGS Figure 3-10 shows a typical Send Service dialog box. Figure 3-10 Send Service - general settings SurfControl Filter for SMTP Administrator s Guide 71

89 3 SETTING UP FILTER Configuring the Send Service Send Mail Pick-up Folder Caution: The Send Mail Pick-up folder must always be the same folder as the Rules service Processed Mail folder. When an has been checked and allowed to proceed, it is placed in the Send Mail pick-up folder (\Out folder), where the Send service can pick it up for delivery. The default path is: C:\Program files\surfcontrol Filter\Out You can change the path or browse to a different location. Enabling Administrator Alerts You can select to notify the administrator if a set number of queued s in the \Out folder is reached. When the limit is reached, an entry is logged in the Windows Event Viewer (Control Panel > Administrative Tools > Event Viewer > Application). To be alerted automatically about this event, you can use a third-party application, such as EventSentry Light. Logging When an is moved to the /Out folder for delivery, you can log the action in two places. Table 3-14 Send service logging options Option Real-time console System log What it does Details of s placed in the \Out folder are displayed in the Receive console of the Monitor. For more information about the Monitor consoles, see Service Panels on page 103 System events related to the Send Service are displayed in the System log in Message Administrator. See Working with Logs on page Administrator s Guide SurfControl Filter for SMTP

90 SETTING UP FILTER Configuring the Send Service 3 SMTP PROPERTIES The configurable SMTP properties are: SMTP EHLO/HELO command Transmission Optimizations. Figure 3-11 shows a typical Send Service - SMTP Properties dialog box. Figure 3-11 Send Service - SMTP Properties dialog box SurfControl Filter for SMTP Administrator s Guide 73

91 3 SETTING UP FILTER Configuring the Send Service SMTP EHLO/HELO Command The SMTP EHLO/HELO command is the SMTP statement that will be used to make an SMTP connection with the receiving mail server to send the in the \Out folder. There are two ways that Filter can connect. Table 3-15 SMTP EHLO/HELO Command settings Setting Use the Windows computer name as the Domain name Specify the Domain name: What happens When Filter initiates the outbound connection, the EHLO/HELO statement will use the host name of the machine where Filter is installed as a domain name, for example: HELO devserver When Filter initiates the outbound connection, the EHLO/HELO statement will contain the domain name you specify, for example: HELO mycompany.com Transmission Optimizations Filter can use one or more methods to optimize the Send service when sending s. Note: Some external servers do not support pipelining or chunking. Table 3-16 Transmission Optimizations settings Setting Enable CHUNKING Enable PIPELINING What happens The size of each SMTP data chunk is sent with the data. This means that the SMTP host does not have to scan continuously for the end of the data. This improves the speed of transmissions. Provides the ability to send a stream of commands without having to wait for a response after each command. This improves the speed of transmissions. CONNECTIONS The Connections function controls the type and number of connections that Filter can make when it is sending s. The configurable connection settings are: Connection properties SMTP options. 74 Administrator s Guide SurfControl Filter for SMTP

92 SETTING UP FILTER Configuring the Send Service 3 Figure 3-12 shows a typical Send Service - Connections dialog box. Figure 3-12 Send Service - Connections dialog box Connections Properties Table 3-17 describes the Connections settings. Table 3-17 Send service - Connections settings Option Description Default Maximum Maximum active outbound connections Maximum connections per IP address Idle connection timeout The maximum number of outbound connections that Filter can make at any one time. The maximum number of outbound connections that Filter can make to any single IP address. Note: This number must be less than, or equal to, the maximum active outbound connections. The number of seconds after which Filter will drop an attempted connection SurfControl Filter for SMTP Administrator s Guide 75

93 3 SETTING UP FILTER Configuring the Send Service SMTP Options You use SMTP options to limit the number of s that can be sent through a single connection. To limit s sent through a single connection: 1 In the Server Configuration console, select Send Service > Connections 2 In the SMTP options area, select Limit maximum messages per connection. 3 Enter or scroll to the maximum number of s that Filter can send for any one connection. ROUTING Use Routing to define routing tables for Filter. Figure 3-13 shows a typical Send Service - Routing dialog box. Figure 3-13 Send Service - Routing dialog box Routing table You can move items up and down the list using the arrows. The routing table defines the location of your mail servers so that Filter can identify where to send within the protected domain. 76 Administrator s Guide SurfControl Filter for SMTP

94 SETTING UP FILTER Configuring the Send Service 3 Static Routes By default, the protected domain you specified during installation is listed in the Static Routes list. If your organization has more than one protected domain, you need to add the other domains that you did not specify during installation. You can also add details of an external mail server, for example if your organization generates a lot of traffic with a particular company. To add a static route: 1 In the Server Configuration console, select Send Service > Routing 2 Click Add 3 The Domain Route properties dialog box is displayed. In the Domain Name for Static Route text box, enter the domain name. SurfControl Filter for SMTP Administrator s Guide 77

95 3 SETTING UP FILTER Configuring the Send Service 4 In the Route Host for this Domain text box, enter the IP address of a server that you want to handle for this domain. 5 In the IP port to use for this SMTP host text box, enter the port number of the server you want to handle for this domain. Default = 25 6 Set the preference number for the route. Default = 5 If multiple routing entries are defined for a single route, Filter attempts to send s to routes in order of preference, from the lowest (1) to the highest. If two or more routes have the same preference, Filter selects a random order for the routing. 7 If Filter will need to supply authentication details to connect to the server, select Server Requires Authentication and enter a valid user name and password. 8 You have the option to force the mail server to accept only encrypted s using TLS (STARTTLS) or SSL (SMTPS). To do this, select Send message encrypted. Default = Cleared See Table 3-18 for a description of the options. Table 3-18 Options for encrypted s Option Always use STARTTLS Use STARTTLS if available, otherwise send unencrypted Description s are sent encrypted using TLS. If the mail server does not support TLS, or the STARTTLS operation fails, the Send service: Sends a warning message, which is also logged in the system log. Temporarily fails the s and requeues them. s are sent encrypted using TLS. However, if the mail server does not support TLS, the s are sent unencrypted. Use SMTPS on port Default (recommended) port = 465 s are sent encrypted using SSL. If the mail server does not support SSL, or the SMTPS operation fails, the Send service: Sends a warning message, which is also logged in the system log. Temporarily fails the s and requeues them. When you have added static routes, you need to specify how Filter will route addressed to destinations outside the domains specified on the Static Routes list. You can: 78 Administrator s Guide SurfControl Filter for SMTP

96 SETTING UP FILTER Configuring the Send Service 3 Use a default route that you specify The Send service will pass any s addressed to domains not on the Static Routes list to the server you specify as the default route. This server then handles the and performs the MX lookups to send the to its destination. The default route is initially the route you specified during installation, but you can change its details or add further servers. See Configuring a Default Route. Use MX records Filter attempts to route the by performing the MX lookups itself. See Configuring MX Lookups on page 82. Configuring a Default Route To set the default route: 1 In the Server Configuration console, select Send Service > Routing 2 In the Undefined routes area, select Use default route. SurfControl Filter for SMTP Administrator s Guide 79

97 3 SETTING UP FILTER Configuring the Send Service 3 Click Configure. The Default Routes Configuration dialog box is displayed. The default route is the server you specified during installation. 4 You can either: Select the default server, and then click Edit to change the details of the server, or Click Add to add another server. 5 The Domain Route properties dialog box is displayed. 6 The name in the Domain Name for Static Route field is always Default. 7 In the Route Host for this Domain field, enter the IP address of the server you want to use as the default route. 8 In the IP Port to use for this SMTP Host field, enter the IP port that Filter will use to communicate with the server. 9 Set the preference number for the route. Default = 5 If multiple routing entries are defined for a single route, Filter attempts to send s to routes in order of preference, from the lowest (1) to the highest. If two or more routes have the same preference, Filter selects a random order for the routing. 10 If the server requires authentication, enter a valid user name and password. Confirm the password. 80 Administrator s Guide SurfControl Filter for SMTP

98 SETTING UP FILTER Configuring the Send Service 3 11 You have the option to force the mail server to accept only encrypted s using TLS (STARTTLS) or SSL (SMTPS). To do this, select Send message encrypted. Default = Cleared See Table 3-19 for a description of the options. 12 Click OK. The dialog box closes, and the server details are listed in the Default Routes Configuration dialog box. 13 Click OK to return to the Server Configuration console. Table 3-19 Options for encrypted s Option Always use STARTTLS Use STARTTLS if available, otherwise send unencrypted Description s are sent encrypted using TLS. If the mail server does not support TLS, or the STARTTLS operation fails, the Send service: Sends a warning message, which is also logged in the system log. Temporarily fails the s and requeues them. s are sent encrypted using TLS. However, if the mail server does not support TLS, the s are sent unencrypted. Use SMTPS on port Default (recommended) port = 465 s are sent encrypted using SSL. If the mail server does not support SSL, or the SMTPS operation fails, the Send service: Sends a warning message, which is also logged in the system log. Temporarily fails the s and requeues them. SurfControl Filter for SMTP Administrator s Guide 81

99 3 SETTING UP FILTER Configuring the Send Service Configuring MX Lookups To set Filter to perform MX Lookups: 1 In the Server Configuration console, select Send Service > Routing 2 In the Undefined route area, select Use MX Lookups. 3 Click Configure 4 The MX Lookup Properties dialog box is displayed. 5 If a domain exists, but Filter cannot find an MX record for it, it can try to connect to the domain directly using port Administrator s Guide SurfControl Filter for SMTP

100 SETTING UP FILTER Configuring the Send Service 3 6 Specify the action you want Filter to take if an MX Lookup fails: Always try direct connections Never try direct connections. The timeout value for direct connections is 60 seconds, so attempting direct connections can delay the delivery of mail. 7 If you want MX records to be cached, select Cache MX records and specify how long you want MX records to be cached for. Maximum = 24 hours 8 To cache non-existent MX records, select Cache non-existent domains and specify how long you want the non-existent records to be cached for. Maximum = 24 hours If a non-existent MX record is cached, Filter will not attempt further MX lookups for that domain. 9 You can select to send the encrypted using TLS. However, if the mail server does not support TLS, the s are sent unencrypted. Default = Cleared 10 Click OK to return to the Server Configuration console. SMART HOST ROUTING You can route s to a specific mail server or MTA according to their content, for example: If your organization uses an encryption server, Filter can redirect s that meet the criteria you specify for encryption. The encryption server encrypts the s and sends them to their destination. If your organization has an archiving policy, the Filter can send a copy of s that meet your archiving criteria to the archiving server, while processing the original s as normal. Enabling Smart Host Routing Before you start to configure Smart Host Routing, make sure that the Smart Host server can accept all mail from the Filter Send service. Consult your Smart Host documentation for more information on how to do this. When you have enabled the Smart Host to accept mail, you need to: 1 Configure Smart Host Routing in the Server Configuration console. See Configuring Smart Host Routing. 2 Set up a rule in the Rules Administrator which specifies which s you want to be routed to the Smart Host. See Routing Object on page 212. SurfControl Filter for SMTP Administrator s Guide 83

101 3 SETTING UP FILTER Configuring the Send Service Configuring Smart Host Routing. To configure Smart Host Routing: 1 In the Server Configuration console, select Send Service > Smart Host Routing 2 Click Add 3 The Smart Host Properties dialog box is displayed. 4 In the Smart Host Name text box, enter the name of the Smart Host server to which you want s redirected. 84 Administrator s Guide SurfControl Filter for SMTP

102 SETTING UP FILTER Configuring the Send Service 3 5 Click Add the Relay Host properties dialog box is displayed. 6 Enter the DNS server name or IP address of the Smart Host to which you want s redirected, for example, the encryption server. 7 Enter the IP port number that Filter will use to connect to the Smart Host. Default = 25 8 Set the preference number for the route. Default = 5 If multiple routing entries are defined for a single route, Filter attempts to send s to routes in order of preference, from the lowest (1) to the highest. If two or more routes have the same preference, Filter selects a random order for the routing. 9 If Filter needs to be authenticated by the Smart Host, select the Server Requires Authentication box, and enter the username and password of an account that will be accepted by the Smart Host. 10 You have the option to force the mail server to accept only encrypted s using TLS (STARTTLS) or SSL (SMTPS). To do this, select Send message encrypted. Default = Cleared See Table 3-20 for a description of the options. 11 Click OK. SurfControl Filter for SMTP Administrator s Guide 85

103 3 SETTING UP FILTER Configuring the Send Service 12 The details of your Smart Host server are displayed in the Smart Host Properties dialog box. 13 Click OK. Smart Host routing supports fail-over. If you configure more than one relay host, the Send service will first try to send mail to the first relay host on the list. If it cannot send to that relay host, it will try each one in order. If the Send Service cannot send the to any of the Relay Hosts, the will be requeued. 14 You have now configured a smart host. To route s to this server when they trigger a rule, you need to set up a rule containing the Routing object. See Routing Object on page 212. Table 3-20 Options for encrypted s Option Always use STARTTLS Use STARTTLS if available, otherwise send unencrypted Description s are sent encrypted using TLS. If the mail server does not support TLS, or the STARTTLS operation fails, the Send service: Sends a warning message, which is also logged in the system log. Temporarily fails the s and requeues them. s are sent encrypted using TLS. However, if the mail server does not support TLS, the s are sent unencrypted. Use SMTPS on port Default (recommended) port = 465 s are sent encrypted using SSL. If the mail server does not support SSL, or the SMTPS operation fails, the Send service: Sends a warning message, which is also logged in the system log. Temporarily fails the s and requeues them. 86 Administrator s Guide SurfControl Filter for SMTP

104 SETTING UP FILTER Configuring the Send Service 3 Deleting a Smart Host You cannot delete a Smart Host that is being used in a rule. To delete a Smart Host: 1 In the Server Configuration console, select Send Service > Smart Host Routing 2 Select the Smart Host you want to delete, and then click Delete. 3 You will be asked to confirm that you want to delete the selected Smart Host. REQUEUING If SurfControl Filter cannot send an , for example because it cannot connect to a remote mail host, it will store the in a queue and try to send it again at intervals. You can specify how often these attempts to resend s take place. You can configure: How many times Filter will try to send the . The length of time between each attempt. You can decrease the number of attempts and increase the time between each attempt over four stages. Figure 3-14 shows a typical Requeuing Scheme dialog box. Figure 3-14 Requeuing Scheme SurfControl Filter for SMTP Administrator s Guide 87

105 3 SETTING UP FILTER Configuring the Send Service Table 3-21 describes the default requeuing intervals Table 3-21 Requeuing intervals Stage Retry attempts Retry intervals What happens min filter tries to send the once every 15 minutes for 12 attempts min filter tries to send the once every 60 minutes for 21 attempts min filter tries to send the once every 360 minutes for 8 attempts min filter tries to send the once every 1440 minutes for 0 attempts. You can change any of the retry attempts and retry intervals to suit your needs. However SurfControl recommends that you leave the default settings unchanged. To change the requeuing intervals: 1 In the Server Configuration console, select Send Service > Requeuing Scheme 2 Change the number of attempts, or the number of minutes between each attempt by entering new amounts in the boxes. The requeuing intervals are added together to make the total retry time. If the Filter cannot send the once the total retry time has elapsed, the is designated a dead message. Dead Messages Dead messages have the file extension.msg.d and are stored in the Out folder. When you configure the requeuing schedule, you can choose to automatically delete dead messages as soon as the total retry time is up. To delete dead messages automatically: 1 In the Server Configuration console, select Send Service > Requeuing Scheme 2 Select Delete dead messages. 3 When the total retry time expires, the is deleted. Note: Deleted s cannot be retrieved. 88 Administrator s Guide SurfControl Filter for SMTP

106 SETTING UP FILTER Configuring the Administration Service 3 Caution: If dead messages are allowed to build up in the \Out folder, this can impair the performance of the Send service and delay the delivery of . If you do not discard dead messages automatically, they remain in the \Out folder until you delete them manually. While they are held in the \Out folder you can attempt to re-send them using QueueView. See QueueView Window on page 108. CONFIGURING THE ADMINISTRATION SERVICE The Administration service controls general system settings and also has these functions: Configuration to configure remote administration access to Filter. Certificate Management to manage the certificate used for the Send and Receive services TLS and SMTPS security features. ADMINISTRATION SETTINGS - GENERAL Figure 3-15 shows a typical Administration Settings - General screen. Figure 3-15 Administration Settings General SurfControl Filter for SMTP Administrator s Guide 89

107 3 SETTING UP FILTER Configuring the Administration Service Administrator s Address When you set up a protected domain, you are asked to specify the address of the system administrator for that domain. If Filter needs to send a notification (for example an NDR), it examines each recipient of the and checks each domain against the Protected Domains list. When it finds a recipient in a protected domain, Filter sends the notification from the administrator of that domain. If none of the recipients are in any of the protected domains, Filter sends the notification from the address specified in the Administration settings. You cannot enter more than one address. However, if you create a group in Exchange that contains all the Filter administrators, you can enter the group address, for example, SEF_administrators@mycompany.com. Printing a Record of the System Configuration You can print a record of your system configuration by clicking Print Configuration. A text file is displayed, which shows all the Server Configuration settings. Figure 3-16 Configuration printout By default, the name of this file is STEFCFG_date_time (for example STEFCFG_27_Jun_2007), but you can save it under any name in any location. 90 Administrator s Guide SurfControl Filter for SMTP

108 SETTING UP FILTER Configuring the Administration Service 3 CONFIGURING ADMINISTRATORS Use the Configuration function to configure access to remote administration of Filter. There are two methods of remote access: Web Administrator The SurfControl Filter Web Administrator is a Web-based application that gives remote access to selected Filter functions from any computer through a Web browser. Administration Client You can install the Filter Administration Client on a remote computer and use it to access the Filter user interface. For details of how to install the client, see the SurfControl Filter Starter Guide. Remote Administration Permissions Table 3-22 describes the remote administration permissions you can set, and which method of remote access you can use for each permission setting. Table 3-22 Remote administration permissions Permission setting Access Access method All Permissions All of the permissions on the list below. Web Administrator Administration Client Message Administration View and work with isolated s using Message Administrator functions. You can select to enable the administrator to use the Message Search function, queues and logs, or only have access to either the queues or the logs. Yes Yes See Message Administrator on page 229 for more information about Message Administrator. Rules Administration Create and manage rules to enforce your organization s AUP using Rules Administrator functions. No Yes See The Rules Administrator on page 113 for more information about Rules Administrator. System Administration The administrator can: View the progress of s through Filter in real time. See The Monitor on page 101. Configure SurfControl Filter using the Server Configuration console. See Setting Up Filter on page 13. No Yes SurfControl Filter for SMTP Administrator s Guide 91

109 3 SETTING UP FILTER Configuring the Administration Service Table 3-22 Remote administration permissions (Continued) Permission setting Access Access method Dictionary Management Manage Dictionaries and their content. See Dictionary Management on page 255 for more information. Yes Yes User Management Set administrative access to Filter. No Yes Adding a Remote Administrator Account To use Remote Administration you need to add administrator accounts and set their permissions. If there are no administrator accounts, Remote Administration is unavailable. To add a remote administrator account: 1 In the Server Configuration console, select Administration > Configuration 2 Click Add 92 Administrator s Guide SurfControl Filter for SMTP

110 SETTING UP FILTER Configuring the Administration Service 3 3 The User Profile dialog box is displayed. 4 Enter a user name, password and address for the administrator. The password must have at least six characters. 5 Select the permissions for the administrator. See Table 3-22 on page 91 for a list of permissions. The Queues list displays the queues that are available to the administrator. Use Queue Management to change these settings. See Queue Management on page Click OK. SurfControl Filter for SMTP Administrator s Guide 93

111 3 SETTING UP FILTER Configuring the Administration Service Editing a Remote Administrator Account To edit a remote administrator account: 1 In the Server Configuration console, select Administration > Configuration 2 Select an administrator from the list, and then click Edit... 3 The User Profile dialog box is displayed. 4 Change the user details or the permissions as needed. 5 Click OK. 94 Administrator s Guide SurfControl Filter for SMTP

112 SETTING UP FILTER Configuring the Administration Service 3 Deleting a Remote Administrator Account To delete a remote administrator account: 1 In the Server Configuration console, select Administration > Configuration 2 Select an administrator from the list, and then click Delete... 3 To delete the profile, click Yes in the confirmation pop-up. SurfControl Filter for SMTP Administrator s Guide 95

113 3 SETTING UP FILTER Configuring the Administration Service CERTIFICATE MANAGEMENT You need to use a certificate for the TLS and SMTPS security features in the Send and Receive services. SurfControl supports two types of certificate: Self-signed Self-signed certificates are useful to secure internal traffic between mail servers because verification/authentication is not an issue; all servers are owned by the company, and therefore trusted. CA (Certification Authority) signed You can buy a certificate from a CA, such as Thawte or Verisign. To obtain a certificate, you need to submit a CSR (certificate signing request) to the CA. These CAs will only issue a certificate if they are satisfied that you own the domain that the certificate is being issued for. Note: Prior to managing Filter certificates, you must log in with the same user account that was specified during installation configuration. See the SurfControl Filter Starter Guide for details. If you are logged in as a different user, TLS is not enabled and you will not be able to use your certificate, whether it is self-signed or CA signed. Figure 3-17 shows a typical Certificate Management dialog box if there is no certificate installed and there is no pending certificate signing request (CSR). Figure 3-17 Administration - Certificate Management If there is a certificate installed, or a certificate is installed with a pending CSR, or there is a pending CSR and no certificate installed, the relevant details are displayed. 96 Administrator s Guide SurfControl Filter for SMTP

114 SETTING UP FILTER Configuring the Administration Service 3 Using the Certificate Wizard When you click Certificate Manager, the Certificate Wizard opens. Figure 3-18 Administration Certificate Management - Certificate Wizard The options available depend on the status of your certification. Using the Certificate Wizard, you can: Create a CSR. Create a self-signed certificate and install it. Assign an existing certificate, if you have one saved. Process a pending CSR and install the certificate. Delete a pending CSR. Remove the current certificate. Caution: If you do not have a certificate installed, your server will not be able to send or receive securely. Creating a Self-signed Certificate or CSR To create a self-signed certificate or CSR, you need to enter the following information in the Certificate Wizard: A common name for the server. If your server is on the Internet, use a valid DNS name. If your server is on an Intranet, you might want to use the computer s NetBIOS name. An easily-remembered, friendly name for the certificate. SurfControl Filter for SMTP Administrator s Guide 97

115 3 SETTING UP FILTER Configuring the Administration Service The number of bits to be used to generate the certificate. The certificate is more secure if you select a higher number. Default = 1024 Note: A higher strength security key might decrease performance. The name of your organization and your organizational unit (division or department). Your geographical information. CSR only. If you are creating a CSR, you also need to enter a file name (format *.txt) for the request file. Either accept the default file name, or enter or browse to the location of an existing file. When you have saved the file, you can send it (for example, by ) to your CA. Assigning an Existing Certificate If you have an existing certificate, you can select the file from a list of available certificates in the Certificate Wizard. Processing a Pending CSR If you select to process a pending CSR using the Certificate Wizard, you will enter or browse to the location of the.cer file that you received from the CA. Deleting a Pending CSR If you select to delete a pending CSR using the Certificate Wizard, any data from the pending CSR is removed, and you will not be able to process any future responses. Note: You might want to notify your CA that your CSR has been deleted. Removing a Current Certificate If you select to remove a current certificate using the Certificate Wizard, the current certificate is removed from the server. Caution: If you do not have a certificate installed, your server will not be able to send or receive securely. 98 Administrator s Guide SurfControl Filter for SMTP

116 SETTING UP FILTER Configuration Complete 3 CONFIGURATION COMPLETE When you have completed all your server configuration changes, click OK to confirm your changes. The following message is displayed. Figure 3-19 Configuration update message Filter will then stop and restart any services that have changed in their configuration. You are now ready to begin filtering and monitoring . BACKING UP YOUR SERVER CONFIGURATION You can back up the configuration settings you have chosen so that you can replicate it on other servers or restore it if, for any reason you have to reinstall Filter. Please see the Database Management Guide for details of how to use the database management utilities. SurfControl Filter for SMTP Administrator s Guide 99

117 3 SETTING UP FILTER Configuration Complete 100 Administrator s Guide SurfControl Filter for SMTP

118 4 The Monitor In This Chapter page 102 Opening the Monitor page 102 Parts of the Monitor Window page 102 QueueView page 107

119 4 THE MONITOR In This Chapter IN THIS CHAPTER This chapter explains how to use the Monitor to view the progress of s as they pass through Filter. OPENING THE MONITOR To open the Monitor, select Start > SurfControl Filter > Monitor The Monitor window is displayed. PARTS OF THE MONITOR WINDOW The Monitor window is divided into panels, each showing information about a different part of the filtering process. Figure 4-1 shows the default layout of the panels. Figure 4-1 The Monitor Service Panels Server status panel: shows how long each Filter service has been running for, and keeps count of all the actions applied to each . Receive panel: shows the activity of the Receive service. Rules panel: shows the activity of the Rules service. Queue statistics panel: shows how many s are held in each queue. Send panel: shows the activity of the Send service. Status bar: shows the status of the Receive, Rules and Send services You can drag the Server Status and Queue Statistics panels anywhere on the desktop. To hide or show the Server Status and Queue Statistics panels, click. 102 Administrator s Guide SurfControl Filter for SMTP

120 THE MONITOR Parts of the Monitor Window 4 The following sections explain the parts of the monitor window in more detail. SERVICE PANELS There are three service panels, which show the progress of s through Filter. Table 4-1 The service panels Panel Receive panel Rules panel Send panel Information displayed Shows activity by the Receive Service. When a mail server or firewall requests a connection with SurfControl Filter, a log entry is displayed in this panel. Shows activity by the Rules Service. When Filter checks an against enabled rules, a log entry is displayed in this panel. When an triggers an action (Isolate, Delay, Delete or Allow), the log entry is in red text. A log entry is also displayed in this panel when you update the Anti-Spam Agent. Shows activity by the Send Service. When Filter delivers an including those released from isolate or delay queues a log entry is displayed in this panel. Clearing the Service Panels To clear the service panels of all information: 1 Right-click a service panel. A shortcut menu is displayed. 2 Select Clear Console. The information is cleared from the selected panel. 3 When there is a new event, for example, the service is restarted or the service handles an , log entries are again displayed in the service panel. 4 To clear all three service panels simultaneously, select View > Clear Status Windows. Copying Service Panel Information to the Clipboard You can copy the information displayed in each service panel to the clipboard to paste into another application, for example Notepad. To copy service panel information: 1 Right-click a service panel. A shortcut menu is displayed. 2 Select Copy to Clipboard. 3 Paste the information into another application, for example, Notepad. SurfControl Filter for SMTP Administrator s Guide 103

121 4 THE MONITOR Parts of the Monitor Window Changing the Information Displayed in the Service Panels You can specify how much detail you want to be displayed in each service panel by changing the logging level. There are four levels. Note: SurfControl recommends you keep the logging level set to 0 or 1, unless necessary for support purposes. Level 0 Level 0 is the lowest logging level. At level 0 you will see only basic information about the status of processing, for example: Blue text to show when the receive service has accepted an . If the has triggered a rule Blue text to show when the send service has sent an . Level 1 With the logging level set to 1 you will see more detailed information about service activity, for example: The SMTP conversation between the receive service and the connecting mail client. The status of rule the checking process The SMTP conversation between the send service and the mail server it is connecting to. Levels 2 and 3 Levels 2 and 3 display very detailed technical information sometimes used for diagnostic purposes. If you are discussing an issue with SurfControl Customer Support, you may be asked to increase your logging level to 2 or 3. Changing the Logging Level. To change the logging level: 1 Right-click the service panel to change. A shortcut menu is displayed. 2 Select Console Logging Level, then select the logging level 0 = least detail 3 = most detail. 3 If you do not want information messages to be displayed, for example notification of configuration reloads, select Hide Info Messages. 104 Administrator s Guide SurfControl Filter for SMTP

122 THE MONITOR Parts of the Monitor Window 4 THE SERVER STATUS PANELS Note: To stop, start and pause services from the Server Status panel, right-click the service, and then select an action. The Server Status panels show information about the running of the services and the connections they are making. Information Displayed in the Server Status Panels Table 4-2 describes the information displayed in the Receive service panel. Table 4-2 Server Status panels Receive service Section Uptime Total messages Total MB Information displayed Time since the Receive service was last started. Number of s handled by the Receive service during Uptime. Amount of data in MB handled by the Receive service during Uptime. Connections Total Total number of connections accepted during Uptime. Active Denied Number of connections currently active. Number of connections denied during Uptime. Table 4-3 describes the information displayed in the Send service panel. Table 4-3 Server Status panels Rules service Section Uptime Enabled Rules Messages Pending Information displayed Time since the Rules service was last started. Number of rules currently enabled. Number of s in the \In folder awaiting checking against enabled rules. SurfControl Filter for SMTP Administrator s Guide 105

123 4 THE MONITOR Parts of the Monitor Window Table 4-3 Server Status panels Rules service Section Information displayed Statistics (Total) Messages Number of s checked by the Rules service during Uptime. Statistics (Last Hour) Isolated Delayed Discarded Messages Isolated Delayed Discarded Number of s moved to an Isolate folder during Uptime. Number of s moved to the Delay folder during Uptime. Number of s discarded during Uptime. Number of s checked by the Rules service in the last hour. Number of s moved to an Isolate folder in the last hour. Number of s moved to the Delay folder in the last hour. Number of s discarded in the last hour. Table 4-4 describes the information in the Send Service panel. Table 4-4 Server Status panels Send service Section Uptime Total Messages Total MB Active Connections Messages Pending Failed Requeued Dead Messages Information displayed Time since the Send service was last started. Total number of s delivered by the Send service during Uptime. Total amount of data in MB handled by the Send service during Uptime. Number of connections currently being made by the Send service. Number of s in the Out folder awaiting delivery. Number of s that have been requeued because of a temporary failure to connect to the intended mail server. Number of s that could not be delivered and have been designated dead messages. Clearing the Statistics If you start the Rules service, the Statistics (Total) and the Statistics (Last hour) displays will reset to 0. To reset these statistics, right-click Rules Service and selecting Clear Statistics. 106 Administrator s Guide SurfControl Filter for SMTP

124 THE MONITOR QueueView 4 QUEUE STATISTICS AND STATUS BAR The Queue Statistics panel shows information about queue folders and the s held in them. The Status bar shows activity by the Receive, Rules and Send services. Table 4-5 Queue Statistics and Status bar Area Queue Statistics Status bar Information displayed Shows all the queues currently set up, and the number of s held in each queue. Double-click on a queue to view the contents in Message Administrator. Each box on the status bar shows the status of an Filter service. From left to right, the boxes show the status of the Receive, Rules and Send services respectively: The left field (Receive service) shows the number of current connections to the Receive Service. The middle field (Rules service) shows the number of currently active Rules processing threads. This number is equal to the number of s currently being processed by the Rules service. The right field (Send service) shows the number of connections being made by the Send service. If a service stops, an X is displayed in its status field; if the services is running but connection cannot be made, a question mark is displayed. If a service is paused, a P is displayed in its status field. QUEUEVIEW If an cannot be delivered immediately it is held in a queue while Filter attempts to deliver it. You can view the status of queued s in the QueueView window. OPENING QUEUEVIEW You can open the QueueView window from the Start Menu, or from within the Monitor. From the Start Menu To open QueueView from the Start menu, select All Programs > SurfControl Filter > QueueView From the Monitor To open QueueView from the Monitor, Click on the Toolbar. SurfControl Filter for SMTP Administrator s Guide 107

125 4 THE MONITOR QueueView Figure 4-2 shows a typical QueueView window. Figure 4-2 QueueView window QUEUEVIEW WINDOW You can view information for three types of message file: Queued message files If Filter cannot send an immediately, it is requeued (see Requeuing on page 87) while Filter makes further attempts to send it. Pending message files Pending messages are s that are waiting for Filter to make an initial connection with a mail server so that they can be sent. If Filter attempts to make a connection but is unsuccessful, the will then be queued. Dead message files If Filter cannot send an and the total requeuing period has passed, it is designated a dead message. The file is given a file extension of.d and held in the \Out folder until you act upon it. Selecting a Type of Message to View To select a type of message file to view: 1 Open QueueView. 108 Administrator s Guide SurfControl Filter for SMTP

126 THE MONITOR QueueView 4 2 Select View > Queued files. The Queued Message Files view is displayed. 3 Select View > Pending files. The Pending Message Files view is displayed. 4 Select View > Dead files. The Dead Message Files view is displayed. Each view is divided into columns showing the following information. Table 4-6 QueueView columns Column File Name Date Time Recipient Sender Subject What it shows The file name of the . The is stored under this name in the Out folder. The date that the was placed in the Out folder The time that the was placed in the Out folder The recipient in the s To: field. The sender in the s From: field The subject in the s Subject: field SurfControl Filter for SMTP Administrator s Guide 109

127 4 THE MONITOR QueueView Table 4-6 QueueView columns (Continued) Column Attempts Reason for failure What it shows The number of attempts that Filter has made to send the . The reason Filter was unable to deliver the , for example if the recipient s address is invalid. You can drag the QueueView columns to rearrange the order. RE-SENDING QUEUED OR DEAD MESSAGES You can re-send queued or dead s. This means that SurfControl Filter will make a further attempt to deliver the . To re-sending a queued or dead 1 Open QueueView and select the view; either Queued Message Files or Dead Message Files. 2 Select the to be re-sent. Use Shift or Ctrl to select more than one . 3 Right-click the selected . A shortcut menu is displayed. 110 Administrator s Guide SurfControl Filter for SMTP

128 THE MONITOR QueueView 4 4 Select Resend Message. Note: When an is designated a dead message, a failure report is sent to the sender. If you re-send the and it still cannot be sent, further failure reports will be sent. You should therefore avoid re-sending dead messages unless you are sure that they will be delivered successfully. 5 You are asked to confirm that you want to re-send the selected . DELETING A QUEUED OR DEAD You can delete queued or dead s. This means that the will be irreversibly deleted, and will not be sent. T delete a queued or dead 1 Open QueueView, and then select the view that you want to work with either Queued Message Files or Dead Message Files. 2 Select the to be deleted. 3 Right-click the selected . A shortcut menu is displayed. SurfControl Filter for SMTP Administrator s Guide 111

129 4 THE MONITOR QueueView 4 Select Delete Message. 5 You are asked to confirm that you want to delete the selected . You can automatically delete dead messages immediately after the requeuing period has passed. See Dead Messages on page Administrator s Guide SurfControl Filter for SMTP

130 5 The Rules Administrator In This Chapter page 114 Opening the Rules Administrator page 114 How Filter Uses Rules page 117 Rules Objects page 118 Building a Rule page 118 Positioning of Rules page 124 Pre-defined Rules page 125 Rule Groups page 128 Exporting Rules page 131 Importing Rules page 132 Configuring the Rules Administrator page 133

131 5 THE RULES ADMINISTRATOR In This Chapter IN THIS CHAPTER You use the Rules Administrator to define, create and manage the rules that support your Acceptable Use Policy (AUP). This chapter explains how Filter uses the rules you specify to check . In this chapter you will also learn how to: Configure the Rules Administrator to suit your needs. Use SurfControl Filter s pre-configured rules and rule groups. Create your own custom rules using the Rules objects. Manage and organize rules for optimum performance. Chapter 6 describes each Rules object in detail. OPENING THE RULES ADMINISTRATOR To open the Rules Administrator, select Start > All Programs > SurfControl Filter > Rules Administrator Figure 5-1 Opening Rules Administrator from the Start menu 114 Administrator s Guide SurfControl Filter for SMTP

132 THE RULES ADMINISTRATOR Rules Administrator Window 5 RULES ADMINISTRATOR WINDOW Figure 5-2 shows a typical Rules Administrator window. Figure 5-2 The Rules Administrator window Toolbar: icons to manage rules and open other Filter components. Tabs: divide the Rules objects into logical groupings Rules panel: displays all available rule groups, rules, and their status Rules objects panel: displays all available Rules objects Rules palette: drag and drop the Rules objects here to build or modify a rule RULES PANEL The upper part of the window displays all the available rules. Figure 5-3 Rules panel The rules are grouped into a logical order. You can create and delete groups, and move rules from one group to another. Rule description: when you create a Rule you can give it a summary description. SurfControl Filter for SMTP Administrator s Guide 115

133 5 THE RULES ADMINISTRATOR Rules Administrator Window Figure 5-4 describes details of the information shown for rules. Figure 5-4 Rule information All the rules in the group are enabled if this box is selected The name of the rule group The type of policy attached to the group The rule is enabled if this check box is selected The name of the rule What the rule does Policy Type You can assign a policy type to a group or sub-group from a list of supplied policy types. Policy types are used by to identify the category (Confidential, Network Security, Virus, and so on) that an belongs to, and the rule that has triggered the blocking. SurfControl Report Central and SurfControl Personal Manager also use Policy Type to identify the number of s that are within specific categories. To apply a policy type to a rule group: 1 Double-click the rule group or sub-group. A Properties for <rule group> dialog box is displayed. Figure 5-5 Selecting a policy type for a rule group or sub-group 2 Select a policy type from the drop-down list. If you do not assign a policy type to a sub-group, that sub-group inherits the policy type from the group. Also, sub-sub groups inherit the policy type from the sub group, not the group setting. RULES OBJECT PANEL The lower part of the window shows: The list of Rules objects you can use to build a rule. The Rules palette, where you build and modify rules. 116 Administrator s Guide SurfControl Filter for SMTP

134 THE RULES ADMINISTRATOR How Filter Uses Rules 5 Figure 5-6 Rules objects and Rules palette The types of Rules object. When you select a type of Rules object, the individual Rules objects belonging to that type are displayed. When you select a Rule from the list, the Rules objects used to create the rule are displayed. HOW FILTER USES RULES The Rules service checks the against the list of enabled rules, starting at the top of the window and working through the enabled rules in order until the triggers a rule. If an triggers a rule, Filter uses the action specified in the rule. The four actions objects Allow, Delay, Discard, Isolate are terminating actions. When Filter performs a terminating action on an , no further processing takes place. If an passes all the rules checks without being isolated, delayed or discarded, it is placed in the \Out folder for delivery to its destination. SurfControl Filter for SMTP Administrator s Guide 117

135 5 THE RULES ADMINISTRATOR Rules Objects RULES OBJECTS Rules objects are the basic logical units that you use to create a rule. Starting with the Who object, Table 5-1 describes the types of Rules objects and the logical order in which they should be added to a rule. Table 5-1 Types of Rules object Type of Rule object Description Find out more Who What Operations Notify Actions A Who object in a rule affects who the rule applies to. For example, an individual, a department, senders or recipients of . If you do not include a Who object in a rule, the rule will apply to everybody sending and receiving in and out of your protected domain. A What object in a rule checks the characteristics of the against the criteria you specify for example size, content, type of attachments. An Operations object in a rule will modify the in some way for example by adding a footer. A Notify object in a rule will send an to the user you specify to notify them that a rule has been triggered. An Actions object in a rule will perform an action on the , for example isolating it. When an action has been carried out, no further processing takes place on the . Who Objects on page 144. What Objects on page 160. Operations Objects on page 202. Notify Objects on page 216. Actions Objects on page 222. BUILDING A RULE To build an effective rule, SurfControl have the following guidelines: Begin with a Who object. Work through the object types in the order they are shown on the Rules Object panel: Who > What > Operations > Notify > Actions You do not have to include every object type in every rule, but without a Who or What object, every will trigger the rule. Finish with an Action object. 118 Administrator s Guide SurfControl Filter for SMTP

136 THE RULES ADMINISTRATOR Building a Rule 5 CONNECTING RULES OBJECTS You can connect Rules objects together in different ways, depending on how you want the rule to work. Rules objects connected together form logic blocks, and you can connect these logic blocks to form a complete rule. The logical connections that you can use are: Table 5-2 Rule connectors Connector IF AND OTHERWISE IF THEN What it does The opening statement of a rule. Adds extra conditions to the logic block. Creates a new logic block that will trigger if the conditions of its preceding logic block are not met. Connects the conditions to an event which will take place if the conditions are met a Notify, Operations or Action object. For example, this rule has two logic blocks and uses all four connectors. SurfControl Filter for SMTP Administrator s Guide 119

137 5 THE RULES ADMINISTRATOR Building a Rule CREATING RULES When you create a rule, the procedure is the same for any rule and any Rules object. To creating a rule: 1 Right-click any rule in the Rules description area. A shortcut menu is displayed. 2 Select. The Properties for New rule dialog box is displayed. 3 Enter the name of the rule and a brief description of what the rule will do. 4 To enable the rule immediately, select the Enabled check box. Note: The rule will not be applied to s until you save your changes. 120 Administrator s Guide SurfControl Filter for SMTP

138 THE RULES ADMINISTRATOR Building a Rule 5 5 Click OK. The Rules palette is cleared. You can now add Rules objects. 6 Select the tab for the type of Rules object. The individual Rules objects are displayed in the tab. 7 Select a Rules object from the list, and then drag it into the Rule palette. SurfControl Filter for SMTP Administrator s Guide 121

139 5 THE RULES ADMINISTRATOR Building a Rule 8 In the dialog box for the Rules object, set the conditions. To learn more about Rules objects and how to configure them, see Rules Objects on page 143. Note: You do not have to use a Who object in all the rules you create. For example, if you want a rule to apply to everybody sending to or from your organization, do not use the Who object. 9 Click OK. A Continue Processing object is automatically added to the end of the logic block, and remains there until you select an Action object, which specifies how Filter will deal with s that trigger the rule. 10 Add further objects to develop your rule as needed. 122 Administrator s Guide SurfControl Filter for SMTP

140 THE RULES ADMINISTRATOR Building a Rule 5 11 If you did not select to enable the rule when you were creating it, select the check box next to the rule. 12 Click to save your changes. Note: Your rule will not be applied to s until you save your changes and enable the rule. DELETING A RULE To delete a rule: 1 Select the rule. 2 Click. 3 You will be asked to confirm if you want to delete the selected rule. 4 Click to save your changes. Note: If you do not save your changes, the rule will continue to apply to s. SurfControl Filter for SMTP Administrator s Guide 123

141 5 THE RULES ADMINISTRATOR Positioning of Rules POSITIONING OF RULES When Filter processes an , it checks the against each of the rules in order, from the top of the screen until it reaches a terminating action (Allow, Delay, Discard or Isolate) or until the all the has been checked against all the rules and allowed to continue. Changing the order of rules can therefore change which s trigger rules and which are allowed to reach their destination. Rules are always processed from the top of the screen to the end, regardless of the Rule Group they are in. Figure 5-7 Rules are processed from top to bottom. When an triggers a rule with an Action object (Allow, Delay, Discard or Isolate) it is not checked against any subsequent rules. In the example below, the user has placed a rule allowing all from the systems administrator above a rule to detect virus-infected . Figure 5-8 Example of bad rule positioning 124 Administrator s Guide SurfControl Filter for SMTP

142 THE RULES ADMINISTRATOR Pre-defined Rules 5 This means that if the administrator were to send a virus-infected , it would be checked by the first rule and allowed to continue without any further processing. The would not be checked against the Anti-Virus Malware Scanning rule because it had already encountered a terminating action (the Allow object in the first rule). MOVING RULES Use the arrow buttons and to move a selected rule up or down the order. Alternatively, use the mouse to drag the rule into position. A red line indicates where the rule will be placed. Figure 5-9 Moving a rule PRE-DEFINED RULES SurfControl Filter is supplied with a comprehensive series of pre-defined rules, so that you can start filtering immediately. Although the pre-defined rules are a quick and easy way to begin filtering , you will still need to enter some details to make the rules work correctly in your organization. For example, you will need to enter your domain name in the Footers & Banners rule, and specify the location of your anti-virus scanning software for the Virus rule. THE RULE CONFIGURATION WIZARD To configure a rule: 1 To enable a rule, select its check box. 2 If the rule needs to be configured, the Rule Configuration wizard is displayed. SurfControl Filter for SMTP Administrator s Guide 125

143 5 THE RULES ADMINISTRATOR Pre-defined Rules 3 Click Next. 4 Follow the instructions in the wizard to configure the rule. Note: If you enable a rule but don t fill in the Configuration wizard, the rule may not filter correctly. EDITING PRE-DEFINED RULES When you click a rule, its objects are displayed in the Rules palette. You can edit these pre-defined rules to suit your organization in the same way as if you were creating a new rule. See Building a Rule on page 118 to find out more about how to create rules, or the chapter Rules Objects on page 143 for a full list of Rules objects. 126 Administrator s Guide SurfControl Filter for SMTP

144 THE RULES ADMINISTRATOR Pre-defined Rules 5 The following table lists the pre-defined rules. Table 5-3 Pre-defined rules Rule Group Rule What it does Network Security Rules Loop Detection Isolates s that loop more than 5 times. Illegal MIME format Encrypted Compressed Isolates non-standard or malformed s. Detects if staff are transmitting S/MIME or PGP files. Isolates mail that fails automatic decompression. Virus Protection Rules VBS Scripts Strips VBS attachments from s. Anti-Virus Malware Scanning Third-party Virus Scanning Executables Isolates s that contain a virus or malware that cannot be cleaned. Isolate s that contain virus-infected or suspect attachments. Isolates s that contain executable attachments. Spam Rules Whitelist Allows s from designated parties. Inappropriate Material Rules Anti-Spam Agent - DFP Anti-Spam Agent Internet Threat Database - Spam HTML Stripper Virtual Image Agent Graphics Sound Video Isolates s that trigger the Anti-Spam Agent Digital Fingerprinting component. Isolates s that trigger the Anti-Spam Agent Heuristics or LexiRules components. Isolates s from the database that contain spam-, phishing-, fraud- or spyware-related URLs. Strips active HTML components from s. Isolates s that contain explicit adult images. Isolates s containing graphics, sound or video files. Adult Dictionary Isolates s with an Adult dictionary score > 100. Gambling Dictionary Isolates s with a Gambling dictionary score > 100. Offensive or Derogatory Internet Threat Database - Inappropriate Isolates s with Hate or Violence Dictionary. Isolates s from the database that contain inappropriate URLs. SurfControl Filter for SMTP Administrator s Guide 127

145 5 THE RULES ADMINISTRATOR Rule Groups Table 5-3 Pre-defined rules (Continued) Rule Group Rule What it does Network Resources Rules Files > 5MB Files > 2MB Automatically compresses s larger than 5 MB. Delays s larger than 2 MB. More than 10 recipients Blind copies the administrator if has more than 10 recipients. Compliance Rules HIPAA Compliance Isolates s that contain individually identifiable health information. Relates to the Health Insurance Portability and Accountability Act regarding the security and privacy of health data. Confidential Information Rules GLBA Compliance Competitors Computer Security Confidential Information Isolates s that contain financial information. Relates to the Gramm-Leach-Bliley Act regarding the personal financial information held by financial institutions. Isolates transmission to competitors. Isolates outbound s containing the word username or the word password. Isolates outbound s containing intellectual property or confidential data. Other Footers Attaches an outbound or inbound footer. RULE GROUPS You can organize your rules by moving them into groups. Rule groups make it easier to manage and apply your rules, so that you can: Keep similar rules together Enable all similar rules (for example all the anti-spam rules) with a single mouse click. Delete a rule set you no longer need quickly and easily. Filter s pre-configured rules are already organized into five groups (see Table 5-3 on page 127). 128 Administrator s Guide SurfControl Filter for SMTP

146 THE RULES ADMINISTRATOR Rule Groups 5 CREATING A RULE GROUP To create a rule group: 1 Select Rule > New Group Alternative: click. 2 The New Group dialog box is displayed. 3 Enter a name for the group. 4 To create a new rule within the new group, select Create a New Rule. 5 Click OK. The new group is displayed in the Rules panel. 6 If you selected Create a New Rule, the New Rule dialog box is displayed automatically. The new rule you create is automatically placed inside the group that you have created. MOVING A RULE INTO A GROUP To move a rule into a group, click the Rule you want to move and drag it on to the group. A red arrow indicates the group that the rule is being moved into. Figure 5-10 Moving a rule into a group SurfControl Filter for SMTP Administrator s Guide 129

147 5 THE RULES ADMINISTRATOR Rule Groups WORKING WITH GROUPS OF RULES Note: You must save your selected rules to be able to activate them. You can enable or disable a complete group of rules, or enable or disable one or more rules within a group. Enabling a Group of Rules You can enable all the rules in a group by selecting the check box of the group. All the rules in the group are selected automatically. Figure 5-11 Enabling a group of rules Disabling a Group of Rules Clear the check box next to the group to disable all the rules in the group. Figure 5-12 Disabling a group of rules Enabling Rules Within a Rule Group If you do not select all of the rules in a group, the group check box is shown grayed to indicate that the group is partially selected. Figure 5-13 A partially enabled group 130 Administrator s Guide SurfControl Filter for SMTP

148 THE RULES ADMINISTRATOR Exporting Rules 5 EXPORTING RULES You can export rules into a separate.rul file, which you can then use to restore your saved rule set. This is useful if you are deploying Filter on multiple servers, if you are undertaking server maintenance and want to keep your current rule configuration in place, or if you want to make a backup of your rules. To export your rules to a.rul file: 1 In the Rules panel, select the Rules to export. You can select any number of rules or groups, or the entire rule set. Note: When you export a rule group, all the rules within that group are exported. 2 Select File > Export Rules The Save As dialog box is displayed. 3 Save your.rul file in the required location. 4 Click. A confirmation message is displayed when Filter has successfully exported the rules. SurfControl Filter for SMTP Administrator s Guide 131

149 5 THE RULES ADMINISTRATOR Importing Rules IMPORTING RULES You can import a.rul file containing Filter Rules. Note: If a rule you are importing already exists in the Rule panel, Filter will add an additional copy. Importing a rule does not overwrite any of your current rules. You can: Import a rule set that you have previously exported Import the same rule set onto each server running Filter in your organization. Restore the default rule set that is included in the Filter install. To import a.rul file into Filter: 1 From the File menu, select Import Rules. The Open dialog box is displayed. 2 Select the.rul file you want to import. 132 Administrator s Guide SurfControl Filter for SMTP

150 THE RULES ADMINISTRATOR Configuring the Rules Administrator 5 3 Click Open. The Import Rules dialog box is displayed, which shows a list of rules that the.rul file contains. 4 Select the rules to import. If you select a rule group, all the rules in that group are imported. 5 Specify where you want the selected rules to be placed in the Rules panel: Insert after the selected rule the imported rules will be placed after whichever rule is currently highlighted in the Rules panel. Insert after the last rule the imported rule will be placed at the end of the list of rules. 6 Click Import. The imported rules are displayed in the Rules panel. CONFIGURING THE RULES ADMINISTRATOR The Rules Administrator configuration settings affect the way s are checked against the Rules, and can affect the speed with which s proceed through the rules checking process. Table 5-4 describes the configuration settings. Table 5-4 Rules Administrator configuration settings Setting Dictionary Scanner Password Protected Archives What it does Dictionary scanning: Specifies which files are scanned against the dictionaries for content that could trigger a rule. Specifies how much of each file is scanned. Sets up decompression of encrypted and password protected files. SurfControl Filter for SMTP Administrator s Guide 133

151 5 THE RULES ADMINISTRATOR Configuring the Rules Administrator Table 5-4 Rules Administrator configuration settings (Continued) Setting Document Decomposition HTML Parser What it does Set up the extraction of data from compound document files, so that Filter can check them against the rules. See Document Decomposition on page 389. Set up the parsing of HTML s to combat HTML spam. CONFIGURING DICTIONARY SCANNING Many rules check the contents of an and its attachments against the SurfControl dictionaries. However, some file types are more suitable for dictionary scanning than others. To save processing time, you can select not to scan certain file types, for example, image or audio files, or to only scan a specified amount of each . To configure dictionary scanning: 1 Open the Rules Administrator. 2 From the Tools menu, select Options. The System Options dialog box is displayed. 3 Select the Dictionary Scanner tab. 4 Specify how much of each is to be scanned against the dictionaries: Default = 10KB Maximum =10,000KB. The more of each file is scanned, the longer it takes to check each against the rules. 5 Select which file types are to be exempt from dictionary scanning. You can select groups of file types, for example audio files, or specific file types, for example, MP3s. 134 Administrator s Guide SurfControl Filter for SMTP

152 THE RULES ADMINISTRATOR Configuring the Rules Administrator 5 6 To add a file type to the list, click Add extension. 7 Enter the file type in the text box. Note: Do not include the period (. ) character. For example, enter txt, not.txt. 8 To remove a file type that you have added, select it, and then click Remove extension. Note: You cannot delete the preset file extensions. 9 Click OK. CONFIGURING PASSWORD PROTECTED ARCHIVES You can prevent unauthorized users and domains from receiving password protected archive files, such as a zip file with a password, by entering recipient/password pairs on the Password Protected Archives tab. You can specify which users are allowed to receive password protected archive files, and the password that was used to create these files. SurfControl Filter will use the password to decompress the file and scan the contents. If a user that has not specified a password is sent an with a password protected archive file, or is sent a password protected file with a different password, the will trigger the pre-configured rule, if enabled. SurfControl Filter for SMTP Administrator s Guide 135

153 5 THE RULES ADMINISTRATOR Configuring the Rules Administrator To add a recipient/password pair: 1 In the Rules Administrator, select Tools > Options The System Options dialog box is displayed. 2 Select the Password Protected Archives tab. 3 Click Add The Enter Recipient/Password Pair dialog box is displayed. 4 In the Recipient/Domain: text box, enter the name of the recipient or domain to add. 136 Administrator s Guide SurfControl Filter for SMTP

154 THE RULES ADMINISTRATOR Configuring the Rules Administrator 5 5 If you are using Windows authentication, you can find recipients or domains by clicking Browse. Note: If you are using SQL authentication, Browse... is not available. Please see the SurfControl Knowledge Base article 1294, which gives details of when and how to use the authentication methods. The Select Users dialog box is displayed. You can select to retrieve the following users: Monitored External users Monitored Internal users Imported users/groups database Windows address book Outlook address book Select which user you want to retrieve from the Select users from: drop-down menu. 6 Click Add. Retrieving Recipients Using LDAP If you are using Windows authentication, you can also retrieve a list of recipients or domains using an LDAP connection. If you have already configured a connection to the LDAP server, the connection will be listed in the Select users from: drop-down menu. To configure a connection to the LDAP server: 1 Click LDAP, and then configure the connection. See Configuring an LDAP Connection on page The recipients retrieved are displayed in the user list. To add a user, select the user, and then click Add. SurfControl Filter for SMTP Administrator s Guide 137

155 5 THE RULES ADMINISTRATOR Configuring the Rules Administrator 3 When you have added the user, click OK. The user name or address will then be displayed in the Recipient/Domain: text box. CONFIGURING DOCUMENT DECOMPOSITION Filter can extract data from supported files, and apply the current filtering rules to that data. You can decompose documents and then: Scan extracted text with the Dictionary Scanner object. Examine extracted pictures with the Virtual Image Agent object. Detect executables that are embedded in a file. Scan extracted files with the Anti-Virus Agent or Anti-Virus Pack object. By default, decomposition of all documents is enabled. Filter can decompose nested and combined containers with up to twenty-five levels of depth. For example, a Word document inside a Zip container that is inside an Excel workbook. 138 Administrator s Guide SurfControl Filter for SMTP

156 THE RULES ADMINISTRATOR Configuring the Rules Administrator 5 To enable document decomposition: 1 Open Rules Administrator. 2 Select Tools > Options. The System Options dialog box is displayed. 3 Select the Document Decomposition tab. 4 Select Enable document decomposition. 5 Click OK. Choosing Which Files are Decomposed You can specify which document categories and types that you want to be decomposed. Database Formats Desktop Publishing Formats Formats Embedded Formats Other Formats Presentation Formats Spreadsheet Formats Word Processing Formats. For a full list of the types of document within these categories that Document Decomposition supports, see Table B-2 on page 389. SurfControl Filter for SMTP Administrator s Guide 139

157 5 THE RULES ADMINISTRATOR Configuring the Rules Administrator To select the file types that are to be decomposed: 1 Open Rules Administrator. 2 Select Tools > Options. The System Options dialog box is displayed. 3 Select the Document Decomposition tab. 4 Click Advanced. The Advanced Properties dialog box is displayed. 5 Select the document types you want document decomposition to extract data from. 6 Click OK. 140 Administrator s Guide SurfControl Filter for SMTP

158 THE RULES ADMINISTRATOR Configuring the Rules Administrator 5 CONFIGURING HTML PARSING A common spamming technique is to use HTML tags to break up the flow of text to defeat anti-spam filters. The HTML Parser extracts the user-visible text from the HTML document so that it can scanned by the Dictionary Scanner. User-visible text is text which is visible to the user, as opposed to white-on-white text, text in hidden HTML tags or text outside the valid parts of an HTML document. Note: As well as extracting visible text, the HTML parser will also extract any URLs from the body of the into a text file called SC_URL.txt. You can examine this file in Message Administrator. There are two types of HTML parsing that you can enable: HTML extraction from body this extracts the user-visible text from the body so that the text can be scanned. Text extraction from HTML attachments this extracts text from HTML attachments so that the text can be scanned. For example, here is the body of an HTML spam . Figure 5-14 HTML spam Here is a section of source code from the same <B>Re<!KQ>tail or online, big or small, we provide businesses o<!nj>f all <!KQ>t<!HOM>ypes an oppor<!kq>tuni <!KQ> t<!hom>y <!KQ> to have <!KQ> theirown no hassle Credi<!KQ>t Card Merchan<!KQ>t Accoun<!KQ>t. The spammer has inserted HTML tags into the middle of words to avoid detection. When the HTML Parser is enabled, the HTML tags are removed so that the remaining text can be scanned by the dictionary scanner. SurfControl Filter for SMTP Administrator s Guide 141

159 5 THE RULES ADMINISTRATOR Configuring the Rules Administrator To enable HTML parsing: 1 Open the Rules Administrator. 2 Select Tools > Options. The System Options dialog box is displayed. 3 Select the HTML Parser tab. 4 Select which types of HTML parsing you want to use with s. By default, both are enabled. 5 Click OK. 142 Administrator s Guide SurfControl Filter for SMTP

160 6 Rules Objects In This Chapter page 144 Who Objects page 144 What Objects page 160 Operations Objects page 202 Notify Objects page 216 Actions Objects page 222

161 6 RULES OBJECTS In This Chapter IN THIS CHAPTER This chapter describes: The types of Rules objects. How to configure the individual Rules objects within each type. The effects of using reverse logic in Rules objects. For details of the Rules Administrator and how to build rules, see Chapter 5. WHO OBJECTS A Who object checks the sender, recipients or the direction of s. If you do not include a Who object in a rule, the rule will apply to every sent to and from your protected domain. The Who objects are: From Users and Groups Inbound/Outbound mail To Users and Groups 144 Administrator s Guide SurfControl Filter for SMTP

162 RULES OBJECTS Who Objects 6 FROM USERS AND GROUPS OBJECT The From Users and Groups object checks if the is from the users, groups and/or domains that you specify. Configuring the From Users and Groups Object To configure the From Users and Groups object: 1 When you have placed the From Users and Groups object in the rule, the Properties for From Users and Groups dialog box is displayed. Message senders: Click either: Add To manually enter addresses for users, groups or domains. See step 2. Browse To select addresses for users, groups or domains from a data source. See Retrieving User Information From a Data Source on page 150. Reverse Logic If you select the Reverse logic check box, the rule is triggered if the is not from the user, group or domain that you specify. 2 If you clicked Add, the Add Senders dialog box is displayed. 3 Enter one or more users, groups or domains. Separate multiple entries with a semicolon. SurfControl Filter for SMTP Administrator s Guide 145

163 6 RULES OBJECTS Who Objects 4 Click OK. The senders are displayed in the Message senders: list. = Individual user = Group of users = Domain 5 Click OK. The users and groups that you added are displayed in the Rules palette. INBOUND/OUTBOUND MAIL OBJECT Caution: If you enable a rule that contains the Inbound/Outbound Mail object, you must have anti-spoofing enabled somewhere in your system, either in the Receive service (see Anti- Spoofing on page 29) or with an upstream MTA. Without anti-spoofing there is a risk that spoofed inbound mail will be treated as internal. Use the Inbound/Outbound Mail object to specify settings that apply to s within or outside protected domains. This avoids unnecessary processing. For example, you can apply anti-spam filtering to only s that are inbound to the protected domain. Table 6-1 describes the Message Type options. Table 6-1 Message Type options Option Inbound Outbound Internal External Relay What it does The rule will apply only to s sent from outside a protected domain to a recipient inside a protected domain. The rule will apply only to s sent from inside a protected domain to a recipient outside a protected domain. The rule will apply only to s sent from inside a protected domain to a recipient inside a protected domain. The rule will apply only to s sent from outside a protected domain to a recipient outside a protected domain. 146 Administrator s Guide SurfControl Filter for SMTP

164 RULES OBJECTS Who Objects 6 Configuring the Inbound/Outbound Mail Object To configure the Inbound/Outbound Mail object: 1 When you have placed the Inbound/Outbound Mail object in the rule, the Properties for Inbound/ Outbound Mail dialog box is displayed. Message Types Select the types of that the rule should apply to (see Table 6-1 on page 146). Protected domains Select the protected domains to include in the rule. By default, the rule checks against all protected domains. To use only specific domains, click Selected, and then select one or more of the protected domains in the list. Reverse Logic If you select the Reverse logic check box, see Reverse Logic Inbound/Outbound Mail Object on page 148 for an explanation of how this will affect the rule. 2 Click OK. SurfControl Filter for SMTP Administrator s Guide 147

165 6 RULES OBJECTS Who Objects Reverse Logic Inbound/Outbound Mail Object Table 6-2 describes the results of selecting the Reverse logic check box for the Inbound/Outbound Mail object, using the example protected domain mycompany.com. Table 6-2 Reverse logic Inbound/Outbound Mail object Message type Inbound Outbound Internal External Relay Result The rule is triggered if the is sent from: Inside mycompany.com to any recipient. Outside mycompany.com to a recipient outside mycompany.com The rule is triggered if the is sent from: Outside mycompany.com to any recipient. Inside mycompany.com to a recipient inside mycompany.com The rule is triggered if the is sent from: Outside mycompany.com to any recipient. Inside mycompany.com to a recipient outside mycompany.com The rule is triggered if the is sent from: Outside mycompany.com to a recipient inside mycompany.com Inside mycompany.com to a recipient outside mycompany.com Inside mycompany.com to a recipient inside mycompany.com 148 Administrator s Guide SurfControl Filter for SMTP

166 RULES OBJECTS Who Objects 6 TO USERS AND GROUPS OBJECT The To Users and Groups object checks if the is to the users, groups and/or domains that you specify. Configuring the To Users and Groups Object To configure the To Users and Groups object: 1 When you have placed the To Users and Groups object in the rule, the Properties for To Users and Groups dialog box is displayed. Message recipients: Click either: Add To manually enter addresses for users, groups or domains. See step 2. Browse To select addresses for users, groups or domains from a data source. See Retrieving User Information From a Data Source on page 150. Reverse Logic If you select the Reverse logic check box, the rule is triggered if the is not to the user, group or domain that you specify. 2 If you clicked Add, the Add Recipients dialog box is displayed. Enter one or more users, groups or domains. Separate multiple entries with a semicolon. SurfControl Filter for SMTP Administrator s Guide 149

167 6 RULES OBJECTS Who Objects 3 Click OK. The senders are displayed in the Message recipients: list. = Individual user = Group of users = Domain 4 Click OK. The users and groups that you added are displayed in the Rules palette. RETRIEVING USER INFORMATION FROM A DATA SOURCE As well as entering user details manually in a Rules object, you can also retrieve a list of users, groups or domains from your system. The advantages of this are: You can add multiple users, groups or domains at one time. You do not have to remember user details. You remove the risk of misspelling user details. The available data sources are described in the following table. Table 6-3 Data sources Data source Monitored external users Monitored internal users Imported Users/Groups database Windows address book Details Every time an from outside the protected domain triggers a rule, filter collects the details in the logging database. You can retrieve a list of these addresses to use in Who rules. Every time an from inside the protected domain triggers a rule, filter collects the details in the logging database. You can retrieve a list of these addresses to use in Who rules. If you created a users/groups database using the ScoutGroupDB, you can retrieve the users and groups details from there. For details of how to create a database of users and groups, see the SurfControl Filter Starter Guide, Chapter 2 - Pre-installation, section Creating a Database to Import Users and Groups in Rules. Retrieve user details from the Windows address book. 150 Administrator s Guide SurfControl Filter for SMTP

168 RULES OBJECTS Who Objects 6 Table 6-3 Data sources (Continued) Data source Outlook address book LDAP Details Retrieve user details from the Outlook address book. Retrieve user details from the LDAP server. To retrieve user details using LDAP, you must first configure a connection to the LDAP server, see Configuring an LDAP Connection on page 152. To retrieve a list of users: 1 When you have clicked Browse in a Rules object dialog box, the Select Users dialog box is displayed. 2 Select the data source from the drop-down list. The user details are displayed in the list. SurfControl Filter for SMTP Administrator s Guide 151

169 6 RULES OBJECTS Who Objects 3 Select the users, groups and/or domains, and then click Add. To remove a user, group or domain, select it, and then click Remove. CONFIGURING AN LDAP CONNECTION To use LDAP to retrieve user details, you need to set up a connection to the LDAP server. To configure an LDAP connection: 1 When you have clicked LDAP in the Select Users dialog box, the LDAP Connections dialog box is displayed. 152 Administrator s Guide SurfControl Filter for SMTP

170 RULES OBJECTS Who Objects 6 2 Click Add. The Add LDAP Connections dialog box is displayed. 3 Enter the details of the LDAP server. The unique name for the connection will be displayed in the Select users from: list in the Select Users dialog box. See Retrieving User Information From a Data Source on page 150. Log on to the server: check box: Selected = It is compulsory that Filter uses the user name, password and domain name to log on to the LDAP server. Cleared = Filter connects to the LDAP server anonymously. Log on using Secure Authentication If selected, Filter connects to the LDAP server using secure authentication. SurfControl Filter for SMTP Administrator s Guide 153

171 6 RULES OBJECTS Who Objects 4 To set advanced settings, click the Advanced tab. 5 Enter the LDAP port number of the LDAP server. Default = 389 If you select to connect to the LDAP server using a secure connection (Secure Sockets Layer), the default port number changes to Specifying a search base makes the connection to the LDAP server more efficient if you specify specific groups of users to locate (for example, domain controllers). To automatically enter the default search base, click Get Default. To manually specify a search base, click Specify Group Object. See step 7. 7 The LDAP Server Options dialog box is displayed. 8 By default, Filter uses the default group object, GroupofNames. To specify a different Group object, for example, sales, enter the name in the text box. 9 Click OK. 154 Administrator s Guide SurfControl Filter for SMTP

172 RULES OBJECTS Who Objects 6 10 If you have successfully configured the LDAP connection, it is prefixed by LDAP in the Select users from: drop-down list in the Select Users dialog box. The users and groups retrieved from the LDAP server are displayed in the list. 11 If the users and groups are not displayed successfully, you can test the LDAP connection. i Click OK, and then click the General tab on the Add LDAP Connection dialog box. ii Click Test Connection... See Testing the LDAP Connection for further details of testing the connection. TESTING THE LDAP CONNECTION You can test that Filter is able to make a successful connection to the LDAP Server. The testing process comprises three separate tests, carried out in this order: 1 Test Basic LDAP connection 2 Test LDAP Authentication 3 Test Search for Groups and Users filter will carry out each test in order until either the connection passes all the tests, or fails one. SurfControl Filter for SMTP Administrator s Guide 155

173 6 RULES OBJECTS Who Objects Test Basic LDAP Connection The Basic LDAP Connection test will fail if SurfControl Filter cannot make a TCP/IP connection with the server. If the test fails, a dialog box displays the details. Figure 6-1 Testing the LDAP connection failure dialog box Make sure you have specified the server name or IP address and LDAP Port number correctly remember that the server may not be using the default port number of 389. If the server and port number are correct, other possible causes of a connection failure are: The server is not running. The server is running but its LDAP service is not. SurfControl Filter cannot access the server, possibly because of firewall or DNS factors. Test LDAP Authentication The LDAP Authentication test will fail if the LDAP server cannot authenticate your user details (user name, password and domain name). If the test fails, a dialog box displays the details. 156 Administrator s Guide SurfControl Filter for SMTP

174 RULES OBJECTS Who Objects 6 Figure 6-2 Testing LDAP authentication failure dialog box Make sure that the user name, password and domain name you supplied are correct. If the I must log on to this server check box is selected, SurfControl Filter uses simple authentication, that is, the password is passed in clear text. If you also check the Log on using Secure Authentication check box, the program uses secure authentication. Therefore, if you experience an invalid credentials error and you are using simple authentication, try switching to secure authentication, and vice versa. Test Search for Groups and Users The Search for Groups and Users test will fail if: You have not specified a search base. You have specified a search base incorrectly. If the test fails, a dialog box displays the details. SurfControl Filter for SMTP Administrator s Guide 157

175 6 RULES OBJECTS Who Objects Figure 6-3 Test Search for Groups and Users failure dialog box If you have not specified a search base, click the to the Advanced tab in the Add LDAP Connection dialog box. Click Get Default to get the default search base. Note: If you connect to the server through an anonymous connection, the test may be successful without finding any groups. This is because the client has not been authenticated by the server and so does not have permission to retrieve groups. If you have entered a search base and the test still fails, check the search base for errors and check with the LDAP server administrator that you have specified a valid search base for this server. 158 Administrator s Guide SurfControl Filter for SMTP

176 RULES OBJECTS Who Objects 6 Successful Tests When all three tests have been successful, a dialog box is displayed that confirms that all the tests have been passed. Figure 6-4 Successful testing dialog box SurfControl Filter for SMTP Administrator s Guide 159

177 6 RULES OBJECTS What Objects WHAT OBJECTS Table 6-4 describes the What objects. Table 6-4 What objects What object Description Find out more Anti-Spam Agent Anti-Virus Malware Scanning Dictionary Threshold External Program PlugIn Digital Fingerprinting Tool Checks s against the known spam and junk mail in SurfControl s Anti-Spam database. SurfControl continually update this database with the electronic signatures of known spam circulating on the Internet. Heuristics The ASA analyzes the and assesses its characteristics in relation to known spam. LexiRules The ASA uses LexiRules to check the for word combinations and patterns commonly seen in spam. Uses multiple third-party anti-virus (AV) scanners to detect viruses in s and attachments. Scans the for words in one or more of the SurfControl dictionaries, or from a dictionary you have created. Integrates SurfControl Filter with an external executable or batch file. page 162 page 162 page 162 page 165 page 172 page 174 File Attachment Identifies the file type of an attachment. page 177 Illegal MIME Format Internet Threat Database LexiMatch Loop Detection Detects whether the or its attachments contain non-standard or malformed MIME content. Detects URLs in s and checks those URLs against the SurfControl Internet Threat Database. This database contains URLs that contain material that has been categorized as adult/sexually explicit, drugs, gambling, hacking/spyware, and so on. Inspects the for specified word combinations from the filter dictionaries. Detects looping of s between mail servers, for example loops due to Auto-forwarding rules on servers and auto-replies to delivery failure s. page 180 page 182 page 183 page Administrator s Guide SurfControl Filter for SMTP

178 RULES OBJECTS What Objects 6 Table 6-4 What objects (Continued) What object Description Find out more Message Size Number of Recipients Third-party Virus Scanning Sets the maximum size for a whole or the largest attachment to an . Checks whether an is being sent to more recipients than you have allowed in a rule. Integrates with your own anti-virus software to detect viruses in s and attachments. page 191 page 192 page 193 Virtual Image Agent Checks if a graphic contains explicit adult graphics. page 199 Virtual Learning Agent Scans s for patterns of words and phrases. You can train this object to recognize, for example, content that is confidential and specific to your organization. page 200 When Controls the day and time that a rule is enabled. page 201 ANTI-SPAM AGENT OBJECT The Anti-Spam Agent (ASA) object is a powerful tool that: Checks against a database of known spam. Analyzes content to detect spam characteristics. The ASA requires an activation key. However, if you are running an evaluation copy of SurfControl Filter, you can use the ASA during your 30-day evaluation period without an activation key. SurfControl Filter for SMTP Administrator s Guide 161

179 6 RULES OBJECTS What Objects Anti-Spam Agent Object Tools The Anti-Spam Agent object uses the following tools. You can enable or disable any combination of these tools for use in a rule. Table 6-5 Anti-Spam Agent tools ASA tool Digital Fingerprinting Heuristics LexiRules What it does Checks the digital fingerprint of an against the SurfControl Anti-Spam database, which classifies spam and junk content into categories, such as adult, chain letters, illegal material, and so on. For a full description of each category, see Appendix A on page 369. Analyzes the header and body, or just the header, to determine how closely the contents resemble spam. You can specify how sensitive the Heuristics tool is in evaluating s. The higher the sensitivity, the fewer spam-like traits are needed to trigger the rule. By default, the Heuristics tool will scan the entire . However, if you have a highvolume environments, you can select to scan only the header, which will result in a faster scan. Analyzes the for word combinations and patterns that are commonly seen in spam. Configuring the Anti-Spam Agent Object To include the Anti-Spam Agent object in a rule: 1 Place the Anti-Spam Agent object in the rule. The Properties for Anti-Spam Agent dialog box is displayed. 162 Administrator s Guide SurfControl Filter for SMTP

180 RULES OBJECTS What Objects 6 Digital Fingerprinting. When you have enabled the tool, select the check boxes of the categories to be used when scanning s. Heuristics. When you have enabled the tool, select to scan either: The header and body, or The header only. Use the slider to set a sensitivity level. The higher the slider, the fewer spam-like traits are need to trigger the rule. LexiRules. Select Enable LexiRules. Reverse Logic Anti-Spam Agent Object If you select the Reverse logic check box, the rule is triggered if none of the enabled ASA tools detect spam content in the . SurfControl Filter for SMTP Administrator s Guide 163

181 6 RULES OBJECTS What Objects Anti-Spam Agent Object Best Practice The Anti-Spam Agent object detects spam in two ways: The Digital Fingerprinting tool detects that is known to be spam because it has been seen and categorized by SurfControl in the ASA database. The Heuristics and LexiRules tools detect that has the characteristics of spam. The Digital Fingerprinting tool is extremely accurate at detecting known spam and returns virtually no false positives. The Heuristics and LexiRules tools are highly effective in detecting new, unclassified spam. However, because they assess the likelihood that an is spam, it is possible that legitimate will trigger the rule. For example, a marketing newsletter could share some characteristics with a spam (such as its use of HTML) and therefore trigger the rule. Because of this difference, there are two default rules that use the ASA object: The first ASA rule enables only digital fingerprinting. If an has the digital signature of known spam, it is isolated in the Anti-Spam Agent DFP folder. The second ASA rule enables the Heuristics and LexiRules tools. If any of these tools detect a likely spam it is isolated in the Anti-Spam Agent folder. Separating these functions into two rules means that: Known spam is detected and isolated you can be confident that isolated by the Digital Fingerprint tool into the Anti-Spam Agent DFP folder is spam, and manage it accordingly. isolated by the Heuristics and LexiRules tools are kept in a separate folder, so that you can monitor which s are isolated and assess whether you need to change the sensitivity of the Heuristics tool. Updating the Anti-Spam Agent Object SurfControl continuously updates the Anti-Spam Agent object. SurfControl recommend that you schedule regular updates to the ASA using the Scheduler. See Scheduling Anti-Spam Agent Updates on page Administrator s Guide SurfControl Filter for SMTP

182 RULES OBJECTS What Objects 6 ANTI-VIRUS MALWARE SCANNING (AVMS) OBJECT The Anti-Virus Malware Scanning object uses multiple supplied third-party anti-virus (AV) scanners to detect viruses in s and attachments. Filter uses multiple types of AV scanner to give a comprehensive scan of suspect files. SurfControl Filter breaks up an into its component parts and passes them to the supplied AV scanners for analysis. The AV scanners report the results of the scan using the standard set of codes listed in Appendix C. Filter then deals with the as specified in your rule set. The AVMS object works independently of the Anti-Virus Agent object. You do not need an specific version of your AV software, but you must disable any automatic file-level or directory-level scanning that your AV software performs; at least on the SurfControl Filter subdirectories. Zero-Hour Virus Protection This function detects new borne viruses as they are released to the Internet. To ensure immediate protection against these viruses, it is recommended that you use this function: With at least one scanner in the Anti-Virus Malware Scanning object, and Within a rule that includes an Isolate Action object. Note: You must have a valid Anti-Spam Agent (ASA) and/or AVMS license to continue to use the Zero-Hour Virus Protection feature after the 30-day trial license expires. Configuring the Anti-Virus Malware Scanning Object When you include the AVMS object in a rule, you need to specify: What kind of virus threats the AVMS will scan for. What action the AVMS will take if it finds a virus. Which files are exempt from AVMS scanning. The message that users receive if a virus has been removed or cleaned from their . SurfControl Filter for SMTP Administrator s Guide 165

183 6 RULES OBJECTS What Objects To include the Anti-Virus Malware Scanning in a rule: 1 When you have placed the AVMS object in the rule, the Properties for Anti-Virus Malware Scanning dialog box is displayed. 2 Select a virus scanner, and then click Configure to set the scan options. See Table 6-6 on page 168 and Table 6-7 on page 169 for details of the options. 166 Administrator s Guide SurfControl Filter for SMTP

184 RULES OBJECTS What Objects 6 3 In the Properties for Anti-Virus Malware Scanning screen, select the action that the AVMS should take if it finds a virus: No Action The AVMS takes no action, but the rule is triggered. This is the default action. Delete Virus The AVMS attempts to delete the virus. If it cannot delete it, the rule is triggered. Clean Virus The AVMS attempts to clean the virus. If it cannot clean it, the rule is triggered. Note: For the Authentium scanner, the actions Delete and Clean are the same. 4 If you have selected to delete or clean a virus, you can enter text to be used for the footer of a notification . This text is used when the AVMS has successfully cleaned or deleted the virus from an infected . You can use the variables listed in Table 6-8 on page 170, but the default message is Virus $V was detected in $A, by SurfControl Anti-Virus Malware Scanning. The infected file contents have been removed. 5 To ensure that borne virus threats are detected as they are released to the Internet, click the Zero-Hour Virus Protection tab, and then select the Enable Zero-Hour Virus Protection check box. SurfControl Filter for SMTP Administrator s Guide 167

185 6 RULES OBJECTS What Objects 6 To specify which files will not be scanned, in the Properties for Anti-Virus Malware Scanning dialog box, click Exclude Files. The Exclude Files dialog box is displayed. 7 Click Add. The Add Filename dialog box is displayed. 8 Enter the filename of the file to be excluded from scanning, and then click OK. The file is listed in the Exclude Files dialog box. The AVMS will not scan any of the files listed. 9 Add more files as needed. Scan Options - McAfee Configuration You can specify what kind of virus threats the AVMS will detect when using the McAfee scanner. Select one, multiple or all of the options. Table 6-6 AVMS scan options McAfee configuration Scanning method Treat Errors as Infected Treat Encrypted Files as Infected Treat Macros as Infected Heuristic Analysis What it does All errors found when scanning s will be assumed to be virus-related and treated in the same way. All encrypted files found when scanning s will be assumed to be virusrelated and treated in the same way. All macros found when scanning s will be assumed to be virus-related and treated in the same way. Heuristic Analysis means anti-virus software can recognize a virus without ever having seen that virus before. If the anti-virus software detects virus-like traits in a file, the AVMS will treat that file as if it was infected with a virus. 168 Administrator s Guide SurfControl Filter for SMTP

186 RULES OBJECTS What Objects 6 Table 6-6 AVMS scan options McAfee configuration (Continued) Scanning method Macro Analysis Scan All Files for Macros Delete All Macros Malicious Applications Joke/Hoax Viruses What it does All macros found will be dissected and scanned for the presence of viruses. If the analysis of a macro within any scanned file reveals it to be infected, it is reported to the Anti-Virus Malware Scanning object. By default, the Anti-Virus Agent submits only files from the Document Files group to the Anti-Virus Malware Scanner for analysis. With this option selected, all files are scanned for macros, regardless of their file type and if a macro is found, it is reported to the Anti-Virus Malware Scanning object. Deletes all macros found in files. Malicious applications include any software that has effects unintended by or prejudicial to the user; usually where these effects are hidden. If the anti-virus software detects a malicious application, it will report it to the Anti-Virus Malware Scanning object Joke or Hoax viruses do not destroy or interfere with the working of the computer system. They do, however, act as a nuisance to the user and can place an load on your server. With this option selected, the anti-virus software will scan files for the presence of joke/hoax viruses and if detected, a positive virus return code is reported back to the AVMS object. Scan Options - Authentium Configuration You can specify what kind of virus threats the AVMS will detect when using the Authentium scanner. Select one, multiple or all of the options. Table 6-7 AVMS scan options Authentium configuration Scanning method Treat Errors as Infected Treat Encrypted Files as Infected Treat Suspicious Files as Infected Neural Network Heuristics Description All errors found when scanning s will be assumed to be virus-related and treated in the same way. All encrypted files found when scanning s will be assumed to be virusrelated and treated in the same way. All suspicious files found when scanning s will be assumed to be virusrelated and treated in the same way. To use Neural Networks to scan for viruses. (Authentium description) Heuristic Analysis means anti-virus software can recognize a virus without ever having seen that virus before. If the anti-virus software detects virus-like traits in a file, the Anti-Virus Malware Scanning object will treat that file as if it was infected with a virus. SurfControl Filter for SMTP Administrator s Guide 169

187 6 RULES OBJECTS What Objects Table 6-7 AVMS scan options Authentium configuration (Continued) Scanning method Paranoid Delete All Macros Guess OLE2 Description To set the engine to be totally paranoid. Not recommended. (Authentium description) Deletes all macros found in files. To force the engine to guess OLE2 files. Not recommended. (Authentium description) Notification Footer If the AVMS deletes or cleans a virus from an you can add a footer to tell the recipient that this has happened. As well as free text, you can insert the following variable codes into the footer. Table 6-8 Virus notification footer variables Variable What it means $A The name of the infected file $B The subject $D The date that the was processed $F The filename $N The name of the triggered rule $R The recipient s name $S The senders name $T The time of processing $V The name of the virus detected by McAfee DLL anti-virus $Z The size 170 Administrator s Guide SurfControl Filter for SMTP

188 RULES OBJECTS What Objects 6 So, for example, you could type the text: Virus $V was detected in $A, by SurfControl Anti-Virus Malware Scanning. The infected file contents have been removed. This would add the following text to the infected Virus (virus name) was detected in (file name) by SurfControl Anti-Virus Malware Scanning. The infected file contents have been removed. Updating Anti-Virus Malware Scanning You can schedule regular updates to the Anti-Virus Malware Scanner using the Scheduler. This will keep your system safe against new viruses. If you are evaluating Filter, you can download updates for the duration of the 30-day evaluation period. For more details, see Scheduling Anti-Virus Malware Scanning Updates on page 281. SurfControl Filter for SMTP Administrator s Guide 171

189 6 RULES OBJECTS What Objects DICTIONARY THRESHOLD OBJECT The Dictionary Threshold object uses a library of dictionaries to detect content that your organization may want to avoid. These dictionaries contain words associated with different aspects of unwanted content, for example adult material, hate speech and gambling. Filter is pre-configured with the following dictionaries: Adult Alcohol/Tobacco/Drugs Arts/Entertainment Computing/Internet/hacking Compliance - Credit Cards Compliance - Finance Compliance - Medical Procedures Compliance - Personal Identifiers Confidential Finance Gambling Hate speech/offensive Job search Medical/Healthcare Shopping Spam Spam Misspellings Sports Travel Violence/Weapons Each word in these dictionaries is assigned a value, which is used in the Dictionary Threshold object. You can edit these dictionaries by adding or deleting words, or by changing the values. You can also create new dictionaries see Dictionary Management on page 255. Configuring the Dictionary Threshold Object To configure the Dictionary Threshold object you need to specify: What kind of content you want the rule to detect. Which parts of the you want to scan for dictionary content. The dictionary score required to trigger the rule. 172 Administrator s Guide SurfControl Filter for SMTP

190 RULES OBJECTS What Objects 6 How the Dictionary Threshold Object Works If words in an match the entries in one or more dictionaries, the values of the words are added to produce a total. If this total is equal to, or greater than, the threshold specified in the Dictionary Threshold object, the rule is triggered. Example: 1 Set a rule to trigger the Dictionary Threshold object for the Gambling dictionary at The SurfControl server receives an that contains the words baccarat, blackjack and slot machine. 3 Each of these words has a value of 50. Therefore = 150, which equals the threshold. 4 The rule is triggered. To include the Dictionary Threshold object in a rule: 1 When you have placed the Dictionary Threshold object in the rule, the Properties for Dictionary Threshold dialog box is displayed. 2 Select the categories of content you want to detect, or select All Categories. 3 Message Parts: Select the parts of the you want to scan for dictionary content: Entire Message Header Body Attachments. SurfControl Filter for SMTP Administrator s Guide 173

191 6 RULES OBJECTS What Objects 4 Threshold: The threshold that will trigger the rule. Default = 100 Note: If you have selected more than one dictionary, the threshold is cumulative across all of the selected dictionaries. 5 Click OK. Reverse Logic Dictionary Threshold Object If you select the Reverse logic check box, the rule is triggered if the selected part of the has a score equal to or lower than the threshold. EXTERNAL PROGRAM PLUGIN OBJECT The External Program PlugIn object integrates SurfControl Filter with an external executable or batch file. You can use an external program to run a third-party command-line executable that does not require user input. You can use this executable to either check s for a condition, or to perform an action when an meets a condition. The command must return a standard code (Return Value) for the external program to check for a condition. To include the External Program PlugIn object in a rule: 1 When you have placed the External Program PlugIn object in the rule, the Properties for External Program PlugIn dialog box is displayed. 2 Select the location of the external program. 174 Administrator s Guide SurfControl Filter for SMTP

192 RULES OBJECTS What Objects 6 3 Command Line Parameters: Enter the command line parameters and/or the message part operators. Command line parameters See the external program s documentation. Message part operators To automatically add text from the to form part of the external program trigger. See Message Part Operators on page You can set a return value and a logical condition that will trigger the rule for that value. See Return Value Conditions on page 176. See the external program s documentation for details of standard codes that the program returns. Will Return TRUE: The condition for the return value that will trigger the rule. Return Value: The return value that will trigger the rule if it meets the Will Return TRUE: condition. 5 Timeout Period: This is the time that Filter will allow for the external program to complete its function. If the external program takes longer than the period specified, the rule is triggered. Command Line Parameters You can enter parameters for the executable or batch file. A list of these parameters should be available in the documentation supplied with the PlugIn program. Message Part Operators. The following table describes the message part operators. Table 6-9 Message part operators Operator What it means $F The file name. $S The sender s address. $R The recipient s address. $D The date that the was processed. $T The time that the was processed. $B The subject. $Z The size of the . $N The name of the triggered rule. SurfControl Filter for SMTP Administrator s Guide 175

193 6 RULES OBJECTS What Objects Table 6-9 Message part operators Operator What it means $W Current working directory. $V The name of the virus detected by the Anti-Virus Agent. Return Value Conditions When you have set a return value, you must specify a condition that will trigger the rule when using that value. The following table describes how the rule is triggered using the value in the dialog box ( N ) and the condition. Table 6-10 Conditions for return values Logical condition The rule is triggered if... Always The return value returned is N. Never The value returned is any other value than N. Less than The value returned is less than N. Less than or equal to The value returned is less than or equal to N. Greater than The value returned is greater than N. Greater than or equal to The value returned is greater than or equal to N. Reverse Logic External Program Plugin Object Table 6-11 describes the results if you select the Reverse logic check box for the External Program Plugin object. Table 6-11 Reverse logic External Program Plugin object Logical condition Result Always The rule is triggered if the value returned is not N. Never The rule is triggered if the value returned is N. 176 Administrator s Guide SurfControl Filter for SMTP

194 RULES OBJECTS What Objects 6 Table 6-11 Reverse logic External Program Plugin object Logical condition Less than Result The rule is triggered if the value returned is greater than or equal to N. Less than or equal to The rule is triggered if the value returned is greater than N. Greater than The rule is triggered if the value is less than or equal to N. Greater than or equal to The rule is triggered if the value returned is less than N. FILE ATTACHMENT OBJECT The File Attachment object triggers a rule when it detects a selected, supported file type as an attachment to an . Filter can also detect the original format of a file, even if file has been renamed. You can add other file types if they are supported. For details of supported file types, see Table B-1 on page Filter can also scan archive files, which it attempts to split into individual files. If successful, Filter compares the individual file types with the file types defined in the object. If unsuccessful, Filter applies a rule condition If Message contains any archive files to the file. Note: If you configure the File Attachment object to trigger the rule when it detects document files, the rule is also triggered if it detects Web archive files (.mht). The following archive file types can be detected, but not decompressed: ARJ (password protected) ARC (password protected) BZ2 LBR LZH UUE. SurfControl Filter for SMTP Administrator s Guide 177

195 6 RULES OBJECTS What Objects Configuring the File Attachment Object To include the File Attachment object in a rule: 1 When you have placed the File Attachment object in the rule, the Properties for File Attachment dialog box is displayed. 2 You can select: Groups of file types, such as image files. Individual file types, such as.jpg,.mp3, and so on. The Any attachment check box. 3 Add extension... You can also add file types to the list. See Adding File Types on page Administrator s Guide SurfControl Filter for SMTP

196 RULES OBJECTS What Objects 6 4 Advanced... For archive files, you can select further processing: Trigger Archive file types only on archive files that cannot be decompressed The rule is triggered if the archive file cannot be decompressed. If Filter detects an archive file that it can decompress, it will scan the component files and apply the enabled rule set to them. Trigger Archive file types on any archive file The rule is triggered if any archive file is detected. You can also specify that the rule is triggered only if all the files attached to an are of the same type. Adding File Types Note: Ensure that the file type that you are adding is supported; Filter cannot detect unsupported file types if they have been renamed. To add a file type to the list: 1 When you have clicked Add extension... in the Properties for File Attachment dialog box, the Add File Extension dialog box is displayed. 2 Enter the file type, but do not include the period (. ) character in the extension. SurfControl Filter for SMTP Administrator s Guide 179

197 6 RULES OBJECTS What Objects 3 Click OK. The new file type is displayed in the list under the File extensions category. By default, the file type is not selected. Reverse Logic File Attachment Object If you select the Reverse logic check box, the rule is triggered if: No attachments are detected. More than one attachment is detected, but the attachments are not of the same file type. ILLEGAL MIME FORMAT OBJECT Multipurpose Internet Mail Extensions (MIME), is an Internet standard that specifies the format of s so that they can be exchanged between different systems. MIME s can contain text, images, audio, video, or other application-specific data. Mail clients translate (demime) s and attachments so that they can be read. However, in most mail clients, the tolerance of flawed coding can cause a security risk. A rule that contains the Illegal MIME Format object can be triggered if: A mail client produces a non-standard . An attachment is invalid. The contains malicious code. Recommendation: Implement the Illegal MIME Format object in a rule at the top of the rules list, and place any s that trigger the rule into a dedicated \Isolate folder for analysis. Caution: Some s that are detected and isolated by this object could contain viruses. 180 Administrator s Guide SurfControl Filter for SMTP

198 RULES OBJECTS What Objects 6 Configuring the Illegal MIME Format Object To include the Illegal Mime Format object in a rule: 1 When you have placed the Illegal MIME Format object in the rule, the Properties for Illegal MIME Format dialog box is displayed. 2 Select either or both of the check boxes: Detect non-standard message Scans only the body of an to detect non-rfc standards compliant s. Detect invalid attachments Scans only attachments to detect files that have an invalid format and have failed to demime correctly. Reverse Logic - Illegal MIME Format object If you select the Reverse logic check box, the rule is triggered if: Detect non-standard message Filter does not detect a non-rfc standards compliant . Detect invalid attachments Filter does not detect attachments that have an invalid format and have failed to demime correctly. SurfControl Filter for SMTP Administrator s Guide 181

199 6 RULES OBJECTS What Objects INTERNET THREAT DATABASE OBJECT Use the Internet Threat Database object to prevent inappropriate Web links being sent or received by . This object detects s containing a URL, and checks that URL against the Internet Threat Database. This database classifies billions of Web sites into the following categories: Adult/Sexually Explicit Criminal Skills Drugs, Alcohol and Tobacco Gambling Hacking/Spyware Intolerance/Hate Violence/Tasteless Weapons The Internet Threat Database is an optional component that needs a separate license. If you are an evaluating customer, you can use the Internet Threat Database object for the duration of your 30-day evaluation period. To buy a license, please contact SurfControl Sales. Configuring the Internet Threat Database Object To configure the Internet Threat Database, you need to specify the categories that are to be detected. To include the Internet Threat Database object in a rule: 1 When you have placed the Internet Threat Database object in the rule, the Properties for Internet Threat Database dialog box is displayed. 2 Select one or more categories of URL that are to be detected, or click Select all Categories. 182 Administrator s Guide SurfControl Filter for SMTP

200 RULES OBJECTS What Objects 6 Reverse Logic Internet Threat Database Object If you select the Reverse logic check box, the rule is triggered if an contains a URL that does not match any of the selected categories. LEXIMATCH OBJECT The LexiMatch object uses advanced Boolean searches to check for specific words or combinations of words. You can use this object to trigger a rule when words are used in one context, for example, breast enlargement, but allow the same word to be used in a different context, for example, breast cancer. Configuring the LexiMatch Object To configure the LexiMatch object, you need to: 1 Select which parts of the to scan for LexiMatch content. 2 Select words from the dictionaries and specify the relationship between them to create word patterns. Connecting Words There are three operators that you can use to join words from the dictionary. Table 6-12 describes the operators using the example words Red and Blue Table 6-12 Word operators Operator Example word pattern What it does AND Red AND Blue If the scanned part of the contains the word Red and the word Blue, the rule will trigger. The words can occur any distance apart and in any order. OR Red OR Blue If the scanned part of the contains either the word Red or the word Blue, the rule will trigger. NEAR Red NEAR Blue If the scanned part of the contains both Red and Blue within the number of characters specified in the NEAR distance, the rule will trigger. If the two words are further apart than the specified NEAR distance, the rule will not trigger. Using the NEAR Word Operator When you create a word pattern using the NEAR operator, Filter uses the distance between the first letter of the first word and the first letter of the second word as the NEAR distance. You can set a different NEAR distance in each rule that uses the LexiMatch object. SurfControl Filter for SMTP Administrator s Guide 183

201 6 RULES OBJECTS What Objects Joining Word Patterns Together You can also join word patterns together to form more sophisticated combinations by using JOIN commands. Table 6-13 describes the JOIN command by using examples Phrase A and Phrase B. Table 6-13 JOIN commands Command Example What it does AND Phrase A AND Phrase B The rule is triggered if the scanned part of the contains Phrase A and Phrase B. AND NOT Phrase A AND NOT Phrase B The rule is triggered if the scanned part of the contains Phrase A but NOT Phrase B. OR Phrase A OR Phrase B The rule is triggered if the scanned part of the contains either Phrase A or Phrase B. OR NOT Phrase A OR NOT Phrase B The rule is triggered if either: the scanned part of the contains Phrase A, or the scanned part of the does not contain Phrase A and also does not contain Phrase B. Including the LexiMatch Object in a Rule To include the LexiMatch object in a rule: 1 When you have placed the LexiMatch object in the rule, the Properties for LexiMatch dialog box is displayed. 184 Administrator s Guide SurfControl Filter for SMTP

202 RULES OBJECTS What Objects 6 2 Select the part of the that is t to be scanned for LexiMatch content: Entire Message Header Body Attachments Creating Word Patterns. To create a word pattern: 1 Select the dictionary, for example, Finance. Note: You can select a different dictionary for each word in your word pattern. 2 Select the first word in your word pattern, for example, Stocks. 3 Select the second word in your word pattern, for example, Shares. 4 Select the Operator to define the relationship between the two words, for example, Stocks AND Shares. SurfControl Filter for SMTP Administrator s Guide 185

203 6 RULES OBJECTS What Objects 5 If your word pattern uses the NEAR operator, you can change the NEAR distance. This is the number of characters between the first letter of the first word and the first letter of the second word. Joining Word Patterns Together. To join word patterns, join the two word patterns together using the JOIN operator. Reverse Logic LexiMatch Object If you select the Reverse logic check box, the rule is triggered if the does not contain the specified words or word patterns, or the word patterns do not meet the specified conditions, for example, NEAR distance. Reversing the logic of a LexiMatch object is useful if you combine the LexiMatch object with a Dictionary Threshold object. For example, you can create a rule that is triggered if it detects words from the Adult dictionary, which would not trigger if the same words were used in, for example, a medical context. Figure 6-5 shows the results of using reverse logic LexiMatch object with a Dictionary Threshold object. Figure 6-5 Using a Reverse logic Leximatch object with a Dictionary Threshold object 186 Administrator s Guide SurfControl Filter for SMTP

204 RULES OBJECTS What Objects 6 LOOP DETECTION OBJECT The Loop Detection object detects looping s between two or more servers. It can detect four different kinds of looping s: Single looping. Looping s due to Auto-Forwarding rules on servers. Outgoing reply to Delivery-failure looping s. Looping of Delivery-failure s to and from the same user. The Loop Detection object marks each passing through it with a unique domain ID. If the mark is already there the Loop Detection object recognizes that it has been processed before and checks it for looping. The best way to deal with looping s is to isolate them into a dedicated folder. Configuring the Loop Detection Object To include the Loop Detection object in a rule you need to specify: How many occurrences of an will trigger the rule. The condition that will identify the as looping: Greater than or equals if the occurrences of one reach the number specified in Message Occurrences, or higher, the loop detection object will trigger. Equals if the occurrences of one reach exactly the number specified in Message Occurrences, the loop detection object will trigger. The Loop Detection object also checks the header of s to detect delivery failure notices. Because looping is commonly caused by delivery failure notices, you can set the Loop Detection object to trigger the rule when it encounters the header of a delivery failure notice. By default, the loop detection object will trigger the rule if the header contains any of the following: <> could not be sent delivery failure postmaster report-type=delivery status. You can edit this list see Configuring Delivery Failure Loop Detection on page 189. However, s that contain a non-delivery item in the header need to loop only once to be isolated. This is independent of the number of occurrences that you set. Also, s that contain a non-delivery item in the header and also the same address for both sender and recipient will be isolated the first time they are detected. However, if anti-spoofing (see Anti-Spoofing on page 29) is enabled, the s will be isolated by the anti-spoofing function. SurfControl Filter for SMTP Administrator s Guide 187

205 6 RULES OBJECTS What Objects To include the Loop Detection object in a rule: 1 When you have placed the Loop Detection object in the rule, the Properties for Loop Detection dialog box is displayed. 2 Enter the number of occurrences of the same that will trigger the rule. Default = 5 3 Enter the condition that will trigger the rule: Greater than or equals The rule is triggered if the number of times that the passes through Filter is greater than or equal to the Message occurrences setting. Equals If the number of times that the passes through Filter is equal to the Message occurrences setting. 188 Administrator s Guide SurfControl Filter for SMTP

206 RULES OBJECTS What Objects 6 Configuring Delivery Failure Loop Detection. To configure delivery failure loop detection: 1 In the Delivery Failure loop detection area, click Configure The Delivery Failure Configuration dialog box is displayed. 2 Click Add The Add message header text dialog box is displayed. Enter the text to be used to identify delivery failure messages, for example Failure Notice. The Loop Detection object will check the message header to see if it contains this text string. 3 Click OK. The text string is displayed in the Delivery Failure Configuration dialog box. Advanced Settings You can configure the following advanced settings: Unique Identifier The Loop Detection object uses a unique identifier to track s as they pass through SurfControl Filter. The default number that is generated during installation is displayed in the box, but you can edit this number. If you are running Filter on more than one server, you should edit the number to ensure that all servers in your domain share the same Unique Identifier. Forwarded Messages Looping is sometimes caused by auto-forwarding s as attachments. You can specify the number of levels of nesting that are allowed in forwarded s before triggering the loop detection object. Default = 3 Maximum level of nesting = 25. SurfControl Filter for SMTP Administrator s Guide 189

207 6 RULES OBJECTS What Objects To configure the advanced settings: 1 In the Properties for Loop Detection dialog box, click Advanced The Advanced dialog box is displayed. 2 Unique Identifier Enter the code to be used as a unique identifier for s. Maximum = 36 characters. 3 Forwarded Messages Enter the number of levels of nesting to allow in forwarded s. Default = 3 Maximum = 25 Reverse Logic Loop Detection Object Table 6-14 describes the results of selecting the Reverse logic check box for the Loop Detection object. Table 6-14 Reverse logic Loop Detection object Condition Greater than or Equals Equals Result The rule is triggered if the passes through filter less than N times. The rule is triggered if the does not pass through Filter exactly N times. 190 Administrator s Guide SurfControl Filter for SMTP

208 RULES OBJECTS What Objects 6 MESSAGE SIZE OBJECT The Message Size object enables you to restrict the size (in KB) of s or files sent as attachments to s. Configuring the Message Size Object To configure the Message Size object: 1 When you have placed the Message Size object in the rule, the Properties for Message Size dialog box is displayed. 2 Select to restrict either: The total size of an , or The size of the largest file attachment in an . 3 Enter a value for the maximum file size to allow. Reverse Logic Message Size Object If you select the Reverse logic check box, the rule is triggered if an or attachment is smaller than the maximum size specified. SurfControl Filter for SMTP Administrator s Guide 191

209 6 RULES OBJECTS What Objects NUMBER OF RECIPIENTS OBJECT The Number of Recipients object limits the number of users that can receive a single . This is useful for managing your corporate bandwidth. Configuring the Number of Recipients Object To include the Number of Recipients object in a rule: 1 When you have placed the Number of Recipients object in the rule, the Properties for Number of Recipients dialog box is displayed. 2 Enter the maximum number of recipients for a single . The rule is triggered if an has more than this number of recipients. Reverse Logic Number of Recipients Object If you select the Reverse logic check box, the rule is triggered if an is sent to fewer than the maximum number of recipients specified. 192 Administrator s Guide SurfControl Filter for SMTP

210 RULES OBJECTS What Objects 6 THIRD-PARTY VIRUS SCANNING OBJECT The Third-party Virus Scanning object uses your third-party anti-virus (AV) scanning software to detect viruses in s and attachments. Filter can use multiple types of AV scanner to give a comprehensive scan of suspect files. SurfControl Filter breaks up an into its component parts and passes them to the AV scanners for analysis. The AV scanners report the results of the scan using the standardized set of codes listed in Appendix C. Filter then deals with the as specified in your rule set. The Third-party Virus Scanning object works independently of the Anti-Virus Agent object. You do not need an specific version of your AV software, but you must disable any automatic file level or directory-level scanning that your AV software performs, at least on the SurfControl Filter subdirectories. Configuring the Third-party Virus Scanning Object Filter is integrated with the AV scanners listed in Table Alternatively, you can configure the Third-party Virus Scanning object to use any other command line-based AV product. Table 6-15 Fully integrated AV scanners Type Scanner Find out more DLL based Sophos SAVI Selecting an Anti-Virus Scanner on page 194 Command line McAfee/Network Associates NetShield Executable (scan.exe) Configuring a Command Line Scanner on page 196 ICAP Symantec Anti-Virus Scan Engine (SAVSE) Configuring a SAVSE Scanner on page 197 Recommended: For sites with high volumes of traffic, SurfControl recommends using DLL based scanners rather than command line scanners. DLL scanners are usually faster because they reside in computer memory. SurfControl Filter for SMTP Administrator s Guide 193

211 6 RULES OBJECTS What Objects Selecting an Anti-Virus Scanner To select a scanner: 1 When you have placed the Third-Party Virus Scanning object in the rule, the Properties for Third-Party Virus Scanning dialog box is displayed. 2 Select Force Scan. 3 To select a scanner, click Add The Select Virus Scanner dialog box is displayed. 4 Select a scanner from the list, and then click OK. See the following procedures to configure each type of scanner: DLL No procedure, the scanner is displayed in the Selected Third-Party Virus Scanners: list. Command line Configuring a Command Line Scanner on page 196. If your scanner is not in the list, click Other Vendor. ICAP Configuring a SAVSE Scanner on page 197. When you have selected and configured your scanner, see step Administrator s Guide SurfControl Filter for SMTP

212 RULES OBJECTS What Objects 6 5 When you have selected and configured your scanner, select the scan evaluation code that will trigger the rule. If your scanner returns a value equal to or higher than this code, the Anti-Virus Scanning object triggers the rule. For example, if you set the code to 001, and the anti-virus scanning software reports with code 010, this means that either: A virus has been found, or There was an error scanning the file. 6 Click OK. Reverse Logic Third-Party Virus Scanning Object If you select the Reverse logic check box, the rule is triggered if the third-party virus scanner returns a scan evaluation code less than the specified scan evaluation code. SurfControl Filter for SMTP Administrator s Guide 195

213 6 RULES OBJECTS What Objects Configuring a Command Line Scanner To configure a command line scanner: 1 In the Third-Party Virus Product Configuration dialog box, enter or browse to the location of the.exe file for your scanner. The default location for any product listed in Table 6-15 on page 193 is displayed automatically. 2 Default Parameters text box: This contains instructions for your anti-virus scanner. The default parameters for any product listed in Table 6-15 on page 193 are displayed automatically. Codes for any third-party virus scanner that is not in the list will be listed in the documentation supplied with your third-party virus scanning software. 3 Timeout Period text box: The amount of time that Filter will wait for the scan to complete. If the virus software does not respond within this time, Filter moves on to the next processing step in the rule. 4 Click OK. The scanner is displayed in the Properties for Third-Party Virus Scanning dialog box. 196 Administrator s Guide SurfControl Filter for SMTP

214 RULES OBJECTS What Objects 6 Configuring a SAVSE Scanner To configure a SAVSE scanner: 1 In the Third-Party Virus Product Configuration dialog box, select Add The SAVSE Server Configuration dialog box is displayed. 2 SAVSE Server IP text box: i Enter the IP address of the SAVSE Server. If SAVSE is installed on the same machine as Filter, enter ii Click Test If the connection is successful, a message shows the virus definition date. If Filter cannot connect to the SAVSE server, an error message is displayed. Check that the IP address is correct. 3 SAVSE Server Port Number text box: The port that Filter will use to communicate with the SAVSE server. 4 Fail Retry Time text box: The length of time in seconds that Filter will wait before retrying a connection if the first connection is unsuccessful. 5 Scan Timeout text box: The amount of time that Filter will wait for the scan to complete. If the virus software does not respond within this time, Filter moves on to the next processing step in the rule. SurfControl Filter for SMTP Administrator s Guide 197

215 6 RULES OBJECTS What Objects 6 Click OK. The SAVSE scanner is listed in the Third-Party Virus Product Configuration dialog box. 7 Click OK. The SAVSE scanner is listed on the Properties for Third-Party Virus Scanning dialog box. Multiple Virus Scans You can allow multiple virus scans of the same file to take place when: You have enabled more than one rule that uses the Third-Party Virus Scanning object. You have configured the Third-Party Virus Scanning object to use more than one third-party virus product. By default, once an has been scanned once, the results of the scan will be carried over and applied when there is a further instance of the Third-Party Virus Scanning object. To re-scan the each time, select the Force Scan check box on the Third-Party Virus Scanning object dialog box. Avoiding Conflicts with Third-Party AV Products Occasionally, there can be a conflict when third-party anti-virus software is installed on the SurfControl server, and the Filter Rules service and the anti-virus service try to access the \In folder simultaneously. This can occur whether or not the Anti-Virus Agent or SurfControl Third-Party Virus Scanning object are part of a rule. To prevent this conflict: Exclude the SurfControl root directory from real-time scanning. Do not use your anti-virus software to scan inbound files. You can continue the real-time scanning of outbound s. 198 Administrator s Guide SurfControl Filter for SMTP

216 RULES OBJECTS What Objects 6 VIRTUAL IMAGE AGENT OBJECT The Virtual Image Agent (VIA) uses intelligent scanning technology to analyze graphics files for explicit adult content. You can set the sensitivity of the analysis, but although a higher sensitivity will detect a higher number of explicit adult images, there will also be a higher number of false detections. The VIA is an optional component that needs a separate license. If you are an evaluating customer, you can use the VIA object for the duration of your 30-day evaluation period. To buy a license contact SurfControl Sales. Configuring the VIA Object To include the VIA object in a rule: 1 When you have placed the Virtual Image Agent object in the rule, the Properties for Virtual Image Agent dialog box is displayed. 2 Set the sensitivity, and then click OK. Reverse Logic VIA Object If you select the Reverse logic check box, the rule is triggered if an contains any images, and none of them are caught by the VIA using the specified settings. SurfControl Filter for SMTP Administrator s Guide 199

217 6 RULES OBJECTS What Objects THE VIRTUAL LEARNING AGENT OBJECT You can train the Virtual Learning Agent (VLA) to detect s that contain words or phrases that you have identified as company-confidential or business-critical. This protects your organization from security risks that can arise from leaked information. Note: Before you can use the VLA object in a rule, you must train the VLA to recognize the content that you want to detect. To train the VLA, see Virtual Learning Agent on page 317. Configuring the VLA Object To include the VLA object in a rule: 1 When you have placed the Virtual Learning Agent object in the rule, the Properties for Virtual Learning Agent dialog box is displayed. 2 Select the VLA category that the VLA object is to detect. Reverse Logic VLA Object If you select the Reverse logic check box, the rule is triggered if an does not contain any content that the VLA object recognizes as belonging to a trained VLA category. 200 Administrator s Guide SurfControl Filter for SMTP

218 RULES OBJECTS What Objects 6 WHEN OBJECT Use the When object to control the day and time that a rule is active. For example, you can combine a When object with a Message Size object so that large files are only allowed to be sent over your network outside working hours, when demand for bandwidth is lower. Configuring the When Object To include a When object in a rule: 1 When you have placed the When object in the rule, the Properties for When dialog box is displayed. The rule is triggered if s are detected within the time period that you set. 2 Enter the times that the rule is to start and finish. For example: Start 09:00:00 Finish 17:00:00 The When object uses the 24-hour clock. 3 Enter either: The days of the week that the rule will be active, such as Monday - Friday. The calendar day that the rule will start and/or finish. For example: Trigger after 19 January 2007 Trigger before 25 January This means the rule will be active between January 19 and 25, Reverse Logic When Object If you select the Reverse logic check box, the rule is triggered if the time is outside the start and finish times and days/dates that you have set. SurfControl Filter for SMTP Administrator s Guide 201

219 6 RULES OBJECTS Operations Objects OPERATIONS OBJECTS Operations objects make changes to either an or parts of an , such as the header. Table 6-16 details the Operations objects. Table 6-16 Operations objects Operations object What it does Find out more Save Copy Stores a copy of the in a specified location. page 202 Compress Attachments Compresses attachments into a single archive, reducing the s size. page 203 Footers & Banners Adds a footer or a banner to the . page 206 Header Modification Edits, removes or appends header fields. page 209 HTML Stripper Removes active HTML content from the . page 211 Routing Redirects s to the mail server or MTA you specify. page 212 Strip Attachments Removes attachments from an before sending to the recipient. page 214 SAVE COPY OBJECT Use the Save Copy object to save a copy of a sent or received to a folder that you specify. When you install filter, the setup program creates a folder at a default location that you can use to save a copy of s. However, you can specify a different location when you configure the object to use in a rule. You can also select whether the is to be saved in its current (after processing) or original (before processing) form. 202 Administrator s Guide SurfControl Filter for SMTP

220 RULES OBJECTS Operations Objects 6 Configuring the Save Copy Object To include the Save Copy object in a rule: 1 When you have placed the Save Copy object in the rule, the Properties for Save Copy dialog box is displayed. 2 Enter or browse to the folder where you want to save s. The default folder is in the folder \SurfControl Filter 3 Select how you want s to be saved: Copy original message Example, if the has had its HTML content stripped by a previous rule, a copy of the will be saved with its HTML content still present. Copy current message state Example, if the has had its HTML content stripped by a preceding rule, a copy of the will be saved without its HTML content. COMPRESS ATTACHMENTS OBJECT Use the Compress Attachments object to compress file attachments, which reduces file size and conserves network bandwidth. For details of supported file types, see Table B-1 on page 376. You can also: Select to create a log entry of this operation in the system database. Specify a name of the file that will contain the compressed attachments. SurfControl Filter for SMTP Administrator s Guide 203

221 6 RULES OBJECTS Operations Objects Configuring the Compress Attachments Object To include the Compress Attachments object in a rule: 1 When you have placed the Compress Attachments object in the rule, the Properties for Compress Attachments dialog box is displayed. 2 Select the file types that you want Filter to compress: All attachments Attachments of the type selected Go to step 3. Attachments of the type not selected Go to step 4. You can add supported file types to the list. See Adding File Types on page If you selected Attachments of the type selected, select the file types to compress. You can select groups of file types, such as audio files, or individual file types, such as.mp3 files. 4 If you selected Attachments of the type not selected, select those file types that are NOT to be compressed. 204 Administrator s Guide SurfControl Filter for SMTP

222 RULES OBJECTS Operations Objects 6 5 Click Advanced properties. The Advanced Properties dialog box is displayed. To record that an attachment has been compressed, select Log this operation to the database. If needed, enter the name of the file that will contain the compressed attachments. Default = attachments.zip 6 Click OK. Adding File Types If you have added a file type when configuring the File Attachment object (see File Attachment Object on page 177), the file type will already be included in the Compress Attachments list. For details of supported file types, see Table B-1 on page 376. To add a file type to the list: 1 When you have clicked Add extension... in the Properties for Compress Attachments dialog box, the Add File Extension dialog box is displayed. Enter the file type, but do not include the period (. ) character in the extension. SurfControl Filter for SMTP Administrator s Guide 205

223 6 RULES OBJECTS Operations Objects 2 Click OK. The new file type is displayed in the list under the File extensions category. By default, the file type is not selected. FOOTERS AND BANNERS OBJECT You can add footers and banners to an , for example to act as a disclaimer. A footer is attached at the end of an , a banner at the beginning. When you use the Footers and Banners object in a rule, you need to decide: To add either a footer or a banner. If the footer or banner is to be included in all s, or for selected users or groups. The text of the footer or banner. If the footer or banner will override the previous one. 206 Administrator s Guide SurfControl Filter for SMTP

224 RULES OBJECTS Operations Objects 6 Configuring the Footers and Banners Object To include the Footers and Banners object in a rule: 1 When you have placed the Footers and Banners object in the rule, the Properties for Footers and Banners dialog box is displayed. 2 Specify users that the footer and/or banner will apply to. This can be: a domain, for example mycompany.com an individual user, for example username@mycompany.com Leave the box blank to apply the footer to all users. 3 You can: Type the footer text, and include variables (see Table 6-17 on page 208) Import text from a text file (see step 6). 4 By default, a footer is added. To add banner text, select Add text as Banner. 5 If you have several footer objects in your rules, but only want one to be displayed on any individual , select Override previous footer or banner. This adds only the last footer of your rules logic to a . SurfControl Filter for SMTP Administrator s Guide 207

225 6 RULES OBJECTS Operations Objects 6 To import Footer/Banner text from a text file, click Import, and then select your text file from the Import Footer dialog box. There is example text for footers and/or banners in \SurfControl Filter\SampleFooter.txt 7 The text is displayed in the Text area. Footer and Banner Variables Table 6-17describes the variables that you can use in footer or banner text. Table 6-17 Footer and banner variables Variable Description $B The subject. $C The dictionary score. $D The date that the was processed. $F The filename. $N The name of the triggered rule. $R The recipient s name. $S The sender s name. $T The time of processing. $V The name of the virus detected by the Anti-Virus Agent. $Z The size of the Administrator s Guide SurfControl Filter for SMTP

226 RULES OBJECTS Operations Objects 6 HEADER MODIFICATION OBJECT You can use the Header Modification object to change header field values, such as the Subject, return path or To: fields. For example, for a generic account for incoming , such as customerservices@mycompany.com, you can use the Header Modification object to modify the To: field of the and replace it with the address of an individual in your organization. Therefore, customers can send an to the generic address, but the will always reach an individual who can respond to it. To include the Header Modification object in a rule you need to decide: Which field of the is to be changed. What changes you want to make to that field. Whether there are any exceptions or whether Filter will always change the field. Configuring the Header Modification Object To include the header modification object in a rule: 1 When you have placed the Header Modification object in the rule, the Properties for Header Modification dialog box is displayed. SurfControl Filter for SMTP Administrator s Guide 209

227 6 RULES OBJECTS Operations Objects 2 Click Add... The Edit Header Field Modification dialog box is displayed. 3 From the Action drop-down list, select how to change the header field (see Table 6-18). 4 Select the header field to change (see Table 6-19 on page 211). 5 Enter the field parameters. The fields that are available depend on the action that you selected. 6 A summary of your selected action is displayed. For example: Find customerservice@mycompany.com in the To:/cc field and replace with andy@mycompany.com; maewong@mycompany.com Header Modification Actions Table 6-18 describes the actions that you can perform on header fields. Not all actions are available for every header field. For example, you cannot perform a remove operation on path fields (X- Envelope-To, To/CC, From or Return Path). Table 6-18 Header modification actions Action Find/Replace Remove Add/Overwrite Add/Append Add/Prepend What it does Finds specific text in the header field and replaces it with your text. Removes the field. This has different results for different fields: If you remove the Subject field, only the subject description is removed and not the field itself. For example, an with Subject: Hello would read Subject:. If you remove the Received and Message ID fields, both the fields and the contents are removed. Overwrites all the contents of the field with your text. Adds your text after the contents of the field. Adds your text that before the contents of the field. 210 Administrator s Guide SurfControl Filter for SMTP

228 RULES OBJECTS Operations Objects 6 Header Modification Fields Table 6-19 describes the fields that you can modify. Table fields you can modify Field X-envelope - to To/cc: From Return path Reply-To Subject Received Message ID Description The delivery information of the . The addresses on the To: or cc: list. The sender s identity. The address that replies to the will be sent to. The originator of the . The text in the Subject line of an . The date and time the was received. The identifier. HTML STRIPPER Use the HTML Stripper object to remove HTML content and/or active HTML components from the body of s. Active content is code that can execute on a client PC (such as JavaScript, VBScript, Java applets or ActiveX objects), often without the user s permission. Active content can also include malicious actions executed by the mail client when the user is viewing the . Configuring the HTML Stripper Object To include the HTML Stripper in a rule: SurfControl Filter for SMTP Administrator s Guide 211

229 6 RULES OBJECTS Operations Objects 1 When you have placed the HTML Stripper object in the rule, the Properties for HTML Stripper dialog box is displayed. 2 Select how Filter will remove HTML content if the rule is triggered: Remove active HTML components You can select to remove various types of active HTML content, for example, scripts, active links, ActiveX, and so on. Remove the HTML from multi-part s and deliver the text-only body Multipart/alternative s contain both a plain text and an HTML part. Which part is shown to the recipient is determined by their client, and (in some cases) by their choice. The HTML Stripper object can remove the HTML from this kind of so that the recipient can only view the in its plain text form. Non-multipart alternative HTML s will be delivered with no body. You can select to either: Remove all active HTML components, or Remove the HTML content entirely. This could mean that the is empty ROUTING OBJECT The Routing object can redirect s that trigger rules to the mail server or MTA of your choice. For example, if your organization has an archiving policy, the Filter can send a copy of s that meet your archiving criteria to the archiving server, while processing the original s as normal. Note: Before you can use the Routing object in rules, you need to configure Smart Host Routing in the Server Configuration console. See Smart Host Routing on page Administrator s Guide SurfControl Filter for SMTP

230 RULES OBJECTS Operations Objects 6 Configuring the Routing Object To include the Routing object in a rule: 1 When you have placed the Routing object in the rule, the Properties for Routing dialog box is displayed. 2 Select what to redirect: This message Filter continues to process the , and then redirects the to the selected Smart Host, unless further rules are triggered that lead to the being isolated or discarded. A copy of this message filter will immediately send a copy of the to the server you specify, without processing it any further. The original will be processed as normal. In current state Example, if the has had its HTML content stripped by a preceding rule, the will be redirected without its HTML content. In original state Example, if the has had its HTML content stripped by a previous rule, the will be delivered with its HTML content still present. 3 Select the Smart Host server that s are to be redirected to. To configure a Smart Host see Smart Host Routing on page 83. SurfControl Filter for SMTP Administrator s Guide 213

231 6 RULES OBJECTS Operations Objects STRIP ATTACHMENTS OBJECT Note: If an archive file (for example, a.zip file) contains a file type that triggers a rule containing the Strip Attachments object, the archive file is stripped from the . The Strip Attachments object removes attachments from s before allowing them to proceed to their destination. You can remove all attachments or just specific formats. For details of supported file types, see Table B-1 on page 376. Configuring the Strip Attachments Object To include the Strip Attachments object in a rule: 1 When you have placed the Strip Attachments object in the rule, the Properties for Strip Attachments dialog box is displayed. 2 You can select: Groups of file types, such as image files. Individual file types, such as.jpg,.mp3, and so on. The Remove all message attachments check box. 3 To add an extension to the list, click Add extension... For details of how to add an extension, see Adding File Types on page Administrator s Guide SurfControl Filter for SMTP

232 RULES OBJECTS Operations Objects 6 Adding File Types If you have added a file type when configuring the File Attachment object (see File Attachment Object on page 177), the file type will already be included in the Strip Attachments list. To add a file type to the list: 1 When you have clicked Add extension... in the Properties for File Attachment dialog box, the Add File Extension dialog box is displayed. 2 Enter the file type, but do not include the period (. ) character in the extension. 3 Click OK. The new file type is displayed in the list under the File extensions category. By default, the file type is not selected. SurfControl Filter for SMTP Administrator s Guide 215

233 6 RULES OBJECTS Notify Objects NOTIFY OBJECTS The Notify objects enable you to send an notification to a user when a rule has been triggered. Table 6-20 details the Notify objects. Table 6-20 Notify objects Notify object What it does Find out more Blind Copy Notification Copies an that has triggered a rule to an interested third party, such as the systems administrator. Notifies an interested party that a rule has been triggered, with the details of the rule. page 216 page 218 BLIND COPY OBJECT The Blind Copy object sends a blind copy of the that has triggered a rule to the user you specify. When you include the Blind Copy object in a rule you need to decide: Who you want to blind copy the to. For example you might want to blind copy the to your organization s HR manager. Whether you want to replace the subject text. You can replace the subject text of the so that the user knows that they are receiving a blind copy notification before they open the . For example, if you were notifying the HR department that a rule had been triggered you could change the subject line to this breaches the AUP. Whether you want the blind copy recipient to be able to reply directly to the sender, or to the systems administrator. 216 Administrator s Guide SurfControl Filter for SMTP

234 RULES OBJECTS Notify Objects 6 Configuring the Blind Copy Object To include the Blind Copy object in a rule: 1 When you have placed the Blind Copy object in the rule, the Properties for Blind Copy dialog box is displayed. 2 Specify who should receive the blind copy: Domain Administrator Select the check box only, or To blind copy another user, enter their address in the Add new bcc recipient: field, and then click Add. 3 The address is displayed in the address area. To remove an address, select it in the list, and then click Remove. 4 To replace the subject text, select Replace Subject Text, and then enter the new text in the field. For a list of variables that you can use in this field, see Table 6-21 on page For replies to the blind copy to be delivered to the Domain Administrator, select Return Path to Domain Administrator. Table 6-21 Subject line variables Variable Description $B The subject. $C The dictionary score. $D The date that the was processed. SurfControl Filter for SMTP Administrator s Guide 217

235 6 RULES OBJECTS Notify Objects Table 6-21 Subject line variables (Continued) Variable Description $F The filename. $N The name of the triggered rule. $R The recipient s name. $S The sender s name. $T The time of processing. $V The name of the virus detected by the Anti-Virus Agent. $Z The size. For example, the text: This has triggered $N and was sent by $S Would show the triggered rule and the sender in the subject line. NOTIFICATION OBJECT You can use the Filter Notification object to inform users that a rule has been triggered. For example, you can notify the sender and the recipient of an , the system administrator and an HR representative. Caution: Do not attach an that you suspect is infected with a virus. Before you include the Notification object in a rule, you need to decide: Who will be notified, for example, the sender and their line manager. The content of the notification . As well as free text, you can use the following variables in the subject line and body of the notification . Whether you want to include the that triggered the rule in the notification . There are two ways you can do this: Attach the original message. Attach the current message state. 218 Administrator s Guide SurfControl Filter for SMTP

236 RULES OBJECTS Notify Objects 6 Configuring the Notification Object To include the Notification object in a rule: 1 When you have placed the Notification object in the rule, the Properties for Notification dialog box is displayed. 2 Specify who the is from. You can: Select a standard option: Domain Administrator If the rule is triggered by an from a protected domain, this is the address that you set in the Protected Domain Properties dialog box in Server Configuration (see Adding Protected Domains on page 27). If the rule is triggered by an that is not from a protected domain, this is the address that you set in the Administration dialog box in Server Configuration (see Administration Settings - General on page 89). In the notification, the From and Return Path fields contain this address. Empty Return Path In the notification, the From field contains the Domain Administrator address, the Return Path field is empty. Enter any address. For example: test@mail.com. In the notification, the From and Return Path fields contain this address. SurfControl Filter for SMTP Administrator s Guide 219

237 6 RULES OBJECTS Notify Objects 3 Specify who to send the notification to. You can: Enter one or more recipients in the To text box. Separate multiple addresses by semicolons, and or Select one or more of the standard options: Message Sender Domain Administrator If the rule is triggered by an from a protected domain, this is the address that you set in the Protected Domain Properties dialog box in Server Configuration (see Adding Protected Domains on page 27). If the rule is triggered by an that is not from a protected domain, this is the address that you set in the Administration dialog box in Server Configuration (see Administration Settings - General on page 89). Message Recipients. 4 Enter the subject of the . Default = Autonotify $B. To edit the subject line using text or variables, see Table 6-22 on page To attach the that triggered the rule, select Include Message as Attachment, and then select one option: Attach original message Example, if the has had its HTML content stripped by a previous rule, a copy of the will be saved with its HTML content still present. Attach current message state Example, if the has had its HTML content stripped by a preceding rule, a copy of the will be saved without its HTML content. The next table describes the variables that you can use in the subject line. Table Notification object variables Variable Description $A The names of any attachments that have been stripped from the . $B The subject. $C The dictionary score. $D The date that the was processed. $F The filename. $N The name of the triggered rule. $R The recipient s name. $S The sender s name. 220 Administrator s Guide SurfControl Filter for SMTP

238 RULES OBJECTS Notify Objects 6 Table Notification object variables (Continued) Variable Description $T The time of processing. $V The name of the virus detected by the Anti-Virus Agent. $Y Inserts the first 10KB of the body of the . $Z The size. SurfControl Filter for SMTP Administrator s Guide 221

239 6 RULES OBJECTS Actions Objects ACTIONS OBJECTS The Actions objects determine what action to take if an meets the conditions of the rule. If an triggers a rule that contains an Action object, no more rules are applied to that . The is moved to the \Out folder ready for delivery into the recipient s mailbox. Without Actions objects, s pass through filter to their destination, even if they trigger a rule. Table 6-23 describes the Actions objects. Table 6-23 Actions objects Allow object What it does Find out more Allow Message Places the in the Out folder for delivery. page 223 Delay Message Delays the delivery of the until the time you specify. page 224 Discard Message Irrevocably deletes the page 225 Isolate Message Places the in the folder you specify so that you can review and analyze it. page Administrator s Guide SurfControl Filter for SMTP

240 RULES OBJECTS Actions Objects 6 ALLOW MESSAGE OBJECT Use the Allow Message object for positive filtering. For example, you could allow all s from your CEO to pass through Filter with the minimum of rules checking, but check s from other members of your organization more thoroughly. Configuring the Allow Message Object To include the Allow Message object in a rule: 1 When you have placed the Allow Message object in the rule, the Properties for Allow Message dialog box is displayed. 2 To create an entry in the logging database when a is allowed, select Log this Action to Rules Database. SurfControl Filter for SMTP Administrator s Guide 223

241 6 RULES OBJECTS Actions Objects DELAY MESSAGE OBJECT You can use the Delay Message object to delay the sending or receipt of s that are likely to place undue load on your network. For example, you could delay s over a certain size until non-working hours. When you use a Delay Message object in a rule, s that trigger the rule will be held in the \Delay folder until the time that you specify. To specify the time that delayed s will be released, you need to configure the Delay Queue in the Server Configuration console. See Queue Management on page 64. Configuring the Delay Message Object To include a Delay Message object in a rule: 1 When you have placed the Delay Message object in the rule, the Properties for Delay Message dialog box is displayed. 2 Click OK. 224 Administrator s Guide SurfControl Filter for SMTP

242 RULES OBJECTS Actions Objects 6 DISCARD MESSAGE OBJECT Use the Discard Message object to delete s, for example, s with attachments that are found to be virus infected. If an triggers a rule that contains a Discard Message object, the is deleted. Caution: You cannot retrieve s that have been discarded. You can select to log Discard Message activity to the SurfControl Filter database. However, if your 30-day evaluation period expires, activity logging stops. Configuring the Discard Message Object To include the Discard Message object in a rule: 1 When you have placed the Discard Message object in the rule, the Properties for Discard Message dialog box is displayed. 2 To create an entry in the logging database when a is discarded, select Log this Action to Rules Database. SurfControl Filter for SMTP Administrator s Guide 225

243 6 RULES OBJECTS Actions Objects ISOLATE MESSAGE OBJECT Using the Isolate Message object, s that have triggered a rule are moved to a separate folder, so that you can review and analyze them. When you install Filter, the following queues are created by default: Anti-Spam Agent Anti-Spam Agent - DFP Compliance Confidential Delay Dictionaries - Spam File Formats Internet Threat DB - Inappropriate Internet Threat DB - Spam Isolate Network Security Offensive PEM Audit Virtual Image Agent Virus VLA - Spam You can create other queues to suit your needs. See Adding a Queue on page 65. When you include the Isolate Message object in a rule, you specify which of the available queues will store s that trigger that rule. 226 Administrator s Guide SurfControl Filter for SMTP

244 RULES OBJECTS Actions Objects 6 Configuring the Isolate Message Object Note: If you are upgrading Filter from a previous version, the new queues will not be created. To include the Isolate Message object in a rule: 1 When you have placed the Isolate Message object in the rule, the Properties for Isolate Message dialog box is displayed. 2 Select the folder (for example \Isolate) that is to be used for isolated s that have triggered the rule. To add a queue, see Adding a Queue on page 65. SurfControl Filter for SMTP Administrator s Guide 227

245 6 RULES OBJECTS Actions Objects 228 Administrator s Guide SurfControl Filter for SMTP

246 7 Message Administrator In This Chapter page 230 Opening the Message Administrator page 230 Configuring Message Administrator page 231 Using Message Administrator page 236 Working with Queues page 245 Working with Logs page 253 Using Queues and Logs with Multiple Servers page 253

247 7 MESSAGE ADMINISTRATOR In This Chapter IN THIS CHAPTER You can use the Message Administrator to review, manage and analyze s that have been placed in queues, and view a record of Filter activity. This chapter explains how to: Configure the Message Administrator Manage s Analyze s. OPENING THE MESSAGE ADMINISTRATOR To open the Message Administrator, select Start > All Programs > SurfControl Filter > Message Administrator The Message Administrator window is displayed. THE MESSAGE ADMINISTRATOR WINDOW Figure 7-1 shows a typical Message Administrator window. Figure 7-1 The Message Administrator window Message Search panel search for s in the database. Message List panel displays the s or log entries in the queue or log that you select from the queues or logs panel. Queues and Logs panels select a queue or log to display their contents. Message Parts panel select components to view. The Message Contents panel view the contents of the selected component. 230 Administrator s Guide SurfControl Filter for SMTP

248 MESSAGE ADMINISTRATOR Configuring Message Administrator 7 CONFIGURING MESSAGE ADMINISTRATOR You can configure the Message Administrator by using the Options dialog box. OPENING MESSAGE ADMINISTRATOR OPTIONS To open the Message Administrator options, select Tools > Options The Options dialog box is displayed. GENERAL TAB Use the General tab to: Specify which file SurfControl Filter uses to automatically reply to s. For example, to tell an sender that their has not been delivered. Specify whether files are automatically saved and their location. Figure 7-2 Message Administrator options General tab Auto-Reply File: The location of the auto-reply text file used to generate responses to specific types of s; the default is Autoreply.txt in your SurfControl Filter root directory. You can edit this file or create a new one by using a text editor, for example, Notepad. See Appendix D for more information. Automatically save files when selected: Select this check box to automatically save files to the identified directory when you click Save. If this check box is not selected, SurfControl Filter will always prompt you to confirm the save operation. Folder to save files: Select the directory where you want to automatically save files. SurfControl Filter for SMTP Administrator s Guide 231

249 7 MESSAGE ADMINISTRATOR Configuring Message Administrator MESSAGES TAB The Messages tab controls: The number of s displayed in the Message List panel for the Message Search and the queues, and log records. How SurfControl Filter behaves when you perform an action on an . Figure 7-3 Message Administrator options Messages tab You can set the number of pages to display, and the number of items to display on each page for the Message Search function, the queues, and the log records. Examples: If Filter is running on the same machine as the Message Administrator, or you have a fast connection, use the default settings. If you have a slow connection, for example, over a dial-up modem, it is recommended that you reduce the number of s and log records displayed. Table 7-1 Message Administrator - default settings Display Items per page Number of pages Message Search Queues Logs Administrator s Guide SurfControl Filter for SMTP

250 MESSAGE ADMINISTRATOR Configuring Message Administrator 7 The Messages tab also contains the following options: Confirm when deleting messages: Select this to be prompted to confirm deletion of the selected . Confirm when releasing all messages: Select this to be prompted to confirm release of s from the selected queue when you click either Release or Release All. Notify when new messages arrive: Select this to display a notification pop-up when a new arrives at the Message Administrator. Select the following message part by default: Select the message part from the drop-down list. This is the part of an that is displayed when you click the in Message Administrator. FILE TYPES TAB The File Types tab controls which file types you can open through the Message Administrator. Figure 7-4 Message Administrator options File Types tab You can view only HTML files within the Message Administrator. To view any other type of file, you need an external viewer installed on your computer. You will be prompted to open non-html files using an external viewer. Click Always Open or Never Open to avoid being prompted. Note: Message Administrator does not control which viewer is used to view files. The viewer is determined by your Windows File Associations. For each file type, you can select one of the following options: Always Prompt: Select this option for the Message Administrator to display a prompt that asks if you want to display the file content for each instance of the file type. Always Open: - Select this option for the Message Administrator to automatically display the file contents of the file type in the associated viewer. SurfControl Filter for SMTP Administrator s Guide 233

251 7 MESSAGE ADMINISTRATOR Configuring Message Administrator Never Open: - Select this option for the Message Administrator to never open files of the selected type. HTML VIEWER TAB The HTML Viewer tab gives you the option of viewing the active HTML content of s while you are reviewing them in the Message Contents panel. This can represent a security risk, as active HTML content can contain malicious code. SurfControl recommend that all the check boxes are cleared, and you avoid viewing active HTML content if possible. Figure 7-5 Message Administrator options HTML Viewer tab COLUMNS TAB Use the Columns tab to specify which columns are visible when you are viewing queues and logs. Figure 7-6 shows a typical Columns tab. 234 Administrator s Guide SurfControl Filter for SMTP

252 MESSAGE ADMINISTRATOR Configuring Message Administrator 7 Figure 7-6 Message Administrator options Columns tab From the Change the columns for: drop-down, select which set of columns is to be changed. The visible columns are shown in the Visible Columns list. Moving Columns To move a column: 1 Select the column in the Visible Columns list. 2 Click the arrows to move the column up or down in the list. Inserting Columns To insert a column: 1 Click Insert to open the Choose a Column... dialog box. 2 Select the column to insert, and then click OK. Hiding Columns To hide a column: 1 Select the column in the Visible Columns list. SurfControl Filter for SMTP Administrator s Guide 235

253 7 MESSAGE ADMINISTRATOR Using Message Administrator 2 Click Hide. 3 When you have made your changes, click Apply, and then click OK. The Options dialog box closes and you return to the Message Administrator. USING MESSAGE ADMINISTRATOR This section describes the panels in the Message Administrator: Message Search Queues Logs Message List Message Parts Message Contents. MESSAGE SEARCH PANEL When you open Message Administrator, the Message Search panel is the default view. You can search for inbound and/or outbound s within supplied, selectable date ranges, or your own custom date range. The Received: list refers to the date that Filter received the . You can select to search using friendly names and addresses, or only using addresses, which is faster. To select this, click the down arrow part of the Search button. 236 Administrator s Guide SurfControl Filter for SMTP

254 MESSAGE ADMINISTRATOR Using Message Administrator 7 Figure 7-7 Message Search panel Example Robert has sent an to a number of people, and Simon says that he has not received it. Robert contacts you to find out what happened. You use Message Search to search for recent s from Robert and/or to Simon. All matches are shown in the Message List panel; the search names or part names can be anywhere in the sender s and/or receiver s friendly name or address. By default, the results are shown in reverse chronological order. You select the likely , and its details are displayed in the Message Parts panel and the Message Contents panel. However, these views are only available for s that are in the queues. Message History. You can further examine details of the by clicking Message History on the toolbar. SurfControl Filter for SMTP Administrator s Guide 237

255 7 MESSAGE ADMINISTRATOR Using Message Administrator Figure 7-8 Message History The details in this view could, for example, tell you that the recipient s gateway was unavailable. If you want to send these details to other interested parties, you can save in the following formats: Complete Web page (*.htm, *.html) Web archive (*.mht) HTML-only Web page (*.htm, *.html) Text file (*.txt). QUEUES PANEL This panel shows: The Delay and Isolate queues. Any other queues that you have configured using Server Configuration. See Queue Management on page 64. You can display the contents of a queue for: Today Yesterday Last 7 days 238 Administrator s Guide SurfControl Filter for SMTP

256 MESSAGE ADMINISTRATOR Using Message Administrator 7 Last 30 days All records. Figure 7-9 Queues panel To the right of each queue is the number of records that it currently contains. Click a queue or log to display its contents in the Message List panel. LOGS PANEL For the period you select, this panel shows a list of: Connection log The connections from the host servers to Filter. Receive log s that have been received by Receive service. Rules log s that have triggered a rule, including the rule name, policy type and the size of the . Audit log Actions that have been carried out on s, including the audit user, audit type and activity for each . Send log s that have been received and released by the Send service, including the route, IP address of the mail server, size of the and the SMTP code. System log All system activity. You can display the contents of a queue for periods of: Today SurfControl Filter for SMTP Administrator s Guide 239

257 7 MESSAGE ADMINISTRATOR Using Message Administrator Yesterday Last 7 days Last 30 days All records. Figure 7-10 Logs panel To the right of each queue is the number of records that it currently contains. Click a log to display its contents in the Message List panel. MESSAGE LIST PANEL The Message List panel shows all s in a selected queue or log. Figure 7-11 shows a typical example of s in the Isolate queue. Figure 7-11 Message List panel Isolate queue Figure 7-12 shows a typical example of s in the System Log. 240 Administrator s Guide SurfControl Filter for SMTP

258 MESSAGE ADMINISTRATOR Using Message Administrator 7 Figure 7-12 Message List panel System log Arranging Columns You can show, hide, move or resize columns to show only the information that you need. Showing or Hiding Columns. To hide a column, right-click the column heading, and then select Hide. The column is removed from the Message List panel. To show the column, right-click any column heading, select Insert, and then select the column from the list. Moving Columns. To move a column, click the column heading and drag the column into position. A blue line indicates where the column will be dropped when you release the mouse button. Resizing Columns. To change the width of a column, drag the line between columns. Sorting. You can sort your list of s on any of the column headings displayed. Click the column heading once to sort in ascending order; click the column again to sort in descending order. Figure 7-13 shows an example of a list that has been sorted alphabetically by subject in ascending order. Figure s sorted by subject in ascending order Sorting a column generates a new search and adds it to the query list. You can then save the query by selecting Save Query from the view menu. The next time you open the queue, you can select the query from the list and the results will be sorted again. You can combine sorting with queries to give a powerful searching tool. For example this query shows s isolated on the same day, ordered alphabetically by subject. SurfControl Filter for SMTP Administrator s Guide 241

259 7 MESSAGE ADMINISTRATOR Using Message Administrator Figure 7-14 Sorting a query Listing isolated s by subject is a good way to keep track of spam, because spammers change their address regularly. To find out more about searching, see Searching for s Using Menu Functions on page 243. Quick Search Using the Shortcut Menu You can use the shortcut menu to search quickly for s with the same criteria, such as a specific date, rule name, subject, and so on. The text in the shortcut menu corresponds to the heading in the table. Example: If you select the Rule Name column for an , the first option in the shortcut list is Show other entries for this rule name. Example: If you select the Sender column for an , the first option in the shortcut list is Show other entries for this sender. To use the shortcut menu to search s quickly: 1 Right-click the column for an . The example uses the Loop Detection rule. 2 Select the first option Show other entries for this rule name. 3 The table is sorted to display only entries that have triggered the Loop Detection rule. 4 You can further search this sorted list using other criteria, such as recipients, subject, date, and so on. Example: Search for s that triggered the Adult rule, and then search these s for a specific sender s address. 242 Administrator s Guide SurfControl Filter for SMTP

260 MESSAGE ADMINISTRATOR Using Message Administrator 7 Searching for s Using Menu Functions In addition to the Message Search function (see Message Search Panel on page 236), you can use the menu functions to search for s. To use the menu functions to search for s: 1 To search queues and logs for one or more s, select View > Find. The Find dialog box is displayed. 2 From the Search field: drop-down list, select the field to be searched. You can search any of the fields within the Message Administrator. 3 In the Find what: text box, enter the words to search for. 4 Select the Match whole word only check box to find just the results that exactly match the text you have entered will be listed. Otherwise, the search will find text strings that contain the word you have entered; for example, a search for hotmail.com will match on gareth@hotmail.com, Susie@hotmail.com, dave@hotmail.com, and so on. 5 Click Find to start your search. 6 To save your search criteria, select View > Save Query. When you exit Message Administrator, unsaved search criteria is cleared. 7 Enter a name for the query in the Query name: field in the Search dialog box. If you do not name the query, Filter automatically assigns a name. 8 To use your search again, select it from the drop-down list. Saved queries are displayed in blue text in the query list; unsaved queries in black. Unsaved queries are lost if you select a different queue or log, or if you close Message Administrator. 9 To return to the previous query, click. SurfControl Filter for SMTP Administrator s Guide 243

261 7 MESSAGE ADMINISTRATOR Using Message Administrator MESSAGE PARTS PANEL Note: The Message Parts panel is only displayed if you are viewing s stored in a queue. If you are viewing a log, the Message Parts panel is not available. The Message Parts panel shows the following parts of the The header The body Attachments. Click the part of the to be displayed. Figure 7-15 Message Parts panel The contents of the selected part of the in the Message Contents panel. However, if the Message Administrator cannot display the selected component in the Message Contents panel, you are given the option to view the contents in an external viewer for that file type. Viewing Decomposed s When the Document Decomposition object is fully enabled, text, graphics and OLE embedded objects are also shown as parts of the . Figure 7-16 Decomposed typical 244 Administrator s Guide SurfControl Filter for SMTP

262 MESSAGE ADMINISTRATOR Working with Queues 7 MESSAGE CONTENTS PANEL Note: If Document Decomposition is enabled, HTML in the body of an or in an attachment is decomposed into two files: sc_text.txt containing the visible text, and sc_urls.txt containing any URLs. See Configuring Document Decomposition on page 138. The Message Contents panel displays the contents of the part of the that you have selected in the Message Parts panel. If available, you can also display attachments. Figure 7-17 and Figure 7-18 show typical displays. Figure 7-17 Message Contents panel - typical header display Figure 7-18 Message Contents panel - typical attachments display WORKING WITH QUEUES When you are viewing a queue in the Message List panel, you can: View the details of an Viewing Properties on page 247 Forward a copy of an Forwarding a Copy of the Selected on page 249 Reply to the sender of an Replying to the Sender of an on page 250 Submit an to the Anti-Spam Agent database Submitting an to the Anti-Spam Agent Database on page 251 SurfControl Filter for SMTP Administrator s Guide 245

263 7 MESSAGE ADMINISTRATOR Working with Queues Analyze an to understand why it triggered dictionary rules Analyzing s on page 248 Release individual or multiple s Releasing s on page 251 Move s to a different queue Moving s on page 251 Save a copy of s Saving Copies of s on page 251 Delete s Deleting s on page 252 Release all s from a queue Deleting All s From a Queue on page 252 Work with queues on multiple servers Working with Queues on Multiple Servers on page 252 THE QUEUES TOOLBAR The Queues toolbar is only available when viewing the contents of single or multiple s in the Message List panel. Some buttons are available for single selections only. Figure 7-19 The Message Administrator Queues toolbar For single selections only Table 7-2 describes the Queues toolbar buttons. Table 7-2 Message Administrator Queues toolbar buttons Show information about the selected , including details of recipients and file size. Single selections only. Analyze the contents of the selected using one or more of the SurfControl dictionaries. Single selections only. Forward a copy of the selected to any address. This does not delete the . Single selections only. Reply to the sender. Single selections only. Submit the selected to SurfControl for inclusion in the Anti-Spam Agent database. Single selections only. Release the selected (s) for delivery. Move the selected (s) from the current folder to an alternative folder. For example, move one or more s from the Delay queue to the Isolate queue. Save the selected (s). 246 Administrator s Guide SurfControl Filter for SMTP

264 MESSAGE ADMINISTRATOR Working with Queues 7 Table 7-2 Message Administrator Queues toolbar buttons (Continued) Delete the selected (s). Delete all s from the selected queue. VIEWING PROPERTIES You can display detailed information about an , including the name of the rule triggered by the , the time and date that the SurfControl Filter engine processed the rule, and the Dictionary score for the if it triggered a Dictionary Threshold rule. To view the details of an 1 Select the from the list. 2 Click. Detailed information about the is displayed in the Properties dialog box. 3 To perform a detailed dictionary analysis on the , click Analyze. See Analyzing s on page 248 for details. 4 Click OK. SurfControl Filter for SMTP Administrator s Guide 247

265 7 MESSAGE ADMINISTRATOR Working with Queues ANALYZING S When you analyze an , you can view each word that has triggered the dictionary rule, how often it occurs and its score. To analyze an 1 Select the from the list. 2 Click. The Analyze File dialog box is displayed. 3 You can filter the results further by selecting from the drop-down lists: Dictionary Message Part Scoring. 4 Select the dictionary that you want to use to analyze the . The list displays statistics for: The words from the that appear in the selected dictionary. The part of the in which the words occur. The value assigned to each word. The number of these words found. The individual word scores. The total word score. 248 Administrator s Guide SurfControl Filter for SMTP

266 MESSAGE ADMINISTRATOR Working with Queues 7 5 From the Message Part drop-down list, you can select which parts of the to scan: The entire The header The body The attachments. 6 From the Scanning drop-down list, select either: Threshold Total Displays the dictionary scoring words from only the highest scoring part of a multipart alternative with more than one Message Body. Depending on which part of an is the highest scoring part for the selected dictionary will decide from which part of the the words are displayed. Grand Total Displays the dictionary scoring words from all selected parts of an . In the case of a multi-part alternative with more than one Message Body, identical dictionary scoring words from alternative parts will have a cumulative effect on the final score for the selected dictionary. 7 Click OK to return to Message Administrator. FORWARDING A COPY OF THE SELECTED You can forward an from a queue. For example, you might want to forward a copy of the that has been isolated for inappropriate content to the sender s manager or the HR department. The is forwarded as an attachment. To forward a copy of an 1 Select the in the list. 2 Click. The Forward dialog box is displayed. 3 In the To: field, enter the addresses that you want the forwarded to. SurfControl Filter for SMTP Administrator s Guide 249

267 7 MESSAGE ADMINISTRATOR Working with Queues 4 Specify who you want to receive copies of the . Select any or all of the following: Message Sender Message Recipients Systems Administrator 5 By default, the subject of the forwarded is displayed in the Subject: text field, but you can change it. 6 You can type a message in the Body: text field. For example, This has been isolated because it contains material that could be deemed inappropriate. 7 Click Send. The is sent with annotation that identifies it as being from your Mail Administrator s mailbox. The original remains in its current queue. REPLYING TO THE SENDER OF AN To reply to the sender of an 1 Select the in the list. 2 Click. The Reply to Sender dialog box is displayed. 3 To send a copy of the reply to another person, enter their address in the BCC field. 4 To send a copy of the reply to the Systems Administrator, select the BCC Admin check box. 5 For the , you can either: Select from a range of standard auto-reply messages in the Auto-Reply message format: dropdown list. Select Clear from the Auto-Reply message format: drop-down list, and then enter your own message in the text box. 6 Click Send. The is sent with annotation that identifies it as being from your Mail Administrator s mailbox. The original remains in its current queue. 250 Administrator s Guide SurfControl Filter for SMTP

268 MESSAGE ADMINISTRATOR Working with Queues 7 SUBMITTING AN TO THE ANTI-SPAM AGENT DATABASE To submit an to the Anti-Spam Agent database: 1 Select the in the list. 2 Click. The Submit to Anti-Spam Agent dialog box is displayed. 3 The address and subject are entered automatically by Filter. You can change the Subject: field. 4 Click OK. The is sent to SurfControl, who will assess it for addition to the Anti-Spam Agent categories. The original remains in its current queue. RELEASING S To release one or more s: 1 Select one or more s in the list. 2 Click. The is moved to the Send queue. If you have selected the option Confirm when releasing all messages in the Message Administrator options, a confirmation pop-up is displayed. MOVING S To move one or more s: 1 Select one or s in the list. 2 Click. The Move to Queue... dialog box is displayed. 3 Select the queue to move the into. You can also drag an into a queue in the Queues panel. SAVING COPIES OF S To save a copy of one or more s: SurfControl Filter for SMTP Administrator s Guide 251

269 7 MESSAGE ADMINISTRATOR Working with Queues 1 Select either the in the list, or the individual part in the Message Parts panel. 2 Click to open the Save As dialog box. 3 Select the file name and location for the , and then click Save. DELETING S To delete one or more s: 1 Select the in the list 2 Click. If you have selected the option Confirm when deleting messages in the Message Administrator options, a confirmation message is displayed. DELETING ALL S FROM A QUEUE To delete all s from a queue: 1 Select the queue in the Queues panel. 2 Click. If you have selected the option Confirm when deleting messages in the Message Administrator options, a confirmation message is displayed. WORKING WITH QUEUES ON MULTIPLE SERVERS If you have SurfControl Filter installed on more than one server, but sharing an SQL database, the features of Message Administrator are available from any server. For example, an in the Isolate folder on Server A could be released using Message Administrator on Server B. However, you cannot use Message Administrator to move s from one server to another. To use Message Administrator on multiple servers, Filter must be configured as follows: All Filter servers must share the same domain. The Administration Server services on each machine must be logged on using a domain account with network privileges. An account on the local machine, or within a workgroup, is not sufficient. If the server is logging to a remote SQL Server using Windows Authentication, then all the services need to be logged on using this Domain account, and the account must have sufficient database access privileges as well. (You can use SQL Authentication for this). For more information about configuration options, see the SurfControl Filter Installation Guide. 252 Administrator s Guide SurfControl Filter for SMTP

270 MESSAGE ADMINISTRATOR Working with Logs 7 WORKING WITH LOGS You can view the following logs: Connection log The connections from the host servers to Filter. Receive log s that have been received by Receive service. Rules log s that have triggered a rule, including the rule name, policy type and the size of the . Audit log Actions that have been carried out on s, including the audit user, audit type and activity for each . Send log s that have been received and released by the Send service, including the route, IP address of the mail server, size of the and the SMTP code. System log All system activity. To display the properties of an individual log record, double-click the record in the Message List panel. USING QUEUES AND LOGS WITH MULTIPLE SERVERS If you are using more than one Receive service, for example, in a large organization with more than one mail server, it is possible that two different.msg files could be given the same name. To distinguish between servers, you can display the server name for each . To display the server name in the queue or log: 1 Select any log. 2 In the Message List panel, right-click any column heading. 3 Select Insert to display the Choose a Column dialog. SurfControl Filter for SMTP Administrator s Guide 253

271 7 MESSAGE ADMINISTRATOR Using Queues and Logs with Multiple Servers 4 Select Server Name, and then click OK. An extra column is displayed on the list panel. This shows the server that each belongs to. 254 Administrator s Guide SurfControl Filter for SMTP

272 8 Dictionary Management In This Chapter page 256 Opening Dictionary Management page 256 The Dictionary Management Window page 256 Adding a Dictionary page 257 Adding Words or Phrases to a Dictionary page 258 Editing Dictionary Words page 261 Deleting Words from a Dictionary page 262 Deleting a Dictionary page 263 Importing Dictionaries page 264 Exporting Dictionaries page 269

273 8 DICTIONARY MANAGEMENT In This Chapter IN THIS CHAPTER This chapter explains how to configure the dictionaries used by such tools as the Dictionary Threshold object and the LexiMatch object. By adding dictionaries and words, and by amending the score of words in the pre-configured dictionaries you can optimize filtering results. OPENING DICTIONARY MANAGEMENT To open Dictionary Management, select Start > All Programs > SurfControl Filter > Utilities > Dictionary Management The Dictionary Management window is displayed. THE DICTIONARY MANAGEMENT WINDOW Figure 8-1 shows a typical Dictionary Management window. Figure 8-1 The Dictionary Management window If you add a dictionary, it is displayed under Custom Dictionaries. The SurfControl preconfigured dictionaries are listed here. Click a dictionary to display the words it contains and their scores. Initially, the number of words in the dictionaries are displayed. When you click a dictionary in the lefthand panel, the words that it contains and their scores are displayed in the righthand panel. Navigation Panel Display Panel 256 Administrator s Guide SurfControl Filter for SMTP

274 DICTIONARY MANAGEMENT Adding a Dictionary 8 ADDING A DICTIONARY To add a dictionary: 1 Click. The Add/Edit Dictionary dialog box is displayed. 2 Enter a name and a description for the dictionary. 3 If needed, you can add a warning message that is displayed when the dictionary is opened. For example, This dictionary contains bad jokes. 4 Select Display this message when dictionary launches. 5 Click OK. The new dictionary is displayed under Custom Dictionaries. You can now also select the dictionary when using the dictionary-based rules objects, for example, the LexiMatch object. 6 Click to save your changes. SurfControl Filter for SMTP Administrator s Guide 257

275 8 DICTIONARY MANAGEMENT Adding Words or Phrases to a Dictionary ADDING WORDS OR PHRASES TO A DICTIONARY Note: To use the Confidential dictionary in rules, you need to add the words and phrases that signify confidential content in your organization. You can add words or phrases to a dictionary and give them a score. You can also use number pattern recognition, wildcards and/or binary sequences to make dictionary scanning tools more powerful. Using Number Pattern Recognition You can add any pattern of numbers to a dictionary by using the # character to signify a single number. For example #### #### #### #### would find the credit card number , but not the string abcd 1234 defg Using number pattern recognition can prevent users from transmitting potentially sensitive data, such as credit card details, account numbers or patient file numbers. Using Wildcards You can use wildcards to make the SurfControl Filter dictionary scanner more extensive. With no wildcards, a word is assumed complete and separated by white space or punctuation marks. With wildcards, you can scan parts of words. You can use the following wildcard characters. Note: You cannot place one wildcard character immediately next to another. Table 8-1 Wildcards Wildcard Description and example * One or more characters at the beginning or end of a word or phrase. Example: sex* finds sexy or sexily, but not Essex.? A single character in a word or phrase. Example: jo?n would match john and joan, but not johann. ^ One or more white-space characters. 258 Administrator s Guide SurfControl Filter for SMTP

276 DICTIONARY MANAGEMENT Adding Words or Phrases to a Dictionary 8 Table 8-1 Wildcards (Continued) Wildcard Description and example! A single white-space or punctuation character. \ An escape character. Using Binary Sequences You can also search for binary sequences. Use this ability to identify specific binary file sequences expressed as hexadecimal sequences. To enter a binary sequence, enter `~ followed by an even number of hexadecimal characters that represent the search sequence. For example `~ is the Binary representation of abcd A rule to detect this binary sequence would trigger if an contained the following strings: abcd abcdxxxabcdxxx The phrase ABCD would not trigger the rule because the binary code distinguishes between upper and lower case letters. To add words or phrases to a dictionary: 1 Click the dictionary in the left-hand panel. The list of existing words and scores in the dictionary is displayed in the right-hand panel. SurfControl Filter for SMTP Administrator s Guide 259

277 8 DICTIONARY MANAGEMENT Adding Words or Phrases to a Dictionary 2 Click. The Add/Edit Phrase dialog box is displayed. 3 Enter the word or phrase to be included in the dictionary. 4 Enter a value between 0 and 100 for the word or phrase. The higher the score, the fewer instances of the word or phrase need to appear in an to trigger a Dictionary Threshold rule. 5 Click OK. The word or phrase is added to the list of words in the dictionary. 6 Click to save your changes. 260 Administrator s Guide SurfControl Filter for SMTP

278 DICTIONARY MANAGEMENT Editing Dictionary Words 8 EDITING DICTIONARY WORDS To change a dictionary word or its score: 1 Click the dictionary in the left-hand panel. The list of words in the dictionary and their scores is displayed in the right-hand panel. 2 Double-click a word or score, and then change the details. 3 Click to save your changes. SurfControl Filter for SMTP Administrator s Guide 261

279 8 DICTIONARY MANAGEMENT Deleting Words from a Dictionary DELETING WORDS FROM A DICTIONARY If you delete words used by objects in an enabled rule, the rule will be ineffective and the will ignore it and move on to the next processing step. To delete words from a dictionary: 1 Click the dictionary in the left-hand panel. The list of words in the dictionary and their scores is displayed in the right-hand panel. 2 Select one or more words to delete. You can select multiple words by using Shift or Ctrl. 3 Click. The selected words are removed from the dictionary. 4 Click to save your changes. 262 Administrator s Guide SurfControl Filter for SMTP

280 DICTIONARY MANAGEMENT Deleting a Dictionary 8 DELETING A DICTIONARY You can delete any of the dictionaries. If you delete a dictionary, rules that use threshold scores from that dictionary or LexiMatch object will not be effective. If you delete a dictionary by mistake, you can restore it by importing the SurfControl dictionary pack. See Importing a SurfControl Dictionary Pack on page 264. To delete a dictionary: 1 Click the dictionary in the left-hand panel. The list of words in the dictionary and their scores is displayed in the right-hand panel. 2 Click. A confirmation message is displayed. 3 Click Yes to delete the dictionary. 4 Click to save your changes. SurfControl Filter for SMTP Administrator s Guide 263

281 8 DICTIONARY MANAGEMENT Importing Dictionaries IMPORTING DICTIONARIES There are two ways to import dictionaries into Filter: Import a SurfControl dictionary pack. Import a Unicode text file. Note: You can import a Unicode text file to create a new dictionary or overwrite the contents of an existing dictionary. IMPORTING A SURFCONTROL DICTIONARY PACK By default, the product installs the English language dictionaries. You can add other language dictionaries using the Import-Export utility. SurfControl Filter 6.0 provides language dictionaries for the following languages: Dutch French German Italian Japanese Korean Portuguese Russian Spanish Traditional Chinese Simplified Chinese. 264 Administrator s Guide SurfControl Filter for SMTP

282 DICTIONARY MANAGEMENT Importing Dictionaries 8 To import a SurfControl dictionary pack: 1 From the Dictionary Management window, select File > Import/Export dictionary pack The Import/Export Utility wizard opens. 2 Click Next. The Select Source and Target dialog box is displayed. 3 Select Import from file. SurfControl Filter for SMTP Administrator s Guide 265

283 8 DICTIONARY MANAGEMENT Importing Dictionaries 4 Enter or browse to the location of the dictionary file to import. By default, the SurfControl dictionaries are in the folder SurfControl Filter\Language Packs The file is displayed in the File name: text box. 5 Click Next. The Select Dictionaries dialog box is displayed. 6 Select the dictionaries to be imported, or click Select All. 7 By default, the Import/Export wizard will import only those dictionary words which you have not changed. To import the entire dictionary and overwrite your changes select Import all words and overwrite any modifications 266 Administrator s Guide SurfControl Filter for SMTP

284 DICTIONARY MANAGEMENT Importing Dictionaries 8 8 Click Next. A summary screen is displayed, which lists your selections. 9 Click Finish to import the dictionaries, or Back to change your settings. IMPORTING A UNICODE TEXT FILE Importing a unicode text file is an easy way to add a large number of words or phrases to an existing custom dictionary, or create a new one. Note: To create a new custom dictionary, see Adding a Dictionary on page 257. To import a Unicode text file: 1 Open a text editor, such as Notepad. 2 Enter the words and scores in a list. The format must be Word or Phrase [tab space]score Examples: Football 30 Baseball 40 SurfControl Filter for SMTP Administrator s Guide 267

285 8 DICTIONARY MANAGEMENT Importing Dictionaries 3 Save the file as file type Unicode. Note: If the file is not saved as Unicode, the dictionary cannot be imported. 4 Open the Dictionary Management window. Overwriting an existing dictionary make sure that you have selected the correct dictionary in the left-hand panel. Creating a new dictionary select either SurfControl Dictionaries or Custom Dictionaries in the left-hand panel. 5 Select File > Import Unicode TXT file 6 Select the file to import. 7 The Import Dictionary dialog box is displayed. New Creates a new dictionary under Custom Dictionaries in the left-hand panel. Overwrite Overwrites the contents of the existing dictionary that you have selected in the left-hand panel. 268 Administrator s Guide SurfControl Filter for SMTP

286 DICTIONARY MANAGEMENT Exporting Dictionaries 8 8 To import the Unicode file as a new dictionary, click New. You will be asked to give your new dictionary a name and descriptions. 9 Click OK. You will see your new dictionary displayed in the Dictionary Management Window. 10 To overwrite the dictionary that is currently selected, click Overwrite. The selected dictionary is replaced by the new dictionary. If your file cannot be imported successfully, an error message is displayed. Check the format of the entries in the file (see step 2), and check that the file is saved as Unicode. EXPORTING DICTIONARIES Exporting dictionaries is useful if you have multiple installations of Filter; you can edit one or more dictionaries and export them from one installation, and then import them into the other installations. Therefore, you only have to edit once. There are two ways of exporting dictionaries: As a SurfControl dictionary pack (an XML file) As a Unicode file. You can only export one dictionary at a time to a Unicode file. SurfControl Filter for SMTP Administrator s Guide 269

287 8 DICTIONARY MANAGEMENT Exporting Dictionaries EXPORTING A DICTIONARY AS A DICTIONARY PACK To export a dictionary as a dictionary pack: 1 From the Dictionary Management window, select File > Import/Export dictionary pack The Import/Export Utility wizard opens. 2 Click Next. The Select Source and Target dialog box is displayed. 3 Select Export to file. 270 Administrator s Guide SurfControl Filter for SMTP

288 DICTIONARY MANAGEMENT Exporting Dictionaries 8 4 Enter or browse to the location of the dictionary file to export into. By default, the SurfControl dictionaries are in the folder SurfControl Filter\Language Packs The file is displayed in the File name: text box. 5 Click Next. The Select Dictionaries dialog box is displayed. 6 Select the dictionaries to be exported, or click Select All. SurfControl Filter for SMTP Administrator s Guide 271

289 8 DICTIONARY MANAGEMENT Exporting Dictionaries 7 Click Next. A summary screen is displayed, which lists your selections. 8 Click Finish to export the dictionaries, or Back to change your settings. EXPORTING A DICTIONARY AS A UNICODE FILE To export a dictionary as a Unicode file: 1 Open the Dictionary Management window. Select a dictionary in the left-hand panel, and then select File > Export Unicode TXT file 2 Save the file as a Unicode file type. Either use the default file name, or enter a different file name. 3 A confirmation message is displayed telling you that the file has been exported successfully. 272 Administrator s Guide SurfControl Filter for SMTP

290 9 Scheduler In This Chapter page 274 Opening the Scheduler page 274 Scheduler Window page 274 Scheduled Events page 275 Scheduling Anti-Spam Agent Updates page 276 Scheduling Anti-Virus Agent Updates page 279 Scheduling Anti-Virus Malware Scanning Updates page 281 Scheduling Database Management Tasks page 283 Purging a Database page 284 Archiving a Database page 288 Shrinking a Database page 291 Scheduling Internet Threat Database Updates page 293 Scheduling Queue Synchronization page 295

291 9 SCHEDULER In This Chapter IN THIS CHAPTER This chapter explains how to use the Scheduler for easy and effective management of SurfControl Filter. You can use the Scheduler to: Update tools that use SurfControl Content, such as the Anti-Spam Agent, ensuring that Filter is armed with the most up to date information about new kinds of spam and other threats. Automatically manage queues to avoid congestion and keep your system running efficiently. Manage the logging and configuration database. OPENING THE SCHEDULER To open the Scheduler, select Start > All Programs > SurfControl Filter > Scheduler. The Scheduler window is displayed. SCHEDULER WINDOW Figure 9-1 shows a typical Scheduler window. Figure 9-1 The Scheduler window Use the buttons to create and configure scheduled tasks The list displays scheduled tasks. 274 Administrator s Guide SurfControl Filter for SMTP

292 SCHEDULER Scheduled Events 9 SCHEDULED EVENTS You can use the Scheduler to schedule the following events. Table 9-1 Scheduled events Event What it does Find out more Anti-Spam Agent Update Anti-Virus Agent Update Anti-Virus Malware Live Update Database Management Internet Threat Database Update Queue Synchronization Download the latest Anti-Spam Agent files. Download the latest Anti-Virus Agent files. Download the latest Anti-Virus Malware Scanning files. Purge, archive or shrink the logging database. Download the latest Internet Threat Database files. Synchronizes the database with the actual status of the server. page 276 page 279 page 281 page 283 page 293 page 295 During installation, SurfControl Filter automatically creates the following scheduled events. Table 9-2 Default scheduled events Default Event Anti-Spam Agent Update Anti-Virus Agent Update Anti-Virus Malware Live Update Purge Database Shrink Database Time Daily every hour, seven days a week. Daily every hour, seven days a week. Daily every hour, seven days a week. Note: This event is not created automatically if you have upgraded from SurfControl Filter 5.2 or later. Weekly on Monday at 07:00. Purge data older than 30 days. Weekly on Monday, one hour after purge. SurfControl Filter for SMTP Administrator s Guide 275

293 9 SCHEDULER Scheduling Anti-Spam Agent Updates Table 9-2 Default scheduled events Default Event Internet Threat Database Update Time Daily every 12 hours, seven days a week. Queue Synchronization Weekly on Monday at 02:00. OPTIONS FOR SCHEDULED EVENTS Using the Options button on the Scheduler window, you can set the following options for the scheduled events: Database Query Timeout You can set a limit on the amount of time that the Database Management Archive task is allowed before it is stopped. See Archiving a Database on page 288. Notify System Administrator if a Scheduler event fails Use this to notify the administrator if any scheduled event fails. This is the address specified in the Server Configuration > Administration screen, see Administration Settings - General on page 89. SCHEDULING ANTI-SPAM AGENT UPDATES SurfControl constantly updates the Anti-Spam Agent files to ensure that you have access to the latest protection against spam. You should regularly update your Anti-Spam Agent to also keep your system upto-date with the latest protection. To schedule Anti-Spam Agent updates: 1 In the Scheduler window, click Add Item Administrator s Guide SurfControl Filter for SMTP

294 SCHEDULER Scheduling Anti-Spam Agent Updates 9 2 The Scheduler Item Configuration dialog box is displayed. 3 Select Anti-Spam Agent Update from the drop-down list. 4 Select the frequency of the update: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 5 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 6 Click Configure. SurfControl Filter for SMTP Administrator s Guide 277

295 9 SCHEDULER Scheduling Anti-Spam Agent Updates 7 The Product Registration dialog box is displayed. You must register for Anti-Spam Agent updates. The fields are populated if you filled in the registration details when you installed Filter. However, you can change your details if needed. i If the fields are blank, enter your details. ii Click OK to return to the Scheduler Item Configuration dialog box. 8 Click OK. The update event is listed in the Scheduler window. 278 Administrator s Guide SurfControl Filter for SMTP

296 SCHEDULER Scheduling Anti-Virus Agent Updates 9 SCHEDULING ANTI-VIRUS AGENT UPDATES SurfControl constantly updates the Anti-Virus Agent files to ensure that you have access to the latest protection against spam. You should regularly update your Anti-Virus Agent to also keep your system upto-date with the latest protection. To schedule Anti-Virus Agent updates: 1 In the Scheduler window, click Add Item... 2 The Scheduler Item Configuration dialog box is displayed. 3 Select Anti-Virus Agent Update from the drop-down list. SurfControl Filter for SMTP Administrator s Guide 279

297 9 SCHEDULER Scheduling Anti-Virus Agent Updates 4 Select the frequency of the update: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 5 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 6 Click Configure. 7 The Product Registration dialog box is displayed. You must register for Anti-Virus Agent updates. The fields are populated if you filled in the registration details when you installed Filter. However, you can change your details if needed. i If the fields are blank, enter your details. ii Click OK to return to the Scheduler Item Configuration dialog box. 280 Administrator s Guide SurfControl Filter for SMTP

298 SCHEDULER Scheduling Anti-Virus Malware Scanning Updates 9 8 Click OK. The update event is listed in the Scheduler window. SCHEDULING ANTI-VIRUS MALWARE SCANNING UPDATES SurfControl constantly updates the Anti-Virus Malware Scanning files to ensure that you have access to the latest protection against viruses. You should regularly update your Anti-Virus Malware Scanning tool to also keep your system up-to-date with the latest protection. To schedule Anti-Virus Malware Scanning updates: 1 In the Scheduler window, click Add Item... 2 The Scheduler Item Configuration dialog box is displayed. 3 Select Anti-Virus Malware Live Update from the drop-down list. SurfControl Filter for SMTP Administrator s Guide 281

299 9 SCHEDULER Scheduling Anti-Virus Malware Scanning Updates 4 Select the frequency of the update: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 5 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 6 Click Configure. The Product Registration dialog box is displayed. You must register for Anti-Virus Malware Scanning live updates. The fields are populated if you filled in the registration details when you installed Filter. However, you can change your details if needed. i If the fields are blank, enter your details. ii Click OK to return to the Scheduler Item Configuration dialog box. 7 Click OK. The update event is listed in the Scheduler window. 282 Administrator s Guide SurfControl Filter for SMTP

300 SCHEDULER Scheduling Database Management Tasks 9 SCHEDULING DATABASE MANAGEMENT TASKS Note: SurfControl Filter services stop when database management tasks are running. Therefore, you should schedule these tasks at times of low traffic so that they have minimal impact on your system. SurfControl Filter continually records a log of all traffic in your system and stores the data in a logging database. As the size of this database increases very quickly, you should schedule the Database Management event to perform regular management tasks. You can automate the following tasks. Table 9-3 Database management tasks Task Purge Database Archive Database Shrink Description Deletes selected data from the database. You can select to purge all the logs, or the individual logs (such as, Connection Log, Rules Log, and so on) from the database. Copies or moves selected data from the database to a specified file. Reduces the size of the database by removing redundant space, but does not delete any data from the database. SurfControl Filter for SMTP Administrator s Guide 283

301 9 SCHEDULER Purging a Database PURGING A DATABASE The data that you delete from the database will not be available for reports. To delete data from the logging database: 1 In the Scheduler window, click Add Item. 2 The Scheduler Item Configuration dialog box is displayed. 3 Select Database Management from the drop-down list. 284 Administrator s Guide SurfControl Filter for SMTP

302 SCHEDULER Purging a Database 9 4 Select the frequency of the task: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 5 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 6 Click Configure... SurfControl Filter for SMTP Administrator s Guide 285

303 9 SCHEDULER Purging a Database 7 Click Purge Database... The Purge dialog box is displayed. 8 Select the log to purge from the database in this event: All logs Connection Log Receive Log Rules Log Audit Log Send Log System Log. 9 Select one option for the data to delete: Purge All Deletes all database entries. Purge data older than 24 hours. Purge data older than n days Deletes data older than the number of days that you set. Purge data older than date Deletes data older than the date that you set. Purge Range Deletes data between the two dates that you set. 10 To remove all address data that is not currently being used by the database, select Purge unused address data. Example: You might use this after your system has been subject to a large spam attack, which has filled the database. To remove all data that has not been synchronized by the reporting, select Purge unsynchronized address data. 11 Click OK to return to the Scheduler Item Configuration dialog box. 286 Administrator s Guide SurfControl Filter for SMTP

304 SCHEDULER Purging a Database 9 12 Click OK. The Purge Database event is listed in the Scheduler window. SurfControl Filter for SMTP Administrator s Guide 287

305 9 SCHEDULER Archiving a Database ARCHIVING A DATABASE You can copy or move all or specific data from a database into a specific file. To archive the database: 1 In the Scheduler window, click Add Item. The Scheduler Item Configuration dialog box is displayed. 2 Select Database Management from the drop-down list. 3 Select the frequency of the task: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: 288 Administrator s Guide SurfControl Filter for SMTP

306 SCHEDULER Archiving a Database 9 A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 4 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 5 Click Configure... 6 Click Archive Database... The Archive dialog box is displayed. SurfControl Filter for SMTP Administrator s Guide 289

307 9 SCHEDULER Archiving a Database 7 Select one option for the data to archive: Archive All Archives all database entries. Archive data older than 24 hours. Archive data older than n days Archives data older than the number of days that you set. Archive data older than date Archives data older than the date that you set. Archive Range Archives data between the two dates that you set. 8 Archive to: Enter or browse to the location of the archive file. The default archive folder is C:\Program files\surfcontrol Filter\Archive To automatically base the archive file name on the date that the archive is performed, select Unique date-based filename. To delete the original data from the logging database, select Purge Archived Data. 9 Click OK to return to the Scheduler Item Configuration dialog box. 10 Click OK. The Archive Database event is listed in the Scheduler window. 290 Administrator s Guide SurfControl Filter for SMTP

308 SCHEDULER Shrinking a Database 9 SHRINKING A DATABASE Shrinking reduces the file size of the database by eliminating redundant space but without removing any useful data. To shrink the database: 1 In the Scheduler window, click Add Item. The Scheduler Item Configuration dialog box is displayed. 2 Select Database Management from the drop-down list. SurfControl Filter for SMTP Administrator s Guide 291

309 9 SCHEDULER Shrinking a Database 3 Select the frequency of the task: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 4 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 5 Click Configure... 6 Click Shrink... The Shrink/Compact Database dialog box is displayed. 292 Administrator s Guide SurfControl Filter for SMTP

310 SCHEDULER Scheduling Internet Threat Database Updates 9 7 Specify the percentage of the current database size that you want to shrink the database to (between 1% and 99%). Default = 10% (of the current size) 8 Click OK to return to the Scheduler Item Configuration dialog box. 9 Click OK. The Shrink Database event is listed in the Scheduler window. SCHEDULING INTERNET THREAT DATABASE UPDATES SurfControl constantly updates the Internet Threat Database files to ensure that you have access to the latest protection against Internet threats, such as s that contain links for inappropriate Web sites. You should regularly update your Internet Threat Database to also keep your system up-to-date with the latest protection. To schedule Internet Threat Database updates: 1 In the Scheduler window, click Add Item. SurfControl Filter for SMTP Administrator s Guide 293

311 9 SCHEDULER Scheduling Internet Threat Database Updates The Scheduler Item Configuration dialog box is displayed. 2 Select Internet Threat Database Update from the drop-down list. 3 Select the frequency of the update: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 4 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 294 Administrator s Guide SurfControl Filter for SMTP

312 SCHEDULER Scheduling Queue Synchronization 9 5 Click Configure The Product Registration dialog box is displayed. You must register for Internet Threat Database updates. The fields are populated if you filled in the registration details when you installed Filter. However, you can change your details if needed. If the fields are blank, enter your details. 6 Click OK to return to the Scheduler Item Configuration dialog box. 7 Click OK. The update event is listed in the Scheduler window. SCHEDULING QUEUE SYNCHRONIZATION Note: You should schedule this event at a time when there is little or no traffic on the network. The contents of the queues can sometimes be different from the s listed in the STEMLog database, for example if you delete s directly from the Queue folders. The Queue Synchronization event synchronizes the two. This improves the performance of the Message Administrator and supports the use of multiple servers. It also maintains the integrity between database and s files so that they are unlikely to be lost. However, queue synchronization can also retrieve lost s. Manage your queued s to avoid large numbers of delayed or isolated s; this reduces the time taken for queue synchronization to complete. SurfControl Filter for SMTP Administrator s Guide 295

313 9 SCHEDULER Scheduling Queue Synchronization To schedule a Queue Synchronization event: 1 In the Scheduler window, click Add Item. The Scheduler Item Configuration dialog box is displayed. 2 Select Queue Synchronization from the drop-down list. 3 Select the frequency of the synchronization: Daily You can set either: A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes. Weekly You can set a specific day, and the hour and minute on that day. Monthly You can set either: A specific date in every month and the hour and minute on that date, or Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute. 296 Administrator s Guide SurfControl Filter for SMTP

314 SCHEDULER Scheduling Queue Synchronization 9 Yearly You can set either: A specific date in a specific month and the hour and minute on that date, or Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute. 4 Enter a description in the Description field. This helps you to recognize this event in the Scheduler window. 5 Click Configure... The Queue Synchronization dialog box is displayed. 6 By default, all queues are synchronized. To exclude one or more queues from the synchronization, click Add. The Add Queue dialog box is displayed. 7 Select the queue that you do not want to be synchronized, and then click OK. Note: You can only select one queue at a time. SurfControl Filter for SMTP Administrator s Guide 297

315 9 SCHEDULER Scheduling Queue Synchronization 8 Repeat steps step 5, step 6 and step 7 for all the queues that you do not want to synchronize. The excluded queues are shown in the Exclude selected queues: list. 9 Set the maximum number of s to be synchronized. Default = Click OK to return to the Scheduler Item Configuration dialog box. 11 Click OK. The Queue Synchronization event is listed in the Scheduler window. 298 Administrator s Guide SurfControl Filter for SMTP

316 10 Remote Administration In This Chapter page 300 Administration Client page 300 Web Administrator page 300 Message Administrator page 303 Dictionary Management page 308 Viewing Logs page 312

317 10 REMOTE ADMINISTRATION In This Chapter IN THIS CHAPTER This chapter describes how to administrate SurfControl Filter from a remote computer using: Administration Client Web Administrator. ADMINISTRATION CLIENT Note: When you install the Administration Client on the remote computer(s), you can select the components that you need to administrate. See the SurfControl Filter Installation Guide for instructions. Depending on the Filter components that you selected, using the Administration Client, you have remote access to the following functions: Message Administrator See the chapter Message Administrator on page 229. Rules Administrator See the chapter The Rules Administrator on page 113. Monitor (including Server Configuration) See the chapter The Monitor on page 101. Dictionary Management See the chapter Dictionary Management on page 255. You can also configure administrators. To set up remote users and specify their access permissions, see Configuring Administrators on page 91. WEB ADMINISTRATOR The Web Administrator enables you to access the following Filter functions from a remote computer: Message Administrator Dictionary Management View logs. For more detailed information of these functions, see Message Administrator on page Administrator s Guide SurfControl Filter for SMTP

318 REMOTE ADMINISTRATION Web Administrator 10 OPENING WEB ADMINISTRATOR You can open Web Administrator from either: The Filter server, or A remote computer. For both methods, the Web Administrator Start screen is displayed in your Web browser, see Web Administrator Start screen on page 302. Opening Web Administrator From the Filter Server To open Web Administrator from the Filter server, select Start > All Programs > SurfControl Filter > Web Administrator Opening Web Administrator From a Remote Computer Before you can use Web Administrator remotely, you need to set up Administrators in the Server Configuration console. The Administrator s permission settings must include Message Administration. See Configuring Administrators on page 91. Enter the following address into your internet browser: address of your SurfControl Filter server>:<standard port number>/index.htm. For example, to access an installation on a server with an IP address of and a standard port of 82 specified during installation, the URL would be: The log on screen is displayed. Figure 10-1 Web Administrator log on screen Enter your username and password. SurfControl Filter for SMTP Administrator s Guide 301

319 10 REMOTE ADMINISTRATION Web Administrator When you have logged on, the Web Administrator Start screen is displayed in your browser window. Figure 10-2 Web Administrator Start screen Note: You can access all of these features through any screen in the Web Administrator. 302 Administrator s Guide SurfControl Filter for SMTP

320 REMOTE ADMINISTRATION Message Administrator 10 MESSAGE ADMINISTRATOR Use the Message Administrator functions to manage s within queues. Figure 10-3 shows a typical Message Administrator browser screen. Figure 10-3 Remote Message Administrator functions Use these links to: Work with queues View logs Manage dictionaries Select the actions to apply to s The Message List, Logs or dictionaries are displayed here. For more details of working with queues, see Working with Queues on page 245. SORTING S To sort the list, click a column heading. For example, if you click the Subject heading once, the whole list is sorted by subject in descending order; click the column heading again to reverse the sort order. MOVING, RELEASING AND DELETING S To move, release or delete any or all of the in the list: 1 Select the check box of each that you need. Alternatively, select all the s on the list by selecting the Select all displayed messages check box. SurfControl Filter for SMTP Administrator s Guide 303

321 10 REMOTE ADMINISTRATION Message Administrator 2 In the Action: drop-down, select what you want to do with the selected s: Release Moves the s into the Send queue, which enables them to be sent to their destination. Delete Deletes the s. Note: You cannot retrieve deleted s. Move Moves the s to another queue. Each queue is listed separately. 3 To complete the action, click the button next to the Action: drop-down list. VIEWING THE PROPERTIES OF INDIVIDUAL S Click an to view its properties. Figure properties Actions: A list of the actions you can perform on the . File area: Displays the filename, the address it was sent from, and the date it was received. Message Contents: If Document Decomposition is enabled, you can view the component parts of the here. Rule log information: Brief information from the rule log, such as the name of the rule triggered and the action taken. Message Header 304 Administrator s Guide SurfControl Filter for SMTP