Filter. SurfControl Filter 5.0 for SMTP Administrator's Guide. The World's #1 Web & Filtering Company
CONTENTS

NOTICES
  Notices
  Comments on this Guide?
  Technical Support
  SurfControl Sales

INTRODUCTION
  In This Chapter
  About SurfControl Filter
  What's New in Version 5.0

FINDING YOUR WAY AROUND
  In This Chapter
  How Filter Works
  Filter Core Components
  Filter Services
  Launching SurfControl Filter
  Launching Filter Components

SETTING UP FILTER
  In This Chapter
  Connecting to a Different Filter Server
  Adding an E-mail Filter Server
  Editing Server Details
  Selecting an E-mail Server
  Disconnecting from an E-mail Filter Server
  Launching Server Configuration
  Configuration Workflow
  Configuring the Receive Service
  General Receive Service Settings
  Receive Service Configuration
  Pre-Screening
  Configuring the Rules Service
  Rules Service Properties
  Rules Service Configuration
  Queue Management
  Configuring the Send Service
  Send Service General Settings
  Connections
  Routing
  Smart Host Routing
  Requeuing
  Configuring The Administration Service
  Administration: Properties
  Configuring Administrators
  Configuration Complete
  Backing up your Server Configuration

MONITORING
  In This Chapter
  Launching the Monitor
  Parts of the Monitor Window
  Service Panes
  The Server Status Panes
  Queue Statistics and Status Bar
  QueueView
  Launching QueueView
  QueueView Window
  Deleting a Queued or Dead

WORKING WITH RULES
  In This Chapter
  Launching the Rules Administrator
  Rules Administrator Window
  Rules Pane
  Rules Object Pane
  How Filter Uses Rules
  Rules Objects
  Building a Rule
  Connecting Rules Objects
  Enabling a Rule
  Deleting A Rule
  Positioning of Rules
  Moving rules around
  Pre-defined Rules
  Rule Groups
  Exporting Rules
  Importing Rules
  Configuring the Rules Administrator
  Configuring Dictionary Scanning
  Configuring Password Protected Archives
  Configuring Document Decomposition
  Configuring HTML Parsing

RULES OBJECTS
  In This Chapter
  Adding A Rule Object to a Rule
  Reverse Logic
  Who Objects
  From Users and Groups
  Configuring The From Users and Groups Object
  Configuring an LDAP Connection
  Testing the LDAP Connection
  Inbound / Outbound Mail Object
  Configuring the Inbound / Outbound Mail Object
  To Users and Groups
  Configuring The To Users and Groups Object
  What Objects
  Anti-Spam Agent Object
  Anti-Spam Agent Tools
  Configuring the Anti-Spam Agent Object
  Updating the Anti-Spam Agent Object
  Anti-Virus Agent
  Configuring the Anti-Virus Agent Object
  The Pre-configured Anti-Virus Agent Rule
  Updating the Anti-Virus Agent
  Anti-Virus Scanning Object
  Configuring the Anti-Virus Scanning Object
  Multiple Scans
  Avoiding Conflicts with Third-Party AV Products
  Dictionary Threshold Object
  Configuring the Dictionary Threshold Object
  External Program PlugIn Object
  Configuring the External Program Plugin Object
  File Attachment Object
  Configuring the File Attachment Object
  Illegal MIME Format
  Configuring the Illegal MIME Format Object
  LexiMatch Object
  Configuring the LexiMatch Object
  Loop Detection Object
  Configuring the Loop Detection Object
  Message Size Object
  Configuring the Message Size Object
  Number of Recipients Object
  Configuring the Number of Recipients Object
  URL Category List Object
  Configuring the URL Category List Object
  Virtual Image Agent Object
  Configuring the VIA Object
  The Virtual Learning Agent Object
  Configuring the VLA Object
  When Object
  Configuring the When Object
  Operations Objects
  Archive Message
  Configuring the Archive Message Object
  Compress Attachments Objects
  Configuring the Compress Attachments Object
  Footers and Banners Object
  Configuring the Footers and Banners Object
  Header Modification Object
  Configuring the Header Modification Object
  HTML Stripper
  Configuring the HTML Stripper Object
  Routing Object
  Configuring the Routing Object
  Strip Attachments Object
  Configuring the Strip Attachments Object
  Notify Objects
  Blind Copy Object
  Configuring the Blind Copy Object
  Notification Object
  Configuring the Notification Object
  Actions Objects
  Allow Object
  Configuring the Allow Object
  Delay Message Object
  Configuring the Delay Message Object
  Discard Message Object
  Configuring the Discard Message Object
  Isolate Message Object
  Configuring the Isolate Message Object

MESSAGE ADMINISTRATOR
  In This Chapter
  Launching the Message Administrator
  The Message Administrator Window
  Configuring Message Administrator
  Launching Message Administrator Options
  General Tab
  Messages Tab
  File Types Tab
  HTML Viewer Tab
  Columns Tab
  The Message Toolbar
  The Queues and Logs Panel
  The Message List Panel
  Arranging Columns
  Quick Search using the Shortcut Menu
  The Message Parts Panel
  Viewing Decomposed Messages
  The Message Contents Panel
  Examining Messages
  Analyzing Messages
  Working with Queues
  Working with Queues on Multiple Servers
  Forwarding a Copy of the Selected Message
  Using Logs
  Using Queues and Logs with Multiple Servers

DICTIONARY MANAGEMENT
  In This Chapter
  Launching Dictionary Management
  The Dictionary Management Window
  Adding a Dictionary
  Adding Words to a Dictionary
  Editing Dictionary Words
  Deleting Words From A Dictionary
  Deleting a Dictionary
  Importing Dictionaries
  Importing a SurfControl Dictionary Pack
  Importing a Unicode Text File
  Exporting Dictionaries
  Exporting a Dictionary as a Dictionary Pack
  Exporting a Dictionary as a Unicode File

SCHEDULER
  In This Chapter
  Launching the Scheduler
  Scheduler window
  Scheduled Events
  Scheduling Anti-Virus Agent Updates
  Scheduling Anti-Spam Agent Updates
  Scheduling URL Category Updates
  Scheduling Queue Synchronization
  Scheduling Database Management Tasks
  Purging the Database
  Archiving the Database
  Shrinking the Database

REPORTING
  In This Chapter
  Installing Report Central
  Allocating memory to the tempdb transaction log
  Logging On for the First Time
  Remote Access
  System requirements for remote access
  Getting Started With Report Central
  Launching SurfControl Report Central
  Finding your way around
  Configuration Options
  Setting up Users
  Specifying logon details
  Specifying user permissions
  Specifying Report permissions
  Changing User Details
  Specifying a Mail Server
  Databases
  Connecting to a Different Database
  Resolving Database Memory Issues
  Increasing Memory to the Java Virtual Machine
  Increasing the TempDB Transaction File
  Archiving / Deleting Reports
  Enabling report archiving / deletion
  Deleting reports
  Archiving reports
  Reporting
  Standard Reports
  Rules Reports
  Traffic Statistics Reports
  Setting up Reports
  Selecting a report
  Specifying report criteria
  Specifying Running Options
  Schedule Options
  Generating Reports
  Saving Reports
  Public Folder
  Private Folder
  Sub-Folders
  Completed Reports

REMOTE ADMINISTRATION
  In This Chapter
  Administration Client
  Web Administrator
  Launching Web Administrator
  Launching Web Administrator Locally
  Launching Web Administrator From a Remote Location
  Message Administrator
  Dictionary Management
  Adding a Dictionary
  Adding Words to a Dictionary
  Viewing Logs Remotely

PERFORMANCE MONITORING
  In This Chapter
  Windows Performance Monitoring

VIRTUAL LEARNING AGENT
  In This Chapter
  Workflow
  Before You Begin
  Starting the VLA Training Wizard
  VLA Tutorial
  Training File
  Keywords
  Counter Category
  Trivial Words

DATABASE TOOLS
  In This Chapter
  Launching Database Tools
  Configuration Database
  Backing up the Configuration Database
  Restoring the Configuration Database
  Log Database
  Creating a New Log Database
  Archiving the Log Database
  Restoring an Archived Log Database
  Deleting a Log Database
  Truncating the Log Database Transaction Log
  SQL User Management
  Creating a New SQL User Account
  Changing the Password on a SQL User Account
  Deleting a SQL / MSDE Account
  Managing Database Authentication

APPENDIX A
  Anti-Spam Agent Categories & Criteria
  Core / Liability Categories
  Productivity Categories

APPENDIX B
  Supported File Types
  File Attachments Object
  Document Decomposition

APPENDIX C
  Anti-Virus Return Codes

APPENDIX D
  Editing Autoreply.txt

APPENDIX E
  Third-Party Reporting
  Database Schema
  SMTP Relationships
  System Log Relationships
  Message Relationships
Chapter 2 Notices

NOTICES

Copyright 2004 SurfControl plc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.

This product includes software developed by the Apache Software Foundation. This product contains work based on the wvware program, which is licensed under the Free Software Foundation General Public License. This product incorporates code from GoAhead Software Inc., Copyright 2003 GoAhead Software, Inc. All Rights Reserved.

SurfControl is a registered trademark, and SurfControl and the SurfControl logo are trademarks of SurfControl plc. All other trademarks are property of their respective owners.

COMMENTS ON THIS GUIDE?

You can view updated documentation and support information at
Was this guide helpful? E-mail us at [email protected] to suggest changes or make a correction.

Version 5.0, printed June 2005

TECHNICAL SUPPORT

For the latest support information on SurfControl products, visit

- Read the Top Issues - This page has a quick list that covers the most common support issues with the SurfControl products. If your problem is here, you will have an immediate answer.
- Search our Knowledge Base - Our new, constantly updated Knowledge Base contains articles, FAQs and glossary items to answer your questions about all SurfControl products.
- If your question or problem cannot be answered by the Top Issues or is not in the Knowledge Base, fill out an Online Support Request Form.
- Telephone Support - If you would like to speak with a Technical Support Representative, our excellent SurfControl Technical Support is just a phone call away.

SURFCONTROL SALES

For product and pricing information, or to place an order, contact SurfControl. To find your nearest SurfControl office, please visit our Website.
Chapter 1 Introduction

  In This Chapter
  About SurfControl Filter
  What's New in Version 5.0

IN THIS CHAPTER

This chapter introduces SurfControl Filter and its features.

ABOUT SURFCONTROL FILTER

SurfControl Filter is a server-based software solution that enables you to implement an Acceptable Usage Policy for e-mail within your organization. SurfControl Filter does this by scanning the content, sender, destination, attachments and size of all e-mail to and from the Internet, then applying rules that you have established to support your Policy.

The Rules Administrator makes it easy to configure rules that exactly match your requirements. Properties are added to the rules using a simple drag and drop technique which, though requiring careful planning initially, is then easy to set up and apply.

If a message triggers a rule, the Filter can selectively allow, isolate, delay or discard the message. Other options include Add a Footer, Blind Copy an Administrator / Manager, reply to the sender and notify the recipient. You can also have a message sent to an archive file for future reference. The action taken is defined by the rules that you set up and configure.

Further information about developing an Acceptable Usage Policy for your business can be found on our website at
WHAT'S NEW IN VERSION 5.0

Table 1 describes the advancements in functionality that version 5.0 delivers.

Table 1 New Features in version 5.0

| Feature | What it does |
|---|---|
| Advanced Anti-Spam Protection | |
| Enhanced Anti-Spam Agent | Digital Fingerprinting, Heuristics, Neural Net, and LexiRules provide industry-leading anti-spam effectiveness with zero administration cost. |
| Directory Harvest attack detection | Prevents spammers stealing your addresses by brute-force attacks. |
| Web Threat Protection | |
| URL Category List | Protects against the inappropriate and fraudulent Web links in e-mails. |
| Confidential Data Protection | |
| Expanded Dictionaries support | Includes 10 pre-packaged language packs, including: English, French, Spanish, Dutch, Italian, German, Portuguese, Japanese, Chinese Traditional, and Chinese Simplified. |
| Easier Virtual Learning Agent | Uses an adaptive reasoning technology tool to understand and protect your confidential data. |
| Improved Security | |
| Denial of Service protection | Detects and manages suspicious SMTP connections and offers fine-tuning of all SMTP connections, internal and external. |
| Secure Remote Access | Locks down remote administration by user logon. |
| Expanded Scalability | |
| Unlimited Connection Threads | Supports unlimited simultaneous connections, scaling up to meet requirements of the most demanding mail gateways. |
| Pipelining and Chunking (ESMTP) | Significantly improves mail throughput between mail servers that support these commands, such as MS Exchange and Lotus Domino. |
| LDAP Organizational Units | Tailors message-processing rules based on organizational structures already defined in LDAP. |
| Easier Administration | |
| Grouping of Rules | Organize your rules by the type of threats being managed. The default ruleset includes anti-spam, network security, and other useful groupings. |
| Expanded Filtering in Rules | Supports inbound/outbound Who functionality, filtering of PDF, TNEF, and RTF, and supports Office 2003 and Web Archive formats. |
| Redesigned Server Configuration | Offers a more powerful way to configure any server and view settings by service. |
| E-mail notifications of failed events | Instant awareness that any scheduled event has not been successful. |
| Report Central | Provides web-based reporting of filtering activity, with ability to lock down reporting access by user. |
| Single Management Console | Allows easy administrative access to each SurfControl server within the organization, providing a single portal view of multiple SurfControl E-mail & Web Filter deployments. |
Chapter 2 Finding Your Way Around

  In This Chapter
  How Filter Works
  Launching SurfControl Filter
  Launching Filter Components

IN THIS CHAPTER

This chapter explains how SurfControl Filter works, and the basics of navigating around the product.

Installation Guide, rev 1.0 SurfControl Filter 5.0 for SMTP

HOW FILTER WORKS

Figure 1 shows how a message is processed by Filter:

Figure 1 The filtering process
FILTER CORE COMPONENTS

There are three core components that you will use to manage

Table 1 Filter Core Components

| Component | What it does | Find out more |
|---|---|---|
| Message Administrator | The Message Administrator displays isolated e-mails so that you can release, move or delete them. It also shows the activity logs. | See Message Administrator on page 255. |
| Monitor | The Monitor shows the progress of e-mails through SurfControl Filter in real time. | See Monitoring on page 87. |
| Rules Administrator | Use the Rules Administrator to set up rules to meet the needs of your Acceptable Use Policy. | See Working with Rules on page 101 and Rules Objects on page 131. |

As well as the three core components, Filter contains the following additional components which enhance Filter's capabilities.

Table 2 Additional Components

| Component | What it does | Find out more |
|---|---|---|
| Dictionary Management | Dictionaries are used in rules to detect particular kinds of content. Use the Dictionary Management tool to configure Dictionaries to suit your needs. | See Dictionary Management on page 281. |
| Scheduler | Use the Scheduler to automate tasks such as: Anti-Spam Agent, URL Category List and Anti-Virus Agent updates; Database Maintenance; Queue Synchronization. | See Scheduler on page 301. |
| Queue View | Queue View displays information about messages currently held in queues. | See QueueView on page 96. |
| Virtual Learning Agent (VLA) | The VLA is a unique tool that you can train to understand and detect specific content. | See In This Chapter on page 390. |
| Web Administrator | Use the Web Administrator to manage isolated e-mails, view logs and manage dictionaries from a remote location. | See Web Administrator on page |
FILTER SERVICES

SurfControl Filter's functionality is managed by four software services:

- Receive Service
- Rules Service
- Send Service
- Administration Service

The services fit together like this:

Figure 2 Flow of e-mail through Filter Services.

You can stop or start any of the services; see page 12.

LAUNCHING SURFCONTROL FILTER

From the Start Menu, select Programs > SurfControl Filter, then select the Filter component you want to launch.

Figure 3 Launching Filter

When Filter is running, you will see the following icon in the system tray:

If you right-click the icon, a menu will display from which you can launch any of the Filter Components and stop and start the services:

LAUNCHING FILTER COMPONENTS

When you launch one Filter component you can launch a selection of other components from within the application. If you can launch a component, you will see the icon for it on the toolbar:

Table 3 Launching Filter Components

| Component | Icon |
|---|---|
| Dictionary Management | |
| Message Administrator | |
| Monitor | |
| Queue View | |
| Rules Administrator | |
| Scheduler | |
| Virtual Learning Agent (VLA) | |
| Web Administrator | |
Chapter 3 Setting Up Filter

  In This Chapter
  Connecting to a Different Filter Server
  Launching Server Configuration
  Configuration Workflow
  Configuring the Receive Service
  Configuring the Rules Service
  Configuring the Send Service
  Configuring The Administration Service
  Configuration Complete

IN THIS CHAPTER

This chapter explains how to connect to SurfControl Filter, and how to configure the Receive, Rules and Send services so that e-mail is filtered correctly.

CONNECTING TO A DIFFERENT FILTER SERVER

If you have more than one server running Filter, you can choose which of these servers you want the Monitor to connect to. For example, you can view the activity taking place on server A using an instance of Filter installed on server B. Server B can be running either a full install or just the Filter Administration Client.

You can manage your Filter Server connections from any of the following Filter components:

- Monitor
- Message Administrator
- Rules Administrator
- Dictionary Management
ADDING AN E-MAIL FILTER SERVER

If you want to monitor activity taking place on another server, you need to add its connection details to the list of available servers. To add a new server to the list, follow procedure 1.

Procedure 1: Adding an E-mail Server

1. From any of the Filter components listed above, select File > Select Server > Add New. The Add a New Server dialog will display.
2. In the Server Name field, enter the name of the server whose traffic you want to monitor. Alternatively, click Browse to navigate to a server.
3. Enter the user name and password for accessing the server.
4. Enter the connection port for the mail server you want to add. This is the port used by the Administration Service.
5. Click OK to confirm your changes.

Filter will automatically try to monitor activity on the server you have added. If it fails to do this, check that you have entered the server details correctly.

EDITING SERVER DETAILS

You can change the details of a mail server that you have added to the list:

Procedure 2: Editing Server Details

1. From any of the Filter components listed on page 16, select File > Select Server > Edit. The Select Server dialog will display.
2. Select the server whose details you want to edit.
3. Click OK. The Edit Server dialog will display.
4. You can change the user name, password and connection port. You cannot change the server name. When you have made your changes click OK.

SELECTING AN E-MAIL SERVER

When you add a server, it is displayed on the Select Server menu so that you can select it:

Procedure 3: Selecting a Server

1. From any of the Filter components listed on page 16, select File > Select Server.
2. The available servers are displayed on the Select Server menu. The current server is marked with a check.
3. Select the server you want to connect to.
4. Filter will attempt to monitor activity on that server. If the connection fails, check that the server details are correct.

DISCONNECTING FROM AN E-MAIL FILTER SERVER

To disconnect from the server you are currently connected to, select File > Disconnect from Server. E-mail activity taking place on that server will no longer be displayed in Filter.
LAUNCHING SERVER CONFIGURATION

To open the Server Configuration console, launch the Monitor, then select File > Server Configuration. Alternatively, click the Server Configuration icon on the Monitor toolbar.

The Server Configuration console looks like this:

Figure 1 Server Configuration console

Each branch of the console tree controls a group of Server Configuration settings. When you select a branch, the settings display in the right hand pane of the console.

CONFIGURATION WORKFLOW

To set up Filter correctly, you need to configure each of the four Services. Some of the Services have more than one group of configuration settings, over a series of branches. Table 1 shows how the Server Configuration console is structured, which branches relate to which Service, and where to find out more about each one.

Table 1 Configuration tasks

| Service | Branch | Sub-branch | Find out more |
|---|---|---|---|
| Receive service | General settings | | page 22 |
| | Configuration | SMTP settings | page 24 |
| | | Connections | page 27 |
| | Pre-Screening | Protected Domains | page 30 |
| | | Trusted IPs | page 33 |
| | | Blacklist | page 37 |
| | | Reverse DNS Lookup | page 42 |
| | | Realtime Black hole List (RBL) | page 45 |
| | | Directory Harvest detection | page 47 |
| | | Denial of Service detection | page 50 |
| | | Remote User Authentication | page 51 |
| Rules service | General settings | | page 53 |
| | Configuration | | page 55 |
| | Queue Management | | page 56 |
| Send service | General settings | | page 66 |
| | Connections | | page 67 |
| | Routing | | page 69 |
| | Smart Host Routing | | page 74 |
| | Requeuing scheme | | page 77 |
| Administration | Properties | | page 80 |
| | Configuration | | page 81 |
CONFIGURING THE RECEIVE SERVICE

The Receive service accepts SMTP traffic on port 25 and checks each e-mail against a series of pre-screening criteria. If the message passes these checks, Filter accepts the message and hands it over to the Rules Service for further processing. It is important to configure the Receive Service correctly to keep your system running efficiently and securely, and to maintain the flow of legitimate e-mail.

GENERAL RECEIVE SERVICE SETTINGS

The General Receive Service Settings branch looks like this:

Figure 2 Receive service: General settings

Received mail drop-off folder

When an e-mail has passed the pre-screening checks, Filter accepts the message and deposits it in the Received mail drop-off folder (also called the In folder). By default the path of the Received mail drop-off folder is:

C:\Program Files\SurfControl Filter\In\

You can enter a different path, or click Browse to choose another location.

Logging

The Logging options control where details of messages handled by the Receive service are recorded. Check the boxes to enable the logging you want. You can select any or all of the following three options:

Table 2 Logging options

| Logging Option | What it does |
|---|---|
| Real-time console | Details of incoming messages will display in the Receive console of the Monitor. For more information about the Monitor consoles, see Service Panes on page 90. |
| System log | System events related to incoming mail, such as the sending of notification messages, will be displayed in the System log in Message Administrator. See Using Logs on page 279. |
| Traffic log | Information about each incoming mail message will be displayed in the Traffic Log in Message Administrator. See Using Logs on page 279. |
RECEIVE SERVICE CONFIGURATION

The Receive Service Configuration branch has two sub-branches:

- SMTP Settings
- Connections

SMTP Settings

The SMTP Settings affect how Filter receives incoming e-mail for filtering. The SMTP Settings branch looks like this:

Figure 3 SMTP Settings

Table 3 shows the options for SMTP Settings.

Table 3 SMTP Settings

| Field | Description |
|---|---|
| Receive Service SMTP Port | The port used by Filter to receive SMTP traffic. This is displayed in the Receive Service SMTP Port. You can change the port by entering a different port number here. |
| Computer Name | You can specify which computer name the Receive service uses in its greeting when it receives a connection. Windows Computer Name: the Receive service will use the fully-qualified primary domain name of the computer where Filter is installed. Specify Computer Name: the Receive service will use the computer name you specify. You can use any commonly accepted form of host name, for example the domain name or the IP address. By default Filter will use the Windows Computer Name. |
| Telnet SMTP Greeting | The SMTP greeting is the greeting which is sent to a remote computer when it initiates a connection by sending a HELO or EHLO command. By default, the SMTP greeting is: 220 [server name].[domain name] You can add to this text so that the SMTP greeting consists of the default text plus any additions. You can use the SMTP greeting text to communicate your organization's policy on how that mail server can be used. For example, if you do not allow the mail server to be used as a relay host, you can warn mail clients not to try to relay mail through your server. |

To change any of these settings, follow procedure 4:

Procedure 4: Changing the SMTP settings

Changing the Receive Service SMTP Port

1. To change the Receive Service SMTP Port, enter a different port number in the box. Make sure that the port is not being used by another service.

Changing the Computer Name

1. Select Specify Computer Name.
2. Enter the computer name of the server where Filter is installed.

Customizing the Telnet SMTP Greeting

1. Select Customize. The Customize Greeting Text dialog will display.
2. Enter the Telnet SMTP greeting you want to use. This will display under the default greeting. Note: You can't delete or edit the default greeting text. When a HELO or EHLO command is received, all the text visible in the box will be sent as a greeting.
3. Click OK to close the Customize Greeting Text dialog.

When you have made your changes, click OK on the Server Configuration console.
Connections

The Connections settings affect how many connections the Receive service can accept, and how much incoming e-mail it can process at any one time. It is important to set these limits at appropriate levels for your system's capacity so that your network does not accept more connections than it has the resources to cope with.

The Connections branch looks like this:

Figure 4 Connections settings

Table 4 shows the connections that you can limit. Check the checkboxes of the limits you want to set. If a box is not checked, Filter will not limit the number of connections.

Table 4 Connection options

| Option | Description | Default |
|---|---|---|
| Maximum Connection Settings | | |
| Maximum active inbound connections | The total number of incoming connections that Filter will accept at any one time. | |
| Limit maximum connections for each trusted IP address | Limit the number of connections Filter will accept from the IP addresses on the Trusted IPs List. See Trusted IPs (Relay Sources) on page 33. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections. | |
| Limit maximum connections for each non-trusted IP address | Limit the number of connections from IP addresses not on the trusted IP addresses list. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections. | |
| Idle connection timeout | The number of seconds the Receive service will wait to receive data before terminating the connection. | |
| Data Size | | |
| Limit maximum message size | Limit the size (in MBytes) of inbound messages that Filter will accept. | MB |
| Limit maximum data per connection | Limit the total amount (in MBytes) of data that Filter will accept in a single connection. | MB |
| SMTP Options | | |
| Limit maximum messages per connection | Limit the total number of e-mails that Filter will accept in a single connection. | |
PRE-SCREENING

You can add an extra layer of protection against unwanted e-mails by setting up Pre-Screening. The Pre-Screening branch controls which connections Filter will accept, which means you can automatically drop connections from untrustworthy sources and control incoming e-mail, even before filtering takes place.

The Pre-Screening branch has eight sub-branches:

- Protected Domains
- Trusted IPs (Relay Sources)
- Blacklist
- Reverse DNS Lookup
- Realtime Blackhole List (RBL)
- Directory Harvest detection
- Denial of Service detection
- Remote user authentication
43 3 SETTING UP FILTER Note: There must always be at least one domain on the Protected Domains list. Protected Domains The Protected Domains branch is where you identify the domains for which you want to be filtered, and for which Filter will accept . When you installed Filter, you entered the primary domain name, but if your network has more than one domain (for example mycompany.co.uk and mycompany.com,) you must enter the others so that they can send and receive e- mail. To add a protected domain, follow procedure 5. Procedure 5: Adding a Protected Domain Step Action 1 On the Server Configuration console, select Receive Service > Pre-Screening > Protected Domains. 2 You will see the Protected Domains options displayed in the right hand pane of the console. 3 Click Add 4 The Protected Domain Properties dialog will display. 5 In the Domain Name field enter the name of the domain you want Filter to accept for, e.g. mycompany.co.uk The Administrator Address field will fill in automatically as Postmaster@ the domain you specify: e.g. [email protected] You can edit this address for example you could change it to [email protected] 30 Administrator s Guide SurfControl Filter for SMTP 5.0
You can also edit the details of a protected domain:

Procedure 6: Editing a protected domain
1. Select the domain you want to change.
2. Click Edit. The Protected Domain Properties dialog will display.
3. Make your changes to the Domain Name or Administrator's Address by typing in the fields.

You can also delete a domain from the protected domain list so that Filter will no longer accept e-mail for that domain.

Procedure 7: Deleting a protected domain
1. Select the domain you want to delete from the list.
2. Click Delete. You will be asked to confirm your choice.
3. Click OK. The domain will be removed from the list and Filter will no longer accept e-mail for that domain.

Warning: Filter does not check the Protected Domains list for duplicate entries on the Blacklist. Make sure you do not add the protected domain to the blacklist or e-mails to the protected domain will be rejected.
Warning: Disabling Anti-Spoofing makes it possible for spammers to send spoofed e-mails into your organization.

Anti-Spoofing

Sometimes spammers use a technique called spoofing to fake their From: address so that their messages appear to be from a protected domain. By default SurfControl Filter will block these messages. Filter can examine and authenticate the IP address of all incoming mail, and reject messages that cannot be authenticated. If you do not enable this function, messages from the protected domain will be accepted without examining the From address.

If your organization includes users who send mail from the protected domain from an unlisted IP address (for example dial-up users), you should set up SurfControl Filter to authenticate addresses using Receive Service Remote User Authentication. This will allow legitimate mail from these users to get through, while still denying messages from fraudulent addresses. See Remote User Authentication on page 51 for information about how to set up remote users.

By default Anti-Spoofing is enabled. SurfControl recommends that you keep it enabled.

Anti-Relay Protection

Spammers may attempt to relay messages via your mail server using old-style routing techniques. These routing techniques are not commonly used any more but may still be recognized by your mail server. SurfControl Filter can detect various routing relay techniques and deny e-mails that have been forwarded or routed using one of the following routing methods:

Table 5 Routing relay techniques

Relay Method:
- Bang routing
- Quoted routing
- Source routing
- Percent hack routing

Example: user%@[email protected]

If you do not deny Source Routing, SurfControl Filter will strip any additional routing information from the incoming message, so a message would be delivered as [email protected]
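The four relay syntaxes named in Table 5 can be recognized from the shape of the recipient address. The Python sketch below is an added example, not SurfControl code: the sample addresses in the comments are constructed, and the function names and the `deny` parameter are assumptions made for illustration.

```python
import re

# Address shapes for the relay methods named in Table 5. Sample addresses in
# the comments are constructed; all names here are illustrative assumptions.
SOURCE_ROUTE = re.compile(r'^@[^:]+:(?P<mailbox>.+)$')   # @hop1,@hop2:user@dest
QUOTED_ROUTE = re.compile(r'^"[^"]*@[^"]*"@.+$')         # "user@dest"@relay

ALL_METHODS = frozenset({'bang routing', 'quoted routing',
                         'source routing', 'percent hack routing'})


def _bare(address):
    """Drop surrounding whitespace and the <> of an SMTP path."""
    return address.strip().strip('<>')


def classify_route(address):
    """Return the Table 5 relay method an address uses, or None if it is plain."""
    addr = _bare(address)
    if SOURCE_ROUTE.match(addr):
        return 'source routing'
    if QUOTED_ROUTE.match(addr):
        return 'quoted routing'
    local, at, _domain = addr.rpartition('@')
    if not at:
        # No "@" at all: a bare UUCP-style path such as relay!dest!user.
        return 'bang routing' if '!' in addr else None
    # "!" and "%" are legal local-part characters, so flagging them is a
    # deliberately conservative policy decision, not a syntax check.
    if '!' in local:
        return 'bang routing'            # dest.example!user@relay.example
    if '%' in local:
        return 'percent hack routing'    # user%dest.example@relay.example
    return None


def strip_source_route(address):
    """Remove the hop list from a source-routed path, keeping the final mailbox."""
    match = SOURCE_ROUTE.match(_bare(address))
    return match.group('mailbox') if match else _bare(address)


def screen_recipient(address, deny=ALL_METHODS):
    """Return (verdict, address to deliver to) for one RCPT TO value.

    `deny` is the set of relay methods the administrator has left enabled.
    The guide states that a source route which is not denied is stripped;
    passing other non-denied routed addresses through unchanged is an
    assumption of this example.
    """
    method = classify_route(address)
    if method is None:
        return 'accept', _bare(address)
    if method in deny:
        return 'deny', None
    if method == 'source routing':
        return 'accept', strip_source_route(address)
    return 'accept', _bare(address)
```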
Procedure 8: Changing the Anti-Spoof / Anti-Relay Settings
1. In the Server Configuration console, navigate to the Protected Domains branch.
2. Click Advanced. The Anti-Spoof settings will display.
3. By default, all anti-spoofing and anti-relay protection options are enabled. To disable an option, uncheck the box. SurfControl recommends you keep all options selected to protect your system.
4. Click OK.

Trusted IPs (Relay Sources)

Trusted IPs are IP addresses of mail servers that are allowed to send e-mail to and/or from the protected domain. You should include details of all the mail servers in your organization for which you want to filter e-mail.

The purpose of the Trusted IP list is to identify:
- The IP addresses of the protected domains
- The IP addresses of any other nodes that need to access the protected domains from outside the network.
When you specify a Trusted IP, you also need to specify what can be relayed through that server by choosing a relay type. You can choose from the following:

Table 6 Relay types

| Type | Description |
|---|---|
| Outbound | The mail server can send only to IP addresses outside the protected domain. Message sender: must be in the protected domain. Message recipient: must be outside the protected domain. |
| Inbound | The mail server can send only to IP addresses inside the protected domain. Message sender: must be outside the protected domain. Message recipient: must be inside the protected domain. |
| Outbound and inbound | The mail server is allowed to send to any IP addresses (other than blacklisted ones). Message sender: can be inside or outside the protected domain. Message recipient: can be inside or outside the protected domain. One of these, either the sender or the recipient, must be inside the protected domain. |
| Open relay | The mail server is allowed to send to any other domain (including blacklisted domains) without any relay restrictions. Filter will accept any e-mail from the supplied IP address regardless of the domain name. Use with caution. |
| Denied | The mail server is denied a connection to Filter and will therefore be unable to relay through it. In effect the mail server will be blacklisted. For more information on blacklisting, see Blacklist on page 37. |

You can also specify that Filter will accept e-mail only from the Trusted IPs in the list. Select the Deny connections from all IP addresses not listed below checkbox to deny connections from any IP address that is not on the list.
To add a Trusted IP, follow procedure 9:

Procedure 9: Adding a Trusted IP
1. In the Server Configuration console, navigate to the Trusted IPs branch.
2. Click Add to open the Edit Relay Source dialog.
3. Enter the IP address of the mail server for which you want e-mail to be filtered.
4. Select a Relay Type. See table 6 for more information.
5. When you have made your choice, click OK.

Note: You cannot enter the same IP address twice. If you enter an IP address that is already on the list you will see the following error message: Duplicate entry, please try again

You can also edit the details of a Trusted IP:

Procedure 10: Editing a Trusted IP
1. In the Server Configuration console, navigate to the Trusted IPs branch.
2. Select the IP address you want to edit.
3. Click Edit to open the Edit Relay Source dialog.
4. Change the IP address and/or the Relay type.
5. Click OK.
To delete a Trusted IP, follow procedure 11.

Procedure 11: Deleting a Trusted IP
1. In the Server Configuration console, navigate to the Trusted IPs branch.
2. Select the IP address you want to delete.
3. Click Delete.
4. You will be asked to confirm your choice. Click Yes to delete the IP address.

When a mail client attempts to connect to Filter, the status of the connection is displayed in the Receive console of the Monitor. Table 7 shows some common status messages you may see and an example scenario to explain how each one might occur:

Table 7 Receive service status messages

| Message | Example Scenario |
|---|---|
| The sender must be from a protected domain as its IP is in the Trusted Outbound list. | The mail client's IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the sender is not in the protected domain. |
| The recipient must not be to a protected domain as the sender's IP is in the Trusted Outbound list. | The mail client's IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the recipient is inside the protected domain. |
| The sender must not be from a protected domain as the sender's IP is in the Trusted Inbound list. | The mail client's IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender is inside the protected domain, or is spoofed to appear to be from inside the protected domain. |
| The recipient must be to a protected domain as the sender's IP is in the trusted Inbound list. | The mail client's IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender has attempted to send an e-mail to an IP address outside the protected domain. |
| Connection rejected deny connection for unknown [n.n.n.n] (sender in Deny Connection list). | The IP address has been added to the Trusted IP list with a setting of Denied. The mail client is prohibited from making a connection to the Receive service. |
| Deny from [email protected] IP n.n.n.n (Deny Connection list) | The address [email protected] has been added to the Blacklist. The Receive service will reject any mail client trying to send an e-mail from [email protected], unless the mail client's IP is added to the Trusted IP list with a setting of Open Relay. |
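The relay types in Table 6 and the rejections in Table 7 amount to a small decision table. The Python sketch below is an added example, not the product's implementation: the IP addresses are constructed documentation addresses, the function and parameter names are assumptions, the Blacklist is not modelled, and the handling of a client that is not on the list (accept only mail addressed to a protected domain) is an assumption the guide does not state.

```python
from ipaddress import ip_address

# Constructed sample configuration; the domains are the guide's own examples.
PROTECTED_DOMAINS = {'mycompany.co.uk', 'mycompany.com'}
TRUSTED_IPS = {
    '192.0.2.10': 'outbound',
    '192.0.2.20': 'inbound',
    '192.0.2.30': 'outbound and inbound',
    '192.0.2.40': 'open relay',
    '192.0.2.66': 'denied',
}


def _inside(address, protected):
    """True when the address's domain part is a protected domain."""
    return address.rpartition('@')[2].lower() in protected


def relay_decision(client_ip, mail_from, rcpt_to, trusted=TRUSTED_IPS,
                   protected=PROTECTED_DOMAINS, deny_unlisted=False):
    """Return (accepted, reason) for one sender/recipient pair."""
    relay_type = trusted.get(str(ip_address(client_ip)))
    sender_in = _inside(mail_from, protected)
    rcpt_in = _inside(rcpt_to, protected)

    if relay_type == 'denied':
        return False, 'connection denied: IP is listed with a setting of Denied'
    if relay_type == 'open relay':
        return True, 'accepted: open relay, no relay restrictions'
    if relay_type == 'outbound':
        if not sender_in:
            return False, ("The sender must be from a protected domain "
                           "as its IP is in the Trusted Outbound list.")
        if rcpt_in:
            return False, ("The recipient must not be to a protected domain "
                           "as the sender's IP is in the Trusted Outbound list.")
        return True, 'accepted: outbound'
    if relay_type == 'inbound':
        if sender_in:
            return False, ("The sender must not be from a protected domain "
                           "as the sender's IP is in the Trusted Inbound list.")
        if not rcpt_in:
            return False, ("The recipient must be to a protected domain "
                           "as the sender's IP is in the trusted Inbound list.")
        return True, 'accepted: inbound'
    if relay_type == 'outbound and inbound':
        if sender_in or rcpt_in:
            return True, 'accepted: sender or recipient is protected'
        return False, 'neither sender nor recipient is in a protected domain'

    # Client is not on the Trusted IPs list.
    if deny_unlisted:
        return False, 'IP address is not on the Trusted IPs list'
    if rcpt_in:  # assumption: unlisted hosts may only deliver to protected domains
        return True, 'accepted: delivery to a protected domain'
    return False, 'relay attempt from an unlisted IP address'
```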
Note: To blacklist an IP address, enter it in the Trusted IPs (Relay Sources) list with a setting of Denied. See Trusted IPs (Relay Sources) on page 33.

Blacklist

If there are e-mail addresses or domains from which you do not want to receive e-mails, you can add them to the Blacklist. This is an important step in preventing unwanted content because:
- The Receive service will reject the e-mail before the message content is transferred to your mail server.
- No hard disk space is wasted storing unwanted e-mails.
- Fewer messages have to be processed by the Rules service, conserving system resources.

Procedure 12: Adding an item to the blacklist
1. In the Server Configuration console, navigate to the Blacklist branch.
2. Click Add. The Add / Edit deny list entry dialog will display.
3. Enter the domain or e-mail address you want to blacklist. In the Comment field you can enter a brief description of the item, or an explanation of why it is blacklisted. Note: The name of the domain and the comment must be less than 255 characters each.
4. Click OK. You will see the blacklisted item displayed in the right pane of the console.

Warning: Make sure you do not add the protected domain to the blacklist or e-mails to the protected domain will be rejected.
If you have added a domain to the blacklist, but want Filter to accept e-mail from individuals within that domain, you can exclude individuals from the blacklist. For example, if your organization was pursuing a grievance with another organization, you might want to block all e-mail from that organization except for their legal department.

Procedure 13: Excluding an item from the blacklist
1. In the Server Configuration console, navigate to the Blacklist branch.
2. Click Exclude. The Exclusions from the Blacklist dialog will display.
3. Click Add. The SMTP List Entry dialog will display.
4. Enter the e-mail address you want to exclude from the blacklist. Note: The address must be less than 255 characters.
5. Click OK.
To edit an item on the Exclude list, follow procedure 14:

Procedure 14: Editing an item on the Exclude list
1. In the Server Configuration console, navigate to the Blacklist branch.
2. Click Exclude. The Exclusions from the Blacklist dialog will display.
3. Select the item you want to edit and click Edit. The SMTP List Entry dialog will display.
4. Make your changes to the item and click OK.

If you have added an item to the Exclude list and want to remove it, follow procedure 15:

Procedure 15: Deleting an item from the Exclude list
1. In the Server Configuration console, navigate to the Blacklist branch.
2. Click Exclude. The Exclusions from the Blacklist dialog will display.
3. Click Delete. You will be asked to confirm your choice.
4. Click Yes to delete the item. Filter will no longer accept e-mail from this IP address or e-mail address.
Importing a Blacklist

If you have a large number of domains or e-mail addresses you want to blacklist or exclude, you can create a text file containing all the items, and import it into Filter. The text file can contain both the items you want to blacklist, and the items you want to exclude from the blacklist. Follow procedure 16:

Procedure 16: Importing a Blacklist

Creating the text file
1. Create a new .txt file using any text editor.
2. In the .txt file, enter the domains or e-mail addresses you want to blacklist. Each item on the list must follow this format:

    type;domain or address;comment

   Each item on the list must begin on a new line. If you do not want to add a comment, leave a blank after the final semicolon. type is a numerical code to identify whether the item is a domain, an e-mail address or an e-mail address on the exclusion list:

    0 = domain
    1 = e-mail address
    2 = e-mail address to be excluded from the blacklist

   Here are some example Blacklist entries:

    0;yahoo.co.uk;internet mail
    1;mailinglist.org.uk; known spammer
    2;legitimat @mailinglist.org.uk; legitimate newsletter

3. When you have finished editing the file, save it. You can save it to any location that is accessible to the server where Filter is installed. However, saving it within the SurfControl Filter folder will save time as the import facility automatically looks there first.

Importing the blacklist file
1. In the Server Configuration console, navigate to the Blacklist branch.
2. Select Import.
3. From the dialog box that opens, navigate to your saved blacklist file.
4. Select your saved blacklist file and click Open.
5. If the blacklist file has been imported into Filter successfully, you will see a confirmation message, and the list of blacklisted domains / e-mail addresses displayed in the right hand pane of the console. If the file does not import successfully, check that each entry has the correct syntax.
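Because the import only reports success or failure, and because Filter does not stop you from blacklisting a protected domain, it helps to check the file before importing it. The Python sketch below is an added example, not a SurfControl tool: the sample file content is constructed, the function name is an assumption, and trimming spaces around fields is a choice made for this check. It validates the `type;domain or address;comment` format, the 255-character limit, duplicates, protected domains on the blacklist, and exclusions that do not override any blacklisted domain in the same file.

```python
KINDS = {'0': 'domain', '1': 'address', '2': 'exclusion'}
MAX_LEN = 255  # the guide: domain name and comment must each be under 255 characters

# Constructed sample import file (not taken from the guide).
SAMPLE = """0;spam.example;bulk mailer
1;offers@ads.example;
2;legal@spam.example;legal department
0;mycompany.com;pasted by mistake
3;bad.example;wrong type code
0;Spam.Example;listed twice
2;news@other.example;newsletter
spam2.example
"""


def lint_blacklist(text, protected_domains):
    """Check the text of a blacklist import file.

    Returns (entries, problems): entries are (line, type, value, comment)
    tuples that passed every per-line check; problems are (line, message)
    tuples sorted by line number.
    """
    protected = {d.lower() for d in protected_domains}
    entries, problems, seen = [], [], set()

    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(';', 2)]
        if len(parts) != 3:
            problems.append((lineno, 'expected type;domain or address;comment'))
            continue
        kind, value, comment = parts
        value = value.lower()
        if kind not in KINDS:
            problems.append((lineno, f'unknown type code {kind!r}'))
        elif not value:
            problems.append((lineno, 'empty domain or address'))
        elif len(value) >= MAX_LEN or len(comment) >= MAX_LEN:
            problems.append((lineno, 'field is 255 characters or longer'))
        elif (kind, value) in seen:
            problems.append((lineno, 'duplicate entry'))
        elif kind != '2' and value in protected:
            problems.append((lineno, 'protected domain must not be blacklisted'))
        else:
            seen.add((kind, value))
            entries.append((lineno, kind, value, comment))

    # An exclusion only has an effect if its domain is blacklisted. Domains
    # already on the server's Blacklist are not visible here, so this is
    # reported for review rather than dropped.
    blocked = {value for _, kind, value, _ in entries if kind == '0'}
    for lineno, kind, value, _ in entries:
        if kind == '2' and value.rpartition('@')[2] not in blocked:
            problems.append(
                (lineno, 'exclusion does not override any blacklisted domain in this file'))

    return entries, sorted(problems)
```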
Note: You cannot blacklist a partial range of numbers, for example IPs from

Note: The default timeout is usually 3 seconds.

Blacklisting an IP range

You can blacklist an entire range of IP addresses by entering only the first three number sets in the IP address. For example if you wanted to blacklist all IPs from to , you could add to the blacklist.

Reverse DNS Lookup

The Receive service can check that an e-mail comes from a legitimate source by verifying that the domain name specified by the sending mail client in the HELO / EHLO greeting matches the domain name in its DNS record:
1. When a mail client requests a connection to the Receive service, the Receive service performs a reverse DNS lookup on that client's IP address to receive its PTR record.
2. If the PTR record does not exist, or if the DNS record doesn't match the host name specified in the HELO / EHLO command, the Receive service will terminate the connection at the MAIL FROM command, unless the sending mail client authenticates itself.

If a mismatch is detected, there are three actions that Filter can take. Table 8 explains each action.

Table 8 Reverse DNS Lookup Actions

| Action | What it does |
|---|---|
| Log Only | The mismatch of domain names is displayed in the Receive Service Console of the Monitor, but the Receive service will accept the connection and continue to process the e-mail. |
| Deny if no DNS record found | If the Receive service cannot find a DNS record that corresponds to the IP address of the sending mail server, and the sending mail client fails to authenticate itself, the connection will be terminated at the MAIL FROM command. |
| Deny if DNS record fails to match HELO string | If the domain name in the DNS record does not match the one in the HELO / EHLO command, the Receive service will terminate the connection at the MAIL FROM command, unless the sending mail client authenticates itself. |
By default Reverse DNS Lookup is disabled. To enable it, follow procedure 17:

Procedure 17: Enabling Reverse DNS Lookup
1. In the Server Configuration console, navigate to the Reverse DNS Lookup branch.
2. Select Enable Reverse DNS Lookup.
3. Now choose how Filter behaves if the domain names in the HELO string and the DNS record do not match. Select the option you want.

It is an RFC recommendation, but not a requirement, that the HELO / EHLO command contains the fully-qualified domain name (FQDN) of the sending mail client. If you have chosen to deny the connection, you may find that legitimate e-mail is blocked because the sending mail client does not use the FQDN in its HELO / EHLO command. To avoid blocking legitimate e-mail you should either:
- Select only to log the mismatch
- Exclude any known legitimate servers which may have a mismatched DNS / HELO string.

Procedure 18: Excluding a mail server from Reverse DNS Lookup
1. In the Server Configuration console, navigate to the Reverse DNS Lookup branch.
2. Click Exclude. The Exclusion from Client DNS Lookup dialog will display.
3. Click Add. The SMTP List Entry dialog will display.
4. Enter the IP address you want to exclude from Reverse DNS Lookup.
5. Click OK.
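The PTR-versus-HELO comparison, the three actions in Table 8, the authentication exception and the exclusion list combine as follows. This Python sketch is an added example, not the product's code: the function names, the action labels and the PTR data used to exercise it are assumptions, and treating a missing record as a failure under the "fails to match" action is also an assumption, since the guide does not say how that action handles a missing record.

```python
import socket


def system_ptr_lookup(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def _norm(name):
    """Compare host names case-insensitively and without a trailing dot."""
    return name.strip().rstrip('.').lower()


def check_helo(client_ip, helo_name, action='log', authenticated=False,
               excluded=(), ptr_lookup=system_ptr_lookup):
    """Decide what happens at MAIL FROM for one connection.

    action is one of 'log', 'deny_no_record', 'deny_mismatch' (labels chosen
    for this example, standing for the three rows of Table 8).
    Returns (verdict, finding) with verdict in {'accept', 'log', 'deny'}.
    """
    if action not in ('log', 'deny_no_record', 'deny_mismatch'):
        raise ValueError(f'unknown action {action!r}')
    if client_ip in excluded:
        return 'accept', 'client is excluded from Reverse DNS Lookup'

    ptr = ptr_lookup(client_ip)
    if ptr is None:
        finding = f'no PTR record for {client_ip}'
    elif _norm(ptr) != _norm(helo_name):
        finding = f'PTR {_norm(ptr)} does not match HELO {_norm(helo_name)}'
    else:
        return 'accept', 'PTR record matches HELO name'

    # A client that authenticates itself is let through despite the finding.
    if authenticated:
        return 'accept', finding + ' (client authenticated)'

    if action == 'deny_no_record' and ptr is None:
        return 'deny', finding
    if action == 'deny_mismatch':
        # Assumption: a missing record cannot match, so it is denied here too.
        return 'deny', finding
    return 'log', finding


# Constructed PTR data so the example can be exercised without a network.
CONSTRUCTED_PTRS = {
    '192.0.2.25': 'mail.example.org.',
    '192.0.2.26': 'host26.isp.example',
}
```

Only the PTR name is compared with the HELO name here, as in the procedure above; the sketch does not perform any further DNS checks.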
Realtime Blackhole List (RBL)

Filter can check an e-mail sender's domain name against a list of known spammers held in a Realtime Blackhole List. In order to enable this you need to know the domain name or IP address of the RBL you want to check e-mails against. If the e-mail comes from a sender on the RBL, Filter will reject it. If you want to use an RBL as part of the pre-screening process, follow the steps in procedure 19:

Procedure 19: Enabling Realtime Blackhole List Lookup
1. In the Server Configuration console, navigate to the Realtime Blackhole List branch.
2. Select Enable RBL DNS Lookup.
3. Click Add. The SMTP Lists dialog will display.
4. Enter the IP address or domain name of the RBL Server you want to use.
5. Click OK. You will see the RBL displayed in the RBL Servers box.
6. Now choose how you want Filter to deal with a connection from a sender on the RBL. Choose one of the following:
   - Log Only: the fact that the connection came from a sender on the RBL will be recorded in the system log and displayed in the Monitor.
   - Deny connection: the connection will be dropped and e-mail from that sender will be rejected.
A legitimate organization can sometimes be wrongly placed on an RBL, for example if its domain name has been used by a spammer to send spoofed e-mail. You can exclude an individual domain or IP address from RBL lookups so that Filter will accept e-mail from that source. If any e-mail you receive is mission-critical, you should make sure the sender's domain is excluded from RBL lookups.

Procedure 20: Excluding a mail server from RBL Lookups
1. In the Server Configuration console, navigate to the Realtime Blackhole List branch.
2. Select Exclude. The Exclusions dialog will display.
3. Click Add. The SMTP List Entry dialog will display. Enter the domain name or IP address that you want to exclude from RBL lookups. Filter will then accept connections from this source.
4. Click OK.
Note: If you restart the Receive service, these counts will be reset to zero.

Directory Harvest detection

Spammers use a variety of methods to mine your organization for valid e-mail addresses. If they succeed, it can not only cause an increase in spam, but also slow down the delivery of legitimate e-mail. A common technique is to flood a mail server with a large number of e-mails using fabricated addresses. Those addresses that are not immediately rejected by your mail server are assumed to be valid addresses and are added to the spammer's database, knowing that e-mail to these addresses will be received.

Filter can detect when an e-mail server is trying to send large numbers of e-mails for the purposes of directory harvesting, by keeping a count of:
- The number of invalid addresses per connection.
- The number of invalid addresses from each IP address per hour.

You can instruct the Receive service to terminate a connection when these counts reach a maximum that you specify. Directory Harvest Detection uses LDAP to check which addresses are valid and which are invalid.
To enable Directory Harvest Detection, follow procedure 21:

Procedure 21: Enabling Directory Harvest Detection

Enabling Directory Harvest detection
1. On the Server Configuration console, navigate to the Directory Harvest branch.
2. Select Enable Directory Harvest detection.

Adding an LDAP connection
1. On the Directory Harvest branch, click LDAP. The LDAP Connections dialog will display.
2. Click Add. The Add LDAP Connections dialog will display.

Configuring the connection to the LDAP Server
3. Give the LDAP connection a name. Each LDAP connection you configure must have a unique name.
4. In the Server Name field, enter the name of the LDAP server that you want to connect to.
5. To make it compulsory that Filter uses a username and password to log on to the LDAP server, select I must log on to this server and enter the username and password you want E-mail Filter to use.

Configuring the connection to the LDAP Server: Advanced
6. To specify additional information about the LDAP server, click the Advanced tab.
7. In the LDAP Port number field, enter the LDAP Port number, or keep the default of
8. If you want to use a secure connection (SSL) to connect to the LDAP server, select Use Secure Connection.
9. Specify a Search Base to use when searching for LDAP users and groups. The information for LDAP users and groups is not stored on the SurfControl Filter server; it is requested from the LDAP server as necessary, so specifying a Search Base makes the connection more efficient at locating specific users or groups.
10. In the Search timeout box, specify the amount of time that SurfControl Filter spends searching for users and groups before timing out. The default is 120 seconds.
11. In the Maximum number of search results box, enter the maximum number of users and groups you want the search to show.
Denial of Service Detection

Note: An incomplete SMTP session occurs when a connection is made but no e-mail is received.

A Denial of Service (DoS) attack is an attempt to stop a network from functioning by flooding it with useless traffic or using up network resources. DoS attacks can take many forms: a well-known example is the Ping of Death, which repeatedly sends packets exceeding the standard length to disrupt network traffic.

Filter can detect when servers are trying to launch a DoS attack by monitoring the number of incomplete SMTP sessions per hour. If you restart the Receive service, this count will be reset to zero.

To set up protection against DoS attacks, follow procedure 22:

Procedure 22: Enabling Denial of Service Detection
1. In the Server Configuration console, navigate to the Denial of Service Detection branch.
2. Select Enable Denial of Service Detection.
3. Specify how many incomplete SMTP sessions Filter will accept per IP address per hour. The default is five. If a single IP address attempts more than this number of incomplete SMTP sessions in an hour, Filter will act in the way you specify in step 4.
4. Choose the action you want Filter to take if it detects a DoS attack. You can:
   - Log the DoS attack in the System Log and the Monitor.
   - Deny any further connections from that IP address for the number of hours you specify (the default is 24 hours).
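Both Directory Harvest detection (invalid addresses from each IP address per hour) and Denial of Service detection (incomplete SMTP sessions per IP address per hour) rest on a per-IP hourly counter held in memory, which is why the counts reset when the Receive service restarts. The Python sketch below is an added example, not SurfControl code: the class and function names and the session records are constructed, and counting over a sliding 60-minute window is an assumption, as the guide does not say how the hour is measured.

```python
from collections import defaultdict, deque


class PerIpHourlyLimit:
    """Count events per IP over the last hour and block IPs that exceed a limit."""

    def __init__(self, limit=5, block_hours=24, window=3600):
        self.limit = limit                    # guide default for DoS detection: five
        self.window = window                  # seconds in the counting window
        self.block_for = block_hours * 3600   # guide default: 24 hours
        self.events = defaultdict(deque)      # in memory only: lost on restart
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, 0)

    def record(self, ip, now):
        """Count one event; return True if it takes the IP over the limit."""
        recent = self.events[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                  # forget events older than the window
        if len(recent) > self.limit:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return True
        return False


def replay(sessions, limiter):
    """Run (timestamp, ip, got_message) records through the limiter.

    got_message False marks an incomplete SMTP session: a connection was made
    but no e-mail was received. Returns (timestamp, ip, outcome) tuples.
    """
    outcomes = []
    for ts, ip, got_message in sorted(sessions):
        if limiter.is_blocked(ip, ts):
            outcome = 'refused'
        elif not got_message and limiter.record(ip, ts):
            outcome = 'limit exceeded'
        else:
            outcome = 'accepted'
        outcomes.append((ts, ip, outcome))
    return outcomes


# Constructed session records (timestamps in seconds, documentation addresses).
FLOODER = '203.0.113.9'       # six incomplete sessions within five minutes
SLOW_CLIENT = '198.51.100.4'  # six incomplete sessions spread over 83 minutes
SESSIONS = (
    [(t, FLOODER, False) for t in range(0, 360, 60)]
    + [(400, FLOODER, True), (300 + 24 * 3600, FLOODER, True)]
    + [(t, SLOW_CLIENT, False) for t in range(0, 6000, 1000)]
)
```

For Directory Harvest detection the same limiter would be fed one event per invalid recipient address, with the maximum that the administrator specifies.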
Remote User Authentication

If there are users in your organization who need to connect to your mail server from outside the protected domain (for example home workers using a dial-up connection), you can configure their access on the Remote User Authentication branch.

Procedure 23: Enabling Remote User Authentication
1. In the Server Configuration console, navigate to the Remote User Authentication branch.
2. Select Add. The User Authentication Information dialog will display.
3. Give the remote user a user name and password. The remote user will be asked to supply these authentication details when they attempt to log on to Filter.
4. Click OK. You will see the user name displayed in the right hand pane of the Server Configuration console.
If you have large numbers of remote users you want to configure, you can create a list as a text file and import it into Filter:

Procedure 24: Importing a list of remote users

Creating the text file
1. Create a new .txt file using any text editor.
2. In the text file list the remote users you want to authenticate. Each item on the list must follow the following syntax:

    SEFAUTH;user name;password;<cr><lf>

   For example:

    SEFAUTH;Rachel;abcd1234<CR><LF>
    SEFAUTH;Barney;xyz987<CR><LF>
    SEFAUTH;Homer;a1b2c3d4<CR><LF>
    SEFAUTH;Marge;z9y8x7<CR><LF>

3. When you have finished editing the file, save it. You can save it to any location that is accessible to the server where Filter is installed. However, saving it within the SurfControl Filter folder will save time as the import facility automatically looks there first.

Importing the text file
1. In the Server Settings console, navigate to the Remote User Authentication branch.
2. Click Import.
3. From the dialog box that opens, navigate to the file you want to import.
4. Select your saved list of users and click Open.
5. If your file is imported successfully, you will see a confirmation message, and the remote users will display in the right hand pane of the console. If your file does not import successfully, check that all the items on the list have the correct syntax.
CONFIGURING THE RULES SERVICE

SurfControl Filter works by checking e-mails against the rules you specify, to enforce your Acceptable Use Policy. The Rules Service controls how e-mails are checked and processed. The main Rules Service branch controls the Rules service properties. It also has two sub-branches:
- Configuration
- Queue Management

RULES SERVICE PROPERTIES

The Rules Service Properties settings affect the folders used by the Rules service to access, hold and act upon e-mails, and how the actions of the service are logged.

Figure 5 Rules Service properties
Rules service folders

There are three folders used by the Rules service to pick up, store and act upon e-mail.

Table 9 Rules service folders

| Folder | Function | Default path |
|---|---|---|
| Rules mail pick-up folder | The Rules service monitors this folder for incoming e-mail. It is also called the In folder. | C:\Program Files\SurfControl Filter\In |
| Work folder | The Work folder is where e-mails are held while they are being checked against the rules. | C:\Program Files\SurfControl Filter\Work |
| Processed mail dropoff folder | If an e-mail has been checked against the rules and allowed to proceed it will be placed in the Processed mail dropoff folder. If it has been delayed or isolated it will be placed in the folder specified by the rule it triggered. | C:\Program Files\SurfControl Filter\Out |

Warning: The path of the rules mail pickup folder must be exactly the same as the received mail dropoff folder.

You can edit the path of these folders or browse to the location you prefer.

Logging Options

The Rules service logging options control how the actions of the Rules service are recorded and where they are displayed:

Table 10 Rules service logging options

| Logging option | When enabled |
|---|---|
| Real-time console | The actions of the Rules service are displayed in the real-time console. For more information about the Real-time console, see Service Panes on page 90. |
| System Log | The status of the Rules service is displayed in the System Log in Message Administrator. For example, if you add and activate a new rule, you will see a message saying that the rules configuration has been reloaded. For more information about the System log, see page |
RULES SERVICE CONFIGURATION

The Rules Service Configuration branch looks like this:

Figure 6 Rules Service Configuration branch

Number of Rules Processing Threads

Specify the number of messages that the Rules service can process at any one time. For example, using the default setting of 4 means that the Rules service can check 4 e-mails at the same time. The default setting is 4, the maximum is 16.

Warning: If there are too many rules threads for your system to handle with its available memory, Filter will not function. Each extra thread you add requires approximately 16MB of memory above the minimum system requirement of 512MB RAM.
Corrupted Messages

If an e-mail has been corrupted, the Rules service may not be able to check it against the enabled rules. You can specify how Filter acts in the event that an e-mail becomes corrupted:

Table 11 Handling Corrupted Messages

| Action | What happens |
|---|---|
| Release corrupted messages | The corrupted e-mail will not be checked by the Rules service, and will be sent directly to its recipient. A copy of the e-mail will be left in the In folder. |
| Move corrupted messages to folder | The corrupted e-mail will be moved to the folder you specify. Enter the path of the folder, or browse to the destination you want. |
| Copy to folder and send corrupted message | Filter will take a copy of the corrupted e-mail and save it in the folder you specify, and then send the original to its recipient. Enter the path of the folder, or browse to the destination you want. |

QUEUE MANAGEMENT

If the Rules service detects that an e-mail has triggered a rule, there are four automatically managed actions that Filter can take:
- Discard the e-mail
- Release the e-mail
- Isolate the e-mail
- Delay the e-mail

E-mails that are isolated or delayed are held in dedicated queue folders until they are either discarded or released and sent to their recipient. Filter is installed with 11 pre-configured queues for easy management of e-mail, but you can set up others to suit your needs.
The Queue Management branch is where you configure and manage queues. The queues are displayed in the right hand pane.

Figure 7 Queue Management branch
Adding a queue

To add a queue, follow procedure 25:

Procedure 25: Adding a queue

Creating the queue
1. In the Server Configuration console, navigate to the Queue Management branch.
2. Click Add. The Queue Configuration dialog box will display.
3. In the Queue Name box enter the name of the queue you want to create, for example Gambling.
4. In the Queue Folder box, enter the path of the folder where you want the queue to be held. To navigate to a folder, click Browse. To create a new folder, click New Folder and enter the path and name of the new folder in the box that displays.
5. You can now either:
   - Click OK to accept the defaults
   - Configure the queue: see procedures
Editing and Deleting queues

Once you have created a queue you can change its details:

Procedure 26: Editing a queue
1. In the Server Settings console, navigate to the Queue Management branch. The Queue Configuration dialog will display.
2. Highlight the queue you want to change and click Edit. The Queue Configuration dialog will display.
3. You cannot change the name of the queue, but you can save it to a different folder by clicking Browse and navigating to the folder you want to save it into, or creating a new folder.
4. Configure the rest of the Queue settings as normal: see procedures

To delete a queue, follow procedure 27:

Procedure 27: Deleting a queue
1. In the Server Settings console, navigate to the Queue Management branch.
2. Select the queue you want to delete and click Delete.
3. You will be asked to confirm that you want to delete the queue.

Note: You cannot delete a queue if it contains messages or is being used by a rule.
Configuring your queue

Once you have entered the queue name and set up the queue folder, you can configure the details. The options are as follows:

Table 12 Queue Management options

| Option | What it does |
|---|---|
| Queue Administration | If there are multiple administrators in your organization you can specify which administrator has access to which queue for the management of e-mail. |
| Automated Queue Management | Automated Queue Management allows you to automatically release, delete or move isolated e-mails at the time you specify. |
| Administrator Alerts | Filter can send an e-mail to the administrator of a queue when the number of e-mails in that queue reaches a set number. |
To specify who can manage e-mails held in a queue, follow procedure 28.

Procedure 28: Configuring queue administration

1. In the Server Configuration console, navigate to the Queue Management branch.
2. If you have already created your queue, select it and click Edit. To create a new queue, follow Procedure 25, Adding a queue on page 58. The Queue Configuration dialog will display.
3. If you want the queue to be available to all systems administrators, choose All Users. This means that all administrators will be able to view, release, delete and move e-mails held in this queue.
4. If you want the queue to be restricted to specified administrators, select Selected Users. The administrators you can choose from will be displayed in the box. If you do not see a list of administrators here, you need to configure administrator accounts. See Configuring Administrators.
5. Select the administrators you want to have access to this queue by checking the boxes.
Automatic Queue Management

You can automatically delete, release or move messages that have been isolated or delayed for a specified amount of time:

Procedure 29: Configuring Automated Queue Management

Enabling Automated Queue Management

1. In the Server Configuration console, navigate to the Queue Management branch.
2. If you have already created your queue, select it and click Edit. To create a new queue, follow Procedure 25, Adding a queue on page 58. The Queue Configuration dialog will display.
3. Select Enable Automated Queue Management.
4. Now choose which action you want to be applied to the messages in the queue. You can choose from the following actions:
   - Release: release each message from its current queue folder a set time after it is placed there.
   - Delete: permanently delete each message a set time after it was placed in its current queue folder.
   - Move to: move each message to the specified queue a set time after it was placed in its current queue. Each queue is listed, and when you add a new queue it will be added to the list.
5. To specify the time when your chosen action will take place, select Configure. The Configure Automated Queue Management dialog will display.
6. You can set a time for your chosen action in two ways:
   - Take Action after time delay: Enter the amount of time in days, hours and minutes you want each message to be held in the queue before the action is applied to it. When each message arrives in its specified queue it will be held there for that period of time. The minimum amount of delay you can specify is 5 minutes.
   - Take action at Specified Times: Click Add to enter a time of day when you want your chosen action to take place. A dialog box will open for you to enter the time. Click OK, and the time will appear in the Automated Queue Management dialog.
7. If you want to keep a record of which messages have been deleted or released by automatic queue management, click Log to the system database. If you have chosen to automatically move messages to another queue, these cannot be logged and the check box becomes unavailable.
8. When you have set up automated queue management, click OK. The Automated Queue Management configuration dialog will close.
Administrator Alerts

Filter can notify the administrator of a queue when that queue reaches a specified size (e.g. messages).

Procedure 30: Enabling Administrator Alerts

1. In the Server Configuration console, navigate to the Queue Management branch.
2. If you have already created your queue, select it and click Edit. To create a new queue, follow Procedure 25, Adding a queue on page 58. The Queue Configuration dialog will display.
3. Select Enable Administrator Alerts.
4. Now specify how many messages the queue must contain before an alert is sent. By default, Filter will send a notification if the queue contains more than 1000 messages.
CONFIGURING THE SEND SERVICE

The Send Service controls what happens to e-mails after they have been allowed to proceed through the system by the Rules Service. It is important to configure the Send Service correctly, otherwise e-mails that have passed through the system will not reach their intended recipients.

The main Send Service branch of the Server Configuration console controls general Send Service settings. It also has four sub-branches:

- Connections
- Routing
- Smart Host Routing
- Requeuing scheme
SEND SERVICE GENERAL SETTINGS

Send Mail Pickup Folder

Warning: The Send Mail Pickup Folder must always be the same folder as the Rules Service Processed Mail Folder.

When an e-mail has been checked and allowed to proceed, it is placed in the Send Mail Pickup Folder (the Out folder), where the Send Service can pick it up for delivery. By default the path is:

C:\Program files\surfcontrol Filter\Out

You can change the path or browse to a different location.

Logging

When an e-mail is moved to the Out folder for delivery, you can log the action in two places:

Table 13 Send Service logging options

| Option | What it does |
|---|---|
| Real-time console | Details of messages placed in the Out folder will display in the Receive console of the Monitor. For more information about the Monitor consoles, see Service Panes on page 90. |
| System log | System events related to the Send Service will display in the System log in Message Administrator. See Using Logs on page 279. |

Select the logging options you want to enable.
CONNECTIONS

The Connections branch controls the type and number of connections that Filter can make when it is sending e-mails. There are three kinds of Connections settings that you can configure:

- Connections
- SMTP Options
- SMTP EHLO/HELO command

Connections

Table 14 shows the Connections settings.

Table 14 Send Service Connections

| Option | Description | Default | Maximum |
|---|---|---|---|
| Maximum active outbound connections | The maximum number of outbound connections that Filter can make at any one time. | | |
| Maximum connections per IP address | The maximum number of outbound connections that Filter can make to any single IP address. Note: This number must be less than or equal to the maximum active outbound connections. | | |
| Idle connection timeout | The number of seconds after which Filter will drop an attempted connection. | | |

SMTP Options

You can limit the number of e-mails that can be sent via a single connection:

Procedure 31: Limiting e-mails sent via a single connection

1. On the Server Configuration console, navigate to the Connections branch.
2. In the SMTP Options area, select Limit maximum messages per connection.
3. Now specify the maximum number of e-mails that SurfControl can send for any one connection.
SMTP EHLO / HELO Command

The SMTP EHLO / HELO command is the SMTP statement that will be used to initiate an SMTP connection with the receiving mail server in order to send the e-mail in the Out folder. There are two ways that Filter can initiate a connection:

Table 15 SMTP EHLO / HELO Command settings

| Setting | What happens |
|---|---|
| Use the local machine's host name as the domain name | When Filter initiates the outbound connection, the EHLO / HELO statement will use the host name of the machine where Filter is installed as a domain name, for example: HELO devserver |
| Specify the domain name | When Filter initiates the outbound connection, the EHLO / HELO statement will contain the domain name you specify, for example: HELO mycompany.com |
ROUTING

The Routing branch is where you define Filter's routing tables. You can move items up and down the list using the arrows.

Figure 8 The Routing branch

The routing table defines the location of your mail servers so that Filter can identify where to send e-mail within the protected domain.
Static Routes

By default, the protected domain you specified during installation is listed in the Static Routes list. If your organization has more than one protected domain, you need to add the other domains that you didn't specify during installation. You can also add details of an external mail server, for example if your organization generates a lot of traffic with a particular company.

Procedure 32: Adding a static route

1. On the Server Configuration console, navigate to the Routing branch.
2. Click Add. The Domain Route Settings dialog will display.
3. In the Domain Name for Static Route box, enter the domain name.
4. In the Route Host for this Domain box, enter the IP address of a server you want to handle e-mail for this domain.
5. In the IP port to use for this SMTP host box, enter the port number of the server you want to handle e-mail for this domain. This is usually port 25.
6. If Filter will need to supply authentication details to connect to the server, select Server Requires Authentication and enter a valid username and password.
Once you have added static routes, you need to specify how Filter will route e-mail addressed to destinations outside the domains specified on the Static Routes list. There are two ways it can do this:

- Using a default route you specify: The Send service will pass any e-mails addressed to domains not on the Static Routes list to the server you specify as the default route. This server will then handle the e-mail and perform the MX lookups to send the e-mail to its destination. The default route is initially the route you specified during installation, but you can change its details or add further servers.
- Using MX records: Filter will attempt to route the e-mail by performing the MX Lookups itself.

Configuring use of a Default Route

To set the default route, follow procedure 33.

Procedure 33: Configuring a Default Route

1. On the Server Configuration console, navigate to the Routing branch.
2. In the Undefined Route area, select Use Default Route.
3. Now click Configure. The Configure Default Routes dialog will display.
4. By default the default route is the server you specified during installation. You can Edit these details so that the default route is a different server, or you can Add further servers. Click either Edit or Add. The Domain Routes Properties dialog will display.
5. The name in the Domain Name for Static Route field is always Default.
6. In the Route Host for this Domain field, enter the IP address of the server you want to use as the default route.
7. In the IP Port to use for this SMTP Host field, enter the IP port Filter will use to communicate with the server.
8. If the server requires authentication, enter a valid user name and password. Confirm the password.
9. Click OK. The dialog will close and you will see the server details listed in the Default Routes Configuration dialog. Click OK to return to the Server Configuration Console.
Configuring MX Lookups

If you want Filter to perform MX Lookups, follow procedure 34:

Procedure 34: Configuring MX Lookups

1. On the Server Configuration console, navigate to the Routing branch.
2. In the Undefined route area, select Use MX Lookups.
3. Now click Configure. The MX Lookups Properties dialog will display.
4. If a domain exists but Filter cannot find an MX record for it, it can try to connect to the domain directly using port 25. Specify the action you want Filter to take if an MX Lookup fails. Choose one of the following:
   - Always try direct connections
   - Never try direct connections
   The timeout value for direct connections is 60 seconds, so attempting direct connections can delay the delivery of mail.
5. If you want MX records to be cached, select Cache MX records and specify how long you want MX records to be cached for (up to 24 hours).
6. If you want non-existent MX records to be cached, select Cache non-existent domains and specify how long you want the non-existent records to be cached for (up to 24 hours). If a non-existent MX record is cached, Filter will not attempt further MX lookups for that domain.
7. Click OK to return to the Server Configuration Console.
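The routing choices in Procedures 32 to 34 can be modelled as one decision function, shown here as an added example (not SurfControl code) so the effect of the cache and direct-connection settings can be tested before changing a live server. The class and function names, the sample DNS data and the 10.0.0.5 address are constructed, and the model assumes an empty MX answer is cached with the same lifetime as a normal one.

```python
from dataclasses import dataclass

MAX_CACHE_SECONDS = 24 * 3600  # the guide allows cache lifetimes up to 24 hours


@dataclass(frozen=True)
class Hop:
    host: str
    port: int
    via: str  # "static", "default", "mx" or "direct"


# Constructed DNS data: domain -> list of (preference, mail host).
# An empty list means the domain exists but has no MX record;
# a missing key means the domain does not exist.
CONSTRUCTED_DNS = {
    "partner.example": [(20, "mx2.partner.example"), (10, "mx1.partner.example")],
    "nomx.example": [],
}


def constructed_resolver(domain):
    """Stand-in for a real MX query; returns None for a non-existent domain."""
    return CONSTRUCTED_DNS.get(domain)


class Router:
    """Hypothetical model of the Routing branch settings."""

    def __init__(self, static_routes, default_routes=None, resolver=None,
                 try_direct=False, mx_ttl=0, nx_ttl=0):
        if min(mx_ttl, nx_ttl) < 0 or max(mx_ttl, nx_ttl) > MAX_CACHE_SECONDS:
            raise ValueError("cache lifetime must be between 0 and 24 hours")
        self.static_routes = {d.lower(): r for d, r in static_routes.items()}
        # A non-empty list models "Use Default Route"; empty models "Use MX Lookups".
        self.default_routes = list(default_routes or [])
        self.resolver = resolver
        self.try_direct = try_direct          # "Always try direct connections"
        self.mx_ttl, self.nx_ttl = mx_ttl, nx_ttl
        self._cache = {}                      # domain -> (expires_at, answer)
        self.lookups = 0                      # resolver calls actually made

    def _lookup_mx(self, domain, now):
        cached = self._cache.get(domain)
        if cached and cached[0] > now:
            return cached[1]                  # served from cache, no DNS query
        self.lookups += 1
        answer = self.resolver(domain)
        ttl = self.nx_ttl if answer is None else self.mx_ttl
        if ttl:
            self._cache[domain] = (now + ttl, answer)
        return answer

    def route(self, recipient, now=0):
        """Return the ordered hops to try for one recipient ([] = no route)."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.static_routes:
            host, port = self.static_routes[domain]
            return [Hop(host, port, "static")]
        if self.default_routes:
            return [Hop(h, p, "default") for h, p in self.default_routes]
        answer = self._lookup_mx(domain, now)
        if answer is None:                    # non-existent domain
            return []
        if answer:                            # lowest preference value first
            return [Hop(h, 25, "mx") for _, h in sorted(answer)]
        # Domain exists without an MX record: optional direct connection on port 25.
        return [Hop(domain, 25, "direct")] if self.try_direct else []
```

While a non-existent domain sits in the cache, `route()` keeps returning no route even after the domain's DNS has been corrected, which is the delivery delay to weigh when choosing a long lifetime for Cache non-existent domains.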
SMART HOST ROUTING

You can route e-mails to a specific mail server or MTA according to their content, for example:

- If your organization uses an encryption server, Filter can redirect messages that meet the criteria you specify for encryption. The encryption server encrypts the messages and sends them to their destination.
- If your organization has an archiving policy, Filter can send a copy of e-mails that meet your archiving criteria to the archiving server, while processing the original messages as normal.

Enabling Smart Host Routing

Before you start configuring Smart Host Routing, make sure that the Smart Host server can accept all mail from the Filter Send service. Consult your Smart Host documentation for more information on how to do this.
Once you have enabled the Smart Host to accept mail, you need to:

1. Configure Smart Host Routing in the Server Configuration console. Follow Procedure 35.
2. Set up a rule in the Rules Administrator which specifies which e-mails you want to be routed to the Smart Host. See Routing Object on page 236.

Procedure 35: Configuring Smart Host Routing

1. In the Server Configuration console, navigate to the Send Service > Smart Host Routing branch.
2. Click Add. The Smart Host Properties dialog will display.
3. In the Smart Host Name box, enter the name of the Smart Host server to which you want e-mails redirected.
4. Click Add. The Relay Host Properties dialog will display.
5. Enter the DNS server name or IP address of the Smart Host to which you want e-mails redirected (e.g. the encryption server).
6. Enter the IP port number that Filter will use to connect to the Smart Host.
7. If Filter needs to be authenticated by the Smart Host, select the Server Requires Authentication box, and enter the username and password of an account that will be accepted by the Smart Host.
8. Click OK to close the Relay Host Properties dialog.
9. You will see the details of your Smart Host server displayed in the Smart Host Properties dialog. If you are happy with these settings, click OK.
   Note: Smart Host routing supports failover. If you configure more than one relay host, the Send service will first try to send mail to the first relay host on the list. If it cannot send to that relay host, it will try each one in order. If the Send Service cannot send the message to any of the Relay Hosts, the message will be requeued.
10. You have now configured a smart host. To route e-mails to this server when they trigger a rule, you need to set up a rule containing the Routing object. See Routing Object on page 236.

Deleting a Smart Host

To delete a Smart Host, follow procedure 36. You can't delete a Smart Host that is being used in a rule.

Procedure 36: Deleting a Smart Host

1. In the Server Configuration console, navigate to the Send Service > Smart Host Routing branch.
2. Select the Smart Host you want to delete and click Delete.
3. You will be asked to confirm that you want to delete the selected Smart Host.
REQUEUING

If SurfControl Filter cannot send a message (for example because it cannot connect to a remote mail host), it will store the message in a queue and try to send it again at intervals. You can specify how often these attempts to resend messages take place. You can configure:

- How many times Filter will try to send the message.
- The length of time between each attempt.

You can decrease the number of attempts and increase the time between each attempt over four stages.

Figure 9 Requeuing branch
The default requeuing intervals are as follows:

Table 16 Requeuing intervals

| Stage | Retry attempts | Retry intervals | What happens |
|---|---|---|---|
| 1 | 12 | 15 min | Filter tries to send the e-mail once every 15 minutes for 12 attempts. |
| 2 | 21 | 60 min | Filter tries to send the e-mail once every 60 minutes for 21 attempts. |
| 3 | 8 | 360 min | Filter tries to send the e-mail once every 360 minutes for 8 attempts. |
| 4 | 0 | 1440 min | Filter tries to send the e-mail once every 1440 minutes for 0 attempts. |

You can change any of the retry attempts and retry intervals to suit your needs. However, SurfControl recommends that you leave the default settings unchanged.

Procedure 37: Changing the requeuing intervals

1. In the Server Configuration console, select the Send Service > Requeuing branch.
2. Change the number of attempts, or the number of minutes between each attempt, by entering new amounts in the boxes.

The requeuing intervals are added up to make the total retry time. If Filter cannot send the e-mail once the total retry time has elapsed, the e-mail is designated a dead message.
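To see how the Smart Host failover note in Procedure 35 and the four-stage requeuing schedule combine, the following added example (not SurfControl code) follows one message until it is sent or becomes a dead message. It assumes each retry happens one interval after the previous attempt and that the total retry time is the sum of attempts times interval over all stages; the relay host names and outage times are constructed.

```python
# (retry attempts, minutes between attempts) for stages 1 to 4, from Table 16.
DEFAULT_STAGES = [(12, 15), (21, 60), (8, 360), (0, 1440)]

# Constructed relay hosts for one Smart Host, in list order.
RELAYS = ["enc1.example", "enc2.example"]


def total_retry_minutes(stages):
    """Total retry time: every stage's attempts x interval, added up (assumption)."""
    return sum(attempts * interval for attempts, interval in stages)


def retry_offsets(stages):
    """Minutes after the first failed send at which each retry takes place."""
    offsets, clock = [], 0
    for attempts, interval in stages:
        if attempts < 0 or interval <= 0:
            raise ValueError("attempts must be >= 0 and interval > 0")
        for _ in range(attempts):
            clock += interval
            offsets.append(clock)
    return offsets


def pick_relay(relays, back_at, minute):
    """Failover: return the first relay host on the list that is reachable."""
    for host in relays:
        if minute >= back_at.get(host, 0):
            return host
    return None


def simulate(relays, back_at, stages=DEFAULT_STAGES):
    """Follow one message until it is sent or designated a dead message.

    back_at maps a relay host to the minute at which it becomes reachable
    (float("inf") = never); hosts not listed are reachable from minute 0.
    Returns (status, minute, relay, retries_used).
    """
    host = pick_relay(relays, back_at, 0)
    if host is not None:
        return ("sent", 0, host, 0)           # first attempt succeeded
    offsets = retry_offsets(stages)
    for used, minute in enumerate(offsets, start=1):
        host = pick_relay(relays, back_at, minute)
        if host is not None:
            return ("sent", minute, host, used)
    # Every relay failed at every retry: the total retry time has elapsed.
    return ("dead", total_retry_minutes(stages), None, len(offsets))
```

With the default stages the total retry time is 4320 minutes (three days), so a relay outage longer than that turns every message routed to it into a dead message.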
Dead Messages

Dead messages have the file extension .msg.d and are stored in the Out folder. When you configure the requeuing schedule you can choose to automatically delete dead messages as soon as the total retry time is up.

Procedure 38: Automatically deleting dead messages

1. In the Server Configuration console, navigate to the Send Service > Requeuing branch.
2. Select Automatically delete dead messages.
3. When the total retry time (as shown below the requeuing intervals) expires, the message will be irrevocably deleted.

Warning: If dead messages are allowed to build up in the Out folder it can impair the performance of the Send service and delay the delivery of e-mail.

If you do not discard dead messages automatically they will remain in the Out folder indefinitely until you delete them manually. While they are held in the Out folder you can attempt to re-send them using QueueView - see QueueView Window on page 97.
CONFIGURING THE ADMINISTRATION SERVICE

The Administration branch controls general system settings. It has one sub-branch, Configuration, where you can configure remote administrative access to Filter.

ADMINISTRATION: PROPERTIES

Figure 10 Administration Settings

General

Administrator's Address

When you set up a protected domain you are asked to specify the address of the system administrator for that domain. If Filter needs to send a notification (for example an NDR) it examines each recipient of the message and checks each domain against the Protected Domains list. As soon as it finds a recipient in a protected domain, Filter will send the notification from the administrator of that domain. If none of the recipients are in any of the protected domains, Filter will send the notification from the address specified in the Administration Settings.

You cannot enter more than one address here. However, if you create a group in Exchange containing all the Filter administrators, you can enter the group address, e.g. [email protected].
Print Configuration

You can print a record of your system configuration by clicking Print Configuration. A text file will display showing all the Server Configuration settings:

Figure 11 Configuration printout

By default the name of this file is STEFCFG_date_time (for example STEFCFG_09_Jul_2004), but you can save it under any name in any location.

CONFIGURING ADMINISTRATORS

The Administrators branch is where you configure access to remote administration of Filter. There are two methods of remote access:

- Using Web Administrator: The SurfControl Filter Web Administrator is a Web-based application that gives remote access to selected Filter functions from any computer via a Web browser.
- Using the Filter Administration Client: You can install the Filter Administration Client on a remote computer and use it to access the Filter user interface. For more information on how to install the client, see the SurfControl Filter Installation Guide.
Remote Administration Permissions

Table 17 shows the remote administration permissions you can set, and which method of remote access you can use for each permission setting.

Table 17 Remote administration permissions

| Permission setting | Access |
|---|---|
| All Permissions | All of the permissions on the list below. |
| Message Administration | View and work with isolated messages using Message Administrator functions. See Message Administrator on page 255 for more information about Message Administrator. |
| Rules Administration | Create and manage rules to enforce your organization's AUP using Rules Administrator functions. See Working with Rules on page 101 for more information about Rules Administrator. |
| Systems Administration | View the progress of e-mails through Filter in real time. See Monitoring on page 87. Configure SurfControl Filter using the Server Configuration console. See Setting Up Filter on page 15. |
| Dictionary Management | Manage Dictionaries and their content. See Dictionary Management on page 281 for more information. |
| View Logs | View the Traffic, Rules and System logs from a remote computer. |
| User Management | Set administrative access to Filter. |

Access method
Via Web Administrator: Yes No No Yes Yes No
Via Administration Client: Yes Yes Yes Yes Yes Yes
Adding a Remote Administrator Account

To use Remote Administration you need to add administrator accounts and set their permissions. If there are no administrator accounts, Remote Administration will be unavailable.

Procedure 39: Adding a remote administrator account

1. In the Server Configuration Console, select the Administrators branch.
2. Click Add. The User Profile dialog will display.
3. In the User Name field, enter the user name of the administrator you want to add.
4. In the Password field, enter the password of the administrator you want to add. Confirm the password in the Confirm box. The password should have at least six characters.
5. Select the permissions you want the administrator to have - see Table 17, Remote administration permissions, on page 82. The Queues box on the right-hand side displays which queues the administrator has access to. Use Queue Management to change these settings.
6. Click OK to confirm your changes and close the dialog box.
Editing a Remote Administrator Account

To edit a remote administrator account, follow procedure 40:

Procedure 40: Editing a Remote Administrator Account

1. In the Server Configuration Console, select the Administrators branch.
2. Select the administrator whose details you want to edit.
3. Click Edit. The User Profile dialog will display.
4. You can make changes to the user details or the permissions.
5. When you have made your changes, click OK.
Deleting a Remote Administrator Account

To delete a Remote Administrator account, follow procedure 41:

Procedure 41: Deleting a Remote Administrator Account

1. In the Server Configuration Console, select the Administrators branch.
2. Select the administrator account you want to delete.
3. Click Delete.
4. You will be asked to confirm that you want to delete the selected account.
CONFIGURATION COMPLETE

When you have made all your server configuration changes, click OK to confirm your changes. The Server Configuration console will display the following message:

Figure 12 Configuration update message

Filter will then stop and restart any services whose configuration has changed. You are now ready to begin filtering and monitoring e-mail.

BACKING UP YOUR SERVER CONFIGURATION

You can back up the configuration settings you have chosen so that you can replicate them on other servers, or restore them if for any reason you have to reinstall Filter. The Database Management Guide explains how to use the database management utilities.
Chapter 4 Monitoring

In This Chapter
- Launching the Monitor
- Parts of the Monitor Window
- QueueView
IN THIS CHAPTER

This chapter explains how to use the Monitor to view the progress of e-mails as they pass through Filter.

LAUNCHING THE MONITOR

From the Start Menu, select SurfControl Filter > Monitor. The Monitor window will display.
PARTS OF THE MONITOR WINDOW

The Monitor window is divided into panes, each showing information about a different part of the filtering process:

- Service Panes
- Server status pane: shows how long each Filter service has been running for, and keeps count of all the actions applied to each e-mail.
- Receive console: shows the activity of the Receive service.
- Rules console: shows the activity of the Rules service.
- Queue statistics pane: shows how many messages are held in each queue.
- Send console: shows the activity of the Send service.
- Status bar: shows the status of the Receive, Rules and Send services.

Figure 1 The Monitor

Figure 1 shows the default layout of the panes. You can drag the Server Status and Queue Statistics Pane anywhere on the desktop. You can also hide or show the Server Status and Queue Statistics pane by clicking

Tables 1 to 5, starting on page 90, explain the parts of the Monitor window in more detail.
SERVICE PANES

There are three Service Panes, showing the progress of e-mails through Filter:

Table 1 The Service Panes

| Pane | Information displayed |
|---|---|
| Receive console | Shows activity by the Receive Service. When a mail server or firewall requests a connection with SurfControl Filter, a log entry appears in this pane. |
| Rules console | Shows activity by the Rules Service. When Filter checks an e-mail against enabled rules, a log entry appears in this console. When an e-mail triggers an action (Isolate, Delay, Delete or Allow), the log entry is in red text. A log entry will also appear in this pane when you update the Anti-Spam Agent. |
| Send console | Shows activity by the Send Service. When Filter delivers a message (including those released from isolate or delay queues), a log entry appears in this pane. |

Clearing the Service Panes

You can clear the Service Panes of the information they show:

Procedure 1: Clearing the Service Panes

1. Right-click on the Service Pane you want to clear of information. The shortcut menu will display.
2. Select Clear Console.
3. The Service Pane will clear all its information. As soon as there is a new event, e.g. the service is re-started or the service handles an e-mail, log entries will display in the Service Pane again.
4. To clear all three Service Panes simultaneously, select View > Clear Status Windows.
Copying Service Pane information to the clipboard

You can copy the information displayed in each Service Pane to the clipboard to paste into another application (e.g. Notepad).

Procedure 2: Copying Service Pane information to the clipboard

1. Right-click on the Service Pane you want to copy. The shortcut menu will display.
2. Select Copy to Clipboard.
3. Paste the information into an application of your choosing, for example Notepad.

Changing the information displayed in the Service Panes

You can specify how much detail you want to be displayed in each Service Pane by changing the logging level. There are four levels to choose from:

Level 0

Level 0 is the lowest logging level. At level 0 you will see only basic information about the status of message processing, for example:

- Blue text to show when the Receive service has accepted an e-mail.
- Whether the message has triggered a rule or not.
- Blue text to show when the Send service has sent an e-mail.

Level 1

With the logging level set to 1 you will see more detailed information about service activity, for example:

- The SMTP conversation between the Receive service and the connecting mail client.
- The status of the rule checking process.
- The SMTP conversation between the Send service and the mail server it is connecting to.

Levels 2 and 3

Levels 2 and 3 display very detailed technical information sometimes used for diagnostic purposes. If you are discussing an issue with SurfControl Customer Support, you may be asked to increase your logging level to 2 or 3.

Note: SurfControl recommends you keep the logging level set to 0 or 1, unless necessary for support purposes.
Follow Procedure 3 to change the logging level:

Procedure 3: Changing the information in the Service Panes

1. Right-click on the Service Pane you want to change. The shortcut menu will display.
2. Select Console Logging Level, then specify the logging level you want, with 0 being the least detail and 3 being the most.
3. If you do not want to see information messages, for example notification of configuration reloads, select Hide Info Messages.
THE SERVER STATUS PANES

Note: You can stop, start and pause services from the Server Status Pane by right-clicking the service and selecting an action.

The Server Status areas show information about the running of the services and the connections they are making.

Information displayed in the Server Status Areas:

Table 2 shows the information displayed in the Receive Service Area.

Table 2 Server Status Panes: Receive Service

| Section | Information Displayed |
|---|---|
| Uptime | Time since the Receive service was last started. |
| Total messages | Number of e-mails handled by the Receive service during Uptime. |
| Total MB | Amount of data in MB handled by the Receive service during Uptime. |
| Connections: Total | Total number of connections accepted during Uptime. |
| Connections: Active | Number of connections currently active. |
| Connections: Denied | Number of connections denied during Uptime. |

Table 3 shows the information displayed in the Rules Service Area.

Table 3 Server Status Panes: Rules Service

| Section | Information Displayed |
|---|---|
| Uptime | Time since the Rules service was last started. |
| Enabled Rules | Number of rules currently enabled. |
| Messages Pending | Number of e-mails in the In folder awaiting checking against enabled rules. |
| Statistics (Total): Messages | Number of e-mails checked by the Rules service during Uptime. |
| Statistics (Total): Isolated | Number of e-mails moved to an Isolate folder during Uptime. |
| Statistics (Total): Delayed | Number of e-mails moved to the Delay folder during Uptime. |
| Statistics (Total): Discarded | Number of e-mails discarded during Uptime. |
| Statistics (Last Hour): Messages | Number of e-mails checked by the Rules service in the last hour. |
| Statistics (Last Hour): Isolated | Number of e-mails moved to an Isolate folder in the last hour. |
| Statistics (Last Hour): Delayed | Number of e-mails moved to the Delay folder in the last hour. |
| Statistics (Last Hour): Discarded | Number of e-mails discarded in the last hour. |
Table 4 shows the information in the Send Service Area.

Table 4 Server Status Panes: Send Service
Uptime: Time since the Send service was last started.
Total Messages: Total number of e-mails delivered by the Send service during Uptime.
Total MB: Total amount of data in MB handled by the Send service during Uptime.
Active Connections: Number of connections currently being made by the Send service.
Messages Pending: Number of e-mails in the Out folder awaiting delivery.
Failed Requeued: Number of e-mails that have been requeued because of a temporary failure to connect to the intended mail server.
Dead Messages: Number of e-mails that could not be delivered and have been designated dead messages.

Clearing the Statistics

If you re-start the Rules service, the Statistics (Total) and the Statistics (Last hour) displays will re-set to 0. You can also re-set these statistics by right-clicking on Rules Service and selecting Clear Statistics.
QUEUE STATISTICS AND STATUS BAR

The Queue Statistics Pane shows information about queue folders and the e-mails held in them. The Status bar shows activity by the Receive, Rules and Send services.

Table 5 Queue Statistics and Status bar
Queue Statistics: Shows all the queues currently set up, and the number of e-mails held in each queue. Double-click on a queue to view the contents in Message Administrator.
Status bar: Each box on the status bar shows the status of a Filter service. From left to right the boxes show the status of the Receive, Rules and Send services respectively:
  The left field (Receive service) shows the number of current connections to the Receive Service.
  The middle field (Rules service) shows the number of currently active Rules processing threads. This number is equal to the number of messages currently being processed by the Rules service.
  The right field (Send service) shows the number of connections being made by the Send service.
  If a service stops, an X will appear in its status field; if the service is running but a connection cannot be made, a question mark will appear. If a service is paused, a P will display in its status field.
QUEUEVIEW

If an e-mail cannot be delivered immediately, it is held in a queue while Filter attempts to deliver it. You can view the status of queued e-mails in the QueueView window.

LAUNCHING QUEUEVIEW

You can launch the QueueView window from the Start Menu, or from within the Monitor.

From the Start Menu: Select Programs > SurfControl Filter > QueueView.
From the Monitor: Click the QueueView icon on the Toolbar.

The QueueView window looks like this:

Figure 2 QueueView Window
QUEUEVIEW WINDOW

You can view information about three kinds of e-mails:

Queued Message Files: If Filter cannot send an e-mail immediately, it is requeued (see Requeuing on page 77) while Filter makes further attempts to send it.
Pending Message Files: Pending messages are messages that are waiting for Filter to make an initial connection with a mail server so that they can be sent. If Filter attempts to make a connection but is unsuccessful, the message will then be queued.
Dead Message Files: If Filter cannot send an e-mail and the total requeuing period has passed, it is designated a dead message. The message file is given a file extension of .d and held in the Out folder indefinitely until you act upon it.

To select which of these messages you want to view, follow Procedure 4.

Procedure 4: Selecting which messages to view
1. Launch QueueView.
Viewing Queued Messages
2. Select View > Queued files. The Queued Message Files view will display.
Viewing Pending Messages
3. Select View > Pending files. The Pending Message Files view will display.
Viewing Dead Messages
4. Select View > Dead files. The Dead Message Files view will display.

Each view is divided into columns showing the following information:

Table 6 QueueView Columns
File Name: The file name of the e-mail. The e-mail is stored under this name in the Out folder.
Date: The date that the e-mail was placed in the Out folder.
Time: The time that the e-mail was placed in the Out folder.
Recipient: The recipient in the e-mail's To: field.
Sender: The sender in the e-mail's From: field.
Subject: The subject in the e-mail's Subject: field.
Attempts: The number of attempts that Filter has made to send the e-mail.
Reason for failure: The reason Filter was unable to deliver the e-mail, for example if the recipient's address is invalid.

You can rearrange the QueueView columns: drag the columns into the order you prefer.
RE-SENDING A QUEUED OR DEAD E-MAIL

You can re-send dead or requeued e-mails. This means that SurfControl Filter will make a further attempt to deliver the e-mail.

Procedure 5: Re-sending a Queued or Dead E-mail
1. Launch QueueView and select the view you want to work with, either Queued Message Files or Dead Message Files.
2. Select the e-mail you want to re-send. Use Shift or Ctrl to select more than one e-mail.
3. Right-click on the selected e-mail. The shortcut menu will display.
4. Select Resend Message.
   Note: When an e-mail is designated a dead message, a failure report is sent to the sender. If you re-send the e-mail and it still cannot be sent, further failure reports will be sent. You should therefore avoid re-sending dead messages unless you are sure that they will be delivered successfully.
5. You will be asked to confirm that you want to resend the selected e-mail.
DELETING A QUEUED OR DEAD E-MAIL

You can delete queued or dead e-mails. This means that the e-mail will be irreversibly deleted, and will not be sent.

Procedure 6: Deleting a Queued or Dead E-mail
1. Launch QueueView and select the view you want to work with, either Queued Message Files or Dead Message Files.
2. Select the e-mail you want to delete.
3. Right-click on the selected e-mail. The shortcut menu will display.
4. Select Delete Message.
5. You will be asked to confirm that you want to delete the selected e-mail.

You can automatically delete dead messages immediately after the requeuing period has passed. See Dead Messages on page
Chapter 5 Working with Rules

In This Chapter
Launching the Rules Administrator
How Filter Uses Rules
Rules Objects
Building a Rule
Positioning of Rules
Pre-defined Rules
Rule Groups
Exporting Rules
Importing Rules
Configuring the Rules Administrator
IN THIS CHAPTER

The Rules Administrator is where you define, create and manage the rules that underpin your Acceptable Use Policy. This chapter explains how Filter uses the rules you specify to check e-mail. In this chapter you will also learn how to:

Configure the Rules Administrator to suit your needs.
Use SurfControl Filter's preconfigured rule set.
Create your own custom rules using the Rule Objects.
Manage and organize rules for optimum performance.

Chapter 6, Rules Objects, gives a detailed breakdown of each rule object and how to include it in a rule.
LAUNCHING THE RULES ADMINISTRATOR

From the Start Menu, select SurfControl Filter > Rules Administrator.

Figure 1 Launching Rules Administrator from the Start Menu
RULES ADMINISTRATOR WINDOW

The Rules Administrator window looks like this:

Toolbar: icons to manage rules and launch other Filter components.
Tabs: divide the Rules objects into logical groups.
Rules pane: displays all available rules and their status.
Rules objects pane: displays all available rules objects.
Rules palette: drag and drop the Rules objects here to build or modify a rule.

Figure 2 The Rules Administrator Window
RULES PANE

The upper part of the window displays all the available rules:

The rules are grouped into a logical order. You can create and delete groups, and move rules from one group to another.
Rule description: when you create a Rule you can give it a summary description.

Figure 3 The Rules Pane

Each line shows information about a rule:

If this box is checked, all the rules in the group are enabled.
The group that the rule belongs to.
The number of enabled rules in the group.
If this box is checked, the rule is enabled.
The name of the rule.
What the rule does.

Figure 4 A Rule
RULES OBJECT PANE

The lower part of the window shows:

The list of Rules objects you can use to build a rule.
The Rules palette, where you build and modify rules.

There are five kinds of Rules object. When you select a type of Rules object, the objects belonging to that type are displayed here.
When you select a Rule from the list, the objects used to create the rule are displayed here.

Figure 5 Rules Objects and Rules Palette

HOW FILTER USES RULES

The Rules service checks the e-mail against the list of enabled rules, starting at the top of the window and working through the enabled rules in order until the message triggers a rule. If an e-mail triggers a rule, Filter will act on it in the way specified in the rule.

The four Actions objects (Allow, Delay, Discard, Isolate) are terminating actions. Once Filter performs a terminating action on an e-mail, no further processing takes place.

If an e-mail passes all the rules checks without being isolated, delayed or discarded, it is placed in the Out folder for delivery to its destination.
RULES OBJECTS

Rules Objects are the basic logical units that you use to create a rule. There are five types of Rules object. The order they are listed in Table 1 is the logical order in which they should be added to a rule.

Table 1 Types of Rules Object
Who: A Who object in a rule affects who the rule applies to, for example an individual, a department, senders or recipients of e-mail. If you don't include a Who object in a rule it will apply to everybody sending and receiving e-mail in and out of your protected domain. Find out more: Who Objects on page 135.
What: A What object in a rule checks the characteristics of the e-mail against the criteria you specify, for example size, content, type of attachments. Find out more: What Objects on page 155.
Operations: An Operations object in a rule will modify the e-mail in some way, for example by adding a footer. Find out more: Operations Objects on page 222.
Notify: A Notify object in a rule will send an e-mail to the user you specify to notify them that a rule has been triggered. Find out more: Notify Objects on page 241.
Actions: An Actions object in a rule will perform an action on the e-mail, for example isolating it. Once an action has been carried out, no further processing takes place on the e-mail. Find out more: Actions Objects on page 246.
BUILDING A RULE

GUIDELINES

In order to be effective, a rule should usually:

Begin with a Who object.
Work through the object types in the order they are shown on the Rules Object pane: Who, What, Operations, Notify, Actions. You do not have to include every object type in every rule, but without a Who or What object, every e-mail will trigger the rule.
Finish with an Action object.

CONNECTING RULES OBJECTS

You can connect Rules Objects together in different ways, depending on how you want the rule to work. Rules Objects connected together form logic blocks, and you can connect these logic blocks together to form a complete rule. There are four logical connections you can use:

Table 2 Rule connectors
IF: The opening statement of a rule.
AND: Adds extra conditions to the logic block.
OTHERWISE IF: Creates a new logic block that will trigger if the conditions of its preceding logic block are not met.
THEN: Connects the conditions to an event which will take place if the conditions are met: a Notify, Operations or Action object.

For example, this rule has two logic blocks and uses all four connectors:
Procedure 1 shows how to create a rule. As an example, this procedure creates a rule that will isolate e-mails containing links to inappropriate Websites.

Procedure 1: Creating a Rule
1. Right-click on any rule in the Rules description area. The Shortcut menu will display.
2. Select New Rule. The New Rule dialog will display.
3. Enter the name of the rule in the Rule name box. In the Rule description box, enter a brief description of what the rule will do.
4. If you want the rule to be enabled as soon as you create it, check the Enabled box.
   Note: The rule will not be applied to e-mails until you save your changes.
5. Click OK. You will see that the Rules palette becomes empty, ready for you to add Rules objects.
6. Select the Who tab. You will see the available Who objects listed.
7. Select a Who object and drag it onto the Rule palette. The properties sheet for the object will display, where you can specify the exact conditions of the object. To learn more about Rules objects and how to configure them, see Rules Objects on page 131.
   Note: You do not have to use a Who object in all the rules you create. If you want a rule to apply to everybody sending e-mail to or from your organization, you can leave out the Who object.
8. When you have configured the Who object, click OK. You will see the Who object is displayed in the Rules palette. A Continue Processing object is automatically added to the end of the logic block, and will remain there until you choose an Action object to specify how Filter deals with e-mails that trigger the rule.
9. Now choose a What object to specify what criteria you want to apply to e-mails. Select the What tab. You will see all the available What objects listed.
10. Drag your chosen What object onto the Rules palette and place it underneath the Who object. The properties sheet for your chosen What object will display. Configure the object and click OK. You can read a full description of each object starting on page
11. The What object will display underneath the Who object.
12. Now add further objects to develop your rule. These could be from the What, Operations or Notify tabs. You don't have to use an object from each tab.
13. Once you have built your rule, you are ready to implement it. Make sure that the checkbox is checked; this means that the rule is enabled. Now save your changes by clicking the save button. Your rule will not be applied to any e-mails until you save your changes.
ENABLING A RULE

Procedure 2: Enabling a Rule
1. Select the checkbox next to the rule you want to enable.
2. Click to save your changes.
   Note: If you do not save your changes, the rule will not apply to e-mails, even though it appears to be enabled.

DELETING A RULE

Procedure 3:
1. Highlight the rule you want to delete.
2. Click the delete icon.
3. You will be asked to confirm if you want to delete the selected rule.
4. Click to save your changes.
   Note: If you do not save your changes, the rule will continue to apply to e-mails, even though it no longer appears on the Rules list.
POSITIONING OF RULES

When Filter processes an e-mail, it checks the message against each of the rules in order, from the top of the screen, until it reaches a terminating action (Allow, Delay, Discard or Isolate) or until the e-mail has been checked against all the rules and allowed to continue. Changing the order of rules can therefore change which e-mails trigger rules and which are allowed to reach their destination.

Rules are always processed from the top of the screen to the end, regardless of the Rule Group they are in:

Figure 6 Rules are processed from top to bottom.

When an e-mail triggers a rule with an Action object (Allow, Delay, Discard or Isolate) it is not checked against any subsequent rules. In the example below, the user has placed a rule allowing all e-mail from the systems administrator above a rule to detect virus-infected e-mail.
This means that if the administrator were to send a virus-infected e-mail, it would be checked by the first rule and allowed to continue without any further processing. The message would not be checked against the Anti-Virus Agent rule because it had already encountered a terminating action (the Allow object in the first rule).

MOVING RULES AROUND

Use the arrow buttons to move a selected rule up or down the order. Alternatively, use the mouse to drag the rule into the position you want. A red line will show you where the rule will be placed:

Figure 7 Moving a rule
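The ordering effect described under Positioning of Rules, as an added Python example that is not SurfControl code or the product's rule format: a first-match evaluator, plus a check that replays constructed probe messages and reports rules left unreachable behind an Allow. The Rule class, the message fields (sender, infected, size_mb) and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The four terminating Actions objects named in the guide.
TERMINATING = ("Allow", "Delay", "Discard", "Isolate")


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]  # hypothetical stand-in for Who/What objects
    action: str                      # a terminating action, or anything else to continue
    enabled: bool = True


def first_hit(message: dict, rules: List[Rule]) -> Optional[int]:
    """Index of the first enabled rule, top to bottom, whose conditions the
    message meets and whose action is terminating."""
    for index, rule in enumerate(rules):
        if rule.enabled and rule.action in TERMINATING and rule.matches(message):
            return index
    return None


def process(message: dict, rules: List[Rule]) -> Tuple[Optional[str], str]:
    """Return (rule name, action); a message that triggers nothing goes to Out."""
    index = first_hit(message, rules)
    if index is None:
        return None, "Out"
    return rules[index].name, rules[index].action


def shadowed_by_allow(probes: List[dict], rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """For each probe ended by an Allow, list every later enabled rule that
    would have triggered: (probe id, Allow rule, skipped rule)."""
    findings = []
    for probe in probes:
        index = first_hit(probe, rules)
        if index is None or rules[index].action != "Allow":
            continue
        for later in rules[index + 1:]:
            if (later.enabled and later.action in TERMINATING
                    and later.action != "Allow" and later.matches(probe)):
                findings.append((probe["id"], rules[index].name, later.name))
    return findings


ADMIN = "sysadmin@example.test"  # constructed address

# Rule order from the guide's example: the Allow sits above the virus rule.
RULES = [
    Rule("Allow systems administrator", lambda m: m["sender"] == ADMIN, "Allow"),
    Rule("Anti-Virus Agent", lambda m: m["infected"], "Isolate"),
    Rule("Files > 2MB", lambda m: m["size_mb"] > 2, "Delay"),
]

# Same rules with the virus check moved above the Allow.
REORDERED = [RULES[1], RULES[0], RULES[2]]

# Constructed probe messages; "infected" stands in for the scanner's verdict.
PROBES = [
    {"id": "admin-infected", "sender": ADMIN, "infected": True, "size_mb": 0.1},
    {"id": "user-infected", "sender": "user@example.test", "infected": True, "size_mb": 0.1},
    {"id": "admin-large", "sender": ADMIN, "infected": False, "size_mb": 5},
]

if __name__ == "__main__":
    for label, ruleset in (("original order", RULES), ("reordered", REORDERED)):
        print(label)
        for probe in PROBES:
            print("  ", probe["id"], "->", process(probe, ruleset))
        for finding in shadowed_by_allow(PROBES, ruleset):
            print("   skipped:", finding)
```

After reordering, the only rule still skipped for the administrator is the size delay, which leaves a deliberate exemption to confirm rather than an unscanned attachment.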
PRE-DEFINED RULES

SurfControl Filter comes with a comprehensive series of pre-defined rules, so that you can start filtering straight away.

Although the pre-defined rules are a quick and easy way to begin filtering e-mail, you will still need to enter some details to make the rules work correctly in your organization. For example, you will need to enter your domain name in the Footers & Banners Rule, and specify the location of your anti-virus scanning software for the Virus Rule.

Procedure 4: Using the Rule Configuration Wizard
1. Enable the rule you want to enable, by selecting the checkbox.
2. If the rule needs to be configured, the Rule Configuration Wizard will display. Click Next.
3. Follow the instructions in the Wizard to configure the rule.

If you enable a rule but don't fill in the Configuration Wizard, the rule may not filter e-mail correctly.
Editing pre-defined rules

Clicking on each rule will reveal its objects in the Rules palette. You can edit these pre-defined rules to suit your organization in the same way as if you were creating a new rule. See Building a Rule on page 108 to find out more about how to create rules, or Chapter 6 for a full list of Rules objects.

Table 3 lists the pre-defined rules. On this page the table carries the group headings Network Security Rules, Virus Protection Rules, Spam Rules and Inappropriate Material Rules.

Table 3 Pre-defined Rules
Loop Detection: Isolates messages that loop more than 5 times.
Illegal MIME format: Isolates non-standard or malformed messages.
Executables: Isolates messages that contain executable attachments.
Encrypted: Detects if staff are transmitting S/MIME or PGP files.
Compressed: Isolates mail that fails automatic decompression.
VBS Scripts: Strips VBS attachments from messages.
Anti-Virus Agent: Isolate messages that contain a virus that cannot be cleaned.
Third-party Virus Scanning: Isolate messages that contain virus-infected or suspect attachments.
Whitelist: Allows e-mails from designated parties.
Anti-Spam Agent: Isolates messages that trigger the Anti-Spam Agent.
URL Category List: Isolates messages containing URLs from the category list.
Advertisement E-mails: Isolates messages containing the ADV: advertisement tag.
Spam Misspellings Dictionary: Isolates messages containing common misspelled spam words.
Spam Dictionary: Isolates messages with a Spam dictionary score > 120.
Adult Dictionary: Isolates messages with an Adult dictionary score > 100.
Gambling Dictionary: Isolates messages with a Gambling dictionary score > 100.
Virtual Image Agent: Isolates messages that contain explicit adult images.
HTML Stripper: Strip active HTML components from messages.
Graphics Sound Video: Isolates messages containing graphics, sound or video files.
Offensive or Derogatory: Isolates messages with Hate or Violence Dictionary.
Table 3 Pre-defined Rules (continued)

Network Resources Rules
Files > 2MB: Delay messages larger than 2MB.
More than 10 recipients: Bcc administrator if message has more than 10 recipients.
Competitors: Isolate transmission to competitors.
Computer Security: Isolate outbound messages containing the word username or the word password.
Confidential Information: Isolate outbound messages containing intellectual property or confidential data.

Other
Footers: Attach an outbound or inbound footer.
RULE GROUPS

You can organize your rules by moving them into groups. Rule Groups make it easier to manage and apply your rules, so that you can:

Keep similar rules together.
Enable all similar rules (for example all the anti-spam rules) with a single mouse click.
Delete a rule set you no longer need quickly and easily.

Filter's pre-configured rules are already organized into five groups (see Table 3 on page 116).

Creating a Rule Group

To create a Rule Group, follow Procedure 5.

Procedure 5: Creating a Rule Group
1. From the Rule menu, select New Group. Alternatively, click the New Group icon. The New Group dialog will display.
2. Give your group a name.
3. If you want to create a new rule within the new group, select Create a New Rule.
4. Click OK. You will see the new group displayed in the Rules pane. If you selected Create a New Rule, the New Rule dialog box will automatically display. The new rule you create will automatically be placed inside the group you have created.

Moving a Rule into a Group

To move a rule into a group, click the Rule you want to move and drag it onto the group. When the mouse pointer is positioned correctly over a rule, you will see a red arrow. This means that if you release the mouse button, the rule will become part of that group:

Figure 8 Moving a rule into a group
Working with Groups of Rules

Note: Don't forget to click Save to activate your selected rules.

You can enable all the rules in a group by checking the box next to the group you want to enable. All the rules in the group will immediately appear selected:

Figure 9 Enabling a group of rules

Clear the box next to the group to disable all the rules in the group:

Figure 10 Disabling a group of rules

If you select some, but not all, of the rules in a group, the box next to the group icon will appear partially selected:

Figure 11 A partially enabled group
EXPORTING RULES

You can export rules into a separate .rul file, which you can then use to restore your saved rule set. This is useful if you are deploying Filter on multiple servers, if you are undertaking server maintenance and want to keep your current rule configuration in place, or if you want to make a backup of your rules.

To export your rules to a .rul file, follow Procedure 6:

Procedure 6: Exporting Rules
1. In the Rules pane, select the Rules you want to export. You can select any number of rules or groups, or the entire rule set.
   Note: If you choose to export a rule group, all the rules within that group will be exported.
2. From the File menu, select Export Rules. The Save As dialog box will display.
3. Navigate to the location where you want to save your exported files, and give the .rul file a name.
4. Click Save. If Filter has successfully exported your chosen rules, you will see a confirmation message. Your chosen rules have now been saved into a .rul file in the location you specified.
IMPORTING RULES

You can import a .rul file containing Filter Rules. This means you can:

Import a rule set that you have previously exported.
Import the same rule set onto each server running Filter in your organization.
Restore the default rule set that is included in the Filter install.

Note: If a rule you are importing already exists in the Rule pane, Filter will add an additional copy. Importing a rule does not overwrite any of your current rules.

To import a .rul file into Filter, follow Procedure 7.

Procedure 7: Importing Rules
1. From the File menu select Import Rules. The Open dialog box will display.
2. Select the .rul file you want to import.
3. Click Open. The Import Rules dialog will display, showing a list of rules that the .rul file contains.
4. Choose which rules you want to import. If you select a rule group, all the rules in that group will be imported.
5. Specify where you want the selected rules to be placed in the Rules pane:
   Insert after the selected rule: the imported rules will be placed after whichever rule is currently highlighted in the Rules pane.
   Insert after the last rule: the imported rule will be placed at the end of the list of rules.
6. Now click Import. You will see your imported rules displayed in the Rules Pane.
CONFIGURING THE RULES ADMINISTRATOR

There are four configuration settings you can apply to the Rules Administrator. These settings affect the way e-mails are checked against the Rules, and can affect the speed with which e-mails proceed through the rules checking process.

Table 4 Rules Administrator Configuration
Dictionary Scanning: Specifies which files are scanned against the dictionaries for content that could trigger a rule. Specify how much of each file is scanned.
Password Protected Archives: Sets up decompression of encrypted and password protected files.
Document Decomposition: Set up the extraction of data from compound document files, so that Filter can check them against the rules. See Document Decomposition on page 442.
HTML Parser: Set up the parsing of HTML e-mails to combat HTML spam.
CONFIGURING DICTIONARY SCANNING

Many rules check the contents of an e-mail and its attachments against the SurfControl Dictionaries. However, some file types are more suitable for dictionary scanning than others. To save processing time, you can choose not to scan certain file attachment types, e.g. image or audio files, or to only scan a specified amount of each message.

To configure Dictionary Scanning, follow Procedure 8.

Procedure 8: Configuring Dictionary Scanning
1. Launch the Rules Administrator.
2. From the Tools menu, select Options. The System Options dialog will display.
3. Select the Dictionary Scanner tab.
4. Specify how much of each e-mail you want to be scanned against the dictionaries. The default is 10KB, the maximum is 10,000KB. The more of each file you choose to scan, the longer it takes to check each e-mail against the rules.
5. Now select which file types you want to exempt from dictionary scanning. You can select groups of file types, for example audio files, or specific file types, e.g. MP3s.
6. If the file type you want to exempt from dictionary scanning is not on the list, you can add it. Click Add extension, and enter the file extension in the box that displays. The file extension must not include its . character. For example, to add the extension for a text file you would add txt, not .txt.
7. To remove an extension you have added, select the extension and click Remove extension.
   Note: You cannot delete the preset file extensions.
8. When you are happy with your changes, click OK.
CONFIGURING PASSWORD PROTECTED ARCHIVES

You can prevent unauthorized users from sending password protected archive files, e.g. a zip file with a password, by entering recipient / password pairs on the Password Protected Archives tab. You can specify which users are allowed to send password protected archive files, and the password that they will use to create these files. SurfControl Filter will use the password to decompress the file and scan the contents.

If a user that has not specified a password attempts to send an e-mail with a password-protected archive file, or uses a different password, the message will trigger the preconfigured rule, if enabled.

To add a recipient / password pair, follow Procedure 9.

Procedure 9: Adding a recipient / password pair for decompression
1. Launch the Rules Administrator.
2. From the Tools menu, select Options. The System Options dialog will display.
3. Select the Password Protected Archives tab.
4. Click Add. The Enter Recipient / Password Pair dialog will display.
5. In the Recipient box, enter the name of the recipient you want to add. To find a recipient, click Browse.
Browsing for Recipients
6. The Select Users dialog will display. You can choose to retrieve the following users:
   Monitored External users
   Monitored Internal users
   Imported users / groups database
   Windows address book
   Outlook address book
   Select which user you want to retrieve from the Select users from drop down menu.
7. The users will display in the user list. To add a user, highlight it and click Add.
Retrieving recipients using LDAP
8. You can also retrieve a list of recipients using an LDAP connection. If you have already configured a connection to the LDAP server, the connection will be listed in the Select users from drop down menu. To configure a connection to the LDAP server, click LDAP and follow Procedure 4, Configuring an LDAP Connection, on page
9. The recipients retrieved will display in the user list. To add a user, highlight it and click Add.
10. When you have selected the user, click OK. The user name or e-mail address will then display in the Recipient box.
CONFIGURING DOCUMENT DECOMPOSITION

Filter can extract data from supported files, and apply the current filtering rules to that data. You can decompose documents and then:

Scan extracted text with the Dictionary Scanner object.
Examine extracted pictures with the Virtual Image Agent object.
Detect executables that are embedded in a file.
Scan extracted files with the Anti-Virus Agent.

By default, decomposition of all documents is enabled. Filter can decompose nested and combined containers (e.g. a Word document inside a Zip container that is inside an Excel workbook) with up to 25 levels of depth.

Procedure 10: Enabling Document Decomposition
1. Launch Rules Administrator.
2. From the Tools menu, select Options. The System Options dialog will display.
3. Select the Document Decomposition tab.
4. Select Enable document decomposition.
5. Click OK.
Choosing which files are decomposed

You can specify which document types and data you want to be decomposed.

Table 5 Advanced document decomposition options
Microsoft Word Documents: Text and Pictures included in Word document files (*.doc, .dot).
Microsoft Excel Workbooks: Text and Pictures included in Excel workbook files (*.xls, .xlt).
Microsoft PowerPoint Presentations: Text and Pictures included in PowerPoint presentations (*.pps, *.ppt).
OLE Embedded Files: Embedded files (OLE Objects) from any of the Microsoft Office document types listed above.
Web Archives: Files in MIME format.
Microsoft Mail Data: Files in TNEF format.
Rich Text Documents: .rtf files.
Adobe PDF Documents: PDF documents created using Adobe Acrobat.

For a full list of the Microsoft Office programs and versions that Document Decomposition supports, see Supported File Types on page 438.
Now follow Procedure 11.

Procedure 11: Choosing which file types are decomposed
1 Launch Rules Administrator.
2 From the Tools menu, select Options. The System Options dialog will display.
3 Select the Document Decomposition tab.
4 Click Advanced. The Advanced Properties dialog will display.
5 Select the document types you want document decomposition to extract data from.
6 Click OK.
CONFIGURING HTML PARSING

A common spamming technique is to use HTML tags to break up the flow of text to defeat anti-spam filters. The HTML Parser extracts the user-visible text from the HTML document so that it can be scanned by the Dictionary Scanner. User-visible text is text which is visible to the user, as opposed to white-on-white text, text in hidden HTML tags or text outside the valid parts of an HTML document.

There are two types of HTML parsing that you can enable:
   HTML extraction from message body: this will extract the user-visible text from the message body so that it can be scanned.
   Text extraction from HTML attachments: this will extract text from HTML attachments so that it can be scanned.

Note: As well as extracting visible text, the HTML parser will also extract any URLs from the body of the message into a text file called SC_URL.txt. You can examine this file in Message Administrator.

For example, here is the body of an HTML spam message:

Figure 12 HTML spam

Here is a section of source code from the same message:

<B>Re<!KQ>tail or online, big or small, we provide businesses o<!nj>f all <!KQ>t<!HOM>ypes an oppor<!kq>tuni <!KQ> t<!hom>y <!KQ> to have <!KQ> theirown no hassle Credi<!KQ>t Card Merchan<!KQ>t Accoun<!KQ>t.

The spammer has inserted HTML tags into the middle of words to avoid detection. When the HTML Parser is enabled, the HTML tags are removed so that the remaining text can be scanned by the Dictionary Scanner.
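The effect described above can be reproduced outside the product. The following is an added example, not SurfControl code: it uses Python's standard html.parser on the source fragment quoted above, and the wrapper HTML, the link, the phrase list and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Source fragment quoted in the guide above.
SPAM_SOURCE = (
    "<B>Re<!KQ>tail or online, big or small, we provide businesses o<!nj>f all "
    "<!KQ>t<!HOM>ypes an oppor<!kq>tuni <!KQ> t<!hom>y <!KQ> to have <!KQ> "
    "theirown no hassle Credi<!KQ>t Card Merchan<!KQ>t Accoun<!KQ>t."
)
# Constructed wrapper: adds a non-visible <style> part and one link.
SAMPLE_HTML = (
    "<html><head><style>p{color:#fff}</style></head><body>"
    + SPAM_SOURCE
    + ' <a href="http://offer.example/apply">Apply</a></body></html>'
)
# Constructed phrase list standing in for a dictionary.
DICTIONARY = ["credit card", "merchant account"]


class VisibleText(HTMLParser):
    """Collects text a reader would see, plus any URLs found in attributes."""

    SKIP = {"script", "style", "title"}  # element content that is never displayed

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.urls = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        # Bogus declarations such as <!KQ> are reported as comments, not data,
        # so the word fragments on either side arrive here back to back.
        if not self._skip_depth:
            self.parts.append(data)


def extract(html):
    """Return (visible_text, urls) for an HTML message body."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    text = re.sub(r"\s+", " ", "".join(parser.parts)).strip()
    return text, parser.urls


def dictionary_hits(text, phrases=DICTIONARY):
    """Phrases from the list that occur in the text, case-insensitively."""
    lowered = text.lower()
    return [phrase for phrase in phrases if phrase in lowered]


if __name__ == "__main__":
    text, urls = extract(SAMPLE_HTML)
    print("hits on raw source  :", dictionary_hits(SAMPLE_HTML))
    print("hits on visible text:", dictionary_hits(text))
    print("urls                :", urls)
```

This sketch does not detect white-on-white text or other styling tricks; it only shows why scanning the raw source misses phrases that the rendered message clearly contains.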
To enable HTML parsing, follow Procedure 12.

Procedure 12: Enabling HTML Parsing
1 Launch the Rules Administrator.
2 From the Tools menu select Options. The System Options dialog will display.
3 Select the HTML Parser tab.
4 Select which types of HTML parsing you want to use with e-mails. By default, both are enabled.
5 Click OK.

Now turn to Chapter 6 for a full description of each rule object.
Chapter 6 Rules Objects

In This Chapter
Adding A Rule Object to a Rule
Who Objects
What Objects
Operations Objects
Notify Objects
Actions Objects
IN THIS CHAPTER

This chapter gives a detailed description of each rule object, and an explanation of how to include it in a rule.
ADDING A RULE OBJECT TO A RULE

The process of adding any rule object to a rule is the same:

Procedure 1: Adding a Rule Object to a Rule
1 Launch the Rules Administrator.
2 Select the rule object you want to include in your rule.
3 Drag the rule object into the Rules palette and drop it into position.
4 The properties sheet for the object will display. This is where you enter the criteria that Filter will use to check e-mails. You can find out how to configure each rules object later in this chapter.
5 When you have configured the object, click OK.
6 You will see your criteria displayed in the rules palette. You can move the object into different positions to change the logic of the rule.
REVERSE LOGIC

The logic of rule objects can be reversed by applying a reverse logic condition. This means that if the criteria in the rule object are not met, the rule will trigger. For example, this rule isolates any e-mail sent from mycompany.com:

Figure 1 Rule without reverse logic

If you applied reverse logic to the From Users and Groups Object, the rule would change to this:

Figure 2 Rule with reverse logic

If reverse logic is available for a rule object, you will see a checkbox on its property sheet. Each rule object is explained fully in this chapter, including an explanation of how reverse logic can be applied to it.

The sections that follow describe each of the rules objects and how to configure them.
WHO OBJECTS

A Who object checks the sender and the recipients of each e-mail against the criteria you specify. If you don't include a Who object in a rule, it will apply to every e-mail sent to and from your protected domain.

There are three Who objects:
   From Users and Groups
   Inbound / Outbound mail
   To Users and Groups
FROM USERS AND GROUPS

The From Users and Groups object checks the contents of an e-mail's From: field against the criteria you specify. Filter can check whether or not the e-mail comes from a specified address, group or domain.

CONFIGURING THE FROM USERS AND GROUPS OBJECT

Follow Procedure 2 to specify which sending users and groups the rule will look for:

Procedure 2: Specifying a Sending User or Group
1 Drag the From Users and Groups object into position on the Rules palette.
2 The From Users and Groups property sheet will display.
3 Click Add. The Add Senders dialog will display.
4 Enter the e-mail addresses or domains you want to detect, separated by a semicolon.
5 Click OK. You will see the senders displayed in the Message Senders box. Individual addresses are marked with the user symbol. Domains are marked with the globe symbol.
6 Click OK. The users and groups you added will display on the Rules palette within the From Users and Groups object.
Retrieving User information from a data source

As well as entering user details manually, you can also retrieve a list of users and groups from your system that you can use in a rule. The advantages of this are:
   You can add many users, domains or groups at one time.
   You don't have to remember user details.
   You don't have to risk misspelling user details by typing them in.

There are six ways to automatically retrieve user information.

Table 1 User lists
Data Source: Details
   Monitored external users: Every time an e-mail from outside the protected domain triggers a rule, Filter collects the details in the logging database. You can retrieve a list of these addresses to use in Who rules.
   Monitored internal users: Every time an e-mail from inside the protected domain triggers a rule, Filter collects the details in the logging database. You can retrieve a list of these addresses to use in Who rules.
   Imported Users / Groups database: If you created a users / groups database using the Scout Exchange Import utility, you can retrieve the user details from there.
   Windows address book: Retrieve user details from the Windows address book.
   Outlook address book: Retrieve user details from the Outlook address book.
   LDAP: Retrieve user details from the LDAP server. To retrieve user details using LDAP, you must first configure a connection to the LDAP server, see page 141.
To retrieve a list of users, follow Procedure 3.

Procedure 3: Retrieving User information from a data source
1 Drag the From Users and Groups object into position on the Rules palette.
2 The From Users and Groups property sheet will display.
3 Click Browse. The Select Users dialog will display.
4 Select the data source from which you want to retrieve user details:
   Monitored external users
   Monitored internal users
   Imported Users / Groups database
   Windows address book
   Outlook address book
   LDAP connection
  Note: To retrieve user details from the LDAP server, you first need to configure a connection to the LDAP server. See Configuring an LDAP Connection on page 141.
5 Filter will retrieve the user details from the data source you specify and display them on the left hand pane of the dialog box.
6 Select the users and groups you want to include in your Who rule and click Add. The users / groups that you add will move to the right hand pane of the dialog box. To remove a user or group, select it and click Remove.
7 When you have chosen the users / groups to include in your Who rule, click OK.
CONFIGURING AN LDAP CONNECTION

If you want to use LDAP to retrieve user details, you need to set up a connection to the LDAP server. Follow Procedure 4:

Procedure 4: Configuring an LDAP Connection
1 Drag the From Users and Groups object into position on the Rules palette.
2 The From Users and Groups property sheet will display.
3 Click Browse. The Select Users dialog will display.
4 Click LDAP. The LDAP Connections dialog will display.
5 Click Add. The Add LDAP Connection dialog will display.
6 Select the General tab.
7 Give this LDAP connection a name. This is the name that will display in the Select Users From dialog when you browse for users and groups to include in a Who object.
8 In the Server name field enter the name of the LDAP server from which you want to retrieve user information.
9 To make it compulsory that Filter uses a username and password to log on to the LDAP server, select Log on to this server and enter the username and password you want Filter to use. If you want Filter to connect to the LDAP server anonymously, clear the Log on to this server checkbox.
10 If you want Filter to connect to the LDAP server using secure authentication, select Log on using Secure Authentication.
Advanced Settings
11 Select the Advanced tab.
12 Enter the LDAP port number of the LDAP server. By default this is 389. If you want to connect to the LDAP server using a secure connection (Secure Sockets Layer), select Use a secure connection (SSL). If you enable SSL, the default port number will change to
13 Now specify a search base for the LDAP query. The search base is the starting point for the query. LDAP users and groups information is not stored on the SurfControl Filter server; it is requested from the LDAP server whenever necessary, so specifying a search base makes the connection more efficient at locating specific users or groups. To automatically enter the default search base, click Get Default.
14 Click Specify Group Object. The LDAP Server Options will display.
15 By default, Filter will use the default group object, GroupofNames, but you can specify a Group object by entering it in the box.
16 When you have made your changes, click OK. If you have successfully configured the LDAP connection, you will see it listed in the Select users from: drop down list. It is displayed as the connection name you specified, prefixed by LDAP.
17 When you select the LDAP connection, you will see the users and groups retrieved from the LDAP server displayed in the left hand pane of the dialog box. You can then include these users and groups in any Who rule.
18 If the users and groups do not display successfully, you can test the LDAP connection. See Testing the LDAP Connection on page 145.
TESTING THE LDAP CONNECTION

You can test that Filter is able to make a successful connection to the LDAP Server. The testing process comprises three separate tests, carried out in this order:
1 Test Basic LDAP connection
2 Test LDAP Authentication
3 Test Search for Groups and Users

Filter will carry out each test in order, until either the connection has passed all the tests, or until it fails one.

Test Basic LDAP connection

The Basic LDAP Connection test will fail if SurfControl Filter can't make a TCP/IP connection with the server. If the test fails, you will see a dialog box with the details:

Make sure you have specified the server name or IP address and LDAP Port number correctly. Remember that the server may not be using the default port number of 389. If the server and port number are correct, other possible causes of a connection failure are:
   The server is not running.
   The server is running but its LDAP service is not.
   SurfControl Filter cannot access the server, possibly because of firewall or DNS factors.
Test LDAP Authentication

The LDAP Authentication test will fail if the LDAP server cannot authenticate your user details (user name, password and domain names). If the test fails, you will see a dialog box with the details:

Make sure that the user name, password and domain name you supplied are correct. If the I must log on to this server checkbox is selected, SurfControl Filter will use simple authentication (the password passed in clear text). If you also check the Log on using Secure Authentication checkbox, the program will use secure authentication. So, if you experience an invalid credentials error and are using simple authentication, try switching to secure authentication, and vice versa.

Test Search for Groups and Users

The Search for Groups and Users test will fail if:
   You have not specified a search base.
   You have specified a search base incorrectly.
If the test fails, you will see a dialog box with the details:

If you have not specified a search base, go to the Advanced tab on the Add LDAP Connection dialog. Click Get Default to get the default search base.

Note: If you connect to the server via an anonymous connection, the test may be successful without finding any Groups. This is because the client has not been authenticated by the server and so does not have permission to retrieve Groups.

If you have entered a search base and the test still fails, check the search base for errors and check with the LDAP server Administrator that you have specified a valid search base for this server.

When all three tests have been successful, a dialog box will display confirming that all the tests have been passed:
Reverse logic

Check the Reverse logic checkbox to reverse the logic of the From Users and Groups object:

Table 2 Reverse logic From Users and Groups
Reverse Logic: Result
   Disabled: The rule will trigger if the message IS from the user or group specified in the rule.
   Enabled: The rule will trigger if the message IS NOT from the user or group specified in the rule.
INBOUND / OUTBOUND MAIL OBJECT

Warning: If you enable a rule that contains the Inbound / Outbound Mail object, you must have anti-spoofing enabled somewhere in your system, either in the receive service (see Anti-Spoofing on page 32) or with an upstream MTA. Without anti-spoofing there is a risk that spoofed inbound mail will be treated as internal.

The Inbound / Outbound Mail Object specifies whether a rule applies to e-mail coming into, going out of or coming from within the protected domain. This avoids unnecessary message processing; for example, you can apply anti-spam filtering only to e-mails coming into your organization.

The Inbound / Outbound object checks the domain of the message sender and the domain of the message recipient against the criteria you specify. There are four criteria you can set:

Table 3 Inbound / Outbound options
Option: What it does
   Inbound: The rule will apply only to e-mails sent from outside a protected domain to a recipient inside a protected domain.
   Outbound: The rule will apply only to e-mails sent from inside a protected domain to a recipient outside a protected domain.
   Internal: The rule will apply only to e-mails sent from inside a protected domain to a recipient inside a protected domain.
   External Relay: The rule will apply only to e-mails sent from outside a protected domain to a recipient outside a protected domain.
CONFIGURING THE INBOUND / OUTBOUND MAIL OBJECT

Follow Procedure 5 to include the Inbound / Outbound Mail Object in a rule:

Procedure 5: Adding the Inbound / Outbound Mail object to a rule
1 Drag the Inbound / Outbound Mail Object into position on the Rules palette.
2 The Inbound / Outbound Mail Object property sheet will display.
3 Select which messages you want the rule to apply to. You can choose any or all of the following:
   Inbound
   Outbound
   Internal
   External Relay
4 Now choose which protected domains you want to include in the rule. By default the rule will check against all protected domains. To specify which of your protected domains you want to include, click Selected and then select one or more of the protected domains on the list.
5 If you want to reverse the logic of the Inbound / Outbound Mail object, select Reverse logic. See Table 4 on page 151 for an explanation of how this will affect the logic of the rule.
6 Click OK.
Reverse Logic: Inbound / Outbound Mail Object

Table 4 explains how reverse logic affects the Inbound / Outbound Mail object, using the example protected domain mycompany.com.

Table 4 Reverse Logic Inbound / Outbound Mail Object

Inbound
   Reverse Logic Disabled: If the e-mail is sent from outside mycompany.com to a recipient inside mycompany.com, the rule will trigger.
   Reverse Logic Enabled: The rule will trigger if the e-mail is sent from:
      Inside mycompany.com to any recipient
      Outside mycompany.com to a recipient outside mycompany.com

Outbound
   Reverse Logic Disabled: If the e-mail is sent from inside mycompany.com to a recipient outside mycompany.com, the rule will trigger.
   Reverse Logic Enabled: The rule will trigger if the e-mail is sent from:
      Outside mycompany.com to any recipient
      Inside mycompany.com to a recipient inside mycompany.com

Internal
   Reverse Logic Disabled: If the e-mail is sent from inside mycompany.com to a recipient inside mycompany.com, the rule will trigger.
   Reverse Logic Enabled: The rule will trigger if the e-mail is sent from:
      Outside mycompany.com to any recipient
      Inside mycompany.com to a recipient outside mycompany.com

External Relay
   Reverse Logic Disabled: If the e-mail is sent from outside mycompany.com to a recipient outside mycompany.com, the rule will trigger.
   Reverse Logic Enabled: The rule will trigger if the e-mail is sent from:
      Outside mycompany.com to a recipient inside mycompany.com
      Inside mycompany.com to a recipient outside mycompany.com
      Inside mycompany.com to a recipient inside mycompany.com
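The direction logic of Tables 3 and 4, and the reason the warning above asks for anti-spoofing, can be worked through in a few lines. This is an added example, not SurfControl code: the function names, sample addresses and the trusted network range are assumptions, and the spoof check shown is a generic source-address test, not the product's Anti-Spoofing feature.

```python
import ipaddress
from enum import Enum

PROTECTED = {"mycompany.com"}   # example protected domain used in the guide
TRUSTED_NETS = ["10.0.0.0/8"]   # assumption: networks internal mail is sent from


class Direction(Enum):
    INBOUND = "Inbound"
    OUTBOUND = "Outbound"
    INTERNAL = "Internal"
    EXTERNAL_RELAY = "External Relay"


def domain_of(address):
    """Lower-cased domain part of an address such as 'User@MyCompany.com'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(sender, recipient, protected=PROTECTED):
    """Table 3: direction decided only by the sender and recipient domains."""
    from_inside = domain_of(sender) in protected
    to_inside = domain_of(recipient) in protected
    if from_inside:
        return Direction.INTERNAL if to_inside else Direction.OUTBOUND
    return Direction.INBOUND if to_inside else Direction.EXTERNAL_RELAY


def rule_triggers(sender, recipient, selected, reverse=False, protected=PROTECTED):
    """Table 4: reverse logic inverts the match against the selected options."""
    matched = classify(sender, recipient, protected) in selected
    return matched != reverse


# Constructed sender/recipient pairs, one per direction.
SAMPLES = {
    Direction.INBOUND: ("sales@partner.example", "amy@mycompany.com"),
    Direction.OUTBOUND: ("amy@mycompany.com", "sales@partner.example"),
    Direction.INTERNAL: ("amy@mycompany.com", "bob@mycompany.com"),
    Direction.EXTERNAL_RELAY: ("sales@partner.example", "info@other.example"),
}


def triggering_directions(selected, reverse):
    """Which of the four sample messages make the rule trigger."""
    return {d for d, (s, r) in SAMPLES.items()
            if rule_triggers(s, r, selected, reverse)}


def spoof_suspect(sender, client_ip, protected=PROTECTED, trusted=TRUSTED_NETS):
    """True when the sender claims a protected domain but the connecting
    host is outside the trusted networks (generic check, an assumption)."""
    if domain_of(sender) not in protected:
        return False
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(net) for net in trusted)


if __name__ == "__main__":
    # A forged From: in the protected domain is classified Internal,
    # so a rule scoped to Inbound mail never sees it.
    forged = ("ceo@mycompany.com", "amy@mycompany.com")
    print(classify(*forged).value, spoof_suspect(forged[0], "203.0.113.7"))
```

Because classify() trusts the claimed sender domain, a forged internal sender skips every Inbound-only rule unless a check such as spoof_suspect() runs first, in the receive service or on an upstream MTA.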
TO USERS AND GROUPS

The To Users and Groups object checks the contents of an e-mail's To: field against the criteria you specify. Filter can check whether or not the e-mail is addressed to a specified address, group or domain.

CONFIGURING THE TO USERS AND GROUPS OBJECT

Follow Procedure 6 to specify which recipient users or groups the rule will look for.

Procedure 6: Specifying a Recipient User or Group
1 Drag the To Users and Groups object into position on the Rules palette.
2 The To Users and Groups property sheet will display.
3 Click Add. The Add Recipients dialog will display.
4 Enter the e-mail addresses or domains you want to detect, separated by a semicolon.
5 Click OK. You will see the recipients displayed in the Message Recipients box. Individual addresses are marked with the user symbol. Domains are marked with the globe symbol.
6 Click OK. The users and groups you added will display on the Rules palette within the To Users and Groups object.

Retrieving recipient information from a data source

As well as entering user details manually, you can also retrieve a list of recipient users and groups from your system that you can use in a rule. The advantages of this are:
   You can add many users, domains or groups at one time.
   You don't have to remember user details.
   You don't have to risk misspelling user details by typing them in.

The process for retrieving user information automatically is the same as for the From Users and Groups object; see Retrieving User information from a data source on page 138.
Reverse logic

Check the Reverse logic checkbox to reverse the logic of the To Users and Groups object:

Table 5 Reverse logic From Users and Groups
Reverse Logic: Result
   Disabled: The rule will trigger if the message IS addressed to the specified user or group.
   Enabled: The rule will trigger if the e-mail is NOT addressed to the specified user or group.
WHAT OBJECTS

What objects check e-mails to identify them against characteristics you specify. There are 15 What objects:

Table 6 What Objects
What object: Description (Find out more)
   Anti-Spam Agent (page 157, page 158, page 158, page 158), with the following tools:
      Digital Fingerprinting Tool: Checks e-mails against the known spam and junk mail in SurfControl's Anti-Spam database. SurfControl's Global Content Team is constantly updating the Anti-Spam database with the electronic signatures of known spam circulating on the Internet.
      Heuristics: The ASA analyzes the e-mail and assesses its characteristics in relation to known spam.
      LexiRules: The ASA uses LexiRules to check the e-mail for word combinations and patterns commonly seen in spam.
      Neural Networks: The Anti-Spam Agent uses artificial intelligence to assess the likelihood of the e-mail being spam.
   Anti-Virus Agent: Performs a virus scan on e-mails using McAfee mcscan32.dll. (page 163)
   Anti-Virus Scanning Object: Integrates with your own anti-virus software to detect viruses in e-mails and attachments. (page 171)
   Dictionary Threshold: Scans the e-mail for words in one or more of the SurfControl dictionaries, or from a dictionary you have created. (page 181)
   External Program Plugin Object: Integrates SurfControl Filter with an external executable or batch file. (page 184)
   File Attachment: Identifies the file type of an attachment. (page 188)
   Illegal MIME Format: Detects whether the e-mail or its attachments contain non-standard or malformed MIME content. (page 193)
   LexiMatch: Inspects the e-mail for specified word combinations from the Filter dictionaries. (page 195)
   Loop Detection: Detects looping of messages between mail servers, for example loops due to Auto-forwarding rules on servers and auto-replies to delivery failure messages. (page 200)
   Message Size: Sets the maximum size for a message or individual attachments. (page 209)
   Number of Recipients: Checks whether an e-mail is being sent to more recipients than you have allowed in a rule. (page 211)
   URL Category List: Detects when an e-mail contains a URL, and checks that URL against the SurfControl URL Database. (page 213)
   Virtual Image Agent: Checks whether an image contains explicit adult graphics. (page 215)
   Virtual Learning Agent: Scans messages for patterns of words and phrases. (page 217)
   When: Controls the day and time that a rule is enabled.
ANTI-SPAM AGENT OBJECT

The Anti-Spam Agent (ASA) Object is a powerful tool that:
   Checks e-mail against a database of known spam.
   Analyzes e-mail content to detect spam characteristics.

The ASA object is an add-on component that requires an activation key. However, if you are running an evaluation copy of SurfControl Filter you can use the Anti-Spam Agent during your 30-day evaluation period without entering the activation key.

ANTI-SPAM AGENT TOOLS

The Anti-Spam Agent comprises four separate tools. You can enable or disable any combination of tools for use in a rule:

Table 7 Anti-Spam Agent tools
ASA Tool: What it does
   Digital Fingerprinting: The ASA compares the digital fingerprint of the e-mail against its database of known spam and junk mail.
   Heuristics: The ASA analyzes the e-mail and assesses its characteristics in relation to known spam.
   LexiRules: The ASA uses LexiRules to check the e-mail for word combinations and patterns commonly seen in spam.
   Neural Networks: The Anti-Spam Agent uses artificial intelligence to assess the likelihood of the e-mail being spam.
Digital Fingerprinting

The Digital Fingerprinting tool checks the digital fingerprint of an e-mail against SurfControl's Anti-Spam database. The Anti-Spam database classifies spam into one of 17 categories, so that you can decide which kinds of content you want to allow, and which you want to block. The categories are as follows:
   Adult
   Chain letters
   Computing and Internet
   Dating and personals
   Entertainment
   Finance and home business
   Gambling
   Games and interactive
   Health and medicine
   Humor
   Illegal material
   Novelty software
   Offensive
   Other
   Phishing and Fraud
   Products and services
   Special events

You can read a full description of each category in Appendix A.

Heuristics

The Heuristics tool analyzes the entire e-mail, performing a series of tests that determine how closely an e-mail resembles spam. You can specify how sensitive the Heuristics tool is in evaluating e-mails. The higher the sensitivity, the fewer spam-like traits an e-mail needs in order to trigger the rule. By default, the Heuristics tool will scan the entire e-mail. In high-volume environments, however, it is quicker to scan only the header.

LexiRules

The LexiRules tool performs the same tests as the Heuristics tool, but it will trigger the rule if the e-mail has any spam-like traits.

Neural Networks

The Neural Networks tool is a pre-trained artificial intelligence tool which examines the contents of the e-mail and compares it with known spam.
CONFIGURING THE ANTI-SPAM AGENT OBJECT

Follow Procedure 7 to include the Anti-Spam Agent Object in a rule:

Procedure 7: Configuring the Anti-Spam Agent Object
1 Drag the Anti-Spam Agent Object into position on the rules palette.
2 The Anti-Spam Agent property sheet will display.

Enabling the Digital Fingerprinting tool
3 Select the Digital Fingerprinting tab.
4 Select Enable Digital Fingerprinting.
5 Select the categories of spam you want to detect.
Enabling the Heuristics tool
6 Select the Heuristics tab.
7 Select Enable Heuristics.
8 Use the slider to set a sensitivity level. See Heuristics on page 158 for more information.
9 Choose whether you want to scan the whole e-mail or just the header.

Enabling the LexiRules tool
10 Select the LexiRules tab.
11 Select Enable LexiRules.
Enabling the Neural Networks tool
12 Select the Neural Networks tab.
13 Select Enable Neural Networks.
14 When you have enabled the tools you want, click OK.

Reverse Logic

If you reverse the logic of the Anti-Spam Agent object, you reverse the logic of all its enabled tools:

Table 8 Reverse Logic Anti-Spam Agent Object
Reverse Logic: Result
   Disabled: The rule will trigger if ANY of the enabled ASA tools detect spam content in the e-mail.
   Enabled: The rule will trigger if NONE of the enabled ASA tools detect spam content in the e-mail.
Anti-Spam Agent Best Practice

The Anti-Spam Agent attacks spam in two ways:
   The Digital Fingerprinting tool detects e-mail that is known to be spam because it has been seen and categorized by SurfControl in the ASA database.
   The Heuristics, LexiRules and Neural Network tools detect e-mail that has the characteristics of spam.

The Digital Fingerprinting tool is extremely accurate at detecting known spam and will return virtually no false positives. The Heuristics, LexiRules and Neural Network tools are highly effective in detecting new, unclassified spam, but because they assess the likelihood that an e-mail is spam, there is a chance that legitimate e-mail will trigger the rule. For example, a marketing newsletter could share some characteristics with a spam e-mail (such as its use of HTML) and therefore trigger the rule.

Because of this difference, there are two default rules that use the ASA object:
1 The first ASA rule enables only digital fingerprinting. If an e-mail has the digital signature of known spam, it is isolated in the Anti-Spam Agent DFP folder.
2 The second ASA rule enables the Heuristics, LexiRules and Neural Network tools. If any of these tools detect a likely spam e-mail, it is isolated in the Anti-Spam Agent folder.

Separating these functions into two rules means that:
   Known spam is detected and isolated: you can be confident that e-mail isolated by the Digital Fingerprint tool into the Anti-Spam Agent DFP folder is spam, and manage it accordingly.
   E-mails isolated by the Heuristics, LexiRules and Neural Network tools are kept in a separate folder, so that you can monitor which e-mails are isolated and assess whether you need to change the sensitivity of the Heuristics tool.

UPDATING THE ANTI-SPAM AGENT OBJECT

SurfControl's content team constantly updates the Anti-Spam Agent object. SurfControl recommend you schedule regular updates to the ASA using the scheduler. See Scheduling Anti-Spam Agent Updates on page
ANTI-VIRUS AGENT

The Anti-Virus Agent helps protect your system by deleting viruses and cleaning infected files when they occur. It uses the industry-leading McAfee Olympus Anti-Virus engine to detect files that could damage your system. To use the Anti-Virus Agent you need an activation key. If you are running an evaluation copy of SurfControl Filter, you can use the Anti-Virus Agent without an activation key for the 30-day evaluation period.

CONFIGURING THE ANTI-VIRUS AGENT OBJECT

When you include the AVA object in a rule, you need to specify:
   What kind of virus threats the AVA will scan for.
   What action the AVA will take if it finds a virus.
   Which files are exempt from AVA scanning.
   The message users will see if a virus has been removed or cleaned from their e-mail.

Scan Options

You can specify what kind of virus threats the AVA will detect. Choose any or all of the following:

Table 9 AVA Scan Options
Scanning Method: What it does
   Treat Errors as Infected: If the anti-virus software reports an error (for example scan failed), the Anti-Virus Agent will treat the file as if it was infected with a virus.
   Treat Encrypted Files as Infected: If the file uses encryption that the anti-virus software cannot decrypt, the Anti-Virus Agent will treat the files as if it was infected with a virus. Any encrypted files (including password protected archive or document files) will be treated as virus-infected.
   Treat Macros as Infected: If a macro is found in a scanned file, the file will be treated as if it was infected with a virus.
   Heuristic Analysis: Heuristic Analysis means anti-virus software can recognize a virus without ever having seen that virus before. If the anti-virus software detects virus-like traits in a file, the Anti-Virus Agent will treat that file as if it was infected with a virus.
   Macro Analysis: All macros found will be dissected and scanned for the presence of viruses. If the analysis of a macro within any scanned file reveals it to be infected, it is reported to the Anti-Virus Agent.
   Scan All Files for Macros: By default, the Anti-Virus Agent submits only files from the Document Files group to the anti-virus scanner for analysis. With this option selected, all files are scanned for macros, regardless of their file type, and if a macro is found, it is reported to the Anti-Virus Agent.
177 6 RULES OBJECTS Table 9 AVA Scan Options Scanning Method Malicious Applications Joke/Hoax Viruses What it does Malicious applications include any software that has effects unintended by or prejudicial to the user; usually where these effects are hidden. If the anti-virus software detects a malicious application, it will report it to the Anti-Virus Agent. Joke or Hoax viruses do not destroy or interfere with the working of the computer system. They do, however, act as a nuisance to the user and can place an overload on your server. With this option selected, the anti-virus software will scan files for the presence of joke/hoax viruses and if detected then a positive virus return code gets reported back to the Agent. AVA Actions You can specify what action the AVA will take if it finds a virus. Choose one of the following: Table 10 AVA Actions Take No Action Delete the virus Attempt to Clean the infected file The AVA will take no action, but the rule will trigger. The AVA will attempt to delete the virus. If it cannot delete it, the rule will trigger. The AVA will attempt to clean the virus. If it cannot clean it, the rule will trigger. Excluded Files You can add filenames to the excluded file list. The AVA will not scan these files. 164 Administrator s Guide SurfControl Filter for SMTP 5.0
Notification Footer

If the AVA deletes or cleans a virus from an e-mail, you can add a footer to tell the recipient that this has happened. As well as free text, you can insert the following variable codes into the footer:

Table 11: Virus Notification Footer Variables

| Variable | What it means |
|---|---|
| $A | the name of the infected file |
| $B | the message subject |
| $D | the date that the message was processed |
| $F | the message filename |
| $N | the name of the triggered rule |
| $R | the message recipient's name |
| $S | the message sender's name |
| $T | the time of message processing |
| $V | the name of the virus detected by McAfee DLL anti-virus |
| $Z | the message size |

So, for example, you could type the text:

Virus $V was detected in $A, by SurfControl Anti-Virus Agent. The infected file contents have been removed.

This would add the following text to the infected e-mail:

Virus (The name of the virus) was detected in (The name of the file) by SurfControl Anti-Virus Agent. The infected file contents have been removed.
Follow procedure 8 to include the Anti-Virus Agent in a rule:

Procedure 8: Configuring the Anti-Virus Agent Object

1. Drag the Anti-Virus Agent object into position on the rules palette.
2. The Anti-Virus Agent property sheet will display.

Specify Scan Options

3. Click Scan Options. The Scan Options dialog will display.
4. Select which virus threats you want the AVA to scan for. See Table 9 on page 163 for an explanation of the options.
5. Click OK. The Scan Options dialog will close.

Specify AVA Actions

6. Select what action you want the AVA to take if it finds a virus:
   - No action
   - Delete virus
   - Clean virus

Specify which files will not be scanned

7. Select Exclude File List.
8. The Exclude File List dialog will display.
9. Click Add. The Add Filename dialog will display.
10. Enter the filename of the file you want to exclude from scanning.
11. Click OK. You will see the file you entered listed on the Exclude File List dialog. The AVA will not scan any of the files listed here for viruses.

Adding a notification footer

12. Select either Delete virus or Clean virus from the Action menu.
13. The Message for Place-holder file will become available.
14. Enter the text you want to add when the AVA has successfully cleaned or deleted the virus from an infected e-mail. You can use the variables listed in Table 11.
15. When you have made all your changes click OK.
Reverse Logic

If you reverse the logic of the Anti-Virus Agent object, it will behave as follows:

Table 12: Reverse Logic Anti-Virus Agent

| AVA Action | Reverse Logic | Result |
|---|---|---|
| No action | Disabled | If the AVA detects a virus, the rule will trigger. |
| No action | Enabled | If the AVA does NOT detect a virus, the rule will trigger. |
| Delete virus | Disabled | If the AVA detects a virus and cannot delete it, the rule will trigger. |
| Delete virus | Enabled | If the AVA detects a virus and deletes it, the rule will trigger. |
| Clean virus | Disabled | If the AVA detects a virus and cannot clean it, the rule will trigger. |
| Clean virus | Enabled | If the AVA detects a virus and cleans it, the rule will trigger. |
THE PRE-CONFIGURED ANTI-VIRUS AGENT RULE

SurfControl Filter is installed with a pre-configured Anti-Virus Agent rule, enabled by default, which isolates virus-infected e-mails that the AVA cannot clean. The logic of the rule is as follows:

Figure 3: The preconfigured Anti-Virus Agent rule

- Scan 1. The first scan checks for the presence of a virus. If the AVA finds a virus, the rule progresses to scan 2.
- Scan 2. The second scan has virus cleaning enabled. If the AVA cannot clean the virus, the e-mail is isolated in the Virus folder. If the AVA can clean the e-mail, it cleans it, adds a notification footer to all users, sends a notification to the message sender and continues checking the e-mail against the remaining rules.

UPDATING THE ANTI-VIRUS AGENT

You can automatically download updates to the Anti-Virus Agent using the SurfControl Filter Scheduler. To keep your system safe against new viruses, you should download updates weekly. If you are an evaluating user, you can download updates for the duration of the 30-day evaluation period. For more on liveupdates, see Scheduling Anti-Virus Agent Updates.
ANTI-VIRUS SCANNING OBJECT

The Anti-Virus Scanning object uses your third-party virus software to detect viruses in mail messages and attachments. If you have more than one type of anti-virus scanner, SurfControl Filter can use all of them to give a comprehensive scan of suspect files.

SurfControl Filter breaks up a message into its component parts and passes them to the virus scanners for analysis. The virus scanners report the results of the scan, using the standardized set of codes listed in Appendix C on page 445, and Filter then deals with the message as specified in your rule set.

The Anti-Virus Scanning Object works independently of the Anti-Virus Agent object.

You do not need an e-mail-specific version of your anti-virus software, but you must disable any automatic file-level or directory-level scanning that your anti-virus software performs, at least on the SurfControl Filter subdirectories.

CONFIGURING THE ANTI-VIRUS SCANNING OBJECT

You can scan e-mail with three different kinds of anti-virus scanner:

- DLL-based
- Command line based
- ICAP based

For sites with high volumes of message traffic, SurfControl recommends using DLL-based scanners rather than command line scanners. DLL scanners are usually faster because they are memory-resident.

Filter is integrated with the AV scanners listed in Table 13. Alternatively, you can configure the Anti-Virus Scanning Object to use any other command line based AV product.

Table 13: Fully integrated AV Scanners

| Type | Available Scanners | See |
|---|---|---|
| DLL-based | Norman Defense Systems; Sophos SAVI; Trend InterScan VirusWall; IKARUS Software | page 172 |
| Command Line | McAfee / Network Associates NetShield Executable (scan.exe) | page 174 |
| ICAP | Symantec Anti-Virus Scanning Engine (SASE) | page 177 |
Scanning with a DLL-based scanner

Procedure 9: Scanning with a DLL-based scanner

1. Drag the Anti-Virus Scanning object into position on the Rules palette.
2. The Anti-Virus Scanning object property sheet will display.
3. Click Add.
4. The Select Virus Scanner dialog will display.
5. DLL-based scanners are marked DLL. Select the one you want to use.
6. Click OK.
7. You will see your chosen scanner displayed on the Anti-Virus Scanning object property sheet.
8. Now select the Virus code you want to trigger the rule. If your chosen anti-virus scanner returns a value equal to or higher than this code, the Anti-Virus Scanning object will trigger the rule. For example, if you set the Scan Evaluation Code to 001, and the virus scanning software reports with code 010, this means that either:
   - A virus has been found
   - There was an error scanning the file.
9. Click OK.
Scanning with a Command Line based Scanner

Procedure 10: Scanning with a Command Line based Scanner

1. Drag the Anti-Virus Scanning object into position on the Rules palette.
2. The Anti-Virus Scanning object property sheet will display.
3. Click Add.
4. The Select Virus Scanner dialog will display.
5. Select the command line scanner you want to use. If your Anti-Virus product is not on the list, select Other.
6. Click OK. The Anti-Virus Product Configuration dialog will display.
7. In the AntiVirus Executable box, enter the location of your chosen Anti-Virus product's .exe file, or click Browse to navigate there. If you selected a fully integrated Anti-Virus product from the list on page 171, the default location will display automatically.
8. The Default Parameters box contains instructions to your Anti-Virus scanner. If you chose a product from the list on page 171, these will display automatically. If you are using an anti-virus scanner that is not on the list, you need to enter codes in the Default Parameters field to tell the scanner what to do. These codes will be listed in the documentation that came with your virus scanning software.
9. Enter a value in the Timeout Period field. This value indicates how long SurfControl Filter will wait for the scanner to complete its scan. If the virus software does not respond within this time, Filter moves on to the next processing step in the rule.
10. Click OK. You will see your chosen AV product displayed on the Anti-Virus Scanning object property sheet.
11. Now select the Virus code you want to trigger the rule. If your chosen anti-virus scanner returns a value equal to or higher than this code, the Anti-Virus Scanning object will trigger the rule. For example, if you set the Scan Evaluation Code to 001, and the virus scanning software reports with code 010, this means that either:
    - A virus has been found
    - There was an error scanning the file.
12. Click OK.
Scanning with Symantec SASE

Procedure 11: Scanning with Symantec SASE

1. Drag the Anti-Virus Scanning object into position on the Rules palette.
2. The Anti-Virus Scanning object property sheet will display.
3. Click Add.
4. The Select Virus Scanner dialog will display.
5. Select Symantec Anti-Virus Scan Engine (SASE).
6. Click OK.
7. The Anti-Virus Product Configuration dialog will display.
8. Select Add. The SASE Server Configuration dialog will display.
9. In the SASE Server IP box, enter the IP address of the SASE Server. If SASE is installed on the same machine as Filter enter here.
10. Click Test. If the connection is successful, you will see a message showing the virus definition date. If Filter cannot connect to the SASE server, you will see an error message; check that the IP address is correct.
11. In the SASE Server Port Number box, enter the port that Filter will use to communicate with the SASE server.
12. In the Fail Retry Time box, enter the length of time in seconds Filter will wait before retrying the connection if it is unsuccessful the first time.
13. In the Scan Timeout box, enter the amount of time Filter will wait for SASE to complete its scan. If SASE doesn't complete the scan in this time, Filter will proceed to the next processing step.
14. Click OK. You will see the Symantec SASE scanner listed on the Anti-Virus Product Configuration dialog.
15. Click OK.
16. You will see the Symantec SASE scanner listed on the Anti-Virus Scanning object property sheet.
17. Now select the Virus code you want to trigger the rule. If your chosen anti-virus scanner returns a value equal to or higher than this code, the Anti-Virus Scanning object will trigger the rule. For example, if you set the Scan Evaluation Code to 001, and the virus scanning software reports with code 010, this means that either:
    - A virus has been found
    - There was an error scanning the file.
18. Click OK.
Reverse Logic

You can reverse the logic of the Anti-Virus Scanning object so that the rule will trigger if the virus scanner returns a code less than the scan evaluation code you specify:

Table 14: Reverse Logic Anti-Virus Scanning object

| Reverse Logic | Result |
|---|---|
| Disabled | The rule will trigger if the anti-virus scanner returns a scan evaluation code greater than or equal to the scan evaluation code you specified on the property sheet. |
| Enabled | The rule will trigger if the anti-virus scanner returns a scan evaluation code less than the scan evaluation code you specified on the property sheet. |

MULTIPLE SCANS

You can allow multiple virus scans of the same file to take place when:

- You have enabled more than one rule that uses the Anti-Virus Scanning object.
- You have configured the Anti-Virus Scanning object to use more than one anti-virus product.

By default, once an e-mail has been scanned, the results of the scan will be carried over and applied when there is a further instance of the Anti-Virus Scanning Object. To re-scan the e-mail each time, select the Force Scan checkbox on the Anti-Virus Scanning object property sheet.

AVOIDING CONFLICTS WITH THIRD-PARTY AV PRODUCTS

Occasionally, there can be a conflict when third-party anti-virus software is installed on the SurfControl server, and the Filter Rules service and the anti-virus service try to access the In folder simultaneously. This can occur whether or not the Anti-Virus Agent or SurfControl Anti-Virus Scanning objects are part of a rule. To prevent this conflict:

- Exclude the SurfControl root directory from real-time scanning.
- Do not use your anti-virus software to scan inbound files. You can continue the real-time scanning of outbound messages.
DICTIONARY THRESHOLD OBJECT

The Dictionary Threshold Object uses a library of dictionaries to detect content that your organization may want to avoid. These dictionaries contain words associated with different aspects of unwanted content, for example adult material, hate speech and gambling.

Filter is pre-configured with the following dictionaries:

- Adult
- Alcohol / Tobacco / Drugs
- Arts / Entertainment
- Computing / Internet / hacking
- Confidential
- Finance
- Gambling
- Hate speech / Offensive
- Job search
- Medical / Healthcare
- Shopping
- Spam
- Spam Misspellings
- Sports
- Travel
- Violence / Weapons

You can edit these dictionaries by adding or deleting words, or by changing the scores. You can also create new dictionaries (see Dictionary Management on page 281).
CONFIGURING THE DICTIONARY THRESHOLD OBJECT

To configure the Dictionary Threshold Object you need to specify:

- What kind of content you want the rule to detect.
- Which parts of the message you want to scan for dictionary content.
- The dictionary score required to trigger the rule.

How the Dictionary Threshold Object works

The Dictionary Threshold object works by assigning each word a numeric value. The Dictionary Threshold object checks to see how many words from the selected dictionaries appear within a message and adds up the total. If this value is greater than the value specified in the Dictionary Threshold object, the rule will trigger.

For example, a Dictionary threshold value of 150 from the Gambling dictionary is set for a rule. An e-mail using the words baccarat, blackjack, poker and slot machine arrives at the SurfControl server. The dictionary value of each of these words is 50, so the total exceeds the Dictionary threshold value and the rule triggers.

To include the Dictionary Threshold Object in a rule, follow procedure 12.

Procedure 12: Configuring the Dictionary Threshold Object

1. Drag the Dictionary Threshold Object into position on the Rules palette.
2. The Dictionary Threshold Object property sheet will display.
3. Select the categories of content you want to detect, or select All Categories.
4. Select which parts of the message you want to scan for dictionary content. Choose from:
   - Entire Message
   - Header
   - Body
   - Attachments
5. Select the threshold that will trigger the rule. The default is 100. Note: If you have selected more than one dictionary to scan against, the threshold is cumulative across all of the selected dictionaries.
6. Click OK.

Reverse Logic

Table 15 shows how the Dictionary Threshold behaves when you reverse the logic, where N is the threshold score.

Table 15: Reverse Logic Dictionary Threshold Object

| Reverse Logic | Result |
|---|---|
| Disabled | If the selected part of the e-mail has a score of N or higher, the rule will trigger. |
| Enabled | If the selected part of the e-mail has a score of N or lower, the rule will trigger. |
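The scoring described above, sketched in Python as an added example (not SurfControl's code). The dictionaries and scores are constructed, each occurrence of a word is assumed to count, and the trigger follows Table 15; the second sample shows a message that only crosses the threshold because scores are cumulative across the selected dictionaries.

```python
import re

# Constructed sample dictionaries (word or phrase -> score); these are not
# SurfControl's shipped word lists.
DICTIONARIES = {
    "Gambling": {"baccarat": 50, "blackjack": 50, "poker": 50, "slot machine": 50},
    "Finance": {"stocks": 40, "shares": 40},
}

# Constructed sample messages.
CASINO = "Join us for baccarat, blackjack, poker and slot machine nights"
MEMO = "Poker night is Friday. Also: a note about company shares and stocks."


def score_text(text, selected):
    """Sum the scores of every dictionary entry found in text.

    Returns (total, hits), where hits maps "Dictionary/entry" to the score it
    contributed. Assumptions: matching is case-insensitive on whole words or
    phrases, and every occurrence counts.
    """
    total, hits = 0, {}
    for name in selected:
        for entry, value in DICTIONARIES[name].items():
            # Allow any whitespace between the words of a phrase.
            pattern = r"\b" + r"\s+".join(map(re.escape, entry.split())) + r"\b"
            count = len(re.findall(pattern, text, flags=re.IGNORECASE))
            if count:
                hits[f"{name}/{entry}"] = count * value
                total += count * value
    return total, hits


def rule_triggers(text, selected, threshold=100, reverse_logic=False):
    """Table 15: a score of N or higher triggers; reversed, N or lower."""
    total, _ = score_text(text, selected)
    return total <= threshold if reverse_logic else total >= threshold


if __name__ == "__main__":
    for label, text in (("casino", CASINO), ("memo", MEMO)):
        for selected in (["Gambling"], ["Gambling", "Finance"]):
            total, hits = score_text(text, selected)
            print(label, selected, total, rule_triggers(text, selected), hits)
```
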
EXTERNAL PROGRAM PLUGIN OBJECT

The External Program Plugin object integrates SurfControl Filter with an external executable or batch file. You can use an external program to run a third party command line executable that does not require user input, either to check messages for a condition or to perform an action when a message meets a condition. The command must return a standard return code if an external command is to check for a condition.

CONFIGURING THE EXTERNAL PROGRAM PLUGIN OBJECT

Command line parameters

You can enter parameters for the executable or batch file. A list of these parameters should be available in the documentation supplied with the program.

Message part operators

You can also automatically add text from the message to form part of the external program trigger by inserting operators in the Command Line Parameters field. Different operators refer to different parts of the message. Table 16 shows the message part operators:

Table 16: Message Part Operators

| Operator | What it means |
|---|---|
| $F | The message filename |
| $S | The message sender's name |
| $R | The message recipient's name |
| $D | The date that the message was processed |
| $T | The time that the message was processed |
| $B | The message subject |
| $Z | The message size |
| $N | The name of the triggered rule |
| $W | Current working directory |
| $V | The name of the virus detected by the Anti-Virus Agent |
Return Values

The return value is the value returned by the external program. You can specify what value will trigger the rule. You can also specify the following logical conditions for the return value. Table 17 shows the options, using the return value N.

Table 17: Return Values and logical conditions

| Logical condition | Result |
|---|---|
| Always | If the value returned is N, the rule will trigger. |
| Never | If the value returned is not N, the rule will trigger. |
| Less than | If the value returned is less than N, the rule will trigger. |
| Less than or equal to | If the value returned is less than or equal to N, the rule will trigger. |
| Greater than | If the value returned is greater than N, the rule will trigger. |
| Greater than or equal to | If the value returned is greater than or equal to N, the rule will trigger. |

To include the External Program Plugin object in a rule, follow Procedure 13:

Procedure 13: Configuring the External Program Plugin Object

1. Drag the External Program Plugin object into position on the rules palette.
2. The External Program Plugin property sheet will display.
3. Click Browse and navigate to the file location of the external program you want to use.
4. In the Command Line Parameters box, enter the command line parameters (see the external program's documentation) and / or the message part operators (see page 184).
5. Select an option from the Will Return TRUE drop-down menu.
6. Enter the Return value that will trigger the rule if it meets the logical condition specified in step 5.
7. Enter the Timeout Period. This is the time that Filter will allow for the external program to complete its function. If the external program takes longer than the period specified, Filter will move on to the next processing step.
8. Click OK.
Reverse Logic

Table 18: Reverse Logic External Program Plugin Object

| Logical condition | Reverse Logic | Result |
|---|---|---|
| Always | Disabled | If the value returned is N, the rule will trigger. |
| Always | Enabled | If the value returned is not N, the rule will trigger. |
| Never | Disabled | If the value returned is not N, the rule will trigger. |
| Never | Enabled | If the value returned is N, the rule will trigger. |
| Less than | Disabled | If the value returned is less than N, the rule will trigger. |
| Less than | Enabled | If the value returned is greater than or equal to N, the rule will trigger. |
| Less than or equal to | Disabled | If the value returned is less than or equal to N, the rule will trigger. |
| Less than or equal to | Enabled | If the value returned is greater than N, the rule will trigger. |
| Greater than | Disabled | If the value returned is greater than N, the rule will trigger. |
| Greater than | Enabled | If the value is less than or equal to N, the rule will trigger. |
| Greater than or equal to | Disabled | If the value returned is greater than or equal to N, the rule will trigger. |
| Greater than or equal to | Enabled | If the value returned is less than N, the rule will trigger. |
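The return-value logic of Tables 17 and 18 and the operator expansion of Table 16, as an added Python example (not SurfControl's implementation). Because operators such as $B and $S carry text chosen by the message's sender, the sketch expands them in a single pass and passes each value as one argument without a shell; the stand-in external program, the sample message values and the function names are assumptions.

```python
import operator
import re
import subprocess
import sys

# Table 17 conditions, keyed by the names the guide uses.
CONDITIONS = {
    "Always": operator.eq,
    "Never": operator.ne,
    "Less than": operator.lt,
    "Less than or equal to": operator.le,
    "Greater than": operator.gt,
    "Greater than or equal to": operator.ge,
}


def evaluate(return_value, condition, n, reverse_logic=False):
    """Tables 17 and 18: reverse logic negates the selected condition."""
    result = CONDITIONS[condition](return_value, n)
    return (not result) if reverse_logic else result


def build_argv(executable, parameters, message):
    """Expand $X operators token by token, in a single pass.

    Each substituted value stays one argument even if it contains spaces or
    shell metacharacters, and text inside a value is never expanded again.
    Unknown operators are left as typed.
    """
    def expand(token):
        return re.sub(r"\$([A-Z])",
                      lambda m: str(message.get(m.group(1), m.group(0))), token)
    return [executable] + [expand(token) for token in parameters.split()]


def run_plugin(executable, parameters, message, condition, n,
               timeout=30, reverse_logic=False):
    """Return True or False for the rule, or None when the timeout expires
    (the guide says Filter then moves on to the next processing step)."""
    try:
        done = subprocess.run(build_argv(executable, parameters, message),
                              timeout=timeout, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return None
    return evaluate(done.returncode, condition, n, reverse_logic)


# Constructed message fields, keyed by the operator letters of Table 16.
SAMPLE = {"F": "msg0001.eml", "S": "alice@example.com",
          "B": "Q3 results & forecast; draft $F", "Z": 20480}

# Stand-in external program: the Python interpreter, exiting with the number
# of parameters it received (the -c script contains no spaces on purpose).
COUNT_ARGS = "-c __import__('sys').exit(len(__import__('sys').argv)-1)"

if __name__ == "__main__":
    print(build_argv(sys.executable, COUNT_ARGS + " $S $B", SAMPLE))
    print(run_plugin(sys.executable, COUNT_ARGS + " $S $B", SAMPLE, "Always", 2))
```
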
FILE ATTACHMENT OBJECT

Warning: If you configure the File Attachment Object to trigger the rule when it detects document files, the rule will also trigger if it detects web archive files (.mht).

The File Attachment object triggers a rule when it detects a specified file type as an attachment to a message. SurfControl Filter examines the contents of a file and detects its native format, so even if a .bmp file was renamed as a .doc file, SurfControl Filter would still recognize it as a bitmap file.

If you configure a File Attachment object to scan for archive files, SurfControl Filter attempts to decompress these archives into their component files. If successful, it will break up the archive into its component files and act on these files, discarding the archive wrapper. If it fails to decompress the archive, for example in the case of a protected archive where the password is not supplied, Filter will apply an If Message contains any archive files rule condition to the file.

You can also add your own file extensions to the list by clicking the Add extension button, then filling in the details in the dialog that follows. For unsupported file types, the filter will only analyze the attachment according to its extension.

You can view a complete list of file attachments supported by SurfControl Filter in Appendix B.
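Content-based type detection with an extension fallback, as described above, in an added Python example (not SurfControl's detection engine). The signature list is a small set of well-known magic numbers, and the sample message, attachment bytes and function names are constructed for illustration.

```python
from email.message import EmailMessage

# Leading-byte signatures for a few formats. Short ones such as "BM" are weak
# on their own; a production detector checks more of the file structure.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls container
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"BM", "bmp"),
    (b"MZ", "exe"),
]

# Formats each extension is expected to contain.
EXPECTED = {"bmp": {"bmp"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
            "gif": {"gif"}, "pdf": {"pdf"}, "zip": {"zip"}, "doc": {"ole2"},
            "docx": {"zip"}, "exe": {"exe"}}


def classify(filename, data):
    """Identify an attachment by content, falling back to its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            # Content is recognized: the file name is only used to flag a
            # disagreement between the claimed and the detected type.
            return {"name": filename, "type": kind, "by": "content",
                    "mismatch": kind not in EXPECTED.get(ext, ())}
    # Unsupported format: only the extension is available, so a renamed file
    # of this kind cannot be recognized.
    return {"name": filename, "type": ext or "unknown", "by": "extension",
            "mismatch": False}


def scan_message(msg):
    """Classify every attachment of an EmailMessage."""
    return [classify(part.get_filename() or "", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def rule_triggers(msg, selected_types):
    """True if any attachment is of one of the selected types."""
    return any(item["type"] in selected_types for item in scan_message(msg))


def sample_message():
    """Constructed message: a bitmap renamed to .doc and an unsupported type."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    bitmap = b"BM" + (70).to_bytes(4, "little") + bytes(64)
    msg.add_attachment(bitmap, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment(b"\x01\x02custom", maintype="application",
                       subtype="octet-stream", filename="data.xyz")
    return msg


if __name__ == "__main__":
    for item in scan_message(sample_message()):
        print(item)
```
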
CONFIGURING THE FILE ATTACHMENT OBJECT

Supported File Types

See Supported File Types on page 438 for a full list of the file attachments Filter can process.

Advanced Settings

If you specify that the File Attachment object detects archive files, you can choose how Filter will act if it detects files of this kind:

Table 19: Advanced Settings Archive Files

| Setting | What it does |
|---|---|
| Trigger Archive file types only on archive files that cannot be decompressed. | If Filter detects an archive file and cannot decompress it, it will trigger the rule. If Filter detects an archive file that it can decompress, it will scan the component files and apply the enabled rule set to them. |
| Trigger Archive file types on any archive file. | If Filter detects any archive file, it will trigger the rule. |

You can also specify that the rule triggers only if all the files attached to an e-mail are of the same type.

Including the File Attachment Object in a rule

Follow procedure 14:

Procedure 14: Configuring the File Attachment Object

1. Drag the File Attachment object into position on the Rules palette.
2. The File Attachment property sheet will display.
3. Select the file types you want to trigger the rule. You can select a group of file attachments, such as image files, or an individual file type, such as .jpg. You can also add file extensions to the list (see Adding a File Extension to the List).
4. If you want the rule to trigger if there is an attachment of any type, select Any Attachment.
5. Click OK.

Adding a File Extension to the List

If the file extension you want to detect is not shown, you can add it to the list. Filter will check the file extensions of any attachments against those on the list, but where you have added unsupported file types, it will not be able to detect files of that type if they have been renamed with a different extension.

Procedure 15: Adding a file extension to the list

1. Drag the File Attachment object into position on the Rules palette.
2. The File Attachment property sheet will display.
3. Click Add.
4. The Add File Extension dialog will display.
5. Enter the file extension you want to add to the list. Note: Do not include the . character in the file extension.
6. Click OK. The Add File Extension dialog will close, and you will see your file extension displayed on the list under the File Extensions category. By default the file attachment is not selected. Check the box to select it for inclusion in the rule.
7. When you are happy with your changes click OK on the File Attachment property sheet.
Reverse Logic

You can reverse the logic of the File Attachment object. This means that the rule will trigger if Filter does not find attachments of the type you specify:

Table 20: Reverse Logic File Attachments

| Trigger only if attachments are all of selected type | Reverse Logic | Result |
|---|---|---|
| Disabled | Disabled | If the File Attachment object finds files of the type specified, the rule will trigger. |
| Disabled | Enabled | If the File Attachment object does not find any files of the type specified, the rule will trigger. |
| Enabled | Disabled | If the File Attachment object finds files of the type specified, and all the attachments are of the same file type, the rule will trigger. |
| Enabled | Enabled | If the File Attachment object does not find any attachments, the rule will trigger. If the File Attachment object finds more than one attachment and the attachments are not of the same file type, the rule will trigger. |
ILLEGAL MIME FORMAT

MIME stands for Multipurpose Internet Mail Extensions, an Internet standard that specifies the format of messages so that they can be exchanged between different e-mail systems. MIME is a flexible format, so that many types of file or document can be included in an e-mail message. MIME messages can contain text, images, audio, video, or other application-specific data.

A message and its attachments must be de-mimed by a mail client so that a user can read it. Most mail clients are built to be tolerant of loose interpretations of MIME to allow the sending of messages containing flawed MIME coding. This flexibility makes it easier for communication to flow between different systems, but it also poses security risks, because virus writers can create malicious hand-coded MIME sequences.

The Illegal MIME Format object detects messages and attachments that do not pass SurfControl Filter's rigorous DeMIME-ing process.

CONFIGURING THE ILLEGAL MIME FORMAT OBJECT

Messages can fail the object for the following reasons:

- A mail client produces a non-standard message.
- An attachment is invalid.
- The message contains malicious code.

SurfControl recommends that you implement the Illegal MIME Format object in a rule at the top of the rules list, placing any messages that trigger the DeMIME Failure object into a dedicated Isolate folder for analysis. Be aware that some of these messages may contain viruses.

There are two kinds of scans Filter can perform:

- Detect non-standard message: Filter will scan the message body.
- Detect invalid attachment: Filter will scan any files attached to the message.

When you include the Illegal MIME Format object in a rule you can specify that Filter performs either or both of these scans.

To include the Illegal MIME Format object in a rule, follow procedure 14.
Procedure 16: Configuring the Illegal MIME Format Object

1. Drag the Illegal MIME Format Object into position on the Rules Palette.
2. The Illegal MIME Format Object property sheet will display.
3. Select which parts of the message you want to scan for illegal MIME. You can choose either or both of the following:
   - Scan the message.
   - Scan message attachments.
4. Click OK.
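A strict-parsing check in the spirit of the two scans above, as an added Python example. It uses the defect list of Python's standard `email` parser as a stand-in for Filter's DeMIME process, which this guide does not specify; the mapping of structural defects to "non-standard message" and decoding defects to "invalid attachment" is an assumption, and the sample messages are constructed.

```python
from email import policy
from email.parser import BytesParser


def mime_defects(raw, scan_message=True, scan_attachments=True):
    """Return (scan, defect class name) pairs for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if scan_message:
            # Structural problems recorded while the parser split the message.
            findings += [("non-standard message", type(d).__name__)
                         for d in part.defects]
        if scan_attachments and part.get_filename() and not part.is_multipart():
            seen = len(part.defects)
            # Decoding the body registers transfer-encoding defects on the part.
            part.get_payload(decode=True)
            findings += [("invalid attachment", type(d).__name__)
                         for d in part.defects[seen:]]
    return findings


def _raw(*lines):
    """Join lines with CRLF, as they would appear on the wire."""
    return "\r\n".join(lines).encode("ascii")


_HEADERS = ("From: a@example.com", "To: b@example.com",
            "Subject: constructed sample", "MIME-Version: 1.0")


def _with_attachment(b64_body):
    return _raw(*_HEADERS,
                'Content-Type: multipart/mixed; boundary="b1"', "",
                "--b1", "Content-Type: text/plain", "", "hello",
                "--b1", "Content-Type: application/octet-stream",
                'Content-Disposition: attachment; filename="a.bin"',
                "Content-Transfer-Encoding: base64", "", b64_body,
                "--b1--", "")


# Constructed samples.
GOOD = _with_attachment("SGVsbG8gd29ybGQ=")
BAD_ATTACHMENT = _with_attachment("SGVsbG8gd29ybGQ")  # base64 padding missing
NO_BOUNDARY = _raw(*_HEADERS, "Content-Type: multipart/mixed", "",
                   "--b1", "Content-Type: text/plain", "", "hello",
                   "--b1--", "")  # claims multipart, declares no boundary

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD_ATTACHMENT", BAD_ATTACHMENT),
                      ("NO_BOUNDARY", NO_BOUNDARY)):
        print(name, mime_defects(raw))
```
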
LEXIMATCH OBJECT

The LexiMatch Object uses advanced Boolean searches to check for specific words or combinations of words. This means that you can trigger a rule when words are used in one context, for example breast enlargement, but allow the same word to be used in a different context, for example breast cancer.

CONFIGURING THE LEXIMATCH OBJECT

To configure the LexiMatch Object you need to:

- Select which parts of the e-mail you want to scan for LexiMatch content.
- Choose words from the dictionaries and specify the relationship between them to create word patterns.

Connecting Words Together

There are three operators that you can use to join words from the dictionary together. Table 21 describes the operators using the example words Red and Blue.

Table 21: Word Operators

| Operator | Example word pattern | What it does |
|---|---|---|
| AND | Red AND Blue | If the scanned part of the e-mail contains the word Red and the word Blue, the rule will trigger. The words can occur any distance apart and in any order. |
| OR | Red OR Blue | If the scanned part of the e-mail contains either the word Red or the word Blue, the rule will trigger. |
| NEAR | Red NEAR Blue | If the scanned part of the e-mail contains both Red and Blue within the number of characters specified in the NEAR distance, the rule will trigger. If the two words are further apart than the specified NEAR distance, the rule will not trigger. |
Near Distance

When you create a word pattern using the NEAR operator, Filter evaluates whether:
1. The e-mail contains the words in the word pattern.
2. The words are less than the specified number of characters (the NEAR distance) apart.

The NEAR distance applies only to this rule. You can set different NEAR distances for each rule you create that uses the LexiMatch object.

Joining Word Patterns Together

As well as joining single words together, you can join word patterns together to form more sophisticated combinations by using JOIN commands. Table 22 describes the JOIN commands, using the examples Phrase A and Phrase B.

Table 22 JOIN commands

JOIN command | Example | What it does
AND | Phrase A AND Phrase B | If the scanned part of the e-mail contains Phrase A AND Phrase B, the rule will trigger.
AND NOT | Phrase A AND NOT Phrase B | If the scanned part of the e-mail contains Phrase A but NOT Phrase B, the rule will trigger.
OR | Phrase A OR Phrase B | If the scanned part of the e-mail contains EITHER Phrase A OR Phrase B, the rule will trigger.
OR NOT | Phrase A OR NOT Phrase B | If the scanned part of the e-mail contains Phrase A, the rule will trigger. If the scanned part of the e-mail does NOT contain Phrase A but also does NOT contain Phrase B, the rule will trigger.
Including the LexiMatch Object in a Rule

Follow procedure 17.

Procedure 17: Configuring the LexiMatch Object

1. Drag the LexiMatch object into position on the Rules palette.
2. The LexiMatch object property sheet will display.
3. Select the part of the message you want to scan for LexiMatch content. You can choose from:
   - Entire Message
   - Header
   - Body
   - Attachments

Create a word pattern

4. Select the dictionary you want to use, e.g. Finance. Note: You can choose a different dictionary for each word in your word pattern.
5. Select the first word in your word pattern, e.g. Stocks.
6. Select the second word in your word pattern, e.g. Shares.
7. Select the Operator to define the relationship between the two words, e.g. Stocks AND Shares.
8. If your word pattern uses the NEAR operator, you can change the NEAR distance. This is the number of characters between the two words.

Joining word patterns together

9. Create your word patterns using steps
10. Join the two word patterns together using the JOIN command.
11. When you are happy with your word patterns, click OK.
Reverse Logic

Reversing the logic of the LexiMatch object causes the rule to trigger if the e-mail does not contain the specified words or phrases:

Table 23 Reverse Logic LexiMatch Object

Reverse Logic | Result
Disabled | If the e-mail contains the specified words or word patterns and meets the specified conditions (NEAR distance etc.), the rule will trigger.
Enabled | If the e-mail does not contain the specified words or word patterns, or the word patterns do not meet the specified conditions (NEAR distance etc.), the rule will trigger.

Reversing the logic of a LexiMatch object is useful if you combine the LexiMatch object with a Dictionary Threshold object. For example, you can create a rule that triggers if it detects words from the Adult dictionary, but which would not trigger if the same words were used in, for example, a medical context.

Figure 4 Using a Reverse Logic LexiMatch Object with a Dictionary Threshold
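The operators in Table 21, the JOIN commands in Table 22 and the reverse-logic switch in Table 23 can be expressed as a small evaluator. This is an added example, not SurfControl code. It assumes whole-word, case-insensitive matching, measures the NEAR distance as the characters between the end of one word and the start of the other, treats a gap equal to the NEAR distance as a match, and applies JOIN commands left to right; all class names, function names and sample texts are constructed.

```python
import re
from dataclasses import dataclass


def spans(word, text):
    """(start, end) of every whole-word, case-insensitive occurrence of word."""
    return [m.span() for m in re.finditer(rf"\b{re.escape(word)}\b", text, re.I)]


@dataclass
class WordPattern:
    left: str
    op: str            # "AND", "OR" or "NEAR"
    right: str
    near: int = 0      # NEAR distance in characters; used by NEAR only

    def matches(self, text):
        a, b = spans(self.left, text), spans(self.right, text)
        if self.op == "AND":
            return bool(a) and bool(b)
        if self.op == "OR":
            return bool(a) or bool(b)
        if self.op == "NEAR":
            # Any pair of occurrences close enough, in either order
            return any(max(sb - ea, sa - eb) <= self.near
                       for sa, ea in a for sb, eb in b)
        raise ValueError(f"unknown operator {self.op!r}")


JOINS = {
    "AND": lambda a, b: a and b,
    "AND NOT": lambda a, b: a and not b,
    "OR": lambda a, b: a or b,
    "OR NOT": lambda a, b: a or not b,
}


def leximatch(text, first, joined=(), reverse=False):
    """first: WordPattern; joined: sequence of (JOIN command, WordPattern)."""
    result = first.matches(text)
    for command, pattern in joined:
        result = JOINS[command](result, pattern.matches(text))
    return (not result) if reverse else result


# Word patterns for the guide's own example of one word in two contexts
ENLARGEMENT = WordPattern("breast", "NEAR", "enlargement", near=20)
CANCER = WordPattern("breast", "NEAR", "cancer", near=20)

# Constructed sample texts
SPAM = "Cheap breast enlargement pills, order today"
MEDICAL = "Clinic newsletter: breast cancer screening dates"
MIXED = "Study compares breast enlargement surgery and breast cancer risk"
NEUTRAL = "Quarterly results attached"
MARKET = "Stocks fell today while bond yields rose and shares in banks climbed"

if __name__ == "__main__":
    rule = [("AND NOT", CANCER)]
    for sample in (SPAM, MEDICAL, MIXED):
        print(leximatch(sample, ENLARGEMENT, rule), "-", sample)
```

The MIXED sample shows the cost of AND NOT: one medical phrase anywhere in the scanned part suppresses the trigger, which matters when choosing between AND NOT and a separate rule.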
LOOP DETECTION OBJECT

The Loop Detection Object detects looping messages between two or more e-mail servers. It can detect four different kinds of looping messages:
- Single message looping.
- Looping messages due to Auto-Forwarding rules on e-mail servers.
- Outgoing reply to Delivery-failure looping messages.
- Looping of Delivery-failure messages to and from the same user.

The Loop Detection object marks each message passing through it with a unique domain ID. If the mark is already there, the Loop Detection object recognizes that the message has been processed before and checks it for looping. The best way to deal with looping messages is to isolate them into a dedicated folder.
CONFIGURING THE LOOP DETECTION OBJECT

To include the Loop Detection Object in a rule you need to specify:
- How many occurrences of a message will trigger the rule.
- The condition that will identify the message as looping. Choose one of the following:
  - Greater than or equals: if the occurrences of one message reach the number specified in Message Occurrences, or higher, the loop detection object will trigger.
  - Equals: if the occurrences of one message reach exactly the number specified in Message Occurrences, the loop detection object will trigger.

The Loop Detection Object also checks the header of messages to detect delivery failure notices. Because looping is commonly caused by delivery failure notices, you can set the Loop Detection Object to trigger the rule when it encounters the message header of a delivery failure notice. By default, the loop detection object will trigger the rule if the header contains any of the following:

<> could not be sent delivery failure postmaster report-type=delivery status

You can edit this list; see Configuring Delivery Failure Loop Detection on page 203.
To include the Loop Detection object in a rule, follow Procedure 18.

Procedure 18: Configuring the Loop Detection object

1. Drag the Loop Detection object into position on the Rules palette.
2. The Loop Detection object property sheet will display.
3. Enter the number of occurrences of the same e-mail that will trigger the rule. By default, if Filter processes the same e-mail five times or more, it will trigger the rule.
4. Enter the condition that will trigger the rule:
   - Greater than or equals: If the number of times that the e-mail passes through Filter is greater than or equal to the number you specified in step 3, the rule will trigger.
   - Equals: If the number of times that the e-mail passes through Filter is exactly equal to the number you specified in step 3, the rule will trigger.
5. Click OK.
Configuring Delivery Failure Loop Detection

To set up the Loop Detection object to detect Delivery Failure notices, follow procedure 19.

Procedure 19: Configuring Delivery Failure Loop Detection

1. Drag the Loop Detection object into position on the Rules palette.
2. The Loop Detection object property sheet will display.
3. In the Delivery Failure Detection area, click Configure. The Delivery Failure Configuration dialog will display.
4. Click Add. The Add message header text dialog will display.
5. Enter the text you want to use to identify delivery failure messages, for example Failure Notice. The Loop Detection object will check the message header to see if it contains this text string.
6. When you have added your text string, click OK.
7. You will see the text string you have just added displayed in the Delivery Failure Configuration dialog.
Advanced Settings

The Loop Detection object has the following advanced settings:

Unique Identifier

The Loop Detection object uses a unique identifier to track messages as they pass through SurfControl Filter. The default number generated during installation displays in the box, but you can edit it. If you are running Filter on more than one server, you should edit the number so that all servers in your domain share the same Unique Identifier.

Procedure 20: Editing the Unique Identifier

1. Drag the Loop Detection object into position on the Rules palette.
2. The Loop Detection object property sheet will display.
3. Click Advanced. The Advanced dialog will display.
4. In the Unique Identifier box, enter the code you want to use as a unique identifier for e-mails. You can use up to 36 characters.
5. Click OK.

Forwarded Messages

Looping is sometimes caused by auto-forwarding messages as attachments. You can specify the number of levels of nesting that are allowed in forwarded messages before triggering the loop detection object. The default is 3. The maximum level of nesting you can allow is 25.

Procedure 21: Specifying Nesting Levels

1. Drag the Loop Detection object into position on the Rules palette.
2. The Loop Detection object property sheet will display.
3. Click Advanced. The Advanced dialog will display.
4. Enter the number of levels of nesting you want to allow in forwarded messages, up to 25. The default is 3.
5. Click OK.
Reverse Logic

Table 24 shows the behavior of reverse logic, where N is the number of occurrences of a message.

Table 24 Reverse Logic Loop Detection Object

Condition | Reverse Logic | Result
Greater than or Equals | Disabled | If the e-mail passes through E-mail Filter N times or more, the rule will trigger.
Greater than or Equals | Enabled | If the e-mail passes through E-mail Filter less than N times, the rule will trigger.
Equals | Disabled | If the e-mail passes through Filter exactly N times, the rule will trigger.
Equals | Enabled | If the e-mail does not pass through Filter exactly N times, the rule will trigger.
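The marking, occurrence counting, delivery-failure header check, nesting limit and reverse logic described for the Loop Detection object fit together as shown in this added example, which is not SurfControl code. The header name `X-Example-Loop-Mark` is hypothetical (the guide does not say how the mark is stored), the default strings are split from the guide's flattened list on an assumed boundary, and the sample messages are constructed.

```python
from dataclasses import dataclass
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MARK_HEADER = "X-Example-Loop-Mark"   # hypothetical header name
# Default strings from the guide; item boundaries inferred from its flattened list
FAILURE_STRINGS = ("<>", "could not be sent", "delivery failure",
                   "postmaster", "report-type=delivery status")


def nesting_depth(msg):
    """Number of message/rfc822 levels nested inside msg."""
    if not msg.is_multipart():
        return 0
    step = 1 if msg.get_content_type() == "message/rfc822" else 0
    return step + max((nesting_depth(p) for p in msg.get_payload()), default=0)


@dataclass
class LoopDetector:
    unique_id: str              # must be the same on every server in the domain
    occurrences: int = 5        # guide default
    condition: str = ">="       # ">=" (greater than or equals) or "==" (equals)
    max_nesting: int = 3        # guide default; the guide allows up to 25
    reverse: bool = False       # reverse logic, applied to the occurrence test

    def check(self, msg):
        """Mark msg as processed and return the reasons the object triggers."""
        msg[MARK_HEADER] = self.unique_id          # appends one mark per pass
        seen = msg.get_all(MARK_HEADER, []).count(self.unique_id)
        hit = (seen >= self.occurrences if self.condition == ">="
               else seen == self.occurrences)
        reasons = []
        if hit != self.reverse:
            reasons.append(f"occurrences={seen}")
        headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
        if any(s in headers for s in FAILURE_STRINGS):
            reasons.append("delivery-failure header")
        if nesting_depth(msg) > self.max_nesting:
            reasons.append("forward nesting")
        return reasons


def forward(inner):
    """Constructed helper: forward inner as a message/rfc822 attachment."""
    outer = MIMEMultipart()
    outer["Subject"] = "Fwd"
    outer.attach(MIMEText("see attached"))
    outer.attach(MIMEMessage(inner))
    return outer


# Constructed sample messages
PLAIN = "From: alice@example.com\nTo: bob@example.com\nSubject: hi\n\nhello\n"
BOUNCE = ("Return-Path: <>\nFrom: mailer-daemon@example.com\n"
          "Subject: Delivery failure\n\nUser unknown\n")

if __name__ == "__main__":
    detector = LoopDetector("site-1", occurrences=3)
    looping = message_from_string(PLAIN)
    for n in range(1, 5):
        print("pass", n, detector.check(looping))
```

Two detectors with different identifiers never see each other's marks, which is why the guide asks for one shared Unique Identifier across servers.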
MESSAGE SIZE OBJECT

The Message Size object enables you to restrict the size of e-mail messages or of files sent as attachments. You enter a value for the maximum message size allowed. Alternatively, you can choose to restrict the size of the largest single file attachment to a message.

CONFIGURING THE MESSAGE SIZE OBJECT

Follow Procedure 22 to include the Message Size object in a rule:

Procedure 22: Configuring the Message Size Object

1. Drag the Message Size object into position on the Rules palette.
2. The Message Size object property sheet will display.
3. Choose whether you want the Message Size object to check:
   - The total message size
   - The size of the largest attachment
4. In the Maximum size field, specify the largest file size you want to allow in KB.
5. Click OK.
Reverse Logic

Table 25 shows the behavior of the Message Size Object if you reverse the logic.

Table 25 Reverse Logic Message Size Object

Reverse Logic | Result
Disabled | If an e-mail is larger than the maximum size you specified, the rule will trigger.
Enabled | If an e-mail is smaller than the maximum size you specified, the rule will trigger.
NUMBER OF RECIPIENTS OBJECT

The Number of Recipients object limits the number of users that can receive any one message. This is particularly useful if you are trying to manage your corporate bandwidth.

CONFIGURING THE NUMBER OF RECIPIENTS OBJECT

Follow Procedure 23 to include the Number of Recipients Object in a rule.

Procedure 23: Configuring the Number of Recipients Object

1. Drag the Number of Recipients object into position on the Rules palette.
2. The Number of Recipients object property sheet will display.
3. In the Number of Recipients field, enter the maximum number of users that you want to receive any one message. If an e-mail has more than the specified number of recipients, the rule will trigger.
4. Click OK.
Reverse Logic

Table 26 shows the behavior of the Number of Recipients object if you reverse the logic:

Table 26 Reverse Logic Number of Recipients object

Reverse Logic | Result
Disabled | If an e-mail is sent to more than the maximum number of recipients you specified, the rule will trigger.
Enabled | If an e-mail is sent to less than the maximum number of recipients you specified, the rule will trigger.
URL CATEGORY LIST OBJECT

You can prevent the sending and receiving of inappropriate web links via e-mail by using the URL Category List object. This object detects when an e-mail contains a URL, and checks that URL against the SurfControl URL Database. The URL Database classifies billions of Websites into the following categories:
- Adult / Sexually Explicit
- Criminal Skills
- Drugs, Alcohol and Tobacco
- Gambling
- Hacking / Spyware
- Intolerance / Hate
- Violence / Tasteless
- Weapons

You can therefore prevent the sending and receiving of e-mails that contain links to Websites of this nature.

The URL Category List object is an optional component that needs a separate license. If you are an evaluating customer, you can use the URL Category List object for the duration of your 30-day evaluation period. To buy a license contact SurfControl Sales.

CONFIGURING THE URL CATEGORY LIST OBJECT

To configure the URL category list you need to specify which categories you want to detect. Follow procedure 24 to include the URL Category List object in a rule:

Procedure 24: Configuring the URL Category List object

1. Drag the URL Category List object into position on the Rules palette.
2. Select the categories of URL you want to detect in e-mails, or select All Categories.
3. Click OK.

Reverse Logic

Table 27 shows the behavior of the URL Category object if you reverse the logic:

Table 27 Reverse Logic URL Category Object

Reverse Logic | What it does
Disabled | If the e-mail contains a URL that matches one of the selected categories, the rule will trigger.
Enabled | If the e-mail contains a URL that doesn't match any of the selected categories, the rule will trigger.
VIRTUAL IMAGE AGENT OBJECT

The Virtual Image Agent (VIA) is a powerful image recognition tool that scans graphics files for explicit adult content. The VIA is an optional component that needs a separate license. If you are an evaluating customer, you can use the VIA object for the duration of your 30-day evaluation period. To buy a license contact SurfControl Sales.

The VIA uses intelligent scanning technology to analyze images. You decide the sensitivity of the image analysis. A High sensitivity setting will result in more explicit adult images being detected but also more false positives. Setting the slider to Low will result in fewer false positives, but will also result in fewer explicit adult images being detected.

CONFIGURING THE VIA OBJECT

Follow Procedure 25 to include the VIA object in a rule:

Procedure 25: Configuring the VIA Object

1. Drag the Virtual Image Agent object into position on the Rules palette.
2. The Virtual Image Agent object property sheet will display.
3. Drag the Slider to set the sensitivity of the Virtual Image Agent.
4. Click OK.
Reverse Logic

Table 28 shows the behavior of the VIA object if you reverse the logic:

Table 28 Reverse Logic VIA Object

Reverse Logic | Result
Disabled | If the e-mail contains any images that are caught by the VIA on your chosen setting, the rule will trigger.
Enabled | If the e-mail contains any images, and none of them are caught by the VIA on your chosen setting, the rule will trigger.
THE VIRTUAL LEARNING AGENT OBJECT

The Virtual Learning Agent (VLA) is a unique content development tool that you can train to understand and recognize business-confidential content. Deploying the VLA with SurfControl Filter provides the most comprehensive filtering tool to protect your corporate confidential documents and business-critical information from the security risks arising from confidential data leakage.

The VLA Object uses the adaptive reasoning technology of the VLA to identify words and phrases in documents you select as representative of your organization's confidential material. You can use the VLA Object to determine if an e-mail message contains confidential data.
CONFIGURING THE VLA OBJECT

Before you can use the VLA Object in a rule, you must train the VLA to recognize the business-confidential content you want to detect. To train the VLA, see Virtual Learning Agent on page 389. When you have trained the VLA, you can use the VLA Object to identify business-confidential content.

Follow procedure 26 to use the VLA Object in a rule:

Procedure 26: Configuring the VLA Object

1. Drag the VLA object into position on the Rules palette.
2. The VLA object property sheet will display.
3. Select the VLA category you want the VLA Object to detect.
4. Click OK.
Reverse Logic

Table 29 shows the behavior of the VLA object if you reverse the logic.

Table 29 Reverse Logic VLA Object

Reverse Logic | Result
Disabled | If the e-mail contains content that the VLA Object recognizes as belonging to a trained VLA category, the rule will trigger.
Enabled | If the e-mail doesn't contain any content that the VLA Object recognizes as belonging to a trained VLA category, the rule will trigger.
WHEN OBJECT

The When object controls the day and time that a rule is active. For example, you can combine a When object with a Message Size object so that large files are sent over your network outside of working hours, when demand for bandwidth is lower.

CONFIGURING THE WHEN OBJECT

To set the time when a rule is active you can specify:
- The time of day that the rule will start and finish.
- The days of the week that the rule is active.
- A calendar period when the rule is active.

Follow procedure 27 to include a When object in a rule:

Procedure 27: Configuring the When Object

1. Drag the When object into position on the Rules palette.
2. The When object property sheet will display.
3. In the Start and Finish boxes, enter the times you want the rule to start and finish. For example:
   Start 09:00:00
   Finish 17:00:00
   Note: The When object uses the 24-hour clock. This means that AM times are and PM times are
4. Enter either:
   - The days of the week you want the rule to be active, e.g. Monday - Friday
   - The Calendar day you want the rule to start and / or finish. For example:
     Trigger after 19 August
     Trigger before 25 August 2004
     This means the rule will be active between 19 and 25 August.
5. Click OK.

Reverse Logic

Table 30 shows the behavior of the When object when you reverse the logic.

Table 30 Reverse Logic When Object

Reverse Logic | Result
Enabled | If the time is between the start and finish times and dates you specify, the rule will trigger.
Disabled | If the time is outside the start and finish times / dates you specify, the rule will trigger.
OPERATIONS OBJECTS

Operations objects make changes to either a message or parts of a message (such as the message header). There are six Operations objects:

Table 31 Operations Objects

Operations Object | What it does | Find out more
Archive Message | Stores a copy of the e-mail in a specified location. | page 223
Compress Attachments | Compresses attachments into a single archive, reducing the e-mail's size. | page 225
Footers & Banners | Adds a footer or a banner to the message. | page 228
Header Modification | Edits, removes or appends header fields. | page 231
HTML Stripper | Removes active HTML content from the e-mail. | page 234
Routing | Redirects messages to the mail server or MTA you specify. | page 236
Strip Attachments | Removes attachments from a message before sending to the recipient. | page
ARCHIVE MESSAGE

The Archive Message object saves a copy of an e-mail to the folder you specify, so that you can keep a record of e-mail sent or received.

CONFIGURING THE ARCHIVE MESSAGE OBJECT

When you install Filter, the setup program creates a folder at a default location that you can use to archive messages. You can specify a different location when you configure the object to use in a rule.

You also need to specify how messages are archived. You can:
- Archive the original message. Filter will archive the message exactly as it was when it was placed in the In folder. For example, if the message has had its HTML content stripped by a previous rule, the e-mail will be saved with its HTML content still present.
- Archive the current message state. Filter will save a copy of the message in the condition it is in at the current stage of processing. For example, if the message has had its HTML content stripped by a preceding rule, the e-mail will be saved without its HTML content.
Follow procedure 28 to include the Archive Message Object in a rule:

Procedure 28: Configuring the Archive Message Object

1. Drag the Archive Message Object into position on the Rules palette.
2. The Archive Message Object property sheet will display.
3. Enter the path of the folder where you want to archive messages, or click Browse to navigate to the folder. The default Archive folder is in the SurfControl Filter directory.
4. Select how you want e-mails to be archived. Choose one of the following:
   - Archive the original message.
   - Archive the current message state.
5. Click OK.
COMPRESS ATTACHMENTS OBJECT

The Compress Attachments object compresses file attachments, reducing message file size and conserving network bandwidth.

CONFIGURING THE COMPRESS ATTACHMENTS OBJECT

When you include the Compress Attachments Object in a rule, you need to decide which kinds of file attachments you want Filter to compress. You can choose to:
- Compress all attachments.
- Compress attachments of the type you specify.
- Compress attachments NOT of the type you specify.

You can also specify:
- Whether Filter will create a log entry in the system database to record that it has compressed an attachment.
- What filename will be given to the file containing the compressed attachments.

Follow procedure 29 to include the Compress Attachments object in a rule.

Procedure 29: Configuring the Compress Attachments Object

1. Drag the Compress Attachments object into position on the Rules palette.
2. The Compress Attachments object property sheet will display.
3. Select which file attachments you want Filter to compress:
   - All attachments
   - Attachments of the type selected. Go to step 5.
   - Attachments of the type not selected. Go to step 6.
   If you do not see the file type you want, you can add it. See Adding a file extension to the list on page
4. If you select All attachments, the file selection area will be unavailable.
5. If you selected Attachments of the type selected, select which files you want Filter to compress. You can select groups of file types, for example audio files, or individual file types, for example .mp3 files.
6. If you selected Attachments of the type not selected, select those files that you do NOT want Filter to compress.
7. Click OK.

Advanced Settings

8. Click Advanced properties. The Advanced Properties dialog will display.
9. If you want to record the fact that an attachment has been compressed, select Log this operation to the database.
10. You can choose the name of the zip file that will contain the compressed attachments. By default this is attachments.zip.
11. Click OK to return to the Compress Attachments property sheet.
Adding File Extensions

If you want to compress a file attachment that is not on the list, you can add it. If you have added a file extension while configuring the File Attachment object (see page 188), the file extension will also be included on the Compress Attachments property sheet; you do not have to add it again.

Procedure 30: Adding a file extension to the list

1. On the Compress Attachments dialog, click Add.
2. Click Add.
3. The Add File Extension dialog will display.
4. Enter the file extension you want to add to the list. Note: Do not include the . character in the file extension.
5. Click OK. The Add File Extension dialog will close, and you will see your file extension displayed on the list under the File Extensions category. By default the file attachment is not selected. Check the box to select it for inclusion in the rule.
6. When you are happy with your changes, click OK on the Compress Attachments property sheet.
FOOTERS AND BANNERS OBJECT

You can add Footers and Banners to an e-mail, for example to act as a disclaimer.

CONFIGURING THE FOOTERS AND BANNERS OBJECT

When you use the Footers and Banners Object in a rule, you need to decide:
- Whether you want to add a footer or a banner to e-mails. A banner appears at the beginning of the e-mail, a footer at the end.
- Whether the footer / banner will be included in all e-mails, or only those of selected users or groups.
- What the footer / banner text will say.
- Whether the footer / banner will override the previous one.

Footer / Banner Variables

You can enter the following variables into the footer & banner text:

$B the message subject
$C the dictionary score
$D the date that the message was processed
$F the message filename
$N the name of the triggered rule
$R the message recipient's name
$S the message sender's name
$T the time of message processing
$V the name of the virus detected by the Anti-Virus Agent
$Z the message size
Follow procedure 31 to include the Footers and Banners object in a rule:

Procedure 31: Configuring the Footers and Banners Object

1. Drag the Footers and Banners object into position on the Rules palette.
2. The Footers and Banners object property sheet will display.
3. Specify who you want the footer / banner to apply to. You can add:
   - a domain, e.g. mycompany.com
   - an individual user, e.g. [email protected]
   Leave the box blank to apply the footer to everybody.
4. Type your footer / banner text in the Text area. Alternatively, you can import your text from a text file; go to step 7.
5. By default the text will be added to e-mails as a Footer. To add banner text, select Add text as Banner.
6. If you have several footer objects within your rules but only want one to appear on any individual message, select the Override previous footer or banner check box. This adds only the last footer of your rules logic to a message.
Importing Footer / Banner text from a text file

7. Click Import. The Import Footer dialog box will display.
8. Navigate to the text file you want to add as a footer / banner. The SampleFooter.txt file in the SurfControl Filter directory contains example footer / banner text that you can use.
9. Select the file and click Open. You will see the footer / banner text displayed in the Text area.
10. Click OK.
HEADER MODIFICATION OBJECT

The Header Modification object can change message header field values, such as the Subject, Return path or To: fields, in the way you specify. For example, if you have a generic e-mail account for some incoming e-mail, such as [email protected], you can use the Header Modification object to modify the To: field of the e-mail and replace it with the address of an individual in your organization. This means that customers can send an e-mail to the generic address, but the message will always reach an individual who can respond to it.

CONFIGURING THE HEADER MODIFICATION OBJECT

To include the Header Modification Object in a rule you need to decide:
- Which field of the message you want Filter to change.
- What changes you want to make to that field.
- Whether there are any exceptions or whether Filter will always change the field.

You can change the following fields of an e-mail:

Table 32 Fields you can modify

Field | Description
X-Envelope-To | The delivery information of the message.
To / cc: | The addresses on the To: or cc: list.
From | The sender's identity.
Return path | The address replies to the message will be sent to.
Reply-To | The originator of the message.
Subject | The text in the Subject line of an e-mail.
Received | The date and time the e-mail was received.
Message ID | The message identifier.
Table 33 shows the actions you can perform on header fields. Not all actions are available for every header field. For example, you cannot perform a remove operation on message path fields (X-Envelope-To, To/CC, From or Return Path).

Table 33 Header Modification Actions

Action | What it does
Find / Replace | Finds specific content in the header field and replaces it with the text you specify.
Remove | Removes the field. Note: If you choose to remove the Subject field, only the subject description is removed and not the field itself. For example, a message with Subject: Hello would read Subject: whereas if you remove the Received and Message-ID fields, both the fields and the contents are removed.
Add / Overwrite | Overwrites all the contents of the field with the text you specify.
Add / Append | Adds the text you specify after the contents of the field.
Add / Prepend | Adds the text you specify before the contents of the field.

Follow procedure 32 to include the Header Modification object in a rule.

Procedure 32: Configuring the Header Modification Object

1. Drag the Header Modification object into position on the Rules palette.
2. The Header Modification object will display.
3. Click Add. The Edit Header Field Modification dialog will display.
4. Select an Action. This is the change that you want to make to the header field. You can choose:
   - Find \ Replace
   - Remove
   - Add \ Overwrite
   - Add \ Append
5. Select the Field you want to change.
6. Enter the Field Parameters. The appropriate boxes for your action will become available.
7. You will see a summary of the action you have chosen, for example: Find [email protected] in the To:/cc field and replace with [email protected]; [email protected]
8. Click OK.
HTML STRIPPER

The HTML Stripper object can remove active HTML content from the body of e-mail messages. Active content is code that can execute on a client PC (such as JavaScript / VBScript, Java Applets or ActiveX objects), often without the user's permission. Active content can also include malicious actions executed by the mail client when the user is viewing the message.

CONFIGURING THE HTML STRIPPER OBJECT

There are two ways you can remove active HTML content from e-mails:

Remove Active HTML Components

The HTML Stripper object can remove the following types of active HTML content:
- Scripts: JavaScript, VBScript etc.
- IFrame: independent HTML frames
- Active links
- ActiveX and software objects
- Java applets

Remove the HTML from multi-part messages and deliver the text-only message body

Multipart/alternative e-mails contain both a plain text and an HTML part. Which part is shown to the recipient is determined by their e-mail client, and (in some cases) by their choice. The HTML Stripper object can remove the HTML from this kind of message so that the recipient can only view the e-mail in its plain text form. Non-multipart alternative HTML messages will be delivered with no message body.

The HTML Stripper can deal with the HTML part of multipart messages in one of two ways:
- Remove all active HTML components.
- Remove the HTML content entirely. This may mean the e-mail will appear to be empty because the body content has been removed.
Follow procedure 33 to include the HTML Stripper in a rule:

Procedure 33: Configuring the HTML Stripper Object

1. Drag the HTML Stripper object into position on the Rules palette.
2. The HTML Stripper object property sheet will display.
3. Specify how Filter will remove HTML content if the rule is triggered. See page 234 for a description of each option.
4. Click OK.
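The two stripping modes described above, sketched in Python as an added example (it is not SurfControl's implementation). The function names, the reading of "active links" as event handlers and script URLs, and the sample message are assumptions made for the illustration.

```python
import html
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements removed as active content, per the list in this section.
ACTIVE_TAGS = {"script", "iframe", "object", "applet"}
SCRIPT_URL = re.compile(r"^(javascript|vbscript):", re.I)

class ActiveContentStripper(HTMLParser):
    """Re-emit HTML, dropping active elements, on* handlers and script URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a removed element

    def _render(self, tag, attrs, close=""):
        parts = [tag]
        for name, value in attrs:
            # Assumption: "active links" = event handlers and script: URLs.
            compact = re.sub(r"[\x00-\x20]", "", value or "")
            if name.startswith("on") or SCRIPT_URL.match(compact):
                continue
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + close + ">"

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth:
            self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag not in ACTIVE_TAGS and not self.skip_depth:
            self.out.append(self._render(tag, attrs, " /"))

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def remove_active_html(markup: str) -> str:
    parser = ActiveContentStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def _drop_html_parts(msg):
    if msg.is_multipart():
        kept = [p for p in msg.iter_parts() if p.get_content_type() != "text/html"]
        for part in kept:
            _drop_html_parts(part)
        msg.set_payload(kept)
    elif msg.get_content_type() == "text/html":
        msg.clear_content()  # HTML-only message is left with no body

def strip_html(raw: str, mode: str) -> EmailMessage:
    """'active': keep HTML parts minus active content; 'text-only': remove them."""
    msg = message_from_string(raw, policy=policy.default)
    if mode == "text-only":
        _drop_html_parts(msg)
        return msg
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            part.set_content(remove_active_html(part.get_content()), subtype="html")
    return msg

# Constructed sample markup (not from the guide).
SAMPLE_HTML = """<html><body onload="track()">
<p>Hello <b>team</b> &amp; welcome</p>
<script>alert(1)</script>
<iframe src="http://example.invalid/x"></iframe>
<a href="javascript:void(0)" onclick="x()">click</a>
</body></html>
"""

def constructed_sample(html_only: bool = False) -> str:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "demo"
    if html_only:
        m.set_content(SAMPLE_HTML, subtype="html")
    else:
        m.set_content("Hello team & welcome\n")
        m.add_alternative(SAMPLE_HTML, subtype="html")
    return m.as_string()
```

The HTML-only case shows why the second mode can deliver an apparently empty e-mail: with no plain text alternative, nothing is left once the HTML part is removed.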
ROUTING OBJECT

The Routing Object can redirect e-mails that trigger rules to the mail server or MTA of your choice. For example, if your organization has an archiving policy, the Filter can send a copy of e-mails that meet your archiving criteria to the archiving server, while processing the original messages as normal.

Before you can use the Routing Object in rules, you need to configure Smart Host Routing in the Server Configuration Console. See Smart Host Routing.
CONFIGURING THE ROUTING OBJECT

To include the Routing Object in a rule, follow Procedure 34.

Procedure 34: Configuring the Routing Object

1. Drag the Routing object into position on the Rules palette.
2. The Properties for Routing dialog will display.
3. Select whether you want to redirect:
   - Each message that triggers the rule. Filter will continue processing the message, then redirect the message to the server you specify (unless further rules are triggered that lead to the message being isolated or discarded).
   - A copy of each message that triggers the rule. Filter will immediately send a copy of the message to the server you specify, without processing it any further. The original message will be processed as normal.
4. If you redirect a copy of each message that triggers the rule, you now need to choose the state of the message. Select one of the following:
   - Current message state. Filter will redirect a copy of the message in the condition it is in at the current stage of processing. For example, if the message has had its HTML content stripped by a preceding rule, the e-mail will be redirected without its HTML content.
   - Original message. Filter will redirect the message exactly as it was when it was placed in the In folder. For example, if the message has had its HTML content stripped by a previous rule, the e-mail will be delivered with its HTML content still present.
5. Now select the server that you want Filter to redirect messages to. The Smart Host list will display any Smart Hosts that you have configured. To configure a Smart Host, see Smart Host Routing.
6. Click OK.
STRIP ATTACHMENTS OBJECT

The Strip Attachments object removes attachments from messages before allowing them to proceed to their destination. You can choose to remove all attachments or just certain formats.

Note: If an archive file, e.g. a .zip file, contains a file type that triggers the Strip Attachments object, the entire attachment is stripped, not just the file that triggered the object.

CONFIGURING THE STRIP ATTACHMENTS OBJECT

Follow Procedure 35 to include the Strip Attachments Object in a rule:

Procedure 35: Configuring the Strip Attachments Object

1. Drag the Strip Attachments object into position on the Rules palette.
2. The Strip Attachments object property sheet will display.
3. Select which file attachments you want Filter to remove. You can select groups of file types, for example audio files, or individual file types, for example .mp3 files. To remove all attachments, select Remove all message attachments. If you do not see the file type you want, you can add it. See page 240.
Adding a File Extension to the List

If you want to remove a file attachment that is not on the list, you can add it. If you have added a file extension while configuring the File Attachment or Compress Attachments object (see page 188), the file extension will also be included on the Remove Attachments property sheet; you do not have to add it again.

Procedure 36: Adding a file extension to the list

1. On the Strip Attachments dialog, click Add.
2. Click Add.
3. The Add File Extension dialog will display.
4. Enter the file extension you want to add to the list.
   Note: Do not include the . character in the file extension.
5. Click OK. The Add File Extension dialog will close, and you will see your file extension displayed on the list under the File Extensions category. By default the file attachment is not selected. Check the box to select it for inclusion in the rule.
6. When you are happy with your changes, click OK.
NOTIFY OBJECTS

The Notify objects enable you to send an e-mail notification to a user when a rule has been triggered. There are two kinds of Notify object:

Table 34 Notify Objects

Notify Object   What it does                                                                                                    Find out more
Blind Copy      Copies a message that has triggered a rule to an interested third party, such as the systems administrator.    page 242
Notification    Notifies an interested party that a rule has been triggered, with the details of the rule.                     page 244
BLIND COPY OBJECT

The Blind Copy object sends a blind copy of the message that has triggered a rule to the user you specify.

CONFIGURING THE BLIND COPY OBJECT

When you include the Blind Copy object in a rule you need to decide:

   - Who you want to blind copy the e-mail to. For example, you might want to blind copy the e-mail to your organization's HR manager.
   - Whether you want to replace the subject text. You can replace the subject text of the message so that the user knows that they are receiving a blind copy notification before they open the e-mail. For example, if you were notifying the HR department that a rule had been triggered you could change the subject line to "this e-mail breaches the AUP". You can also use variables in the subject line:

     Table 35 Subject Line Variables

     Variable  Description
     $B        The message subject
     $C        The dictionary score
     $D        The date that the message was processed
     $F        The message filename
     $N        The name of the triggered rule
     $R        The message recipient's name
     $S        The message sender's name
     $T        The time of message processing
     $V        The name of the virus detected by the Anti-Virus Agent
     $Z        The message size

     For example, the text "This message has triggered $N and was sent by $S" would show the triggered rule and the message sender in the subject line.
   - Whether you want the blind copy recipient to be able to reply directly to the message sender, or to the systems administrator.

Follow procedure 37 to include the Blind Copy object in a rule:
Procedure 37: Configuring the Blind Copy object

1. Drag the Blind Copy object into position on the Rules palette.
2. The Blind Copy object property sheet will display.
3. To blind copy the e-mail to the domain administrator, check the Domain Administrator box.
4. To blind copy another user, enter their address in the Add new bcc recipient field and click Add.
5. You will see the address displayed in the address area. To remove an address, highlight it and click Remove.
6. To replace the subject text, select Replace Subject Text and enter the new text in the field.
7. If you want replies to the blind copy to be delivered to the Domain Administrator, select Return Path to Domain Administrator.
8. Click OK.
NOTIFICATION OBJECT

You can use the Filter Notification object to inform users that a rule has been triggered. For example, you can notify the sender and the recipient of an e-mail, the system administrator and an HR representative.

CONFIGURING THE NOTIFICATION OBJECT

To include the Notification Object in a rule, you need to decide:

   - Who will be notified (for example the message sender and their line manager).
   - What the notification will say. As well as free text, you can use the following variables in the subject line and body of the notification:

     Table 36 Notification Object Variables

     Variable  Description
     $B        The message subject
     $C        The dictionary score
     $D        The date that the message was processed
     $F        The message filename
     $N        The name of the triggered rule
     $R        The message recipient's name
     $S        The message sender's name
     $T        The time of message processing
     $V        The name of the virus detected by the Anti-Virus Agent
     $Y        Inserts the first 10k of the body of the e-mail.
     $Z        The message size

   - Whether you want to include the e-mail that triggered the rule in the notification e-mail. There are two ways you can do this:
     - Attach the original message.
     - Attach the current message state.

Follow procedure 38 to include the Notification object in a rule.
Procedure 38: Configuring the Notification Object

1. Drag the Notification object into position on the Rules palette.
2. The Notification object property sheet will display.
3. Select who you want to send the notification to. Tick the boxes to send the notification to:
   - The message sender
   - The message recipients
   - The domain administrator
   You can also enter addresses in the To: field, separated by a semicolon.
4. Enter the subject of the message. By default the subject is: Autonotify $B. You can edit the subject line using text or variables (see Table 36 on page 244).
5. To attach the message that triggered the rule, select Include Message as Attachment, then select either:
   - Attach original message
   - Attach current message state
   Note: Do not attach a message that you suspect is infected with a virus.
6. Click OK.
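The subject and body variables used by the Blind Copy and Notification objects (Tables 35 and 36) are filled from the triggering message, so several of them carry text chosen by the sender. The following Python sketch is an added example, not the product's code, showing one way such a template can be expanded safely; the function name, the character-based reading of "10k" and the sample values are assumptions.

```python
import re

# "$Y inserts the first 10k of the body"; the unit is assumed here to be characters.
BODY_PREVIEW_LIMIT = 10 * 1024
_VARIABLE = re.compile(r"\$([BCDFNRSTVYZ])")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]+")


def expand(template: str, values: dict, header: bool = True) -> str:
    """Expand $-variables in one pass.

    values maps the variable letter ("B", "N", ...) to its text. Letters with
    no value are left as written. With header=True the result is meant for a
    Subject line, so control characters in substituted values are collapsed.
    """
    def substitute(match):
        letter = match.group(1)
        if letter not in values:
            return match.group(0)
        text = str(values[letter])
        if letter == "Y":
            text = text[:BODY_PREVIEW_LIMIT]
        if header:
            # Sender- and subject-derived values are untrusted: a CR/LF here
            # would otherwise start a new header line in the notification.
            text = _CONTROL.sub(" ", text).strip()
        return text

    # re.sub scans the template only, so a "$N" inside a substituted value
    # (for example in the original subject) is not expanded a second time.
    return _VARIABLE.sub(substitute, template)


# Constructed values for a triggered rule (not taken from the guide).
SAMPLE_VALUES = {
    "N": "Adult",
    "S": "sender@example.com\r\nX-Injected: 1",
    "B": "cheap $N offer",
    "Y": "a" * 20000,
}
```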
ACTIONS OBJECTS

The Actions objects determine what action to take if a message meets the conditions of the rule. Without Actions objects, e-mails pass through Filter to their destination, even if they trigger a rule. There are four Actions objects:

Table 37 Actions objects

Actions object    What it does                                                                      Find out more
Allow Message     Places the e-mail in the Out folder for delivery.                                 page 247
Delay Message     Delays the delivery of the message until the time you specify.                    page 249
Discard Message   Irrevocably deletes the e-mail.                                                   page 251
Isolate Message   Places the e-mail in the folder you specify so that you can review and analyze it.  page 252

The Rules service works through each of the enabled rules in order. If an e-mail triggers a rule that contains an Action object, no more processing of the rules will take place.
ALLOW OBJECT

If an e-mail triggers a rule that contains an Allow object, no further rules checking takes place on it and the message is moved to the Out folder ready for delivery into the recipient's mailbox.

The presence of an Allow object within a rule enables you to define the criteria for mail delivery. This can make it easier to implement your Acceptable Use policy by using positive filtering. For example, you could allow all messages from your CEO to pass through SurfControl Filter with the minimum of rules checking, but subject messages from other members of your organization to closer scrutiny.
CONFIGURING THE ALLOW OBJECT

Follow procedure 39 to include the Allow object in a rule:

Procedure 39: Configuring the Allow Object

1. Drag the Allow object into position on the Rules palette.
2. The Allow object property sheet will display.
3. If you want to create an entry in the logging database when a message is Allowed, select Log this Action to Rules Database.
4. Click OK.
DELAY MESSAGE OBJECT

The Delay Message object enables you to delay sending or receiving messages that are likely to place undue load on your network. For example, you could delay the sending of files over a certain size until after work hours.

When you use a Delay Message object in a rule, e-mails that trigger the rule will be held in the Delay folder until the time you specify. To specify the time that delayed messages will be released, you need to configure the Delay Queue in the Server Configuration dialog. See Queue Management on page 56.
CONFIGURING THE DELAY MESSAGE OBJECT

Follow Procedure 40 to include a Delay Message object in a rule:

Procedure 40: Configuring the Delay Message Object

1. Drag the Delay object into position on the Rules palette.
2. The Delay object property sheet will display.
3. Click OK.
DISCARD MESSAGE OBJECT

The Discard Message object deletes messages. If an e-mail triggers a rule that contains a Discard Message object, it will be irrevocably deleted and no further rules will be applied to it. The Discard Message object is useful for destroying e-mails and attachments that are found to be virus infected.

You can choose to log Discard Message activity to the SurfControl Filter database. If your 30-day evaluation period expires, no activity logging will occur.

CONFIGURING THE DISCARD MESSAGE OBJECT

Follow procedure 41 to include the Discard Message object in a rule:

Procedure 41: Configuring the Discard Message Object

1. Drag the Discard Message object into position on the Rules palette.
2. The Discard Message object will display.
3. If you want to create an entry in the logging database when a message is Discarded, select Log this Action to Rules Database.
4. Click OK.
ISOLATE MESSAGE OBJECT

The Isolate Message object places e-mails that have triggered a rule in a separate folder, so you can review and analyze them. Once an e-mail has been isolated, no further rules are applied to it.

Note: If you are upgrading Filter from a previous version, the new queues will not be created.

CONFIGURING THE ISOLATE MESSAGE OBJECT

When you install Filter, the following queues are created by default:

   - Anti-Spam Agent - DFP
   - Anti-Spam Agent
   - Confidential
   - Delay
   - Dictionaries - Spam
   - File Formats
   - Isolate
   - Network Security
   - URL List - Offensive
   - URL List - Spam
   - Virtual Image Agent
   - Virus
   - VLA-Spam

You can create other queues to suit your needs. See Adding a queue on page 58.

When you include the Isolate Message object in a rule you specify which of the available queues will store e-mails that trigger that rule. Follow procedure 42 to include the Isolate Message object in a rule:

Procedure 42: Configuring the Isolate Message object

1. Drag the Isolate Message object into position on the Rules palette.
2. The Isolate Message object will display.
3. Select the Isolate folder you want to use to isolate e-mail that triggers the rule. To add a queue, see Adding a queue.
4. Click OK.
Chapter 7 Message Administrator

   - In This Chapter
   - Launching the Message Administrator
   - The Message Administrator Window
   - Configuring Message Administrator
   - The Message Parts Panel
   - The Message Contents Panel
   - Working with Queues
   - Using Logs
IN THIS CHAPTER

You can review and manage e-mails that have been placed in queues and view a record of Filter Activity using the Message Administrator. This chapter explains how to:

   - Configure the Message Administrator
   - Manage Messages
   - Analyze Messages

LAUNCHING THE MESSAGE ADMINISTRATOR

From the Start menu, select Programs > SurfControl Filter.
THE MESSAGE ADMINISTRATOR WINDOW

The Message Administrator Window looks like this:

   - Queues and Logs panel: select which queue or log to view.
   - Message List Panel: displays the messages / log entries in the queue / log you select from the Queues and Logs panel.
   - Message Parts panel: select the message components you want to view.
   - Message Contents Panel: view the contents of the selected message component.

Figure 1 The Message Administrator Screen
CONFIGURING MESSAGE ADMINISTRATOR

You can configure the Message Administrator by setting the Message Administrator Options.

LAUNCHING MESSAGE ADMINISTRATOR OPTIONS

From the Tools menu, select Options. The Message Administrator options will display.

GENERAL TAB

In the General Tab you can:

   - Specify which file SurfControl Filter uses to automatically reply to messages (for example to tell a message sender that their message has not been delivered).
   - Specify whether files are automatically saved and their location.

Figure 2 Message Administrator Options General Tab

Auto-Reply File: The location of the auto-reply text file used to generate responses to specific types of messages; the default is the AutoReply.txt file in your SurfControl Filter root directory. You can edit this file or create a new one by using a text editor (e.g. Notepad). See Appendix A for more information.

Automatically save files when selected: Check this box to automatically save files to the identified directory when you press the Save button. If this box is not selected, SurfControl Filter will always prompt you to confirm the save operation.

Folder to save files: Navigate to the directory where you want to automatically save files.
MESSAGES TAB

The Messages tab controls:

   - The number of messages displayed at one time in the message list panel
   - The number of log items displayed at one time in the message list panel
   - How SurfControl Filter behaves when you perform an action on a message.

Figure 3 Message Administrator Options Messages Tab

The Messages tab contains the following options:

Number of messages to display: Specify how many e-mails are shown in the Message List panel at one time. The Message Administrator limits the maximum number of messages displayed to make remote administration over slow modem connections easier. If SurfControl Filter is running on the same machine as the Message Administrator, or you have a fast connection, you can increase this number to 100 or more. For slower connections, set a lower number.

Number of log records to display: Enter the number of log records to show in the Message List panel when viewing the Rules, SMTP or System logs.

Confirm when deleting messages: Check this box to be prompted to confirm deletion of the highlighted e-mail.

Confirm when releasing all messages: Check this box to be prompted to confirm release of messages from the selected queue when you click either the Release or Release All buttons.

Notify when new messages arrive: Check this box to display a notification pop-up when a new e-mail arrives at the Message Administrator.
FILE TYPES TAB

The File Types tab controls which file types you can open via the Message Administrator:

Figure 4 Message Administrator Options File Types Tab

Of the file types that appear on this list, you can view only HTML files within the Message Administrator. To view any other type of file, you will need an external viewer installed on your computer. You will be prompted to open non-HTML files using an external viewer. Click Always Open or Never Open to avoid being prompted.

Note: Message Administrator does not control which viewer is used to view files. The viewer is determined by your Windows File Associations.

For each file type you can select one of the following options:

   - Always Prompt: check this option for the Message Administrator to ask you whether you want to display the file content for each instance of the file type.
   - Always Open: check this option for the Message Administrator to automatically display the file contents of the file type in the associated viewer.
   - Never Open: select this option for the Message Administrator to never open files of the selected type.
HTML VIEWER TAB

This tab gives you the option of viewing the active HTML content of messages while you are reviewing them in the Message Contents Panel. This can represent a security risk as active HTML content can contain malicious code. SurfControl recommend that you keep all three checkboxes cleared and avoid viewing active HTML content if possible.

Figure 5 Message Administrator Options HTML Viewer Tab

COLUMNS TAB

Use the Columns tab to specify which columns are visible when you are viewing queues and logs. The Columns tab looks like this:

Figure 6 Message Administrator Options Columns Tab

Choose which set of columns you want to change from the drop down menu. The visible columns are shown in the box below.
Procedure 1: Moving a column

1. Highlight the column.
2. Move the column up or down in the list by clicking on the arrows.

Procedure 2: Inserting a column

1. Click Insert to open the Choose a Column dialog.
2. Choose the column you want to insert and click OK.

Procedure 3: Hiding a column

1. Highlight the column you want to hide.
2. Click Hide.

When you are happy with your choice of columns, click Apply. Click OK to close the dialog and return to the Message Administrator.
THE MESSAGE TOOLBAR

The toolbar consists of ten buttons that enable you to work with the messages. This toolbar is only available when viewing a queue:

   - Show information about the selected message, including details of recipients and file size.
   - Analyze the contents of the selected message using one or more of the SurfControl dictionaries of your choice.
   - Forward a copy of the selected message to any e-mail address. Does not delete the message.
   - Reply to the message sender.
   - Submit the selected message to SurfControl for inclusion in the Anti-Spam Agent database.
   - Release the selected e-mail for delivery.
   - Move the selected message from its current folder to an alternative folder. For example, move a message from the Delay queue to the Isolate queue.
   - Save the selected e-mail.
   - Delete the selected e-mail.
   - Release all messages from the selected queue to their destination.
   - Delete all messages from the selected queue.
THE QUEUES AND LOGS PANEL

This panel shows:

   - The Delay and Isolate queues
   - Any other queues that you have configured via Server Configuration, and the three logs.

Figure 7 Queues and Logs Panel

Alongside each queue is the number of records that it currently contains. From this list, choose the queue or log that you wish to view. The contents of that queue or log will be displayed in the Message List Panel.
THE MESSAGE LIST PANEL

The Message List Panel shows all e-mails in a selected message queue or log. This example shows all the e-mails in the Isolate queue:

Figure 8 Message List Panel Isolate Queue

This example shows all the messages in the Rules Log:

Figure 9 Message List Panel Rules Log

ARRANGING COLUMNS

You can arrange the columns in the Message List panel to show the information you want in the way you want it.

Showing or Hiding Columns
To hide a column, right-click on the column heading and select Hide. The column will disappear from the Message List panel. To re-instate the column, right-click on any column heading and select Insert, then choose the column you want to restore from the list that displays.

Moving Columns
To move a column, click on the column heading and, keeping the mouse button held down, drag it into position. A blue line will display to let you know where the column will be dropped when you release the mouse button.

Resizing Columns
You can change the width of a column by clicking on the line between columns and dragging it left or right.
Sorting

You can sort your list of messages on any of the column headings you have displayed. Click once on the column heading to sort in ascending order. In this example, the list has been sorted by subject:

Figure 10 Messages sorted by subject

Click on the column heading again to reverse the sort order from ascending to descending:

Figure 11 The same messages in descending order

Sorting on a column generates a new search and adds it to the query list. You can then save the query by selecting Save Query from the View menu. The next time you open the queue you can select the query from the list and the results will be sorted again.

You can combine sorting with queries to give a powerful searching tool. For example, this query shows messages isolated today, ordered alphabetically by subject:

Figure 12 Sorting a query

Listing isolated messages by subject is a good way to keep track of spam, because spammers change their address regularly. To find out more about searching, see Searching for messages.
QUICK SEARCH USING THE SHORTCUT MENU

When you are viewing queues and logs you can use the shortcut menu to search for messages quickly and easily.

Procedure 4: Using the shortcut menu

1. Right-click on the criteria you want, at any point on the list. This example uses the Loop Detection rule, but you can use any of the message properties, such as Sender or Subject. Right-clicking displays the shortcut menu, with the option Show other entries with this (rule name).
2. Now only log entries where the rule name is Loop Detection are displayed.
3. If you repeat this process with a different property you can search the displayed messages. So, for example, you could display all the log entries for messages sent from one particular address, then show all the log entries for messages which had triggered the Adult rule.
THE MESSAGE PARTS PANEL

If a message has been placed in a queue folder, you can use Message Administrator to view its component parts. The Message Parts panel will show the message split up as follows:

   - The message header
   - The body
   - Attachments

Click on the part of the message you want to see:

Figure 13 Message Parts Panel

The Message Administrator uses its internal viewer to display it in the Message Contents Panel. If the Message Administrator cannot display the selected component in its internal viewer, it will give you the option of viewing the component in an external viewer for that file type.

Note: You can only view the parts of a message if you are working with messages stored in a queue. If you are viewing a log, the Message Parts panel will disappear.

VIEWING DECOMPOSED MESSAGES

When the Document Decomposition object is fully enabled, Text, Pictures and OLE Embedded objects are extracted from the compound files. A decomposed file will then be represented as a container, holding its decomposed data, like this:

Figure 14 Decomposed messages
THE MESSAGE CONTENTS PANEL

Note: If Document Decomposition is enabled, HTML in the body of a message or in an attachment is decomposed into two files: sc_text.txt containing the visible text, and sc_urls.txt containing any URLs. See Configuring Document Decomposition on page 126.

If you have selected a message from a queue, and it has been decomposed, you can view the contents of each message part in the Message Contents Panel. Click on the component you want to view. Here is an example of a message header:

Figure 15 Message contents panel

You can also view the message body and any attachments, as shown below:

Figure 16 Viewing message content
EXAMINING MESSAGES

You can find out details about messages that are stored in queues by using the Properties function from the Message List panel.

Procedure 5: Viewing details

1. Highlight the message within the Message Administrator.
2. Click the Properties button to view detailed information about a message, including the name of the rule triggered by the message, the time and date that the SurfControl Filter engine processed the rule and the Dictionary score for the message if it triggered a Dictionary Threshold rule.
3. If you want to perform detailed Dictionary analysis on the message, click the Analyze button to launch the Analyze File dialog. The message does not have to have triggered a Dictionary Threshold rule in order to use the Analyze feature. For more details on how to use the Analyze feature, see the section on the next page.
4. Click OK.
ANALYZING MESSAGES

When you analyze a message you can view each word that has triggered the dictionary rule, how often it occurs and its score:

Procedure 6: Viewing Analyze Results

1. Highlight the message within the Message Administrator.
2. Click the Analyze button. The Analyze dialog will display.
3. Select the dictionary that you want to use to analyze the message. The Message Administrator will display a series of statistics concerning the words from that dictionary that appear within the message. The Analyze dialog displays:
   - The words from the message that appear in the selected dictionary.
   - The message part in which the words occur.
   - The value assigned to each word.
   - The number of these words found.
   - The individual word scores.
   - The total word score.
4. From the Message Part drop-down list, you can select which parts of the message you wish to scan. You can scan:
   - The entire message.
   - The message header.
   - The message body.
   - The message attachments.
5. From the Scanning drop-down list, select either:
   - Threshold Total: Display the dictionary scoring words from only the highest scoring part of a multi-part alternative message with more than one Message Body. Whichever part of the message scores highest for the selected dictionary determines which part's words are displayed.
   - Grand Total: Display the dictionary scoring words from all selected parts of a message. In the case of a multi-part alternative message with more than one Message Body, identical dictionary scoring words from alternative parts will have a cumulative effect on the final score for the selected dictionary.
6. Click OK to return to the Message Administrator.
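The difference between Threshold Total and Grand Total is easiest to see on a multipart/alternative message whose plain text and HTML bodies repeat the same words. The following Python sketch is an added example, not the product's scoring engine; the dictionary, its word values, the tokenizer and the sample message are all constructed for the illustration.

```python
import re
from collections import Counter
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed dictionary: word -> value (not a SurfControl dictionary).
DICTIONARY = {"lottery": 10, "winner": 5, "prize": 5}


class _TextOnly(HTMLParser):
    """Collects the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(part) -> str:
    body = part.get_content()
    if part.get_content_type() == "text/html":
        parser = _TextOnly()
        parser.feed(body)
        parser.close()
        return " ".join(parser.chunks)
    return body


def word_hits(text: str, dictionary=DICTIONARY) -> dict:
    """Return {word: (count, value, count * value)} for dictionary words found."""
    counts = Counter(re.findall(r"[a-z0-9']+", text.lower()))
    return {w: (counts[w], v, counts[w] * v) for w, v in dictionary.items() if counts[w]}


def body_scores(raw: str) -> list:
    """Score every text body of the message: [(content_type, score), ...]."""
    msg = message_from_string(raw, policy=policy.default)
    scores = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            hits = word_hits(visible_text(part))
            scores.append((part.get_content_type(), sum(t for _, _, t in hits.values())))
    return scores


def threshold_total(raw: str) -> int:
    # Only the highest scoring alternative body counts.
    return max((score for _, score in body_scores(raw)), default=0)


def grand_total(raw: str) -> int:
    # Identical words in alternative bodies accumulate.
    return sum(score for _, score in body_scores(raw))


def constructed_sample() -> str:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "demo"
    m.set_content("You are a lottery winner. Claim your prize.\n")
    m.add_alternative(
        "<p>You are a <b>lottery</b> winner. Claim your prize now, winner!</p>\n",
        subtype="html",
    )
    return m.as_string()
```

A rule threshold tuned against one scanning mode will behave differently under the other, because the Grand Total for this sample is nearly double the Threshold Total.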
WORKING WITH QUEUES

When you are viewing a queue, you can perform actions on the messages in it, for example move them to a different queue folder. The actions you can perform on messages are as follows:

Procedure 7: Releasing messages

1. Highlight the message within the Message Administrator.
2. Click the Release button.
3. If you have selected the option Confirm when releasing all messages in the Message Administrator options, you will be asked if you are sure that you want to release the message. The message is then moved to the Send queue.

Procedure 8: Moving messages to a different queue

1. Highlight the message within the Message Administrator.
2. Click the Move button. The Move to Queue... dialog will display.
3. You will be asked to choose which queue you want to move the message into. You can also move a message by clicking on it and dragging it into a queue in the Queues and Logs section of the Message Administrator.

Procedure 9: Saving a copy of a message

1. Highlight the whole message within the Message List Panel or the individual message part within the Message Parts Panel.
2. Click the Save button to display the Save As dialog. Choose where you would like the message to be saved; you can also give it a different name.
3. Click Save to save a copy of the message.
Procedure 10: Deleting a message

1. Highlight the message within the Message Administrator.
2. Click the Delete button.
3. If you have selected the option Confirm when deleting messages in the Message Administrator options, you will be asked if you are sure that you want to delete the message.

Procedure 11: Releasing all messages from a queue

1. Select the queue that you wish to release messages from in the Queues and Logs panel.
2. Click the Release All button.
3. If you have selected the option Confirm when releasing all messages in the Message Administrator options, you will be asked if you are sure that you want to release the messages. All messages from the selected queue are passed to the Send service for delivery.

Procedure 12: Searching for messages

1. You can search the queues and logs for a particular message or messages. Click the Find button to perform a Search. The Find dialog will display.
2. Choose the field that you wish to search. You can search any of the fields within the Message Administrator.
3. Enter the words that you wish to search for in the Find What field.
4. Select the Match whole word only check box to list only the results that exactly match the text you have entered. Otherwise, the search will find text strings that contain the word you have entered; for example, a search for hotmail.com will match on [email protected], [email protected], [email protected], etc.
5. Click Find to start your search.
6. To save your search criteria, choose Save Query from the View menu. You can give your query a name by entering it in the Query Name field on the Search dialog. For example this Query has been renamed xmas spam.
7. You cannot re-use a search of the Queue on the Logs or vice versa. When you exit Message Administrator, unsaved Search Criteria will be cleared.
8. When you want to use your search again, select it from the drop-down menu. Saved queries are displayed in blue text in the query list, unsaved queries in black. Unsaved queries will be lost if you select a different queue or log, or if you close the Message Administrator. Make sure any queries you want to keep are saved, by selecting Save Query from the View menu.
9. To return to the previous query, click the Back icon.
WORKING WITH QUEUES ON MULTIPLE SERVERS

If you have SurfControl Filter set up on more than one server but sharing an SQL database, you can act on messages from any server. For example, a message in the Isolate folder on Server A could be released using Message Administrator on Server B. However, in order to do this, SurfControl Filter must be configured as follows:

- All Filter servers must share the same domain.
- The Administration Server services on each machine must be logged on using a domain account with network privileges. An account on the local machine, or within a workgroup, is not sufficient.
- If the server is logging to a remote SQL Server using Windows Authentication, then all the services need to be logged on using this Domain account, and the account must have sufficient database access privileges as well. (You can use SQL Authentication for this).

If your system is set up in this way you will be able to use Message Administrator to work with messages across more than one server. However, you cannot use Message Administrator to move messages from one server to another. For more information on configuration options, see the SurfControl Filter Installation Guide.

FORWARDING A COPY OF THE SELECTED MESSAGE

You can forward a message from a queue. For example, you might want to forward a copy of a message which has been isolated for inappropriate content to the sender's manager or the HR department. The message from the queue will be forwarded as an attachment.
Procedure 13: Forwarding messages

1. Highlight the message within the Message Administrator.
2. Click the Forward button to display the Forward message dialog.
3. In the To: field, enter the addresses that you want the message to be forwarded to.
4. Specify who you want to receive copies of the e-mail. Select any or all of the following:
   - Message Sender
   - Message Recipients
   - Systems Administrator
5. The Subject of the forwarded message will appear by default in the Subject: field, but you can change it to a different one.
6. In the Body field, you can type a message, e.g. This message has been isolated because it contains material that could be deemed inappropriate.
7. Click Send to forward the message. The message will appear in the addressee's inbox as being from your Mail Administrator's mailbox. The original message will remain in its current queue.
Procedure 14: Replying to the sender of the message

1. Highlight the message within the Message Administrator.
2. Click the Reply button to display the Reply to Sender dialog.
3. If you wish another person to receive a copy of this reply, enter their address in the BCC field.
4. If you want a copy to be sent to the Systems Administrator, check the BCC Admin box.
5. You can choose from a range of standard auto reply messages depending on the material under discussion. Alternatively, select Clear from the Auto-Reply Format menu and type your own message in the box.
6. Click OK to send your reply. The message will appear in the addressee's inbox as being from your Mail Administrator's mailbox. The original message will remain in its current queue.
Procedure 15: Submitting a message to the Anti-Spam Agent database

1. Highlight the message within the Message Administrator.
2. Click the Submit button to display the Submit dialog.
3. The address and subject will automatically be filled in.
4. Click OK. You have now sent this message to SurfControl who will assess it for addition to the Anti-Spam Agent categories. The original message will remain in its current queue.
USING LOGS

You can view the Traffic, Rules and System Log via the Message Administrator.

- The Rules Log contains details of all messages triggering rules, the rule triggered, the location of the message, the message sender and recipients, and the time and date that the e-mail was received by SurfControl Filter.
- The Traffic Log contains details on every message received by Filter, the sender host IP and HostName, together with the time and date that the message was received by SurfControl Filter.
- The System Log contains status information on SurfControl Filter services.

Double-click an individual log record to display its properties.

USING QUEUES AND LOGS WITH MULTIPLE SERVERS

If you are using more than one Receive service, e.g. in a large organization with more than one mail server, it is possible that two different .msg files could be given the same name. In order to distinguish between servers, you can display the server name for each message.

Procedure 16: Displaying the Server Name in the Queue / Log

1. In Message Administrator, click on any log to highlight it.
2. In the Message List panel, right-click on any column heading.
3. Select Insert to display the Choose a Column dialog.
4. Select Server Name and click OK. You will see an extra column on the message list panel showing which server each message belongs to.
Chapter 8
Dictionary Management

- In This Chapter, page 282
- Launching Dictionary Management, page 282
- The Dictionary Management Window, page 283
- Adding a Dictionary, page 284
- Adding Words to a Dictionary, page 285
- Editing Dictionary Words, page 289
- Deleting Words From A Dictionary, page 290
- Deleting a Dictionary, page 291
- Importing Dictionaries, page 292
- Exporting Dictionaries, page 297
IN THIS CHAPTER

This chapter explains how to configure the dictionaries used by such tools as the Dictionary Threshold object and the LexiMatch object. By adding dictionaries and words, and by amending the score of words in the pre-configured dictionaries, you can optimize filtering results.

LAUNCHING DICTIONARY MANAGEMENT

From the Start menu, select Programs > SurfControl Filter > Utilities > Dictionary Management.
THE DICTIONARY MANAGEMENT WINDOW

When you launch Dictionary Management, the Dictionary Management window will display.

- If you add a dictionary it will display under Custom Dictionaries.
- The SurfControl pre-configured dictionaries are listed here. Click on a dictionary to display the words it contains and their scores.
- When you click on a dictionary in the left pane, the list of words it contains will display in the right hand pane.

Figure 1 The Dictionary Management Window
ADDING A DICTIONARY

To add a dictionary, follow procedure 1:

Procedure 1: Adding a Dictionary

1. Launch the Dictionary Management window.
2. Click the New Dictionary button. The Add / Edit dictionary dialog will display.
3. Give the new dictionary a name.
4. In the Description field, enter a brief description of the new dictionary.
5. If you want to display a warning message when the dictionary is launched (for example if the dictionary contains offensive words), enter a warning message in the Warning Message field. Then select Display this message when dictionary launches.
6. Click OK. You will see your new dictionary displayed under Custom Dictionaries. You will also be able to select your dictionary when using the dictionary-based rules objects (e.g. the LexiMatch object).
7. Click to save your changes.
8. Now add words to your dictionary. See Adding Words to a Dictionary on page
ADDING WORDS TO A DICTIONARY

Note: If you want to use the Confidential dictionary in rules, you need to add the words and phrases that signify confidential content in your organization.

You can add words or phrases to a dictionary and give them a score. You can also use wildcards and number pattern recognition to make dictionary scanning tools more powerful.

Using Number Pattern Recognition

You can add any pattern of numbers to a dictionary by using the # character to signify a digit. For example #### #### #### #### would find the credit card number , but not the string abcd 1234 defg

Using number pattern recognition in this way means you can prevent users from transmitting potentially sensitive data such as credit card details, account numbers or patient file numbers.

Note: You can't place one wildcard character immediately next to another one.

Using WildCards

You can make the SurfControl Filter dictionary scanner more extensive by using wildcard characters. With no wildcards, a word is assumed complete and separated by white space or punctuation marks. With wildcards, you can scan parts of words. You can use the following wildcard characters:

- * any character before or after a word or phrase
- ? any single character within a word or phrase
- ^ one or more white-space characters
- ! a single white-space or punctuation character
- \ escape character

For example:

- Use * at the beginning or the end of a word or phrase, e.g. sex* finds sexy and sexily but NOT Middlesex.
- Use ? in the middle of a word or phrase to indicate a single wildcard character, e.g. jo?n would match john and joan but NOT johann.
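To check what a phrase will and will not catch before adding it to a dictionary, the rules above can be modelled as a regular expression. This is an added example, not SurfControl's matcher: case-insensitive matching, treating ? as any non-space character, letting * extend over word characters only, and not counting # as a wildcard for the adjacency rule are all assumptions. The sample texts are constructed.

```python
import re
import string

# Single white-space or punctuation character, used for the "!" wildcard.
_SEP = "[\\s" + re.escape(string.punctuation) + "]"


def compile_phrase(phrase):
    """Translate a dictionary phrase into a case-insensitive regex.

    Models the rules as the guide words them; the product's real matcher may differ.
    """
    body = []
    lead_star = trail_star = False
    prev_wild = False
    i, n = 0, len(phrase)
    while i < n:
        ch = phrase[i]
        if ch == "\\":  # escape character: the next character is literal
            if i + 1 == n:
                raise ValueError("escape character at end of phrase")
            body.append(re.escape(phrase[i + 1]))
            prev_wild = False
            i += 2
            continue
        if ch in "*?^!":
            if prev_wild:
                raise ValueError("wildcards may not be adjacent")
            prev_wild = True
            if ch == "*":
                if i == 0:
                    lead_star = True
                elif i == n - 1:
                    trail_star = True
                else:
                    raise ValueError("* is only valid at the start or end")
            elif ch == "?":
                body.append(r"\S")       # any single character (assumed non-space)
            elif ch == "^":
                body.append(r"\s+")      # one or more white-space characters
            else:
                body.append(_SEP)        # "!": one white-space or punctuation character
        else:
            prev_wild = False
            body.append(r"\d" if ch == "#" else re.escape(ch))
        i += 1
    if not body:
        raise ValueError("phrase has no literal content")
    # Without a wildcard the phrase must be bounded by non-word characters.
    left = r"(?<!\w)" + (r"\w*" if lead_star else "")
    right = (r"\w*" if trail_star else "") + r"(?!\w)"
    return re.compile(left + "".join(body) + right, re.IGNORECASE)


def phrase_hits(phrase, text):
    """Return every substring of text that the phrase matches."""
    return [m.group(0) for m in compile_phrase(phrase).finditer(text)]


if __name__ == "__main__":
    print(phrase_hits("sex*", "sexy and sexily in Middlesex"))
    print(phrase_hits("#### #### #### ####", "card 1234 5678 9012 3456."))
```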
Using Binary Sequences

You can also search for binary sequences. Use this ability to identify specific binary file sequences expressed as hexadecimal sequences. To enter a binary sequence, enter `~ followed by an even number of hexadecimal characters representing the search sequence.

For example `~ is the Binary representation of abcd

A rule to detect this binary sequence would trigger if a message contained the following strings: abcd abcdxxxabcdxxx

The phrase ABCD would not trigger the rule because the binary code distinguishes between upper and lower case letters.
To add words to a dictionary, follow procedure 2:

Procedure 2: Adding Words to a Dictionary

1. Launch the Dictionary Management window.
2. Click on the dictionary to which you want to add words. The list of words in the dictionary will display in the right hand pane.
3. Click the add icon. The add / edit phrase dialog will display.
4. Enter the word or phrase you want to include in the dictionary.
5. In the Phrase Value box, give the word or phrase a score between 0 and 100. The higher the score you give, the fewer instances of the word or phrase need to appear in an e-mail to trigger a dictionary threshold rule.
6. Click OK. You will see the new word or phrase added to the list of words in the dictionary.
7. Click to save your changes.
EDITING DICTIONARY WORDS

You can change a dictionary word or its score. Follow procedure 3:

Procedure 3: Editing Dictionary Words

1. Launch the Dictionary Management window.
2. Click on the dictionary you want to edit. The list of words in the dictionary will display in the right hand pane.
3. To change a word or dictionary score, double-click it. You will see the cursor focus change so that you can edit the word or score.
4. Click to save your changes.
DELETING WORDS FROM A DICTIONARY

To delete words from a dictionary, follow procedure 4. If you delete words used by objects in an enabled rule, the rule will be ineffective; the e-mail will pass through it to the next processing step.

Procedure 4: Deleting Words from a Dictionary

1. Launch the Dictionary Management window.
2. Click on the dictionary from which you want to delete words. The list of words in the dictionary will display in the right hand pane.
3. Select one or more words you want to delete. You can select multiple words using shift+click or ctrl+click.
4. Click the delete word icon.
5. Your selected words will be removed from the dictionary.
6. Click to save your changes.
DELETING A DICTIONARY

You can delete any of the dictionaries. If you delete a dictionary, rules that use threshold scores from that dictionary or LexiMatch object will be ineffective; the e-mail will pass through them to the next processing step. If you delete a dictionary by mistake you can restore it by importing the SurfControl dictionary pack; see Importing a SurfControl Dictionary Pack on page 293.

Procedure 5: Deleting a Dictionary

1. Launch the Dictionary Management window.
2. Click on the dictionary you want to delete.
3. Now click the Delete Dictionary icon.
4. You will be asked if you want to delete your chosen dictionary. Click Yes to proceed and delete the dictionary.
5. Click to save your changes.
IMPORTING DICTIONARIES

There are two ways you can import dictionaries into Filter:

- Import a SurfControl dictionary pack
- Import a unicode text file.

IMPORTING A SURFCONTROL DICTIONARY PACK

You can import and export dictionaries using the Dictionary Import-Export utility. SurfControl Filter 5.0 provides language dictionaries for the following languages:

- Dutch
- French
- German
- Italian
- Japanese
- Portuguese
- Spanish
- Traditional Chinese
- Simplified Chinese

By default, the product installs the English language dictionaries. You can add other language dictionaries using the Import-Export utility.
To import a SurfControl Dictionary Pack, follow Procedure 6.

Procedure 6: Importing a SurfControl Dictionary Pack

1. Launch the Dictionary Management Window.
2. From the File menu, select Import / Export Dictionary Pack. The Import / Export utility wizard will launch.
3. Click Next. The Select Source and Target dialog will display.
4. Select Import from file.
5. Enter the path of the dictionary file you want to import. Alternatively, click Browse and navigate to the location of the dictionary files. By default the SurfControl dictionaries are in the SurfControl Filter\Language Packs folder.
6. Select the dictionary you want to import and click Open.
7. You will see the file selected in the Select Source and Target dialog.
8. Click Next.
9. The Select Dictionaries dialog will display. Select which dictionaries you want to import, or click Select All. By default, the Import / Export wizard will import only those dictionary words which you have not changed. If you want to import the entire dictionary and overwrite your changes select Import all words and overwrite any modifications.
10. Click Next.
11. The import summary screen will display, listing the choices you have selected. Click Finish to import the dictionaries, or Back to change your settings.
IMPORTING A UNICODE TEXT FILE

Importing a unicode text file is an easy way to add large numbers of words and their scores to an existing dictionary, or create a new one. Follow procedure 7.

Procedure 7: Importing a Unicode Text File

1. Launch Notepad or a similar text editor.
2. Enter the words and dictionary scores you want to add to the dictionary. Put the words in inverted commas ( ) and put a tab space in between each word and its score. For example:
   Basketball [tab space]50
   Football [tab space]30
   Baseball [tab space]40
3. Save the file as file type unicode.
4. Launch the Dictionary Management window.
5. From the File menu, select Import Unicode TXT file.
6. The Open dialog will display. Navigate to the unicode file you want to import.
7. Click Open. You will be asked if you want to import the unicode file as a new dictionary, or overwrite whichever dictionary is currently selected in the left hand pane.
8. To import the unicode file as a new dictionary, click New. You will be asked to give your new dictionary a name and descriptions. Click OK. You will see your new dictionary displayed in the Dictionary Management Window.
9. To overwrite the dictionary that is currently selected, click Overwrite. The selected dictionary will disappear and you will see your new dictionary in its place.
10. If your file cannot be imported successfully you will see an error message. Check that the syntax of the entries in your unicode file matches the one in step 2, and that the text file is saved as unicode.
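The checks in step 10 can be run on a word list before it is imported. This is an added example, not a SurfControl tool; it assumes that "inverted commas" means double quotes, that "unicode" is what Notepad writes under that name (UTF-16 little-endian with a byte-order mark), and that binary sequences are quoted like any other phrase. The 0 to 100 score range comes from Procedure 2, and the entries used in the demonstration are constructed.

```python
import codecs
import re

ENTRY_RE = re.compile(r'^"([^"\t]+)"\t(\d+)$')            # "phrase"<TAB>score
BINARY_RE = re.compile(r'^`~((?:[0-9A-Fa-f]{2})+)$')      # `~ plus whole hex bytes


def write_dictionary(path, entries):
    """Write (phrase, score) pairs as a UTF-16 LE text file with BOM and CRLF line ends."""
    lines = ['"%s"\t%d' % (phrase, score) for phrase, score in entries]
    data = codecs.BOM_UTF16_LE + "\r\n".join(lines + [""]).encode("utf-16-le")
    with open(path, "wb") as fh:
        fh.write(data)


def lint_dictionary(path):
    """Return a list of (line_number, problem); an empty list means the file looks importable."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if not raw.startswith(codecs.BOM_UTF16_LE):
        return [(0, "file is not UTF-16 LE with a byte-order mark")]
    text = raw[2:].decode("utf-16-le", errors="replace")
    problems, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are ignored by this check
        match = ENTRY_RE.match(line)
        if not match:
            problems.append((lineno, 'expected "phrase"<TAB>score'))
            continue
        phrase, score = match.group(1), int(match.group(2))
        if not 0 <= score <= 100:
            problems.append((lineno, "score outside 0-100"))
        if phrase.startswith("`~") and not BINARY_RE.match(phrase):
            problems.append((lineno, "binary sequence needs an even number of hex digits"))
        if phrase.lower() in seen:
            problems.append((lineno, "duplicate phrase"))
        seen.add(phrase.lower())
    return problems


if __name__ == "__main__":
    import os
    import tempfile

    path = os.path.join(tempfile.mkdtemp(), "sports.txt")
    write_dictionary(path, [("Basketball", 50), ("Football", 30), ("Baseball", 40)])
    print(lint_dictionary(path))
```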
EXPORTING DICTIONARIES

You use Dictionary Management to export dictionaries from SurfControl Filter. This is useful if you want to edit the dictionaries when you are running multiple instances of Filter, because you only have to edit the dictionary once. There are two ways of exporting Dictionaries:

- As a SurfControl Dictionary pack (an XML file)
- As a unicode file.

EXPORTING A DICTIONARY AS A DICTIONARY PACK

Follow procedure 8.

Procedure 8: Exporting a SurfControl Dictionary Pack

1. Launch the Dictionary Management Window.
2. From the File menu, select Import / Export Dictionary Pack. The Import / Export utility wizard will launch.
3. Click Next. The Select Source and Target dialog will display.
4. Select Export to file.
5. Enter the path of the dictionary file you want to export the dictionary into.
6. Alternatively, click Browse and navigate to a file. Select the dictionary you want to export and click Open.
7. You will see the file selected in the Select Source and Target dialog.
8. Click Next.
9. The Select Dictionaries dialog will display. Select which dictionaries you want to export, or click Select All.
10. Click Next.
11. The import summary screen will display, listing the choices you have selected. Click Finish to export the dictionaries, or Back to change your settings.
EXPORTING A DICTIONARY AS A UNICODE FILE

Follow procedure 9 to export a dictionary as a Unicode File.

Procedure 9: Exporting a Dictionary as a Unicode File

1. Launch the Dictionary Management Window.
2. Select the dictionary you want to export from the list in the left hand pane.
3. From the File menu, select Export unicode file.
4. The Save As dialog will display.
5. By default the file name is the name of the dictionary, e.g. Job Search Dictionary, but you can change it by entering a name in the File name box.
6. Click Save.
7. You will see a message to confirm that the file has been exported successfully.
Chapter 9
Scheduler

- In This Chapter, page 302
- Launching the Scheduler, page 302
- Scheduler window, page 303
- Scheduled Events, page 303
- Scheduling Anti-Virus Agent Updates, page 305
- Scheduling Anti-Spam Agent Updates, page 308
- Scheduling URL Category Updates, page 311
- Scheduling Queue Synchronization, page 314
- Scheduling Database Management Tasks, page 318
- Purging the Database, page 319
- Archiving the Database, page 322
- Shrinking the Database, page 325
IN THIS CHAPTER

This chapter explains how to use the Scheduler for easy and effective management of SurfControl Filter. You can use the Scheduler to:

- Update tools that use SurfControl Content, such as the Anti-Virus Agent, ensuring that Filter is armed with the most up to date information about new kinds of spam and other threats.
- Automatically manage message queues to avoid congestion and keep your system running efficiently.
- Manage the logging and configuration database.

LAUNCHING THE SCHEDULER

To launch the Scheduler from the Start Menu, select Programs > SurfControl Filter > Scheduler.
SCHEDULER WINDOW

The Scheduler Window looks like this:

- Scheduled tasks display here.
- Use the buttons to create and configure scheduled tasks.

Figure 1 The Scheduler Window

SCHEDULED EVENTS

You can use the Scheduler to schedule the following events:

Table 1 Scheduled Events

Event | What it does | Find out more
Anti-Virus Update | Download the latest Anti-Virus Agent files. | page 305
Anti-Spam Agent Update | Download the latest Anti-Spam Agent files. | page 308
URL Category List Update | Download the latest URL Category files. | page 311
Queue Synchronization | Synchronizes the database with the actual status of the server. | page 314
Database Management | Purge, archive or shrink the logging database. | page 318
During installation, SurfControl Filter automatically sets up the following scheduled events:

Table 2 Default Scheduled Events

Default Event | Time
Update Anti-Virus Agent daily | Every day at 22:00
Update Anti-Spam Agent daily | Every day at 23:00
Queue Synchronization | Every day at 02:00
Shrink Database Weekly | Every Monday at 07:00
Update URL Category List daily | Every day at 00:
SCHEDULING ANTI-VIRUS AGENT UPDATES

By regularly updating the Anti-Virus Agent, you ensure that the virus list used by the Anti-Virus Agent object remains up-to-date and able to fight new viruses.

Procedure 1: Scheduling Anti-Virus Agent Updates

1. Launch the Scheduler. The Scheduler window will display.
2. Select Add Item. The Scheduler Item Configuration will display.
3. Select Anti-Virus Agent Update from the drop-down menu.
4. Choose how frequently you want the AVA update to take place. You can choose from:
   - Daily
   - Weekly
   - Monthly
   - Yearly
5. Choose which days of the week you want the AVA update to take place by checking the boxes.
6. Choose the time of day you want the AVA update to take place, using the 24 hour clock. Alternatively, if you want the AVA update to take place every set number of hours, select Every HH:MM and enter how frequently (in hours and minutes) you want the AVA update to take place.
7. In the Description field, give the event a name. This will help you to recognize which event is which on the Scheduler window.
8. Now click Configure. The Product Registration dialog will display.
9. You must register for Anti-Virus Agent updates. If you filled in the registration details when you installed Filter, the fields will be populated. If you didn't fill in the registration form, or want to change it, enter your details now.
10. When you have registered, click OK to close the registration box and return to the Item Configuration dialog.
11. When you have finished setting the date and time of the update, click OK. You will see your update listed in the Scheduler Window.
SCHEDULING ANTI-SPAM AGENT UPDATES

SurfControl's content team constantly updates the Anti-Spam Agent files to ensure that they stay up to date with the latest Internet content. Schedule regular Anti-Spam Agent updates to ensure that the Anti-Spam Agent uses the most recent resources from SurfControl.

Procedure 2: Scheduling Anti-Spam Agent Updates

12. Launch the Scheduler. The Scheduler window will display.
13. Select Add Item. The Scheduler Item Configuration will display.
14. Select Anti-Spam Agent Update from the drop-down menu.
15. Choose how frequently you want the ASA update to take place. You can choose from:
   - Daily
   - Weekly
   - Monthly
   - Yearly
16. Choose which days of the week you want the ASA update to take place by checking the boxes.
17. Choose the time of day you want the ASA update to take place, using the 24 hour clock. Alternatively, if you want the ASA update to take place every set number of hours, select Every HH:MM and enter how frequently (in hours and minutes) you want the ASA update to take place.
18. In the Description field, give the event a name. This will help you to recognize which event is which on the Scheduler window.
19. Now click Configure. The Product Registration dialog will display.
20. You must register for Anti-Spam Agent updates. If you filled in the registration details when you installed Filter, the fields will be populated. If you didn't fill in the registration form, or want to change it, enter your details now.
21. When you have registered, click OK to close the registration box and return to the Item Configuration dialog.
22. When you have finished setting the date and time of the update, click OK. You will see your update listed in the Scheduler Window.
SCHEDULING URL CATEGORY UPDATES

The URL Category List object uses SurfControl Web Filter technology, enabling you to block messages containing links for spam or inappropriate Web sites. Schedule URL Category updates to make sure that the URL Category List object has the latest Web site classifications from SurfControl.

Procedure 3: Scheduling URL Category Updates

1. Launch the Scheduler. The Scheduler window will display.
2. Select Add Item. The Scheduler Item Configuration will display.
3. Select URL Category Update from the drop-down menu.
4. Choose how frequently you want the URL Category update to take place. You can choose from:
   - Daily
   - Weekly
   - Monthly
   - Yearly
5. Choose which days of the week you want the URL Category update to take place by checking the boxes.
6. Choose the time of day you want the URL Category update to take place, using the 24 hour clock. Alternatively, if you want the URL Category update to take place every set number of hours, select Every HH:MM and enter how frequently (in hours and minutes) you want the URL Category update to take place.
7. In the Description field, give the event a name. This will help you to recognize which event is which on the Scheduler window.
8. Now click Configure. The Product Registration dialog will display.
9. You must register for URL Category updates. If you filled in the registration details when you installed Filter, the fields will be populated. If you didn't fill in the registration form, or want to change it, enter your details now.
10. When you have registered, click OK to close the registration box and return to the Item Configuration dialog.
11. When you have finished setting the date and time of the update, click OK. You will see your update listed in the Scheduler Window.
SCHEDULING QUEUE SYNCHRONIZATION

Note: You should schedule this event at a time when there is little or no traffic on the network.

Sometimes, for example if you delete messages directly from the Queue folders, the contents of the queues can be different from the messages listed in the STEMLog database. The Queue Synchronization event synchronizes the two. This improves the performance of the Message Administrator and supports the use of multiple servers. It also maintains the integrity between database and message files so that they are unlikely to get lost. If loss of messages does occur, Queue Synchronization can retrieve them.

If you have large numbers of delayed or isolated messages, Queue Synchronization may take some time to complete. Managing your queued messages to avoid unnecessary build up of delayed or isolated messages will keep Queue Synchronization running smoothly.
Follow Procedure 4 to schedule a Queue Synchronization event:

Procedure 4: Scheduling a Queue Synchronization Event

1. Launch the Scheduler. The Scheduler window will display.
2. Select Add Item. The Scheduler Item Configuration will display.
3. Select Queue Synchronization.
4. Choose how frequently you want the Queue Synchronization event to take place. You can choose from:
   - Daily
   - Weekly
   - Monthly
   - Yearly
5. Choose which days of the week you want the Queue Synchronization event to take place by checking the boxes.
6. Choose the time of day you want the Queue Synchronization event to take place, using the 24 hour clock. Alternatively, if you want the Queue Synchronization event to take place every set number of hours, select Every HH:MM and enter how frequently (in hours and minutes) you want the Queue Synchronization event to take place.
7. In the Description field, give the event a name. This will help you to recognize which event is which on the Scheduler window.
329 9 SCHEDULER Procedure 4: Scheduling a Queue Synchronization Event Step Action 8 Now click Configure. The Queue Synchronization dialog will display. 9 By default all queues will be synchronized. To exclude a queue from the list, click Add The Add Queue dialog will display. 10 Select the queue you don t want to be synchronized. 11 Click OK. Repeat steps 8 and 9 until you have excluded all the queues you don t want to be synchronized. 12 You will see your excluded queues on the Queue Synchronization dialog. 13 Now specify the maximum number of messages you want to be synchronized. The default is Click OK to return to the Item Configuration dialog. (Sheet 2 of 3) 316 Administrator s Guide SurfControl Filter for SMTP 5.0
330 SCHEDULER 9 Procedure 4: Scheduling a Queue Synchronization Event Step Action 15 Click OK. You will see your Queue Synchronization in the Scheduler window. (Sheet 3 of 3) SurfControl Filter for SMTP 5.0 Administrator s Guide 317
SCHEDULING DATABASE MANAGEMENT TASKS

Note: SurfControl Filter services will stop while Database Management is taking place. You should schedule these events at times of low e-mail traffic so that they have minimal impact on your system.

As soon as you start SurfControl Filter, it begins to record a log of all the communication taking place and stores this information in a database. In a busy environment, the database logs can grow quickly. Use Database Management to manage the logging database, and use the SurfControl Scheduler to perform these tasks regularly.

There are three database management tasks you can automate using the Scheduler:

Table 3 Database Management Tasks

Task: What it does
- Purge Database: Delete records from the database.
- Archive Database: Store a database record set in a separate file, choosing whether or not to remove these entries from the main SurfControl Filter database.
- Shrink: Reduce the size of the logging database by eliminating redundant space, but without removing any database content.
PURGING THE DATABASE

Purging removes records you specify from the logging database. Removing records means that they will no longer appear in reports. Follow Procedure 5:

Procedure 5: Purging the Database

1. Launch the Scheduler. The Scheduler window will display.
2. Select Add Item. The Scheduler Item Configuration will display.
3. Select Database Management.
4. Choose how frequently you want the Database Management event to take place. You can choose from:
   - Daily
   - Weekly
   - Monthly
   - Yearly
5. Choose which days of the week you want the Database Management event to take place by checking the boxes.
6. Choose the time of day you want the Database Management event to take place, using the 24 hour clock. Alternatively, if you want the Database Management event to take place every set number of hours, select Every HH:MM and enter how frequently (in hours and minutes) you want the Database Management event to take place.
7. In the Description field, give the event a name. This will help you to recognize which event is which on the Scheduler window.
8. Now click Configure.
9. Select Purge Database.
10. The Purge dialog will display.
11. Choose one of the following:
   - Purge All: delete all database entries.
   - Purge data older than 24 hours: remove all but today's records.
   - Purge data older than n days: where n is the number of days' records that you want to preserve, counting back from today.
   - Purge data older than date: specify a date forward of which you do not want to purge the records.
   - Purge Range: specify two dates, purging all records with dates after the first but before the last.
12. If you want to remove all address data that is not currently being used by the database, select Purge unused address data. This prevents the database from becoming sluggish, especially after a large attack by a spammer.
13. Click OK to return to the Item Configuration dialog.
14. Click OK. You will see the Purge Database item in the Scheduler window.
ARCHIVING THE DATABASE

Archiving stores records from the logging database in a separate file. Follow Procedure 6:

Procedure 6: Archiving the Database

1. Launch the Scheduler. The Scheduler window will display.
2. Select Add Item. The Scheduler Item Configuration will display.
3. Select Database Management.
4. Choose how frequently you want the Database Management event to take place. You can choose from:
   - Daily
   - Weekly
   - Monthly
   - Yearly
5. Choose which days of the week you want the Database Management event to take place by checking the boxes.
6. Choose the time of day you want the Database Management event to take place, using the 24 hour clock. Alternatively, if you want the Database Management event to take place every set number of hours, select Every HH:MM and enter how frequently (in hours and minutes) you want the Database Management event to take place.
7. In the Description field, give the event a name. This will help you to recognize which event is which on the Scheduler window.
8. Now click Configure.
9. Select Archive Database.
10. The Archive Database dialog will display.
11. Choose one of the following:
   - Archive all: archives the entire database.
   - Archive data from the last 24 hours: archives all records with today's date.
   - Archive data older than n days: where n is the number of days' records that you do not want to archive, counting back from today.
   - Archive data older than date: specify a date forward of which you do not want to archive the records.
   - Archive Range: specify two dates, archiving all records with dates after the first but before the last.
12. Enter the path of the archive file, or click Browse to navigate to the location you want. The default archive folder is in C:\Program files\surfcontrol Filter\Archive
13. If you want to automatically give the archive file a name based on when the archive was performed, select Unique date-based filename.
14. If you want the archived files to be removed from the logging database, select Purge Archived Data.
15. Click OK to close the Archive Database dialog.
16. Click OK. You will see the Archive Database item in the Scheduler window.
SHRINKING THE DATABASE

Shrinking reduces the file size of the database by eliminating redundant space but without removing any useful data. Follow Procedure 7:

Procedure 7: Shrinking the Database

1. Launch the Scheduler. The Scheduler window will display.
2. Select Add Item. The Scheduler Item Configuration will display.
3. Select Database Management.
4. Choose how frequently you want the Database Management event to take place. You can choose from:
   - Daily
   - Weekly
   - Monthly
   - Yearly
5. Choose which days of the week you want the Database Management event to take place by checking the boxes.
6. Choose the time of day you want the Database Management event to take place, using the 24 hour clock. Alternatively, if you want the Database Management event to take place every set number of hours, select Every HH:MM and enter how frequently (in hours and minutes) you want the Database Management event to take place.
7. In the Description field, give the event a name. This will help you to recognize which event is which on the Scheduler window.
8. Now click Configure.
9. Select Shrink.
10. The Shrink / Compact database dialog will display.
11. Specify by how much you want to shrink the database (between 1% and 99%). The default is 10%.
12. Click OK to return to the Item Configuration dialog.
13. Click OK. You will see the Shrink Database item in the Scheduler window.
Chapter 10
Reporting

- In This Chapter
- Installing Report Central
- Allocating memory to the tempdb transaction log
- Logging On for the First Time
- Remote Access
- Getting Started With Report Central
- Configuration Options
- Setting up Users
- Changing User Details
- Specifying a Mail Server
- Databases
- Resolving Database Memory Issues
- Archiving / Deleting Reports
- Reporting
- Rules Reports
- Traffic Statistics Reports
- Generating Reports
- Saving Reports
IN THIS CHAPTER

This chapter explains how to use SurfControl Report Central alongside Filter to create reports that give you an in-depth view of how e-mail is being used in your organization.

INSTALLING REPORT CENTRAL

See the Filter Getting Started Guide for instructions on how to install Report Central.

ALLOCATING MEMORY TO THE TEMPDB TRANSACTION LOG

When generating reports, SQL Server can run out of memory if the SQL Server tempdb transaction log does not have enough memory allocated to it. To allocate more memory, follow these steps:

Procedure 1: Allocating memory to the tempdb transaction log file

1. Launch SQL Server Enterprise Manager.
2. Select TempDB from the database list.
3. Right-click on TempDB and select Properties from the shortcut menu. The TempDB properties sheet will display.
4. Select the Transaction Log tab.
5. Under Space Allocated (MB) enter a value of 15 or above.
6. Click OK to close the dialog.
LOGGING ON FOR THE FIRST TIME

When you log on to SurfControl Report Central for the first time, use the Admin account credentials you set up during installation. This will give access to all the configuration options.

The first time you run Report Central, you will be asked to install the Java Runtime Environment v if this is not already installed on your machine. Follow the steps in the Setup program, accepting the defaults on each screen.
REMOTE ACCESS

Users who do not have SurfControl Report Central installed can generate reports via remote access, without installing any software on their computers. You can give users remote access to SurfControl Report Central by distributing the hyperlink as shown on the next page.

SYSTEM REQUIREMENTS FOR REMOTE ACCESS

If a user wants to access Report Central remotely, their computer must meet the following system requirements.

Table 1 Remote access system requirements

Operating System:
- Windows XP
- Windows 2000 Server SP3
- Windows 2000 Advanced Server SP3
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition

Applications:
- Internet Explorer 5.0 or later.
- Adobe Reader 6.0 or later to read reports in PDF format.

To distribute the remote access shortcut, follow Procedure 2.

Procedure 2: Distributing the remote access shortcut

1. From the Start menu navigate to Programs SurfControl Report Central.
2. Right-click on Filter 5.0 Client Shortcut and select Send To from the menu.
3. Select Mail Recipient.
4. Your e-mail program (e.g. Microsoft Outlook) will open a new message. The body of the message will contain a link to Report Central.
5. Enter the e-mail addresses of the users you want to receive the link, and send the e-mail.
6. To use Report Central, users must have the Java Runtime Environment installed on their computer. If they do not have this component, they will be prompted to install it the first time they try to log on to Report Central. They should accept any requests to download and install files, and choose the Typical install option when asked.
7. Although you can send the remote access shortcut to many users at once, it is better to send it to one user at a time, along with their user name and password. See Setting up Users on page 18.

Warning: Internet Explorer users: if you want to use SurfControl Filter Web Reports as well as Report Central, make sure that Sun Java is enabled. Select Internet Explorer > Tools > Options and select Enable Java 2 SDK

You will need to re-send the remote access shortcut if you edit any of the following settings on the computer where Report Central is installed:
- IP address of host computer.
- Tomcat Web Server Port Number.
GETTING STARTED WITH REPORT CENTRAL

LAUNCHING SURFCONTROL REPORT CENTRAL

From the Start menu, select: Programs SurfControl Report Central Filter 5.0 Reports

Warning: To log on to Report Central you must have ActiveX controls and Plug-ins enabled in Internet Explorer. Check the settings in Internet Explorer > Tools > Internet Options > Security > Custom Level.

You will be asked to log on. When you log on for the first time, use the authentication details that you set up when you were installing Report Central.

FINDING YOUR WAY AROUND

When you launch Report Central you will see the following screen in your browser window:

- Click Configuration to set up and administrate Report Central.
- The left-hand pane shows the reports. When you launch Report Central these are rolled up into folders. Click on a folder to expand the list.
- The right-hand pane is where you will specify report criteria.

When you select a report, the criteria will display in the right-hand pane, like this:

Use these settings to customize your report.
CONFIGURATION OPTIONS

To configure SurfControl Report Central, select Configuration Options to display the Configuration Options dialog.

There are four tabs on the dialog:
- Users: add, edit and delete users. See Setting up Users on page 335.
- Database Connection: change the database that Report Central connects to.
- Mail Settings: set up a connection to your mail server to enable reports to be sent by e-mail. See Specifying a Mail Server on page 340.
- Archive / Delete: manage the reports you have generated. See Archiving / Deleting Reports on page
SETTING UP USERS

The first thing you need to do after installing Report Central is set up user accounts. There are three stages to this process:

1. Specify logon details
2. Specify user permissions
3. Specify report permissions

These stages are described in detail on the following pages.

1. SPECIFYING LOGON DETAILS

Follow Procedure 3 to create logon details for a new user account.

Procedure 3: Specifying logon details

1. Log on using the Admin account.
2. Select Configuration Options to display the Configuration Options dialog.
3. On the Users tab, click New.
4. The User Configuration dialog will display. Select the General tab.
5. Enter the following information:
   - User Name
   - Password
   - Confirm Password

2. SPECIFYING USER PERMISSIONS

When you are creating user accounts, you can set the following user permissions:

Table 2 User permissions

Permission Setting: Permitted Actions
- Act as global administrator: The user can create and edit users.
- Able to change database used for reports: The user can run reports from any database on the list. They can also edit and delete database connections.
- Able to create reports in a private view: The user can create reports and folders that only they can access.
- Able to create and share reports in a public view: The user can create reports that all users can access.
- Restricted User: The user can run reports but cannot change any report criteria. Use this option if you want a user to run only specific reports that have been set up by a global administrator and saved in the Public folder.

To set user permissions, follow these steps:

Procedure 4: Specifying user permissions

1. On the User Configuration dialog, select the General tab.
2. Select the level of access you want the user to have by selecting the checkboxes.

3. SPECIFYING REPORT PERMISSIONS

There are two kinds of report: standard and custom.

Standard Reports

Standard reports are the pre-set reports that come installed with Report Central. They are divided into two groups:
- Rules Reports
- Traffic Statistics Reports

You can specify whether or not a user has access to a group of reports, or you can specify which individual reports in each group you want users to be able to access. This means that nobody in your organization can view sensitive user information unless they are qualified or authorized to do so. For a detailed description of each group and report, see Running Reports on page 31.

Custom Reports

Custom reports are defined by the user. You can allow users to specify their own reports, or you can restrict them to using only the standard ones.

To specify report permissions, follow these steps:

Procedure 5: Specifying report permissions

1. Select the Reports tab.
2. Choose the reports you want the user to have access to by checking the boxes:
   - Check Select All to give the user access to all reports.
   - Check a category to give the user access to all reports in that group.
   - Click on the group to expand it, and check an individual report to give the user access to only that report.
CHANGING USER DETAILS

Users with Global Administrator status can edit user details or delete user accounts. Procedure 6 describes how to edit user details.

Procedure 6: Editing User Details

1. From the Configuration Options Users tab, highlight the user in the Existing Users panel.
2. Click Edit. The User Configuration dialog will appear with the user's existing details.
3. You can change all existing General and Report settings for the user except for the User Name.
4. Click OK to confirm your changes.

Procedure 7 describes how to delete a user.

Procedure 7: Deleting a User

1. From the Configuration Options Users tab, highlight the user in the Existing Users panel.
2. Click Delete. A Confirm Delete warning will be displayed.
3. Click Yes to confirm the deletion of the user or No to cancel.
SPECIFYING A MAIL SERVER

You can e-mail reports to other users. To be able to do this, you need to specify a mail server. Follow Procedure 8.

Procedure 8: Specifying a Mail Server

1. On the Configuration Options dialog, select the Mail Settings tab.
2. In the Hostname field, enter the server name of the mail server you want to use to distribute reports, for example myserver.mycompany.com
3. In the Port field, enter the number of the port you want to use to send outbound e-mail. This is usually port
4. In the Senders Address field, enter the address you want to send reports from, for example [email protected]
5. Click OK to confirm your changes.
DATABASES

The Database Connection tab shows the following information:
- The current database being used for reporting.
- The authentication details of the current database.
- A list of databases that can be used for reporting.

From this tab you can select a different database to connect to.

CONNECTING TO A DIFFERENT DATABASE

To report on a new database, you must first add the database connection details to the list. You can only add a database connection if you are either:
- A global administrator, or
- A user with the Able to change database used for reports privilege.

Details of the current database are shown in the Current Database box. To connect to a different database, follow Procedure 9:

Procedure 9: Connecting to a different database

1. Select Configuration Options. The Configuration Options dialog will display.
2. Select the Database Connection tab.
3. In the Server box, enter the name of the server where the database is running.
4. Enter the Hostname. This is either the IP address or name of the SQL Server that Report Central will connect to.
5. In the Authentication area, choose the authentication method for connecting to the server. If you choose SQL Authentication, enter a user name and password.
6. The available databases will display in the Database menu. Select the database you want to connect to and click Select.
7. Click OK.
RESOLVING DATABASE MEMORY ISSUES

INCREASING MEMORY TO THE JAVA VIRTUAL MACHINE

If your database is very large, you may find that the following message displays when you try to generate a report with a large list of criteria (for example over 500,000 senders):

To display the criteria list you need to increase the amount of Java Virtual Memory. To increase the amount of memory available to the Java Virtual Machine, follow Procedure 10:

Procedure 10: Increasing the Java Virtual Memory

1. From the Start Menu, select Settings Control Panel Java Plug-in. The Java Plug-in Control Panel will open.
2. Select the Advanced tab.
3. In the Java Runtime Parameters field, enter the following:

   -Xms256m -Xmx512m

   This will set the amount of memory available to the Java Virtual Machine to a minimum of 256MB and allow it to expand to 512MB. You can allocate more memory by changing 512 to a higher value, but make sure there is enough system memory available before you do this.

INCREASING THE TEMPDB TRANSACTION FILE

The following reports can generate high volumes of data.

Table 3 High-volume reports

Report type: Report name
- Rules reports: Rules by date; Rules by sender summary; Rules by sender detail; Rules by sender showing recipient
- Traffic statistics reports: Messages by size

If your database does not have enough memory, it will be unable to generate the report. To increase the amount of memory, follow the procedure Allocating memory to the tempdb transaction log file on page 328.
ARCHIVING / DELETING REPORTS

You can specify how SurfControl Report Central deals with reports that are no longer current. Once you have enabled archiving or deletion (Procedure 11), use the Archive / Delete options to specify:
- Which reports are deleted or archived.
- When deletion or archiving takes place.

ENABLING REPORT ARCHIVING / DELETION

Note: Reports are archived individually, in their originally created format.

In order to delete or archive reports you must first enable the archive and delete facility:

Procedure 11: Enabling Report Archiving / Deletion

1. On the Configuration Options dialog, select the Archive / Delete tab.
2. Select Enable Automatic Report Cleanup. The Delete and Archive options will become available.
3. Select whether you want to Delete reports or Archive them. The settings for the options you have chosen will become available.

Note: By default Automatic Report Cleanup is disabled. When you enable it, the Archive Reports option is selected by default.

Now set your archive / delete options by following the procedures on the following pages.

DELETING REPORTS

Once you have chosen to delete reports, use the Delete Options tab to specify which reports are deleted, and when.

Procedure 12: Deleting reports

Specifying which reports are deleted

1. On the Configuration Options dialog, select the Archive / Delete tab.
2. Make sure the Enable Automatic Report Cleanup and Delete Reports options are selected.
3. Select the Delete Options tab.
4. To choose which reports are deleted, select one of the following:
   - All (the default setting)
   - Before today
   - Older than last 7 days
   - Older than last full month

Specifying the date and time you want reports to be deleted

5. Select the Date / Time tab.
6. In the Time of Day area, specify a time of day (using the 24hr clock) to delete your reports.
7. If you want the selected reports to be deleted on a certain day or days of the week, select Daily / Weekly, and use the checkbox to specify the days you want. If you want the reports to be deleted every day, select all the checkboxes.
8. If you want the selected reports to be deleted on a certain day in the month, select Monthly and use the Day field to specify which day of the month you want. Alternatively, if you want the reports to be deleted on the last day of each month, select End of Month.
9. Click OK.

ARCHIVING REPORTS

Once you have chosen to archive reports, use the Archive Options tab to specify which reports are archived, and when.

Procedure 13: Choosing which reports are archived

1. On the Configuration Options dialog, select the Archive / Delete tab.
2. Make sure the Enable Automatic Report Cleanup and Archive Reports options are selected.
3. Select the Archive Options tab.
4. To choose which reports are archived, select one of the following:
   - All (the default setting)
   - Before today
   - Older than last 7 days
   - Older than last full month
5. In the Archive Location field, specify a folder where you want archived reports to be stored.
6. Select the Date / Time tab.
7. In the Time of Day area, specify a time of day (using the 24hr clock) to archive your reports.
8. If you want the selected reports to be archived on a certain day or days of the week, select Daily / Weekly, and use the checkbox to specify the days you want. If you want the reports to be archived every day, select all the checkboxes.
9. If you want the selected reports to be archived on a certain day in the month, select Monthly and use the Day field to specify which day of the month you want. Alternatively, if you want the reports to be archived on the last day of each month, select End of Month.
10. Click OK.
REPORTING

There are two kinds of report:
- Standard reports: generated using pre-set criteria.
- Custom reports: generated using criteria you have previously entered and saved. This means you can generate the same report many times without having to re-enter the criteria.

The reports are displayed in the left pane of the work area:

Report Central has the same range of reports as Web Reports for SurfControl Filter, but the reports have been improved and given more descriptive names. The report listings on page 348 and 349 show the new name for each report and also the former name as used in Web Reports. If there is a Web report you use regularly, check the Formerly known as column to find out whether the name has changed.

STANDARD REPORTS

Standard Reports are split into two categories:
- Rules Reports
- Traffic Statistics Reports
RULES REPORTS

Rules reports give information about rules: which rules are being broken, how often and by whom. Table 1 lists the Rules Reports.

Table 4 Rules Reports

Rules by Date
  Type: Table
  Formerly known as: Detailed messages by broken rules
  Data: Rule name, Date, Sender, Recipient, Subject
  Ordered by: Rule name

Rules by Sender Summary
  Type: Table
  Formerly known as: Full report summary
  Data: Sender, Rule name, Number of messages, Total size
  Ordered by: Sender

Rules by Sender Detail
  Type: Table
  Formerly known as: Full report detail
  Data: Sender, Rule name, Date, Time, Action, Recipient
  Ordered by: Sender

Rules by Sender Showing Recipient
  Type: Table
  Formerly known as: Detail for specific rules
  Data: Sender, Rule name, Date, Recipient, Size
  Ordered by: Sender

Top N Incoming IPs by Rule
  Type: Table
  Formerly known as: Top N incoming host IPs by rules triggered.
  Data: IP address, Host name, Rule name, Number of times rule triggered
  Ordered by: IP address

Top 15 Rules
  Type: Bar chart
  Formerly known as: Top 20 broken rules
  Data: 15 rules most often triggered by all messages
  Ordered by: Number of rule-breaking messages

Top N Rules
  Type: Table
  Formerly known as: Top N rules
  Data: N rules most often triggered, by incoming / outgoing messages. Time the rule was triggered.
  Ordered by: Time triggered

Top N Rules by Incoming IP
  Type: Table
  Formerly known as: Top N triggered rules showing incoming host IPs
  Data: Rule name, IP address, Host name, Number of times rule triggered
  Ordered by: Rule name

Top 10 Rules by Percent
  Type: Bar chart
  Formerly known as: Percentage of messages by top 10 rules
  Data: Top 10 most frequently triggered rules and the percentage of messages triggering them.
  Ordered by: N / A

Top 15 Senders by Rules Triggered
  Type: Bar chart
  Formerly known as: Top 20 senders by message
  Data: Top 15 senders broken down by the percentage of messages triggering each rule.
  Ordered by: Number of messages sent.
TRAFFIC STATISTICS REPORTS

Traffic Statistics Reports give information on the volume of traffic passing through your system. Table 2 lists the Traffic Statistics Reports.

Table 5 Traffic Statistics Reports

Bandwidth by Date
  Type: Bar chart
  Formerly known as: bandwidth by date
  Data: Total number of messages per day.
  Ordered by: Date

Bandwidth by Hour
  Type: Bar chart
  Formerly known as: bandwidth by hour
  Data: Total number of messages per hour
  Ordered by: Time

Messages by Weekday
  Type: Bar chart
  Formerly known as: Number of messages by weekday
  Data: Total number of messages per day of the week
  Ordered by: Day

Messages by Size
  Type: Table
  Formerly known as: Message size by sender
  Data: Message size, Sender, Message date, Message time
  Ordered by: Message size

Top N Incoming IPs
  Type: Table
  Formerly known as: Top N incoming host IPs
  Data: IP address, Host name, Number of messages sent, Volume of messages sent
  Ordered by: Number of messages sent

Top 15 Recipients by Total Messages
  Type: Bar chart
  Formerly known as: Volume by recipient summary
  Data: Top 15 recipients by number of messages received.
  Ordered by: Number of messages received.

Top 15 Recipients by Total Size
  Type: Bar chart
  Formerly known as: Volume by recipient detail
  Data: Top 15 recipients by volume of messages in bytes.
  Ordered by: Volume of messages received.

Top 15 Senders by Percent
  Type: Bar chart
  Formerly known as: Percentage of messages by sender.
  Data: Top 15 message senders and the percentage of messages sent by them.
  Ordered by: N / A

Top 15 Senders by Total Messages
  Type: Bar chart
  Formerly known as: Top 20 senders by number of messages
  Data: Top 15 senders
  Ordered by: Total number of messages sent.

Top 15 Senders by Total Size
  Type: Bar chart
  Formerly known as: Top 20 senders by volume of messages
  Data: Top 15 senders and the volume of e-mail sent by them in bytes.
  Ordered by: Volume of e-mail sent.
SETTING UP REPORTS

There are four stages to setting up a report:

1. Select the report you want to run
2. Specify report criteria
3. Specify running options
4. Specify scheduling options

Warning: The date on the computer where Report Central is installed must be the same as on the SQL server, otherwise the time and date may not be reported accurately.

SELECTING A REPORT

To select a report, click on it. The criteria for that report will display in the right-hand pane. When you select a report, SurfControl Report Central retrieves the Time and Date information from the database. If you receive the following error message:

Date and Time information cannot be retrieved from the database

there is a problem with your database connection. You should check the following:
- Report Central is connecting to a valid database (Configuration Options dialog).
- The server is running correctly (SQL Service Manager).

SPECIFYING REPORT CRITERIA

You can specify the following report criteria, depending on the type of report you are generating, and your access privileges:
- Date / Time
- Senders
- Sender domains
- Rules
- Weekday
- Recipients
- Recipient domains
- Options
- Database (Custom reports only)
Date / Time

Table 3 shows the Date / Time criteria.

Table 6 Date / Time criteria

| Option | Description |
|---|---|
| All Available | Report on all available messages stored on the database. |
| Today | Report on all messages logged to the database today. |
| Yesterday | Report on all messages logged to the database yesterday (between 00hrs and 24hrs). |
| Last 7 Days | Report on all messages logged to the database in the last seven days (the default setting). |
| Last full month | Report on all messages logged to the database in the last full month. |
| Custom | Report on all messages logged to the database in the time period you specify. See Procedure 14: Specifying a custom time period for reports. |

You can report on any time period by using the Custom option.

Procedure 14: Specifying a custom time period for reports

11. Select a Start Date by clicking the calendar button.
12. Select an End Date by clicking the calendar button.
13. Specify a Start Time (in 24 hr clock).
14. Specify an End Time (in 24 hr clock).
15. If you want the report to take data from the same time period each day, select Use same start and end times each day. See Table 4 for an explanation of this feature.
16. If you want the report to take data from outside the time period you specify, select Exclude Time Range. See Table 5 for an explanation of this feature.
Use same start and end times per day

You can specify that the report uses data from the same time frame each day.

Table 7 Use same start and end times per day checkbox

| Checkbox | What happens | Example |
|---|---|---|
| Cleared | SurfControl Report Central will use report data from the entire date range you specify, beginning at the start time on the start date and ending at the end time on the end date. | Between 9am on day 1 and 5pm on day 3. |
| Selected | SurfControl Report Central will use report data from the time period you specify, for each day between the start and end date. | Between 9am and 5pm on day 1, 9am and 5pm on day 2, etc. |

Exclude Time Range

You can use the Exclude Time Range check box independently of the Use same start and end times per day check box.

Table 8 Exclude Time Range checkbox

| Checkbox | What happens | Example |
|---|---|---|
| Cleared | The report will use data from the time period you specify. | Between 9am and 5pm on day 1. |
| Selected | The report will use any data excluded by the Use same start and end times per day options. | Midnight until 9am and 5pm till 11:59pm on day 1. |
Senders

By default, all senders monitored by SurfControl Filter are included in reports and all new message senders are automatically included, but you can also:

- Include only the senders you specify in the report.
- Exclude the senders you specify from the report.

Specifying senders in a report

Procedure 15: Specifying senders in a report

1. Select the Senders tab.
2. By default, all senders are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.
Including Selected Items

3. Select Include selected items. The Choose Criteria: Senders dialog will display. Note: restricted users cannot change Sender criteria.
4. You can search for senders by entering search criteria in the Search box. Now click Search. By default, the Choose Criteria dialog will return up to 50 senders. If you want to increase the number of results that are shown, increase the number in the Retrieve N Criteria box.
5. You will see the available senders displayed in the Available Criteria box. Select the senders you want to include in the report and click Add.
6. The senders you selected will display in the Selected Criteria box.
7. When you are happy with your selection, click OK. Only the senders you selected will be included in the report.
Excluding Selected Items

8. Select Exclude selected items. The Choose Criteria: Senders dialog will display.
9. Choose which senders you want to exclude by following steps When you are happy with your selection, click OK. The report will include all senders except the ones you specified.

Sender domains

By default, all sender domains are included in the report, but you can also:

- Include only the sender domains you specify in the report.
- Exclude the sender domains you specify from the report.

Procedure 16: Specifying sender domains in a report

1. Select the Sender Domains tab.
2. By default, all sender domains are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.
Including Selected Items

3. Select Include selected items. The Choose Criteria: Sender domains dialog will display.
4. You can search for sender domains by entering search criteria in the Search box. Now click Search. By default, the Choose Criteria dialog will return up to 50 sender domains. If you want to increase the number of results that are shown, increase the number in the Retrieve N Criteria box.
5. You will see the available sender domains displayed in the Available Criteria box. Select the sender domains you want to include in the report and click Add.
6. The sender domains you selected will display in the Selected Criteria box.
7. When you are happy with your selection, click OK. Only the sender domains you selected will be included in the report.

Excluding Selected Items

8. Select Exclude selected items. The Choose Criteria: Sender Domains dialog will display.
9. Choose which sender domains you want to exclude by following steps When you are happy with your selection, click OK. The report will include all sender domains except the ones you specified.
Rules

By default, all rules that have been triggered are included in reports, but you can also:

- Include only the triggered rules you specify in the report.
- Exclude the triggered rules you specify from the report.

Procedure 17: Specifying rules criteria in a report

1. Select the Rules tab.
2. By default, all triggered rules are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Including Selected Items

3. Select Include selected items. The Choose Criteria: Rules dialog will display.
4. You can search for rules by entering search criteria in the Search box. Now click Search. By default, the Choose Criteria dialog will return up to 50 triggered rules. If you want to increase the number of results that are shown, increase the number in the Retrieve N Criteria box.
5. You will see the triggered rules available for selection displayed in the Available Criteria box. Select the sender domains you want to include in the report and click Add.
6. The sender domains you selected will display in the Selected Criteria box.
7. When you are happy with your selection, click OK. Only the triggered rules you specify will be included in the report.
Excluding Selected Items

8. Select Exclude selected items. The Choose Criteria: Rules dialog will display.
9. Choose which triggered rules you want to exclude by following steps When you are happy with your selection, click OK. The report will include all triggered rules except the ones you specified.
Weekday

By default, all available days of the week are included in the report, but you can:

- Include only the weekdays you specify in the report.
- Exclude the weekdays you specify from the report.

Procedure 18: Specifying days of the week in a report

1. Select the Weekday tab.
2. By default, all weekdays are included in the report, but you can also:
   - Include selected items.
   - Exclude selected items.

Including Selected Items

3. Select Include selected items. The Choose Criteria: Weekday dialog will display.
4. You will see the days of the week available for selection displayed in the Available Criteria box. Select the days you want to include in the report and click Add.
5. The days you selected will display in the Selected Criteria box.
6. When you are happy with your selection, click OK. Only the days you specify will be included in the report.

Excluding Selected Items

7. Select Exclude selected items. The Choose Criteria: Weekday dialog will display.
8. Choose which days you want to exclude by following steps When you are happy with your selection, click OK. The report will include all weekdays except the ones you specified.
Recipients

By default, all recipients are included in a report, but you can also:

- Include only the recipients you specify in the report.
- Exclude the recipients you specify from the report.

Procedure 19: Specifying recipients in a report

1. Select the Recipients tab.
2. By default, all recipients are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Including Selected Items

3. Select Include selected items. The Choose Criteria: Recipients dialog will display.
4. You can search for recipients by entering search criteria in the Search box. Now click Search. By default, the Choose Criteria dialog will return up to 50 recipients. If you want to increase the number of results that are shown, increase the number in the Retrieve N Criteria box.
5. You will see the available recipients displayed in the Available Criteria box. Select the recipients you want to include in the report and click Add.
6. The recipients you selected will display in the Selected Criteria box.
7. When you are happy with your selection, click OK. Only the recipients you selected will be included in the report.

Excluding Selected Items

8. Select Exclude selected items. The Choose Criteria: Recipients dialog will display.
9. Choose which recipients you want to exclude by following steps When you are happy with your selection, click OK. The report will include all recipients except the ones you specified.
Recipient domains

By default, all recipient domains are included in the report, but you can also:

- Include only the recipient domains you specify in the report.
- Exclude the recipient domains you specify from the report.

Procedure 20: Specifying recipient domains in a report

1. Select the Recipient Domains tab.
2. By default, all recipient domains are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Including Selected Items

3. Select Include selected items. The Choose Criteria: Recipient Domains dialog will display.
4. You can search for recipient domains by entering search criteria in the Search box. Now click Search. By default, the Choose Criteria dialog will return up to 50 recipient domains. If you want to increase the number of results that are shown, increase the number in the Retrieve N Criteria box.
5. You will see the available recipient domains displayed in the Available Criteria box. Select the recipient domains you want to include in the report and click Add.
6. The recipient domains you selected will display in the Selected Criteria box.
7. When you are happy with your selection, click OK. Only the recipient domains you selected will be included in the report.
Excluding Selected Items

8. Select Exclude selected items. The Choose Criteria: Recipient Domains dialog will display.
9. Choose which recipient domains you want to exclude by following steps When you are happy with your selection, click OK. The report will include all recipient domains except the ones you specified.
Options

The Options tab shows options for the report you are generating. There are two possible options you may see here:

- Exclude Postmaster: use this field to exclude messages to and from the Postmaster account. Enter the address of the Postmaster, e.g.
- Top N Rules: enter how many of the most frequently triggered rules you want to include in the report; for example, enter 10 to include the top 10.

Most reports have one option or the other; some have both. Some reports do not have any options, in which case the tab will not be visible.

Database (Custom reports only)

Once you have saved custom report criteria in the public or private folder, the Database tab will become available. The Database tab shows you which database is being used for reports.

SurfControl recommends that you do not attempt to change databases if reports are potentially being generated from the current one.

Procedure 21: Changing the database used for reports

1. Select the Database tab.
2. Click Change Database. If you have set up any report criteria, these will be lost. You will be asked to confirm that you want to change databases.
3. The Choose Database dialog will appear. Choose the database you want to use for reports. If the database is not listed, use the Configuration Options to add the database. See Connecting to a Different Database on page 24 for instructions on how to do this.
SPECIFYING RUNNING OPTIONS

The Running Options tab controls how your report is produced and where it is saved.

Display Selected Criteria

Note: If you use the default setting of including all criteria, the selected criteria will not be shown, even if you select Display Selected Criteria.

You can choose whether or not the criteria you have chosen for the report will be displayed on the first page. If you choose to do this, the criteria you have excluded will be printed. For example, if you choose to generate a report on senders 1, 2 and 3, the criteria displayed on your report will say:

Excluded senders: sender 4, sender 5, sender 6

Format

You can generate reports in the following formats:

Table 9 Report formats

| Format | Details |
|---|---|
| .csv | Stands for Comma Separated Value, a text format that can be used by spreadsheet and database programs such as Microsoft Excel and Access. |
| .html | You can view the report in HTML format using a web browser. |
| .pdf | Portable Document Format is the default format. You need a reader such as Adobe Acrobat Reader (available as a free download from ) to view PDF documents. |
| .rtf | Rich Text Format is a format that can be viewed in word processors such as MS Word. |
Destination Type

Warning: some programs may not display bar chart reports in html format correctly. To display the report, save all the e-mailed files to the same folder and open them from there. It is better to e-mail bar charts as PDFs.

You can specify how you want a report to display. If you choose to e-mail a report, note that reports are e-mailed in their native format and won't be compressed. If you are unsure about the size of a report to e-mail, save the report to your machine using the Schedule options. You can then check the size of the report before you send it.

Table 10 Destination type options

| Option | Details |
|---|---|
| Show in Browser (default) | Reports in html and pdf format will open automatically in a browser window. The csv and rtf formats will ask whether you want to open the file or save it on your computer. |
| Send by e-mail | The report will be sent as an attachment to the address you specify. |

Procedure 22 describes how to specify running options:

Procedure 22: Specifying running options

1. Select the Running Options tab.
2. If you want to display the report criteria, select Display Selected Criteria.
3. Choose a report format from the list.
4. Choose how you want the report to be displayed, from the Destination Type menu.
5. If you have chosen to send the report as an e-mail, enter an address in the Receiver's Address field. Note: If you send a table report of more than two pages via e-mail, the navigation buttons will work only if the recipient saves the report to a folder on their local machine.
6. Click Run to run the report.
SCHEDULE OPTIONS

You can set up reports to run automatically at the time or date you choose. The Schedule Options tab is used to schedule reports.

Enabling Report Scheduling

To enable report scheduling, select the Schedule Report check box. When you enable report scheduling, two tabs will become available:

- Date / Time
- Save Options

Date/Time

On this tab you can specify the following:

- Time of Day: specify the hour and minute you want to run a report (using the 24 hr clock).
- Daily/Weekly: specify which days of the week you want to run a report. You can run reports every day, once a week or on selected days.
- Monthly: specify a day of the month to run a report, or run a report on the last day of the month. If you select the monthly check box, the Daily/Weekly options are unavailable.

Save Options

When the report you have scheduled is generated, you can automatically save it to your hard drive by specifying save options.

Table 11 Save Options

| Option | Details |
|---|---|
| Format | You can save the report in the following formats: .csv, .html, .pdf, .rtf. See Format on page 365 for information about each format. |
| Destination type | Save on Hard drive: the report will be saved to your computer's hard drive. This is useful if you want to check the size of the file before e-mailing it. Sent by e-mail: the report will be sent as an attachment to the address you specify. |
GENERATING REPORTS

Note: You can check the size of a report by printing it to file; see Save Options on page 367. You can then view the report without having to print it out, or print only selected pages.

Once you have set up your criteria, you are ready to generate the report.

Managing large reports

Some reports will generate extremely large volumes of data, especially in large organizations with heavy traffic. Reports that run to many thousands of pages can slow down Report Central, and are also unwieldy to print and view. The reports in Table 9 are likely to generate high volumes of data.

Table 12 High-volume reports

| Report type | Report name |
|---|---|
| Rules reports | Rules by date; Rules by sender summary; Rules by sender detail; Rules by sender showing recipient |
| Traffic statistics reports | Messages by size |

If the report contains more than 20,000 records, you will see the following message at the top of your report:

This report shows only the first 20,000 records from a total of x records. Limiting the report criteria will show more records.

Where x is the total number of records available.

To show more records, limit the report criteria; for example, reduce the number of senders.

When you have set up your report, click Run. Alternatively, if you want to return all the report options to their default settings, click Revert to Default.
SAVING REPORTS

When you have set up your report, you can save a copy to your hard drive. There are two ways you can save a report:

- Save the report to a public folder.
- Save the report to a private folder.

See Setting up Users on page 18 for more information about folders and permissions. Procedure 10 shows how to save a report.

Note: If you change a report from the public folder, save it with a different name to make sure that you do not overwrite another user's report.

PUBLIC FOLDER

Any user can see report criteria that have been saved in the public folder. They can also modify the report criteria that were saved and overwrite them by saving the report criteria with the same name.

PRIVATE FOLDER

Reports saved to the private folder can be viewed only by the user who created them.

To save a report, follow procedure 23.

Procedure 23: Saving a report

1. Set up the report using the criteria and options you want.
2. When you are happy with the report, click Save As. The Save Report dialog will open.
3. Select the folder you want to save the report into.
4. In the Report Name field, give your report a name.
5. Click Save. The Completed Reports tab will appear on the dialog.
SUB-FOLDERS

You can organize reports in the public or private folders by creating sub-folders.

Procedure 24: Creating sub-folders

1. Click on Public or Private reports, as appropriate. The New Folder button will become available.
2. Click New Folder. Enter the name of the new folder in the dialog that displays. The name of the folder must not be longer than 50 characters.
   Note: The total number of characters used in the filename of a sub-folder and any folders beneath it cannot exceed 110 characters. For example:
   - File abc123 = 6 characters
   - File abcd1234 = 8 characters
   - File abcde12345 = 10 characters
   - Total = 24 characters
3. Click OK to confirm your choice. You will see the new folder in the left-hand pane of the work area.

To delete a folder, highlight it and click Delete. You cannot delete the top-level Public or Private folders.

COMPLETED REPORTS

Note: only reports that have been saved into the public or private folders are displayed in the Completed Reports tab. Reports sent as e-mail are not displayed there.

When you have saved a report to the public or private folders, a new tab, Completed Reports, will be added to the dialog. This tab shows which reports have been generated.
Chapter 11 Remote Administration

- In This Chapter
- Administration Client
- Web Administrator
- Launching Web Administrator
- Dictionary Management
- Viewing Logs Remotely
IN THIS CHAPTER

This chapter explains how to manage your organization's e-mail from a remote computer. There are two kinds of remote administration:

- Using the Administration Client
- Using the Web Administrator

ADMINISTRATION CLIENT

The Filter Administration Client gives you remote access to one or more of the following Filter components:

- Message Administrator
- Rules Administrator
- Monitor (Including Server Configuration)
- Dictionary Management

You can also:

- Configure Administrators
- View Logs

To use the Administration Client, you need to install it on the remote computer. See the SurfControl Filter Installation Guide for instructions. You can choose which filter components you want to install.

You then need to set up remote users and specify their access permissions. See Configuring Administrators on page 81 and Queue Management on page 56.

Authorized users can then use the available Filter components from the remote computer in the same way as on the filter server.
WEB ADMINISTRATOR

The Web Administrator enables you to access the following Filter functions from a remote computer:

- Message Administrator
- Dictionary Management

You can also view the rules, traffic and system logs.

LAUNCHING WEB ADMINISTRATOR

LAUNCHING WEB ADMINISTRATOR LOCALLY

You can launch the Web Administrator locally from the Filter Server. From the Start menu select Programs > SurfControl Filter > SurfControl Web Administrator.
LAUNCHING WEB ADMINISTRATOR FROM A REMOTE LOCATION

Before you can use Web Administrator remotely, you need to set up Administrators in the Server Configuration console. The Administrator's permission settings must include Message Administration, otherwise they will not be allowed to use Web Administrator. See Configuring Administrators on page 81.

Enter the following address into your internet browser:

IP address of your SurfControl Filter server>:<the standard port number>/index.htm.

For example, to access an installation on a server with an IP address of and a standard port of 82 specified during installation, the URL would be:

The Login screen will display:

Figure 1 Web Administrator Login Screen

Enter your username and password.
Once you have logged in, the Web Administrator start screen will display in your browser window:

Figure 2 Web Administrator Start Screen
MESSAGE ADMINISTRATOR

You can use the Message Administrator link to work with queues and logs. The Message Administrator screen looks like this:

Figure 3 Message Administration Functions. Callouts on the figure:

- Click on the queue you want to work with
- Choose the actions to apply to
- Click on the log you want to view
- The Message List, Logs or dictionaries display here. You can also manage the dictionaries.

Sorting Messages

To sort the list, click on the column heading you want to use for sorting. For example, clicking on Subject once will sort the list by subject in descending order. Click the column heading again to reverse the sort order.
Moving, Releasing and Deleting Messages

You can Move, Release or Delete any or all of the messages on the list:

Procedure 1: Moving, Releasing or Deleting Messages

1. Select which messages you want to work with by checking the checkboxes next to them. Alternatively, select all the messages on the list by checking the Select All box.
2. Choose which action you want to apply to the messages from the Action list. You can:
   - Release the selected messages. This will move them into the Send queue, allowing them to move on to their destination.
   - Delete the selected messages. This will irrevocably delete the messages.
   - Move the selected messages to another queue. Each queue is listed separately.
3. When you have chosen your action, click the button next to the Action list to carry it out.
Viewing Individual Messages and Their Properties

Click on a message to view more information about it:

Figure 4 Message Properties. Callouts on the figure:

- Actions: a list of the actions you can perform on the message.
- File area: displays the message filename, the address it was sent from and the date it was received.
- Rule log information: brief information from the rule log, such as the name of the rule triggered and the action taken.
- Message Contents: if Document Decomposition is enabled, you can view the component parts of the message here.
- Message Header

The actions area shows the actions you can perform on the message. These are the same as actions you would perform in Message Administrator.

Table 1 Message Actions

| Action | Description |
|---|---|
| Release | Place the message in the Send queue so that it can proceed to its destination. |
| Send Reply | Send a reply to the sender of the message. An e-mail form will open for you to type your message. You can either enter the message text manually, or use a pre-set message. |
| Forward Copy | Forward a copy of the message to another user. You can enter an address in the To: field as well as using the check boxes to send the message to: the message sender, the message recipient, the systems administrator. |
| Submit | Report the message to SurfControl as Spam. SurfControl will analyze the message and any attachments for inclusion in the Anti-Spam Agent signature file. |
| Delete | Delete the message. You will be asked to confirm your choice before the message is deleted. |
| Delay | Move the message into the delay queue. You will be asked to confirm your choice before the message is delayed. |
ANALYZING MESSAGES

You can use the analyze function via Web Administrator to analyze messages, whether or not they have triggered a rule:

Procedure 2: Analyzing Messages with Web Administrator

1. Click on Analyze. The Analyze page will display.
2. Select the dictionary that you want to use to analyze the message.
3. The Analyze screen displays:
   - The words from the message that appear in the selected dictionary.
   - The message part in which the words occur.
   - The value assigned to each word.
   - The number of these words found.
   - The individual word scores.
   - The total word score.
4. From the Message Part drop-down list, you can select which parts of the message you wish to scan. You can scan:
   - The entire message
   - The message header
   - The message body
   - The message attachments
5. From the Scoring drop-down list, select either:
   - Threshold Total: If the e-mail is in a multipart alternative format, you can display only the words from the part that scored highest.
   - Grand Total: Display the dictionary scoring words from all selected parts of a message. In the case of multi-part alternative messages, identical dictionary scoring words from alternative parts will have a cumulative effect on the final score for the selected dictionary.
6. Click OK to return to the message list.
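The difference between the two Scoring options in step 5, shown as an added example that is not SurfControl's code: it scores each part of a constructed multipart/alternative message against a constructed dictionary and returns both totals. The dictionary contents, the whole-word case-insensitive matching, the HTML tag stripping and the function names are assumptions, since this guide does not describe the product's own tokenizer.

```python
import re
from email import message_from_string

# Constructed dictionary: word -> value (an assumption, not a SurfControl dictionary).
DICTIONARY = {"confidential": 10, "itinerary": 5, "passport": 8}

# Constructed multipart/alternative message: the same content as plain text and HTML.
SAMPLE = """\
From: alice@example.com
To: bob@example.org
Subject: Trip details
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Confidential itinerary attached. Bring your passport.
--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body><p><b>Confidential</b> itinerary attached.</p>
<p>Bring your passport. This is confidential.</p></body></html>
--BOUND--
"""


def score_text(text, dictionary):
    """Return {word: (hits, value, hits * value)} for dictionary words in text."""
    # Assumed matching: case-insensitive, whole words only.
    tokens = re.findall(r"[a-z0-9']+", text.lower())
    found = {}
    for word, value in dictionary.items():
        hits = tokens.count(word)
        if hits:
            found[word] = (hits, value, hits * value)
    return found


def part_text(part):
    """Decode one leaf MIME part to text; strip tags from HTML (assumed behaviour)."""
    raw = part.get_payload(decode=True) or b""
    text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    if part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return text


def analyze(raw_message, dictionary):
    """Score every text part; return (per_part, threshold_total, grand_total).

    per_part is a list of (content_type, found_words, part_score).
    threshold_total is the score of the highest-scoring part only.
    grand_total adds all parts, so a word repeated in the plain-text and
    HTML alternatives is counted once per part.
    """
    msg = message_from_string(raw_message)
    per_part = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue  # skip the container and any non-text attachments
        found = score_text(part_text(part), dictionary)
        part_score = sum(score for _, _, score in found.values())
        per_part.append((part.get_content_type(), found, part_score))
    threshold_total = max((score for _, _, score in per_part), default=0)
    grand_total = sum(score for _, _, score in per_part)
    return per_part, threshold_total, grand_total


if __name__ == "__main__":
    parts, threshold_total, grand_total = analyze(SAMPLE, DICTIONARY)
    for content_type, found, part_score in parts:
        print(content_type, found, part_score)
    print("Threshold Total:", threshold_total)
    print("Grand Total:", grand_total)
```

Because the plain-text and HTML alternatives carry nearly the same words, the grand total is close to double the score of either part on its own, which is worth keeping in mind when choosing dictionary values.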
DICTIONARY MANAGEMENT

You can create and edit dictionaries from a remote location using the Dictionary Management functions in Web Administrator.

Click on the Dictionary Management link to launch the Dictionary Management screen:

Figure 5 Dictionary Management screen
ADDING A DICTIONARY

Follow Procedure 3 to add a dictionary via remote administration:

Procedure 3: Adding a Dictionary

1. Click the Dictionary Management link.
2. Click the Add New Dictionary link. The Add Dictionary screen will display.
3. In the Name field, enter the name of the new dictionary.
4. In the Comment field, enter a description of your dictionary.
5. If you want to show a warning message, enter it in the Warning Message box and select Show Warning.
6. Click OK.
7. Click Commit Dictionary Changes to implement your changes.

You will see your new dictionary added to the list. You can now add words and scores to it.
ADDING WORDS TO A DICTIONARY

Once you have created a dictionary, you can add words to it:

Procedure 4: Adding Words to a Dictionary

1. Click on the Dictionary Management link to display the Dictionaries list.
2. Click on the dictionary you want to add words to. The list of words in the dictionary, and their scores, will display.
3. Click Add Word. The Add Word screen will display.
4. Enter the word you want to add to the dictionary, and give it a value.
5. Click OK. You will see the word and its value displayed in the dictionary.
6. Click Commit Dictionary Changes to implement your changes.
VIEWING LOGS REMOTELY

You can view the following logs from a remote location:

- Traffic Log
- System Log
- Rules Log

Click on the link you want to view. The log will display in your browser window.
Chapter 12 Performance Monitoring

- In This Chapter
- Windows Performance Monitoring
IN THIS CHAPTER

This chapter explains how to use performance monitoring to see statistics on how your system is performing and the volume of mail being processed.
WINDOWS PERFORMANCE MONITORING

You can use the Microsoft Windows Performance Monitoring tool to show the performance of your system and display statistics on the volume of messages being processed.

Procedure 1: Launching the Windows Performance Tool

1. From the Start menu, select Settings > Control Panel.
2. The Control Panel will display. Select Administrative Tools.
3. The Administrative Tools window will display. Select Performance.
4. The Performance console will display. In the right hand pane of the console, right click to launch the shortcut menu.
5. Select Add Counters to display the Add Counters dialog.
6. Select the computer where SurfControl Filter is installed, to count the number of e-mails processed by that machine.
7. Select SurfControl Filter from the Performance Object drop-down list. A list of counters will display. These counters monitor different aspects of your system's performance, for example connections per second.
8. Select which aspects of your system's performance you want to monitor. To read a description of each counter, highlight it and click Explain. A box will display with a brief explanation of what the counter does. Choose from the list on the next page, or select All Counters.
9. Click Add to add your chosen counters to the Performance tool. They will appear in the lower right hand panel of the display.

To find out more about Performance, consult your Windows Help and documentation.
Chapter 13: Virtual Learning Agent

- In This Chapter
- Workflow
- Before You Begin
- VLA Tutorial
- Counter Category
- Trivial Words
IN THIS CHAPTER

The VLA is a powerful tool that you can train to recognize specific types of content you want to filter, for example, confidential documents specific to your organization. This chapter explains how to set up the VLA so you can use the VLA Object in rules.

The example used throughout this chapter is the creation of a category called Confidential Travel. All the material you need to create this category is supplied in the SurfControl Filter\Resources\VLA Examples folder.

WORKFLOW

Before you can use the VLA Object to construct rules, you need to set up the VLA so that it recognizes the kind of content you want to detect. The VLA wizard automatically works through the setup process using the information and materials you supply.

The VLA wizard works through the following steps:

- Add a category name and description.
- Add documents to the category.
- Add documents to the counter category.
- Train the VLA.
- Test the VLA using additional documents.
BEFORE YOU BEGIN

Before you start creating a VLA category, you should gather the following materials:

Training Documents

The VLA uses training documents to learn about the content in your category. You will need:

- messages or documents that contain content that describes the category you want to create
- messages or documents that contain content that does not describe the new category. These will be added to the counter category.

Testing Documents

Once you have trained the VLA, you need to test it to check that it can identify content from your category accurately enough to be used in rules. You will need:

- additional category documents or messages that can be used to test the VLA to check that it can correctly identify content belonging to the category
- additional counter category documents or messages.

If you are following the VLA tutorial to create the sample category Confidential Travel, all the files you need are supplied with the product.

STARTING THE VLA TRAINING WIZARD

From the Start menu, select Programs > SurfControl Filter > Virtual Learning Agent.

VLA TUTORIAL

To help you learn to use the Wizard, SurfControl provides documents you can use to create a sample category called Confidential Travel. When you installed Filter, these files were placed in the following folder:

SurfControl Filter\Resources\VLA Examples
Procedure 1: VLA Tutorial

1. Launch the VLA. The Welcome screen will display. Because you haven't created any categories yet, you won't see anything in the Trained Category box.
2. Click Next to move to the next screen. The next screen shows the categories available. Again, you won't see any categories listed yet.
3. Click Add to start the Category Wizard that you will use to define the sample Confidential Travel category.
Define the Category Name and Description

1. The Category Wizard asks you to define a category name and description. Use this information to fill in the text boxes:
   Category Name = Confidential Travel
   Description = Sample SurfControl VLA Category
   Click Next to continue.

Add Category Training Files

2. Here's where you select the first group of positive documents or messages that define the content of the Confidential Travel category. Click Add to start the file selection. The Add Files dialog will open. Navigate to SurfControl Filter\Resources\VLA Examples\Confidential Travel Training
3. Change the Files of Type to All Files (*.*) and then select all message files in the folder.
   Note: If you have trouble adding files, close the Add Files dialog, then reopen it and try adding the files again.
4. Click Open to return to the Add Training Files screen. You now see the files you added in the Add Training Files screen.
5. Click Next to move on.
Choose Keywords

1. After a few seconds of processing, you will see the Choose Keywords screen. This is where you choose the words that will help to identify content belonging to the new category.
2. From the left hand pane, select the keywords listed in Table 1 (Sample Category Keywords). Click Add. You will see your chosen words move to the right hand pane of the dialog. When you have selected your keywords, click Next.

Add Testing Files

1. Now add the files that the VLA will use to test itself. These test files are different from the training files but should contain similar content. Click Add to open the Add Files window, and navigate to the Confidential Travel Test folder.
2. Change Files of Type to All Files (*.*). You will see all the files in the folder.
3. Select all the files and click Open.
4. You will see all the testing files displayed in the Add Testing Files window.
5. Click Next.
6. The Wizard now returns you to the Configure VLA Categories screen. You now see the Confidential Travel category listed.

Define Counter Examples

1. Now that you have defined the positive examples of the new category, you can start defining the counter-examples (content that is definitely NOT a match for the new category).
2. Click Next. The Define Counter Categories screen will display.
3. Click Configure to launch the VLA Counter Category Wizard.
4. Click Next. The Add Counter-Category Training Files screen will display.
5. Click Add. The Add Files dialog will open. Navigate to the Non-Travel Training folder, then select All Files (*.*). Select all the files in the folder and click Open. You will see all the counter category training files you added displayed in the
6. Click Next. The Choose Counter-Categories Keywords screen will display. This is where you choose keywords that are NOT representative of your category. Select the counter category keywords listed in Table 2 (Sample Counter Category Keywords).
Add Counter Category Testing Files

1. Click Next. The Add Counter Category Testing Files screen will display. Click Add to launch the Add Files dialog. Navigate to SurfControl Filter\Resources\VLA Examples\Non Travel Test and select all the files in the folder. Click Open. You will see the testing files listed on the Add Counter Categories Testing Files screen.
2. Click Next.

Train the VLA

1. A message box will ask you to confirm that you want to save your category and counter category, and proceed with training the VLA. Click OK. You will see the VLA training screen, showing progress bars for training files processed.
2. When the training process is finished, a message box will display. Click OK to close it.

Test the VLA

1. You now need to test the VLA to ensure that it is accurate enough to use in rules. Click Next to start testing the VLA.
2. The Testing screen will show the progress of the testing process.
3. When the progress bar shows 100%, click Next.
4. The Testing Files Results screen shows how many testing files the VLA has categorized as correctly belonging to the new category. Correctly categorized files are marked with a green check. Wrongly categorized files are marked with a red exclamation point. Click Next.
5. The VLA Training Completed screen will display the accuracy score of the category and the counter category. See Table 3 (VLA Accuracy) for an explanation of the accuracy score. If you are happy with the accuracy of the VLA, click Finish.
6. If you launch the Rules Administrator and open the Virtual Learning Agent Object, you will see that the Confidential Travel category is available for you to select.
TRAINING FILE KEYWORDS

If you are creating the sample category, Confidential Travel, you should choose the keywords listed below for the category and the counter category.

Table 1 Sample Category Keywords

accommodation  carriage      fares          seat          stansted
air            conditions    flight         passenger     terminal
airfare        confirmation  flights        passengers    ticket
airline        connect       hotel          photo         tickets
airlines       deals         hotels         receipt       transfer
airport        departure     international  refund        travel
baggage        destinations  london         reservation   traveladge
banners        domestic      miles          reservations  trip
board          europe        navigant       room          vacation
boarding       expedia       nights         ryanair       valid
boeing         fare          open           seattle       world

Table 2 Sample Counter Category Keywords

account    individual  phone       terms
agent      investment  plain       training
apply      job         plugin      unknown
checked    letters     product     users
columbia   manager     products    virtual
connect    manutd      resources   terms
cost       news        rules       virus
customer   newsletter  salary      checked
database   number      security    ware
days       original    server      work
filtering  path        software    writer
following  permanent   technology  years
VLA Accuracy

The VLA trains itself by categorizing the testing files and measuring how many of the files it categorized correctly as belonging to the new category. It then displays a percentage score that you can use to determine whether the VLA has been trained enough to be incorporated into rules. Table 3 explains how you should interpret the VLA accuracy score.

Table 3 VLA Accuracy

Score: 85% or higher
What it means: An accuracy rating of 85% or higher means the VLA object will usually correctly identify messages and documents in this category. You can confidently build rules with the Virtual Learning Agent object using this category.

Score: 65% to 85%
What it means: Accuracy between 65% and 85% is acceptable, but you may want to take the following steps to increase accuracy:
- Select additional training documents.
- Review all keywords.

Score: Less than 65%
What it means: The VLA is not accurate enough to be used in rules. You should retrain the VLA until you get a higher rating for the category. To increase the VLA's accuracy:
- Review your training files to make sure they accurately represent the category.
- Review the counter category training files to make sure they do not represent the category.
- Review the keywords you have chosen from the categories and counter categories.

COUNTER CATEGORY

When you create a new category, it is important that you review the Counter Category. This is because the VLA uses only one counter category as the counter example to all the categories. For example, if you created the following categories:

- Financial Information
- Staff Personal Data
- Marketing Planning

you would have to ensure that the counter category's material didn't contain any material representative of any of those categories.
TRIVIAL WORDS

Some words occur in documents of all types and categories and therefore cannot be used by the VLA to evaluate whether an e-mail belongs to a category or not. These words are called trivial words. The VLA has a pre-defined list of common trivial words, such as and, but, because, etc., that do not appear in the word lists. You can add further trivial words to this list when you choose keywords or counter category keywords:

Procedure 2: Adding Trivial Words to the VLA

1. From either of the Keyword screens, click Trivial Words.
2. Select the words you don't want to be included in the word lists.
3. Click Exclude. The words will disappear from the word lists, and will not be shown in future word lists when you configure other categories.
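The interplay of category keywords, the single shared counter category, trivial words and the Table 3 accuracy bands can be sketched with a toy keyword-vote classifier. This is an added example, not SurfControl's code: the guide does not describe the VLA's algorithm, so the voting rule, the Financial Information keywords, most of the trivial-word list and every test sentence below are assumptions constructed for illustration.

```python
import re

# Subsets of the guide's Table 1 and Table 2 keyword lists (the tables list more).
TRAVEL_KEYWORDS = {"airfare", "airline", "airport", "baggage", "boarding", "connect",
                   "fare", "flight", "hotel", "passenger", "reservation", "ticket",
                   "travel", "trip"}
COUNTER_KEYWORDS = {"account", "agent", "connect", "customer", "database",
                    "investment", "manager", "newsletter", "salary", "security",
                    "server", "software", "training", "virus"}
# Hypothetical keywords for a second category, "Financial Information".
FINANCIAL_KEYWORDS = {"account", "dividend", "investment", "portfolio", "salary"}
# "and", "but", "because" are the guide's examples; the rest are assumed.
TRIVIAL_WORDS = {"and", "but", "because", "the", "a", "to", "of", "is"}

# Constructed test documents (not the files shipped with the product).
TRAVEL_TEST = [
    "Flight reservation confirmed: hotel and airport transfer included in the ticket fare.",
    "Passenger baggage must be checked before boarding at the airport.",
    "Please connect with the travel agent about your trip.",
    "The account manager will connect you to the security agent for the trip.",
]
COUNTER_TEST = [
    "The database server needs a security software update.",
    "Salary review with your manager is part of the training newsletter.",
    "Virus found on customer account.",
    "Lunch is at noon on Friday.",
]
FINANCIAL_TEST = [
    "Investment account statement with salary figures.",
    "Portfolio dividend and investment summary for the account.",
    "Salary paid into the account by the manager.",
]


def tokens(text):
    """Lower-case words with trivial words removed."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in TRIVIAL_WORDS]


def classify(text, category, counter):
    """Toy keyword vote: 'category' only if category hits outnumber counter hits."""
    words = tokens(text)
    pos = sum(w in category for w in words)
    neg = sum(w in counter for w in words)
    return "category" if pos > neg else "counter"


def accuracy(docs, expected, category, counter):
    """Percentage of test documents that receive the expected label."""
    correct = sum(classify(d, category, counter) == expected for d in docs)
    return 100.0 * correct / len(docs)


def interpret(score):
    """Map a percentage onto the three bands of Table 3."""
    if score >= 85:
        return "build rules"
    if score >= 65:
        return "acceptable"
    return "retrain"


def demo():
    """Score the travel category, then show a contaminated shared counter category."""
    cleaned = COUNTER_KEYWORDS - FINANCIAL_KEYWORDS
    return {
        # Keywords present in both lists cancel out in the vote.
        "overlap": sorted(TRAVEL_KEYWORDS & COUNTER_KEYWORDS),
        "travel": accuracy(TRAVEL_TEST, "category", TRAVEL_KEYWORDS, COUNTER_KEYWORDS),
        "counter": accuracy(COUNTER_TEST, "counter", TRAVEL_KEYWORDS, COUNTER_KEYWORDS),
        # The counter category still holds finance-like keywords here.
        "financial_shared": accuracy(FINANCIAL_TEST, "category",
                                     FINANCIAL_KEYWORDS, COUNTER_KEYWORDS),
        # Same test set after removing that material from the counter category.
        "financial_cleaned": accuracy(FINANCIAL_TEST, "category",
                                      FINANCIAL_KEYWORDS, cleaned),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        band = interpret(value) if isinstance(value, float) else ""
        print(f"{name}: {value} {band}")
```

The word "connect" appears in both Table 1 and Table 2, and the counter keywords "account", "investment" and "salary" would undercut a finance category in the same way, which is why the counter category has to be reviewed each time a category is added.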
Chapter 14: Database Tools

- In This Chapter
- Launching Database Tools
- Configuration Database
  - Backing up the Configuration Database
  - Restoring the Configuration Database
- Log Database
  - Creating a New Log Database
  - Archiving the Log Database
  - Restoring an Archived Log Database
  - Deleting a Log Database
  - Truncating the Log Database Transaction Log
- SQL User Management
  - Creating a New SQL User Account
  - Changing the Password on a SQL User Account
  - Deleting a SQL / MSDE Account
  - Managing Database Authentication
IN THIS CHAPTER

This chapter will explain how to use the Database Tools to manage the Filter databases. There are three Database Tools:

- Configuration Database Management
- Log Database Management
- SQL User Management

Each of these tools has a wizard that guides you through the process step-by-step.

LAUNCHING DATABASE TOOLS

From the Start menu, select Programs > SurfControl Filter > Database Tools.

Figure 1 Launching Database Tools

From the Database Tools menu, select the tool you want to launch. Choose from:

- Configuration Database Management
- Log Database Management
- SQL User Management

A wizard will display to guide you through your chosen option.
CONFIGURATION DATABASE

The Configuration database stores the details of Filter's server setup and configuration options. You can use the Configuration Database Management tool to:

- Back up the configuration database.
- Restore a previously backed up database.

BACKING UP THE CONFIGURATION DATABASE

It is useful to make a backup of your Filter system configuration so that:

- You can replicate the same configuration on each Filter server in your organization.
- You can restore your configuration if for any reason you need to reinstall Filter.

To back up the Configuration database, follow procedure 1:

Procedure 1: Backing up the Configuration Database

1. From the Start menu, select Programs > SurfControl Filter > Database Tools > Configuration Database Management. The Configuration Database Wizard will launch.
2. From the welcome screen, select backup database to a file.
3. The SQL / MSDE Server details screen will display. Specify the server where the database you want to back up is located.
   - To connect to the server via a trusted connection, keep the Use trusted connection box checked.
   - To connect to the server using the username and password you specify, clear the Use trusted connection box and enter the username and password.
4. Click Next. The Configuration Database Backup Details will display. From the drop down menu, select the database you want to back up. By default this is STEMConfig. Now enter the path where you want the backup file to be saved. By default the path is:
   Program files\surfcontrol Filter\Database\STEMConfig.bak
   Alternatively, you can Browse to a different file location. Click Next.
5. A summary screen will display showing the options you have chosen. If you are happy with these choices, click Next. To return to the previous screen, click Back.
6. The Database Wizard will begin to back up the configuration database.
7. When the backup is finished you will see a confirmation screen. Click Finish.
RESTORING THE CONFIGURATION DATABASE

You can restore a previous backup file to the configuration database. If you do this, your current configuration settings will be replaced by the ones specified in the backup file. Follow procedure 2:

Procedure 2: Restoring the Configuration Database

1. From the Start menu, select Programs > SurfControl Filter > Database Tools > Configuration Database Management. The Configuration Database Wizard will launch.
2. Choose Restore Database from a File. Click Next.
3. The Restore Details screen will display. Select the backup file you want to restore. By default this is the most recent backup file you created. Now select the database you want to restore. By default this is STEMConfig.
4. Click Next. The Restore Summary screen will display. Once you are ready to restore the database, click Next.
5. Once the database has been restored, you will need to stop and re-start the Filter services.
   - If you want to re-start the Filter services immediately after the database has been restored, select: Restart Filter Services Now
   - If you want to re-start the Filter services manually later on, select: Restart Filter Services Later
LOG DATABASE

The log database records details of e-mails passing through Filter, and the actions that Filter takes on e-mails that trigger rules. You can use the Log Database Management tool to:

- Create a new log database
- Back up the log database
- Restore a log database backup file
- Delete a log database
- Truncate the log database transaction log.
CREATING A NEW LOG DATABASE

To create a new log database, follow procedure 3:

Procedure 3: Creating a new log database

1. From the Start menu, select Programs > SurfControl Filter > Database Tools > Log Database. The database wizard will launch.
2. Select Create a new log database. Select the server where the database is running from the list. You can connect to the server using:
   - A trusted connection
   - The username and password you supply.
3. Click Next. The MSDE / SQL Server Details dialog will display.
4. Give the new database you are creating a name and a DSN name. These must be different from the name and DSN name of your existing database.
   - To use the default file location, keep the Use default file location box checked. Proceed to step 5.
   - To specify file locations, clear the checkbox and proceed to step 6.
5. Click Next. If you selected the default file locations, you will see a summary of your database creation options. If you are happy with your selection, click Next.
6. If you cleared the Use default file locations box in step 4, enter the file name and location for:
   - The database file
   - The transaction log file.
7. You will see a confirmation screen when the new log database has been created.
8. Click Finish.
ARCHIVING THE LOG DATABASE

To archive the log database to a file, follow Procedure 4:

Procedure 4: Archiving the Log Database

1. From the Start menu, select Programs > SurfControl Filter > Database Tools > Log Database. The database wizard will launch. Select Archive the log database to a file.
2. The MSDE / SQL Server Details dialog will display. Select the server where the log database is running from the list. You can connect to the server using:
   - A trusted connection
   - The username and password you supply.
3. Click Next.
4. Select the log database you want to archive. Browse to the location where you want the archive file to be stored. Click Next.
5. Click Next. You will see a summary of the options you have selected. If you are happy with your selection, click Next.
6. You will see a confirmation screen when the log database has been successfully archived.
7. Click Finish.
RESTORING AN ARCHIVED LOG DATABASE

To restore a database you have previously backed up, follow procedure 5:

Procedure 5: Restoring an Archived Log Database

1. From the Start menu, select Programs > SurfControl Filter > Database Tools > Log Database. The database wizard will launch.
2. Select Restore Archived Log Data to a Database. Select the server where the log database is running from the list. You can connect to the server using:
   - A trusted connection
   - The username and password you supply.
3. Click Next. The MSDE / SQL Server Details dialog will display.
4. Browse to the log file you want to restore. Select the database you want to restore the archived data to.
   - If you want to restore the archived file to the file location specified in the archive file, select the Use original file location checkbox. Proceed to step 6.
   - To specify the file location that the archived file will be restored to, clear the Use original file location checkbox. Proceed to step 5.
5. If you cleared the Use Original File Locations checkbox in step 4, specify:
   - The file location that the archived file will be restored to.
   - The file location of the transaction log.
   Note: If you are restoring a large database, make sure you specify a location that has enough disk space to hold the restored database.
   Now proceed to step 6.
6. Click Next. You will see a summary of the options you have selected. If you are happy with your selection, click Next.
7. You will see a confirmation screen when the archived data has been successfully restored to the database. Once the archived data has been restored, you will need to stop and re-start the Filter services.
   - If you want to re-start the Filter services immediately after the database has been restored, select: Restart Filter Services Now
   - If you want to re-start the Filter services manually later on, select: Restart Filter Services Later
8. Click Finish.
DELETING A LOG DATABASE

To delete a log database, follow procedure 6:

Procedure 6: Deleting a Log Database

1. From the Start menu, select Programs > SurfControl Filter > Database Tools > Log Database. The database wizard will launch.
2. Select Delete an Existing Log Database.
3. Click Next. Now select the database you want to delete. Click Next.
4. You will see a summary screen showing which database you have chosen to delete. To continue, click Next.
5. You will see a confirmation screen when the database has been deleted. Click Finish.
TRUNCATING THE LOG DATABASE TRANSACTION LOG

The Log Database's transaction log can grow very quickly, which can affect performance. To prevent this happening, you can truncate it. To truncate the Log Database transaction log, follow procedure 7:

Procedure 7: Truncating the Log Database Transaction Log

1. From the Start menu, select Programs > SurfControl Filter > Database Tools > Log Database. The database wizard will launch.
2. Select Truncate the log database transaction log. Click Next.
3. Select the database whose transaction log you want to truncate. By default this is STEMLog.
4. You will see a summary screen. If you are ready to begin truncating the transaction log, click Next.
5. The Database Wizard will begin the process.
6. When the transaction log has been truncated successfully, you will see a confirmation message. Click Finish.
SQL USER MANAGEMENT

Filter must be able to read and write to the logging and configuration databases. To access these databases it uses SQL User Accounts. The SQL User Management Tool enables you to set up and manage these accounts. To manage the SQL / MSDE User account used by Filter, you can:

- Create a new SQL user account
- Change the password on a SQL user account
- Delete a SQL user account

CREATING A NEW SQL USER ACCOUNT

To create a new account, follow procedure 8:

Procedure 8: Creating a New SQL User Account

7. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management welcome screen will display. Select Manage an MSDE / SQL Server User Account. Click Next.
8. From the options that display, select Create a SQL User account. Click Next.
9. The MSDE / SQL Server Details screen will display. Specify the Server where the database for which you want to create an account is located.
   - If you want to connect to the server via a trusted connection, check the Use Trusted Connection box.
   - If you want to connect to the server using a specified username and password, uncheck the Use Trusted Connection box and enter the username and password you want to use.
10. The Create a SQL User Account screen will display. Enter the following information in the fields:
   - The username for the new account
   - The password for the new account.
   Confirm the password and click Next.
11. A summary screen will display showing your choices. If you are happy with the new user account, click Next.
12. The Database Wizard will begin creating the new account.
13. When the Database Wizard has created the new account, you will see a confirmation message.
CHANGING THE PASSWORD ON A SQL USER ACCOUNT

You can change the password of any of the user accounts you have set up. Follow procedure 9:

Procedure 9: Changing the Password on a SQL User Account

1. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management welcome screen will display. Select Manage an MSDE / SQL Server User Account. Click Next.
2. From the options that display, select Change Password for a SQL User Account. Click Next.
3. The MSDE / SQL Server Details screen will display. Specify the Server where the database is located.
   - If you want to connect to the server via a trusted connection, check the Use Trusted Connection box.
   - If you want to connect to the server using a specified username and password, uncheck the Use Trusted Connection box and enter the username and password you want to use.
   Click Next.
4. Enter the following details:
   - The username of the account whose password you want to change.
   - The old password for that account.
   - The new password for that account.
   Confirm the new password and click Next.
5. A summary screen will display showing your choices. If you are happy with the settings, click Next.
6. The Database Wizard will begin changing the password.
7. Once the Database Wizard has changed the password you will see a confirmation screen.
DELETING A SQL / MSDE ACCOUNT

To delete a SQL / MSDE user account, follow procedure 10:

Procedure 10: Deleting a SQL / MSDE Account

1. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management welcome screen will display. Select Manage an MSDE / SQL Server User Account. Click Next.
2. From the options that display, select Delete a SQL user account. Click Next.
3. The MSDE / SQL Server Details screen will display. Specify the Server where the database is located.
   - If you want to connect to the server via a trusted connection, check the Use Trusted Connection box.
   - If you want to connect to the server using a specified username and password, uncheck the Use Trusted Connection box and enter the username and password you want to use.
   Click Next.
4. Enter the username and password of the account you want to delete. Click Next.
5. A summary screen will display your choices. If you are happy with them, click Next to delete the account.
6. The Database Wizard will begin deleting the account.
7. When the account has been deleted successfully you will see a confirmation screen. Click Finish.
MANAGING DATABASE AUTHENTICATION

The Database Authentication settings control how Filter connects to the database. Filter can connect to the database using:

- SQL Authentication
- NT Authentication

Warning: You cannot set up SQL or NT authentication from a remote computer.

To use SQL Authentication, follow procedure 11:

Procedure 11: Setting up SQL Authentication

1. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management welcome screen will display. Select Manage Database Authentication. Click Next.
2. From the options that display, choose SQL Authentication. Click Next.
3. Enter the username and password of the account that Filter will use to connect to the database. Now click Next.
4. A summary screen will display your choices. Click Next.
5. When Filter has updated the authentication method, you will see a confirmation message. Click Finish.
To use NT Authentication, follow procedure 12:

Procedure 12: Setting up NT Authentication

Step  Action
1.    From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management welcome screen will display. Select Manage Database Authentication. Click Next.
2.    From the options that display, choose NT Authentication. Click Next.
3.    A summary screen will display your choices. Click Next.
4.    When the Database Wizard has updated the authentication method you will see a confirmation screen.
APPENDIX A

ANTI-SPAM AGENT CATEGORIES & CRITERIA

Table 1 shows a summary of the Anti-Spam Agent Categories. For a detailed description of each category, see the tables that follow.

Table 1 Summary of Anti-Spam Agent Categories

Core / Liability Categories:
- Adult
- Gambling
- Illegal Material
- Offensive

Productivity Categories:
- Chain letters
- Games / interactive
- Novelty software
- Computing / Internet
- Health / medicine
- Personal / dating
- Entertainment
- Phishing / fraud
- Products / services
- Finance / home business
- Humor
- Special events
- Other

CORE / LIABILITY CATEGORIES

Table 2 describes the Core / Liability Categories.

Table 2 Core / Liability Categories

Category: Adult
Media Type: Executable, Graphics, Movies, Sound, Text
Definition:
- Adult humor, erotic stories, cartoons and animation or erotic chat
- Adult products including sex toys, CD-ROMs and videos
- Child Pornography
- Depictions or images of sexual acts, including sadism, bestiality or any form of fetish.
- Sexually exploitative or sexually violent text or graphics
- Sexually oriented or erotic full or partial nudity

Category: Gambling
Media Type: Executables, Text
Definition:
- Online gambling or lottery sites that invite the use of real or virtual money
- Virtual casinos
- Fantasy sports leagues, sports picks and betting pools
- Information or advice for placing wagers, participating in lotteries, or gambling, or running numbers

Category: Illegal Material
Media Type: Executables, Graphics, Movies, Text
Definition:
- Advice on performing illegal acts or obtaining illegal objects
- Advocating, instructing, or giving advice on performing illegal acts such as phone, service theft, evading law enforcement, lock-picking, fraud, plagiarism/cheating, and burglary techniques
- Displaying, selling, or detailing the use of guns, weapons, ammunition or poisonous substances
- Displaying, selling, or detailing use of drug paraphernalia
- Hacking

Category: Offensive
Media Type: Executables, Graphics, Movie, Sound, Text
Definition:
- Promoting a political or social agenda that is supremacist in nature and exclusionary of others based on their race, religion, nationality, gender, age, disability, or sexual orientation (e.g. Bigotry and racism)
- Grotesque depictions
- Offensive jokes and humor
PRODUCTIVITY CATEGORIES

Table 3 describes the Productivity Categories.

Table 3 Productivity Categories

Category and Media Type:
- Chain Letters: Executables, Text
- Computing / Internet: Executables, Graphics, Movies, Sound, Text
- Entertainment: Graphic, Text
- Finance / Home Business: Executables, Graphics, Movies, Text
- Games / Interactive: Graphics, Text
- Health / Medicine: Graphics, Text
- Phishing / fraud: Graphics, Movies, Sound, Text
- Humor: Executables, Graphics, Movies

Description entries for the categories above, in the same order:
- Mass e-mailed chain letters
- Spy Software
- Hardware and Software advertisements
- Web Hosting and Web Design services
- Questionnaires
- Entertainment and celebrity news
- Promotions
- Horoscopes, Psychic readings and Chinese Astrology
- Hobbies and recreation
- Get Rich Quick schemes and Multi-Level Marketing
- Debt consolidations and refinance schemes
- Mortgage and Loans promotional services
- Stock quotes, stock tickers, and fund rates
- Term Life Insurance
- Work-at-Home Business reports & promotions
- Online games and puzzles
- Interactive quizzes, movies and programs
- Prescription medicines promotions (e.g. Viagra Ordering)
- Weight Loss, health supplements
- Medical product promotions
- Medical, dental and health Insurance
- Body modification and sexual enhancements
- Virus hoaxes
- Phishing scams
- Deceptive or fraudulent information
- Urban legends (e.g. 419 scam and International Lottery scam)
- Jokes and pranks (non-sexually explicit)
- Humorous and satirical awards
- Cartoons and humorous pictures

Category: Novelty Software
Media Type: Text
Description:
- Cursor-changing software
- Other software and gadgets intended for entertainment value rather than system performance

Category: Personal / Dating
Media Type: Text
Description:
- Singles listings, matchmaking and dating services
- Personal chat lines

Category: Products / Services
Media Type: Executables, Graphics, Movies, Text
Description:
- General product & service sales and advertisements
- Promotions and commercials

Category: Special Events
Media Type: Graphics, Movies, Sound, Text
Description:
- Festive and Seasonal messages, files, promotions
- Messages pertaining to a current event that may be objectionable based on content, bandwidth, or negative impact on productivity such as a major sports event

Category: Other
Media Type: Text
Description: Items that do not fit into the above categories:
- Job Search
- E-greeting cards and wishes
- Questionnaires, polls and surveys
- Stories, quotes, riddles, quizzes
APPENDIX B

SUPPORTED FILE TYPES

FILE ATTACHMENTS OBJECT

Table 1 shows the file types that Filter can analyze and detect. The File Attachments Object can analyze a file in its native format even if its file extension has been renamed. If a file type you want to detect is not listed here, you can add it to the file attachments object manually.

Table 1 File Types Supported by the File Attachments Object

Each file group is listed with its file types and their extensions.

Audio Files
- AIFF Audio file: .aif, .aiff
- CD Audio file: .cda
- MIDI Music file: .mid / .rmi / .midi
- MPEG Audio file: .mp3, .mp2, .mp1
- Ogg Vorbis Audio file: .ogg
- Sun/Next Audio file: .au
- Waveform audio file: .wav
- Windows Media file: .wma
- Windows MIDI file: .mid

Archive Files
- ARC compressed file archive: .arc, .pak
- BZIP compressed file: .bz, .bz2
- LHZ archive compressed file archive: .lha, .lzh
- RAR compressed file archive: .rar
- Tape archive file: .tar
- ZOO compressed file archive: .zoo

Compressed Files
- ARJ compressed file: .arj
- InstallShield compressed file: .cab
- GZIP compressed file: .gzip, .gz
- LU compressed file: .lbr
- ZIP file: .zip, .jar

Executable Files
- Batch file: .bat, .cmd
- Executable file: .exe, .dll, .vxd, .sys, .cpl, .scr, .ocx, .oca, .com, .drv, .msi, .fon
- HTML Application: .htm, .html
- Java class file: .class
- JScript File: .js, .jse
- Netware loadable module: .nlm
- SHS scrap object: .shs, .shb
- VB Script file: .vbs, .vbe
- Windows script file: .wsf, .wsh

Image Files
- Adobe PhotoShop: .psd, .pdd
- Adobe PostScript: .ps, .eps
- Bitmap: .bmp, .dib
- Cursor file: .ani, .cur
- GIF: .gif
- Icon file: .ico
- JPEG: .jpg, .jpe, .jpg
- Paint Shop Pro: .psp
- PC Paintbrush Bitmap Graphic: .pcx
- Portable Network Graphic: .png
- Targa version 2: .tga, .vda, .icb, .vst
- TIFF: .tif, .tiff
- Windows Metafile: .wmf
- 3DstudioMAX file: .max

Web Files
- Cascading style sheet: .css
- ColdFusion file: .cfm
- HTML file: .htm, .html, .shtml, .asp, .php, .url
- Single file web page: .mht, .mhtml
- HTML application: .hta

Document Files
- Adobe PDF document: .pdf
- Compiled HTML Help file: .chm
- Microsoft Access database: .mdb
- Microsoft Excel spreadsheet: .xls
- Microsoft Excel spreadsheet with password: .xls
- Microsoft Excel spreadsheet with VBA: .xlv
- Microsoft PowerPoint presentation: .ppt
- Microsoft Project document: .mpp
- Microsoft Word document: .doc
- Microsoft Word document with password: .doc
- Microsoft Word document with VBA: .doc
- Rich-text format document: .rtf
- SurfControl Filter message file: .msg
- Text file: .txt
- Windows Help file: .hlp
- Windows Write document: .wri
- WordPad document: .rtf, .txt
- WordPerfect document: .wpf
- XML document: .xml

Data Files
- Data file: .dat
- Information / setup file: .inf
- Program Information file: .pif
- Font file: .fnt, .ttf
- Windows ASF file: .asf
- Windows initialization file: .ini
- Windows registry file: .reg
- Windows shortcut: .lnk

Video Files
- Audio Video Interleave / Video for Windows: .avi
- DVM movie: .dvm
- MPEG: .mpe, .mpeg, .mpg
- QuickTime: .qt, .mov
- ShockWave file: .swf
- Windows Media ASX file: .asx

Source Code Files
- C / C++: .c, .cpp, .h, .hpp, .mak, .def, .idl, .rc, .rc2, .dsp, .dsw, .mdp
- Java: .java
- Perl: .pl
- Visual Basic: .vb, .bas, .frm, .frx, .vbp, .vbz

Drawing Files
- AutoCAD file: .dwg, .dxf
- Visio drawing: .vsd, .vst, .vsw
DOCUMENT DECOMPOSITION

Microsoft Office Documents

Tables 2-4 show the Microsoft Office Files that SurfControl Filter can decompress using document decomposition.

Table 2 shows the PowerPoint versions that Document Decomposition supports:

Table 2 Document Decomposition: Supported PowerPoint Files

                     Document Data     OLE Objects*
PowerPoint Version   Text   Pictures   Excel   Word   PowerPoint   .exe / .zip   Pictures
2K / XP              Y      Y          Y       Y      Y            Y             Y
97                   N      N          Y       Y      Y            Y             Y
95                   N      N          Y       Y      Y            Y             Y
4                    N      N          Y       Y      Y            Y             Y

Table 3 shows the Word versions that Document Decomposition supports:

Table 3 Document Decomposition: Supported Word Files

                     Document Data     OLE Objects
Word Version         Text   Pictures   Excel   Word   Powerpoint   .exe / zip    Pictures
97 / 2K / XP         Y      Y          Y       Y      Y            Y             Y
6 / 95               Y      N          Y       Y      Y            Y             Y
2                    Y      N          N       N      N            N             N

Table 4 shows the Excel versions that Document Decomposition supports.

Table 4 Document Decomposition: Supported Excel Files

                     Document Data     OLE Objects
Excel Version        Text   Pictures   Excel   Word   Powerpoint   .exe / zip    Pictures
2K-XP                Y      Y          Y       Y      Y            Y             Y
97                   Y      Y          Y       Y      Y            Y             Y
95                   N      N          Y       Y      Y            Y             Y
4                    N      N          N       N      N            N             N
3                    N      N          N       N      N            N             N
2.1                  N      N          N       N      N            N             N

* When Document Decomposition is ON, Filter will scan and decompose PowerPoint files that contain OLE objects. When Document Decomposition is OFF, PowerPoint files that contain OLE objects will be checked against enabled rules, but the OLE files will not be scanned because of the way they are compressed.

Microsoft Mail Message Data

Filter can decompose messages in TNEF format, supporting Exchange servers 5.5, 2000 and

PDF Documents

Filter can decompose PDFs created using PDF protocol

Rich Text Format Files

Filter can decompose all .rtf files from version 1.0 onwards.

Web Archives

Filter can decompose web archive files formatted using MIME 1.0 onwards.
APPENDIX C

ANTI-VIRUS RETURN CODES

Table 1 lists the evaluation codes that the Anti-Virus Scanning Object can return. When you include the Anti-Virus Scanning Object in a rule, use these codes to specify what conditions will trigger the rule.

Table 1 Anti-Virus return codes

Return Code   Definition

0    No virus found

Virus found
1    Virus found
3    Damaged file
5    Dangerous virus
6    Uncertified macros
7    Encrypted file
10   Virus found and repaired
11   Uncertified macros repaired
12   Auto-cured
15   Dangerous virus found and repaired
18   Boot virus found
19   Memory virus found

Anti-Virus 30-day evaluation period expired
     day evaluation period has expired

Virus Scanning Error
21   Outdated virus data
22   Scan failed
23   Scan aborted
24   No DLL found
25   File not scanned
26   File not found (file / disk access error)
27   No signatures
28   No interface
29   Incompatible version
30   Wrong thread
31   The queried interface is not supported
32   Initialization failure
33   Not initialized
34   The main body of virus data is missing
35   The virus data was corrupt
36   Some encryption error occurred. Probably a mismatch between NSE_xxx.LIB and NSE.DLL
37   Bad DLL format
38   I / O error during scan
39   Invalid parameter
40   Invalid structure
41   File is directory
42   File is protected
43   Access denied
44   Unexpected error
45   STRUCT.usSze not as expected by NSE
46   Error reading MCAFEE.MSG
47   Upgrade failed
48   Already initialized
49   Memory low
50   Cure failed
51   Cannot repair
52   Error during repair
53   McAfee: /FREQUENCY prevents scanner from proceeding
54   Cannot move virus pattern file
APPENDIX D

EDITING AUTOREPLY.TXT

Autoreply.txt is a plain text file that contains messages for use with Rules Administrator objects and in the Message Administrator. Autoreply.txt contains messages that you can use in notification and forwarded e-mails in a range of circumstances. It is stored in the installation directory of SurfControl Filter and you can edit it with a text editor, e.g. Notepad. You can also remove these preset messages and replace them with new ones so long as the heading format remains the same.

[GENERAL]
<Your Company> filters all E-mail automatically. This E-mail contained non business related attachments/content and has been deleted. Do Not resend.
[END]

[VIRUS]
<Your Company> filters all E-mail automatically. This E-mail contained non business related attachments/content that are suspected of having virus content.the event has been logged and message has been deleted. Please do NOT resend.
[END]

[GRTR4MB]
This is an automatic message.the files sent have been delayed until 9pm Sydney time due to the size > than 4MB. Contact postmaster@<your Company>.com to send message immediately. Please ensure that any attachments are as small as possible prior to transmission. Files > 10MB will be deleted.
[END]

[OFFENSIVE]
This E-mail contains material which could be deemed inappropriate and is isolated. It will be reviewed and deleted if found to be inappropriate.
[END]

[JOKES]
This E-mail contains material which could be deemed inappropriate and is isolated.it will be reviewed and deleted if found to be inappropriate.
[END]

[DEROGATORY]
This E-mail contains material which could be deemed inappropriate and is isolated.it will be reviewed and deleted if found to be inappropriate.
[END]

[GRAPHICS]
This E-mail contains material which could be deemed inappropriate and is isolated. It will be reviewed and deleted if found to be inappropriate.
[END]

[BLKMSITE]
This is an unsolicited E-mail. Please remove the intended recipient from your E-mail list.
[END]
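The following check is an added example, not part of the SurfControl guide or product: a small Python validator to run on an edited Autoreply.txt before copying it back to the installation directory, so that a broken heading or a leftover <Your Company> placeholder is caught before it goes out in a notification. It assumes, from the listing above, that every heading is an upper-case name in square brackets and every message is closed by [END]; the function names and the sample text are constructed for illustration.

```python
import re

# Assumption taken from the listing in the guide: a heading is an upper-case
# name in square brackets, and every message is closed by [END].
TOKEN = re.compile(r"\[([A-Z0-9_]+)\]")
# Template markers such as <Your Company> that must be filled in before use.
PLACEHOLDER = re.compile(r"<[^<>\n]+>")


def parse_autoreply(text):
    """Return (sections, problems) for the contents of an Autoreply.txt file.

    sections maps heading name -> message text with whitespace collapsed;
    problems lists every place where the heading/[END] structure is broken.
    """
    sections, problems = {}, []
    current = None  # heading that is currently open, if any
    pos = 0         # offset just past the last bracketed token

    def store(name, raw):
        body = " ".join(raw.split())
        if name in sections:
            problems.append(f"[{name}] is defined more than once")
        if not body:
            problems.append(f"[{name}] has an empty message")
        sections[name] = body

    for match in TOKEN.finditer(text):
        chunk, name = text[pos:match.start()], match.group(1)
        pos = match.end()
        if current is None:
            if chunk.strip():
                problems.append(f"text outside any section before [{name}]")
            if name == "END":
                problems.append("[END] found with no open heading")
            else:
                current = name
        elif name == "END":
            store(current, chunk)
            current = None
        else:
            # A new heading started while the previous one was still open.
            problems.append(f"[{current}] is not closed by [END] before [{name}]")
            store(current, chunk)
            current = name

    if current is not None:
        problems.append(f"[{current}] is not closed by [END]")
        store(current, text[pos:])
    elif text[pos:].strip():
        problems.append("text after the last [END]")
    return sections, problems


def unreplaced_placeholders(sections):
    """Map heading -> template placeholders still present in its message."""
    found = {}
    for name, body in sections.items():
        hits = PLACEHOLDER.findall(body)
        if hits:
            found[name] = hits
    return found


# Constructed sample, not the shipped file: [OFFENSIVE] has lost its [END],
# a stray line sits between sections, and [BLKMSITE] has no message text.
SAMPLE = """\
[GENERAL]
<Your Company> filters all e-mail automatically.
This message has been deleted. Do not resend.
[END]

[VIRUS]
Suspected virus content. The event has been logged.
[END]

[OFFENSIVE]
This message is isolated and will be reviewed.

[JOKES]
This message is isolated and will be reviewed.
[END]
stray line left over from an edit
[BLKMSITE]
[END]
"""

if __name__ == "__main__":
    parsed, issues = parse_autoreply(SAMPLE)
    for issue in issues:
        print("PROBLEM:", issue)
    for heading, hits in unreplaced_placeholders(parsed).items():
        print(f"PLACEHOLDER in [{heading}]:", ", ".join(hits))
```
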
APPENDIX E

THIRD-PARTY REPORTING

You can use a third party database reporting tool such as Crystal Reports to create custom reports from the Filter STEMLog database. The diagrams on the pages that follow show the structure of the database.

DATABASE SCHEMA

Figure 1 shows the structure of the database.

Figure 1 Database Structure

SMTP RELATIONSHIPS

Figure 2 shows tables related to the SMTP table.

Figure 2 SMTP Relationships

SYSTEM LOG RELATIONSHIPS

Figure 3 shows tables related to the System Log table.

Figure 3 System Log Relationships

MESSAGE RELATIONSHIPS

Figure 4 shows tables related to the Message table.

Figure 4 Message Relationships
Trustwave SEG Cloud Customer Guide
Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation
MDaemon Vs. Microsoft Exchange Server 2013 Standard
Comparison Guide Vs. The following chart is a side-by-side feature comparison of and. Flex Licensing Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP, and MultiPOP POP3 & SMTP Only SSL / TLS
GFI Product Manual. Administration and Configuration Manual
GFI Product Manual Administration and Configuration Manual http://www.gfi.com [email protected] The information and content in this document is provided for informational purposes only and is provided "as is"
Installing Policy Patrol with Lotus Domino
Policy Patrol 9 technical documentation May 21, 2013 If you have Lotus Domino R5/6/7/8/9 Mail Server, you must install Policy Patrol on a separate Windows 2003/2008/2012 machine and forward your mails
Setting up Microsoft Office 365
Setup Guide Revision F Using McAfee SaaS Email Protection to Secure Exchange Online in Microsoft Office 365 Setting up Microsoft Office 365 Use this guide to configure Microsoft Office 365 and Microsoft
Lepide Software. LepideAuditor for File Server [CONFIGURATION GUIDE] This guide informs How to configure settings for first time usage of the software
Lepide Software LepideAuditor for File Server [CONFIGURATION GUIDE] This guide informs How to configure settings for first time usage of the software Lepide Software Private Limited, All Rights Reserved
Setting up Microsoft Office 365
Integration Guide Revision G McAfee SaaS Email Protection Securing Exchange Online in Microsoft Office 365 Setting up Microsoft Office 365 Use this guide to configure Microsoft Office 365 and Microsoft
PureMessage for Microsoft Exchange Help. Product version: 3.1
PureMessage for Microsoft Exchange Help Product version: 3.1 Document date: June 2015 Contents 1 About PureMessage for Microsoft Exchange...4 2 Key concepts...5 2.1 Key concepts overview...5 2.2 Inbound,
Copyright 2012 Trend Micro Incorporated. All rights reserved.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Citrix Access Gateway Plug-in for Windows User Guide
Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance
eprism Email Security Appliance 6.0 Release Notes What's New in 6.0
eprism Email Security Appliance 6.0 Release Notes St. Bernard is pleased to announce the release of version 6.0 of the eprism Email Security Appliance. This release adds several new features while considerably
Outpost Network Security
Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It
Quick Start Policy Patrol Spam Filter 9
Quick Start Policy Patrol Spam Filter 9 This guide will help you start using Policy Patrol Spam Filter as quickly as possible. For more detailed instructions, consult the Policy Patrol manual. Step 1.
Quadro Configuration Console User's Guide. Table of Contents. Table of Contents
Epygi Technologies Table of Contents Table of Contents About This User s Guide... 3 Introducing the Quadro Configuration Console... 4 Technical Specification... 6 Requirements... 6 System Requirements...
PureMessage for Microsoft Exchange 2013 startup guide. Product version: 4.0
PureMessage for Microsoft Exchange 2013 startup guide Product version: 4.0 Document date: June 2015 Contents 1 About this guide...4 2 Planning your PureMessage deployment...5 2.1 Deploying PureMessage
Netwrix Auditor for Windows Server
Netwrix Auditor for Windows Server Quick-Start Guide Version: 7.0 7/7/2015 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from
How To Manage Your Spam On Graymail On Pc Or Macodeo.Com
User Guide Revision E SaaS Email Protection Email Protection for your account The Email Protection service works in the cloud to protect your email account from spam, viruses, worms, phishing scams, and
NetWrix Server Configuration Monitor
NetWrix Server Configuration Monitor Version 2.2 Quick Start Guide Contents NetWrix Server Configuration Monitor Quick Start Guide 1. INTRODUCTION... 3 1.1 KEY FEATURES... 3 1.2 LICENSING... 4 1.3 HOW
Deploying Layered Email Security. What is Layered Email Security?
Deploying Layered Email Security This paper is intended for users of Websense Email Security who want to add Websense Hosted Email Security to deploy a layered email security solution. In this paper: Review
Installing Policy Patrol on a separate machine
Policy Patrol 3.0 technical documentation July 23, 2004 Installing Policy Patrol on a separate machine If you have Microsoft Exchange Server 2000 or 2003 it is recommended to install Policy Patrol on the
2X ApplicationServer & LoadBalancer Manual
2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies,
Bitrix Site Manager ASP.NET. Installation Guide
Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary
User Guide. Version 3.2. Copyright 2002-2009 Snow Software AB. All rights reserved.
Version 3.2 User Guide Copyright 2002-2009 Snow Software AB. All rights reserved. This manual and computer program is protected by copyright law and international treaties. Unauthorized reproduction or
ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000
ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000 Version 3.2 ArcMail Technology 401 Edwards Street, Suite 1601 Shreveport, LA 71101 Support: (888) 790-9252
Release Notes for Websense Email Security v7.2
Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version
DiskPulse DISK CHANGE MONITOR
DiskPulse DISK CHANGE MONITOR User Manual Version 7.9 Oct 2015 www.diskpulse.com [email protected] 1 1 DiskPulse Overview...3 2 DiskPulse Product Versions...5 3 Using Desktop Product Version...6 3.1 Product
NETWRIX EVENT LOG MANAGER
NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment
Email Data Protection. Administrator Guide
Email Data Protection Administrator Guide Email Data Protection Administrator Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec,
Releasing blocked email in Data Security
Releasing blocked email in Data Security IN-TopicInfo:Topic 41101/ Updated: 02-May-2011 Applies To: Websense Data Security v7.1.x Websense Data Security v7.5.x Websense Data Security v7.6.x - v7.8x SMTP
GFI Product Manual. Getting Started Guide
GFI Product Manual Getting Started Guide http://www.gfi.com [email protected] The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty
Quick Start Guide Sendio Hosted
Sendio Email System Protection Appliance Quick Start Guide Sendio Hosted Sendio 6.x and 7.x Sendio, Inc. 4911 Birch St, Suite 150 Newport Beach, CA 92660 USA +1.949.274.4375 www.sendio.com QUICK START
Netwrix Auditor for File Servers
Netwrix Auditor for File Servers Quick-Start Guide Version: 7.0 7/7/2015 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from
Quick Start Policy Patrol Spam Filter 5
Quick Start Policy Patrol Spam Filter 5 This guide will help you start using Policy Patrol Spam Filter as quickly as possible. For more detailed instructions, consult the Policy Patrol manual. Step 1.
PureMessage for Microsoft Exchange startup guide
PureMessage for Microsoft Exchange startup guide Product version: 3.1 Document date: May 2010 Contents 1 About this guide...3 2 Planning your PureMessage deployment...4 3 Installing PureMessage...6 4 Starting
2X ApplicationServer & LoadBalancer Manual
2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies,
TANDBERG MANAGEMENT SUITE 10.0
TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS
SPAMfighter SMTP Anti Spam Server
SPAMfighter SMTP Anti Spam Server Users Manual Copyright SPAMfighter ApS 2005 Revised 4/27/2006 1 Table of Contents 2 Terminology...3 3 Technology...4 3.1 Tunneling and Interception...4 3.2 Content Classification...5
KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual
KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/
GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.
GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: [email protected] Information in this document is subject to change without notice. Companies, names, and data used in examples
Avira AntiVir Exchange 7
User Manual Avira AntiVir Exchange 2000/2003 Avira AntiVir Exchange 2007 www.avira.com Contents 1 Getting Started... 6 1.1 Installation on an Exchange Server... 6 1.2 Starting AntiVir Exchange Management
8.6. NET SatisFAXtion Email Gateway Installation Guide. For NET SatisFAXtion 8.6. Contents
NET SatisFAXtion Email Gateway Installation Guide For NET SatisFAXtion 8.6 Contents 1.0 - Install Microsoft Virtual SMTP Server 2 XP and 2003 2 2008 and 2008 R2 2 Windows 7 2 Upgrade Path 2 Configure Microsoft
Netwrix Auditor for Active Directory
Netwrix Auditor for Active Directory Quick-Start Guide Version: 7.1 10/26/2015 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment
Avaya Network Configuration Manager User Guide
Avaya Network Configuration Manager User Guide May 2004 Avaya Network Configuration Manager User Guide Copyright Avaya Inc. 2004 ALL RIGHTS RESERVED The products, specifications, and other technical information
Sage 200 Web Time & Expenses Guide
Sage 200 Web Time & Expenses Guide Sage (UK) Limited Copyright Statement Sage (UK) Limited, 2006. All rights reserved If this documentation includes advice or information relating to any matter other than
CipherMail Gateway Quick Setup Guide
CIPHERMAIL EMAIL ENCRYPTION CipherMail Gateway Quick Setup Guide October 10, 2015, Rev: 9537 Copyright 2015, ciphermail.com. CONTENTS CONTENTS Contents 1 Introduction 4 2 Typical setups 4 2.1 Direct delivery............................
Netwrix Auditor. Administrator's Guide. Version: 7.1 10/30/2015
Netwrix Auditor Administrator's Guide Version: 7.1 10/30/2015 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation
Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.
Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from
DiskBoss. File & Disk Manager. Version 2.0. Dec 2011. Flexense Ltd. www.flexense.com [email protected]. File Integrity Monitor
DiskBoss File & Disk Manager File Integrity Monitor Version 2.0 Dec 2011 www.flexense.com [email protected] 1 Product Overview DiskBoss is an automated, rule-based file and disk manager allowing one to
SAS Business Data Network 3.1
SAS Business Data Network 3.1 User s Guide SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2014. SAS Business Data Network 3.1: User's Guide. Cary,
NetWrix Account Lockout Examiner Version 4.0 Administrator Guide
NetWrix Account Lockout Examiner Version 4.0 Administrator Guide Table of Contents Concepts... 1 Product Architecture... 1 Product Settings... 2 List of Managed Domains and Domain Controllers... 2 Email
Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012
Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise
Attix5 Pro Server Edition
Attix5 Pro Server Edition V7.0.3 User Manual for Linux and Unix operating systems Your guide to protecting data with Attix5 Pro Server Edition. Copyright notice and proprietary information All rights reserved.
Frequently Asked Questions
Frequently Asked Questions Table of Contents DNS Settings... 3 MX record... 3 SPF record... 3 Configuring Outbound... 3 Smart host configuration for Exchange 2003... 3 Smart host configuration for Exchange
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see
1 Accessing E-mail accounts on the Axxess Mail Server
1 Accessing E-mail accounts on the Axxess Mail Server The Axxess Mail Server provides users with access to their e-mail folders through POP3, and IMAP protocols, or OpenWebMail browser interface. The server
NETWRIX ACCOUNT LOCKOUT EXAMINER
NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a
PureMessage for Microsoft Exchange startup guide. Product version: 3.1
PureMessage for Microsoft Exchange startup guide Product version: 3.1 Document date: June 2015 Contents 1 About this guide...4 2 Planning your PureMessage deployment...5 2.1 Deploying PureMessage to Exchange
Endpoint Security Console. Version 3.0 User Guide
Version 3.0 Table of Contents Summary... 2 System Requirements... 3 Installation... 4 Configuring Endpoint Security Console as a Networked Service...5 Adding Computers, Groups, and Users...7 Using Endpoint
ES Exchange Server - How to Remove XMON
w e p r o t e c t d i g i t a l w o r l d s NOD32 Server Edition for MS Exchange Server Installation Copyright Eset, spol. s r. o. All rights reserved. No part of this document may be reproduced or transmitted
MobileStatus Server Installation and Configuration Guide
MobileStatus Server Installation and Configuration Guide Guide to installing and configuring the MobileStatus Server for Ventelo Mobilstatus Version 1.2 June 2010 www.blueposition.com All company names,
Colligo Email Manager 6.0. Offline Mode - User Guide
6.0 Offline Mode - User Guide Contents Colligo Email Manager 1 Key Features 1 Benefits 1 Installing and Activating Colligo Email Manager 2 Checking for Updates 3 Updating Your License Key 3 Managing SharePoint
Email DLP Quick Start
1 Email DLP Quick Start TRITON - Email Security is automatically configured to work with TRITON - Data Security. The Email Security module registers with the Data Security Management Server when you install
Novell Filr. Windows Client
Novell Filr Windows Client 0 Table of Contents Supported Environments 2 Supported Languages 2 Getting Started 3 Which Folders Are Synchronized 3 What Actions Are Supported 4 Configuring Folders to Synchronize
SurfControl EmailFilter for SMTP
ANTI SPAM SOLUTIONS TECHNOLOGY REPORT SurfControl EmailFilter for SMTP JANUARY 2007 www.westcoastlabs.org 2 ANTI SPAM SOLUTIONS TECHNOLOGY REPORT CONTENTS SurfControl EmailFilter for SMTP SurfControl,
WhatsUp Gold v16.2 Installation and Configuration Guide
WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
If you encounter difficulty or need further assistance the Archdiocesan help desk can be reached at (410) 547-5305, option 1. Email Access Methods:
ArchMail (www.archbalt.org/archmail) is a centrally hosted email system for the employees of the Archdiocese. To simplify employee access multiple methods for accessing email have been established. This
email-lead Grabber Business 2010 User Guide
email-lead Grabber Business 2010 User Guide Copyright and Trademark Information in this documentation is subject to change without notice. The software described in this manual is furnished under a license
Sophos for Microsoft SharePoint Help
Sophos for Microsoft SharePoint Help Product version: 2.0 Document date: March 2011 Contents 1 About Sophos for Microsoft SharePoint...3 2 Dashboard...4 3 Configuration...5 4 Reports...27 5 Search...28
