Secure E-Mail Gateway (SEG) Service Administrative Guides Filtering Service Revised February 2013 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Email Protection Administrator Guide Proprietary and Confidential
RESTRICTION ON USE, PUBLICATION, OR DISCLOSURE OF PROPRIETARY INFORMATION. Copyright 2012 McAfee, Inc. This document contains information that is proprietary and confidential to McAfee. No part of this document may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from McAfee. All copies of this document are the sole property of McAfee and must be returned promptly upon request. McAfee, Inc. 9781 South Meridian Blvd., Suite 400 Englewood, CO 80112 USA Direct +1 720-895-5700 Fax +1 720-895-5757 November 2012 Proprietary: Not for use or disclosure outside McAfee without written permission 2
Contents

Overview
Differences in Administration for Service Providers
Account Management Necessary for Email Protection
MX Record Validation
Alias Domain Names
Auto-creation of Users
Email Filtering Policies
Types of Inbound Email Filtering
Types of Outbound Email Filtering
Configurable Actions for Filtered Email
User-level Policy Configurations
Quarantine
Customizing the Interface
Licensed Branding
Language Localization
Outbound Disclaimer
Notifications
Monitoring and Reporting
Optional Utilities
Spam Control for Outlook
Disaster Recovery Services
Fail Safe
Email Continuity
Access Email Protection Administration
Who Can Access Email Protection Administration windows
Other Documents You Might Need
Email Protection Documents
Web Protection Service Documents
Message Archiving Documents
User Guides
Ensure You Can Receive Email from Your Service Provider
Log on to the Control Console
Reset Your Password from the log on window
Check the Status of Email Protection on the Overview
Set up Your Servers
Confirm Your Inbound Servers Setup
Set up Additional Inbound Servers
Delete an Inbound Server
Add IP Address of Outbound Server, If Necessary
Delete an Outbound Server
Set up a Smart Host (If Outbound Mail Defense is Turned on)
Add an Outbound Email Disclaimer
Redirect Your MX Records
Check Your MX Record
Set up User Creation Mode SMTP Discovery or Explicit
Customize Inbound Mail Filters
Enterprise or Service Provider Customer
Create a Custom Policy (Enterprise Customer Only)
Configure a Virus Filter
Set Email Protection to Notify Users about Emails with Viruses
Configure a Spam Filter
Define the Action to Take on Spam
Define Additional Words That Indicate Spam
Set up Spam Quarantine Reports
Configure a Content Filter
Turn Off a Default Content Filter
Custom Content Group
Notify Users about Spam Content
Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons
Configure Web Hyperlink Filters (ClickProtect)
Define an Attachment Filter
Filter by Attachment File Types
Filter by Attachment File Name
Filter Zip File Attachments
Notify Users about Attachment Violations
Allow or Deny Email to or from Specific Addresses
Allow Email from a Specific Address
Deny Email from a Specific Address
Deny Email to a Specific Recipient
Save a Copy of an Allow, Deny, or Recipient Shield List
Add Allow, Deny, or Recipient Shield Addresses with a Batch File
Email Authentication
Transport Layer Security
Enforced SPF
Define the Format and Text of Notifications to Users
Variables within a Notification
Define the Format and Text of Virus Notifications
Define the Format and Text of Content Violation Notifications
Define the Format and Text of Attachment Violation Notifications
Email Authentication
Disaster Recovery
Assign a Group to the Custom Policy
Customize Outbound Mail Filters
Create a Custom Outbound Policy
Configure a Virus Filter
Configure a Content Filter
Email Encryption for Content Groups
Define an Attachment Filter
Define the Format and Text of Notifications to Users
Assign a Group to the Custom Policy
Managing Quarantine Reports
Set up Quarantine Reports
Monitor Users' Quarantined Email
Primary Email Addresses, Aliases, and Public Domain Addresses
Search for Quarantined Email
Interpret the Search Results
Sort the Search Results
Delete Quarantined Messages
Release Quarantined Messages
View Quarantined Messages
Monitor Your Own Quarantine
Set up Disaster Recovery Services
Administer Disaster Recovery Services
Set up Spooling for Disaster Recovery
Set up Notifications of Disaster Recovery
User-Level Policy Configuration
System Reports
Email Protection Reports
View an Email Protection Report
Traffic Overview
Traffic: Enforced TLS Report
Traffic: Encryption
Threats: Overview
Threats: Viruses
Threats: Spam
Threats: Content
Threats: Attachments
Enforced TLS: Details
Enforced SPF Report
ClickProtect: Overview
ClickProtect: Click Log
Quarantine: Release Overview
Quarantine: Release Log
View Details of Log Items
User Activity
Event Log
Audit Trail
Inbound Server Connections
Disaster Recovery: Overview
Disaster Recovery: Event Log
Administer MSP Connector
Configure the MSP Connection
Add Domains to the MSP Connection
Turn on Exception Notifications for the MSP Connection
View an MSP Connector Audit Report
Administer Performance Reports
Performance Report Descriptions
Tips and Frequently Asked Questions
FAQs
Tips/Techniques
1. Overview

Email Protection provides security services that safeguard corporations from unsolicited spam email (junk mail), viruses, worms, and unwanted content at the network perimeter before they can enter the internal network. Multiple layers of Email Protection provide secure and complete email filtering to protect your users. You can enable or disable specific layers by changing the licensed packages of features and/or by configuring the specific email policies in the Control Console, the comprehensive graphical interface into Email Protection.

This document describes the tasks necessary to configure and maintain your Email Protection.

Differences in Administration for Service Providers

This document is for use by Enterprise customers only. Service Provider customers do not administer groups for Email Protection and therefore do not assign groups to email filtering policies. Instead, Service Provider customers assign policies directly to domains. The capabilities for managing policies and groups, as described in this document, apply only to Enterprise customers.

Account Management Necessary for Email Protection

Account Management is a set of administrative windows you use to configure and manage the entities that use or are affected by Email Protection, as well as the Web Protection Service (WDS) and Message Archiving products. These entities include:

- Domains
- Users
- Other administrators, including other Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers

In addition, for Email Protection only, you use Account Management to administer groups of users that share a common email filtering policy. For more information, see Account Management Administrator Guide.
MX Record Validation

You can validate that the MX records configured for your domain are properly redirected by entering the specific DNS and/or IP address for your MTA server. The Control Console displays the MX record configuration as reported by the authoritative DNS server. See Check Your MX Record.

Alias Domain Names

You can configure alias domain names that act as virtual domains using the configurations and email addresses defined in the primary domain name. Email addresses are created automatically for alias domains (for example, jsmith@yourcompanyalias.com is automatically created for jsmith@yourcompany.com), allowing the single user to receive email for both addresses. For more information, see Account Management Administrator Guide.

Auto-creation of Users

Email Protection automatically creates new user accounts if all of the following are true:

- SMTP Discovery is enabled. SMTP Discovery, which is enabled by default, is a convenient way to add users to your service. However, this capability might also add users who are not real users at your company and not add users who are real. SMTP Discovery creates users that receive eight valid emails within a 24 hour period.
- A user account does not exist for the email address in the designated Domain.
- The emails were not addressed to an alias domain name.

For more information, see Set up User Creation Mode SMTP Discovery or Explicit.

Email Filtering Policies

Email Protection has default inbound and outbound mail filters to block and clean malicious email and to quarantine email that might be malicious. The filters are configured by using policies, which are the parameters for the filters. Default policies are automatically assigned to each of your domains. You can customize the default inbound policy for any and each domain, or any and each group, to fit your business needs. For more information, see Customize Inbound Mail Filters.
Types of Inbound Email Filtering

Email Protection can filter both inbound and outbound email. The inbound filtering that can be configured is as follows:

- Anti-Spam Filtering
- Real-time Blackhole List
- Anti-Virus Filter
- Content Filtering and ClickProtect
- Attachment Filtering
- Multi-Level Allow and Deny Lists

Anti-Spam Filtering

Spam is usually defined as unsolicited (and usually unwanted) commercial email sent to a large number of addresses. However, what one recipient may consider spam, another recipient would consider legitimate email. In addition, spam has become a tool of hackers and electronic terrorists who deliberately attempt to gather proprietary information from computer systems and/or attempt to cause harm to a company's email system. Typically, these types of spammers deliberately use naming standards, hijacked From: addresses, scrambled content, etc., to bypass spam filters such as blacklists and keyword lists.

Using Stacked Classification Framework, Email Protection provides the most comprehensive and effective spam-blocking product on the market today, blocking 98% of spam and providing an industry-leading low false positive rate (legitimate email marked as spam). The Stacked Classification Framework aggregates the most effective spam filters and techniques in the industry into a spam likelihood. As appropriate, email is assigned a high or medium likelihood of being spam. A separate email action can be assigned to each likelihood. The spam classification techniques include the following:

Spam Filter Type: Description

IP Reputation Connection Manager: This filter operates at the front of the Stacked Classification Framework. It rates the reputation of every incoming email, based on IP reputation data collected by your Email Protection provider on an ongoing basis. Connections are dropped for all messages that originate from IP addresses determined to carry a reputation for sending spam.

Bayesian Statistical Filtering: Statistical algorithms built by your Email Protection provider identify and quantify the possibility that an email is spam based on how often elements in that email have appeared in identified spam emails.

Industry Heuristics: Email Protection incorporates thousands of successful industry-wide spam-fighting rules to recognize characteristics of spam.

Proprietary Heuristics: Email Protection experts write and update thousands of proprietary rules to block spam, including fraudulent phishing spam, using real-time data from your service provider's Threat Center.

URL Filtering: URL filtering works by comparing embedded links found in emails with URLs associated with identified spam.

Reputation Analysis: Email Protection constantly monitors inbound email to build a list of IP addresses and domain names to rate the reputation of the sender based upon the percentage of spam emails received from that address in the past.

Reputation-Based RBL Filtering: Using up to 31 real-time blackhole lists (RBLs) of known spammers provided by the industry, Email Protection creates a single RBL indicator to help gauge the likelihood of an email being sent by a known spammer. Using multiple blacklists to create a single vote, and rating the reputation of each RBL based on its accuracy at distinguishing spammers from senders of legitimate email, helps to minimize the possibility of a non-spammer being blocked by mistake.

Sender Policy Framework (SPF): The SPF classifier helps identify and block fraudulent spoofing emails (those sent by spammers with forged From addresses) from entering your email network. For each inbound email, the SPF classifier will look up the sending domain's Domain Name System (DNS) record and its list of authorized IP addresses. Emails that carry an IP address not found on the authorized list will be included within the Stacked Framework Classification System for the detection of spam. By determining whether or not the relationship between the DNS record and the IP address is legitimate, Email Protection is able to more accurately filter out fraudulent spoofed emails. As a result, Email Protection reduces risk for users who might be duped by the email into divulging confidential personal information.

Real-time Blackhole List

The Real-time Blackhole List (RBL) is a system for creating intentional network outages (blackholes) for the purpose of limiting the transport of known-to-be-unwanted mass email. The RBL is a database of IP addresses that are reported to be spam sources.
Anti-Virus Filter

Email Protection provides highly effective, organization-wide virus and worm protection. By identifying viruses and worms at your network perimeter before they enter or leave your messaging infrastructure, Email Protection minimizes outbreak and infection risks to your enterprise messaging infrastructure. You can configure whether infected emails are quarantined, denied, or stripped of infection.

- Provides maximum protection using multiple, industry-leading anti-virus engines to allow Email Protection to customize the protection to meet the latest threats.
- Virus definition updates every 5 minutes provide up-to-the-minute defense against the latest threats.
- Provides safe, external virus scanning and quarantine management for protection against viruses before they reach your network.
- Protects your users, networks, and data from harm.

Content Filtering and ClickProtect

Email Protection protects your organization and reduces liability and risk by automatically identifying unwanted and malicious content before it enters or leaves your network. You can enable any of the following types of content filtering:

Content Filter Type: Description

Predefined Content Keyword Groups: You can enable or disable predefined content keyword groups provided by Email Protection:
- Profanity
- Sexual Overtones
- Racially Insensitive

Customized Content Keyword Groups: You can define customized content keyword groups containing terms and phrases to satisfy the business and security needs of your organization.

Multiple Levels of HTML Filtering: You can designate the level of HTML filtering to be used (low, medium, or high), with predefined actions for each level. Depending on the level, malicious HTML tags and scripting options embedded in email are stripped.

Graphic Image Replacement: You can enable or disable the automatic replacement of images with a transparent 1x1 pixel GIF within HTML emails.

Stripping of Spam Beacons or Web bugs: Spam beacons and web bugs are typically transparent, 1x1 pixel graphics embedded in HTML content that send information about your system to the source (usually a URL) of the spam beacon or web bug. Typically, web bugs are used on Web sites to monitor surfing behavior, but now spammers are hiding them in their mass mailings as spam beacons. If the graphic is not removed before an email is opened, the spam beacon sends a signal back to the spammer's URL that lets the spammer know whether the email was opened and if the recipient's email address is valid. If the spammer gets this signal, the recipient is marked as a valid email address and is guaranteed to receive more spam in the future. You can enable or disable the automatic stripping of spam beacons or Web bugs within HTML emails.

Disabling hyperlinks within email with ClickProtect(SM): ClickProtect allows you to monitor Web hyperlinks received in emails and to enable or disable whether they can be clicked and followed by the user. With multiple levels of ClickProtect policy control, Administrators can customize the desired level of protection. This feature supports blocking phishing sites and accidental downloads of viruses and worms.

Attachment Filtering

Email Protection provides you the ability to control the types and sizes of allowed attachments entering your email network. You can control attachment filtering using any of the following:

Attachment Filter Type: Description

Attachment Filtering by File Type: You can enable or disable filtering of attachments by file type. File type is determined using the file extension, MIME content type, and binary composition.

Attachment Filtering by Size: You can designate a maximum allowed size for each enabled attachment type.

Custom Attachment Rules by Filename: You can configure custom rules using filenames that override the global settings for an attachment file type. You can designate that the rule use the entire filename or any part of the filename.

Filtering for Files Contained within a Zip File Attachment: You can configure custom rules to cause Email Protection to analyze the files within a zip file attachment, if possible, to determine if a file in the zip file violates attachment policies. If the zip file cannot be analyzed, you can designate the email action to be applied.

Encrypted or High Risk Zip File Attachment Rules: You can configure custom rules for emails with encrypted zip files and/or zip files that are considered high risk (too large, too many nested levels, etc.).
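How the three file-type signals and the zip rules above fit together, as an added example (not the service's implementation): the attachment's extension, declared MIME type and leading bytes are compared, and zip content is walked with limits on nesting and unpacked size. The signature table, blocked type, limits and sample files are assumptions constructed for the illustration.

```python
import io
import zipfile

# Leading "magic" bytes for a few formats (a real filter knows far more).
MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "exe"),
         (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF8", "gif")]
EXT_KIND = {"pdf": "pdf", "zip": "zip", "exe": "exe", "dll": "exe",
            "png": "png", "gif": "gif"}
MIME_KIND = {"application/pdf": "pdf", "application/zip": "zip",
             "application/x-msdownload": "exe", "image/png": "png",
             "image/gif": "gif"}

# Hypothetical policy values; the guide names the criteria, not the numbers.
BLOCKED_KINDS = {"exe"}
MAX_NESTED_LEVELS = 2
MAX_UNPACKED_BYTES = 10 * 1024 * 1024


def sniff(data):
    """Classify content by its leading bytes ("binary composition")."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def inspect_attachment(filename, mime, data, level=0, findings=None):
    """Return a list of (filename, finding) policy violations."""
    findings = [] if findings is None else findings
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    by_bytes = sniff(data)
    kinds = {k for k in (EXT_KIND.get(ext), MIME_KIND.get(mime), by_bytes) if k}
    if len(kinds) > 1:                      # the three signals disagree
        findings.append((filename, "type-mismatch"))
    if kinds & BLOCKED_KINDS:
        findings.append((filename, "blocked-type"))
    if by_bytes != "zip":
        return findings
    if level >= MAX_NESTED_LEVELS:
        findings.append((filename, "too-many-nested-levels"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = [m for m in archive.infolist() if not m.is_dir()]
            if any(m.flag_bits & 0x1 for m in members):   # bit 0 = encrypted
                findings.append((filename, "encrypted-zip"))
            elif sum(m.file_size for m in members) > MAX_UNPACKED_BYTES:
                findings.append((filename, "too-large-unpacked"))
            else:
                for m in members:
                    inspect_attachment(m.filename, None, archive.read(m),
                                       level + 1, findings)
    except zipfile.BadZipFile:              # cannot be analyzed
        findings.append((filename, "unreadable-zip"))
    return findings


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (used for the samples)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buffer.getvalue()


# Constructed samples: placeholder bytes that only carry a file signature.
FAKE_EXE = b"MZ" + b"\x00" * 32
NESTED = make_zip({"inner.zip": make_zip({"invoice.pdf": FAKE_EXE}),
                   "readme.txt": b"hello"})
DEEP = make_zip({"l1.zip": make_zip({"l2.zip": make_zip({"a.txt": b"x"})})})

if __name__ == "__main__":
    print(inspect_attachment("scan.pdf", "application/pdf", FAKE_EXE))
    print(inspect_attachment("outer.zip", "application/zip", NESTED))
    print(inspect_attachment("deep.zip", "application/zip", DEEP))
```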
Multi-Level Allow and Deny Lists

Email Protection allows you to define lists of emails that will always be denied (blacklists) or will always be accepted (whitelists) at multiple levels. In addition, you can enable a third-party Real-time Blackhole List to be used to filter unwanted emails.

The administrator-level lists override the user-level lists in a top-down manner: global lists first, policy set lists next, and lastly user-level lists. For example, if the same address is added to a user-level Allow list and the policy set Deny list, the address is always denied.

At the same level, the Allow list overrides the Deny list. For example, if you designate a range of email addresses (for example, by designating an entire domain) in the Deny list, but then designate a single email address from that domain in the Allow list, the email from that single address will always be accepted, while the email from any other address in the domain in the Deny list will always be denied.

The same address string cannot be added multiple times in the same list or added to both the Allow and Deny lists. Be aware that emails that have been quarantined by Email Protection may not need to be added to Deny lists because they are already being blocked from entering your email network.

Following are the types of Allow and Deny lists that are available in Email Protection:

Allow/Deny List Type: Description

Global Deny List: If your Email Protection provider determines that a Sending SMTP has sent too many invalid incoming emails within a specified time period, it will add the IP address for that Sending SMTP to a Global Deny List for a designated time period (default is 2 hours). During the denial period, all emails received from that Sending SMTP will be automatically denied. This process helps to protect against dictionary harvest and Denial of Service attacks. This process can be disabled at the system level.

Policy set-level Sender Deny Lists and Sender Allow Lists: Sender Deny lists indicate sender addresses from which email is denied automatically. Sender Allow lists indicate sender addresses from which email is allowed without spam, content, or attachment filtering (virus filtering is always enabled unless specifically disabled). You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. Each policy set affects the email filtering for all user accounts in the groups that are subscribed to that policy set.

User-level Deny Lists and Allow Lists: Maintained by you and/or the user, Deny lists indicate sender addresses from which email is denied automatically. Allow lists indicate sender addresses from which email is allowed without spam filtering (all other enabled filtering will be applied). You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. These lists affect only the emails received for the designated user account and its alias addresses (user-level lists).

Recipient Shield List: You can define a list of recipient email addresses for which you want to specify special email actions (for example, you want to deny all emails for a user who is an ex-employee). You can also specify the email action to take if the recipient email address is invalid in your system (permfailed by your email server as an invalid recipient).

Types of Outbound Email Filtering

You can add outbound filtering to each package, helping to ensure the safety and appropriateness of information being sent from your corporate email system to valued customers or business partners.

Filter Type: Description

Content Filtering: This feature automatically prevents inappropriate, malicious, or confidential content from leaving your corporate email system, allowing you to monitor and enforce your corporate email policies.

Attachment Filtering: Outbound attachments can be filtered by size, by MIME content type, or by binary content, according to your corporate email policies.

Virus Scanning: Outbound virus scanning stops viruses and worms from leaving your corporate email system, preventing your enterprise from being the source of email-borne viruses to customers, suppliers, and partners.
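The precedence rules from Multi-Level Allow and Deny Lists above, worked through as an added example (not the product's code): levels are evaluated top-down, Allow beats Deny within a level, and the filters that still run after an Allow match depend on the level. The entry syntax (address, bare domain, IP, "*" wildcard) and all sample entries are assumptions constructed for the illustration.

```python
from fnmatch import fnmatchcase

LEVELS = ("global", "policy", "user")          # evaluated top-down
ALL_FILTERS = ("virus", "spam", "content", "attachment")
# Filters skipped when an Allow entry matches, per the list descriptions above:
# policy-set Allow skips spam, content and attachment filtering; user-level
# Allow skips spam filtering only. Virus filtering stays on in this sketch.
ALLOW_SKIPS = {"policy": {"spam", "content", "attachment"}, "user": {"spam"}}

# Constructed sample lists (reserved example domains, documentation IPs).
LISTS = {
    "global": {"deny": ["203.0.113.7"]},
    "policy": {"allow": ["billing@partner.example"],
               "deny": ["partner.example", "*@bulk.example"]},
    "user": {"allow": ["news@bulk.example", "friend@mail.example"],
             "deny": ["noisy@mail.example"]},
}


def hit(entries, sender, ip):
    """True if any entry matches the sender address, its domain, or the IP."""
    candidates = (sender, sender.rsplit("@", 1)[-1], ip)
    return any(fnmatchcase(c, e.lower()) for e in entries for c in candidates)


def decide(sender, ip, lists=LISTS):
    """Return (verdict, deciding level, filters still applied)."""
    sender = sender.lower()
    for level in LEVELS:
        pair = lists.get(level, {})
        if hit(pair.get("allow", ()), sender, ip):   # Allow beats Deny here
            skipped = ALLOW_SKIPS.get(level, set())
            return ("allow", level, [f for f in ALL_FILTERS if f not in skipped])
        if hit(pair.get("deny", ()), sender, ip):
            return ("deny", level, [])
    return ("filter", None, list(ALL_FILTERS))       # no list entry applies


def validate(lists):
    """Report entries that break the 'no duplicates, not in both lists' rule."""
    problems = []
    for level, pair in lists.items():
        allow = [e.lower() for e in pair.get("allow", ())]
        deny = [e.lower() for e in pair.get("deny", ())]
        for name, entries in (("allow", allow), ("deny", deny)):
            dupes = sorted({e for e in entries if entries.count(e) > 1})
            problems += [f"{level}/{name}: duplicate {e}" for e in dupes]
        problems += [f"{level}: {e} is in both Allow and Deny"
                     for e in sorted(set(allow) & set(deny))]
    return problems


if __name__ == "__main__":
    for sender in ("billing@partner.example", "sales@partner.example",
                   "news@bulk.example", "friend@mail.example"):
        print(sender, decide(sender, "192.0.2.10"))
```

The news@bulk.example case is the one the guide calls out: a user-level Allow entry does not rescue a sender that the policy set Deny list already matches.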
Configurable Actions for Filtered Email

In Email Protection, email filtering policies control how emails are filtered within a specific Domain and how Email Protection will respond during email filtering and reporting. Depending on the feature package that is licensed for a domain, specific email filters will be available to be enabled and configured. Also, depending on the enabled email filter, various actions must be configured that define how Email Protection will respond if an email violates the specific filter policy.

Based on the defined policy configuration, each email that violated the specified policy can have any of the following actions taken, depending on the type of policy:

Action: Description

Quarantine: The email is added to the respective quarantine area and is not sent to the recipient email address. If the email violated a spam policy, the email is reported in the user's Spam Quarantine Report.

Tag: The subject line of the email has a descriptive phrase (for example, [SPAM]) added to the beginning of the subject text and the email is sent to the recipient email address.

Deny Delivery: The email is blocked automatically. Depending on the sending system's configuration, the email sender may or may not be notified with a 5xx Deny email.

Do Nothing or Allow Delivery: The email is forwarded to the recipient email address with no processing applied. The values in the reports and the Overview window will be incremented for the relevant email policy to indicate that an email did trigger the specific policy.

Silent Copy: A copy of the email is forwarded to a list of designated email addresses with no notification to the sender or recipient.

Strip Attachment: If the email had an attachment that violated configured policies, this action causes that attachment to be removed from the email and the email is sent to the recipient email address. Text is inserted into the email notifying the recipient that an attachment has been stripped. Only the attachment that violated the policy is stripped.

Clean: If the email had an attachment that contained a virus or worm, this action attempts to remove the virus or worm and preserve the attachment. If the clean is successful, text is inserted into the email notifying the recipient that an attachment had contained a virus and was cleaned. If this action is selected, a second fall-back action also must be designated in case the Clean action fails. This action is specific to the virus filtering policies.

Custom X-Header: If the email was determined to have a high or medium likelihood of being spam, you can configure that a custom X-header be inserted into the email. This X-header can be used by your email servers to perform additional actions within your network, such as redirecting the email. Each spam likelihood can have a different custom X-header. This action is specific to the spam filtering policies.

Disable Filter: A non-administrator user cannot disable virus filtering if it is licensed and enabled for a specific Domain or policy set. Only Administrators can enable or disable virus filtering for a specific Domain or policy set.

You can designate that Email Protection first attempts to remove the virus from an infected attachment and, if the clean fails, performs another action. You can designate that only the infected attachment is stripped and the remaining email contents and attachments are sent to the recipient.
User-level Policy Configurations Email Protection Administrator Guide Notifications for Filtered Email You can enable or disable email notifications to the sender and/or recipient email addresses of email that was filtered because of virus, content keywords, or attachment. For more information, see one of the following: Set Email Protection to Notify Users about Emails with Viruses Notify Users about Spam Content Notify Users about Attachment Violations User-level Policy Configurations By default, policy configurations are defined for each domain and group. All emails received for all user accounts within a domain or group are processed using the same policy configurations. Optionally, user-level policy configurations can be defined for individual users that override the Domain/Group policies. Thus, if there is a conflict between a user-level policy and any of the other types of policy configurations, the user-level policy setting will be used. These user-level policy configurations allow customization of email actions for each user. User-level policies are confined to the following policies: Enable or disable email processing for spam, virus, content keyword, attachments, and/or HTML content. Specify actions to take for emails if they are determined to have a high or medium likelihood of being spam. Configure the spam quarantine reporting To manage the policy for an individual user, see User-Level Policy Configuration. To establish user control of policies, see Set up Spam Quarantine Reports. User also can have some control over their policies. Quarantine Email Protection provides multiple quarantine areas with different security accesses to store and support review of suspect email outside of your email network. 
Emails that violate configured policies and that have the Quarantine action applied are sorted into multiple quarantines to ease email management and support security levels: Spam Quarantined Messages Accessible to all users, with users with role of User or Reports Manager allowed to access only their own personal spam quarantine 10 Proprietary: Not for use or disclosure outside McAfee without written permission. November 2012
Customizing the Interface Virus Quarantined Messages Accessible to only Administrators and Quarantine Managers Attachment Quarantined Messages Accessible to only Administrators and Quarantine Managers Content Keyword Quarantined Messages Accessible to only Administrators and Quarantine Managers Within each quarantine, you can do any of the following: Delete selected emails or all emails Release selected emails or all emails for delivery to the recipient View selected email in a Safe View window Add the sender email addresses to the recipients user-level Allow list and release the emails (available only for quarantined spam emails) Emailed Reports of Quarantined Spam Emails Optionally, emails are sent to users to indicate that spam emails that have been quarantined, using either of the following types of emails: Spam Quarantine Report Spam Quarantine Reports are HTML-based email notifications of quarantined spam emails that sent to users. Multiple links in the Reports allow management of quarantined spam email based on policy set-level and user-level configurable control settings. When the user clicks a link, the designated action is performed and the user is automatically logged into the Control Console. Spam Quarantine Summary Spam Quarantine Summaries are optional text-based email notifications of quarantined spam email sent to users, to support email applications that are not HTML-compatible. The user clicks the link provided in the email and is automatically logged into the Control Console. Once logged in, the user can navigate to the relevant window to manage the spam quarantine and modify personal settings. Customizing the Interface Licensed Branding There are multiple branding levels that control the appearance and URL addresses used within the Control Console and Spam Quarantine Reports and Summaries: Standard Branding uses images and addresses provided by your service provider. Private You control the images and addresses. 
- Cobrand Branding uses images provided by you and your service provider, and addresses provided by you.
- White Label Branding uses no identifying images and uses addresses provided by you.
Branding levels other than Standard must be licensed separately. For more information, see Rebrand Your User Interface in Account Management Administrator Guide.

Language Localization

Within the Control Console, windows and features available to the non-administrative user (whose role is User) can be provided in translated form supporting multiple languages. When the user logs in via the log on window, he or she can select the desired language in the Language field. Thereafter, all spam quarantine reporting emails and window and field labels will be provided in the designated language.

The following languages are supported: Brazilian Portuguese, Chinese Simplified, Chinese Traditional, Danish, Dutch, English, Finnish, French, German, Italian, Japanese, Korean, Norwegian, Portuguese, Russian, Spanish, Swedish, Turkish.

This feature is available only to non-administrative user accounts. This feature must be enabled at the system level to be available.

As a Customer Administrator, you can set the language for a user on the user's Preferences window. See Set User Display Preferences, Including Your Own in Account Management Administrator Guide.

Outbound Disclaimer

You can define text that will be appended to the email content to support liability or legal requirements for your organization. Every email that is sent from your organization to Email Protection for email filtering will have the designated text added to the end of the email content. This feature requires that outbound filtering be licensed.
See Add an Outbound Email Disclaimer.

Notifications

You can customize the content of the notification email for each combination of the type of filter and each type of email action (quarantine, deny, or strip). See Define the Format and Text of Notifications to Users.

Monitoring and Reporting

Email Protection provides near-real-time monitoring for most reports of system usage, email filtering, etc., for the designated Domain and date or date range. Report data can be downloaded to a Microsoft Excel spreadsheet file (*.csv). There are multiple reports available for viewing in the Control Console. For more information, see System Reports.

Optional Utilities

Your service provider provides additional, free tools that provide additional support for your email network.

Spam Control for Outlook

If you receive email that you feel should have been filtered as spam, you can use the Spam Control for Outlook plug-in. The Spam Control for Outlook plug-in automatically packages the email data, forwards it to your service provider's Threat Center, and then deletes it from your Microsoft Outlook mailbox. This utility only works for the Outlook mail client.
Disaster Recovery Services

Fail Safe

The Fail Safe Disaster Recovery Service provides protection against lost emails when your inbound email server (a.k.a. Customer MTA server) is unavailable to receive email. If you have multiple inbound servers configured in Email Protection, all of these servers must be unavailable before Fail Safe is invoked.

When your inbound servers become unavailable, Fail Safe begins spooling email, which means Fail Safe stores your emails in a temporary location until your inbound server becomes available. Once any of your inbound servers becomes available, Fail Safe begins unspooling the emails. That is, Fail Safe restores these stored emails to the inbound server in first in, first out order. The messages Fail Safe stores are not available until the messages have been unspooled.

Fail Safe has an unlimited amount of storage capacity but removes messages that have been in Fail Safe storage for more than 5 days. For more information, see Administer Disaster Recovery Services.

Email Continuity

Email Continuity saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Email Continuity delivers the messages. Users can access their messages through a Web-based interface while messages are in Email Continuity only.

Email Continuity also has unlimited storage capacity and removes messages that have been in Email Continuity storage for more than 60 days. For more information, see Administer Disaster Recovery Services.
2. Access Email Protection Administration

As a customer of Email Protection, you can have administrators who access the Control Console with different levels of privileges within Account Management and Email Protection.

Who Can Access Email Protection Administration windows

The levels of administrative users you can add are as follows:

- Reports Manager: The Reports Manager can view, for an assigned domain, reports available with Email Protection. The Reports Manager can also manage his or her own user preferences and all other tasks a user can perform.
- Group Administrator: The Group Administrator can add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create, edit, and modify Email Protection policies for the assigned groups. Finally, a Group Administrator can view user lists and user details. A Group Administrator does not need to be a member of a group in order to have these capabilities. Note: A Group Administrator cannot add or remove a group nor edit user information.
- Quarantine Manager: The Quarantine Manager, for an assigned domain, can manage the same areas as a Reports Manager, plus manage, for the assigned domain, all users' Quarantine for spam and other problematic messages, only if Email Protection is enabled.
- Domain Administrator: The Domain Administrator, for an assigned domain, can manage the same areas as a Quarantine Manager, plus manage server setup and authentication rules for the domain.
- Customer Administrator: The Customer Administrator can manage all aspects of the customer's Account Management for all domains.
- Group Administrator: The Group Administrator can, within the Group Administrator's assigned domain, add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create and modify Email Protection policies for the assigned groups.
A Group Administrator does not need to be a member of a group in order to have these capabilities.
The following figure summarizes the levels of administrators, plus users, in an Email Protection configuration.

Table 1: Email Protection Window Access Privileges

| Window Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator |
|---|---|---|---|---|---|
| Overview | No | Yes | Yes | No | No |
| Policies tab | | | | | |
| Policy Sets | No | Yes | No | No | Yes |
| Anti-virus: Action | No | Yes | No | No | Yes |
| Anti-virus: Notifications | No | Yes | No | No | Yes |
| Anti-SPAM: Classification | No | Yes | No | No | Yes |
| Anti-SPAM: Content Groups | No | Yes | No | No | Yes |
| Anti-SPAM: Reporting | No | Yes | No | No | Yes |
| Content: Content Groups | No | Yes | No | No | Yes |
| Window Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator |
|---|---|---|---|---|---|
| Content: Custom Content Groups | No | Yes | No | No | Yes |
| Content: Notifications | No | Yes | No | No | Yes |
| Content: HTML Shield | No | Yes | No | No | Yes |
| Content: Click Protect | | Yes | No | No | Yes |
| Attachments: File Types | No | Yes | No | No | Yes |
| Attachments: File Name Policies | No | Yes | No | No | Yes |
| Attachments: Additional Policies | No | Yes | No | No | Yes |
| Attachments: Additional Notifications | No | Yes | No | No | Yes |
| Allow/Deny: Sender Allow | No | Yes | No | No | Yes |
| Allow/Deny: Sender Deny | No | Yes | No | No | Yes |
| Allow/Deny: Recipient Shield | No | Yes | No | No | Yes |
| Enforced TLS: Actions | No | Yes | No | No | Yes |
| Enforced TLS: Notifications | No | Yes | No | No | Yes |
| Notifications: Content | No | Yes | No | No | Yes |
| Notifications: Attachment | No | Yes | No | No | Yes |
| Group Subscriptions | No | Yes | No | No | Yes |
| Disaster Recovery | | Yes | No | No | Yes |
| Quarantine Tab | No | Yes | Yes | Yes | No |
| Setup Tab | No | | | | |
| Window Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator |
|---|---|---|---|---|---|
| Inbound Servers Setup | No | Yes | Yes | No | No |
| Outbound Servers Setup | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No |
| Outbound Disclaimer | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No |
| Disaster Recovery Setup | Yes. Either FailSafe or Email Continuity must be enabled or included in your package. | Yes | Yes | No | No |
| MX Records Setup | No | Yes | Yes | No | No |
| User Creation Settings | No | Yes | No | No | No |
| Reports tab | | | | | |
| Traffic Overview | No | Yes | Yes | Yes | No |
| Threats Overview | No | Yes | Yes | Yes | No |
| Threats: Viruses | No | Yes | Yes | Yes | No |
| Threats: Spam | No | Yes | Yes | Yes | No |
| Threats: Content | No | Yes | Yes | Yes | No |
| Threats: Attachments | No | Yes | Yes | Yes | No |
| ClickProtect: Overview | No | Yes | Yes | Yes | No |
| ClickProtect: Click Log | No | Yes | Yes | Yes | No |
| Window Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator |
|---|---|---|---|---|---|
| Quarantine: Release Overview | No | Yes | Yes | Yes | No |
| Quarantine: Release Log | No | Yes | Yes | Yes | No |
| User Activity | No | Yes | Yes | Yes | No |
| Event Log | No | Yes | Yes | Yes | No |
| Audit Trail | No | Yes | Yes | Yes | No |
| Inbound Server Connections | No | Yes | Yes | Yes | No |
| Disaster Recovery: Overview | Yes. Either FailSafe or Email Continuity must be enabled. | Yes | Yes | Yes | No |
| Disaster Recovery: Event Log | Yes. Either FailSafe or Email Continuity must be enabled. | Yes | Yes | Yes | No |

Other Documents You Might Need

Account Management is a self-contained subset of windows you access on the Control Console. You use it in conjunction with the administration windows for the previously mentioned products. For information on administering these products, see the online help in the Control Console or the documentation as listed below.

Email Protection Documents

- Email Protection Concepts Guide
- Email Protection Quick Start
- Intelligent Routing User Guide
- Email Continuity Administrator Quick Start Guide
Web Protection Service Documents

- Web Protection Service Quick Start
- WDS Connector Installation Guide

Message Archiving Documents

- Message Archiving Administrator Guide
- Message Archiving Quick Setup Guide for Microsoft Exchange Server 2000
- Message Archiving Quick Setup Guide for Microsoft Exchange Server 2003
- Message Archiving Quick Setup Guide for Microsoft Exchange Server 2007

User Guides

In addition, a variety of guides for your users are available. These are:

- Email Protection User Guide
- Message Archiving User Guide
- Spam Control for Outlook
- Email Continuity User Quick Start Guide

Ensure You Can Receive Email from Your Service Provider

If you had or still have a different email security or filtering service and your network is administered so that you can receive email only from IP addresses associated with that security service, you must administer your network to allow incoming email from the Control Console servers. For example, a port in your company's firewall may need to be enabled to receive email from the IP addresses of the Control Console servers. This enablement is necessary in order for you and your users to set the initial password for access to the Control Console.

Log on to the Control Console

To manage your account, you must log on to the Control Console with the following steps.

Note: The first time you log on, you might need to create your password. If so, see Reset Your Password from the log on window.

1 Open a browser on your computer and enter the URL for the Control Console.
  The URL should be identified in the Service Activation Guide you received from your provisioner. If you don't have the URL, contact your sales representative or Customer Support.
2 At the Control Console log on window, enter your email address and password.
3 Click Sign in.
  If you have not previously entered an answer to a security question, the Security Question window pops up. The answer to the security question is used to validate you, the user, if you forget your password. You can later change your security question and/or security answer on the Preferences window of your user account. See Set User Display Preferences, Including Your Own in Account Management Administrator Guide.
4 Select a security question and type the answer. Your answer is not case-sensitive.

Note: If you also use Email Protection, you can also log on to the Control Console from a Spam Quarantine Report.

Reset Your Password from the log on window

Note: This capability may not be available if the user authentication method is set to LDAP, POP3, or IMAP or if the ability to change passwords has been disabled at the system level.

If you forget your password or want to reset it, perform the following steps:

1 On the log on window, click the Forgot your password or need to create a password? link.
  The following window is displayed.
2 In the Username field, type your email address.
3 Do one of the following:
  - If your email address is working and you are already receiving email, select Email password information to me.
  - If your email address is not working, select Email password information to my Domain Contact. Your Domain Contact might be your administrator or another person your administrator defined for your domain within the Control Console. Check with your administrator on who that person is.
4 Click Next.
  - If you selected the option for your email, your email application receives an email momentarily with further instructions. Continue with Step 5.
  - If you selected the option to email a Domain Contact, that person receives an email from which the person can reset your password. The person can also forward the message to an alternative email address you might have. Contact that person for the password, then try to log on again. You are finished with this procedure.
5 If you selected the option to email information to you, open the email in your email application.
  The email subject line says Control Console Sign in Information. The email is similar to the following:
6 Click the link in the email.
  The link is active for only a limited time after the email is sent (typically, 60 minutes).
7 If you previously had selected a security question, the security question is displayed. If you had not previously selected a security question, select a question from the Security Question drop-down menu.
8 Type the answer to the question in the Security Answer field.
9 For the Security Question field, click Change if you need to change the security question or answer.
  You must answer this question when you forget your password or need to reset it. The Security Question and Security Answer fields are displayed. Select a question from the Security Question drop-down menu, then type an answer.
10 In the Password field, type a password. The password must comply with the following rules:
  - Length must be a minimum of 8 characters.
  - Alphabetical, numeric, and special character types are allowed.
  - There must be at least one character that differs in character type (alphabetical, numeric, or special) from the majority of characters. Thus, if the password contains mostly alphabetical characters, then at least one character must be either a special character or numeric. For example, majordude is invalid, but majordude9 is valid.
  - Allowed special characters are: left parenthesis ( ( ), ampersand ( & ), right bracket ( ] ), right parenthesis ( ) ), asterisk ( * ), colon ( : ), apostrophe ( ` ), hyphen ( - ), semicolon ( ; ), tilde ( ~ ), plus sign ( + ), double quotes ( " ), exclamation ( ! ), equals sign ( = ), single quotes ( ' ), @, bar ( | ), less than sign ( < ), hash ( # ), backslash ( \ ), greater than sign ( > ), dollar sign ( $ ), left curly bracket ( { ), period ( . ), percentage sign ( % ), right curly bracket ( } ), question mark ( ? ), caret ( ^ ), left bracket ( [ ).
  - Spaces are not allowed.
  - Passwords are case-sensitive (for example, Password, password, and PASSword would be different passwords).
  - Make sure you can remember your password, but do not use obvious passwords (for example, password, your name, or a family member's name).
  - Keep your password safe and private.
11 Retype your password in the Confirm Password field.
12 Click Save.
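The password rules in step 10 can be checked mechanically. The following is an added example, not code from the guide or from the Control Console; the function names and rule codes are hypothetical, and it assumes that only ASCII letters and digits count as alphabetical and numeric and that any special character missing from the guide's list is rejected.

```python
import string
from collections import Counter

MIN_LENGTH = 8
# Special characters named in the guide's list. Comma, slash and underscore
# are not in that list, so this sketch rejects them (assumption).
ALLOWED_SPECIALS = set("()&]*:`-;~+\"!='@|<#\\>${.%}?^[")


def char_type(ch):
    """Classify one character, or return None if the policy does not allow it."""
    if ch in string.ascii_letters:
        return "alphabetical"
    if ch in string.digits:
        return "numeric"
    if ch in ALLOWED_SPECIALS:
        return "special"
    return None


def password_violations(password):
    """Return the rule codes the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if " " in password:
        problems.append("contains_space")

    counts = Counter()
    disallowed = False
    for ch in password:
        kind = char_type(ch)
        if kind is None:
            # Spaces are already reported by their own rule above.
            disallowed = disallowed or ch != " "
        else:
            counts[kind] += 1
    if disallowed:
        problems.append("disallowed_character")

    # Majority rule: at least one character must be of a different type
    # than the most common type in the password.
    if counts:
        _majority_type, majority_count = counts.most_common(1)[0]
        if majority_count == sum(counts.values()):
            problems.append("single_character_type")
    return problems


# Constructed sample inputs; the first two are the guide's own examples.
SAMPLES = ["majordude", "majordude9", "major dude9", "m4j0r!",
           "majordude_9", "password1"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(repr(candidate), password_violations(candidate) or "compliant")
```

Note that password1 passes every composition rule, so the guide's advice to avoid obvious passwords is not something these rules enforce by themselves.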
3. Check the Status of Email Protection on the Overview

The Overview window provides the following high-level information about the email traffic to your domain over the previous 24 hours:

- Disaster recovery information
- News and update information

Customer Administrators will see the information for all the domains in the customer where the role was defined. Domain Administrators will see the information for only the domain where the role was defined.

1 Select Email Protection > Overview.
  The Overview window is displayed with the initial view.
2 Click Display Statistics.
  The Overview window is displayed with the complete view.
The sections on the window provide the following information:

Section: Description

- Inbound 24-Hour Snap Shot: Displays a 24-hour snapshot of inbound email traffic:
  - Messages: Number of inbound messages processed
  - Avg Size: Average size of inbound messages, including attachments
  - Bandwidth: Average bandwidth used by inbound messages
  - Viruses: Number of inbound emails that contained viruses
  - Spam: Number of inbound emails that were potentially spam
  - Quarantined: Total number of inbound emails that were quarantined for any reason, including spam, virus, etc.
- Outbound 24-Hour Snap Shot: Displays a 24-hour snapshot of the domain's or Customer's outbound email traffic:
  - Messages: Number of outbound messages processed
  - Avg Size: Average size of outbound messages, including attachments
  - Bandwidth: Average bandwidth used by outbound messages
  - Viruses: Number of outbound emails that contained viruses
  - Quarantined: Total number of outbound emails that were quarantined for any reason, including viruses.
- Traffic (Last 24 Hours {timezone}): Displays a graph of traffic volume for the last 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.
- Policy Enforcement (Last 24 Hours {timezone}): Displays the percentage of messages that had the different email actions applied (for example, stripped, blocked, tagged, quarantined, cleaned, or normally delivered) over the past 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.
- Disaster Recovery Current Status: Displays domains that are currently in Disaster Recovery. Email Protection is currently spooling the specified domain's email.
- Disaster Recovery Activity (Last 24 Hours): Displays how many emails were spooled and unspooled by Fail Safe for all domains in the indicated Customer during the last 24 hours of the designated time zone.
  - Spooled Messages: Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them.
  - Unspooled Messages: Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them.
- What's New: Displays a list of new information available about Email Protection. Depending on the configuration, this section may be blank or may contain different information.
- News:
Displays any updates on current email threats and other important email security news (links). Click the desired link to view the complete information. Depending on the configuration, this section may be blank or may contain different information.
4. Set up Your Servers

This section describes how to ensure your inbound and outbound servers are set up correctly for Email Protection.

Confirm Your Inbound Servers Setup

Email Protection filters email destined for your inbound Simple Mail Transfer Protocol (SMTP) email server or servers. Your provisioner should have already defined one or more SMTP servers in the Control Console. To confirm that these servers are defined, perform the following steps:

1 Click Email Protection > Setup.
2 From the domain drop-down menu on the Setup window, select the domain whose SMTP server you want to check.
  The SMTP Host Address field displays the domain name(s) or IP address(es) for the domain's SMTP server. In our example, domain denver.acme.com has an SMTP server with a domain name of mail1.denver.acme.com. The Inbound Servers Setup window is displayed.
3 Ensure the SMTP servers listed are valid and correct.
4 Ensure that all other information on the window is correct, and select Save.
5 Repeat steps 2 through 4 for any other domains in your network.

Set up Additional Inbound Servers

You can configure additional inbound servers to receive inbound email from Email Protection for the designated domain. All servers for a domain that receive inbound email from Email Protection must be configured on the Inbound Servers Setup window.
Any server addresses designated here must be valid and available for connection from Email Protection. After the Save Changes button is clicked, Email Protection immediately routes email to the active servers.

1 Click Email Protection > Setup.
2 From the domain drop-down menu, select the domain whose SMTP server you want to add.
3 Click Add New Host.
  A new set of fields appears for the server.
4 In the SMTP Host Address field, type the fully qualified DNS name or IP address of the server host being configured. CIDR notation is not allowed.
  If you do not have a registered and valid DNS name for your email servers, you must enter the IP addresses of each server.
5 In the Port field, type the port on the server to which Email Protection will connect. The default value is 25.
6 In the Preference field, type the number indicating order of connection preference between multiple servers.
  Email Protection attempts to connect first to the server with the lowest preference number. If that server is not available (either down or too busy), Email Protection tries the server with the next lowest preference number, and so on. If multiple servers have the same preference number, Email Protection will randomly route the email delivery between them.
7 Click the Active checkbox to allow the server to immediately start accepting email traffic.
  Caution: If all servers are set to inactive, all emails received for this domain will be tempfailed.
8 Click Save.

Delete an Inbound Server

To delete an inbound server, perform the following steps:

1 Access the appropriate domain on the Inbound Server Setup window.
2 Click the Delete checkbox next to the server you want to delete.
3 Click Save.
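The Preference and Active settings described under Set up Additional Inbound Servers determine where a message goes when a server is down or disabled. The following is an added example that models those rules; it is not Email Protection's own routing code, the function names and result labels are hypothetical, and every host except mail1.denver.acme.com is constructed.

```python
import random


def delivery_order(servers, rng=random):
    """Order in which active servers are tried.

    Lowest preference number first; servers that share a preference number
    are shuffled, which models the random routing between equal entries.
    Inactive servers are never tried.
    """
    tiers = {}
    for server in servers:
        if server["active"]:
            tiers.setdefault(server["preference"], []).append(server)
    order = []
    for preference in sorted(tiers):
        tier = list(tiers[preference])
        rng.shuffle(tier)
        order.extend(tier)
    return order


def route(servers, reachable, rng=random):
    """Decide what happens to one inbound message.

    reachable is the set of hosts currently accepting connections.
    Returns ("deliver", host), ("tempfail", None) when every server is set
    to inactive, or ("all_unavailable", None) when active servers exist but
    none can be reached (the condition under which Fail Safe, if part of
    the service, starts spooling).
    """
    order = delivery_order(servers, rng)
    if not order:
        return ("tempfail", None)
    for server in order:
        if server["host"] in reachable:
            return ("deliver", server["host"])
    return ("all_unavailable", None)


# Constructed configuration for the guide's example domain denver.acme.com.
SERVERS = [
    {"host": "standby.denver.acme.com", "port": 25, "preference": 5, "active": False},
    {"host": "mail1.denver.acme.com", "port": 25, "preference": 10, "active": True},
    {"host": "mail2.denver.acme.com", "port": 25, "preference": 20, "active": True},
    {"host": "mail3.denver.acme.com", "port": 25, "preference": 20, "active": True},
]

if __name__ == "__main__":
    everyone_up = {s["host"] for s in SERVERS}
    print(route(SERVERS, everyone_up))
    print(route(SERVERS, everyone_up - {"mail1.denver.acme.com"}))
    print(route(SERVERS, set()))
    print(route([dict(s, active=False) for s in SERVERS], everyone_up))
```

The inactive standby entry is skipped even though it has the lowest preference number, which is worth checking when a server is disabled for maintenance and then forgotten.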
Add IP Address of Outbound Server, If Necessary

If your service includes Outbound Message filtering, you must identify one or more outbound mail servers through which your users send outgoing mail. While your outbound server might use a Domain Name Server (DNS) name within your network (for example, lewisoutbound.acme.com), you identify the outbound server within Email Protection with an IP address (for example, 111.222.111.0). Alternatively, you can specify a Classless Inter-domain Routing (CIDR) address for a range of outbound servers (for example, 111.222.111.0/27) only. The address must be a public address.

Any server addresses designated here must be valid and available for a connection. After the Save Changes button is clicked, Email Protection immediately accepts email traffic from the active servers.

Note: If email is received from an outbound server that is not configured in the Email Protection system, it will be refused. If no outbound package has been designated for the selected domain, this window is unavailable.

1 Click Email Protection > Setup > Outbound Servers.
  The Outbound Server Setup window is displayed.
2 Click Add New Address, and add the address of the outbound server.
3 Click Save Changes.
4 Record the address listed under Recommended Smart Host Server Settings. You should use this address to perform the next task, Set up a Smart Host (If Outbound Mail Defense is Turned on).

Important: You or your network administrator should also do the following before or immediately after adding your outbound server(s):

- Update Sender Policy Framework (SPF) records on your mail server(s) to ensure only authorized sources are sending outbound email.
- Scan your network for open relays, viruses and malware.
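The address rules above (an IP address or CIDR range rather than a DNS name, public addresses only, and refusal of mail from any source that is not configured) can be checked against a planned list before it is entered. The following is an added example, not the product's validation logic; the function names are hypothetical and every entry other than the guide's 111.222.111.0/27 and lewisoutbound.acme.com is constructed.

```python
import ipaddress


def parse_outbound_entry(text):
    """Parse one outbound server entry: a single public IP or a public CIDR range.

    Raises ValueError for DNS names, misaligned CIDR ranges (host bits set)
    and addresses that are not publicly routable.
    """
    try:
        network = ipaddress.ip_network(text.strip(), strict=True)
    except ValueError as exc:
        raise ValueError(f"{text!r} is not an IP address or aligned CIDR range: {exc}") from None
    # Both ends of the range must be public for the whole range to be public.
    if not (network.network_address.is_global and network.broadcast_address.is_global):
        raise ValueError(f"{text!r} is not a public address")
    return network


def load_allow_list(entries):
    """Split entries into parsed networks and a dict of entry -> rejection reason."""
    accepted, rejected = [], {}
    for entry in entries:
        try:
            accepted.append(parse_outbound_entry(entry))
        except ValueError as exc:
            rejected[entry] = str(exc)
    return accepted, rejected


def accepts(allow_list, source_ip):
    """True if a connection from source_ip matches a configured outbound entry."""
    address = ipaddress.ip_address(source_ip)
    return any(address in network for network in allow_list)


# Constructed list of candidate entries.
ENTRIES = [
    "111.222.111.0/27",        # the guide's CIDR example: hosts .0 through .31
    "111.222.111.40",          # single address (constructed)
    "lewisoutbound.acme.com",  # DNS name: must be entered as an IP instead
    "10.1.2.0/24",             # private range: not a public address
    "111.222.111.5/27",        # host bits set: not a valid range
]

if __name__ == "__main__":
    allow_list, rejected = load_allow_list(ENTRIES)
    for entry, reason in rejected.items():
        print("rejected:", reason)
    for source in ["111.222.111.17", "111.222.111.32", "111.222.111.40"]:
        print(source, "accepted" if accepts(allow_list, source) else "refused")
```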
Delete an Outbound Server

To delete an outbound server, perform the following steps:

1 Access the appropriate domain on the Outbound Server Setup window.
2 Click the Delete checkbox next to the server you want to delete.
3 Click Save Changes.

Set up a Smart Host (If Outbound Mail Defense is Turned on)

To ensure that your outbound email is filtered, you must designate, for each of your outbound mail servers, an Email Protection server as your Smart Host. Your outbound email is then relayed through Email Protection before continuing to its final destinations. The outbound Smart Host address is listed at the bottom of the Outbound Server Setup window, or you can refer to your Service Activation Guide for more details.

Note: This task is performed on your outbound email server or servers, on your network router, or on some other server, depending on your network's configuration.

Add an Outbound Email Disclaimer

You can create and assign text that will be appended to all outgoing emails that are filtered by Email Protection for the designated domain. For example, you might want to specify that the email sent from your company is the property of your company with all rights reserved.

Note: If no outbound package has been designated for the selected Domain, this window is unavailable.

1 Click Email Protection > Setup > Outbound Servers.
  The Outbound Server Setup window is displayed.
2 Click Display disclaimer in outbound email messages.
3 In the Disclaimer Text field, type the text of the disclaimer. A maximum of 1000 characters is allowed.
4 Click Save.

Redirect Your MX Records

The Mail Exchange (MX) record for each of your mail servers is a specification within a Domain Name Server (DNS Server) operated by your Internet Service Provider (ISP). Each MX record specifies a host name and preference that determines where and how your ISP routes your company's email.

Your MX record or records at your ISP must be changed to fully-qualified domain names (for example, denver.acme.com) within the Email Protection network. These changes allow Email Protection to filter your email before it arrives at your company's mail servers.

Your Network Administrator or Domain Registrar is typically the individual responsible for making these changes. The information necessary for your company to make these changes is provided in your Email Protection Activation Guide, which you receive when you first sign up for service.
Check Your MX Record

Be aware that because of the nature of the Internet, it may take several days for your MX record redirect to propagate to all the email servers that may be sending email to your email server. During that time, your email server may still receive email directly from those email servers until they are updated with your latest MX record information.

The MX Record Analysis window allows you to query Email Protection or your company's Authoritative DNS Name Server for the MX Records that are recognized for the SMTP server names for a domain. You can then confirm that all the IP records that are configured for your domain's MX Records are correctly redirected to Email Protection. The analysis indicates the following:

- All Authoritative Name Servers for the entered DNS name
- All MX Records that are recognized by the Authoritative Name Servers (this process retrieves all the MX Records for a given domain)
- Whether the hostname for each MX Record is a valid hostname, an outdated hostname that will work but should be updated, or an unrecognized hostname which may be allowing email to be routed around Email Protection

This window also indicates the recommended values (using the default values configured at the system level for Email Protection) to assist you in determining whether your MX Records are redirected correctly. For example, if all the SMTP servers defined for a domain do not show the same information, this can indicate that your MX Records are not defined correctly.

Note: This feature must be enabled at the system level to be available in Email Protection.

1 Click Email Protection > Setup > MX Records.
  The MX Record Analysis window is displayed.
  By default, the window shows the results of a DNS lookup by Email Protection on the IP addresses you submitted to your Internet Service Provider. The column headings show the following:

  Field: Description

  - MX Record Analysis Results for: The domain for which a DNS lookup was performed.
  - MX Records returned by: The name of the DNS server, which can be the DNS server of your Email Protection provider or a DNS server from your company, if selected.

  Under each MX Records returned by heading, MX records should be listed that were set by your Internet Service Provider, along with the priority preference of the record, and the status of the MX record:

  - Valid: MX Record is current and fully authenticated.
  - Valid - recommend update: MX Record uses an older hostname standard. It still works, but it is recommended that you update to the current hostname standard.
  - Unrecognized: MX Record could not be authenticated and may be allowing email to enter your system bypassing Email Protection. This situation, if occurring within 72 hours of the MX Record change, may indicate the changes are not yet complete.
2 Check the Recommended MX Record Settings. This section indicates a list of typical MX Record configurations using the system-defined default values and the currently selected domain name. Note that this list may not match your actual MX Record configurations. These values are configured at the system level.

You can alternatively enter a fully-qualified DNS Server name at your company in the Target Authoritative Name Server field, then click Analyze. This capability is helpful if the default display of MX records appears to be incomplete or in error. Similar results to those returned by the Email Protection provider's DNS Server might occur.

Note: You can also select the View only this name server link to reduce the number of DNS server lists of MX Records. Click the View all name servers link to list all DNS servers again.

Set up User Creation Mode: SMTP Discovery or Explicit

Note: This procedure applies only if your service includes Email Protection.

Explicit user creation means that you must add user email addresses using one of the methods that are described later.

SMTP Discovery means that users are created automatically based on SMTP transactions. That is, several incoming email messages to a user indicate that the user exists for the customer. As a result, Email Protection creates that user in the Control Console. SMTP Discovery is the default setting for a new customer, such that at initial startup of service, users might be created in the Control Console without any administration by you, the Customer Administrator.

Note: Only messages delivered to recipient email addresses in a primary domain are counted for the purpose of user creation. Messages sent to recipient email addresses in alias domains are not counted. When the action is deny, the email is rejected and an error message is displayed to the sender.
If you use Directory Integration, explicit user creation is highly recommended.

To turn on Explicit User Creation, perform the following steps:

1 Click Email Protection Setup.
2 Click User Creation Settings.
3 Under the User Creation Mode heading, select Explicit.
4 Click Save.
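The status checks described under Check Your MX Record can also be run offline against saved DNS answers. The following is an added example, not part of the original guide or the product's own tooling; the hostname suffixes, name servers and MX answers are constructed placeholders, because the guide does not list the provider's hostnames.

```python
# Added example: classify MX answers collected from each authoritative
# name server and flag hosts that could let mail bypass the filtering service.
# Every hostname below is a constructed placeholder, not a real provider value.

CURRENT_SUFFIX = ".mxgw.example.net"   # assumed current hostname standard
LEGACY_SUFFIX = ".oldgw.example.net"   # assumed older, still-working standard

# Constructed answers in `priority hostname` form, one set per name server.
ANSWERS = {
    "ns1.example.com": "10 example-com.mxgw.example.net.\n"
                       "20 example-com.oldgw.example.net.\n",
    "ns2.example.com": "10 example-com.mxgw.example.net.\n"
                       "30 mail.example.com.\n",
}


def parse_mx(text):
    """Return sorted (priority, hostname) pairs; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def classify(host):
    """Map a hostname to the three statuses the guide describes."""
    # The leading dot in each suffix stops look-alike names from matching.
    if host.endswith(CURRENT_SUFFIX):
        return "Valid"
    if host.endswith(LEGACY_SUFFIX):
        return "Valid recommend update"
    return "Unrecognized"


def analyze(answers):
    """Classify every record and compare the name servers with each other."""
    per_ns = {ns: parse_mx(text) for ns, text in answers.items()}
    records = {
        ns: [(prio, host, classify(host)) for prio, host in recs]
        for ns, recs in per_ns.items()
    }
    # Name servers that disagree suggest the MX change is incomplete.
    consistent = len({tuple(recs) for recs in per_ns.values()}) <= 1
    unrecognized = sorted(
        {host for recs in per_ns.values() for _, host in recs
         if classify(host) == "Unrecognized"}
    )
    return {"records": records, "consistent": consistent,
            "unrecognized": unrecognized}


if __name__ == "__main__":
    report = analyze(ANSWERS)
    for ns, recs in report["records"].items():
        print("MX Records returned by", ns)
        for prio, host, status in recs:
            print(f"  {prio:>3} {host:<36} {status}")
    print("Name servers agree:", report["consistent"])
    print("Possible bypass hosts:", report["unrecognized"])
```

An unrecognized host that is still listed after the 72-hour window mentioned above is the case to investigate, since mail delivered to it is not filtered.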
5. Customize Inbound Mail Filters

Email Protection has default inbound and outbound mail filters to block and clean malicious email and to quarantine email that might be malicious. The filters are configured by using policies, which are the parameters for the filters. Default policies are automatically assigned to each of your domains. You can customize the default inbound policy for any and each domain, or any and each group, to fit your business needs.

To change customers, select the link in the upper right of the opened window. In the Select window, begin entering the name of the entity you want and select that entity when a list of entities appears.

Enterprise or Service Provider Customer

Important: This document is for use by Enterprise customers only.

The way in which custom policies are applied to your users varies depending on whether you are classified as a service provider or enterprise customer.

If you are a service provider customer, each domain can have one custom policy (see Figure 7).

If you are an enterprise customer, a single default policy applies to all domains. Thus, for an enterprise customer, you must create a group or groups of users, and for each group, you can create a custom policy. A group can be created according to domain membership (see Figure 8) or according to any other user characteristics that may apply across multiple domains (see Figure 9). For procedures, see Create a Group in Account Management Administrator Guide.

Note: Because a group defined by an enterprise customer can contain users from different domains, a group policy does not apply to a domain, but rather to the group of users to which it is defined. A custom group policy supersedes the default policy that is assigned to all domains.
Figure 6: Service Provider Custom Policy Assignment

Figure 7: Enterprise Custom Policy Assignment (Groups by Domain)
Figure 8: Enterprise Custom Policy Assignment (Groups by Other Attributes)

Create a Custom Policy (Enterprise Customer Only)

Important Note: It is assumed that all domains within an Enterprise Customer will have the same package assigned to them. If some domains have different packages, unexpected results may occur when a policy is applied to a group in which members reside within different domains.

1 Click Email Protection Policies Inbound Policies link.
2 Click New to launch the New Policy window. The New Policy Set fields are displayed.
Field / Description

Name
  Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy.

Owner
  The Owner heading indicates who can edit the policy. If the owner is Customer, only Customer Administrators can edit the policy. If the owner is Group, then Group Administrators assigned to that group, as well as Customer Administrators, can view or edit the policy.

Description
  Enter a description of the new policy set.

Direction
  From the drop-down menu, select the direction of email, inbound SMTP or outbound SMTP, for which this policy will be configured.

Copy From
  From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields.

Copy Sender Allow List
  Select to copy the Sender Allow list from the policy set selected in the Copy From field.

Copy Sender Deny List
  Select to copy the Sender Deny list from the policy set selected in the Copy From field.

Copy Recipient Shield List
  Select to copy the Recipient Shield list from the policy set selected in the Copy From field.

Copy ClickProtect Allow List
  Select to copy the ClickProtect Allow list from the policy set selected in the Copy From field.

3 Click Save. The Policy Sets list is updated with the new policy. You can now modify the new policy to meet your business needs.
Configure a Virus Filter

Email Protection uses multiple virus scanning applications to analyze email to determine if a virus may be present. In your custom policy, you can configure how Email Protection handles an email that contains a known virus.

Important Note: If an email is detected that contains a wide-spread worm or virus (for example, SoBig or MyDoom), Email Protection may automatically block that email, regardless of the settings in your custom policy.

To create a new policy content filter, perform the following steps:

1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Virus. The Actions window is displayed.
4 Complete the fields as described in the following table.

Field / Description
If a Message Contains a Virus
  Select an action Email Protection should take if an email contains a virus:
  - Do nothing: Email Protection sends the email to the recipient with no filtering or notification. Caution: This action is potentially hazardous because the email will still contain the virus.
  - Quarantine the message after attachment is stripped: Email Protection strips an infected attachment from the email and sends the email to quarantine with the message that an attachment had been stripped. Email Protection does not send a separate notification to the recipient.
  - Strip the attachment: Email Protection strips the infected attachment from the email and sends the email to the recipient. Email Protection inserts text into the email to notify the recipient that an attachment has been stripped.
  - Deny delivery: Email Protection denies delivery of the email.
  - Clean the message: Email Protection attempts to remove the virus content and save the remainder of the message. If successful, Email Protection sends the email to the recipient with the message that the email had been cleaned of a virus. If you select this action, you must also select an action for the If a Message Cannot be Cleaned field.

If a Message Cannot be Cleaned
  If you previously selected Clean the message, select an action Email Protection should take if Email Protection fails to clean an infected email:
  - Quarantine the message after attachment is stripped: The infected attachment is stripped from the email and the email is sent to the recipient's virus quarantine area without notification to the recipient. Text is inserted into the email indicating that an attachment has been stripped.
  - Strip the attachment: The infected attachment is stripped from the email and the email is sent to the recipient. Text is inserted into the email notifying the recipient that an attachment has been stripped.
  - Deny delivery: The email is denied delivery.
5 Click Save or click on the Notifications under the Virus tab.

Set Email Protection to Notify Users about Emails with Viruses

You can direct Email Protection to send notification emails to the recipient and/or sender when an email is filtered because it contained a known virus. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users.

Note: Virus notifications will not be sent out for emails that are infected with widespread viruses or worms (for example, SoBig or MyDoom). These notifications will be automatically disabled by Email Protection.

1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Virus.
4 Click Notifications.
5 Complete the following fields:

Field / Description

To the sender when a message is due to a virus infection
  Select one or more conditions that will cause Email Protection to send a notification email to the sender.
  - Quarantined: The infected email was quarantined.
  - Denied delivery: The infected email was denied delivery.
  - Stripped: The infected attachment was stripped and the email sent to the recipient.

To the recipient when a message is due to a virus infection
  Select one or more conditions that will cause Email Protection to send a notification email to the recipient.
  - Quarantined: The infected email was quarantined.
  - Denied delivery: The infected email was denied delivery.
  - Stripped: The infected attachment was stripped and the email sent to the recipient.

Configure a Spam Filter

Email Protection spam filtering uses a large number of filtering processes, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework to determine if email is spam. Based on this analysis, Email Protection gives each email a score. Three scores are used to determine the likelihood of spam and what actions should be taken. Those scores are:

- Medium likelihood if default settings are used. This email is normally quarantined for review.
- High likelihood if default settings are used. This email is normally quarantined for review.
- Critical likelihood. This spam is blocked.

If you specified an additional Realtime Blackhole List (RBL) in the Spam window of the assigned policy, the RBL can influence the spam score as well.

To configure a spam filter, you can perform the following tasks:

- Define the Action to Take on Spam
- Spam Content Groups Subtab
- Spam Reporting Subtab

Define the Action to Take on Spam

1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Spam. The Classification window is displayed.
4 Complete the following fields:

Field / Description
If a Message is Probably Spam (Medium likelihood) area
  Select an action Email Protection should take if an email has a spam score of 90% or higher:
  - Tag the message subject with [SPAM]: Email Protection adds the phrase [SPAM] to the beginning of the email's subject text and sends the email to the recipient.
  - Quarantine the message: Email Protection sends the email to quarantine.
  - Deny delivery: Email Protection denies delivery of the email.
  Note: Emails that have the following actions applied will be reported as Other in the Threats: Spam report.
  - Do nothing: Email Protection sends the email to the recipient with no filtering or notification.

If a Message is Probably Spam (High likelihood) area
  Select an action Email Protection should take if an email has a spam score of 99.9% or higher. These actions are the same as those for Medium likelihood.

5 Click More Options if you want to enable a Real-time Black Hole List. Otherwise, go to step 8.

Multiple real-time blackhole lists (RBLs) of known spammers are provided by the industry, from which Email Protection creates a single RBL indicator to assess the risk of an email originating from a known spammer. The use of multiple blackhole lists to create a single vote and rate the reputation of each RBL for accuracy helps to minimize the possibility of blocking a non-spammer by mistake.

6 If you clicked More Options, click the Enable Real Time Blackhole List (RBL) checkbox.

Note: You can also block spammers by completing a Sender Deny List under the policy's Allow/Deny option.

7 Click Save or click on Content Groups under Virus.

Define Additional Words That Indicate Spam

Email Protection spam content filtering controls spam by comparing the content (subject and body) of an email against predefined lists of keywords or phrases (spam content groups). You can define a custom spam content group that contains additional lists of keywords that are used to filter email as spam.
For each content group, you also define the action to take on email that contains a keyword. If the action is to send spam matches to quarantine, users who receive Spam Quarantine Reports can view the matching messages in the quarantine.

Note: A spam content group does not analyze the content within attachments.
The action for a content group you define overrides spam actions for Email Protection default spam filters. For example, if Email Protection determines that an email has a medium likelihood of being spam and also contains a keyword that is in your spam content group, the action defined for your spam content group is applied.

However, if you also define content filtering on the Content Content Groups window (see Configure a Content Filter), that content filter overrides the keyword filtering you define on the following Spam Content Groups window. In addition, spam identified by the Content Content Groups filter is accessible only by Quarantine Managers or higher level administrators. Users cannot view this spam.

1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Spam.
4 Click Content Groups.
5 Double-click the Content Group you wish to modify.
6 In the Group Name field, type the name of your spam content group. This name should summarize the kind of keywords you want Email Protection to look for. For example, you might want to identify musical terms, such as concert, music, rock, jazz, and so on, as spam. In this case, your group name might be music.
7 From the Action drop-down menu, select an action to take if an email matches a keyword:
  - None: The email is forwarded to the recipient email address.
  - Quarantine the message: The email is sent to the recipient's domain content quarantine area.
  - Deny Delivery: The email is denied delivery.
  - Allow: The email is sent to the recipient email address.
    Note: The Allow option is useful if you want to override standard Email Protection spam content filtering for particular keywords.
    Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam report.
  - Tag the message subject with "[SPAM]": The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.
  - Encrypt Message is also available for Outbound content groups, if the Customer has subscribed to Encryption.
  - Silent Copy allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.
8 Content: List the content keywords needed to define your Custom Content Group. In the Content field, type any keywords you want to search for in email. Use the following rules for entering keywords.
  - Each entry must be on its own line (separated by a hard return).
  - If an entry contains multiple words, the entire phrase is used as a literal string (as is). If individual words are desired, each word must be on its own line.
  - Letter-case (for example, upper case or lower case) is ignored.
  - The wildcards question mark (?) and asterisk (*) can be used to designate the following:
    - ? designates any single character, including white space characters (for example, menu, space, line break, etc.). For example, w?y would catch way, why, and w y.
    - * at the end of the string designates multiple characters until a white space character is encountered. For example, refi* would catch refinance, refinancing and refine.
    - * followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered. For example, refi*d would catch refinanced, but would also catch refinishing is a great way to save d.
  - If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, \* or \?). For example, why\? (without quotes) would catch the string why? and the question mark would not be used as a wildcard.
9 Click the Enable checkbox to turn on the spam content group.
10 Click Save for the new spam content group.
11 Click Save for the policy or continue to the Reporting tab.

To change a policy's existing spam content group, click Edit.
Set up Spam Quarantine Reports

When Email Protection scores email and determines that email might be problematic, but the email is not clearly a security risk, Email Protection places the email into quarantine. You can set up quarantine reports so that users can see which of their messages were filtered and placed in quarantine. You can also determine how much control users have over these reports, including:

- How reports are formatted
- How often reports are sent
- How Spam is filtered
- What actions users can take on quarantined email

See the Email Protection User Guide on how users might manage quarantine reports.

To set up quarantine reports for users, perform the following steps:

1 Click Email Protection Policies.
2 Select a policy set for which the quarantine reports will apply.
3 Click Spam Reporting.
4 Under the Enable Spam Quarantine Reporting for heading, select one of the following options:
  - All users: All user accounts associated with the policy set receive Spam Quarantine Reports.
    Note: Users must be able to log into the Control Console to manage their spam quarantine areas.
  - Selected users: Only those user accounts configured for Spam Quarantine Reports on the User Management windows receive the reports.
  - No users: No users associated with this policy set receive Spam Quarantine Reports.
5 Under the Default Settings heading, complete the following field:

Field / Description

Frequency
  From the Frequency drop-down menu, select how often users receive Spam Quarantine Reports if they have email in spam quarantine.

Report Type
  From the Report Type drop-down menu, select the content that each Spam Quarantine Report should contain:
  - HTML All Quarantined: All emails in your spam quarantine area are listed in the Spam Quarantine Report.
  - HTML New Items Since Last Report: Only those emails received since the previous Spam Quarantine Report are listed in the Spam Quarantine Report.
  - Text Summary: A text-only email notification is sent to you with a link to your spam quarantine, instead of the Spam Quarantine Report. This option supports users with email applications that do not support HTML content.
  - Text New Items Since Last Report: A text-only email report is sent to you that indicates how many new emails have been quarantined as spam since the last report and the total number of spam emails in your spam quarantine. The report also lists the email messages that have been quarantined since the last report.

HTML Format
  From the HTML Format drop-down menu, select one of the following:
  - HTML with Actions: The links Allow, Deny, and Release are enabled in the Spam Quarantine Reports.
  - HTML without Actions: The links Allow, Deny, and Release are disabled in the Spam Quarantine Reports. Users must log into the Control Console to perform these actions.
  Note: This field is ignored if the Report Type field is set to Text-only Summary.

6 Under the Spam Quarantine Report Security Settings heading, complete the following fields:

Field / Description

Report Links
  From the Report Links drop-down menu, select the number of days after which the links in the Spam Quarantine Report become inactive. A low value may not give the users enough time to review their Spam Quarantine Report and perform any spam management. A high value might increase the security risk of unauthorized access into the Control Console using an old Spam Quarantine Report.
Field / Description

Restrict user rights when accessing quarantine from spam quarantine report
  Select this field so that administrator-level users will be logged in with the role of User when accessing the Spam Quarantine Reports. If you leave the checkbox blank, administrator-level users will be logged in with their administrative role.
  Note: Selecting this option is recommended to provide additional security for the Control Console. This option applies to all administrative levels, including Reseller Administrators, Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers.

7 Under the Other Options heading, select any or all of the following options:

Field / Description

Allow users to personalize spam filtering actions
  Select to allow users to customize actions that Email Protection takes on email that is likely to be spam. Users actually select the actions on spam from the Preferences window on the Control Console.

Allow users to personalize delivery frequency
  Select to allow users to change the frequency with which they receive Spam Quarantine Reports. Users select the frequency of reports from the Preferences window on the Control Console.

Allow users to personalize report type
  Select to allow users to change the default settings you set in the Report Type field on this window. Users can change the Report Type from the Preferences window on the Control Console.

Allow users to opt out of spam filtering
  Select to allow users to turn filters for spam on or off. Users can turn off spam filtering from the Preferences window on the Control Console.

Enable Always Deny shortcut from spam quarantine report
  Select to enable the Always Deny link in the user's Spam Quarantine Reports, the Message Quarantine windows, and the Safe Message View window. If you leave the checkbox blank, users must go to the Allow/Deny Sender Lists window to change their Allow or Deny lists.

Show spam score on spam quarantine report
  Select to display the spam likelihood score for each quarantined message in the Spam Quarantine Reports.

Allow users to download Spam Control For Outlook
  Select to display a link in Spam Quarantine Reports, from which users can download the Spam Control For Outlook utility. The location from which the utility is downloaded is configured in the Branding Settings window.
  Note: This feature can be enabled or disabled at the system level.
Field / Description

Allow nonadmin users to sign in directly to the Control Console
  Select to allow users to log into the Control Console using the Sign in window.
  Note: This feature does not affect the ability of users to log in by clicking a link in a Spam Quarantine Report. If Control Console access is not enabled and users do not receive the Spam Quarantine Report, the Quarantine Manager or higher level roles must perform any changes to the user settings, maintenance of the users' spam quarantine, etc.

Display message content in Safe Message View
  Select to allow users to view the body content of an email in the Safe Message View window. If you leave the checkbox blank, the user must release the email to see what it contains in the body content.

Display user email addresses in spam quarantine report
  Select to enable the view of user addresses in the HTML SQR report so that users do not have to scroll through multiple addresses before they get to the quarantine items.

Allow users to configure alternate email address for spam report delivery
  Select to allow users to choose an alternate email address to reroute their Spam Quarantine Report if needed. Users may go to Account Management User Preferences to add their email alternate.
  Alert! Please be advised that redirecting a user's SQR allows the chosen alternate recipient to have full access to their Control Console account, including access to that user's Preferences. Therefore, please encourage the user to choose their alternate email address carefully.

8 Click Save.

Configure a Content Filter

You can create a custom content filter. The content filter does the following:

- Blocks or quarantines the email that contains prohibited keywords.
- Notifies the sender or recipient when an email has been quarantined or blocked.
- Blocks HTML malicious tags or prohibited images.
- Manages the ability for users to click on links in email.
Note: Content filtering does not analyze the content within attachments.

Note: You also define content filtering on the Spam Content Groups window (see Configure a Spam Filter); the Content Content Groups filter overrides the keyword filtering you define on the following Spam Content Groups window. In addition, spam identified by the Content Content Groups filter is accessible only by Quarantine Managers or higher level administrators. Users cannot view this spam.
Note: Due to the nature of the content filtering, the window images may contain offensive material.

To create a new policy content filter, perform the following steps:

1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Content. The Content Groups window is displayed, showing the default content groups.
  - Profanity
  - Racially Insensitive
  - Sexual Overtones

You cannot change the keywords in these groups. The Content Group Policy fields are displayed.

Email Protection also provides predefined content groups that contain valid and acceptable personal identifiable information that is allowed in email messages due to specific policies. You cannot edit these content groups, but can designate whether or not they are used. Following are the two types of predefined content groups:

- Credit Card Number
- Social Security Number

The Credit Cards that are supported include AMEX, VISA, MC, and DISC.

Note: Credit Card Numbers and Social Security Numbers can be represented or formatted in various ways and Email Protection may not be able to capture all messages that contain this information.

More Options

If a Customer or Domain subscribes to Email Encryption, then selecting this option can be used to enforce Email Encryption if the outbound message contains the word [encrypt]. The word [encrypt] can reside in the message subject line or the body of the outbound message.
Note: This option is only available on the Outbound Policy Content Group window.

1 Click Edit or double-click your selected Content Group. You may then perform the following:
  - Group Name: This defaults to the name of your selected group.
  - Content: This field is disabled for Content Groups.
2 From the drop-down Action list, the following actions may be applied to a Content Group:
  - None: The email is forwarded to the recipient email address.
  - Quarantine the message: The email is sent to the recipient's domain content quarantine area.
  - Deny Delivery: The email is denied delivery.
  - Allow: The email is sent to the recipient email address.
  - Tag the message subject with "[SPAM]": The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.
  - Encrypt Message is also available for Outbound content groups, if the Customer has subscribed to Encryption.
3 Silent Copy allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.
4 Click Save.

Turn Off a Default Content Filter

You can deactivate any of the Email Protection default content filters if you want to allow email containing those keywords to be delivered or you want to replace the list of keywords with your own list.

Note: Instead of turning off the content filter, you can also choose the action None for the filter. In this case, Email Protection filters email, but delivers matching email to users with no other notifications or marking.

1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Content. The Content Groups window is displayed, showing the default content groups.
  - Profanity
  - Racially Insensitive
  - Sexual Overtones
4 Double-click one of the default content groups.
5 Uncheck the Enable checkbox.
6 Click Save.
Custom Content Group

The Custom Content Groups subtab allows customers to define their own custom content keyword group and assist in monitoring their email. By configuring a Content Group, the customer can determine how the system reacts if it receives an email that contains text that violates that content policy. Customers can also define a different action for each content group.

Note: If the content group is enabled, then email will be filtered for that content.

1 Click New or double-click your selected Custom Content Group, and perform the following:
2 Group Name: Select and type the name of your Custom Content Group.
3 Content: List the content keywords needed to define your Custom Content Group. In the Content field, type any keywords you want to search for in email. Use the following rules for entering keywords.
  - Each entry must be on its own line (separated by a hard return).
  - If an entry contains multiple words, the entire phrase is used as a literal string (as is). If individual words are desired, each word must be on its own line.
  - Letter-case (for example, upper case or lower case) is ignored.
  - The wildcards question mark (?) and asterisk (*) can be used to designate the following:
    - ? designates any single character, including white space characters (for example, menu, space, line break, etc.). For example, w?y would catch way, why, and w y.
    - * (without quotes) at the end of the string designates multiple characters until a white space character is encountered. For example, refi* would catch refinance, refinancing and refine.
    - * followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered.
      For example, refi*d would catch refinanced, but would also catch "refinishing is a great way to save d".
   If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, \* or \?). For example, why\? (without quotes) would catch the string why? and the question mark would not be used as a wildcard.
Caution: It is possible to create wildcard combinations that will filter valid email, including all email, and/or will substantially slow email processing. Be very careful if you use wildcards to ensure that only the desired content is filtered.
4 From the Action drop-down menu, select an action to take if an email matches a keyword:
   None: The email is forwarded to the recipient email address.
   Quarantine the message: The email is sent to the recipient's domain content quarantine area.
   Deny Delivery: The email is denied delivery.
   Allow: The email is sent to the recipient email address.
      Note: The Allow option is useful if you want to override standard Email Protection spam content filtering for particular keywords.
      Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam report.
   Tag the message subject with "[SPAM]": The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.
   Encrypt Message is also available for Outbound content groups, if the Customer has subscribed to Encryption.
   Silent Copy allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.
5 Click the Enable checkbox to turn on the spam content group.
6 Click Save for the new spam content group.
7 Click Save for the policy or continue to the Notifications tab.

Notify Users about Spam Content
You can direct Email Protection to send notification emails to the recipient and/or sender when an email is filtered because it contained spam content.
You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users.
Note: Virus notifications will not be sent out for emails that are infected with widespread viruses or worms (for example, SoBig or MyDoom). These notifications will be automatically disabled by Email Protection.
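The keyword wildcard rules listed under Custom Content Group above can be tried offline before an entry goes into a policy. The following is an added example, not code from the guide or the product: it translates those rules into regular expressions, assumes an entry may match anywhere in the message text, and uses constructed sample keywords and messages. The too_broad threshold is this example's own assumption.

```python
import re


def tokenize(entry):
    """Split one keyword entry into (kind, char) tokens: lit, any1 or star."""
    tokens, i = [], 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and i + 1 < len(entry) and entry[i + 1] in "?*":
            tokens.append(("lit", entry[i + 1]))  # \? and \* are literals
            i += 2
            continue
        kind = {"?": "any1", "*": "star"}.get(ch, "lit")
        tokens.append((kind, ch))
        i += 1
    return tokens


def keyword_to_regex(entry):
    """Compile one entry under the guide's wildcard rules (case ignored)."""
    tokens = tokenize(entry)
    parts = []
    for pos, (kind, ch) in enumerate(tokens):
        if kind == "lit":
            parts.append(re.escape(ch))
        elif kind == "any1":
            parts.append(".")  # DOTALL below lets this match line breaks too
        else:
            nxt = tokens[pos + 1] if pos + 1 < len(tokens) else None
            if nxt is None:
                parts.append(r"\S*")  # trailing *: run until white space
            elif nxt[0] == "lit":
                # * before a literal: anything, white space included,
                # up to the first occurrence of that literal
                parts.append("[^" + re.escape(nxt[1]) + "]*")
            else:
                parts.append(".*?")  # assumption: * before another wildcard
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matching_entries(keyword_text, message):
    """Return the entries (one per line) that match anywhere in message."""
    entries = [line for line in keyword_text.splitlines() if line.strip()]
    return [e for e in entries if keyword_to_regex(e).search(message)]


def too_broad(entry, min_literals=2):
    """Flag wildcard entries anchored by fewer than min_literals literals.

    The threshold is this example's assumption, not a product setting.
    """
    tokens = tokenize(entry)
    literals = sum(1 for kind, _ in tokens if kind == "lit")
    return literals < min_literals and len(tokens) > literals


# Constructed sample data: four keyword entries and three message bodies.
KEYWORDS = "refi*d\nwhy\\?\nw?y\n*e"
MESSAGES = [
    "Refinishing is a great way to save dollars",
    "Quarterly report attached",
    "Why? Because the audit is due.",
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg, "->", matching_entries(KEYWORDS, msg))
    for entry in KEYWORDS.splitlines():
        print(entry, "too broad" if too_broad(entry) else "ok")
```

The entry *e matches every sample message, which is the over-filtering the Caution describes; refi*d matches the first message only because the wildcard runs across white space up to the first d.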
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Content.
4 Click Notifications. Complete the following fields:
   Field: To the sender when a message is due to a content group violation
   Description: Select one or more conditions that will cause Email Protection to send a notification email to the sender.
      Quarantined: The infected email was quarantined.
      Denied delivery: The infected email was denied delivery.
   Field: To the recipient when a message is due to a content group violation
   Description: Select one or more conditions that will cause Email Protection to send a notification email to the recipient.
      Quarantined: The infected email was quarantined.
      Denied delivery: The infected email was denied delivery.

Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons
You can configure how Email Protection filters email for HTML attachments or various forms of HTML coding within email.
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Content.
4 Click HTML Shield.
5 Under HTML Shield Protection, select one of the following options:
   Field: Low
   Description: Select this option to remove only malicious HTML tags from the email and forward the email to the recipient. Text is added to the email to indicate that HTML content was removed.
   Field: Medium
   Description: Select this option to remove the following HTML content from the email and forward the email to the recipient:
      Malicious HTML tags
      HTML comments and attributes
      All Java, Javascript, and ActiveX code
      Text is added to the email to indicate that HTML content was removed.
   Field: High
   Description: Select this option to remove all HTML content, including scripts as in the Medium option, from the email and to forward the email to the recipient. Text is added to the email to indicate that HTML content was removed.
   Field: None
   Description: Select this option to not perform HTML filtering on email.
6 Under Options for Low and Medium Setting, select Enable spam beacon and web bug blocking to block spam beacons and web bugs. A spam beacon can reveal user activity to spammers while flagging the recipient's address as active. A Web bug is any one of a number of techniques used to track who is reading a Web window or e-mail, when, and from what computer. A Web bug can also be used to see if an e-mail was read or forwarded to someone else, or if a Web window was copied to another Website.
   Note: This option is available only if you picked the Low or Medium options for HTML filtering.
7 Select Replace all image links with a default transparent image to eliminate objectionable images in email. This option replaces links to images in email with links to an image with one transparent pixel.
   Note: This option is available only if you picked the Low or Medium options for HTML filtering.
8 Click Save or continue to ClickProtect.

Configure Web Hyperlink Filters (ClickProtect)
You can configure whether Web hyperlinks in email are blocked or can be clicked and followed by the user. You can also designate a ClickProtect Allow List of URL addresses that are excluded from the ClickProtect processing (for example, your corporate URLs). As another option, you can set tracking of links that are clicked so that they are reported in the ClickProtect: Click Log Report.
Caution: ClickProtect only processes links in emails with accepted message formats, which include HTML or Rich Text.
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Content.
4 Click ClickProtect.
5 Click one of the following options:
   Disable ClickProtect: Disables this feature completely and allows users to click and access Web hyperlinks in the emails without logging information in the system.
   Display warning message before redirecting: Displays a dialog box with a customizable warning message. Users can then either stop the click-through process or continue to the Web site.
   Display warning message and deny click-throughs: Displays a dialog box with a customizable warning message and does not allow users to continue with the click-through process.
6 If you clicked one of the last two options above, overtype the text in the Warning Message text box. You can also leave the default text if desired.
7 In the Allow URL or IP field, type URL or IP addresses that you want to allow users to access and bypass ClickProtect processing. The following values are allowed:
   IP Address: Complete address (for example, 10.10.10.1) or partial address with wild cards (for example, 10.10.10.*).
   Domain Name: Qualified domain name (for example, xyz.com) or subdomains (for example, *@*.xyz.com denies emails from any subdomain of the XYZ domain, such as user@abc.xyz.com). If you know you want to allow all emails from this domain, then use this option instead of typing in each email address associated with the domain.
   The following list provides some examples of allowable URLs.
      www.domainname.com
      www.domainname.n*
      www.domainname.*
      www.domainname.example.com
      www.domainname.*.com
      www.domainname.xxx.xxx.xxx.xxx.com
      domainname.com
   The following are not accepted in domain names:
      http://
      slashes
      IP addresses.
8 Click Add. The value is added to the list box.
   Note: (This step is only available to certain user roles, when a user-defined policy set is selected.) If you want to include the values listed for the Default Inbound policy set, select the check box located beneath the list.

Upload a List of Allowed URLs
You can create a list of allowed URLs and upload that list to the Control Console. To upload a list, perform the following steps:
1 Create a file with a predefined list of URLs. The predefined list must be in the following format:
   Must be a text file
   One entry per line
   File must be available for your browser to access
2 On the ClickProtect window, go to the More Options section.
   Additional fields are displayed.
3 To upload the file, click Browse next to the Upload List field and locate the file.
4 Click Upload Allow List. The contents are added to the ClickProtect Allow List box.
5 Click Save.

Download a List of Allowed URLs from the Control Console
If you want to download the list of allowed URLs to your local drive, click Download ClickProtect Allow List. The downloaded list is a file in CSV format. You can open it in Microsoft Excel.

Define an Attachment Filter
You can create a custom attachment filter. You can filter email for attachments based on the following criteria:
   Filter by Attachment File Types, including file size
   Filter by Attachment File Name
   Filter Zip File Attachments

Filter by Attachment File Types
To filter email by file type, you must define the following:
   What file types are allowed to be received
   File size restrictions on the allowed file types
   The email action that will be used if an email violates any of the file type attachment policies
To create a new policy content filter, perform the following steps:
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Attachments. The Attachments: File Types window is displayed.
4 For each file type in the Allowed Attachment Types section, select one of the following options from the drop-down menu:
   Disallow: All email containing this file type is blocked.
   A file size, such that an email with a file of this file type that exceeds the file size is blocked:
      Max 500 KB
      Max 1 MB
      2 MB
      5 MB
      10 MB
      15 MB
   Any size: Email with this file type is allowed and delivered.
   Note: By default, each listed attachment file type is allowed unless you specifically select it to be disallowed, except for the types Executables and Scripts. These two file types are relatively easy to self-invoke from an email, and thus increase the security risk of a self-running virus or worm.
   The following table lists the file extensions associated with each file type:
   File Type: Example File Extensions
   Microsoft Word Documents: *.doc, *.dot, *.rtf, *.wiz
   Microsoft Powerpoint Documents: *.pot, *.ppa, *.pps, *.ppt, *.pwz
   Microsoft Excel Documents: *.xla, *.xlb, *.xlc, *.xlk, *.xls, *.xlt, *.xlw
   Microsoft Access Files: *.adp, *.ldb, *.mad, *.mda, *.mdb, *.mdz, *.snp
   Other Microsoft Office Files: *.cal, *.frm, *.mbx, *.mif, *.mpc, *.mpd, *.mpp, *.mpt, *.mpv, *.win, *.wmf
   Adobe Acrobat (PDF) Files: *.abf, *.atm, *.awe, *.fdf, *.ofm, *.p65, *.pdd, *.pdf
   Macintosh Files: *.a3m, *.a4m, *.bin, *.hqx, *.rs_
   Compressed or Archived Files: *.arj, *.bz2, *.cab, *.gz, *.gzip, *.jar, *.lah, *.lzh, *.rar, *.rpm, *.tar, *.tgz, *.z, *.zip
   Audio Files: *.aff, *.affc, *.aif, *.aiff, *.au, *.m3u, *.mid, *.mod, *.mp3, *.ra, *.rmi, *.snd, *.voc, *.wav
   Video/Movie Files: *.asf, *.asx, *.avi, *.lsf, *.lsx, *.m1v, *.mmm, *.mov, *.movie, *.mp2, *.mp4, *.mpa, *.mpe, *.mpeg, *.mpg, *.mpv2, *.qt, *.vdo
   Image Files: *.art, *.bmp, *.dib, *.gif, *.ico, *.jfif, *.jpe, *.jpeg, *.jpg, *.png, *.tif, *.tiff, *.xbm
   Executables (Note: This file type defaults to Disallow.): *.bat, *.chm, *.class, *.cmd, *.com, *.dll, *.dmg, *.drv, *.exe, *.grp, *.hlp, *.lnk, *.ocx, *.ovl, *.pif, *.reg, *.scr, *.shs, *.sys, *.vdl, *.vxd
   Scripts (Note: This file type defaults to Disallow.): *.acc, *.asp, *.css, *.hta, *.htx, *.je, *.js, *.jse, *.php, *.php3, *.sbs, *.sct, *.shb, *.shd, *.vb, *.vba, *.vbe, *.vbs, *.ws, *.wsc, *.wsf, *.wsh, *.wst
   ASCII Text Files: *.cfm, *.css, *.htc, *.htm, *.html, *.htt, *.htx, *.idc, *.jsp, *.nsf, *.plg, *.txt, *.ulx, *.vcf, *.xml, *.xsf
   Postscript Files: *.cmp, *.eps, *.prn, *.ps
   All Other Files: Any file extensions that are not included in the other file types
5 In the Action to take for Disallowed Attachments section, select one of the following options:
   Do nothing: Email Protection sends the email to the recipient with no filtering or notification.
   Deny delivery: Email Protection denies delivery of the email.
   Strip the attachment: Email Protection strips the attachment from the email and the email is sent to the recipient. Text is inserted into the email notifying the recipient that an attachment has been stripped.
   Quarantine the message: Email Protection sends the email to quarantine.
6 Click Save or continue to the Filename tab.

Filter by Attachment File Name
You can create a custom filter to filter email for specific file names. This filter overrides any conflicting file type policies you may have defined. To define a filter for attachment file name, perform the following steps:
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Attachments. The Attachments: File Types window is displayed.
4 Click Filename Policies. The Filename Policies window is displayed.
5 Click New. The New Attachment Filename Policy section is displayed.
6 From the Filter drop-down menu, select one of the following:
   Is: Email Protection filters for file names that have an exact match to the text in the Value field. For example, if you want to filter for the file name config.exe and no others, you must select Is and then type config.exe in the Value field. For this example, the Is option has the meaning "File name IS config.exe".
   Contains: Email Protection filters for file names that contain the text in the Value description anywhere within the filename string. For example, if you want to filter for any file that contains config in its name, like postconfig or config.ini, select this option.
   Ends with: Email Protection filters for file names that end with the text in the Value description. For example, if you want to filter for any executable files ending with .exe, select this option.
7 In the Value field, type the name or partial name for which Email Protection should search incoming email. For example, if you want Email Protection to search for any file containing the text config, type config.
8 From the Action drop-down menu, select one of the following options:
   Do nothing: Email Protection sends the email to the recipient with no filtering or notification.
   Deny delivery: Email Protection denies delivery of the email.
   Strip the attachment: Email Protection strips the attachment from the email and the email is sent to the recipient. Text is inserted into the email notifying the recipient that an attachment has been stripped.
   Quarantine the message: Email Protection sends the email to quarantine.
9 Ignore the Silent Copy drop-down list. No silent copy will be sent.
10 Click Save to save the new filename filter.
11 Click Save for the policy or continue to the Additional Policies tab to filter for zip file attachments.

Filter Zip File Attachments
You can create a custom filter for zipped file or compressed file attachments. These policies are ignored unless the Compressed or Archived Files filetype is allowed in the Attachments: File Types window. To define a filter for attachment file name, perform the following steps:
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Attachments. The Attachments: File Types window is displayed.
4 Click Additional Policies. The Additional Attachment Policies window is displayed.
5 From the Message contains high-risk attachment drop-down menu, select one of the following options:
   Allow delivery: Email Protection sends the email to the recipient with no filtering or notification.
   Quarantine the message: Email Protection sends the email to quarantine.
   Deny delivery: Email Protection denies delivery of the email.
   This action applies if an email has an attachment that is a zipped file and that violates any of the following rules:
      The zip file itself is too large ( > 500MB).
      A file contained in the zip file is too large ( > 100MB).
      The zip file contains too many files ( > 1500 files).
      The compression rate is too high ( > 95% compressed).
      The zip file contains too many levels of nesting ( > 3 levels).
6 From the Message contains an encrypted zip attachment drop-down menu, select one of the following options:
   Allow delivery: Email Protection sends the email to the recipient with no filtering or notification.
   Quarantine the message: Email Protection sends the email to quarantine.
   Deny delivery: Email Protection denies delivery of the email.
   The action applies if an email message has an attachment that is a zipped file and is encrypted and password-protected. This format is commonly used to prevent scanning for viruses in zipped files.
7 From the File in zip attachment violates attachment policy drop-down menu, select one of the following options.
   Attachment policy action: The action for the specific policy that was violated will be performed on the entire attachment. If multiple policies were violated, the policies defined in the Attachment Filename Policies subtab override the policies defined in this subtab.
   Do nothing: The email is sent to the recipient with no filtering applied.
   The action applies if an email has an attachment that is a zipped file and the zipped file contains files that violate the previously-defined filters for attachments.
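To see which attachments the high-risk and encrypted zip rules above would catch, the same limits can be applied to an archive offline. The following is an added example, not the product's implementation: it assumes the top-level zip counts as nesting level 1, measures the compression rate over the whole archive, recognises nested zips by their leading signature, and runs on sample archives constructed in memory.

```python
import io
import zipfile
import zlib

# Limits quoted from the guide's high-risk zip rules.
MAX_ZIP_BYTES = 500 * 1024 * 1024      # zip file itself > 500MB
MAX_MEMBER_BYTES = 100 * 1024 * 1024   # a contained file > 100MB
MAX_MEMBERS = 1500                     # > 1500 files
MAX_COMPRESSION = 0.95                 # > 95% compressed
MAX_NESTING = 3                        # > 3 levels of nesting
ZIP_MAGIC = b"PK\x03\x04"              # local file header signature


def inspect_zip(data, level=1):
    """Return a sorted list of the rule names that the archive violates."""
    found = set()
    if len(data) > MAX_ZIP_BYTES:
        found.add("zip-too-large")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unreadable"]
    with zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) > MAX_MEMBERS:
            found.add("too-many-files")
        # Sizes come from the archive headers, so nothing is unpacked yet.
        packed = sum(m.compress_size for m in members)
        unpacked = sum(m.file_size for m in members)
        if unpacked and 1 - packed / unpacked > MAX_COMPRESSION:
            found.add("compression-too-high")
        for m in members:
            if m.flag_bits & 0x1:          # bit 0: member is encrypted
                found.add("encrypted")
                continue
            if m.file_size > MAX_MEMBER_BYTES:
                found.add("member-too-large")
                continue                   # never unpack an oversized member
            try:
                with zf.open(m) as fh:
                    is_zip = fh.read(4) == ZIP_MAGIC
                if not is_zip:
                    continue
                if level + 1 > MAX_NESTING:
                    found.add("nesting-too-deep")
                    continue               # stop descending at the limit
                found.update(inspect_zip(zf.read(m), level + 1))
            except (zipfile.BadZipFile, NotImplementedError,
                    RuntimeError, zlib.error):
                found.add("unreadable")
    return sorted(found)


def make_zip(files, method=zipfile.ZIP_DEFLATED):
    """Build a zip in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in files.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def constructed_samples():
    """Sample archives built for this example (constructed, not captured)."""
    plain = make_zip({"notes.txt": b"Quarterly figures attached.\n"},
                     zipfile.ZIP_STORED)
    padded = make_zip({"fill.bin": b"\0" * 1_000_000})  # compresses > 99%
    nested = plain
    for i in range(3):                                  # 4 levels in total
        nested = make_zip({f"layer{i}.zip": nested}, zipfile.ZIP_STORED)
    return {"plain": plain, "padded": padded, "nested": nested}


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, inspect_zip(blob))
```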
Notify Users about Attachment Violations
You can direct Email Protection to send notification emails to the recipient and/or sender when an email is filtered because it contained an attachment violation. You can see the content of notifications and change it in the Notifications tabs. See Define the Format and Text of Notifications to Users.
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Attachments.
4 Click Notifications.
5 Complete the following fields:
   Field: To the sender when a message is due to an attachment policy violation
   Description: Select one or more conditions that will cause Email Protection to send a notification email to the sender.
      Quarantined: The email that contained an attachment violation was quarantined.
      Denied delivery: The email that contained an attachment violation was denied delivery.
      Stripped: The infected attachment was stripped and the email sent to the recipient.
   Field: To the recipient when a message is due to an attachment policy violation
   Description: Select one or more conditions that will cause Email Protection to send a notification email to the recipient.
      Quarantined: The email that contained an attachment violation was quarantined.
      Denied delivery: The email that contained an attachment violation was denied delivery.
      Stripped: The violating attachment was stripped and the email sent to the recipient.
6 Click Save.

Allow or Deny Email to or from Specific Addresses
You can define lists of sender email addresses, domain names, or IP addresses whose email is always delivered to your users, or conversely, whose email is always denied delivery. In addition, you can define lists of recipient email addresses that are always denied receiving email.
The Sender Allow and Sender Deny lists are used in combination with the user-level Allow and Deny lists that can be defined for specific user accounts. In the case of a conflicting entry (for example, the same email address is in the user-level Allow list and the Sender Deny list at the policy set level), the lists defined in these tabs override the user-level lists. The allowed maximum of items for each list is defined at the system level and may vary for different installations of Email Protection.

Allow Email from a Specific Address
You can define a list of sender addresses whose email will always be accepted without email filtering. The exception is that virus filtering is always applied if licensed for that policy set, unless overridden by the user-level policy configurations. In addition, the user-level Deny list will override the policy set-level Sender Allow list. You can add individual addresses one at a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Allow/Deny. The Sender Allow window is displayed.
4 In the Add Address field, type the address of a sender whose email should be delivered without filtering. The following values are allowed in the list entries:
   Email addresses: Complete sender email address or partial address with wildcards (for example, gsmith@domain.com or g*@domain.com)
   Domain names: Complete domain name or partial name with wildcards (for example, domain.com)
   IP addresses: Complete IP address or partial address with wildcards (for example, 123.123.12.3 or 123.123.12.*)
   Note: CIDR notation is not allowed. Each IP address must be designated separately.
5 Click Add. The address is added to the allowed address box on the right.
6 Repeat steps 4 and 5 for each address you want to add.
7 Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List.

Sender Policy Framework (SPF)
You are able to whitelist a specific email address or domain and assign an SPF check to that address. Subsequent mail coming from the whitelisted domain is then checked against SPF records. Should the SPF check fail, the mail is denied. The following conditions apply to an SPF verification:
   If the record can be verified, then content and spam filtering is skipped for the sender's inbound messages.
   If the record cannot be verified, then filtering is not skipped for the sender's inbound messages.
Note: If a sender on the allow list does not have an SPF record, the inbound message is still allowed.

Deny Email from a Specific Address
You can define a list of sender addresses whose email will always be denied regardless of email filtering. This Deny list overrides the user-level Allow list. You can add individual addresses one at a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Allow/Deny.
   The Sender Allow window is displayed.
4 Click Sender Deny. The Sender Deny window is displayed.
5 In the Add Address field, type the address of a sender whose email should be denied without filtering. The following values are allowed in the list entries:
   Email addresses: Complete sender email address or partial address with wildcards (for example, gsmith@domain.com or g*@domain.com)
   Domain names: Complete domain name or partial name with wildcards (for example, domain.com)
   IP addresses: Complete IP address or partial address with wildcards (for example, 123.123.12.3 or 123.123.12.*)
   Note: CIDR notation is not allowed. Each IP address must be designated separately.
6 Click Add. The address is added to the denied address box on the right.
7 Repeat steps 4 and 5 for each address you want to add.
8 In the If the Sender is on the Sender Deny List section, select one of the following options:
   Accept and silently discard the message: The email is accepted, but is discarded without notification.
   Deny delivery: The email is denied delivery.
9 Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List.
Deny Email to a Specific Recipient
You can define a list of recipient user addresses whose incoming email will always be denied, regardless of email filtering. For example, you can designate that emails received to an ex-employee's user account are always denied. Email received for all alias email addresses for the designated user account is also included in the Recipient Shield processing. You can add individual addresses one at a time or you can add them with a batch file. See Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1 Click Email Protection Policies.
2 Select the policy you want to change.
3 Click Allow/Deny. The Sender Allow window is displayed.
4 Click Recipient Shield. The Recipient Shield window is displayed.
5 In the Add Address field, type the address of a recipient whose email should be denied. You can type a complete recipient email address or partial address with wildcards (for example, gsmith@domain.com or g*@domain.com).
   Note: The email addresses must be defined in the primary Domain. Alias domain names are not allowed.
6 Click Add. The address is added to the recipient address box on the right.
7 Repeat steps 4 and 5 for each address you want to add.
8 In the If the Recipient is on the Recipient Shield List section, select one of the following options:
   Accept and silently discard the message: The email is accepted, but is discarded without notification.
   Deny delivery: The email is denied delivery.
   Do nothing: The email is forwarded to the recipient email address with no processing applied.
9 Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient Shield List.

Save a Copy of an Allow, Deny, or Recipient Shield List
You can download the allow or deny list you have created so you can store a copy. To download a copy, perform the following steps.
1 On the Allow, Deny, or Recipient Shield window, click More Options.
2 Click Download [] List. A download window is displayed. Email Protection automatically creates a Microsoft Excel spreadsheet (*.csv file) containing the address list. You can choose to save the file or open it directly.

Add Allow, Deny, or Recipient Shield Addresses with a Batch File
1 Using a text editor, create a text file that contains one email address per line, and save it to your computer.
2 On the Allow, Deny, or Recipient Shield window, click More Options. Additional fields are displayed.
3 Click Browse and search for the text file you created.
4 Click Upload [] List.
5 Click Save.

Email Authentication
Transport Layer Security
Transport Layer Security (TLS) has routinely been supported and is still supported by our Email Protection system. If a TLS connection can be negotiated between the sender and the recipient MTAs, then the system delivers the email over TLS. If a TLS connection CANNOT be established between the sender or the recipient MTA, then the mail transfer
agent delivers, via SMTP, without encryption. Therefore, it is recommended that you specify a Sender's domain and/or sub-domain for this policy so that TLS is enforced. Thus, if TLS cannot be established, then the message will not be delivered and a bounce message will be generated to the sender, recipient, or both depending on the Notifications.
Note: Enforced TLS requires a negotiation between our mail transfer agent and yours to be successful. You must have TLS turned on at your end to accommodate this transaction. Refer to your MTA software manual on how to enable/turn on TLS to ensure TLS is implemented in your system prior to setting up your domain lists.
From the Policy Set window select Email Authentication Enforce TLS tab and complete the following steps.

Add Domain
6 To enter values into the TLS domain list, enter the full address of the Sender/Recipient's domain and/or sub-domain.
   NOTE: Any Sender/Recipient's domain or subdomain must be explicitly specified for enforced TLS. Specifying a Sender/Recipient's domain doesn't automatically include any sub-domains of that domain.
7 Click the Add» button. The value is added to the list box.
   NOTE: The maximum number of values allowed in the Add Domain list is specified. This limit is defined at the system level (see the online help for the specific count). Any duplicate or invalid values are discarded automatically.
More Options
   Upload Enforced TLS List (appends to existing list): To upload a file with a predefined list, click the Browse button. After you select the file and its path appears in the text field, click the Upload button. The contents are added to the Add Domain box above.
   Download Enforced TLS List (be sure to save changes first): To download a domain list in a csv file, click the Download button, select the list you wish to download and click Save.
8 Subscribe to Default TLS List
   By checking the subscription to the TLS default list you will be adding the appropriate Inbound/Outbound Default domain policy to your customized Enforced TLS domain list. The default list can be viewed by clicking the corresponding Inbound/Outbound Default selection under the Policies tab. This option is only available in custom (non-default) policy sets.
   NOTE: If the default list changes, your subscription to the default is updated to reflect those changes.
Save
9 Click the Save button to save your information.
Download
   To download a domain list in a csv file, click the Download button, select the list you wish to download and click Save.

Enforced SPF
Sender Policy Framework (SPF) can be used by email recipients to determine if the messages they receive were sent from someone authorized by the domain owner, which can help detect spoofing. SPF only works when domain owners implement and maintain it voluntarily. To implement SPF, domain owners must create special DNS entries which list the IP addresses that are authorized to send email from their domain. Email recipients must compare an email's source IP address to the IP address in the domain owner's DNS SPF records. If they match, it is reasonable to assume that the message was sent by the domain owner or an authorized third party.
Important SPF information:
   SPF implementation is voluntary and many domain owners have not implemented DNS SPF records, including many well-known commercially used domains.
- Even those that have implemented SPF might have outdated or inaccurate records, resulting in false positives. The only way to resolve this is to contact the domain owner and ask them to correct the issue.
- Nothing prevents spammers and hackers from implementing SPF, so it is not a reliable spam indicator.
- Many organizations allow third parties to send mail on behalf of their domain (authorized spoofing). These third parties must be authorized by the domain owner as part of their SPF records in order for recipients to successfully validate the third-party messages.
- Hosted email providers often give the same SPF records to all their customers, making it impossible to distinguish one customer from another, thus reducing the usefulness of the technology.
- Even when SPF is implemented and enforced, it is still possible for spammers to create very convincing spoofed emails; therefore, continued user training and caution are advised.

Create an Enforced SPF Domain

Go to the Email Authentication | Enforced SPF tab and complete the following information to implement an SPF domain.

To enter values for the SPF domain list, enter the full address of the Sender domain and/or sub-domain, or use part of the domain using wildcards. Any Sender domain or sub-domain must be explicitly specified for enforced SPF. Specifying a Sender domain doesn't automatically include any sub-domains of that domain. Examples of wildcard use include any of the following:

  *.example.com
  example.*
  mysubdomain.*.*
  subdomain.*.example.com

1 Click the Add» button. The value is added to the list box.

Note: The maximum number of values allowed in the Add Domain list is 1500. This limit is defined at the system level. Any duplicate or invalid values are discarded automatically.

2 To remove a value from the list, select it in the list box and click the «Remove button.

Note: To select more than one value from the list, press Ctrl on your keyboard, click each entry you want to remove, and then click the «Remove button.
Note: All entries are removed when you click the Remove All button.

More Options

Regardless of Sender Domain

From the drop-down lists, select the appropriate SPF action (Deliver, Deny, Tag Subject) for the following criteria:

- when SPF is available but validation fails
- when SPF is not available
- when SPF is available and validation succeeds

Note: When the action is Tag Subject, tags are applied to the end of the subject. The tags are:

  WARNING: SPF validation failed
  SPF verified
  WARNING: SPF validation unavailable

Upload Enforced SPF List (appends to existing list): To upload a file with a predefined list, click the Upload Browse button. After you select the file and its path appears in the text field, click the Upload button. The contents are added to the Add Domain box above.

Download Enforced SPF List (be sure to save changes first): To download a domain list in a csv file, click the Download button, select the list you wish to download and click Save.

NOTE: If the default list changes, your subscription to the default is updated to reflect those changes.

Enforced DKIM

DomainKeys Identified Mail (DKIM) is part of the Email Authentication suite designed to verify the email sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail.
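Returning to Enforced SPF: the source-IP comparison and the three "Regardless of Sender Domain" outcomes described above can be traced with the following added example, which is not part of the original guide and is not the product's code. The SPF records are constructed, all function names are hypothetical, only the ip4, ip6 and all mechanisms are handled, and three points are assumptions: softfail and neutral results count as failed validation, the tag is joined to the subject with a single space, and list wildcards behave like shell-style patterns.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed SPF TXT records using documentation address ranges.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "mail.example.com": "v=spf1 ip4:198.51.100.7 ~all",
}

# Subject tags quoted from the guide, keyed by the three outcomes it lists.
TAGS = {
    "fail": "WARNING: SPF validation failed",
    "pass": "SPF verified",
    "unavailable": "WARNING: SPF validation unavailable",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, source_ip):
    """Evaluate ip4, ip6 and all terms left to right; return an RFC 7208 result name."""
    parts = (record or "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(source_ip)
    for term in parts[1:]:
        qualifier = "+"  # a term without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"{term!r} needs a DNS lookup; outside this example")
        network = ipaddress.ip_network(value, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no term matches


def spf_outcome(sender_domain, source_ip, records=SPF_RECORDS):
    """Map the SPF result for the envelope sender domain onto the guide's three criteria."""
    result = check_spf(records.get(sender_domain.lower()), source_ip)
    if result == "none":
        return "unavailable"
    # Assumption: anything other than pass (fail, softfail, neutral) is a failed validation.
    return "pass" if result == "pass" else "fail"


def apply_action(subject, outcome, actions):
    """Return (action, subject); Tag Subject appends the tag to the end of the subject."""
    action = actions[outcome]
    if action == "Tag Subject":
        subject = f"{subject} {TAGS[outcome]}"  # assumption: one space before the tag
    return action, subject


def entry_covers(entry, sender_domain):
    """True if a domain-list entry covers the sender domain (assumed shell-style wildcard)."""
    return fnmatchcase(sender_domain.lower(), entry.lower())


if __name__ == "__main__":
    # Constructed policy: one action per criterion, as chosen from the drop-down lists.
    actions = {"fail": "Deny", "unavailable": "Tag Subject", "pass": "Deliver"}
    for domain, ip in [("example.com", "192.0.2.25"),
                       ("example.com", "203.0.113.9"),
                       ("unknown.example", "203.0.113.9")]:
        outcome = spf_outcome(domain, ip)
        print(domain, ip, outcome, apply_action("Invoice", outcome, actions))
    # A plain entry does not cover sub-domains; a wildcard entry does not cover the parent.
    print(entry_covers("example.com", "mail.example.com"),
          entry_covers("*.example.com", "mail.example.com"),
          entry_covers("*.example.com", "example.com"))
```

The domain passed to spf_outcome is the SMTP envelope sender domain, which is what SPF checks; the address shown in the From: header is not covered by SPF.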
Create a DKIM Domain

Complete the following information to implement a DKIM domain.

Add Domain

To enter values for the DKIM domain list, enter the full address of the sender domain and/or sub-domain, or use part of the domain using wildcards. Specifying a sender domain does not automatically include any sub-domains of that domain. The following list shows examples of entries using a wildcard (*):

  *.example.com
  example.*
  mysubdomain.*.*
  subdomain.*.example.com

If the sub-domain is not going to be entered using the wildcard character, the sub-domain must be explicitly defined.

1 Click the Add» button. The value is added to the list box.

Note: The maximum number of values allowed in the Add Domain list is 1500. This limit is defined at the system level. Any duplicate or invalid values are discarded automatically.

2 To remove a value from the list, select it in the list box and click the «Remove button.

Note: To select more than one value from the list, press Ctrl on your keyboard, click each entry you want to remove, and then click the «Remove button.

Note: All entries are removed when you click the Remove All button.

More Options

Regardless of Sender Domain

From the drop-down lists, select the appropriate DKIM action (Deliver, Deny, Tag Subject) for the following criteria:
- when a DKIM signature is present but is not valid
- when no DKIM signature is present
- when a valid DKIM signature is present

NOTE: When the action is Tag Subject, tags are applied to the end of the subject. The tags are:

  WARNING: DKIM validation failed
  DKIM verified
  WARNING: DKIM validation unavailable

Upload Enforced DKIM List (appends to existing list):

3 To upload a file with a predefined list, click the Upload Browse button. After you select the file and its path appears in the text field, click the Upload button. The contents are added to the Add Domain box above.

Download Enforced DKIM List (be sure to save changes first):

4 To download a domain list in a csv file, click the Download button, select the list you wish to download and click Save.

5 Click the Save button to save your information.

By checking the Subscribe to Default Inbound policy Enforced DKIM list subscription, you add the appropriate Inbound/Outbound Default domain policy to your customized Enforced DKIM domain list. The default list can be viewed by clicking the corresponding Inbound Default selection under the Policies tab. This option is only available in custom (non-default) policy sets.

NOTE: If the default list changes, your subscription to the default is updated to reflect those changes.

Email Authentication Notifications tab
Send Email Notifications

6 Check the Denied Delivery box under the heading To the sender when a message is, to notify the sender that their message could not be sent due to an Email Authentication violation.

7 Click Save.

8 Check the Denied Delivery box under the heading To the recipient when a message is, to notify the recipient that a message could not be received due to an Email Authentication violation.

9 Click Save.

View your selection

Click the Notifications tab in the Policy Set window.

Define the Format and Text of Notifications to Users

You can configure templates for the notification emails that are sent to the sender and/or recipient when an email message is filtered for:

- Viruses
- Content
- Attachments

Default notification templates are provided for all the notification scenarios. You can change these templates if you wish. One notification email template is defined for each combination of the following:

- Filtering type: for viruses, content, or attachments
- Destination of the notification: sender or recipient
- Email action: deny, strip, or quarantine

Variables within a Notification

Within the notification emails, variables automatically insert content from the system. For example, the variable $(DATE) inserts the date when the notification email was sent. Default variables already exist for the default notifications. If you want to use a different variable, you must manually type the variable as shown below. The variables are case-sensitive.

$(SUBJECT)
  Inserts a variable that automatically indicates the subject of the email that violated the policy.

$(FROM)
  Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the From: address that is displayed in the email.
$(SENDER)
  Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the SMTP envelope From: address received from the sending email server.

$(TO)
  Inserts a variable that automatically indicates the recipient's email address (To: address) from the email that violated the policy.

$(DATE)
  Inserts a variable that automatically indicates the date when the email was received that violated the policy.

$(REASON)
  Inserts a variable that automatically indicates the reason why the email violated the policy.

$(ACTION)
  Inserts a variable that automatically indicates the action that was applied to the email that violated the policy.

$(DOMAIN)
  Inserts a variable that automatically indicates the domain that received the email that violated the policy.

$(MSG_HEADER)
  Inserts a variable that automatically indicates the email header information from the email that violated the policy.

$(SIZE)
  Inserts a variable that automatically indicates the size, including attachments, of the email that violated the policy.

$(POSTMASTER)
  Inserts the contact email address configured for the domain.

The set of Notifications tabs includes the following subtabs:

- Notifications | Virus Notifications subtab (see window 1)
- Notifications | Content Notifications subtab
- Notifications | Attachment Notifications subtab

In addition, each subtab has a separate Edit area for each of its notification templates.

Because all the individual notification templates offer the same functionality, only one set of subtabs in the Notifications tabs is described, to reduce redundancy. The same features are used to modify the remaining notification templates; the only difference is the combination of filter type, destination, and email action. Be sure to adjust the navigation and information accordingly.
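Because the variables must be typed by hand and are case-sensitive, a template can be checked before it is saved. The following added example is not part of the original guide or the product: lint_template and the sample template are hypothetical, and the rule that flags message-derived variables in the From and Reply-To fields is this example's own review rule, on the grounds that those values are supplied by whoever sent the filtered message.

```python
import re

# Variable names listed in this guide for virus, content and attachment
# notification templates. Names are case-sensitive.
KNOWN = {"SUBJECT", "FROM", "SENDER", "TO", "DATE", "REASON", "ACTION",
         "DOMAIN", "MSG_HEADER", "SIZE", "POSTMASTER"}

# Variables whose value is copied from the message that violated the policy.
SENDER_SUPPLIED = {"SUBJECT", "FROM", "SENDER", "MSG_HEADER"}
ADDRESS_FIELDS = {"From", "Reply-To"}

# A '$' that looks like the start of a variable; '$5.00' is left alone.
CANDIDATE = re.compile(r"\$(?=[({A-Za-z])")
WELL_FORMED = re.compile(r"\$\(([^()\s]*)\)")


def lint_field(field, text):
    """Return (field, fragment, problem) tuples for one template field."""
    findings = []
    for hit in CANDIDATE.finditer(text):
        start = hit.start()
        token = WELL_FORMED.match(text, start)
        if token is None:
            # Covers $DATE, ${DATE} and an unclosed $(DATE
            fragment = text[start:].split()[0][:20]
            findings.append((field, fragment, "not in $(NAME) form"))
            continue
        name = token.group(1)
        if name not in KNOWN:
            if name.upper() in KNOWN:
                problem = f"wrong case, use $({name.upper()})"
            else:
                problem = "unknown variable"
            findings.append((field, token.group(0), problem))
        elif field in ADDRESS_FIELDS and name in SENDER_SUPPLIED:
            findings.append((field, token.group(0),
                             "sender-supplied value in an address field"))
    return findings


def lint_template(fields):
    """Check the From, Reply-To, Subject and Body fields of one template."""
    findings = []
    for field, text in fields.items():
        findings.extend(lint_field(field, text))
    return findings


# Constructed sample template with four deliberate mistakes.
SAMPLE = {
    "From": "$(POSTMASTER)",
    "Reply-To": "$(FROM)",
    "Subject": "Message blocked: $(Subject)",
    "Body": "On $(DATE) a message from ${FROM} to $(TO) was handled.\n"
            "Reason: $(REASON)  Action: $(ACTON)  Fee: $5.00\n",
}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE):
        print(finding)
```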
Define the Format and Text of Virus Notifications

1 Click Email Protection | Policies.

2 Select the policy you want to change.

3 Click Notifications. The Notifications: Virus window is displayed.
4 Click on a notification in the Virus Notifications box.

5 Either double-click on a subject or highlight a subject and click Edit. The Edit section of the window is displayed.

6 Change, if desired, the text or variables in any or all of the following fields:

From
  Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To
  Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject
  Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body
  Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.
7 Click Save.

Define the Format and Text of Content Violation Notifications

1 Click Email Protection | Policies.

2 Select the policy you want to change.

3 Click Notifications. The Virus Notifications window is displayed.

4 Click Content. The Content Notifications window is displayed.

5 Click on a notification in the Content Notifications box.

6 Either double-click on a subject or highlight a subject and click Edit. The Edit section of the window is displayed.

7 Change, if desired, the text or variables in any or all of the following fields:

From
  Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To
  Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject
  Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.
Body
  Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

8 Click Save.

Define the Format and Text of Attachment Violation Notifications

1 Click Email Protection | Policies.

2 Select the policy you want to change.

3 Click Notifications. The Virus Notifications window is displayed.

4 Click Attachment. The Attachment Notifications window is displayed.

5 Click on a notification in the Attachment Notifications box.

6 Either double-click on a subject or highlight a subject and click Edit. The Edit section of the window is displayed.

7 Change, if desired, the text or variables in any or all of the following fields:

From
  Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To
  Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.
Subject
  Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body
  Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

8 Click Save.

Email Authentication

The Notifications | Email Authentication subtab allows you to configure a template for the notification email that is sent to the sender and/or recipient. Within the notification emails, variables are available that automatically insert content from the system. For example, the variable $(DATE) inserts the date when the notification email was sent. You must manually type the variables as shown below. The variables are case-sensitive.

9 Highlight the message you wish to review and click Edit to launch the edit template.

Variables within the template include:

$(SUBJECT)
  The Subject field is blank because the message was blocked before the email content had been sent. If you wish to have a Subject value for the Notification message, edit the Subject: field; otherwise the Subject appears as 'Delivery Notification'.

$(FROM)
  Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the From: address that is displayed in the email.

$(SENDER)
  Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the SMTP envelope From: address received from the sending email server.

$(TO)
  Inserts a variable that automatically indicates the recipient's email address (To: address) from the email that violated the policy.
$(DATE)
  Inserts a variable that automatically indicates the date when the email was received that violated the policy.

$(REASON)
  Inserts a variable that automatically indicates the reason why the email violated the policy.

$(ACTION)
  Inserts a variable that automatically indicates the action that was applied to the email that violated the policy.

$(DOMAIN)
  Inserts a variable that automatically indicates the Domain that received the email that violated the policy.

$(POSTMASTER)
  Inserts the postmaster email address (for example, postmaster@domain.com) for the Domain.

Variable syntax requires $({name_of_variable}), where {name_of_variable} is replaced with the predefined variable name (without the curly brackets).

Email Authentication Subject Headers

As mentioned, the Subject field in the Email Authentication Email Subject Line, the Email Authentication Email Header, and the Email Authentication Notification Message Body does not contain Subject data, because the email was denied and no data was retrieved. The following examples show the Subject field or Subject Notification displaying only Delivery Notification. Again, this is because the $(SUBJECT) variable is an empty variable.

[Figure: Email Subject Line]
[Figure: Email Subject Header]

[Figure: Email Authentication Notification Subject Header Response]

Disaster Recovery

Disaster Recovery allows you to specify what actions to take when email cannot be delivered. There are three available options:

Defer to domain-based Email Continuity access control configured under Disaster Recovery Setup
  Select this option to use the configuration settings from the Disaster Recovery Setup window.

Allow users to use the Email Continuity webmail client
  Select this option to allow users to use the Email Continuity webmail client when email cannot be delivered.

Do not allow users to use the Email Continuity webmail client
  Select this option if you do not wish to allow users to use the Email Continuity webmail client when email cannot be delivered.
Assign a Group to the Custom Policy

To perform this task, you must first create the group of users who are to be assigned to the policy. See Managing Groups in the Account Management Administrator Guide.

1 Click Email Protection | Policies.

2 Select the custom policy to which you want to assign a group.

3 Click Group Subscriptions. The Policy Configuration Groups window is displayed.

4 Select the group you want to assign.

5 Click Add.
6. Customize Outbound Mail Filters

You can customize the default outbound policy for any and each domain, or any and each group, to fit your business needs.

Note: Outbound email is not filtered for spam. You also cannot customize allow or deny lists for outbound email. You can, however, copy allow or deny lists from an existing inbound policy.

Create a Custom Outbound Policy

Important Note: It is assumed that all domains within an Enterprise Customer will have the same package assigned to them. If some domains have different packages, unexpected results may occur when a policy is applied to a group in which members reside within different domains.

1 Click the Email Protection | Policies | Outbound Policies link.

2 Click New. The New Policy Set fields are displayed.

Field and description:

Name
  Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy.

Description
  Enter a description of the new policy set.
Direction
  From the drop-down menu, select the direction of email, outbound SMTP, for which this policy will be configured.

Copy From
  From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields.

Copy Sender Allow List
  Select to copy the Sender Allow list from the policy set selected in the Copy From field.

Copy Sender Deny List
  Select to copy the Sender Deny list from the policy set selected in the Copy From field.

Copy Recipient Shield List
  Select to copy the Recipient Shield list from the policy set selected in the Copy From field.

Copy ClickProtect Allow List
  Select to copy the ClickProtect Allow list from the policy set selected in the Copy From field.

3 Click Save. The Policy Sets list is updated with the new policy. You can now modify the new policy to meet your business needs.

Configure a Virus Filter

You configure a virus filter for outbound email in the same way as that for inbound email. For more information, see Configure a Virus Filter Policy.

Configure a Content Filter

You can create a custom content filter for outbound email. You can only set up Content Groups and Notifications. HTML Shield and ClickProtect are not available for outbound email.

You set up content groups and notifications in the same way as that for inbound email. For more information, see Create a Custom Policy.
Email Encryption for Content Groups

Group Names

You can send regular email based on your selected policies, but you may also encrypt messages for a specific Group Name under Content Groups if desired. Select the group name you wish to encrypt, then from the Action drop-down list select to have that group encrypted.

More Options

If a Customer or Domain subscribes to Email Encryption, selecting this option enforces Email Encryption if the outbound message contains the word [encrypt]. The word [encrypt] can reside in the message Subject line or in the body of the outbound message. This option can be found under Email Protection | Policies | Outbound (default) | Content | Content Groups.
Define an Attachment Filter

You configure an attachment filter for outbound email in the same way as that for inbound email. For more information, see Define an Attachment Filter Policy.

Define the Format and Text of Notifications to Users

You configure notifications for outbound email in the same way as that for inbound email. For more information, see Define the Format and Text of Notifications to Users Policy.

Assign a Group to the Custom Policy

You assign a group to a policy for outbound email in the same way as that for inbound email. For more information, see Disaster Recovery.
7. Managing Quarantine Reports

Set up Quarantine Reports

When Email Protection scores email and determines that email might be problematic, but the email is not clearly a security risk, Email Protection places the email into quarantine. You can set up quarantine reports so that users can see which of their messages were filtered and placed in quarantine. You can also determine how much control users have over these reports, including:

- How reports are formatted
- How often reports are sent
- How spam is filtered
- What actions users can take on quarantined email

See the Email Protection User Guide on how users might manage quarantine reports. To set up quarantine reports for users, see Set up Spam Quarantine Reports.

Monitor Users Quarantined Email

Email is quarantined based on the filtering for spam, viruses, content, and attachments, as designated in the policies of your domains or groups. To monitor quarantined email, you can perform the following tasks:

- Search for Quarantined Email
- Interpret the Search Results
- Sort the Search Results
- Delete Quarantined Messages
- Release Quarantined Messages
- View Quarantined Messages

As an administrator, you can also directly access your own quarantined email within the Control Console. See Monitor Your Own Quarantine.
Primary Email Addresses, Aliases, and Public Domain Addresses

Most quarantined emails show the primary email address as the recipient email address. However, if Intelligent Routing is used, quarantined email to a public domain address continues to be shown as a public domain address.

If an email that was sent to an alias email address is quarantined, the recipient email address is changed to be the associated primary email address. Any emails released out of any of the quarantine areas are sent to the primary email address. Thus, no alias email addresses will be listed in these windows.

Search for Quarantined Email

To search quarantined email, perform the following steps:

1 Click Email Protection | Quarantine.

2 If necessary, click Quarantine Search.

3 Complete any or all of the following fields to define your search:
Note: All fields are used in the search. If your search finds a large number of messages, narrow your search by narrowing the scope within one or more fields.

Field and description:

From
  Enter a full sender email address. The address must include the recipient name and the domain name, for example joesmith@acme.com.

To
  Enter a recipient email address. The address must include the recipient name and the domain name.

Threat
  From the drop-down menu, select one of the following: Spam, Virus, Attachment, Content, All Threats.

Day list
  From the drop-down menu, select the day, from the past week, whose messages you want to see. You can also select All Days.
  Note: The date of a message is determined by the time, according to the user's timezone, the message was placed in quarantine.

Inbound/Outbound
  From the drop-down menu, select one of the following: View inbound only, View outbound only, View inbound & outbound.
  Note: This field is available only if the selected Domain has both inbound and outbound packages associated with it.

4 Click Search. A list of messages is displayed at the bottom of the window.

Interpret the Search Results

The Search Results section of the Quarantine Search window displays the following information for each email message:

Date
  The date the message was quarantined, according to the local timezone of the recipient.

From
  The sender of the message.

To
  The recipient of the message.

Subject
  The subject of the message.

Size
  The size of the message, in kilobytes, including any attachments.

Also, a sixth column displays information that varies, depending on the type of threats you searched for. The following table lists the type of information that might be contained in this column.
Threat Type Selected: Virus
Column Label: Virus
Description: Displays the type of virus detected in the email.

Threat Type Selected: Spam
Column Label: Spam Score
Description: Displays a score that indicates how likely it is that the email is spam. A spam score of 90% - 98.9% is considered medium likelihood if default settings are used. A spam score of 99% or higher is considered high likelihood if default settings are used. Email Protection anti-spam filtering uses a large number of filtering processes, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework to determine the score. If you specified an additional Realtime Blackhole List (RBL) in the Anti-Spam window of the assigned policy, the RBL can influence the spam score as well.

Threat Type Selected: Attachment
Column Label: Attachment
Description: Displays the name of an attachment that was included in the email message and violates attachment rules (size, file type, zip file attachments) as defined on the Attachment windows of the assigned policy. If a message contains more than one delinquent attachment, the first attachment found in the message is listed. You can check to see all attachments by opening the message.

Threat Type Selected: Content
Column Label: Keyword
Description: Displays Content to indicate that the email violated a content policy, as defined in the Content Groups window for the assigned policy. You can see what keywords were violated by opening the message and checking the Status line.

Threat Type Selected: All Threats
Column Label: Type
Description: Displays the type of threat filtering that the email violated.

Sort the Search Results

You can sort the search results according to any of the columns in the Search Results section.

1 Click on the heading of the column you want to sort. You have the choice of sorting the messages in ascending or descending order of the values in the column.

2 Click Sort Ascending or Sort Descending.
3 To hide columns in the results, move your cursor over the Columns menu item and select or deselect the columns you want to display in your sorted list.

4 To move columns around so they are displayed in a different left-to-right sequence, perform the following steps:

  A Place your cursor on the column you want to move.
  B Click and hold the mouse button.
  C Drag the column to a different location.

Delete Quarantined Messages

Email Protection deletes each message automatically if the message stays in quarantine for more than seven days. However, you can immediately delete quarantined email listed in the Quarantine Search Results in one of two ways:

- Highlight each email in the list and click Delete.
- Click Delete All, which deletes all email in the Search Results list.

Release Quarantined Messages

By releasing a quarantined email message, you remove the message from quarantine and send the email to the mailbox of the recipient's primary email address. You can release email in one of two ways:

- Select each email you want to release, and click Release. The email is removed from quarantine and sent to the recipient mailbox or mailboxes.
- Select the email you want to release, and click Always Allow for User. The email is removed from quarantine and sent to the recipient mailbox or mailboxes. This option also adds the sender address of each selected message to the Allow list of the associated recipient.

Caution: Releasing emails that contained worms or viruses can potentially allow the recipients' machines to be infected.

View Quarantined Messages

Email Protection allows you to view a quarantined message without risk of infection by any malicious virus or attachments. To view a message in the quarantine:

1 Double-click the message you want to view. The message opens in a new tab with the subject heading.
2 Check the email for any of the following, depending on the Threat type:
   - If the Threat type is Spam, check the subject line and body of the message, as well as the Status line for the spam score.
   - If the Threat type is Content, check the Status line for the word or words that violated the content filter.
   - If the Threat type is Attachment, check the Attachments list for size and/or type of file or for HTML code violations. The Content Type is based on the MIME protocol.
   - If the Threat type is Virus, check the Virus list for the viruses found.
3 Note the IP address listed in the message. This address is the last hop the message took prior to delivery to Email Protection. The IP address can be useful in tracking the path of a message and can help identify spoofed senders.
4 After checking a message, do one of the following:
   - Delete the message as described in Delete Quarantined Messages.
   - Release the message as described in Release Quarantined Messages.
   - Close the message by clicking the X in the tab at the top of the message.

Monitor Your Own Quarantine

You can check your own messages in quarantine and take the same actions on those messages that you take on other users' messages. To access your own quarantined messages, perform the following steps:

1 Click Email Protection Quarantine.
2 Click My Spam. Your message quarantine is displayed.
3 Perform any of the following tasks:
   - Search for Quarantined Email
   - Interpret the Search Results
   - Sort the Search Results
   - Delete Quarantined Messages
   - Release Quarantined Messages
   - View Quarantined Messages
8. Set up Disaster Recovery Services

Administer Disaster Recovery Services

Disaster Recovery Services consists of one of two services:

- Fail Safe - Fail Safe saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Fail Safe delivers the messages. Users cannot access their messages while messages are in Fail Safe only. Fail Safe has an unlimited amount of storage capacity but removes messages that have been in Fail Safe storage for more than 5 days.
- Email Continuity - Email Continuity saves messages for later delivery if your mail server becomes unavailable. When your mail server becomes available, Email Continuity delivers the messages. Users can access their messages through a Web-based interface while messages are in Email Continuity only. Email Continuity also has unlimited storage capacity and removes messages that have been in Email Continuity storage for more than 60 days.

Set up Spooling for Disaster Recovery

1 Click Email Protection Setup Disaster Recovery.
2 From the Domain drop-down menu, select the domain you want to set up for Disaster Recovery.
3 In the Configuration Settings section, select one of the following options:
   - Automatic - This option automatically spools all incoming email when Email Protection detects a loss of connectivity with your email server(s). With this option, you must also specify how long Email Protection should wait after connectivity is lost to begin spooling.
     Note: Be aware that it may take several minutes to determine that your inbound server is unavailable. During this time, and during the time delay, received emails can be tempfailed if your inbound server is unavailable.
   - Manual - This option allows you to start and stop Disaster Recovery spooling manually for planned email server outages such as server maintenance. When necessary, you then select Start Spooling to initiate manual spooling, and select Stop Spooling to stop it.
     Note: It may take a few minutes for manual spooling of incoming mail to start and stop.
4 If you selected the Manual option, check the Deliver spooled email when connectivity is available box to deliver spooled email when connectivity to the email server(s) is restored.
5 If your service includes Email Continuity, check the checkbox Allow users to use Email Continuity to set the default permission for users to get messages through Email Continuity. This setting applies to the domain. You can override this setting on the Disaster Recovery window under Policies if you have some groups that you don't want to allow access.

Set up Notifications of Disaster Recovery

You can specify that notifications are emailed automatically to designated recipients, typically yourself or other administrators, when the following Disaster Recovery events occur:

- Automatic spooling has started
- Automatic unspooling has started
- Automatic or manual unspooling has completed

1 Under the Notifications section of the Disaster Recovery Setup window, type, in the Recipient Email Address field, the email address of a person who should receive notification of a disaster recovery event.
  Note: In order to minimize the possibility that Disaster Recovery notifications cannot be delivered to listed recipients, it is recommended that notifications be sent to email addresses associated with cell phones or pagers.
2 Click Add.
3 Repeat steps 1 and 2 for up to three more notification recipients.
9. User-Level Policy Configuration

You can modify some aspects of a policy for individual users. For more information, see the following sections in the Account Management Administrator Guide.

- Personalize Spam Reporting for a User
- Allow or Deny Email to a User from Specific Addresses
- Search the Quarantine of a User
- View the Email Activity Summary of a User

Users can also manage some aspects of their email filtering. See Email Protection User Guide.
10. System Reports

Email Protection Reports

Email Protection provides a large number of reports with which to monitor your service.

Report - Description

- Traffic Overview - Information about all Inbound and Outbound email traffic and bandwidth for the designated domain(s) during the selected date or date range.
- Threat: TLS - Information about all TLS Inbound and Outbound email traffic, percentages and bandwidth for the designated Domain(s) during the selected date or date range.
- Traffic Encryption - Information about all outbound email traffic, percentages and bandwidth for the designated domain during the selected date or date range sent out to be encrypted.
- Threats: Overview - Information about email violations by policy type for the designated domain(s) during the selected date or date range.
- Threats: Viruses - Information about all Inbound and Outbound emails that violated the virus policies for the designated domain(s) during the selected date or date range.
- Threats: Spam - Information about emails that violated the spam policies for the designated domain(s) during the selected date or date range.
- Threats: Content - Information about emails that violated the content keyword policies for the designated domain(s) during the selected date or date range.
- Threats: Attachments - Information about emails that had attachments that violated the attachment policies for the designated Domain(s) during the selected date or date range.
- Enforced TLS Details - Information about all Enforced TLS Inbound and Outbound email traffic, including the number of messages and bandwidth for the designated Domain(s) during a selected timeframe. The report also includes a count of Inbound and Outbound messages that were denied due to an Enforced TLS Policy violation.
- Enforced SPF - The Enforced SPF report displays all Enforced SPF inbound email traffic, including the information about number of messages and validations for the designated domains, during a selected time frame. The report also includes a percentage of incoming email messages that were denied, validated or unavailable due to an Enforced SPF Policy violation.
- ClickProtect: Overview - Information about ClickProtect processing. ClickProtect processing tracks Web hyperlinks received in emails that can be clicked and followed by the user or that can be blocked, depending on the ClickProtect policy configurations for the designated domain(s) during the selected date or date range.
- ClickProtect: Click Log - Information about Web hyperlinks in emails that were clicked by the recipient for the designated domain(s) during the selected date or date range.
- Quarantine: Release Overview - Information about emails that were quarantined and released from all quarantine areas within the Email Protection for the designated domain(s) during the selected date or date range.
- Quarantine: Release Log - Information about emails that were released from all quarantine areas within the Email Protection for the designated domain(s) during the selected date or date range.
- User Activity - Information about all Inbound and Outbound email traffic and bandwidth for the designated domain(s) during the selected date or date range.
- Event Log - Displays messages that have had actions performed based on the content, spam content, virus, or attachment policy definitions. Messages can be sorted per domain, and Inbound direction, Outbound direction or both. Messages that are identified as threats by the Email Protection are also included.
- Audit Trail - Displays the audit log items for all actions performed by users at Report Manager, or higher level, roles within the Control Console for the designated domain(s) during the selected date or date range, including sign ins and configuration changes.
- Inbound Server Connections - Displays information about the connections made to the Inbound email servers during processing.
- Disaster Recovery: Overview - Information about emails that were spooled and unspooled by the disaster recovery service for the designated domain(s) during the selected date or date range.
- Disaster Recovery: Event Log - Displays the event log items for actions performed within the disaster recovery service. Included are actions performed automatically by the Email Protection and performed manually by the administrator.

View an Email Protection Report

To view an Email Protection Report, perform the following steps:

1 Click Email Protection Reports.
2 From the Domain drop-down menu, select the domain for which you want the report. The Traffic Overview report is displayed.
3 From the Reports drop-down menu, select the report you want.
4 Click the Period field to display the Calendar selector.
5 From the Calendar selector, do one of the following:
   A Select Today for data on the current day.
   B Select a specific date, within the last 7 days, to display data only for that date.
   C Select the name of the month that appears at the bottom of the calendar.
   D Select a month and date in the drop-down lists.
   E Position the cursor over the week number (to the left of the first date in a week) and click to display data for the entire week beginning with that date.

Note: You can select only the current month or click the down arrow at the top of the calendar to select the previous month. You cannot retrieve data from a timeframe beyond the previous month.

Change the Graphic Display of the Report

You can display some of the information in a report as a bar graph, as a line graph, or as a pie chart. To select a graphic display type, select the appropriate icon on the upper right corner of each graphic, if available. The icons are as follows:

- This icon displays the graphic as a bar graph.
- This icon displays the graphic as a line graph.
- This icon displays the graphic as a solid (filled) line graph.

Download a Report

To download textual report information into a Microsoft Excel spreadsheet (*.csv), click Download on any report, then follow the instructions.

Traffic Overview

The Traffic: Overview window displays overview information about the inbound and outbound email traffic for the designated domain.
The following table lists the report items in the report.

Report Item - Description

- Traffic Trends - The number of inbound and outbound emails for the designated Domain and date range.
   - Green - Inbound data
   - Purple - Outbound data
- Traffic Summary - Information about inbound and outbound email traffic for the designated Domain and date range as follows:
   - Inbound Messages - Indicates the total number of inbound emails received.
   - Average Inbound Messages/Hour - Indicates the average number of inbound emails received each hour.
   - Outbound Messages - Indicates the total number of outbound emails sent.
   - Average Outbound Messages/Hour - Indicates the average number of outbound emails sent each hour.
- Bandwidth Trends - The bandwidths, in kilobytes, used by inbound and outbound email for the designated Domain and date range.
   - Green - Inbound data
   - Purple - Outbound data
- Bandwidth Summary - Information about the bandwidth used by inbound and outbound email for the designated domain and date range as follows:
   - Inbound Total Bandwidth - The total bandwidth used by received inbound emails.
   - Average Inbound Message Size - The average size of inbound emails.
   - Outbound Total Bandwidth - The total bandwidth used by sent outbound emails.
   - Average Outbound Message Size - The average size of sent outbound emails.

Traffic: Enforced TLS Report

The Traffic: TLS Report window displays information about all TLS Inbound and Outbound email traffic, percentages and bandwidth for the designated Domain(s) during the selected date or date range.

Reporting Period: All report data is viewable on either a day, week, or month basis for the current month, or the previous month. You can use the Download button to save a copy of the currently displayed report results in spreadsheet format.

Report Purpose

Identifies Inbound and Outbound email messages that were delivered via a TLS connection and any email messages that were denied due to an Enforced TLS Policy violation.

Traffic Summary

- TLS Inbound Messages - The total of TLS inbound messages that were processed via a TLS connection.
- % Inbound Messages sent via TLS - The percentage of incoming email messages processed via a TLS connection.
- Inbound Messages blocked by Enforced TLS - The total of inbound email messages blocked by an Enforced TLS policy.
- TLS Outbound Messages - The total of TLS outbound messages that were processed via a TLS connection.
- % Outbound Messages sent via TLS - The percentage of outgoing email messages processed via a TLS connection.
- Outbound Messages blocked by Enforced TLS - The total of outgoing email messages blocked by an Enforced TLS policy.

Bandwidth Summary

- TLS Inbound Total Bandwidth - The quantity of data transferred via TLS, measured in bytes.
- % Inbound Bytes sent via TLS - The percentage of Inbound mail sent via TLS, measured in bytes.
- Outbound Total Bandwidth - The quantity of data transferred via TLS, measured in bytes.
- % Outbound Bytes sent via TLS - The percentage of Outbound mail sent via TLS, measured in bytes.

Traffic: Encryption

The Traffic: Encryption report displays information about all outbound email traffic, percentages and bandwidth for the designated domain during the selected date or date range sent out to be encrypted.
Selecting the checkbox for Email Encryption on both the Create/Edit Customer window and Create/Edit Domain window allows customers to use the Encrypt Message action when working with Outbound policy Content Groups. When the Encrypt Message action is selected for a Content Group, then any message that contains that content is routed to an encryption server and available to the recipient. Email Encryption is only available for a selected Outbound package.

Email Encryption Summary

- Outbound Messages blocked by Email Encryption - The total outbound messages to be delivered for encryption.
- % Outbound Messages sent via Encryption - The percentage of outgoing email messages sent out to be encrypted.

Email Encryption Bandwidth Summary

- Outbound Total Bandwidth - The total bandwidth of outgoing email messages sent for encryption.
- % Outbound Bytes sent via TLS - The percentage of outgoing message bytes sent out to be encrypted.

Threats: Overview

The Threats: Overview report displays overview information about email violations by policy type for the designated domain.
The following table lists the report items in the report.

Report Item - Description

- Inbound Threat Trends - The total number of inbound emails that violated each policy type for the designated Domain and date range. Data for each policy type is color-coded as indicated in the legend below the graphic.
- Inbound Threat Summary - Information about the number of inbound emails that violated each policy type for the designated Domain and date range.
   - Total Viruses - The total number of inbound emails that contained known worms and viruses.
   - Infection Rate - The percentage of inbound emails that contained known viruses vs. the total number of received inbound emails.
   - Total Spam Identified - The total number of inbound emails filtered for potential spam.
   - Spam Volume - The percentage of inbound emails that were filtered for potential spam.
   - Spam Beacons Detected - The total number of spam beacons detected in inbound emails. Note that each email may contain multiple spam beacons.
   - Content Keyword Violations - The total number of inbound emails that violated the content keyword policies.
   - Attachment Policy Violations - The total number of inbound emails that had attachments that violated the attachment policies.
- Outbound Threat Trends - The total number of outbound emails that violated each policy type for the designated domain and date range. Data for each policy type is color-coded as indicated in the legend below the graphic.
- Outbound Threat Summary - Information about the number of outbound emails that violated each policy type for the designated Domain and date range as follows:
   - Total Viruses - The total number of outbound emails that contained known viruses.
   - Infection Rate - The percentage of outbound emails that contained known viruses vs. the total number of sent outbound emails.
   - Content Keyword Violations - The total number of outbound emails that violated the content keyword policies.
   - Attachment Policy Violations - The total number of outbound emails that had attachments that violated the attachment policies.

Threats: Viruses

The Threats: Viruses report displays information about emails that violated the virus policies for the designated domain.
The following table lists the report items in the report.

Report Item - Description

- Virus Volume Trends - The total number of emails that contained known viruses.
   - Green - Inbound data
   - Purple - Outbound data
- Virus Detection Summary - Indicates information about the emails that contained worms or viruses:
   - Total Viruses Inbound - The total number of inbound emails that contained known viruses ("infected emails").
   - Inbound Infection Rate - The percentage of infected inbound emails vs. the total number of received inbound emails.
   - Total Viruses Outbound - The total number of infected outbound emails.
   - Outbound Infection Rate - The percentage of infected outbound emails vs. the total number of sent outbound emails.
   - Disinfected (cleaned) - The total number of infected emails that had their viruses successfully removed and the emails were forwarded to their destinations.
   - Stripped - The total number of infected emails that had the infected attachments stripped and then were forwarded to their destinations.
- Top Inbound Viruses - The most frequently encountered viruses in inbound emails, in the order of most frequent to less frequent, and the total number of encounters for each virus.
- Virus Policy Actions - The percentage of policy actions applied to infected emails.
- Top Outbound Viruses - The most frequently encountered viruses in outbound emails, in the order of most frequent to less frequent, and the total number of encounters for each virus.

Threats: Spam

The Threats: Spam window displays information about emails that violated the spam policies for the designated domain.
The following table lists the report items in the report.

Report Item - Description

- Spam Volume Trends - The total number of emails that violated spam policies.
   - Green - Inbound data
   - Purple - Outbound data
- Spam Detection Summary - Information about the emails that violated spam policies:
   - Total Inbound Spam Identified - The total number of inbound emails that violated spam policies.
   - Inbound Spam Volume - The percentage of inbound emails that violated spam policies vs. the total number of received inbound emails.
   - Spam Beacons Detected - The total number of spam beacons detected in emails. Note that each email may contain multiple spam beacons.
   - RBL - The total number of emails that were filtered by the Real-time Blackhole List (RBL).
   - DUL - The total number of emails that were filtered by the Dial-up User List (DUL).
   - RSS - The total number of emails that were filtered by the Relay Spam Stopper (RSS).
   - Spam Content Group - The total number of emails that contained keywords from the content groups that were created in the Anti-Spam Content Group subtab; in this example, the group named Viagra.
- Spam Policy Actions - The percentage of policy actions applied to the emails that violated spam policies.

Threats: Content

The Threats: Content window displays information about emails that violated the content keyword policies for the designated domain.
The following table lists the report items in the report.

Report Item - Description

- Content Policy Violation Trends - The total number of emails that violated the content keyword policies.
   - Green - Inbound data
   - Purple - Outbound data
- Top Inbound and Outbound Content Group Violations - Both the Top Inbound Content Group Violations and the Top Outbound Content Group Violations reports measure the number of messages found to violate the top ten inbound / outbound customer email content policies for both global policies and custom policies.

Information about the emails that violated content keyword policies:
   - Credit Card - The total number of emails that contained keywords and phrases from the Credit Card predefined content group.
   - Profanity - The total number of emails that contained keywords from the Profanity content group.
   - Racially Insensitive - The total number of emails that contained keywords from the Racially Insensitive content group.
   - Sexual Overtones - The total number of emails that contained keywords from the Sexual Overtones content group.
   - Social Security - The total number of emails that contained keywords and phrases from the Social Security predefined content group.
   - Custom Content Groups - The total number of emails that contained keywords from the content groups that were created in the Current Content Groups window; in this example, HIPPA Compliance.

- Content Policy Actions - The percentage of policy actions applied to the emails that violated content keyword policies.

Threats: Attachments

The Threats: Attachments window displays information about emails that had attachments that violated the attachment policies for the designated domain.
The following table lists the report items in the report.

Report Item - Description

- Attachment Policy Violation Trends - The total number of emails that had attachments that violated the attachment policies.
   - Green - Inbound data
   - Purple - Outbound data
- Attachment Summary - Information about the emails that had attachments that violated the attachment policies:
   - Average Attachment Size - The average size of attachments encountered in emails.
   - Executables - The total number of executables (for example, *.exe or *.com) received as attachments.
   - Scripts - The total number of script files received as attachments.
   - Office Documents - The total number of Microsoft Office documents (for example, *.doc or *.xls files) received as attachments.
   - Audio - The total number of audio files (for example, *.wav or *.mp3 files) received as attachments.
   - Images - The total number of graphic files (for example, *.gif or *.bmp files) received as attachments.
   - Compressed Archives - The total number of archive files (for example, *.zip or *.tar files) received as attachments.
- Attachment Policy Actions - The percentage of policy actions applied to the emails that had attachments that violated the attachment policies.

Enforced TLS: Details

The Enforced TLS Details report displays information about all Enforced TLS Inbound and Outbound email traffic, including the number of messages and bandwidth for the designated Domain(s) during a selected timeframe. The report also includes a count of Inbound and Outbound messages that were denied due to an Enforced TLS Policy violation.

Reporting Period: All report data is viewable on either a day, week, or month basis for the current month, or the previous month. You can use the Download button to save a copy of the currently displayed report results in a spreadsheet format.
Select your customer to manage.

Field - Description

- Customer - From the drop-down list select the Customer. (If needed)
- Domain - From the drop-down list select the Domain or All Domains. (If needed)
  Note: When there are 1000 domains listed in the drop-down, a Find button will display to assist the user in locating the correct domain.

Depending on how your system is configured, you may run a report for a primary domain, a domain alias, or a public domain. A Public Domain is a registered domain with a public MX record that is used for uniform email addresses across multiple primary domains. A public domain name will have the primary domain appended to it with brackets [primary domain], and a Domain Alias is appended with brackets [alias]. The following examples demonstrate this feature:

- acme.com [acme-denver.com] is the public domain [primary domain] respectively.
- acme.com [alias]

Traffic Summary

- Enforced TLS Accepted - Inbound Messages - The total number of TLS inbound messages that were processed via an Enforced TLS connection for a given domain.
- Enforced TLS Accepted - Outbound Messages - The total number of TLS outbound messages that were processed via an Enforced TLS connection for a given domain.
- Enforced TLS Accepted - Inbound Bandwidth - The quantity of data transferred via Enforced TLS for inbound messages, measured in bytes, for a given domain.
- Enforced TLS Accepted - Outbound Bandwidth - The quantity of data transferred via Enforced TLS for outbound messages, measured in bytes, for a given domain.
- Enforced TLS Denied - Inbound Messages - The total of incoming email messages blocked by an Enforced TLS policy for a given domain.
- Enforced TLS Denied - Outbound Messages - The total of outgoing email messages blocked by an Enforced TLS policy for a given domain.

Enforced SPF Report

The Enforced SPF report identifies inbound email messages that were delivered or denied due to an Enforced SPF Policy violation.
SPF Report Summary

Field - Description

- Top Enforced SPF Denied Domains - The total number of email messages, including the top ten defined domains, that were denied by an Enforced SPF policy because their SPF record could not be validated.
  Note: Data in the report table does not display unless an Enforced SPF policy has been created with a deny action or domains have been added to the list for the Enforced SPF policy.
- SPF Message Summary - Summarizes in text form the totals and percentages of Enforced SPF emails that were successful, unavailable or failed.

ClickProtect: Overview

The ClickProtect: Overview window displays overview information about ClickProtect processing. ClickProtect processing tracks Web hyperlinks received in emails that can be clicked and followed by the user or that were blocked, depending on the ClickProtect policy configurations.
The following table lists the report items in the report.

Report Item - Description

- ClickProtect Trends - The numbers of emails that contained hyperlinks and that contained hyperlinks that were clicked by the recipients.
   - Green - Total number of emails that contained hyperlinks.
   - Purple - Number of emails that contained hyperlinks that were clicked by the recipients.
- ClickProtect Statistics - Information about the emails that contained hyperlinks that were processed by ClickProtect:
   - Messages with links - The total number of emails that contained hyperlinks.
   - Messages with multiple links - The total number of emails that contained multiple hyperlinks.
   - Total clicks - The total number of times that a recipient clicked a hyperlink in an email.
   - Total allowed click throughs - The total number of times that a recipient was allowed to access the destination designated in a clicked hyperlink.
   - Total denied click throughs - The total number of times that a recipient was prevented from accessing the destination designated in a clicked hyperlink.
   - Number of individual users that clicked - The total number of recipients that attempted to click a hyperlink in an email.
   - Spam messages with clicks - The total number of spam emails that contained hyperlinks clicked by recipients.
   - Messages with links on the ClickProtect Allow List - The total number of emails that contained hyperlinks that were listed on the ClickProtect Allow list.

ClickProtect: Click Log

The ClickProtect: Click Log window displays information about hyperlinks in emails that were clicked by recipients.
The following table lists the report items in the report.

- Timestamp: The date, time, and time zone when the hyperlink was clicked in the filtered email.
- From: The email address that sent this email (sender email address).
- To: The email address to which this email was sent (recipient email address).
- Subject: The text that was in the subject header of this email.
- URL: The URL destination defined in the clicked hyperlink (the URL to where the recipient attempted and/or was successful in clicking through).
- Score: The spam likelihood score that was assigned to the email by Email Protection.

Quarantine: Release Overview

The Quarantine: Release Overview displays overview information about emails that were quarantined and released from all the quarantine areas within Email Protection for the designated domain.
The following table lists the report items in the report.

- Inbound Quarantine Release Trends: The total number of emails that were quarantined and then released in all the quarantine areas. Data for each policy type is color-coded as indicated in the legend below the graphic.
- Inbound Spam Release Summary: Information about the emails that were quarantined as potential spam and then released.
  - Total Spam Identified: The total number of quarantined emails that were identified as potential spam.
  - Total Spam Released: The total number of emails released from the spam quarantine.
  - Release Percent: The percent of emails released from the spam quarantine vs. the total number of emails that were quarantined as potential spam.
  - Total # of individuals: The total number of user accounts that had emails released from the spam quarantine.
- Inbound Virus Release Summary: Information about the emails that were quarantined because of viruses and then released.
  - Total Viruses Identified: The total number of viruses detected in incoming emails that were quarantined.
  - Total Virus Released: The total number of emails released from the virus quarantine.
  - Release Percent: The percent of emails released from the virus quarantine vs. the total number of emails that were quarantined because of viruses.
  - Total # of individuals: The total number of user accounts that had emails released from the virus quarantine.
- Inbound Content Release Summary: Information about the emails that were quarantined because of content and then released.
  - Total Content Policy Violations: The total number of quarantined emails that violated content policies.
  - Total Content Released: The total number of emails released from the content quarantine.
  - Release Percent: The percent of emails released from the content quarantine vs. the total number of emails that were quarantined because of content.
  - Total # of individuals: The total number of user accounts that had emails released from the content quarantine.
- Inbound Attachment Release Summary: Information about the emails that were quarantined because of attachments and then released.
  - Total Attachment Policy Violations: The total number of quarantined emails that violated attachment policies.
  - Total Attachment Released: The total number of emails released from the attachment quarantine.
  - Release Percent: The percent of emails released from the attachment quarantine vs. the total number of emails that were quarantined because of attachments.
  - Total # of individuals: The total number of user accounts that had emails released from the attachment quarantine.
Quarantine: Release Log

The Quarantine: Release Log displays detailed information about emails that were released from all the quarantine areas within Email Protection for the designated domain.
The following table lists the report items in the report.

- Display: Designates which type of quarantine release events to display.
  - All Events: Displays release events for all the quarantines.
  - Spam: Displays release events for the spam quarantine.
  - Attachments: Displays release events for the attachment quarantine.
  - Content: Displays release events for the content quarantine.
  - Viruses: Displays release events for the virus quarantine.
- Type: The reason why this email was quarantined.
  - Spam: Email violated spam policies.
  - Virus: Email contained a known virus.
  - Attach: Email's attachment violated the attachment policies.
  - Content: Email contained content that violated the content policies, including keywords and HTML.
- From: The email address that sent this email (sender email address).
- To: The email address to which this email was sent (recipient email address).
- Subject: The text that was in the subject header of this email.
- Release Date: The date, time, and time zone when this email was released from quarantine in Email Protection.
- Size: The total file size of this email, including all attachments.
- Additional Feature: Position your cursor anywhere over a log item and the Item Pop-up window appears, displaying more information about the item.
View Details of Log Items

You can view detailed information about a log item when the cursor is positioned over it. The specific information differs depending on which report you are viewing.

The following table lists the report items in the report.

- Type: The reason why the email was quarantined.
  - Spam: Email was quarantined because it violated spam policies.
  - Viruses: Email was quarantined because it violated virus policies.
  - Attachments: Email was quarantined because it violated attachment policies.
  - Content: Email was quarantined because it violated content policies.
- Subject: The contents of the Subject line of the email.
- To: The email address to which this email was addressed (recipient email address).
- Sender IP: The IP address of the server that sent the email.
- From: The email address from which this email was sent (sender email address).
- Released by: The user account of the user who released the email from the quarantine.
- Quarantine: Depending on the reason why the email was quarantined, this description indicates the specific reason why the email was quarantined:
  - Score: Indicates the spam likelihood score that was assigned to the email.
  - Attachment Type: Indicates the name of the attachment that caused the email to be quarantined.
  - Virus: Indicates the name of the virus that caused the email to be quarantined.
  - Content Keyword: Indicates the specific content keyword that caused the email to be quarantined.
- Size: The total file size of the email, including attachments.
- Release Date: The date, time, and time zone when the email was released from the quarantine.
- Quarantine Date: The date, time, and time zone when the email was quarantined.
- Timestamp: The date, time, and time zone when the logged item was processed (for example, when an email was processed by Email Protection).
- Details: Additional information about the logged item (for example, the name of the virus in the email).
- Actions: The email action that was performed on the email.
- Server: The name or IP address of the inbound server.
- Registered on: The DNS Authorized Name Server where the inbound server is registered.
- Status: The status of the inbound server.
- Preference: The preference level assigned to the inbound server.
- Domain(s): The domains that are using this inbound server in Email Protection.

User Activity

The User Activity report displays the user accounts that have received the most inbound emails and have sent the most outbound emails for the designated domain.
The following table lists the report items in the report.

Top Inbound Users area

- Email Addresses: The recipient email addresses that received the most inbound email, in order of volume.
- Messages: The total number of emails received by each email address.
- Size: The size of the largest email, including attachments, received by each email address.

Top Outbound Users area

- Email Addresses: The sender email addresses that sent the most outbound email, in order of volume.
- Messages: The total number of emails sent by each email address.
- Size: The size of the largest email, including attachments, sent by each email address.
Event Log

The Event Log displays the event log items for actions performed for emails that were determined to violate content, spam content, virus, or attachment policies for the designated Domain and date range, including actions performed automatically by Email Protection and performed manually by the users.

The following table lists the report items in the report.

- Display: Designates which set of event log items to display.
  - All Events: Displays event log items for actions performed for all the quarantines.
  - Attachments: Displays only event log items for actions performed on emails that had attachments that violated the attachment policies.
  - Content: Displays only event log items for actions performed on emails that violated the content policies.
  - Spam Keyword: Displays only event log items for actions performed on emails that violated the spam content keyword policies.
  - Viruses: Displays only event log items for actions performed on emails that contained known viruses.
- Direction: Designates whether event log items for inbound emails or outbound emails are displayed.
  - Inbound Only: Designates that only inbound emails are displayed.
  - Outbound Only: Designates that only outbound emails are displayed.
  - Inbound & Outbound: Designates that both inbound and outbound emails are displayed.
- Type: The type of policy that the filtered email violated.
- Timestamp: The date, time, and time zone when the action was performed on the filtered email.
- From: The email address that sent this email (sender email address).
- To: The email address to which this email was sent (recipient email address).
- Subject: The text that was in the subject header of this email.
- Details: The reason for the action (for example, if the email contained a virus, the virus name is shown).
- Action: The action that was applied to the email.
- Additional Feature: Position your cursor anywhere over a log item and the Item Pop-up window appears, displaying more information about the item.

Audit Trail

The Audit Trail report displays the audit log items for all actions performed by users with Report Manager or higher-level roles within the Control Console for the designated domain and date range, including user names and configuration changes.
The following table lists the report items in the report.

- Timestamp column: The date, time, and time zone when the action was performed in the Control Console.
- Domain column: The domain where the action was performed.
- Details column: A description of the action that was performed, including the role and user account of the user that performed the action.

Inbound Server Connections

The Inbound Server Connections report displays information about the connections made to the inbound email servers (a.k.a. Customer MTAs) during processing. This report may be useful in determining down times or connection issues.
The following table lists the report items in the report.

- Display Volume Trends For: Designate which inbound server(s) to display.
  - All Servers: Display information for all the inbound servers configured for the selected Domain.
  - Inbound Server: Display information about the selected inbound server only.
- Connection Volume Trends for All Servers: The total number of successful and unsuccessful connections to the designated server(s). Optionally, select one of the graphic display type icons to change the appearance of the graph.
  - Green: Indicates successful connections.
  - Purple: Indicates failed connection attempts.
- Overall Failure Rate: The percentage of connection failures to the designated server(s).
- Total Successes: The total number of successful connections to the designated server(s).
- Total Failures: The total number of unsuccessful attempts to connect to the designated server(s).
- Server:Port: The server address and port being reported.
- Failure Rate %: The percentage of connection failures to this server and port.
- Success: The total number of successful connections to this server and port.
- Fail: The total number of unsuccessful attempts to connect to this server and port.

Disaster Recovery: Overview

The Disaster Recovery: Overview report displays information about emails that were spooled and unspooled by the disaster recovery service, which can be either FailSafe or Email Continuity.
The following table lists the report items in the report.

- Disaster Recovery Trends Messages: The total number of spooled and unspooled emails processed by the disaster recovery service over the designated time period. Optionally, select one of the graphic display type icons to change the appearance of the graph.
- Disaster Recovery Summary - Messages: The numbers of emails processed by the disaster recovery service.
  - Spooled Messages: Indicates the number of emails that were spooled, either automatically or manually.
  - Unspooled Messages: Indicates the number of emails that were unspooled, either automatically or manually.
- Disaster Recovery Trends Bytes: The amount of spool storage used by spooled and unspooled emails processed by the disaster recovery service over the designated time period. Optionally, select one of the graphic display type icons to change the appearance of the graph.
- Disaster Recovery Summary Bytes: Details of the file size of spooled and unspooled emails processed by the disaster recovery service over the designated time period.
  - Spooled Bytes: Indicates the amount of spool storage used by spooled emails.
  - Unspooled Messages: Indicates the amount of spool storage freed by unspooled emails.

Disaster Recovery: Event Log

The Disaster Recovery: Event Log displays the event log items for actions performed within the disaster recovery service, which can be either FailSafe or Email Continuity. Actions include those performed automatically by Email Protection and those performed manually by the users.
The following table lists the report items in the report.

- Timestamp: The date, time, and time zone when the action was performed in disaster recovery.
- Event: The event log items for disaster recovery actions performed for the designated domain and date range.
- Initiated By: The responsible party that performed the disaster recovery action. If an action was manually performed, indicates the role and user account of the person who performed the action.

Administer MSP Connector

Managed Service Platform (MSP) Connector enables the delivery of email traffic and threat data directly to your ConnectWise network performance dashboards. The MSP Connector will only push data from the previous calendar month to the ConnectWise dashboard. All data will be kept for two calendar months. For example, in July, customers would be able to view data from both May and June.

Customers who also subscribe to the ConnectWise network automation services will be able to obtain a quick, at-a-glance view of their monthly Email Protection traffic and threat data directly through the ConnectWise dashboard, without having to log into the Control Console.

To utilize the MSP Connector capabilities, you should:

- Configure your ConnectWise information on the Configuration window.
- Select the domains needed to push your data to ConnectWise.
- Enable Exception Notification if you wish to receive .csv files reporting data.
- Create a distribution list for your domains.

NOTE: To utilize this functionality the user must have ConnectWise 7.2 and an MSP Integration Add-On.

Configure the MSP Connection

To configure the MSP connection to ConnectWise, perform the following steps:

1. Click Account Management > Customers > MSP Connector. The Configuration window is displayed.
2. Check the box to enable the ConnectWise integration.
3. Click SSL: Enable to ensure your information is encrypted through Secure Sockets Layer (SSL). NOTE: When SSL is disabled, a warning message displays.
4. In the Site field, type your ConnectWise access site.
5. In the Company ID field, type your ConnectWise Company ID.
6. In the Integrator Username field, type your ConnectWise Integrator Username.
7. In the Integrator Password field, type your Integrator Password for ConnectWise. Note: Click the Change Password button to update or change your Integrator Password information to match your Integrator Password to ConnectWise.
8. In the Time Zone drop-down menu, select the time zone on which to base the timestamp for the ConnectWise instances.
9. Click Test to make sure the connection works.
10. Click Save.
Add Domains to the MSP Connection

To assign the domain(s) for which data should be sent to ConnectWise, perform the following steps:

1. Click Account Management > Customers > MSP Connector.
2. Click Domains. The Domains window is displayed.
3. To find one or a few domains out of a large number of domains, type the name of the domain you wish to find in the Filter field.
4. Click Filter.
5. In the Available Domains column, check all domains whose information is to be pushed to ConnectWise.
6. Click Add to move them to the Selected Domains column.

Note: Clicking Add All selects all domains, even those not displayed due to pagination. Add All is disabled if there is an active filter for available domains.
Remove Domains from the MSP Connection

To remove domains from the MSP connection, select the domain(s) you want to remove, and click Remove.

Note: Clicking Remove All will remove the domains listed, even those not displayed due to pagination. The Remove All button is disabled if there is an active filter for selected domains.

Turn on Exception Notifications for the MSP Connection

To turn on exception notifications, perform the following steps:

1. Click Account Management > Customers > MSP Connector.
2. Click Notifications.
3. Click the Exceptions Notifications: Enable checkbox to turn on notifications.
4. From the Exception Notification Distribution drop-down menu, select the distribution list to receive an MSP Connector Exception report via email. The Exception Report is a .csv file, sent out at approximately 12:00 A.M. MT, which includes all failures that occurred in the last 24 hours. Failures may include one of the following:
  - Failed - authentication
  - Failed - connection
  - Failed - invalid Company ID
  - Failed - invalid Solution Name
  - Failed - rejected
  - Failed - unknown
5. Click Save.

The following figure displays an example of an MSP Connector Exception report.

View an MSP Connector Audit Report

To view an MSP Connector Audit Report, perform the following steps:

1. Click Account Management > Customers > MSP Connector.
2. Click Audit Report. A list of Audit Reports is displayed.
The Status column lists the status of attempts to pass data to ConnectWise.

3. Double-click a report to view the details of the report. The details of the audit reports are displayed.
The following table lists the report items in the report.

- Status: The following table defines the possible report statuses in the Audit Report and the suggested actions to correct the status.

  Status Definitions and Suggested Actions:
  - Completed - X domains succeeded: No action required.
  - Partially Completed - X of Y domains failed: Domains failed because they may not have been provisioned on the ConnectWise side.
  - Failed - authentication: Username, password, or site is invalid; check information on the ConnectWise side.
  - Failed - connection: ConnectWise server was moved; ConnectWise server was offline; ConnectWise network potentially down.
  - Failed - invalid Company ID: Company ID may have changed on the ConnectWise side.
  - Failed - invalid Solution Name: Contact Support.
  - Failed - rejected: Domains failed because they may not have been provisioned on the ConnectWise side.
  - Failed - unknown: Contact Support.
- Domain: The customer's domain.
- Spam removed: The total number of inbound messages detected as medium or high-likelihood spam for the previous calendar month.
- Viruses Removed: The total number of messages with known viruses (infected emails) for the previous calendar month.
- Account Messages: The total number of messages successfully delivered to the receiving MTA for the previous calendar month.
- Total Messages: The total number of messages processed for the previous calendar month. Note: The sum of Spam Removed, Viruses Removed and Account Messages may not equal the Total Messages.
- Spam Removed: The total number of inbound messages detected as medium or high-likelihood spam starting from the beginning of the current calendar year through the date the report was generated.
- Viruses Removed: The total number of messages with known viruses (infected emails) starting from the beginning of the current calendar year through the date the report was generated.
- Account Messages: The total number of messages successfully delivered to the receiving MTA starting from the beginning of the current calendar year through the date the report was generated.
- Total Messages: The total number of messages processed starting from the beginning of the current calendar year through the date the report was generated. Note: The sum of Spam Removed, Viruses Removed and Account Messages may not equal the Total Messages.

Download an Audit Report

You can download an Audit Report in the form of a .csv file by clicking Download.

Administer Performance Reports

Performance Reports are PDF files, delivered only via email, that provide graphs and charts that visually present statistical information regarding your Email Protection. Your Performance Report information can be set to report weekly and/or monthly data. You may copy this statistical report for your company's use.

Note: Performance Reports are also available for Web Protection Service.

The report period for weekly reports is 12:00 a.m. Monday until 11:59 p.m. Sunday. The report period for monthly reports is the first day of the month at 12:00 a.m. until the last day of the month at 11:59 p.m.
Some of the data within this report is subject to variables such as:

- Time zone settings
- Message delivery timing (may be briefly queued)
- Quarantine releases
- Reporting period
To administer Performance Reports, perform the following steps:

1. If necessary, click Account Management > Customers > Distribution Lists to set up a distribution list to which you want to send the reports. For more information, see the online Help or Create a Distribution List for Email Protection Status Messages and Performance Reports in the Account Management Administrator Guide.
2. Click Account Management > Customers > Performance Reports. The Customer Performance Reports window is displayed.
3. From the Deliver To drop-down menu, select the distribution list containing the recipient(s) for the Performance Reports.
4. From the Time Zone drop-down menu, select the time zone for the Performance Reports.
5. Click either or both of the Frequency checkboxes to specify how often a report is sent and what data is included:
  - Weekly: The report is sent at the beginning of the week and shows data for the previous week, from Monday through Sunday.
  - Monthly: The report is sent at the beginning of the month and shows data for the previous month, from the first day through the last day of the month.
6. Click Save.

Note: You can also click Send Now to immediately email the Performance Report from the last reporting period to the distribution list.

Performance Report Descriptions

The following tables reflect either weekly or monthly reports depending on the customer's request.
Inbound Messages Report, Weekly or Monthly

The Inbound Messages Overview reflects the total number of Inbound Messages that were processed and delivered. This includes:

- Inbound Threats
- Inbound Message Actions
- Disaster Recovery reports

Field descriptions:

- Total Inbound Messages: The total number of all inbound messages processed. When users have the same filtering options, the message is counted only one time. When a user has a specific filtering option, the message is counted for each particular user configuration.
- Inbound Messages Delivered: The total number of all inbound messages successfully delivered.
- Spam Detected: The total number of all inbound messages counted as SPAM.
- Virus Detected: The total number of all inbound messages counted as Viruses.
- Attachment Violations: The total number of all inbound messages with attachments that violated the policy rules for attachments.
- Content Violations: The total number of all the inbound messages with words that violated the policy rules for content groups.
- Normal Delivery: The total number of all inbound messages delivered that did not have the policy action Clean, Quarantine, Strip, Tag, or Deny applied to the message.
- Cleaned: The total number of all inbound messages that violated the policy rules for virus and had the policy action Clean applied to the message.
- Denied: The record of all the inbound messages refused because they violated the policy rules for spam, virus, content, or attachments or are on a deny list.
- Quarantined: The total number of all inbound messages that violated the policy rules for spam, virus, content, or attachments and had the policy action Quarantine applied to the message.
- Stripped: The total number of all inbound messages that violated the policy rules for attachments or virus and had the policy action Strip applied to the message.
- Tagged: The total number of all inbound messages that violated the policy rules for spam or content and had the policy action Tag applied to the message.
- Spooled Messages: The total number of all messages spooled, either automatically or manually.
- Unspooled Messages: The total number of all messages unspooled, either automatically or manually.
Outbound Messages Overview

The Outbound Messages Overview reports on the number of messages processed and successfully delivered. This includes:

- Outbound Threats
- Outbound Message Actions
11. Tips and Frequently Asked Questions

FAQs

User Management

Question: Can a user see another user's quarantined emails?

Answer: Sign in access to the Control Console is user-specific. Unless the user has logged in as an Administrator or Quarantine Manager, the user will not be able to see quarantined emails or any other data for any other user. The exception is that Report Managers will be able to see data in the reports if it is user-specific (for example in the User Activity Report window).

Question: I see email addresses in the User Management window that aren't real or that I didn't add.

Answer: Email Protection delivers all email that is addressed to your Domains, unless the email is rejected by your inbound servers or the email has been filtered because it violated a defined policy. This type of email delivery is known as proxy service. If the User Creation field is set to SMTP Discovery, Email Protection will auto-create user accounts for new email addresses if all the following are true:

- A specified number (default is 3) of emails that were not quarantined or denied have been received within a day for the new email address. Emails that had content stripped, but were sendable, can still trigger automatic user account creation. Emails that would have been quarantined, but were received before the user account was created, will be denied.
- Your inbound server accepted delivery of the emails.
- A user account does not already exist for the new email address.
- The new email address was not sent to an alias domain name.

Thus, you will see email addresses in the User Management window that may be invalid in your system, but that your inbound server accepted. You can either manually delete these user accounts or they will be automatically deleted after a default time period if no sign-ins or user-level configurations are detected for these user accounts. Sign-ins from the Spam Quarantine Report are included.
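As an added illustration (not part of the original guide and not McAfee code), the following Python sketch replays the auto-creation conditions listed above over constructed mail-flow events and compares an inbound server that accepts every recipient with one that rejects unknown recipients. The event format, action labels, sample addresses, and the calendar-day reading of "within a day" are assumptions.

```python
"""Replay the SMTP Discovery auto-creation rules over sample mail flow.

Added illustration, not McAfee code. The event format, action labels and
the calendar-day reading of "within a day" are assumptions of this sketch.
"""
from collections import Counter
from datetime import datetime

THRESHOLD = 3                            # guide default: 3 qualifying emails
NON_QUALIFYING = {"quarantine", "deny"}  # stripped-but-sendable mail still counts

# Constructed sample traffic: (timestamp, recipient, filtering action).
SAMPLE = [
    ("2012-11-05 08:01", "alice@example.com", "deliver"),
    ("2012-11-05 08:10", "sales1@example.com", "deliver"),
    ("2012-11-05 09:15", "sales1@example.com", "strip"),
    ("2012-11-05 11:40", "sales1@example.com", "deliver"),
    ("2012-11-05 12:00", "info7@example.com", "deliver"),
    ("2012-11-05 12:05", "info7@example.com", "quarantine"),
    ("2012-11-05 12:09", "info7@example.com", "deliver"),
    ("2012-11-05 23:50", "jsmith@example.com", "deliver"),
    ("2012-11-05 23:55", "jsmith@example.com", "deliver"),
    ("2012-11-06 00:05", "jsmith@example.com", "deliver"),
    ("2012-11-06 09:00", "carol@example.com", "deliver"),
    ("2012-11-06 09:05", "carol@example.com", "deliver"),
    ("2012-11-06 09:10", "carol@example.com", "deliver"),
    ("2012-11-06 10:00", "bob@alias.example", "deliver"),
    ("2012-11-06 10:01", "bob@alias.example", "deliver"),
    ("2012-11-06 10:02", "bob@alias.example", "deliver"),
]

EXISTING_USERS = {"alice@example.com"}   # accounts already in User Management
ALIAS_DOMAINS = {"alias.example"}        # alias domain names never trigger creation
# Mailboxes that really exist on the customer's inbound server (constructed).
REAL_MAILBOXES = {"alice@example.com", "carol@example.com", "jsmith@example.com"}


def discovered_accounts(events, inbound_rejects_unknown, threshold=THRESHOLD):
    """Return the addresses that would be auto-created, in creation order."""
    known = {a.lower() for a in EXISTING_USERS}
    per_day = Counter()
    created = []
    for ts, rcpt, action in sorted(events):
        rcpt = rcpt.lower()
        domain = rcpt.rsplit("@", 1)[1]
        if rcpt in known or domain in ALIAS_DOMAINS:
            continue          # account exists already, or alias domain
        if action in NON_QUALIFYING:
            continue          # quarantined/denied mail does not count
        if inbound_rejects_unknown and rcpt not in REAL_MAILBOXES:
            continue          # inbound server refused the recipient
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M").date()
        per_day[(rcpt, day)] += 1
        if per_day[(rcpt, day)] >= threshold:
            known.add(rcpt)
            created.append(rcpt)
    return created


def phantom_accounts(created):
    """Auto-created accounts with no real mailbox behind them."""
    return [a for a in created if a not in REAL_MAILBOXES]


if __name__ == "__main__":
    for rejects in (False, True):
        made = discovered_accounts(SAMPLE, inbound_rejects_unknown=rejects)
        print("inbound rejects unknown recipients:", rejects)
        print("  auto-created:", made)
        print("  phantom     :", phantom_accounts(made))
```

With the accept-all inbound server the constructed address sales1@example.com becomes an account even though no such mailbox exists; with recipient rejection only the real mailbox carol@example.com is created.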
Because user accounts might be continually created and deleted, both manually and automatically, and because a single user may use multiple email addresses, billing is not determined by the number of user accounts in a Domain. Billing is determined by the value entered in the Total Billed Users Qty field during Domain creation or edit.

If you want to disable the automatic creation of user accounts, do one of the following:
- Set the User Creation field to Explicit.
- Configure your inbound email servers to deny emails received for invalid recipients.

Question: How does the user log into the Control Console for the auto-created email address?

Answer: One of the following must occur before a user can log into the Control Console:

- The user must receive a Spam Quarantine Report and click one of its links before they expire.
- The user must request a Set Password email in the Sign in window.
- An Administrator can manually set the password for the user in the Control Console.

Question: Why does a Web browser open when I try to do anything on my Spam Quarantine Report?

Answer: The Spam Quarantine Report provides an easy-to-use connection into the appropriate feature in the Control Console. The Control Console is a Web-based graphical user interface and is the primary interface to Email Protection. When a user clicks a link in the Spam Quarantine Report, it causes the default Web browser to open, automatically logs the user into the Control Console, and performs the action designated in the clicked link.

Email Filtering

Question: I've just made a change to my policies; how long does it take before it is active?

Answer: Typically, most configuration changes in the Control Console, including policy configurations, Allow and Deny lists, and changes to entity configurations, will take approximately 10-15 minutes before the configuration is effective. Depending on the system architecture, the changes must be stored and then propagated to multiple MTAs performing the processing for Email Protection. Some changes may take longer, such as deleting an entire domain with all its related data.

Question: There are emails in my quarantine that I want to always receive. I clicked the Always Allow button, but the emails still get caught. What am I doing wrong?

Answer: The user-level Allow list does not disable virus, content, or attachment filtering; it only disables the spam filtering.
If the email violated any of the enabled policies, it would be filtered even if its sender address was added to the user-level Allow list.

In addition, companies often send items in a format that looks like spam that a user may have opted to receive, such as electronic newsletters or emails, causing the email to be quarantined. When a user clicks the Always Allow link in the Spam Quarantine Report or the Spam Message Quarantine window, the sending email address is added to the user-level Allow list. However, for various reasons, emails of this nature may not always come from the same address every day. Because senders often rotate the address of these types of emails, the same item could be delivered the very next day and still be blocked because the sender address does not match the previous entry in the Allow list.

To help prevent this situation, you can use wildcards to designate an entire domain or part of an email address (if there is a common pattern) to be added in the Allow list, thus accepting all mail from the domain or email addresses that matched the designated pattern.

Question: What are the default email policies?

Answer: You can view the current default policy configurations in the Policy Configurations set of windows. The default settings are designed to minimize the possibility that email will be blocked while still providing reasonable protections against attacks and viruses.

Question: How does Email Protection score spam? What about false positives?

Answer: The Anti-Spam filtering technology detects the likelihood that an email is spam by processing the email through thousands of heuristics, rules, and tests, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework. Each test provides a weighted score that is added to the overall spam score. We have pre-defined two threshold scores for your Anti-Spam policy, high and medium. You can designate a separate action to be performed for each threshold.

It is important to note that some emails might be marked as spam when in fact they are legitimate emails ("false positive"). While we believe that this false positive tagging will not be a frequent occurrence, it may happen occasionally, especially to mailing-list and newsletter traffic.

Using the Control Console, you can quarantine, tag, or block emails based on the corresponding threshold levels. Additionally, you can construct enterprise-level Allow and Deny lists that override spam threshold levels. Finally, you can enable or disable the Realtime Blackhole List (RBL).

Question: What exactly does deny delivery do? Will we add to email volume by generating bounce messages if we set our policies to Deny?

Answer: To satisfy standard SMTP protocol, if an email is denied for any reason, the Email Protection MTA sends a 5xx Deny message to the sender MTA. At that point, the standard configuration for the sender MTA is to send a bounce email to the sender address. It is possible that the sender MTA will just drop the message, but this is atypical. Email Protection has no control over the actions of the sender MTA.

The exception to this processing is if the Recipient Shield policy is set to Deny. In this case, Email Protection will generate the bounce email and send it directly to the sender address.

Use the Accept and Silent Discard email action for the relevant policies if you want to minimize email volume caused by 5xx Deny messages or if you do not want the sender to be notified that the email was denied. This email action accepts the email as if it was valid, and then discards it without notification to the sender or recipient.

Question: I'm receiving spam email from my own email address and I know I didn't send it. What's happening and how do I stop it?

Answer: A spammer has spoofed your email address. Spoofing means that the From: address in emails has been falsified to be an address other than the real source of the emails. The intent is to trick the recipient into opening the email because it appears to be from a trusted source. In your case, they made the mistake of using your own email address as the spoofed address and you realized that you had not sent the email. Spoofing is illegal according to the CAN-SPAM Act of 2003; however, it is still a common tactic used by spammers.

You can do any of the following in Email Protection to block these types of emails.

- Confirm that your own email address is not in an Allow list. It is possible that the spoofed email would be caught by normal spam filtering; however, if your email address is in an Allow list, spam filtering will be disabled. If necessary, remove your email address from any Allow lists to make sure spam filtering is performed.
- Add your own email address to your user-level Deny list. This policy will automatically deny any emails received from your email address. It will apply to all emails received from the Internet into Email Protection that are filtered and then sent to you. It will affect only emails sent to your address.
- Add your own email address or entire Domain name to your policy set Sender Deny list. This policy will do the same as above, but will apply to all user accounts subscribed to that policy set. If the Domain name is used, then all emails from that Domain will be filtered.

Note: Using a Deny list as a filtering tactic in this situation will succeed only if your corporate email is not sent into the Internet cloud before delivery to other addresses in your Domain name. The assumption is that your corporate email is delivered within your internal network without filtering by Email Protection.
If your organization does deliver your corporate email using a delivery method that includes sending it into the Internet, it is possible that valid corporate emails will be filtered if you make the above policy changes.

System Configuration

Question: I just redirected my MX Record. How can I make sure that my email is coming through Email Protection?

Answer: Once the MX Record has been redirected and the entities (Reseller, Customer, Domain, and user accounts) have been configured, emails can be sent from a sender outside of the system to a user provisioned on the Domain. To see if the email was received in your system from Email Protection, monitor email processing flow in the Overview window.

You should be aware that email servers do not always accept changes immediately after the redirection of the MX Record. This means that some email servers may still send email directly to your inbound servers and not to the redirected MX Record for the first 2-3 days after the redirection.

It is also highly recommended that you block the acceptance of email traffic from any source other than Email Protection into your inbound servers, to help prevent hackers from connecting directly to your servers.

Question: Why am I redirecting the MX Record and how does my email get back to me?

Answer: The MX Record is the method of telling all the other email servers on the Internet who you are (your domain names) and where you are (your inbound server addresses). When any email is sent, the sending email server looks at the MX Record to verify the email server to which the email should be delivered.

By redirecting your MX Record to point to the server where Email Protection is installed, you are sending your email to Email Protection. Email Protection captures your domain's email traffic by acting as the email server for the Domain, routing the traffic through Email Protection filters, and then delivering the acceptable emails to your email servers. You configure your email servers in the Inbound Servers Setup window.

In a similar way, if you have enabled outbound email filtering, you would configure your sending email server to send your email to Email Protection. Email Protection filters your email and then sends it to the Internet cloud.

One advantage of redirecting your MX Record is that the addresses of your email servers are now no longer published, which helps to protect your email servers from direct email attacks and bad email.

Question: My server went down for a short period of time. What happened to our company's emails?

Answer: Email Protection attempts to connect to all the servers configured for your domain in the Inbound Servers Setup window in the order designated in the Preference column, from the lowest number to the highest number. It then determines whether you have Fail Safe enabled for your email and if it is, it will start spooling and unspooling the email appropriately.
If Fail Safe is not enabled and if Email Protection cannot establish a connection with any of your email server(s), it will deliver a temporary failure message to the sending email server. When this occurs, the sending email server will usually attempt to redeliver the email. Most email servers are set to keep trying to deliver the email for an extended period of time before they finally stop and permanently fail the email. Email Protection cannot control the length of time or the frequency at which the sender's email server will continue to attempt to deliver these emails.

However, the Fail Safe feature can store emails in the event that Email Protection cannot deliver emails due to an email server malfunction. Contact your sales representative for more information about Fail Safe.

Question: How does Email Protection affect my MTA?

Answer: Email Protection architecture naturally provides high-level redundancy and disaster recovery by leveraging a secondary MX record set to your internal mail servers. The service is currently configured to deliver your inbound email traffic to the Message Transfer Agent (MTA) servers (a.k.a. inbound servers) on your premises configured in each domain. If you change the addressing in your network for your inbound servers, you must update the configurations in Email Protection.

At any time in Email Protection, you may change the configuration of the IP address of your inbound servers. Be prudent when making changes to your delivery MTA configuration, as any applied modifications will be enabled instantly and affect inbound SMTP routing.

Question: I want to temporarily stop filtering a domain's emails, but I do not want to delete the domain's information. How do I do this?

Answer: You can set the inbound servers for the Domain to be inactive. This action causes all emails received for that domain to be tempfailed. Be aware that email traffic for that domain will still consume bandwidth because it is likely that the sending email servers will reattempt multiple times to send the email until it finally permfails the email as undeliverable. This process matches standard SMTP protocols.

Question: Why is Email Protection refusing connections from my inbound email servers?

Answer: If Email Protection received a minimum of 20 attempted connections from an IP address where more than 60% of the recipients are invalid, it adds the IP address to a temporary global blacklist for 4 hours (by default; the time period is configurable at the system level). After the time period has passed, Email Protection will remove the IP address from the temporary global blacklist and again accept connections from it.

This process helps protect against Dictionary Harvest Attacks, where spammers are attempting all combinations of email addresses to glean valid email addresses for subsequent spamming. It also helps protect against Denial of Service attacks.

This feature and its configurations are controlled at the system level. The above values are the defaults.

Question: The Internet Explorer Content Advisor keeps blocking the Control Console.
How do I prevent that?

Answer: You must disable the Content Advisor feature of Internet Explorer to be able to use the Control Console. Do the following to disable the Content Advisor feature if it is enabled:

1 In the Internet Explorer window, click Tools > Internet Options.
2 In the Internet Options window, click the Content tab.
3 In the Content Advisor area in the Content tab, click the Disable button. If there is an Enable button, but no Disable button, this means that Content Advisor is already disabled. Click the Cancel button until you return to the browser window.
4 Enter the password in the Supervisor Password Required dialog.
5 Click the OK button.
6 Continue clicking the OK button until you return to the Internet Explorer window.
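
The temporary global blacklist rule from the answer about refused connections above (at least 20 attempted connections, more than 60% invalid recipients, listed for 4 hours), written out as an added Python example that is not McAfee's or AT&T's code. The class and function names, the cumulative per-IP counters and the counter restart after a listing expires are assumptions, because the guide does not state the counting window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Defaults quoted in the guide; configurable at the system level.
MIN_ATTEMPTS = 20
INVALID_PCT = 60
BLOCK_FOR = timedelta(hours=4)

@dataclass
class IpState:
    attempts: int = 0
    recipients: int = 0
    invalid: int = 0
    blocked_until: Optional[datetime] = None

class HarvestGuard:
    """Per-IP counters and a temporary blacklist that expires by itself."""

    def __init__(self):
        self.state = {}

    def connect(self, ip, when, rcpt_valid):
        """Record one attempt; rcpt_valid holds one bool per RCPT TO.

        Returns "refused" while the IP is listed, "tripped" for the attempt
        that puts it on the list, otherwise "ok".
        """
        st = self.state.setdefault(ip, IpState())
        if st.blocked_until is not None:
            if when < st.blocked_until:
                return "refused"
            st = self.state[ip] = IpState()  # assumption: counters restart
        st.attempts += 1
        st.recipients += len(rcpt_valid)
        st.invalid += rcpt_valid.count(False)
        # "more than 60%" is strict, so exactly 60% must not trip the rule.
        over = st.invalid * 100 > st.recipients * INVALID_PCT
        if st.attempts >= MIN_ATTEMPTS and over:
            st.blocked_until = when + BLOCK_FOR
            return "tripped"
        return "ok"

def replay(events):
    """Run (when, ip, rcpt_valid) tuples through a fresh guard in time order."""
    guard = HarvestGuard()
    return [(ip, guard.connect(ip, when, rcpts))
            for when, ip, rcpts in sorted(events, key=lambda e: e[0])]

def sample_events():
    """Constructed log, not real traffic; IPs are documentation addresses."""
    t0 = datetime(2013, 2, 1, 9, 0)
    relay, edge = "192.0.2.10", "198.51.100.7"
    events = []
    for i in range(20):
        when = t0 + timedelta(minutes=i)
        events.append((when, relay, [True, False, False]))  # 67% invalid
        events.append((when, edge, [True, True, False, False, False]))  # exactly 60%
    events += [(t0 + timedelta(minutes=30), relay, [True]),           # still listed
               (t0 + timedelta(hours=4, minutes=20), relay, [True])]  # listing expired
    return events
```

Replaying your own relay's per-recipient accept/reject results through `replay` shows whether forwarding to stale addresses would get that relay listed.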

Question: When I click a command in the Control Console, nothing seems to happen.

Answer: If you've set your Web browser to not accept cookies or JavaScript, the Control Console will not work. Cookies are mini-applications that run in your Web browser to communicate with the originator of the cookie through the Internet. The Control Console downloads cookies to your computer to allow it to send and receive data from the Email Protection data center as you perform actions and navigate between the windows.

If you are concerned about security, you can configure your Web browser to allow cookies only for a single session. This means that only while you have that specific instance of your Web browser open, cookies will be accepted. If you close the Web browser and then reopen it, cookies will not be accepted.

Do the following to configure Internet Explorer to accept cookies:

1 In the Internet Explorer window, click Tools > Internet Options.
2 In the Internet Options window, click the Privacy tab.
3 In the Settings area in the Privacy tab, do one of the following:
  A Move the slider to select Medium.
  B Click the Sites button.
4 In the Per Site Privacy Actions window, enter the URL for your Control Console in the Address of Web Site field.
5 Click the Allow button.
6 Click the OK button until you return to your browser.

Do the following to configure Internet Explorer to accept JavaScript:

7 In the Internet Explorer window, click Tools > Internet Options.
8 In the Internet Options window, click the Security tab.
9 In the Security tab, click the Internet (globe) icon and then click the Custom Level button.
10 Confirm that the items under the Scripting section in the list are all set to Enabled.
11 Click the OK button until you return to the browser window.

Tips/Techniques

Change Zip File Attachment Policy

We regularly receive a large zipped file as an email attachment from a trusted source, but it is automatically denied before we see it.
How do we get that file without turning off attachment filtering altogether?

The default settings in Email Protection are to automatically deny emails with zipped files whose content cannot be analyzed or if the file size exceeds certain criteria. If you want to receive such files, but not turn off attachment filtering, you have two options.

Option 1
Modify the Message contains a high risk zip attachment field in the Additional Policies subtab and save the policy change. This method affects emails for all user accounts associated with the policy set.

Option 2
If the attachment filename is always the same or contains the same string (for example, if the filename always contains monthly_report), you can designate a policy specific to that filename. In this case, create a custom filename policy in the Filename Policies subtab.

Caution: This policy would allow any attachment file that contains the designated string in its name to potentially bypass email filtering.

Wrong Email Got Past Filter

What do we do if spam email, virus email, etc., was delivered anyway?

If you or an email recipient in your system has received email that you feel should have been filtered, do the following:

1 Check that the email addresses were not added to an Allow list by either the email recipient or by an Administrator.
2 Check your policy settings in the Control Console to confirm that you have not changed any settings to allow these emails to bypass filtering.
3 If you have determined that Email Protection or your email system was not configured to let these emails bypass filtering, forward the email with all content, header information, and attachments to AT&T.

Service personnel will analyze the email information to refine the filtering engines for subsequent release, and if necessary, post any urgent updates to virus scanners, etc., to support filtering these emails properly.