Configuring Spam Scanning Definitions and Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.Yo2IBgvWqr on Oct 9, 2017.
Version 10

The aim of our defense layer is to reject unwanted spam and malware in protocol. Mimecast's multiple scanning engines examine the content of inbound mail by searching for key phrases and identifiers commonly used by spammers. These scanning checks can use:

  • Content matching rules
  • DNS based filtering
  • Checksum based filtering
  • Statistical filtering

 

However, there are occasions where we cannot determine whether a message is wanted by an end user or not. You can configure spam scanning to examine the content of all inbound mail, and apply different levels of sensitivity and actions.

 

Considerations


Consider the following before configuring a definition or policy:

  • A message with a spam score of 28 or higher is automatically rejected in protocol and logged in the Rejection Viewer. This happens regardless of whether a spam scanning policy is configured.
  • If an email address, domain name, or IP address is added as a permitted sender, the inbound message always bypasses these content based spam checks. Virus scanning still applies.
  • If a DNS Authentication policy applies to a message, but the permitted sender fails the DNS checks (e.g. SPF), the message is still subjected to spam scanning.

 

Configuring a Spam Scanning Definition

 

To configure a Spam Scanning definition:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on the Definitions button. A list of the definition types is displayed.
  5. Click on the Scan Definitions definition type from the list. The list of definitions is displayed.
  6. Click on a Folder in the navigator. A Spam Scanning definition cannot be created in the Root folder.
  7. Either click on the:
    • Policy to be changed.
    • New Message Scan Definition button to create a definition.
  8. Complete the Spam Scanning Sessions section as follows:
    Field / Option | Description
    Description | Enter a description for the definition.
    Spam Detection Level | Specify the level of spam detection to be used by selecting one of the following:
    • Relaxed: Sets the triggering threshold of the spam definitions to 7 points. This setting is recommended for users that receive some junk email.
    • Moderate: Sets the triggering threshold of the spam definitions to 5 points. This setting is recommended for users that are actively targeted by promotional and junk emails.
    • Aggressive: Sets the triggering threshold of the spam definitions to 3 points. This setting is recommended for users who do not want to receive any possible spam or junk emails.
    We recommend starting with a Relaxed level, and adjusting it according to the results and feedback from end users. Moderate and Aggressive Spam Detection levels should be applied to selected groups of users that still receive spam, as opposed to applying Aggressive checks to all internal users. This will help to reduce false positives generated in the held queue.
    Spam Detection Action | Specify the action to be taken if spam is detected, by selecting one of the following:
    • Tag Headers: Doesn't affect the delivery of a message, but inserts a "X-Mimecast-Spam-Signature: yes" tag into the message headers. The tags are analyzed by the Mimecast Security team, and the data is used to augment the scan definitions. Alternatively, a rule can also be configured in Microsoft Outlook to move any messages with the header tag to another folder for review by the end user.
    • Hold for Review: This is the recommended option, as message delivery will be halted in the held queue. The digest can be utilized to inform the user of held messages, at which point they can be released or blocked.
    • Reject to Sender: The message is rejected in protocol, and the content isn't retained by us. If the sender is legitimate, they must re-transmit the message once the spam checks have been bypassed.
    • None: This action supports customers who are applying their own spam filtering upstream, but want to take advantage of our graymail filtering. If this option is selected, no action will be taken on spam messages.
    Enable Graymail Control | Enable this option to allow bulk mail to be treated differently to regular mail. Graymail is typically defined as "mail you want, but just not in your Inbox right now". Examples are subscribed newsletters and marketing mails which are not person-to-person communication. Actions for graymail control are defined using the graymail detection action setting.
    Graymail Detection Action | Enables you to select a different action for graymail control:
    • Same as Spam Detection Action: Bulk mail is treated as per the spam handling configuration options above. This is the default action.
    • Tag Headers as Spam: Adds the following SMTP header to graymail, so they are treated as spam - X-Mimecast-Spam-Signature: yes
    • Tag Headers as Bulk: Adds the following SMTP header to Graymails - X-Mimecast-Bulk-Signature: yes
      With this header enabled, users can define a rule in their email client to take action on graymail. For example, if a folder called "Graymail" is created under the Inbox, a message rule can be configured to automatically move messages into this folder. This removes email noise from the Inbox and allows the user to browse the bulk mail in their own time. End users can prevent mails from being classified as graymail by adding senders to their Managed Senders list using a Mimecast end user application.
    • Hold for Review: Graymail will be placed in a hold queue. The digest email informs the user of messages on hold and allows the graymail to be released or blocked.
    • Reject to Sender: The message is rejected in protocol, and the content is not retained by us. If the sender is legitimate, they must retransmit the message once spam checks are bypassed.
    If a message is classified as both spam and graymail, and both the spam and graymail detection actions can be applied, both actions will trigger. If this is not possible, the more severe action takes priority.
    If you are using an external third-party email marketing service to send marketing emails on behalf of your domain, these emails may be identified as graymail as they pass inbound through the Mimecast Gateway.
  9. Complete the Hold Notification section as follows:
    Field / Option | Description
    Hold Type | Select the applicable audience that held messages should be visible to via a Mimecast end user application:
    • User: Messages held by the policy are available in the user's Personal On Hold view (default setting).
    • Moderator: Moderators can see the held messages in the Moderated On Hold view.
    • Administrator: Only Administrators can view messages triggered by the policy.
    Moderator Group | This field is displayed if the Hold Type field is set to "Moderator" or "User". The field is used to select an appropriate group by selecting the Lookup button.
    Notification Options | Select if any additional notifications should be sent. For any message where the attachment is stripped, the recipient will receive the notification discussed previously:
    • A group of users.
    • Select the relevant checkbox Notify (Internal) Sender or Notify (Internal) Recipient to enable internal senders or recipients to receive a notification for any attachments that match the definition.
    • Select the relevant checkboxes to notify external senders or recipients by using Notify (External) Sender or Notify (External) Recipient.
    • A group of Overseers.
  10. Click on the Save and Exit button.
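
The Tag Headers actions above leave the filing decision to the mail client or a downstream filter. The following is an added example, not Mimecast code: a routing rule that keys on the two header names given on this page. The folder names, the precedence of the spam tag over the bulk tag, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default

SPAM_HEADER = "X-Mimecast-Spam-Signature"   # header name from this page
BULK_HEADER = "X-Mimecast-Bulk-Signature"   # header name from this page


def is_tagged(msg, header):
    """True if any occurrence of the header carries the value 'yes'."""
    # Header names are case-insensitive; get_all() returns every occurrence.
    return any(str(v).strip().lower() == "yes" for v in msg.get_all(header, []))


def route(raw_message, spam_folder="Junk", bulk_folder="Graymail"):
    """Return the folder a tagged message should be filed in."""
    # Parse the message so only real headers are inspected, never body text.
    msg = message_from_string(raw_message, policy=default)
    if is_tagged(msg, SPAM_HEADER):      # assumption: spam tag wins over bulk tag
        return spam_folder
    if is_tagged(msg, BULK_HEADER):
        return bulk_folder
    return "Inbox"


def sample(extra_headers="", body="Hello"):
    """Build a constructed test message (not real traffic)."""
    return ("From: sender@example.com\n"
            "To: user@example.org\n"
            "Subject: constructed sample\n"
            + extra_headers + "\n" + body + "\n")


SPAM = sample("x-mimecast-spam-signature: YES\n")
BULK = sample("X-Mimecast-Bulk-Signature: yes\n")
BOTH = sample("X-Mimecast-Bulk-Signature: yes\nX-Mimecast-Spam-Signature: yes\n")
# The header text appears only in the body here, so the message is untagged.
BODY_ONLY = sample(body="X-Mimecast-Spam-Signature: yes")

if __name__ == "__main__":
    for name, raw in [("SPAM", SPAM), ("BULK", BULK),
                      ("BOTH", BOTH), ("BODY_ONLY", BODY_ONLY)]:
        print(name, "->", route(raw))
```

Matching on parsed headers rather than on a substring of the raw message keeps body text that merely quotes the tag from being filed as spam.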

Configuring a Spam Scanning Policy

 

To configure a Spam Scanning policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on Spam Scanning. A list of policies is displayed.
  5. Either click on the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    Option | Description
    Policy Narrative | Provide a description for the policy to allow you to easily identify it in the future.
    Select Message Scan Definition | Use the Lookup button to select the required Message Scanning definition for the policy.
  7. Complete the Emails From and Emails To sections as required:
    Field / Option | Description
    Addresses Based On | Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section:
      Option | Description
      The Return Address | This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
    Applies From / To | Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
      Option | Description
      Everyone | Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
      Internal Address | Includes only internal organization addresses.
      External Address | Includes only external organization addresses. This option is only available in the "Emails From" section.
      Email Domain | Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
      Address Groups | Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
      Address Attributes | Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
      Individual Email Address | Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Field / Option | Description
    Enable / Disable | Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or back date it. Should the policy's configured date range be reached, it is automatically disabled.
    Set Policy as Perpetual | Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
    Date Range | Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
    Policy Override | Select this to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
    Bi-Directional | If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x) | Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.

 
