Our state-of-the-art email security device runs several checks on incoming email. If it has dropped or quarantined your mail, one of the following checks has failed:
5.1 Reverse DNS
Reverse DNS lookup determines the hostname associated with a given IP address (its PTR record). If an email from somecompany.eu reaches our anti-spam security gateway from source IP address X.X.X.X, the gateway checks that X.X.X.X has a PTR record and that the hostname in that record resolves back to X.X.X.X (forward-confirmed reverse DNS). A missing PTR record, or a PTR hostname that resolves to a different address, is taken as a sign that the email has been spoofed. The PTR hostname does not need to be under somecompany.eu itself: mail sent through a hosted mail provider will legitimately carry the provider's hostname.
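The forward-confirmed reverse DNS check described above, as an added example (not the gateway's own code). The `fcrdns()` function takes its resolver functions as parameters: with the constructed PTR/A tables below it runs offline, and with the default arguments it queries real DNS through the standard library. All IP addresses and hostnames in the tables are made up for the example.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check behind section 5.1.

Added example, not Protime's or the gateway's code. The resolver functions
are parameters so the demo runs offline against constructed records; the
defaults use the system resolver for real lookups.
"""
import ipaddress
import socket


def live_ptr(ip):
    """PTR lookup via the system resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_addresses(host):
    """All A/AAAA answers for a hostname; empty set when it does not resolve."""
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


# Constructed records for the offline demonstration (not real DNS data).
PTR_TABLE = {
    "203.0.113.10": "mail.somecompany.eu",        # PTR and forward lookup agree
    "203.0.113.20": "mail.somecompany.eu",        # PTR names a host that resolves elsewhere
    "203.0.113.40": "smtp.mailprovider.example",  # legitimate sender via a third-party provider
    # 203.0.113.30 deliberately has no PTR record
}
A_TABLE = {
    "mail.somecompany.eu": {"203.0.113.10"},
    "smtp.mailprovider.example": {"203.0.113.40", "2001:db8::40"},
}


def fcrdns(ip, ptr=live_ptr, addresses=live_addresses):
    """Return ("pass", hostname) or ("fail", reason) for the connecting IP."""
    ip = str(ipaddress.ip_address(ip))      # normalise; raises on garbage input
    host = ptr(ip)
    if host is None:
        return "fail", "no PTR record"
    forward = {str(ipaddress.ip_address(a)) for a in addresses(host)}
    if ip not in forward:
        return "fail", f"PTR name {host} does not resolve back to {ip}"
    return "pass", host


def demo(ip):
    """Run the check against the constructed tables instead of real DNS."""
    return fcrdns(ip, PTR_TABLE.get, lambda host: A_TABLE.get(host, set()))


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        print(ip, demo(ip))
```

Note the 203.0.113.40 case: the PTR name belongs to the provider, not to somecompany.eu, and the check still passes, because FCrDNS only requires the PTR and forward records to agree with each other.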
5.2 SPF
The owner of a domain (somecompany.eu) publishes an SPF record in DNS listing all servers authorised to send mail for that domain. When a message arrives, the receiving mail server looks up the SPF record of the domain in the envelope sender (MAIL FROM) address and checks whether the connecting IP address is one of the listed senders. If it is, the message passes SPF and is accepted.
A passing SPF check shows that the sending server is authorised to send for that domain; it says nothing about the content of the message.
There is a difference between:
- SPF softfail
v=spf1 ip4:X.X.X.X ~all
~all means that any server not listed in this SPF record should be treated as a "softfail", i.e. the mail can be allowed through but should be tagged as suspicious.
-> Protime will tag the email with [SPF SOFTFAIL]
-> Protime will put the mail in the user's personal SPAM Quarantine, from which it can be released if wanted
-> Domains which get the tag [SPF SOFTFAIL] cannot be added to a personal whitelist
- SPF Hardfail
The owner of the domain can instead publish the SPF record like this:
v=spf1 ip4:X.X.X.X -all
-all means that any sender not listed in this SPF record should be treated as a "hardfail", i.e. it is unauthorised and mail from it should be rejected or discarded.
-> Protime will tag the email with [SPF FAIL]
-> Protime will put the mail in Quarantine where it can be checked by the IT service desk team
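To make the softfail/hardfail distinction concrete, here is a small SPF evaluator added as an example (not Protime's or the gateway vendor's code). It follows the check_host() outline of RFC 7208 for the ip4, ip6, include and all mechanisms and the four qualifiers; a, mx, exists, ptr and redirect= are not implemented and return permerror. DNS is replaced by a constructed table of TXT records with made-up domains, so it runs offline.

```python
"""Minimal SPF evaluator showing how ~all and -all lead to different results.

Added example, not Protime's or the gateway vendor's code. Only ip4, ip6,
include and all are implemented; the records and domains are constructed.
"""
import ipaddress

# Constructed SPF records. somecompany.eu ends with ~all (softfail),
# othercompany.eu with -all (hardfail) and delegates part of its sending
# to a provider through include:.
TXT_RECORDS = {
    "somecompany.eu": "v=spf1 ip4:203.0.113.10 ~all",
    "othercompany.eu": "v=spf1 ip4:198.51.100.0/24 include:spf.mailprovider.example -all",
    "spf.mailprovider.example": "v=spf1 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    """Stand-in for the TXT query; returns the record or None."""
    return TXT_RECORDS.get(domain.lower())


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate <ip> against <domain>'s SPF record.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                        # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:                   # modifier (exp=, redirect=, ...)
            if term.lower().startswith("redirect="):
                return "permerror"        # not implemented in this example
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            inner = check_host(ip, argument, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):   # RFC 7208 section 5.2
                return "permerror"
            # fail/softfail/neutral inside the include: keep evaluating
        else:
            return "permerror"            # a, mx, exists, ptr not implemented here
    return "neutral"                      # record ran out without an "all" term


if __name__ == "__main__":
    for ip, domain in (("203.0.113.10", "somecompany.eu"), ("203.0.113.99", "somecompany.eu"),
                       ("203.0.113.99", "othercompany.eu"), ("2001:db8::1", "othercompany.eu")):
        print(f"{ip:14s} {domain:18s} -> {check_host(ip, domain)}")
```

The same unlisted address (203.0.113.99) yields "softfail" for somecompany.eu and "fail" for othercompany.eu purely because of the ~all versus -all term; those two results are what the gateway maps to [SPF SOFTFAIL] and [SPF FAIL]. What the gateway does with neutral, none or permerror is not described on this page.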
5.3 DKIM
DKIM (DomainKeys Identified Mail) is an email security standard designed to make sure messages are not altered in transit between the sending and receiving servers. It uses public-key cryptography: the sending server signs the message with a private key as it leaves, and the receiving server fetches the matching public key from the sender domain's DNS (using the selector and domain named in the DKIM-Signature header) to verify who signed the message and that the signed headers and body have not changed in transit. Once the signature verifies against the public key, the message passes DKIM and is considered authentic.
Our mail security gateway flags messages that fail with the error "DKIM: permfail body hash did not verify [final]" (reported for every mail sent by the sender concerned) and tags them [DKIM failed].
This can be caused by several things:
>> The body of the email was modified after it was signed, for example by a relay, mailing list or disclaimer system that adds text on the way, or because the message was re-encoded with different line endings or whitespace than the canonicalisation (c=) in the signature expects. This is the direct cause of a body hash mismatch.
>> The selector (s=) and domain (d=) in the DKIM-Signature header point to the wrong key, or the public key published in the sender's DNS is wrong or was rotated without re-signing. These cause a signature failure rather than a body hash failure, but are reported as DKIM failures in the same way.
>> Someone spoofed the email and signed it without having the correct private key.
>> Other causes are also possible.
In all cases, mail tagged [DKIM failed] is treated as suspect and quarantined.
The sender will have to solve this issue on their side; the receiving gateway cannot repair a broken signature.
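The "body hash did not verify" error above means the bh= tag in the DKIM-Signature header no longer matches the received body. The following added example (not Protime's or the gateway's code) recomputes bh= with the simple and relaxed body canonicalisations of RFC 6376 section 3.4 over a constructed message, then shows that a footer appended by a relay breaks it while whitespace-only changes do not. Only the body hash is checked; verifying the signature itself (b=) would need the public key from DNS and an RSA library and is left out on purpose, so the b= value in the header is a placeholder.

```python
"""Recompute a DKIM body hash (bh=) to see why "body hash did not verify" appears.

Added example, not Protime's or the gateway's code. The message, the
DKIM-Signature header and the relay modifications are constructed.
"""
import base64
import hashlib
import re


def simple_body(body: bytes) -> bytes:
    """Simple canonicalisation: drop empty lines at the end, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """Relaxed canonicalisation: collapse whitespace runs, strip trailing
    whitespace per line, drop trailing empty lines, end with one CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def parse_tags(header_value: str) -> dict:
    """Turn 'k=v; k=v' into a dict, ignoring folding whitespace inside values."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash(body: bytes, tags: dict) -> str:
    """Base64 body hash as the signer computes it from the a=, c= and l= tags."""
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]        # rsa-sha256 -> sha256
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"    # "c=relaxed" means relaxed/simple
    data = relaxed_body(body) if body_canon == "relaxed" else simple_body(body)
    if "l" in tags:                                            # optional body length limit
        data = data[:int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def check_body_hash(dkim_header: str, body: bytes):
    """Return (ok, computed_bh, claimed_bh) for the received body."""
    tags = parse_tags(dkim_header)
    computed = body_hash(body, tags)
    return computed == tags["bh"], computed, tags["bh"]


# Constructed body as it left somecompany.eu ...
ORIGINAL_BODY = (b"Hello,\r\n\r\nPlease find the invoice attached.\r\n\r\n"
                 b"Regards,\r\nAnna\r\n")
# ... and the DKIM-Signature the sender attached (bh= computed here; b= is a
# placeholder, not a real RSA signature).
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=somecompany.eu; s=mail2024;"
             " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, {"c": "relaxed/relaxed"})
             + "; b=placeholder")

# Two things a relay in the middle might do to the body before it reaches us.
WITH_FOOTER = ORIGINAL_BODY + b"\r\n-- \r\nThis message was scanned by relay.example\r\n"
REWRAPPED = ORIGINAL_BODY.replace(b"Hello,\r\n", b"Hello,   \r\n")   # whitespace only

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL_BODY), ("footer added", WITH_FOOTER),
                        ("whitespace changed", REWRAPPED)):
        ok, got, want = check_body_hash(SIGNATURE, body)
        print(f"{label:20s} {'pass' if ok else 'permfail body hash did not verify'}")
```

Under relaxed canonicalisation the trailing-space change still verifies, but the appended disclaimer does not: the receiver has no way to know which bytes were added, so the only fix is on the sending side (sign after the last modification, or stop the relay from changing the body).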
5.4 Anti-Malware - Virusscan
The Anti-Malware System combines Web Reputation Filters, a critical first layer of preventive defence against new outbreaks, with best-of-breed signature-based verdict engines to provide powerful, fully integrated anti-malware defence.
As the second layer of defence, the Anti-Malware System scans message content and attachments against malware and virus signatures, eliminating the broadest range of known and emerging threats. A combination of multiple antivirus engines, including Sophos and McAfee, provides maximum security without compromising scalability.
5.5 AMP (Advanced Malware Protection)
AMP analyzes emails for threats hidden in malicious attachments. It gives advanced protection against spear phishing, ransomware, and other sophisticated attacks.
AMP uses a combination of file reputation and file sandboxing to identify and stop threats.
- File Reputation captures a fingerprint (a cryptographic hash) of each file as it traverses the Email Security gateway and sends it to AMP’s cloud-based intelligence network for a reputation verdict. Files with a malicious verdict are blocked automatically.
- File Sandboxing provides the ability to analyze unknown files that are traversing the Email Security gateway. A highly secure sandbox environment enables AMP to glean precise details about a file’s behavior and to combine that data with detailed human and machine analysis to determine the file’s threat level. This disposition is then fed into AMP’s cloud-based intelligence network and used to dynamically update and expand the AMP cloud data set for enhanced protection.
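The two AMP steps above, as an added example (not Cisco AMP or Protime code): a constructed MIME message is walked, every attachment is hashed with SHA-256 and the digest is looked up in a constructed verdict table standing in for the cloud reputation service. Anything without a verdict goes to sandboxing instead of being delivered; the zip case shows why that step exists, since re-packing a known-bad file changes its hash. The sample files, addresses and verdicts are all made up.

```python
"""Attachment fingerprinting as done by a file-reputation check (section 5.5).

Added example, not Cisco AMP or Protime code. Sample files, addresses and
the verdict table are constructed for the demonstration.
"""
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files: a fake executable and a fake PDF (not real malware).
KNOWN_BAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"fake-dropper"
KNOWN_GOOD = b"%PDF-1.4\n%fake invoice document\n"
# Stand-in for the cloud reputation service: digest -> verdict.
REPUTATION = {sha256_hex(KNOWN_BAD): "malicious", sha256_hex(KNOWN_GOOD): "clean"}


def zipped(name: str, data: bytes) -> bytes:
    """Wrap a file in a zip container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, data)
    return buf.getvalue()


def build_message(attachments) -> bytes:
    """Constructed message carrying (filename, bytes, mime-type) attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@somecompany.eu"      # hypothetical addresses
    msg["To"] = "user@protime.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, data, mime in attachments:
        maintype, subtype = mime.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def disposition(raw: bytes) -> list:
    """Return (filename, sha256, verdict, action) for every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        digest = sha256_hex(part.get_payload(decode=True))
        verdict = REPUTATION.get(digest, "unknown")
        # Known bad is blocked, known clean delivered, anything else sandboxed.
        action = {"malicious": "block", "clean": "deliver"}.get(verdict, "sandbox")
        results.append((part.get_filename(), digest, verdict, action))
    return results


SAMPLE = build_message([
    ("setup.exe", KNOWN_BAD, "application/octet-stream"),
    ("invoice.pdf", KNOWN_GOOD, "application/pdf"),
    ("invoice.zip", zipped("setup.exe", KNOWN_BAD), "application/zip"),
])

if __name__ == "__main__":
    for name, digest, verdict, action in disposition(SAMPLE):
        print(f"{name:12s} {verdict:9s} -> {action}  ({digest[:16]}...)")
```

The hash of invoice.zip is unknown to the table even though it contains the very same bytes as setup.exe, which is why a reputation lookup alone is not enough and unknown files are detonated in the sandbox.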
5.6 Outbreak filters - URL Filtering
Outbreak Filters protect our network from large-scale virus outbreaks and smaller, non-viral attacks, such as phishing scams and malware distribution, as they occur.
Global traffic patterns are used to develop rules that determine if an incoming message is safe or part of an outbreak. Messages that may be part of an outbreak are quarantined until they are determined to be safe based on updated outbreak information or new anti-virus definitions are published by Sophos and McAfee.
Outbreak Filters also analyse a message’s content and search for URL links to detect this type of non-viral attack.
The reputation and category of the links in a message are used, in conjunction with the other spam-identification algorithms, to help identify spam. For example, if a link in a message belongs to a marketing website, the message is more likely to be a marketing message.
5.7 Blackmail (SPAM)
All our incoming mails are scanned by an anti-spam engine. This engine has a very large rule base (thousands of rules) to check mails and give them an overall spam score.
Mails with a score of 50 or more but below 90 get the tag [SUSPECTED SPAM].
Mails with a score of 90 up to 100 get the tag [SPAM].
We cannot check why the overall score is what it is. Nor can we read the current score or get insight on past scores.
5.8 Graymail (SOCIAL/MARKETING/BULK)
Graymail messages are messages that do not fit the definition of spam, for example, newsletters, mailing list subscriptions, social media notifications, and so on. These messages were of use at some point in time, but have subsequently diminished in value to the point where the end user no longer wants to receive them.
The difference between graymail and spam is that the end user intentionally provided an email address at some point (for example, the end user subscribed to a newsletter on an e-commerce website or provided contact details to an organization during a conference) as opposed to spam, messages that the end user did not sign up for.
The graymail engine classifies each graymail into one of the following categories:
- Marketing Email. Advertising messages sent by professional marketing groups, for example, bulletins from Amazon.com with details about their newly launched products.
- Social Network Email. Notification messages from social networks, dating websites, forums, and so on. Examples include alerts from LinkedIn about jobs that you may be interested in, or from CNET forums when a user responds to your post.
- Bulk Email. Advertising messages sent by unrecognized marketing groups, for example, newsletters from TechTarget, a technology media company.
5.9 Suspected Domain
When our colleagues keep receiving "clean" but unwanted messages from the same domain, we classify that domain as SUSPECTED and all mail from it is quarantined.
If you have further questions, please contact your Protime consultant or our helpdesk.