Trend Micro™ Hosted Email Security
Best Practice Guide
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.
Copyright © 2016 Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and TrendLabs are trademarks or registered trademarks of Trend Micro, Incorporated. All other brand and product names may be trademarks or registered trademarks of their respective companies or organizations. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.
Authors: Michael Mortiz, Jefferson Gonzaga
Editorial: Jason Zhang
Released: June 2016
Table of Contents
1 Best Practice Configurations
1.1 Activating a domain
1.2 Adding Approved/Blocked Sender
1.3 HES order of evaluating emails
1.4 Inbound Emails
1.4.1 Enable Valid Recipient check
1.4.2 Make sure default virus policy is set to delete
1.4.3 Add filters to default spam and phish policy
1.4.4 Avoid long and complex regular expression in Keyword Expression
1.5 Outbound Email
1.5.1 Add additional outbound spam and phish policy
1.6 Securing your Environment
1.6.1 Securing your Mail Server
1.6.2 Securing your Users/Clients
1.7 Common Threat preventions
1.7.1 Spoof Emails
1.7.2 Backscatter (or "outscatter") spam and Directory Harvest Attacks (DHA) Emails
1.7.3 Zero day unknown Threats
1.7.4 Ransomware/Macro Virus Emails
2 Product Description
2.1 Mail Flow
2.1.1 Inbound Scanning
2.1.1.1 IP Reputation-Based Filtering at the MTA Connection Level
2.1.1.1.1 Content-Based Filtering at the Message Level
2.1.1.2 General Order of Evaluation
2.1.1.3 Sender Filter Order of Evaluation
2.1.1.4 IP Reputation Order of Evaluation
2.1.1.5 Policy Order of Evaluation
2.1.2 Outbound Scanning
2.2 Message Retention
3 Preparation
3.1 Service Requirements
3.2 Default Hosted Email Security Settings
4 Getting Started
4.1 Registration
4.2 Starting the Activation Process
4.2.1 Adding Office 365 Inbound Connectors
4.2.2 Adding Office 365 Outbound Connectors
4.3 Finalizing Activation
4.3.1 Repointing MX Records (Best Practice)
4.3.2 About MX Records and Hosted Email Security
4.4 Accessing the Administrator Console
4.4.1 Using CLP to Access the Administrator Console
5 Management Console
5.1 Working with the Dashboard
5.1.1 Summary Chart
5.1.2 Volume Chart
5.1.3 Bandwidth Chart
5.1.4 Threats Chart
5.1.5 Threats Details Chart
5.1.6 Advanced Analysis Details Chart
5.1.7 Top Spam Chart
5.1.8 Top Virus Chart
5.1.9 Top Analyzed Advanced Threats
5.2 Configuring a Policy
5.2.1 Managing Policy Rules
5.2.2 Selecting User Accounts for Rules
5.2.3 About Rule Target Criteria
5.2.3.1 Configuring Virus or Malicious Code Criteria
5.2.3.1.1 About Advanced Threat Scan Engine
5.2.3.2 Configuring Spam Criteria
5.2.3.3 Configuring Phish Criteria
5.2.3.4 Configuring Marketing Message Criteria
5.2.3.5 Configuring Social Engineering Attack Criteria
5.2.3.6 Configuring Advanced Criteria
5.2.3.6.1 About Keyword Expressions
5.2.3.6.1.1 Using Keyword Expressions
5.2.3.6.1.2 Adding Keyword Expressions
5.2.3.6.1.3 Editing Keyword Expressions
5.2.3.6.2 Using Attachment Name or Extension Criteria
5.2.3.6.3 Using Attachment MIME Content-type Criteria
5.2.3.6.4 Using Attachment True File Type Criteria
5.2.3.6.5 Using Message Size Criteria
5.2.3.6.6 Using Subject Matches Criteria
5.2.3.6.7 Using Subject is Blank Criteria
5.2.3.6.8 Using Body Matches Criteria
5.2.3.6.9 Using Specified Header Matches Criteria
5.2.3.6.10 Using Attachment Content Matches Keyword Criteria
5.2.3.6.11 Using Attachment Size Criteria
5.2.3.6.12 Using Attachment Number Criteria
5.2.3.6.13 Using Attachment is Password Protected Criteria
5.2.3.6.14 Using the Number of Recipients Criteria
5.2.4 About Rule Actions
5.2.4.1 Specifying Rule Actions
5.2.4.2 "Intercept" Actions
5.2.4.2.1 Using the Delete Action
5.2.4.2.2 Using the Deliver Now Action
5.2.4.2.3 Using the Change Recipient Action
5.2.4.2.4 Using the Quarantine Action
5.2.4.3 "Modify" Actions
5.2.4.3.1 Cleaning Cleanable Viruses
5.2.4.3.2 Deleting Matching Attachments
5.2.4.3.3 Tagging the Subject Line
5.2.4.3.4 Inserting a Stamp
5.2.4.3.4.4 Configuring Stamps
5.2.4.3.5 Rule Tokens/Variables
5.2.4.4 "Monitor" Actions
5.2.4.4.1 About the Send Notification Action
5.2.4.4.1.5 Configuring Send Notification Actions
5.2.4.4.1.6 Deleting Notifications from Rule Actions
5.2.4.4.1.7 Deleting Notifications from Lists of Messages
5.2.4.4.2 Using the Bcc Action
5.2.4.5 "Scan Limitations" Actions
5.2.4.5.1 Rejecting Messages
5.2.4.5.2 Bypassing Messages
5.2.4.6 Encrypting Outbound Messages
5.2.5 Naming and Enabling a Rule
5.3 Configuring Sender Filter
5.3.1 Adding Senders
5.3.2 Editing Senders
5.4 Understanding IP Reputation
5.4.1 About Dynamic IP Reputation Settings
5.4.2 About Standard IP Reputation Settings
5.4.3 About Approved and Blocked IP Addresses
5.4.4 Troubleshooting Issues
5.5 Understanding Advanced Protection
5.5.1 About Transport Layer Security (TLS)
5.5.1.1 Testing TLS
5.5.1.2 Adding TLS Peers
5.5.1.3 Editing TLS Peers
5.5.2 About Sender Policy Framework (SPF)
5.5.2.1 Enabling or Disabling Sender Policy Framework (SPF)
5.5.2.2 Adding an SPF Peer to the Ignored List
5.5.2.3 Editing an SPF Peer in the Ignored List
5.5.2.4 Deleting SPF Peers from Ignored List
5.6 Understanding Quarantine
5.6.1 Querying the Quarantine
5.6.2 About the Quarantine Digest
5.6.2.1 Configuring the Quarantine Digest
5.7 Understanding Mail Tracking
5.7.1 About the Blocked Traffic Tab
5.7.2 About the Accepted Traffic Tab
5.7.3 About the Unresolved Traffic Tab
5.7.4 Social Engineering Attack Log Details
5.8 Understanding Policy Events
5.9 Configuring Administration Settings
5.9.1 Managing Administrator Accounts
5.9.1.1 About Account Management
5.9.1.2 Adding and Configuring an Administrator Account
5.9.1.3 Editing Administrator Account Configuration
5.9.1.4 Deleting Administrator Accounts
5.9.1.5 Changing Administrator Passwords
5.9.1.6 Enabling or Disabling an Administrator Account
5.9.2 Changing End-User Passwords
5.9.3 About End-User Managed Accounts
5.9.3.1 Removing End-User Managed Accounts
5.9.4 About Directory Management
5.9.4.1 Importing User Directories
5.9.4.2 Synchronizing User Directory
5.9.4.3 Verifying User Directories
5.9.5 About Domain Management
5.9.5.1 Adding a Domain
5.9.5.2 Managing Domains
5.9.5.2.1 Enabling Outbound Filtering for a Domain
5.9.6 About Co-Branding
5.9.6.1 Accessing the Co-Branded Administrator Console and End User Quarantine Website
5.9.7 Installing Web Services
5.9.8 Viewing Your Service Level Agreement
Chapter 1
1 Best Practice Configurations
1.1 Activating a domain
When activating a domain in Hosted Email Security, Trend Micro recommends making these changes to your MX record to reduce the chance of a security vulnerability or an interruption of service while repointing your MX record.
See Repointing MX Records (Best Practice)
1.2 Adding Approved/Blocked Sender
• Approved Senders
Email messages from senders added to this list are not subject to IP reputation-based, spam, phish, or marketing message filtering. Hosted Email Security still performs malware and attachment scanning on all messages received and takes the action configured in policy rules after detecting a malware threat or an attachment policy violation. Go to Sender Filter > Approved Senders to display this screen.
• Blocked Senders
Hosted Email Security automatically blocks messages sent from addresses or domains added to the blocked list without subjecting the messages to any scanning. Go to Sender Filter > Blocked Senders to display this screen.
See Configuring Sender Filter
1.3 HES order of evaluating emails
Hosted Email Security follows a certain order when it evaluates each email that passes through its servers.
See General Order of Evaluation
1.4 Inbound Emails
1.4.1 Enable Valid Recipient check
Hosted Email Security uses user directories to help prevent backscatter (or outscatter) spam and Directory Harvest Attacks (DHA). Importing user directories lets Hosted Email Security know legitimate email addresses and domains in your organization.
See Using Directory Management
1.4.2 Make sure default virus policy is set to delete
By default the virus policy is already set to delete, but if it was modified to another action, set it back to delete to avoid any virus entering your system.
1. Log in to the HES management console.
2. Go to Policy and look for the Virus policy.
3. Make sure the action is set to delete.
1.4.3 Add filters to default spam and phish policy
Increase the spam detection level and enable Social Engineering Attack detection, including advanced analysis, to identify threats.
1. Log in to the HES management console.
2. Go to Policy and look for the default spam and phish policy.
3. Click “And message attribute match”.
4. Check all boxes and set Spam check to a higher level. Note that setting the spam check higher might lead to more false positives, but it can also reduce false negatives and avoid letting malicious emails in.
Note: If advanced analysis is enabled, Hosted Email Security performs observation and analysis on samples in a closed environment. Advanced analysis can delay the delivery of messages by 5 to 30 minutes.
1.4.4 Avoid long and complex regular expression in Keyword Expression
Regular expressions, often called regexes, are sets of symbols and syntactic elements used to match patterns of text. HES can use regular expressions (regex) to filter out keywords in the email.
Long and complex regular expressions are more prone to errors and false detections, so it is recommended to split a long and complex keyword expression into several entries.
See About Keyword Expressions
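An added illustration, not part of the original guide, of how one long expression produces false detections that separate entries avoid. It uses Python's re module as a stand-in for the HES keyword engine, whose regex dialect may differ; the expression and the subject lines are constructed.

```python
import re

# One long expression (constructed). Intent: the subject is exactly one of
# three phrases. Because "|" has the lowest precedence, "^" binds only to
# the first alternative and "$" only to the last one.
LONG_EXPRESSION = r"^wire transfer|invoice overdue|account suspended$"

# The same intent split into separate entries, each anchored on its own.
SPLIT_ENTRIES = [
    r"^wire transfer$",
    r"^invoice overdue$",
    r"^account suspended$",
]

# Constructed subject lines.
SUBJECTS = [
    "Wire transfer",
    "Re: invoice overdue reminder process",
    "wire transfer receipts archive",
    "Your account suspended",
    "Lunch on Friday",
]


def match_long(subject):
    """True when the single long expression hits the subject."""
    return re.search(LONG_EXPRESSION, subject, re.IGNORECASE) is not None


def match_split(subject):
    """Return the entries that hit, so a detection can be traced to one entry."""
    return [e for e in SPLIT_ENTRIES if re.search(e, subject, re.IGNORECASE)]


def false_detections(subjects):
    """Subjects the long expression flags although no split entry does."""
    return [s for s in subjects if match_long(s) and not match_split(s)]


if __name__ == "__main__":
    for s in SUBJECTS:
        print(f"{s!r}: long={match_long(s)} split={match_split(s)}")
    print("false detections:", false_detections(SUBJECTS))
```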
1.5 Outbound Email
1.5.1 Add additional outbound spam and phish policy
HES Global Outbound Policy is a default rule in HES to avoid outbound spam and prevent HES outbound servers from being blacklisted by third-party Real-time Blackhole Lists (RBLs). The policy cannot be edited and is activated by default for all domains. The default action for this policy is “do not intercept”, and emails filtered by this policy will be sent to a special server to deliver the emails.
To control your outbound spam and phish emails, it is recommended to create a new outbound spam and phish policy.
1. Log in to the HES management console.
2. Go to Policy and click Add.
3. Change the policy to “outgoing message”.
4. Click Sender and add your domain, then save. Click Next.
5. Select “Message detected as” and tick all boxes. Click Next once done.
6. Select your action and click Next.
7. Input the policy name and click Save.
1.6 Securing your Environment
Trend Micro Hosted Email Security prevents spam from entering your mail servers. However, there might be instances when you will still receive spam even after subscribing to HES. This occurs when the mail server is set to accept mails from another host. As a result, spam goes directly to the mail server without passing through the HES/HES-Inbound Filtering servers. To avoid this, here are the best practices in preventing spam.
1.6.1 Securing your Mail Server
1. Lock down your firewall
Make sure that all unnecessary ports and IP addresses are closed and blocked. Only allow trusted IP addresses, such as the ones from HES.
You may find the HES server IP addresses below: HES IP addresses
2. Install On-premise mail server Anti-Malware
Although most malware and spam are blocked by HES, there are a few instances when malware or spam gets through to your mail server. This may be caused by having unnecessary ports and IP addresses open on your network, or it may not have been detected by the anti-spam/anti-malware patterns of HES at that time. So it is best to have an on-premise scanner to combat this.
3. Only use one MX record for your domain
This MX record should be pointing to HES. This makes sure that all inbound mail is forced to go through HES for filtering before it goes to your mail server. See Repointing MX Records (Best Practice)
4. Disable all open mail relays on your network.
1.6.2 Securing your Users/Clients
1. Do NOT click unknown links
Any links in email or on the internet should not be clicked unless they are from a trusted site.
2. Do NOT subscribe to untrusted newsletters
Unless it is absolutely necessary and you are sure that the site can be trusted.
1.7 Common Threat preventions
1.7.1 Spoof Emails
Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from a legitimate source when it actually was sent from a malicious one. To stop receiving emails from spoofed senders, aside from Securing your Mail Server and Securing your Users/Clients, follow the instructions below:
1. Avoid putting managed email addresses and domains in the Sender Filter Approved Sender or EUQ Approved Sender lists, as doing so will bypass IP reputation checking and Spam/Phish Rule scanning.
Check if the spoofed sender is listed on the Approved Senders List on the HES/HES-Inbound Filtering console. If the spoofed sender is listed, remove the spoofed sender from the Approved Senders List.
If not, check if the end-user is registered to the HES/HES-Inbound Filtering Web EUQ. If the owner of the spoofed address is registered to HES Web EUQ, make sure that the address is also not listed in the Web-EUQ Approved Senders list. To do this, you can:
• Ask the owner of the spoofed email address.
• On the HES/HES-Inbound Filtering console, go to Administration > End-User password and then query the email address.
2. Make sure that the Incoming Spam/Phish Rule is enabled and properly configured. See Configuring Spam Criteria
3. Increase the aggressiveness of the Dynamic IP Reputation Settings.
See Understanding IP Reputation.
4. Create a policy for filtering spoofed emails from the same domain as the recipient.
Warning: Make sure inter-domain emails are not routed to the internet.
a. On your browser, log in to the HES management console
b. Go to Policy > Click Add
c. On This rule will apply to > Select Incoming message
d. Click Recipients > Select addresses > My Domains > Select your domain
e. Click Add > Click Save
f. Click Sender > Select addresses > My Domains > Select your domain
g. Click Add > Click Save
h. Click Next
i. Select Advanced > Select Any Match
j. Select Specified header matches > Click keyword expressions
k. Click Save
Note: Normal spoof emails spoof the recipient domain, and the best practice is that emails from the same domain should not be routed out to the internet. Create a policy to filter emails coming from your own domain.
l. Click Next
m. On Intercept > Select Quarantine
n. Click Next. On Rule Name: Spoofed Email Filtering
o. Select Enable
p. Click Save
5. Enable SPF checking.
SPF is an open standard to prevent sender address forgery. SPF protects the envelope sender address that is used for the delivery of messages. HES enables you to configure SPF to ensure the sender's authenticity. SPF requires the owner of a domain to specify and publish their email sending policy in an SPF record in the domain's DNS zone, for example, which email servers they use to send email from their domain. When an email server receives a message claiming to come from that domain, the receiving server verifies whether the message complies with the domain's stated policy or not. If, for example, the message comes from an unknown server, it can be considered fake. For more information about SPF, refer to About Sender Policy Framework (SPF).
• Create an SPF TXT record for your domain. See http://esupport.trendmicro.com/solution/en-US/1113466.aspx if you are using HES outbound.
• Enable SPF checking in HES. See http://esupport.trendmicro.com/solution/en-US/1113466.aspx
• Create a policy to track emails tagged by HES SPF checking.
1. On your browser, log in to the HES management console
2. Go to Policy > Click Add
3. On This rule will apply to > Select Incoming message
4. Click Recipients > Select addresses > My Domains > Select your domain
5. Click Add > Click Save
6. Click Next
7. On criteria, select Advanced, then check Specified header matches.
8. Click Keyword expressions beside header match.
9. Check all the boxes and click Add.
10. Type a List name (ex. “SPF match”) and under Match select Any specified. Click Add.
11. Add the keyword “X-TM-Received-SPF: SPF result”, then save. Ex. X-TM-Received-SPF: Fail. See Enabling or Disabling Sender Policy Framework (SPF) for SPF results.
12. Click Save.
13. Select the created Keyword, click Add, then save.
14. Click Next.
15. Select the chosen Actions and click Next.
16. Type a Rule Name and save.
1.7.2 Backscatter (or "outscatter") spam and Directory Harvest Attacks (DHA) Emails
Hosted Email Security uses user directories to help prevent backscatter (or outscatter) spam and Directory Harvest Attacks (DHA). Importing user directories lets Hosted Email Security know legitimate email addresses and domains in your organization.
• Enable Directory management to prevent these types of malicious emails. See About Directory Management.
1.7.3 Zero day unknown Threats
• Enable Advance Threat Scan Engine and Perform advanced analysis to identify high risk objects.
Hosted Email Security (HES) now supports Deep Discovery Analyzer as a Service (DDAaas). It is a cloud-based web service that acts as an external analyzer. Enabling this feature will help to detect macro embedded files. It identifies suspicious files, sends them to the sandbox and then takes an action.
To integrate HES with Deep Discovery Analyzer as a Service (DDAaas):
1. Log in to the HES management console.
2. Go to Policy and select Viruses or Malicious Code.
3. Under Specify advanced settings, tick the Enable Advance Threat Scan Engine and Perform advanced analysis to identify high risk objects options.
4. Click Save.
HES can perform advanced analysis on samples in a closed environment to identify suspicious objects that traditional scanning may not detect. When enabled, HES delays the delivery of the messages until the advanced analysis completes, which may take up to 30 minutes.
1.7.4 Ransomware/Macro Virus Emails
Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to restore access to their systems, or to get their data back.
Ransomware can be downloaded by unwitting users who visit malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some ransomware are delivered as attachments to spammed email.
Increase protection from Ransomware threats in HES by following the guide below. See Ransomware protection using Hosted Email Security.
Chapter 2
2 Product Description
Trend Micro™ Hosted Email Security is a no-maintenance solution that delivers continuously updated protection to stop spam, phishing, and malware before they reach your network.
Using Trend Micro Hosted Email Security, mail administrators can set up rules to remove detected viruses and other malware from incoming messages before they reach the corporate network. Administrators can quarantine detected spam and other inappropriate messages. Then, intended message recipients or mail administrators can choose to release or delete the quarantined messages.
2.1 Mail Flow
2.1.1 Inbound Scanning
1. The originating MTA performs a DNS lookup of the MX record for example.com to determine the location of the example.com domain.
The MX record for example.com points to the IP address of the Hosted Email Security MTA instead of the original example.com Inbound Server.
2. The originating MTA routes messages to Hosted Email Security.
3. The Hosted Email Security MTA accepts the connection from the originating mail server.
4. Hosted Email Security performs IP reputation-based filtering at the MTA connection level to decide on an action to take. Actions include the following:
§ Hosted Email Security terminates the connection, rejecting the messages.
§ Hosted Email Security accepts the messages and filters them using content-based policy filtering.
See IP Reputation-Based Filtering at the MTA Connection Level.
5. Hosted Email Security examines the message contents to determine whether the message contains malware such as a virus, or if it is spam, and so on.
See Content-Based Filtering at the Message Level.
6. Assuming that a message is slated for delivery according to the domain policy rules, the Hosted Email Security MTA routes the message to the original example.com Inbound Server.
2.1.1.1 IP Reputation-Based Filtering at the MTA Connection Level
When an originating or upstream MTA attempts to connect to a Hosted Email Security MTA, the Hosted Email Security MTA queries Trend Micro Email Reputation Services (ERS) to determine whether the IP address of the upstream MTA has a "trustworthy" reputation in the database. Based on the upstream MTA's reputation and the selections on the Hosted Email Security IP Reputation Settings screen, Hosted Email Security may terminate the connection, rejecting the messages. This is IP reputation-based filtering at the MTA connection level.
Hosted Email Security terminates upstream MTA connections in the following ways:
§ If the sending IP address is a known source of spam, the IP address of the sending server is marked "untrustworthy" according to the reputation database. Hosted Email Security permanently rejects connection attempts from such IP addresses by responding with a 550 error (a rejection of the requested connection).
§ If the sender’s computer is part of a botnet or is a zombie PC, the IP address can be found in the Email Reputation Services (ERS) dynamic reputation database that identifies spam sources as they emerge and for as long as they are active. Hosted Email Security informs the sending server that Hosted Email Security is temporarily unavailable by responding with a 450 error (a temporary failure of the requested connection). If the sending server is legitimate, it will try again later.
Hosted Email Security performs this filtering prior to receiving the actual message; therefore the content of the message is not yet scanned.
To manually override IP reputation-based filtering at the MTA connection level, add IP addresses to the lists on the Approved and Blocked IP Addresses screen.
2.1.1.1.1 Content-Based Filtering at the Message Level
2.1.1.2 General Order of Evaluation
1. Sender email addresses filtering:
Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.
See Sender Filter Order of Evaluation.
Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.
2. IP reputation-based filtering at the MTA connection level:
Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.
See IP Reputation Order of Evaluation.
Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.
3. Domain-level policy filtering:
Messages will pass each one of the policies for filtering depending on the action on the first triggered policy. See Sender Filter Order of Evaluation.
Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.
Note: Hosted Email Security takes action on email messages that pass Email Reputation and custom approved list filtering using the policy rules configured for content-based filters. For example, Hosted Email Security may quarantine an infected email message from an address in the approved senders list if you have configured content-based filtering to quarantine malware threats.
Tip: Hosted Email Security default rules delete all detected viruses, malicious content, phish, and spam.
2.1.1.3 Sender Filter Order of Evaluation
Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.
Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.
Evaluation is done in the following order:
1. End User Quarantine website Approved Senders lists
2. Administrator console Approved Senders lists
3. End User Quarantine website Blocked Senders lists
4. Administrator console Blocked Senders lists
2.1.1.4 IP Reputation Order of Evaluation
Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.
Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.
The order of evaluation for IP addresses in the lists on the Approved and Blocked IP Addresses screen is based on which list contains the IP address or Classless Inter-Domain Routing (CIDR) block.
Evaluation is done in the following order:
1. The IP Addresses list
a) On the Approved screen
b) On the Blocked screen
2. The Country/Region list
a) On the Approved screen
b) On the Blocked screen
3. The selected standard IP reputation database lists on the IP Reputation Settings screen
4. The adjusted dynamic IP reputation database lists on the IP Reputation Settings screen
An IP address added to the IP Addresses list on the Approved screen will not be blocked even if that IP address is also in a CIDR block listed on the Blocked screen. Furthermore, that IP address will not be blocked even if it is also in the Known Spam Source standard IP reputation database list.
Important:
IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level.
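The first-match order listed above, worked through as an added example (not Trend Micro code and not part of the original guide). The list contents, the geo table used for the Country/Region step, the country codes and the verdict names are all assumptions made for illustration.

```python
"""First-match evaluation of a connecting IP address in the order listed above.

Constructed example: addresses come from documentation ranges, "XA"/"XB" are
placeholder country codes, and the geo table stands in for a real
IP-to-country lookup. Verdict names are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field


def nets(*cidrs):
    """Parse entries such as '192.0.2.10' or '198.51.100.0/24' into networks."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class IpReputationSettings:
    approved_ips: list = field(default_factory=list)      # IP Addresses list, Approved
    blocked_ips: list = field(default_factory=list)       # IP Addresses list, Blocked
    approved_countries: set = field(default_factory=set)  # Country/Region list, Approved
    blocked_countries: set = field(default_factory=set)   # Country/Region list, Blocked
    standard_db: list = field(default_factory=list)       # selected standard reputation lists
    dynamic_db: list = field(default_factory=list)        # dynamic reputation list
    geo: dict = field(default_factory=dict)               # network -> country (assumed lookup)


def country_of(ip, geo):
    """Return the country code whose network contains ip, or None."""
    for net, code in geo.items():
        if ip in net:
            return code
    return None


def evaluate(ip_text, s):
    """Return (verdict, matched_list); evaluation stops at the first list containing the IP."""
    ip = ipaddress.ip_address(ip_text)
    country = country_of(ip, s.geo)

    def listed(networks):
        return any(ip in n for n in networks)

    ordered_checks = [
        ("IP Addresses list (Approved)", listed(s.approved_ips), "accept"),
        ("IP Addresses list (Blocked)", listed(s.blocked_ips), "block"),
        ("Country/Region list (Approved)", country in s.approved_countries, "accept"),
        ("Country/Region list (Blocked)", country in s.blocked_countries, "block"),
        # Known spam source: permanent rejection with a 550 error.
        ("standard IP reputation database", listed(s.standard_db), "reject-550"),
        # Emerging or botnet source: temporary failure with a 450 error.
        ("dynamic IP reputation database", listed(s.dynamic_db), "tempfail-450"),
    ]
    for name, hit, verdict in ordered_checks:
        if hit:
            return verdict, name
    return "accept", "no list matched"  # message goes on to content-based filtering


def sample_settings():
    """Constructed settings that exercise every step of the order."""
    return IpReputationSettings(
        approved_ips=nets("198.51.100.7", "203.0.113.50"),
        blocked_ips=nets("198.51.100.0/24"),
        approved_countries={"XA"},
        blocked_countries={"XB"},
        standard_db=nets("203.0.113.0/26", "192.0.2.64/26"),
        dynamic_db=nets("203.0.113.128/25"),
        geo={
            ipaddress.ip_network("192.0.2.0/25"): "XA",
            ipaddress.ip_network("192.0.2.128/25"): "XB",
        },
    )


if __name__ == "__main__":
    cfg = sample_settings()
    for addr in ["198.51.100.7", "198.51.100.8", "203.0.113.50", "192.0.2.70",
                 "192.0.2.200", "203.0.113.10", "203.0.113.200", "203.0.113.100"]:
        print(addr, evaluate(addr, cfg))
```

Because an Approved entry wins over every later list, each approved address or CIDR block is a standing exception to reputation filtering and is worth reviewing periodically.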
2.1.1.5 Policy Order of Evaluation
Messages sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.
Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.
See About Rule Actions.
Evaluation is done in the following order:
a. "Intercept" actions: Actions in this class intercept the message, preventing it from reaching the original recipient. Intercept actions include deleting the entire message and re-addressing the message.
i. Delete
ii. Deliver Now
iii. Change Recipient
iv. Quarantine
b. "Modify" actions: Actions in this class change the message or its attachments. Modify actions include cleaning cleanable viruses, deleting message attachments, inserting a stamp in the message body, or tagging the subject line.
i. Cleaning Cleanable Viruses
ii. Deleting Matching Attachments
iii. Tagging the Subject Line
iv. Inserting a Stamp
v. Rule Tokens/Variables
c. "Monitor" actions: Actions in this class allow administrators to monitor messaging. Monitor actions include sending a notification message to others or sending a BCC (blind carbon copy) of the message to others.
i. Send Notification Action
ii. Bcc Action
d. "Scan Limitation" actions: Actions in this class allow administrators to reject or bypass scanning messages that exceed Hosted Email Security capabilities.
i. Rejecting Messages
ii. Bypassing Messages
e. "Encrypt Email Message" actions: Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.
2.1.2 Outbound Scanning
1. Mail server of example.com will forward the outbound email to Hosted Email Security.
2. Hosted Email Security servers accept the message and perform message filtering and policy matching on your behalf.
3. Assuming that the message is slated for delivery according to its security policy or validity status, the email will be forwarded to outbound MTAs.
4. Outbound MTAs will then route this email to the mail server of the recipient.
2.2 Message Retention
The following table shows message retention information:
Note: Incoming Message queue is up to 10 days but outgoing queue will only be kept for 1 day.
Chapter 3
3 Preparation
3.1 Service Requirements
Hosted Email Security does not require hardware on your premises. All scanning is hosted off-site at secure Trend Micro network operations centers. To access your web-based Hosted Email Security administrator console, you need a computer with access to the Internet.
The following are required before Hosted Email Security can be activated:
• An existing mail gateway or workgroup SMTP connection
For example:
o A local MTA or mail server
o A cloud-based MTA solution
• Access to domain MX records (DNS mail exchanger host records) for repointing MX records to the Hosted Email Security MTA (Contact your service provider, if necessary, for more information or configuration help.)
3.2 Default Hosted Email Security Settings
To ensure high-quality continuous service and to protect your network from common SMTP attacks such as mail floods and Zip of Death, Hosted Email Security has default settings. You can find the default service system limitations at the link below:
http://esupport.trendmicro.com/solution/en-US/1056545.aspx
Chapter 4
4 Getting Started
4.1 Registration
1. Contact your Trend Micro sales representative for an Activation Code. An Activation Code uses 37 characters, including hyphens, in the following format: XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
2. Go to https://clp.trendmicro.com/FullRegistration?T=TM
The Create Account or Sign In screen for the Trend Micro Customer License Portal appears.
You are asked, "Do you already have an account?"
3. Select the appropriate option from the following:
• If you do not already have a Trend Micro Business account, select No, I am a first time user.
• If you already have a Trend Micro Business account, do the following:
a. Select Yes, I already have a Trend Micro Business account.
b. Click Continue.
The Customer License Portal Sign In appears.
c. Sign in to your Trend Micro Business account.
The Enter Your Key screen appears.
4. Type your Hosted Email Security Activation Code.
Trend Micro sends you an email message with your Customer License Portal sign in information, including your account user name, the console web address, and your Activation Code.
5. Start the Hosted Email Security activation process.
4.2 Starting the Activation Process
1. Log on to the Hosted Email Security administrator console. See Accessing the Administrator Console.
If no domains are active when you log on to the administrator console, you will go directly to the Service Activation screen. Use this screen to activate the domains you want to manage through Hosted Email Security. To manage domains in Hosted Email Security after activation, see the Administrator's Guide.
2. Type the information for your current MTAs or mail servers in the following fields:
• Domain name: Includes everything to the right of the at sign (@) in email addresses managed by the server(s) being activated
• Seat count: Seats correspond to the number of actual email users in the domain
• Inbound server(s)
Note: You can specify up to 30 inbound servers and 30 outbound servers. Use the add and the remove buttons to manage additional entries.
a. IP address or FQDN: Fully qualified domain name (FQDN) is a unique name, which includes both host name and domain name, and resolves to a single IP address.
i. For example: hostmaster1.example.com or mailhost.example.com
ii. Not valid: example.com
b. Port: Port is a number from 0-65535 that an inbound server listens on. These ports vary based on server configuration. Well-known ports for email servers include SMTP at 25, SMTPS at 465, and MSA at 587.
c. Preference: Preference, sometimes referred to as distance, is a value from 1 to 100.
Note: If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server.
• Optionally, select Enable outbound filtering and refer to the following table:
Warning: Enabling outbound filtering without specifying outbound servers will prevent the delivery of any outbound traffic routed through the service.
Steps to Configure Outbound Filtering
Email Solution | Steps
You currently use Office 365 | Select Use Office 365.
You currently use Google Apps | Select Use Google Apps.
You do not use Office 365 or Google Apps | Select Specify IP address(es). Type the IP address(es) of your outbound server(s).
• Send test message to: Optional email address used to confirm email delivery from Hosted Email Security. Manually send test messages from the Domain Management Details screen.
3. Click Add Domain.
If the domain is valid and an MX record for the domain exists, the domain appears in the Domains table at the bottom of the screen.
4. Click Submit.
Trend Micro sends a welcome message to the administrative email address on record confirming that your domain has been added successfully and stating: "This welcome message confirms your domain has been successfully added."
Warning: Do not repoint your MX record until you receive the message confirming that your domain has been added. The administrative email address on record should receive the welcome message, which is that confirmation. If you repoint your MX record before your domain has been successfully added, your email messages may be lost.
5. If you currently use Office 365, you can configure Office 365 connectors to allow email traffic to or from Hosted Email Security MTAs.
See Adding Office 365 Inbound Connectors.
See Adding Office 365 Outbound Connectors.
6. Finalize your activation.
4.2.1 Adding Office 365 Inbound Connectors
Before integrating your Microsoft Office 365 managed domain name with Hosted Email Security, perform all steps recommended by Microsoft to complete configuration of Office 365 email management for your domain.
To configure inbound connectors, ensure that you have the following:
• Office 365 administrator account
• Hosted Email Security administrator account
• Office 365 designation server address
• Hosted Email Security welcome email message for created domain
• Mail domain administrator account privileges
Some organizations use Microsoft Office 365 to remotely host their email architecture, allowing Microsoft to manage the day-to-day aspects of maintaining their email servers. Hosted Email Security integrates with Office 365 to provide additional security and benefits. Configure Office 365 connectors to allow email traffic to and from Hosted Email Security MTAs.
Important:
Consult the Microsoft Office 365 help for information about adding connectors. Some Office 365 plans do not offer connectors. http://technet.microsoft.com/en-us/library/exchange-online-mail-flow.aspx
1. Log on to your Microsoft Office 365 admin center account.
2. In the navigation on the left, go to Service Settings.
3. Under mail flow, click Custom mail rules.
4. In the navigation at the top, go to connectors.
5. Add an Inbound Connector to Office 365.
Configure Office 365 to accept mail filtered by Hosted Email Security for delivery to email accounts in your Office 365 managed domain.
a. Under Inbound Connectors, click the plus icon. A new connector configuration screen appears, displaying the general tab.
b. In the Name field, type a descriptive name for the connector. For example, type Trend Micro Hosted Email Security.
c. Select Enable inbound connector.
d. Under Connector Type, select Partner.
e. Click save.
f. In the navigation on the left, go to security.
g. Under Connection Security, select Opportunistic TLS.
h. Under Domain Restrictions, select None.
i. In the navigation on the left, go to scope.
j. In the Domains field, add your Office 365 managed domain name.
• For example: example.com
• Not valid: hostmaster1.example.com or mailhost.example.com
k. In the IP addresses field, add the following Hosted Email Security IP addresses:
HES IP addresses
l. Click save.
m. Confirm that Enabled is selected for the newly added connector.
4.2.2 Adding Office 365 Outbound Connectors
To configure outbound connectors, ensure that you have the following:
• Office 365 administrator account
• Hosted Email Security administrator account
• Hosted Email Security welcome email message for created domain
Some organizations use Microsoft Office 365 to remotely host their email architecture, allowing Microsoft to manage the day-to-day aspects of maintaining their email servers. Hosted Email Security integrates with Office 365 to provide additional security and benefits. Configure Office 365 connectors to allow email traffic to and from Hosted Email Security MTAs.
Add an Outbound Connector to Office 365. Configure Office 365 to relay outbound mail to Hosted Email Security for filtering and delivery to recipients outside of your Office 365 managed domain.
a. Under Outbound Connectors, click the plus icon. A new connector configuration screen appears, displaying the general tab.
b. In the Name field, type a descriptive name for the connector.
For example, type Trend Micro Hosted Email Security.
c. Select Enable outbound connector.
d. Under Connector Type, select Partner.
e. Click save.
f. In the navigation on the left, go to security.
g. Under Connection Security, select Opportunistic TLS.
h. Under Outbound Delivery, select Route mail through smart hosts.
i. In the Domains field, add the FQDN for your Office 365 managed domain name.
• For example: hostmaster1.example.com or mailhost.example.com
• Not valid: example.com
j. Under Send domains, add the outbound domains that should be applied to this connector.
k. Click save.
l. Confirm that Enabled is selected for the newly added connector.
4.3 Finalizing Activation
To finalize your activation, point your MX record to the Hosted Email Security MTA for your region.
Trend Micro will not activate your domain until the MX record for your domain points to a Hosted Email Security MTA.
Warning: Do not repoint your MX record until you receive the message confirming that your domain has been added. The administrative email address on record should receive the welcome message, which is that confirmation. If you repoint your MX record before your domain has been successfully added, your email messages may be lost.
1. Point your managed domain MX records to the Hosted Email Security MTA for your region.
• For Europe, the Middle East, Africa: in.hes.trendmicro.eu
• For all other regions: in.hes.trendmicro.com
2. If you added Outbound Servers when you added your domain, configure those servers to relay mail through the following Hosted Email Security MTA for your region:
• For Europe, the Middle East, Africa: relay.hes.trendmicro.eu
• For all other regions: relay.hes.trendmicro.com
3. To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages only from the following Hosted Email Security IP address/CIDR blocks:
HES IP addresses
Tip: Use an asterisk (*) to include all outbound domains.
Tip: If your company does not have standardized procedures for pointing MX records, or you would like additional guidance, Trend Micro recommends using the following procedure, which also includes all other steps on this page: See Repointing MX Records (Best Practice).
4.3.1 Repointing MX Records (Best Practice)
When activating a domain in Hosted Email Security, Trend Micro recommends making three step-wise changes to your MX record to reduce the chance of security vulnerability or an interruption of service while repointing your MX record.
Before starting the procedure below, optionally learn about MX records.
See: About MX Records and Hosted Email Security
1. Modify the MX record for your domain. Add a pointer to the Hosted Email Security MTA for your region. Set the preference number to the lowest priority/highest distance of all your MTAs.
Tip:
Preference, sometimes referred to as distance, is a value from 1 to 100. If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server. The higher the preference number, the lower the priority of the MX record.
• For Europe, the Middle East, Africa: in.hes.trendmicro.eu
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 100, mail exchanger = in.hes.trendmicro.eu
• For all other regions: in.hes.trendmicro.com
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 100, mail exchanger = in.hes.trendmicro.com
2. Verify that the status of your domain displays as "Activated" in the administrator console.
Tip: DNS propagation can take up to 48 hours. The status of the domain you are adding does not change until DNS propagation is complete. During this time, do not turn off any on-premises security. You may receive some email messages directly for a short time until the transition completes.
While waiting for DNS propagation, you can use the administrator console to customize the domain settings for Policy, Approved Senders, IP Reputation, and Directory Management in the administrator console. See the Administrator's Guide for more information and procedures.
a. Log on to the administrator console.
See Accessing the Administrator Console.
b. Go to Administration > Domain Management.
c. In the Domains list, verify that the Status for the domain displays as "Activated".
Tip: If the status of a domain displays as "Adding" for more than 48 hours, confirm the MX record for that domain is pointed to a Hosted Email Security MTA. Open a command prompt and type one of the following:
For Linux: dig mx <domain_name>
For Windows: nslookup -q=mx <domain_name>
When domain status displays as "Activated", the service will begin relaying email to your MTA.
3. Modify the MX record for your domain. Set the preference number for the pointer to the Hosted Email Security MTA for your region to the highest priority/lowest distance of all your MTAs.
Tip:
The lower the preference number, the higher the priority of the MX record.
• For Europe, the Middle East, Africa: in.hes.trendmicro.eu
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.eu
• For all other regions: in.hes.trendmicro.com
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.com
4. To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages from all the following Hosted Email Security IP address/CIDR blocks:
HES IP addresses
5. Verify that messages are being delivered from Hosted Email Security. To send a test message using the service, do the following:
a. Log on to the administrator console.
b. Go to Administration > Domain Management.
c. In the Domains list, click the newly-added domain name. The Domain Information screen appears.
d. In the Send test message to field, type an email address to send a test message to using the service.
e. Click Send.
6. Optionally, customize the domain settings for Policy, Approved Senders, IP Reputation, and Directory Management in the administrator console. See the Administrator's Guide for more information and procedures.
7. If you added Outbound Servers when you added your domain, configure those servers to relay mail through the following Hosted Email Security MTA for your region:
• For Europe, the Middle East, Africa: relay.hes.trendmicro.eu
• For all other regions: relay.hes.trendmicro.com
8. Modify the MX record for your domain. Delete all entries in the MX record not related to Hosted Email Security. This reduces the chance of spam being sent directly to your mail server.
• For Europe, the Middle East, Africa: in.hes.trendmicro.eu
<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.eu
• For all other regions: in.hes.trendmicro.com
<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.com
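A check for which step of the repointing procedure above a domain's published MX set corresponds to, as an added example (not Trend Micro code and not part of the original guide). It assumes input in the shape of `dig +short mx <domain_name>` output; the sample answers, the mail.example.com host and the stage names are constructed.

```python
"""Classify a domain's MX set against the staged repointing procedure above.

Input is text shaped like `dig +short mx <domain_name>` output, one
"<preference> <exchanger>." pair per line. Stage names are this example's own.
"""

# Inbound MTA host names given in this guide for the two regions.
HES_INBOUND = {"in.hes.trendmicro.com", "in.hes.trendmicro.eu"}


def parse_mx(text):
    """Return [(preference, exchanger)], exchanger lower-cased without the root dot."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not an MX answer
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return records


def classify(text):
    """Return {'stage': ..., 'bypass_hosts': [...]} for the given MX answers.

    bypass_hosts lists exchangers other than the HES MTA that are still
    published; a sender can deliver to them directly, skipping the filter.
    """
    records = parse_mx(text)
    hes_prefs = [pref for pref, host in records if host in HES_INBOUND]
    others = [(pref, host) for pref, host in records if host not in HES_INBOUND]
    bypass_hosts = sorted(host for _, host in others)

    if not records:
        stage = "no-mx"
    elif not hes_prefs:
        stage = "not-pointed"
    elif not others:
        stage = "step-8-hes-only"
    elif min(hes_prefs) > max(pref for pref, _ in others):
        # Highest preference number = lowest priority: HES only receives
        # mail when the existing MTAs are unreachable.
        stage = "step-1-hes-lowest-priority"
    elif max(hes_prefs) < min(pref for pref, _ in others):
        stage = "step-3-hes-highest-priority"
    else:
        # Equal or interleaved preferences balance delivery, so a share of
        # mail reaches the old MTA without passing through the service.
        stage = "mixed-preferences"
    return {"stage": stage, "bypass_hosts": bypass_hosts}


# Constructed sample answers for a hypothetical domain at each step.
SAMPLES = {
    "before": "20 mail.example.com.\n",
    "step1": "20 mail.example.com.\n100 in.hes.trendmicro.eu.\n",
    "step3": "20 mail.example.com.\n10 in.hes.trendmicro.com.\n",
    "step8": "10 in.hes.trendmicro.com.\n",
    "tie": "10 mail.example.com.\n10 in.hes.trendmicro.com.\n",
}

if __name__ == "__main__":
    for label, answer in SAMPLES.items():
        print(label, classify(answer))
```

A non-empty bypass_hosts after step 8 means the old MX entries were not removed; the firewall rule that accepts mail only from the Hosted Email Security address blocks is what still stops direct delivery in that case.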
4.3.2 About MX Records and Hosted Email Security
Tip: To reduce the chance of a security vulnerability or an interruption of service while repointing your MX record, Trend Micro recommends using the following procedure: Repointing MX Records (Best Practice)
Make sure the MX record is entered exactly as provided in the Hosted Email Security welcome email.
DNS propagation can take up to 48 hours. The status of the domain you are adding does not change until DNS propagation is complete. During this time, do not turn off any on-premise security. You may receive some email messages directly for a short time until the transition completes.
An MX record (DNS mail exchanger host record) determines the message routing for all messages sent to a domain. To route messages destined for your domain through the Hosted Email Security MTA, you must repoint your MX record to the fully qualified domain name (FQDN) provided in the welcome email that Trend Micro sent you after you registered.
To disable Hosted Email Security, point your MX record to route all inbound SMTP traffic to your own mail server.
If you are unsure how to configure the MX records for your domain, contact your Internet Service Provider or your DNS technician.
The following external links to MX record configuration help pages are provided for your convenience:
• GoDaddy
http://support.godaddy.com/help/article/680/managing-dns-for-your-domain-names
• Network Solutions
http://www.networksolutions.com/support/mx-records-mail-servers-2/
• Enom
http://www.enom.com/help/hostinghelp.asp?displaymenu=ok&hosthelp=9
• DreamHost
http://wiki.dreamhost.com/MX_record
• Yahoo! Small Business
http://help.yahoo.com/kb/index?page=content&y=PROD_YSB_DOMAIN&locale=en_US&id=SLN17921
4.4 Accessing the Administrator Console
Access the Hosted Email Security administrator console based on your licensing agreement with Trend Micro. Use one of the following methods:
• Sign in to your Trend Micro Business account using the Customer License Portal (CLP), then access the Hosted Email Security administrator console using the link provided there.
See Using CLP to Access the Administrator Console.
• Log on directly to your administrator console at the following web address for your region:
§ For Europe, the Middle East, Africa: https://tm.hes.trendmicro.eu
§ For all other regions: https://tm.hes.trendmicro.com
• Use one of the following authorized Trend Micro reseller credentials to access the administrator console for your managed accounts:
• For xSP resellers, go to the following web address for your region:
§ For Europe, the Middle East, Africa: https://ui.hes.trendmicro.eu
§ For all other regions: https://ui.hes.trendmicro.com
• For LMP resellers, substitute your Tenant ID for <tenant-id> in the following web address for your region:
§ For Europe, the Middle East, Africa: https://<tenant-id>.hes.trendmicro.eu
§ For all other regions: https://<tenant-id>.hes.trendmicro.com
4.4.1 Using CLP to Access the Administrator Console
Tip: When you register, Trend Micro sends you an email message with your Customer License Portal sign in information, including your account user name, the console web address, and your Activation Code.
1. Go to https://clp.trendmicro.com/FullRegistration?T=TM. The Create Account or Sign In screen for the Trend Micro Customer License Portal appears.
2. Select Yes, I already have a Trend Micro Business account.
3. Click Continue. The Customer License Portal Sign In appears.
4. Sign in to your Trend Micro Business account. The Enter Your Key screen appears.
5. Click Cancel. The My Products/Services screen appears.
6. Click Open Console in the box for Hosted Email Security.
7. The Hosted Email Security administrator console appears in a new tab or window.
Tip: Bookmark the address of the administrator console. Use the bookmark to be taken directly to the Hosted Email Security administrator console after signing in to your Trend Micro Business account.
End users can access the Hosted Email Security End-User Quarantine website for self-management. Share the End User Quarantine User's Guide and the following web address for your region with end users:
For Europe, the Middle East, Africa: https://euq.hes.trendmicro.eu
For all other regions: https://euq.hes.trendmicro.com
5 Management Console
5.1 Working with the Dashboard
The Dashboard displays charts for email traffic relayed through Hosted Email Security.
The following are the navigation tabs on the Dashboard:
To navigate between the charts, click the tabs.
Note: Data collected within the last 2 hours may not be displayed. The time zone of the browser accessing Hosted Email Security is used.
Select the data shown in charts and their corresponding thumbnail charts on the Summary tab of the Dashboard using the following controls and settings:
Table 1. All Charts Control Settings
Domain and direction of traffic | Select a domain and mail traffic direction using the following controls:
Tip: To select all domains, select all my domains from the Managed domain drop-down list.
Time periods | Select a time period at the top of each chart. The following are the definitions of time periods:
Date: The most recent eight (8) days. Days are split into hours from 0:00 to 23:59. Because days start at midnight, charts with a time period of the current day will never show a full 24 hours of data.
Week: The most recent eight (8) weeks. Weeks are the days from Sunday to Saturday. Because weeks start on Sunday, charts with a time period of the current week will never show a full seven (7) days of data.
Month: The most recent two (2) months. Months are days from the first to the last day of the calendar month. Because months start on the first, charts with a time period of the current month will never show the full month of data.
Last 12 months: The data for the last twelve months plus all days of the current month. Always shows more than one year of data.
Note: The specified time period only affects the data shown on the current chart and its corresponding thumbnail chart on the Summary tab. Changing the selection on a chart does not affect other charts.
Important: Click Refresh after selecting a new domain under Managed domain, selecting a new direction in the Direction drop-down list, or making any changes to other selections, such as the time period.
Table 2. Specific Charts
Columns: Chart or Tab, Settings
Volume, Bandwidth, Threats Details, Advanced Analysis Details
  Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period.
Threats
  Select a time period by Date, Week, Month, or Last 12 months to show the total percentage of messages by value for the selected time period.
Top Spam, Top Virus, Top Analyzed Advanced Threats
  Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period.
  Use the Top violators drop-down list to select the number of email addresses that display on the chart.
5.1.1 Summary Chart
The Summary tab of the Dashboard provides an overview of data displayed on all other charts in one location. Click on a thumbnail to go to that chart's corresponding tab.
5.1.2 Volume Chart
The Volume tab of the Dashboard displays the total number of accepted and blocked messages and the total percentage of blocked messages.
Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The following is the specific data displayed:
Table 1. Detected Values on Charts
Columns: Detected Values, For Incoming Mail, For Outgoing Mail
Blocked
  For Incoming Mail: The number of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering.
    Note: This value does not include messages blocked by content-based filtering.
  For Outgoing Mail: The number of messages blocked using Hosted Email Security relay mail service filtering. Possible reasons for blocking include:
    • Recipient address is not resolvable (such as someone@???.com).
    • Spammers forged the mail sender address so the message appears to be coming from the customer domain.
    • The customer's MTA is compromised and is sending spam messages (for example, it is an open relay).
Accepted
  For Incoming Mail: The number of email messages passed by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering
  For Outgoing Mail: The number of messages passed by Hosted Email Security relay mail service filtering
Blocked %
  For Incoming Mail: The percentage of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering
  For Outgoing Mail: The percentage of messages blocked by Hosted Email Security relay mail service filtering
Total
  The total number of email messages processed
5.1.3 Bandwidth Chart
The Bandwidth tab of the Dashboard displays the total size of email messages accepted in KB.
Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts.
The traffic direction does not change the data displayed on charts. The following is the specific data displayed:
Table 1. Detected Values on Charts
Columns: Detected Values, For Incoming Mail, For Outgoing Mail
Not Quarantined
  The total size of email messages that Hosted Email Security did not quarantine
Quarantined
  The total size of email messages that Hosted Email Security quarantined
  Note: By default, no messages are quarantined. To begin using the quarantine, select a quarantine action for one or more policy rules.
Total Size
  The total size of email messages scanned by Hosted Email Security
5.1.4 Threats Chart
The Threats tab of the Dashboard displays the total percentage of messages detected as threats.
Select a time period by Date, Week, Month, or Last 12 months to show the total percentage of messages by value for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The following is the specific data displayed:
Table 1. Detected Values on Charts
Columns: Detected Values, For Incoming Mail, For Outgoing Mail
Blocked
  For Incoming Mail: The number of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering.
    Note: This value does not include messages blocked by content-based filtering.
  For Outgoing Mail: The number of messages blocked using Hosted Email Security relay mail service filtering. Possible reasons for blocking include:
    • Recipient address is not resolvable (such as someone@???.com).
    • Spammers forged the mail sender address so the message appears to be coming from the customer domain.
    • The customer's MTA is compromised and is sending spam messages (for example, it is an open relay).
Virus
  For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat
  For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat
Analyzed Advanced Threats
  For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection and detected as high-risk using advanced analysis
  For Outgoing Mail: Not available
Probable Advanced Threats
  For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis
  For Outgoing Mail: Not available
Ransomware
  For Incoming Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware
  For Outgoing Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware
Phish
  For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats
  For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats
Spam
  For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam
    Note: Hosted Email Security includes messages detected as marketing messages in the "Spam" category.
  For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam
Other
  For Incoming Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)
  For Outgoing Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)
Clean
  For Incoming Mail: The number of email messages that passed IP reputation-based and content-based filtering
  For Outgoing Mail: The number of mail messages that passed Hosted Email Security relay mail service filtering
Total
  The total number of email messages processed
5.1.5 Threats Details Chart
The Threat Details tab of the Dashboard displays the number of messages detected as threats and the total percentage of blocked messages.
For a summary of the total number of email messages scanned by detected category, refer to the table at the bottom of the Threat Details tab. This table is not shown in the thumbnail view on the Summary screen.
Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The following is the specific data displayed:
Table 1. Detected Values on Charts
Columns: Detected Values, For Incoming Mail, For Outgoing Mail
Blocked
  For Incoming Mail: The number of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering.
    Note: This value does not include messages blocked by content-based filtering.
  For Outgoing Mail: The number of messages blocked using Hosted Email Security relay mail service filtering. Possible reasons for blocking include:
    • Recipient address is not resolvable (such as someone@???.com).
    • Spammers forged the mail sender address so the message appears to be coming from the customer domain.
    • The customer's MTA is compromised and is sending spam messages (for example, it is an open relay).
Virus
  For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat
  For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat
Analyzed Advanced Threats
  For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection and detected as high-risk using advanced analysis
  For Outgoing Mail: Not available
Probable Advanced Threats
  For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis
  For Outgoing Mail: Not available
Ransomware
  For Incoming Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware
  For Outgoing Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware
Phish
  For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats
  For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats
Spam
  For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam
    Note: Hosted Email Security includes messages detected as marketing messages in the "Spam" category.
  For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam
Other
  For Incoming Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)
  For Outgoing Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)
Clean
  For Incoming Mail: The number of email messages that passed IP reputation-based and content-based filtering
  For Outgoing Mail: The number of mail messages that passed Hosted Email Security relay mail service filtering
Total
  The total number of email messages processed
5.1.6 Advanced Analysis Details Chart
The Advanced Analysis Details tab of the Dashboard displays the number and level of threats detected by the advanced analysis based on the selected mail traffic direction.
Note: The data on this tab is displayed for incoming mail traffic only.
For a summary of the total number of email messages scanned by detected category, refer to the table at the bottom of the Threat Details tab. This table is not shown in the thumbnail view on the Summary screen.
5.1.7 Top Spam Chart
The Top Spam tab of the Dashboard displays the email addresses that sent or received the most spam messages based on the selected mail traffic direction. Hover over a bar to see details.
Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses that display on the chart.
5.1.8 Top Virus Chart
The Top Virus tab of the Dashboard displays the email addresses that sent or received the most messages containing malware threats based on the selected mail traffic direction. Hover over a bar to see details.
Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses that display on the chart.
5.1.9 Top Analyzed Advanced Threats
The Top Analyzed Advanced Threats tab of the Dashboard displays the email addresses that received the most messages containing advanced threats based on the selected mail traffic direction.
Note: The data on this tab is displayed for incoming mail traffic only.
Hover over a bar to see details.
Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses that display on the chart.
5.2 Configuring a Policy
The Policy screen shows a list of the currently defined rules and their status. From this screen you can add a new rule and edit, copy, or delete existing rules.
The rules are displayed in a table, sorted by the order in which the rules are applied during scanning by Hosted Email Security. You can filter the information by using the drop-down lists at the top.
Table 1. Policy Terminology
Columns: Column, Description
Rules
  Name of the rule.
Action
  Action taken if the rule's criteria are met.
Order
  The sequence of the rules.
Modified
  Timestamp when the rule was last modified.
Last Used
  Timestamp of when the rule was last used. If the rule has not yet been triggered, the value in this column will be "Never".
Status
  Rule is enabled. Rule is disabled.
5.2.1 Managing Policy Rules
Hosted Email Security offers content-based filtering at the message level. Rules are the means by which messaging policies are applied to message traffic in Hosted Email Security. At any time, an administrator can see the rules that apply to their organization, and can make changes to the rules that comprise their policy, rename those rules, and create new rules. Each rule can be disabled if desired without losing its definition, and re-enabled at a later time.
Table 1. Policy Rule Tasks
Columns: Tasks, Steps
Adding Policy Rules
  Tip: Often a new rule will be very similar to one you already have. In that case, it is usually easier to copy the rule and edit it rather than create a new rule from scratch.
  Click Add.
  1. Select the user(s), domain(s), or group(s) that the rule applies to. See Selecting User Accounts for Rules.
  2. Select and configure criteria. See About Rule Target Criteria.
  3. Select and configure actions. See About Rule Actions.
  4. Edit the remaining rule parameters (rule name, whether it is enabled or not, and administrative options). See Naming and Enabling a Rule.
Copying Policy Rules
  In the Rules list, select the rule to copy. Click Copy.
Editing Policy Rules
  In the Rules list, click the name of the rule you want to edit and follow the selection procedures in Adding Policy Rules.
Deleting Policy Rules
  In the Rules list, select the rule or rules to delete. Click Delete.
5.2.2 Selecting User Accounts for Rules
Configuring sender, recipient, and exclusion lists with specific users and groups is done using this screen. Its appearance differs slightly depending on which direction the messages are routed and whether Sender or Recipient addresses are being selected.
1. (For outgoing messages for Recipients and incoming messages for Senders only) Choose one of the following:
   • Anyone to select any email addresses at all.
   • Selected addresses.
2. From the drop-down list, select a means of adding selected addresses.
   • My domains populates a list box below with the available domains.
   • My groups populates a list box below with the available groups.
   • Type address or domain provides a text entry field.
3. (For My Domains or My groups option) Select any desired domains or groups from that display and click Add>. The selected items are copied to the selected list at the right.
4. (For Type address or domain option) Type a specific domain or wildcarded address in the field and click Add>.
5. Click Save when the selected list includes all the user groups, domains, and addresses that you want in it.
5.2.3 About Rule Target Criteria
Rule criteria allow you to specify the conditions that the rule applies to messages scanned by Hosted Email Security.
The available criteria are shown in a list in the center of the screen. Some of these criteria have links to screens where you specify the associated details.
Table 1. Basic Criteria
Columns: Criteria, Filter Based On
No criteria
  All messages
Message contains "viruses or malicious code"
  Detected viruses, worms, and other threats.
Message detected as "Spam"
  Detected spam.
Message detected as "Phish"
  Detected phish.
Message detected as "Marketing message"
  Detected marketing message.
Message detected as "Social engineering attack"
  Detected social engineering attack.
Advanced, "All Match" or "Any Match"
  Note: Select Advanced to display the "Advanced" criteria.
  Specific attribute and content targets. See Configuring Advanced Criteria.
5.2.3.1 Configuring Virus or Malicious Code Criteria
The Message contains "viruses or malicious code" criteria allow you to create rules that take actions on messages that contain viruses, worms, or other malicious code.
1. Select Message contains.
2. Click the viruses or malicious code link on the Rule > Criteria screen.
   The Viruses or Malicious Code screen appears.
3. To perform scanning for less conventional threats, select Enable Advanced Threat Scan Engine. See About Advanced Threat Scan Engine.
   • Select Perform advanced analysis to identify threats, and then select the threat level from the drop-down list, to perform further observation and analysis for threats detected by the Advanced Threat Scan Engine.
   • Select Include macro scanning during advanced analysis to include macro threats during observation and analysis.
   Note: If advanced analysis is enabled, Hosted Email Security performs observation and analysis on samples in a closed environment. Advanced analysis can delay the delivery of messages by 5 to 30 minutes.
   Hosted Email Security logs advanced threats as follows:
   • "Probable Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis
     Tip: Some detected files may be safe. Trend Micro recommends selecting the Quarantine action for suspected threats detected by the Advanced Threat Scan Engine.
   • "Analyzed Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection using advanced analysis
   Note: The Advanced Threat Scan Engine or Social Engineering Attack Protection considers messages as suspected threats according to the security level configured for advanced analysis. That is:
   • If the High security level is configured for advanced analysis, then the action will be applied on all messages that exhibit any suspicious behavior.
   • If the Medium security level is configured for advanced analysis, then the action will be applied on messages that have moderate to high probability of being malicious.
   • If the Low security level is configured for advanced analysis, then the action will be applied only on messages that have high probability of being malicious.
4. Specify at least one of the following detection types.
   Columns: Option, Description
   Cleanable viruses or malicious code
     Apply the rule to messages or attachments that contain cleanable viruses. Cleanable viruses are those that can be safely removed from the contents of the infected file, resulting in an uninfected copy of the original message or attachment.
     Warning: Selecting Cleanable viruses or malicious code as rule criteria, and then selecting a rule action other than Delete or Clean, can result in infected messages or attachments entering your messaging environment. By default, Hosted Email Security is configured with virus rules to appropriately handle threats when it is installed.
   Uncleanables with mass-mailing behavior
     Apply the rule to messages that contain uncleanable viruses, worms, or other threats that cannot be removed from messages or attachments, and that propagate by mass-mailing copies of themselves.
   Uncleanables without mass-mailing behavior
     Select the categories below as desired:
     • Spyware
     • Dialers
     • Hacking tools
     • Password cracking applications
     • Adware
     • Joke programs
     • Remote access tools
     • All others
5.2.3.1.1 About Advanced Threat Scan Engine
The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks. Major features include:
• Detection of zero-day threats
• Detection of embedded exploit code
• Detection rules for known vulnerabilities
• Enhanced parsers for handling file deformities
Important: Because ATSE identifies both known and unknown advanced threats, enabling ATSE may increase the possibility of legitimate files being flagged as malicious.
5.2.3.2 Configuring Spam Criteria
The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.
Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.
1. Select Message detected as.
2. Select "Spam".
3. Choose a baseline spam catch rate.
   • Lowest (most conservative)
   • Low
   • Moderately low
   • Moderately high
   • High
   • Highest (most aggressive)
5.2.3.3 Configuring Phish Criteria
The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.
Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.
1. Select Message detected as.
2. Select "Phish and other suspicious content".
5.2.3.4 Configuring Marketing Message Criteria
Marketing messages are email messages that have commercial or fund-raising content that the user may have requested, but that often do not include an opt-out option.
The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.
Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.
1. Select Message detected as.
2. Select "Marketing message".
3. To omit the IP addresses of specific mail servers from this rule, select Exception list.
   The Marketing Message Exception List screen appears.
   Note: The rule will not apply to marketing messages from IP addresses in this exception list. The list is specific just to the rule being edited.
5.2.3.5 Configuring Social Engineering Attack Criteria
Social Engineering Attack Protection detects suspicious behavior related to social engineering attacks in email messages. For more information about social engineering attack detections, see Social Engineering Attack Log Details.
The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.
Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.
1. Select Message detected as.
2. Select Social engineering attack.
   • Select Perform advanced analysis to identify threats, and then select the threat level from the drop-down list, to perform further observation and analysis for threats detected by Social Engineering Attack Protection.
   Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.
   Hosted Email Security logs advanced threats as follows:
   • "Probable Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis
     Tip: Some detected files may be safe. Trend Micro recommends selecting the Quarantine action for suspected threats detected by Social Engineering Attack Protection.
   • "Analyzed Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection using advanced analysis
   Note: The Advanced Threat Scan Engine or Social Engineering Attack Protection considers messages as suspected threats according to the security level configured for advanced analysis. That is:
   • If the High security level is configured for advanced analysis, then the action will be applied on all messages that exhibit any suspicious behavior.
   • If the Medium security level is configured for advanced analysis, then the action will be applied on messages that have moderate to high probability of being malicious.
   • If the Low security level is configured for advanced analysis, then the action will be applied only on messages that have high probability of being malicious.
5.2.3.6 Configuring Advanced Criteria
On the Criteria screen, select Advanced to display the advanced criteria. Do one of the following:
• Select "All Match" to the right of Advanced to trigger the rule only when all selected "Advanced" criteria are matched.
• Select "Any Match" to the right of Advanced to do the following:
  § Trigger the rule when any selected "Advanced" criteria are matched
  § Display the Attachment is "password protected" and Recipient number criteria in the "Advanced" criteria list
The following tables all contain the same information sorted differently. Use the following sorted tables to find appropriate "Advanced" criteria to filter messages by your desired rule targets:
Table 1. Advanced Criteria Sorted by Display Order
Columns: Rule Targets, Criteria, Filter Based On
Sorted by display order
  Attachment is "name or extension": Attachment name or extension
  Attachment is "MIME content-type": Attachment MIME content-type
  Attachment is "true file type": Attachment true file type
  Message size is >, <= <number> KB, MB: Size
  Subject matches "keyword expressions": Keywords in headers and content
  Subject is "blank": Keywords in headers and content
  Body matches "keyword expressions": Keywords in headers and content
  Specified header matches "keyword expressions": Keywords in headers and content
  Attachment content matches "keyword expressions": Keywords in headers and content
  Attachment size is >, <= <number> B, KB, MB: Attachment size
  Attachment number is >, <= <number>: Number of attachments
  Attachment is "password protected": Zipped, signed, or password-protected attachment
    Note: Select "Any Match" to the right of Advanced to display these criteria.
  Recipient number >, <= <number>: Number of recipients
    Note: Select "Any Match" to the right of Advanced to display these criteria.
Table 2. Advanced Criteria Sorted by Attribute and Content Targets
Columns: Rule Targets, Criteria, Filter Based On
Name and type attributes
  Attachment is "name or extension": Attachment name or extension
  Attachment is "MIME content-type": Attachment MIME content-type
  Attachment is "true file type": Attachment true file type
Size attributes
  Message size is >, <= <number> KB, MB: Size
  Attachment size is >, <= <number> B, KB, MB: Attachment size
Keyword content
  Subject matches "keyword expressions": Keywords in headers and content
  Subject is "blank": Keywords in headers and content
  Body matches "keyword expressions": Keywords in headers and content
  Specified header matches "keyword expressions": Keywords in headers and content
  Attachment content matches "keyword expressions": Keywords in headers and content
Quantity attributes
  Attachment number is >, <= <number>: Number of attachments
  Recipient number >, <= <number>: Number of recipients
    Note: Select "Any Match" to the right of Advanced to display these criteria.
Compressed, signed, or encrypted attributes
  Attachment is "password protected": Zipped, signed, or password-protected attachment
    Note: Select "Any Match" to the right of Advanced to display these criteria.
Table 3. Advanced Criteria Sorted by Message-Only or Attachment-Only Targets
Columns: Rule Targets, Criteria, Filter Based On
Message-only
  Message size is >, <= <number> KB, MB: Size
  Subject matches "keyword expressions": Keywords in headers and content
  Subject is "blank": Keywords in headers and content
  Body matches "keyword expressions": Keywords in headers and content
  Specified header matches "keyword expressions": Keywords in headers and content
  Recipient number >, <= <number>: Number of recipients
    Note: Select "Any Match" to the right of Advanced to display these criteria.
Attachment-only
  Attachment is "name or extension": Attachment name or extension
  Attachment is "MIME content-type": Attachment MIME content-type
  Attachment is "true file type": Attachment true file type
  Attachment content matches "keyword expressions": Keywords in headers and content
  Attachment size is >, <= <number> B, KB, MB: Attachment size
  Attachment number is >, <= <number>: Number of attachments
  Attachment is "password protected": Zipped, signed, or password-protected attachment
    Note: Select "Any Match" to the right of Advanced to display these criteria.
5.2.3.6.1 About Keyword Expressions
Keyword expressions can be:
• Groups of literal text characters
• Patterns, defined using symbols (regular expressions) that describe a range of possible groupings of text
• A mixture of literal text and symbolic patterns
For example, a keyword expression might be a single word, a phrase, or even a substring; or it might be a pattern that defines a more general grouping of text, such as an asterisk used as a wildcard to stand in for any text of one or more characters in length.
Regular expressions, often called regexes, are sets of symbols and syntactic elements used to match patterns of text. The symbols stand in for character patterns or define how the expression is to be evaluated. Using regular expressions is a sophisticated way to search for complex character patterns in large blocks of text. For example, suppose you want to search for the occurrence of an email address, any email address, in a block of text. You can build a regular expression that will match any pattern of text that has any valid name string, followed by an @ character, followed by any valid domain name string, followed by a period, followed by any valid domain suffix string.
Hosted Email Security uses a subset of POSIX regular expression syntax. For a few simple examples, see Regular Expression Examples.
Tip: If your expression includes the characters \ | ( ) { } [ ] . ^ $ * + or ?, you must escape them by using a \ immediately before the character. Otherwise, they will be assumed to be regular expression operators rather than literal characters.
This help system contains a brief summary of common regex elements, but a thorough guide to regular expression syntax is beyond the scope of this help system. However, there are many sources of reference information available on the Web or in books.
5.2.3.6.1.1 Using Keyword Expressions
You can select existing keyword expressions from the list of those available. New keyword expressions can be defined and saved, either from scratch or by copying and editing an existing expression.
1. Select an existing keyword expression from the Available field.
2. Click the move button (Add>) to move the selected keyword expression to the Selected field.
   Note: You can also add, edit, copy, or delete keyword expressions.
3. Repeat until you have moved all the keyword expressions you want to apply.
5.2.3.6.1.2 Adding Keyword Expressions
New keyword expressions can be defined and saved, and then applied to a rule.
1. Click Add.
2. Type a name for the list.
3. Select Match criteria:
   • Select Any specified to match keywords based on a logical OR.
   • Select All specified to match keywords based on a logical AND.
   • Select Not the specified to apply the rule to messages that do not contain the keywords.
4. Click on individual keyword expressions in the list below to edit them.
5. Repeat until you have added your keyword expressions to the list.
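The escaping rule from the tip in About Keyword Expressions and the Any specified / All specified / Not the specified match criteria above, as an added example that is not Trend Micro's code. It uses Python's re module as a stand-in for the POSIX subset Hosted Email Security uses and assumes that Not the specified means none of the expressions match; escape_literal, list_matches, compare, and the sample texts are constructed for illustration.

```python
import re

# Characters the tip in "About Keyword Expressions" says must be escaped.
SPECIAL = set("\\|(){}[].^$*+?")


def escape_literal(text: str) -> str:
    """Prefix every regex operator with a backslash so it matches literally."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in text)


def list_matches(expressions, mode: str, text: str) -> bool:
    """Evaluate a keyword expression list against a block of text.

    mode mirrors the Match criteria: "any" (logical OR), "all" (logical AND),
    "not" (assumed here to mean that none of the expressions match).
    """
    hits = [re.search(expr, text) is not None for expr in expressions]
    if mode == "any":
        return any(hits)
    if mode == "all":
        return all(hits)
    if mode == "not":
        return not any(hits)
    raise ValueError(f"unknown match mode: {mode}")


def compare(keyword: str, text: str) -> dict:
    """Report whether a keyword matches when used unescaped versus escaped."""
    try:
        unescaped = re.search(keyword, text) is not None
    except re.error:
        unescaped = None  # the unescaped keyword is not a valid expression
    escaped = re.search(escape_literal(keyword), text) is not None
    return {"unescaped": unescaped, "escaped": escaped}


# Constructed sample message bodies.
WIRE = "Please wire $5,000 to account 1.2.3 today"
NOISE = "Build 1x2y3 finished"

if __name__ == "__main__":
    # "$" is an end-of-text anchor, so the unescaped keyword never matches.
    print(compare("$5,000", WIRE))
    # "." matches any character, so the unescaped keyword matches unrelated text.
    print(compare("1.2.3", NOISE))
    # An unbalanced "(" is rejected outright unless it is escaped.
    print(compare("wire (urgent", "wire (urgent"))
    rules = [escape_literal("$5,000"), "wire"]
    for mode in ("any", "all", "not"):
        print(mode, list_matches(rules, mode, WIRE), list_matches(rules, mode, NOISE))
```

An unescaped operator can fail in both directions: the rule silently never fires, or it fires on unrelated text.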
5.2.3.6.1.3 Editing Keyword Expressions
Existing keyword expressions can be modified, or can be copied with a new name.
1. Click Edit.
2. Edit the Match criteria if desired:
   • Select Any specified to match keywords based on a logical OR.
   • Select All specified to match keywords based on a logical AND.
   • Select Not the specified to apply the rule to messages that do not contain the keywords.
3. Click on individual keyword expressions in the list below to edit them.
5.2.3.6.2 Using Attachment Name or Extension Criteria
The Attachment is "name or extension" criteria allow you to create rules that take actions on messages based on the name or the extension of attachments a message contains.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select the Attachment is "name or extension" criteria.
3. Click the "name or extension" link.
   The Attachment Names screen appears.
4. From the drop-down list, select either Selected attachment names or Not the selected attachment names.
5. If you want to block attachment names by file extension:
   a. Select File extensions to block (recommended) and/or File extensions to block (commonly exchanged).
      Note: The "recommended" category contains file types that commonly act as containers for malware and are not types that are normally exchanged via email in an organization. This list includes extensions such as COM, DLL, and EXE. The commonly exchanged category includes file types that are commonly sent between members of an organization. The latter list includes the DOC extension used by Microsoft Word documents. These files are often used to propagate VB macro viruses, but they are also commonly exchanged within organizations.
   b. Click the open arrow buttons to drop down the lists of standard file extensions.
   c. Select the file extensions for Hosted Email Security to trigger on for this rule.
   d. Click the close arrow button to collapse the list.
6. If you want to block attachments with your own specified names or extensions:
   a. Select Attachments named.
   b. Type an extension to block or use an asterisk (*) as a substitute for any part of a filename.
      Tip: The following examples are valid:
      • doc or *.doc
      • docx or *.docx
      • doc* or *.doc*
      • LOVE-LETTER-FOR-YOU.TXT.vbs
      • LOVE-LETTER*.vbs
   c. Click Add. The filename is added to the list just below.
      Tip: If there are any names in the list that you want to delete, select them and click Delete.
5.2.3.6.3 Using Attachment MIME Content-type Criteria
The Attachment is "MIME content-type" criteria allow you to create rules that take actions on messages based on the MIME content-type of attachments a message contains.
Note: Where the Attachment is "MIME content-type" criteria makes decisions based on the MIME content-type indicated, the Attachment is "true file type" criteria scans the headers of the actual attached files themselves for the identifying signatures.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select the Attachment is "MIME content-type" criteria.
3. Click the "MIME content-type" link.
   The Attachment MIME screen appears.
4. From the drop-down list, select either Selected attachment names or Not the selected attachment names.
5. Select the MIME types for Hosted Email Security to match on.
6. If you want to block attachments by explicit MIME content-types:
   a. Select Other MIME content-type.
   b. Type the names of the MIME content-types to block.
      Tip: The following examples are valid:
      • 3dm or *.3dm
      • 3dmf or *.3dmf
      Tip: If there are any names in the list that you want to delete, select them and click Delete.
5.2.3.6.4 Using Attachment True File Type Criteria
The Attachment is "true file type" criteria allows you to create rules that take actions on messages based on the true file type of attachments a message contains.
Note: Where the Attachment is "name or extension" criteria makes decisions based on just filenames and/or extensions, the Attachment is "true file type" criteria scans the headers of the files themselves for the identifying signatures.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select the Attachment is "true file type" criteria.
3. Click the "true file type" link.
   The Attachment True File Type screen appears.
4. From the drop-down list, select selected attachment types or Not the selected attachment types.
5. Select the true file types for Hosted Email Security to match on.
Note: The Compressed file type of other includes only the following file types: ar, arc, amg, lzw, cab, lha, pklite, diet, lzh, and lz.
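The following added example (not Trend Micro code) contrasts the three attachment criteria described above on constructed sample attachments: a renamed executable passes a name rule and a MIME content-type rule but is caught by a true-file-type check. The signature table, the sample data, and the assumption that an entry without a dot such as `doc` is read as `*.doc` are illustrative only; the product's actual matching logic is not documented on this page.

```python
import fnmatch

# Constructed subset of file signatures ("magic numbers"), for illustration only.
SIGNATURES = [
    (b"MZ", "exe"),                                   # DOS/Windows executable
    (b"PK\x03\x04", "zip"),                           # ZIP container
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy Office container
]


def true_file_type(data):
    """Identify a file from its leading bytes, ignoring its name."""
    for signature, kind in SIGNATURES:
        if data.startswith(signature):
            return kind
    return "unknown"


def normalize_pattern(pattern):
    """Assumption: an entry without a dot ('doc', 'doc*') means '*.doc', '*.doc*'."""
    pattern = pattern.lower()
    return pattern if "." in pattern else "*." + pattern


def name_matches(filename, patterns):
    """Case-insensitive wildcard match of a filename against the rule's entries."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, normalize_pattern(p)) for p in patterns)


def evaluate(attachment, name_patterns, blocked_mime, blocked_true_types):
    """Return which of the three criteria would trigger for one attachment."""
    return {
        "name_or_extension": name_matches(attachment["filename"], name_patterns),
        "mime_content_type": attachment["content_type"].lower() in blocked_mime,
        "true_file_type": true_file_type(attachment["data"]) in blocked_true_types,
    }


# Rule settings (constructed): entries in the style of the Tip above.
NAME_PATTERNS = ["exe", "doc*", "LOVE-LETTER*.vbs"]
BLOCKED_MIME = {"application/x-msdownload"}
BLOCKED_TRUE_TYPES = {"exe"}

# Constructed sample attachments; 'data' holds only the first bytes of each file.
SAMPLES = [
    {"filename": "setup.exe", "content_type": "application/x-msdownload",
     "data": b"MZ\x90\x00"},
    # Executable content sent under a harmless name and declared type.
    {"filename": "invoice.pdf", "content_type": "application/pdf",
     "data": b"MZ\x90\x00"},
    {"filename": "LOVE-LETTER-FOR-YOU.TXT.vbs", "content_type": "text/plain",
     "data": b"rem constructed sample\r\n"},
    {"filename": "report.DOCX", "content_type": "application/octet-stream",
     "data": b"PK\x03\x04"},
]


def triage(samples=SAMPLES):
    """Evaluate every sample and return {filename: verdicts}."""
    return {
        s["filename"]: evaluate(s, NAME_PATTERNS, BLOCKED_MIME, BLOCKED_TRUE_TYPES)
        for s in samples
    }


if __name__ == "__main__":
    for filename, verdicts in triage().items():
        print(filename, verdicts)
```

The sender controls both the filename and the declared content-type, so rules built on them are best paired with a true-file-type rule for the types you never want delivered.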
5.2.3.6.5 Using Message Size Criteria
1. On the Criteria page, select Advanced to display the advanced criteria.
2. Select Message size is in the criteria list.
3. Select > or <= from the comparison drop-down list.
   • Select > to apply the rule to messages that are larger than the specified size.
   • Select <= to apply the rule to messages that are smaller than or equal to the specified size.
   For example, <= 10 MB applies the rule to all messages that are smaller than or equal to 10 megabytes.
4. Type a number for the size.
5. Select a unit of measurement from the following choices:
   • KB: Kilobytes
   • MB: Megabytes
Note: The Message size is a criteria applied to the total size of a message, including any attachments it might contain.
For example, if a message contained two attachments, one a 3 MB attachment and the other a 1 MB attachment, a rule that deletes messages over 2 MB would delete the entire message, including both attachments.
5.2.3.6.6 Using Subject Matches Criteria
Hosted Email Security can scan the message subject for keyword expressions.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select Subject matches "keyword expressions".
3. Click the "keyword expressions" link.
4. Configure keywords.

5.2.3.6.7 Using Subject is Blank Criteria
Hosted Email Security can scan the message for a blank subject line.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select Subject is "blank".

5.2.3.6.8 Using Body Matches Criteria
Hosted Email Security can scan the message body for keyword expressions.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select Body matches.
3. Click the "keyword expressions" link.
4. Configure keywords.

5.2.3.6.9 Using Specified Header Matches Criteria
Hosted Email Security can scan the message headers for keyword expressions.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select Specified header matches.
3. Click the "keyword expressions" link.
4. Configure keywords.

5.2.3.6.10 Using Attachment Content Matches Keyword Criteria
The Attachment content matches "keyword expressions" criteria allows you to create rules that take actions on messages based on keyword expressions contained in a message.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select the Attachment content matches "keyword expressions" criteria.
3. Click the "keyword expressions" link. The Attachment Content Keyword Expressions screen appears.
4. Configure the keywords.
5.2.3.6.11 Using Attachment Size Criteria
The Attachment size is criteria allows you to create rules that take actions on messages based on the size of any attachments to the message.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select the Attachment size is criteria.
3. Select > or <= from the comparison drop-down list.
   • Select > to apply the rule to attachments that are larger than the specified size.
   • Select <= to apply the rule to attachments that are smaller than or equal to the specified size.
   For example, <= 10 MB applies the rule to all messages that are equal to or smaller than 10 megabytes.
4. Type a value for the size.
5. Select a unit of measurement from the following choices:
   • B: Bytes
   • KB: Kilobytes
   • MB: Megabytes
Note: The Attachment size is criteria is applied to the total size of each attachment.
For example, if a message contained two attachments, one a 3 MB attachment and the other a 1 MB attachment, a rule that deletes attachments over 2 MB would delete only the 3 MB attachment. The other attachment would not be deleted.
5.2.3.6.12 Using Attachment Number Criteria
The Attachment number is criteria allows you to create rules that take actions on messages based on the number of attachments the message contains.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select the Attachment number is criteria.
3. Select > or <= from the comparison drop-down list.
   • Select > to apply the rule to messages that are sent with more than the specified number of attachments.
   • Select <= to apply the rule to messages that have the same number or fewer than the specified number of attachments.
   For example:
   > 10 applies the rule to all messages that have more than 10 recipients.
   <= 10 applies the rule to all messages that have 10 or fewer recipients.
4. Type the number of attachments to evaluate.
5.2.3.6.13 Using Attachment is Password Protected Criteria
Hosted Email Security can scan the message for a zipped, signed, or password-protected attachment.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select "Any Match".
   The Attachment is "password protected" and Recipient number criteria become available.
3. Select Attachment is "password protected".

5.2.3.6.14 Using the Number of Recipients Criteria
The Recipient Number criteria allows you to create rules that take actions on messages based on the number of recipients the message is addressed to.
1. On the Criteria screen, select Advanced to display the advanced criteria.
2. Select "Any Match". The Attachment is "password protected" and Recipient number criteria become available.
3. Select Recipient number.
4. Select > or <= from the comparison drop-down list.
   • Select > to apply the rule to messages that are sent to more than the specified number of recipients.
   • Select <= to apply the rule to messages that have the same number or fewer than the specified number of recipients.
   For example:
   > 10 applies the rule to all messages that have more than 10 recipients.
   <= 10 applies the rule to all messages that have 10 or fewer recipients.
5. Type a value for the number of recipients.
5.2.4 About Rule Actions
Rule actions allow you to specify what happens to messages that satisfy the conditions of the rule's criteria. Actions fall into these classes:
• "Intercept" actions: Actions in this class intercept the message, preventing it from reaching the original recipient. Intercept actions include deleting the entire message and re-addressing the message.
• "Modify" actions: Actions in this class change the message or its attachments. Modify actions include cleaning cleanable viruses, deleting message attachments, inserting a stamp in the message body, or tagging the subject line.
• "Monitor" actions: Actions in this class allow administrators to monitor messaging. Monitor actions include sending a notification message to others or sending a BCC (blind carbon copy) of the message to others.
• "Scan Limitation" actions: Actions in this class allow administrators to reject or bypass scanning messages that exceed Hosted Email Security capabilities.
• "Encrypt Email Message" actions: Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.
  Note: This action only applies to outbound rules.
Each rule can contain:
• One and only one intercept action, and
• Any combination of modify or monitor actions
5.2.4.1 Specifying Rule Actions
• To add actions to a rule definition, select the desired action.
• To specify details of an action (where required), select the drop-down list, text field, or link that provides more detail for the rule.
For example, if the quarantine action is desired, you need to select which quarantine to send messages to when they trigger this rule. You also might want to create a new quarantine based on an existing one. You can click Edit there to begin that process.
5.2.4.2 "Intercept" Actions
"Intercept" actions prevent a message from being delivered to the mailbox of the original recipient. Instead, the message is deleted, quarantined, or sent to a different recipient. "Intercept" actions are "terminal" actions. Once a terminal action executes, processing of that rule stops and no further action takes place for that rule. Terminal actions execute following a strict priority order:
1. Delete the entire message.
2. Deliver the message now.
   Warning: The Deliver now action is not recommended for use as the only action. If you choose Deliver now as the only action for Spam mail, for example, all of that mail will simply be delivered to your recipients, as if there were no spam filter in place. If you use Deliver now with a virus rule, ensure that you also have a Delete action for the virus rule. Only the Delete action takes higher priority than Deliver now and so would be processed before it (and then terminates the processing of that rule). If you chose Deliver now as the only action for a virus rule, mail containing viruses would leak through unblocked.
3. Quarantine the message.
4. Re-address to another email recipient.
5.2.4.2.1 Using the Delete Action
This action deletes the message and all attachments. The message is recorded as deleted in the Hosted Email Security logs, but once deleted, the message cannot be recovered. It is one of the "intercept" category of actions.
To configure a rule action to delete a message:
Select the Delete entire message action from the "Intercept" section.

5.2.4.2.2 Using the Deliver Now Action
Use the Deliver Now action to deliver email immediately. When this action takes effect, Hosted Email Security delivers the email without executing any more rules for the affected email.
All rules are auto-ordered for security and execution efficiency. Administrators are relieved of determining the order of rule execution. The Deliver Now action bypasses the automatic order of execution so that Hosted Email Security can deliver the email immediately.
Warning: The Deliver now action is not recommended for use as the only action. If you choose Deliver now as the only action for Spam mail, for example, all of that mail will simply be delivered to your recipients, as if there were no spam filter in place. If you use Deliver now with a virus rule, ensure that you also have a Delete action for the virus rule. Only the Delete action takes higher priority than Deliver now and so would be processed before it (and then terminates the processing of that rule). If you chose Deliver now as the only action for a virus rule, mail containing viruses would leak through unblocked.
1. Select the Deliver Now action from the "Intercept" section.
2. Click Next if you are creating a new rule, or Save if you are editing an existing rule.
3. Click OK on the Deliver now warning message that appears. The message closes.
4. If creating a new rule, type a name for the rule in the Rule Name field.
5.2.4.2.3 Using the Change Recipient Action
The Change Recipient action intercepts messages and sends them to a new recipient. This means that the original message recipient will not receive a copy of the message. It is one of the "intercept" class of actions. You can only select a recipient address that is in your domain.
Note: The Change Recipient action changes the recipient address in the message header. The message will be routed to the new address and the original recipient will not receive the message. The new recipient, however, will see the original recipient's address in the message header. To have a copy of the message sent to a different address while allowing the original message to go to the original recipient, select the BCC action.
Warning: Redirected messages may contain viruses or malicious code. Trend Micro recommends against redirecting messages to external addresses unless you have configured an outbound virus policy.
1. From the "Intercept" section of the Action page, select the Change Recipient action.
2. Type the email address of the recipient in the field. If you have more than one email address, enter them in the field separated by commas or semicolons.
5.2.4.2.4 Using the Quarantine Action
Quarantined items are now stored in a directory structure created by Hosted Email Security. This structure allows for increased performance when the service is saving items into quarantines or when users view them through the End User Quarantine website. Quarantined messages are indexed in the Hosted Email Security database to provide you with queries and improved search tools.
1. In the "Intercept" section of the Rule Action screen, select the Quarantine action.
2. Select a quarantine area from the drop-down list, or click Edit to create a new quarantine area.
5.2.4.3 "Modify" Actions
"Modify" actions change the message or its attachments. The original sender will still receive the modified message, assuming that the message does not trigger other rules with "Intercept" actions.

5.2.4.3.1 Cleaning Cleanable Viruses
This action will clean cleanable viruses (or other configured threats) contained in message attachments. If the threat cannot be cleaned, the message attachment that contains it will be deleted. Clean cleanable Viruses is one of the "Modify" class of actions.
Important: The Clean cleanable viruses, delete those that cannot be cleaned action is only available in policies with the target criteria of Message contains "viruses or malicious code". If the Clean cleanable viruses, delete those that cannot be cleaned action is used in the rule, and a message contains an uncleanable virus, the attachment will be deleted. The Delete matching attachments and Clean cleanable viruses, delete those that cannot be cleaned actions cannot be used in the same rule.
To configure a rule action to clean virus-infected attachments:
From the "Modify" section of the Action page, select the Clean cleanable viruses, delete those that cannot be cleaned action.
5.2.4.3.2 Deleting Matching Attachments
This action deletes any attachments that match the rule criteria. It is one of the "Modify" category of actions.
Important: The Delete matching attachments and Clean cleanable viruses, delete those that cannot be cleaned actions cannot be used in the same rule.
The Delete matching attachments action is invoked only when one or more of the following criteria trigger a rule:
• Message contains "viruses or malicious code"
• Attachment is "name or extension"
• Attachment is "MIME content-type"
• Attachment is "true file type"
• Attachment is "password protected"
• Attachment size is
• Attachment content matches "keyword expressions"
For example, a "spam" rule with an action of Delete matching attachments does not delete any attachments if the only target criteria is Message contains "Spam". Add criteria from the list above to use the Delete matching attachments action.
To configure a rule action to delete attachments that match a criteria:
Select Delete matching attachments from the "Modify" section.
5.2.4.3.3 Tagging the Subject Line
The Tag Subject action inserts configurable text into the message subject line. It is one of the "Modify" class of actions.
1. Select the Tag Subject action.
2. Click the tag link. The Tag Subject screen appears.
3. Type a tag in the Tag field.
4. Optionally select Do not tag digitally signed messages.
Note: Hosted Email Security recognizes messages signed using the S/MIME standard.

5.2.4.3.4 Inserting a Stamp
The Insert stamp in body action inserts a block of text into the message body. The stamps are maintained as named objects in the database and are selected from a list. The stamp definitions contain the text of the stamp (which can contain Hosted Email Security tokens/variables), whether they are to be inserted at the beginning or the end of the message body, and whether or not to avoid stamping TNEF and digitally signed messages to prevent breakage. Hosted Email Security recognizes messages signed using the S/MIME standard.
1. Select Insert stamp in body.
2. Select from the drop-down list of available stamps.
3. To configure stamps in the list, click Edit.
   See Configuring Stamps.
5.2.4.3.4.4 Configuring Stamps
You can edit or add a new message stamp. Stamps are inserted into messages when they trigger the rule. Typically they contain some standard confidentiality statement or a similar block of text. Rule Tokens/Variables (for example, the name of an attached file) can also be included in the text.
To edit or add a new message stamp:
1. On the Actions page, select Insert stamp in body.
2. Click Edit. The Stamps screen appears, showing a list of available stamps.
3. Click Add or select a stamp from the list and click Edit. The Stamps screen appears, showing details for the stamp.
4. Type a name in the Name field, or edit the existing name if desired.
5. Select whether to insert the stamp at the end or the beginning of the message body.
6. Type the desired text into the text box. Optionally, use rule tokens/variables (such as an attachment name) as part of the text message. See Rule Tokens/Variables.
7. To exclude TNEF and digitally signed messages from stamping, select Do not stamp TNEF and digitally signed messages; prevent breakage.
Note: Hosted Email Security recognizes messages signed using the S/MIME standard.
The Microsoft TNEF format is used when sending rich text email using the Outlook client. If Hosted Email Security tries to insert a stamp into a TNEF-formatted email, the message might become corrupted or unreadable. To prevent this, if your organization uses Outlook to send rich text formatted messages, Hosted Email Security enables you to exempt TNEF messages from those actions that might corrupt the message.
5.2.4.3.5 Rule Tokens/Variables
Use the following tokens to include variables in message tags and stamps:

Table 1. Tokens and Variables

Token            Variable
%SENDER%         Message sender
%RCPTS%          Message recipients
%SUBJECT%        Message subject
%DATE&TIME%      Date and time of incident
%MAILID%         Mail ID
%RULENAME%       Name of the rule that contained the triggered filter
%RULETYPE%       The type of rule: Content Filter, Message Size Filter, and others
%DETECTED%       Current filter scan result in other task
%FILENAME%       Name(s) of file(s) that were affected by the rule
%DEF_CHARSET%    Default character set of the notification message
%MSG_SIZE%       Total size of the message and all attachments
%ATTACH_SIZE%    Total size of the attachment(s) that triggered the rule
%ATTACH_COUNT%   Number of attachments that triggered the rule
%TACTION%        Terminal action taken by Hosted Email Security
%ACTION%         All other (non-terminal) actions taken by Hosted Email Security
%VIRUSNAME%      Name of any virus detected. This token will be empty if the message did not trigger a virus action.
%VIRUSACTION%    Action taken on any viruses detected in the message. This token will be empty if the message did not trigger a virus action.
5.2.4.4 "Monitor" Actions
"Monitor" actions do not change the original message or its attachments. The original sender will still receive the message, assuming that the message does not trigger other rules with intercept actions. There are two "Monitor" actions:
• Send Notification action
• BCC action
You can combine the first action with any other kind of action. You can combine the BCC action with "modify" actions (and with the first "monitor" action). However, the BCC action cannot be combined with terminal "intercept" actions.
Tip: The notification email message sent to "monitor" actions can be customized using the variables shown in Rule Tokens/Variables.
5.2.4.4.1 About the Send Notification Action
Notifications are messages that are sent when the rule is triggered. They are one of the "Monitor" actions. You can only send notification messages from addresses within your own domain.

5.2.4.4.1.5 Configuring Send Notification Actions
1. Select a message from the list of those available on the left side of the screen.
2. Click the right arrow button (Add >). The selected message appears in the Selected list on the right side.

5.2.4.4.1.6 Deleting Notifications from Rule Actions
1. Select the message you want to delete from the Selected list on the right side.
2. Click Delete.

5.2.4.4.1.7 Deleting Notifications from Lists of Messages
To delete an existing notification message from the list of messages:
1. Select the message you want to delete from the list of those available on the left side of the screen.
2. Click Delete.

5.2.4.4.2 Using the Bcc Action
The BCC action sends a Bcc (blind carbon copy) to a recipient or recipients configured in the rule. It is one of the "monitor" class of actions. You can only configure a notification to be sent to an address in your own domain.
1. From the Monitor section of the Action page, select BCC.
2. Type the email address of the recipient in the field. If you have more than one email address, enter them in the field separated by commas or semicolons.
5.2.4.5 "Scan Limitations" Actions
"Scan limitations" actions can only be used with policies that protect against viruses or malware. They can be combined with any terminal or "Modify" actions. These are the scan limitation triggers:
• Office 2007/2010 file contains more than 353 files.
• Compressed archive contains more than 353 files.
• Office 2007/2010 file contains a file with decompression ratio of more than 100.
• Compressed file contains a file with decompression ratio of more than 100.
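To see which messages in your own mail flow would hit these limits, the added example below (not Trend Micro code) applies the two thresholds from the list above to a ZIP container using only its directory metadata, without extracting anything. Office 2007/2010 files are ZIP containers, so the same check covers them; the trigger names, the helper `build_zip` and the sample archives are constructed for illustration.

```python
import io
import zipfile

MAX_FILES = 353   # "more than 353 files" (limit stated on the page)
MAX_RATIO = 100   # "decompression ratio of more than 100" (limit stated on the page)


def scan_limit_triggers(container_bytes):
    """Return the scan-limitation triggers a ZIP container would hit.

    Sizes are read from the archive's directory entries, so nothing is
    decompressed while the limits are being checked.
    """
    triggers = []
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]

    if len(members) > MAX_FILES:
        triggers.append("file_count")

    for member in members:
        if member.compress_size == 0:
            # A non-empty file that claims zero compressed bytes is treated
            # as exceeding any ratio limit.
            ratio = float("inf") if member.file_size else 0.0
        else:
            ratio = member.file_size / member.compress_size
        if ratio > MAX_RATIO:
            triggers.append("decompression_ratio")
            break
    return triggers


def build_zip(members):
    """Build an in-memory ZIP from (name, data) pairs; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples.
ORDINARY = build_zip([("a.bin", bytes(range(256))), ("b.bin", bytes(range(256)))])
AT_LIMIT = build_zip([("f%03d.txt" % i, b"x") for i in range(353)])
TOO_MANY = build_zip([("f%03d.txt" % i, b"x") for i in range(354)])
# One mebibyte of zero bytes deflates to roughly a kilobyte.
HIGH_RATIO = build_zip([("zeros.bin", bytes(1024 * 1024))])


if __name__ == "__main__":
    for label, sample in [("ordinary", ORDINARY), ("353 files", AT_LIMIT),
                          ("354 files", TOO_MANY), ("high ratio", HIGH_RATIO)]:
        print(label, scan_limit_triggers(sample))
```

Messages that hit either trigger are the ones the Reject and Bypass actions apply to, so running a check like this over sampled attachments shows how much legitimate mail a Reject rule would affect.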
5.2.4.5.1 Rejecting Messages
The Reject the message action deletes the message and sends a Non-Delivery Report (NDR) to the sender. Hosted Email Security message logs record that the message was deleted. Once deleted, the message cannot be recovered.
Note: The Reject the message action is only available in policies with the target criteria of Message contains "viruses or malicious code".
Select the Reject the message action from the "Scan Limitations" section.

5.2.4.5.2 Bypassing Messages
Bypass this rule skips taking any action on the specified message but continues to check the message against the remaining rules in the policy.
Note: The Bypass this rule action is only available in policies with the target criteria of Message contains "viruses or malicious code".
Select the Bypass this rule action from the "Scan Limitations" section.
Warning: The delivered message may contain a security risk.
5.2.4.6 Encrypting Outbound Messages
The purpose of this rule action is to protect sensitive data in email messages sent by users in your organization.
Note: This action only applies to outbound rules.
Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.
In most cases, a rule to encrypt email will be based on one of the following:
• Specific senders or recipients of the message (for example, a rule that encrypts all email sent from Human Resources or the Legal department)
• Specific content in the message body
1. From the "Intercept" section of the Action page, select Do not intercept messages.
2. From the "Modify" section of the page, select the Encrypt email action.
5.2.5 Naming and Enabling a Rule
Once you have created a rule, the final step is to name and enable it. You can also add notes.
1. On the Rule tab:
   a. Name the rule.
      Note: Trend Micro recommends using a descriptive name that will allow administrators to easily identify this rule from the list in the Policy screen. For instance, if you are creating a spam rule that applies to the one.example.com domain, you might name it something like "One Example Spam Rule".
   b. Click Enable to put the rule into effect.
   c. Review the rule definition summarized in the box. If anything in any of the three sections needs changing, you can click on the links to return to that step of the rule definition and make the change.
2. On the Notes tab, enter any notes about this rule.
3. Click Save.
The Policy screen is displayed, with your rule in the appropriate order and highlighted in the list.
5.3 Configuring Sender Filter
Configure the Approved Senders and Blocked Senders lists to control which email messages Hosted Email Security scans. Specify the senders to allow or block using specific email addresses or entire domains. For example, *@example.com specifies all senders from the example.com domain.
Evaluation is done in the following order:
1. End User Quarantine website Approved Senders lists
2. Administrator console Approved Senders lists
3. End User Quarantine website Blocked Senders lists
4. Administrator console Blocked Senders lists
See Sender Filter Order of Evaluation.
Tip: IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level. See General Order of Evaluation.
Lists of approved or blocked senders are managed using the following screens:
• Approved Senders
  Email messages from senders added to this list are not subject to IP reputation-based, spam, phish, or marketing message filtering. Hosted Email Security still performs malware and attachment scanning on all messages received and takes the action configured in policy rules after detecting a malware threat or an attachment policy violation.
  Go to Sender Filter > Approved Senders to display this screen.
• Blocked Senders
  Hosted Email Security automatically blocks messages sent from addresses or domains added to the blocked list without subjecting the messages to any scanning.
  Go to Sender Filter > Blocked Senders to display this screen.
The Approved Senders and Blocked Senders tables display the following information:
• Sender: The email address or domain that you approved or blocked for the specified Recipient Domain
• Recipient Domain: The managed domain for which you approved or blocked the specified sender
• Date Added: The date that you added the sender to the list
5.3.1 Adding Senders
Hosted Email Security only approves or blocks email messages from the specified sender for the specified domain. For example, after adding spammerbob@examplespamdomain.com to the blocked list for your managed domain mydomain.com, Hosted Email Security only blocks the email messages sent [email protected] in the mydomain.com domain. Hosted Email Security still scans and possibly passes email messages sent from [email protected] to your other managed domains. To block or allow email messages from a specific sender to all domains, select all my domains from the Managed domain drop-down list.
1. Select a specific domain from the Managed domain drop-down list. To select all domains, select all my domains from the list.
2. In the Email address or domain field, type a sender. A sender can be a specific email address or all addresses from a specific domain or subdomain.
   • Filter a specific email address by typing that email address.
   • Filter all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will filter all email addresses in the example.com domain.
   • Filter all addresses from a subdomain by using an asterisk (*) to the left of the at sign (@) and also using an asterisk (*) in place of the subdomain in the email address. For example, *@*.example.com will filter all email addresses in all subdomains of the example.com domain.
   The following table displays format examples that are valid or not valid:

   Table 1. Format Examples for Approved Senders and Blocked Senders

   Valid                   Not Valid
   [email protected]        name@*.example.com
   *@example.com           *@*.com
   *@server.example.com    *@*
   *@*.example.com

3. Click Add to List. Hosted Email Security validates the sender address and adds it to the list.
Tip: Hosted Email Security validates the format of the sender address before adding the sender to the list. If you receive multiple formatting error messages and are sure that the address provided is accurate, your administrator console may have timed out. Reload the page and try again.
5.3.2 Editing Senders
1. Select a specific domain from the Managed domain drop-down list. To select all domains, select all my domains from the list.
2. Click the email address or domain of a sender. The email address or domain becomes editable, and buttons labeled OK or Cancel appear.
3. Make and confirm your changes or corrections.
   • Filter a specific email address by typing that email address.
   • Filter all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will filter all email addresses in the example.com domain.
   • Filter all addresses from a subdomain by using an asterisk (*) to the left of the at sign (@) and also using an asterisk (*) in place of the subdomain in the email address. For example, *@*.example.com will filter all email addresses in all subdomains of the example.com domain.
   The following table displays format examples that are valid or not valid:

   Table 1. Format Examples for Approved Senders and Blocked Senders

   Valid                   Not Valid
   [email protected]        name@*.example.com
   *@example.com           *@*.com
   *@server.example.com    *@*
   *@*.example.com
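The added example below (not Trend Micro code) models the sender formats from the tables in 5.3.1 and 5.3.2 and the evaluation order listed in 5.3, so you can check how a planned entry would behave before adding it. The regular expressions are inferred from the valid and not-valid examples only; treating `*@example.com` as not covering subdomains, the list contents and the sample senders are assumptions made for illustration.

```python
import re

# One DNS label, and a domain of at least two labels (so "*.com" is refused).
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
DOMAIN = LABEL + r"(?:\." + LABEL + r")+"

EXACT = re.compile(r"[a-z0-9._%+-]+@" + DOMAIN)          # name@example.com
ANY_AT_DOMAIN = re.compile(r"\*@(" + DOMAIN + r")")       # *@example.com
ANY_AT_SUBDOMAIN = re.compile(r"\*@\*\.(" + DOMAIN + r")")  # *@*.example.com


def is_valid_sender_entry(entry):
    """Accept only the three entry shapes shown as valid in the table."""
    e = entry.strip().lower()
    return bool(EXACT.fullmatch(e) or ANY_AT_DOMAIN.fullmatch(e)
                or ANY_AT_SUBDOMAIN.fullmatch(e))


def entry_matches(entry, sender):
    """Return True if a list entry covers the given sender address."""
    e, s = entry.strip().lower(), sender.strip().lower()
    if EXACT.fullmatch(e):
        return s == e
    sender_domain = s.rpartition("@")[2]
    m = ANY_AT_DOMAIN.fullmatch(e)
    if m:
        # Assumption: the apex form does not cover subdomains.
        return sender_domain == m.group(1)
    m = ANY_AT_SUBDOMAIN.fullmatch(e)
    if m:
        return sender_domain.endswith("." + m.group(1))
    return False


# Order of evaluation as listed in section 5.3: the first match decides.
EVALUATION_ORDER = [
    ("approved", "End User Quarantine Approved Senders"),
    ("approved", "Administrator console Approved Senders"),
    ("blocked", "End User Quarantine Blocked Senders"),
    ("blocked", "Administrator console Blocked Senders"),
]

# Constructed list contents.
SAMPLE_LISTS = {
    "End User Quarantine Approved Senders": ["*@partner.example.com"],
    "Administrator console Approved Senders": [],
    "End User Quarantine Blocked Senders": [],
    "Administrator console Blocked Senders": [
        "*@*.example.com",
        "spammerbob@examplespamdomain.com",
    ],
}


def evaluate_sender(sender, lists=SAMPLE_LISTS):
    """Return (verdict, list name, entry) for the first match, else None."""
    for verdict, list_name in EVALUATION_ORDER:
        for entry in lists.get(list_name, []):
            if entry_matches(entry, sender):
                return verdict, list_name, entry
    return None


if __name__ == "__main__":
    for candidate in ["*@example.com", "*@*.example.com", "name@*.example.com",
                      "*@*.com", "*@*"]:
        print(candidate, is_valid_sender_entry(candidate))
    for sender in ["alice@partner.example.com", "bob@mail.example.com",
                   "carol@example.com", "spammerbob@examplespamdomain.com"]:
        print(sender, evaluate_sender(sender))
```

Because approved lists are evaluated before blocked lists, an end user's approved entry for `*@partner.example.com` takes effect even though the administrator's `*@*.example.com` block also covers that sender, which is worth auditing when block entries appear not to work.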
5.4 Understanding IP Reputation
Hosted Email Security offers two tiers of protection. IP reputation-based filtering at the MTA connection level, provided by Trend Micro Email Reputation Services (ERS), is the first tier. The second is content-based filtering at the message level.
Tip: IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level. See IP Reputation-Based Filtering at the MTA Connection Level. See General Order of Evaluation. See IP Reputation Order of Evaluation.
Hosted Email Security makes use of Trend Micro Email Reputation Services (ERS) Standard Service and Advanced Service. Email Reputation Services uses a standard IP reputation database and an advanced, dynamic IP reputation database (a database updated in real time). These databases have distinct entries, allowing Trend Micro to maintain a very efficient and effective system that can quickly respond to new sources of spam.
Configure the following settings on the IP Reputation Settings screen:
• Dynamic Reputation Settings control how Hosted Email Security uses the dynamic IP reputation database from Email Reputation Services Advanced Service.
• Standard IP Reputation Settings control how Hosted Email Security uses the standard IP reputation database from Email Reputation Services Standard Service.
The Approved and Blocked IP Addresses screen shows approved and blocked countries, Internet service providers, IP addresses, and CIDR blocks.
5.4.1 About Dynamic IP Reputation Settings
Hosted Email Security makes use of Trend Micro Email Reputation Services (ERS) Standard Service and Advanced Service.
Dynamic IP Reputation Settings use Trend Micro Email Reputation Services Advanced Service, a real-time anti-spam solution. The Trend Micro network of automated expert systems, along with Trend Micro spam experts, continuously monitor network and traffic patterns and immediately update the dynamic IP reputation database as new spam sources emerge, often within minutes. As evidence of spam activity increases or decreases, the dynamic IP reputation database is updated accordingly.
The dynamic IP reputation database includes the following blocking levels:
• Level 0: Off
  Queries the dynamic reputation database but does not block any IP addresses.
• Level 1: Least aggressive
  Hosted Email Security allows the same amount of spam from a sender with a good rating as in Level 2. The length of time that the IP address stays in the database is generally shorter than for more aggressive settings.
• Level 2: (the default setting)
  Hosted Email Security allows a larger volume of spam from a sender with a good rating than more aggressive settings. However, if an increase in spam above the allowable threshold is detected, it adds the sender to the dynamic reputation database. The length of time that the IP address stays in the database is generally shorter than for more aggressive settings.
• Level 3:
  Hosted Email Security allows a small volume of spam from senders with a good rating. However, if an increase in spam beyond the allowable threshold is detected, it adds the sender to the dynamic reputation database. The length of time that the IP address stays in the database depends on whether additional spam from the sender is detected.
• Level 4: Most aggressive
  If even a single spam message from a sender IP address is detected, Email Reputation Services adds the sender to the dynamic reputation database and Hosted Email Security blocks all messages from the sender. The length of time that the IP address stays in the database depends on whether additional spam from the sender is detected.
If legitimate email is being blocked, select a less aggressive setting. If too much spam is reaching your network, select a more aggressive setting. However, this setting might increase false positives by blocking connections from legitimate email senders.
Note: To avoid false positives from a trusted partner company, go to IP Reputation > Approved/Blocked and add the IP address for their MTA to the Approved list.
The IP addresses in the Approved lists bypass other IP reputation-based filtering. This list is useful for ensuring all messages from a partner company or other MTA are allowed, no matter their status with the standard IP reputation databases or with the Trend Micro Email Reputation Services (ERS) dynamic IP reputation database. When using the IP reputation approved lists, you may experience lower overall spam catch rates.
5.4.2 About Standard IP Reputation Settings
Hosted Email Security makes use of Trend Micro Email Reputation Services (ERS) Standard Service and Advanced Service. See IP Reputation-Based Filtering at the MTA Connection Level.
Standard IP Reputation Settings use Trend Micro Email Reputation Services Standard Service, which helps block spam by validating requested IP addresses against the Trend Micro standard IP reputation database, powered by the Trend Micro Threat Prevention Network. This ever-expanding database currently contains over a billion IP addresses with reputation ratings based on spamming activity. Trend Micro spam investigators continuously review and update these ratings to ensure accuracy.
Hosted Email Security makes a query to the standard IP reputation database server whenever it receives an email message from an unknown host. If the host is listed in the standard IP reputation database, that message is reported as spam.
You can choose which lists to enable from the standard IP reputation database. By default, all lists are enabled. The default setting is the most effective for reducing spam levels, and it meets the needs of most customers.
Note: If you disable some portions of the standard IP reputation database, you may see an increase in the amount of spam messages that reach your internal mail server for additional content filtering.
The standard IP reputation database includes the following lists:
• Known Spam Source: The Real-time Blackhole List (RBL) is a list of IP addresses of mail servers that are known to be sources of spam.
• Dynamically Assigned IP: The Dynamic User List (DUL) is a list of dynamically assigned IP addresses, or those with an acceptable use policy that prohibits public mail servers. Most entries are maintained in cooperation with the ISP owning the network space. IP addresses in this list should not be sending email directly but should be using the mail servers of their ISP.
Note: To avoid false positives from a trusted partner company, go to IP Reputation > Approved/Blocked and add the IP address for their MTA to the Approved list.
The IP addresses in the Approved lists bypass other IP reputation-based filtering. This list is useful for ensuring all messages from a partner company or other MTA are allowed, no matter their status with the standard IP reputation databases or with the Trend Micro Email Reputation Services (ERS) dynamic IP reputation database. When using the IP reputation approved lists, you may experience lower overall spam catch rates.
5.4.3 About Approved and Blocked IP Addresses
Go to IP Reputation > Approved/Blocked to display this screen.
To manually override IP reputation-based filtering at the MTA connection level, add IP addresses to the lists on the Approved and Blocked IP Addresses screen. These lists override the Dynamic IP Reputation Settings and Standard IP Reputation Settings and allow for customization of which addresses are subjected to IP reputation-based filtering. There are lists of approved and blocked countries, IP addresses, and Classless Inter-Domain Routing (CIDR) blocks.
Tip: To add a CIDR block to the list, type the IPv4 address / CIDR block. The following is the only valid format: x.x.x.x/z
The IP addresses in the Approved lists bypass other IP reputation-based filtering. This list is useful for ensuring all messages from a partner company or other MTA are allowed, no matter their status with the standard IP reputation databases or with the Trend Micro Email Reputation Services (ERS) dynamic IP reputation database. When using the IP reputation approved lists, you may experience lower overall spam catch rates.
The IP addresses in the Blocked lists are not subject to other IP reputation-based filtering. Hosted Email Security permanently rejects connection attempts from such IP addresses by responding with a 550 error (a rejection of the requested connection).
Tip: IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level. See Configuring Sender Filter.
5.4.4 Troubleshooting Issues
If you encounter unexpected errors while trying to save your settings on the IP Reputation Settings screen, you may be able to resolve the issue on your own. Consult the following table for guidance on resolving the problem before contacting technical support.
Table 1. IP Reputation Settings: Issues and Solutions
Issue | Possible Cause | Possible Solution
--- | --- | ---
The Save button is disabled. | You do not have a valid Activation Code. | Obtain a valid Activation Code from your vendor.
The Save button is disabled. | You have applied for an Activation Code, but it has not yet been added to the Hosted Email Security system. | Try again later.
The Save button is disabled. | A temporary network issue is preventing Hosted Email Security from validating the Activation Code. | Try again later.
I cannot save my IP Reputation settings. | There is a temporary network issue. | Try again later. Log off, log on, and try again.
I cannot save my IP Reputation settings. | There is more than one browser window open to the Hosted Email Security administrator console, and the session in one of the other windows has expired. | Close the other windows and try again. Log off, log on, and try again.
5.5 Understanding Advanced Protection
Hosted Email Security advanced protection allows you to better secure data and ensure communication privacy for email traffic in your Managed Domains.
5.5.1 About Transport Layer Security (TLS)
Transport Layer Security (TLS) is a protocol that helps to secure data and ensure communication privacy between endpoints. Hosted Email Security allows you to configure TLS encryption policies between Hosted Email Security and specified TLS peers. Hosted Email Security supports the following TLS protocols in descending order of priority: TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0.
The Transport Layer Security (TLS) screen uses the following important terms:
Term: TLS peer
Details: Hosted Email Security can apply your specified TLS configuration with this domain during network communications.
Term: Security level
Details:
Opportunistic:
• Communicates using encryption if the peer supports and elects to use TLS
• Communicates without encryption if the peer does not support TLS
• Communicates without encryption if the peer supports TLS but elects not to use TLS
Mandatory:
• Communicates using encryption if the peer supports and elects to use TLS
• Does not communicate if the peer does not support TLS
• Does not communicate if the peer supports TLS but elects not to use TLS
Important:
Because of the risk of losing data, Trend Micro recommends confirming TLS encrypted message delivery between a Managed Domain and a peer before using the Mandatory security level. See Testing TLS.
To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages from the following Hosted Email Security IP address / CIDR blocks:
• 216.104.0.0/24
• 216.99.128.0/24
• 150.70.0.0/24 – All Regions
• 54.219.191.0/25 – North and South America, Asia, and Japan Regions
• 54.86.63.64/26 – North and South America, Asia, and Japan Regions
• 52.58.63.0/25 – Europe, Middle-east and Africa (EMEA) Regions
• 52.58.62.192/26 – Europe, Middle-east and Africa (EMEA) Regions
• 52.48.127.192/26 – Europe, Middle-east and Africa (EMEA) Regions
Term: Status
Details:
• Enabled: Hosted Email Security applies your specified TLS configuration to the peer
• Disabled: Hosted Email Security does not apply your specified TLS configuration to the peer. Instead, the "Default" TLS configuration applies.
Term: Default (TLS Peer)
Details: This configuration applies to all domains that meet any of the following criteria:
• Domain is not in the peer list
• Domain is in the peer list, but is not enabled
5.5.1.1 Testing TLS
Important:
Because of the risk of losing data, Trend Micro strongly recommends doing the following before specifying a Security Level of Mandatory:
• Confirm TLS encrypted message delivery between Hosted Email Security and your Managed Domain.
• Confirm the TLS configuration for any peers on the Internet. Contact the managers of each peer yourself. Trend Micro is unable to assist you in this process.
Use the following procedure to test TLS between Hosted Email Security and the email server for your Managed Domain.
1. Go to Advanced Protection > Transport Layer Security (TLS).
2. Select a Managed Domain.
3. Select the Direction of Incoming. Test TLS appears at the top-right of the screen.
4. Click Test TLS.
5. Specify the Send test message to email address.
6. Click Send Test.
Hosted Email Security sends a message to the specified email address confirming TLS works for the Managed Domain.
Tip: If the message does not arrive within a short period of time, confirm that the email server for the Managed Domain is correctly configured to use TLS. After verifying the server configuration, send the test again.
5.5.1.2 Adding TLS Peers
1. Go to Advanced Protection > Transport Layer Security (TLS).
2. Select a Managed Domain.
3. Select the Direction of Incoming or Outgoing.
4. Specify the TLS Peer to add.
5. Set the Security level to one of the following:
• Opportunistic:
§ Communicates using encryption if the peer supports and elects to use TLS
§ Communicates without encryption if the peer does not support TLS
§ Communicates without encryption if the peer supports TLS but elects not to use TLS
• Mandatory:
§ Communicates using encryption if the peer supports and elects to use TLS
§ Does not communicate if the peer does not support TLS
§ Does not communicate if the peer supports TLS but elects not to use TLS
Important: Because of the risk of losing data, Trend Micro recommends confirming TLS encrypted message delivery between a Managed Domain and a peer before using the Mandatory security level. See Testing TLS.
To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages from the following Hosted Email Security IP address / CIDR blocks:
HES IP addresses
6. Select Enabled to have Hosted Email Security apply your specified TLS security level to the new peer.
7. Click Add.
5.5.1.3 Editing TLS Peers
1. Go to Advanced Protection > Transport Layer Security (TLS).
2. Select a Managed Domain.
3. Select the Direction of Incoming or Outgoing.
4. To the right of a peer in the list, click Edit.
5. Reconfigure the peer.
6. Click Save.
5.5.2 About Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an open standard to prevent sender address forgery. SPF protects the envelope sender address, which is used for the delivery of messages. Hosted Email Security enables you to configure SPF to ensure the sender's authenticity.
SPF requires the owner of a domain to specify and publish their email sending policy in an SPF record in the domain's DNS zone, for example, which email servers they use to send email from their domain.
When an email server receives a message claiming to come from that domain, the receiving server verifies whether the message complies with the domain's stated policy or not. If, for example, the message comes from an unknown server, it can be considered as fake.
Evaluation of an SPF record can return any of the following results:
Result | Explanation | Intended Action
--- | --- | ---
Pass | The SPF record designates the host to be allowed to send. | Accept
Fail | The SPF record has designated the host as NOT being allowed to send. | Reject
SoftFail | The SPF record has designated the host as NOT being allowed to send but is in transition. | Accept
Neutral | The SPF record specifies explicitly that nothing can be said about validity. | Accept
None | The domain does not have an SPF record or the SPF record does not evaluate to a result. | Accept
PermError | A permanent error has occurred (for example, badly formatted SPF record). | Accept
TempError | A transient error has occurred. | Accept
5.5.2.1 Enabling or Disabling Sender Policy Framework (SPF)
You can enable Sender Policy Framework (SPF) to allow Hosted Email Security to evaluate the legitimacy of sender's email address, before delivering the email to the recipient.
1. Go to Advanced Protection > Sender Policy Framework (SPF).
2. Select Enable Sender Policy Framework to enable SPF in Hosted Email Security. Clear this check-box to disable SPF.
3. Click OK on the confirmation dialog box.
Note: The confirmation dialog box only appears if the domain selected in Managed Domain is all my domains.
4. If you also want to add the SPF check result into the email message's xheader, select Add SPF DNS check result into message's xheader, and then click OK on the confirmation dialog box. Clear this check-box to disable this setting. Hosted Email Security adds messages similar to the following in email message’s xheader named X-TM-Received-SPF:
Status | xheader
--- | ---
Pass | X-TM-Received-SPF: Pass (domain of [email protected] designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
Fail | X-TM-Received-SPF: Fail (domain of [email protected] does not designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
SoftFail | X-TM-Received-SPF: SoftFail (domain of transitioning [email protected] discourages use of 10.64.72.206 as permitted sender) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
Neutral | X-TM-Received-SPF: Neutral (10.64.72.206 is neither permitted nor denied by domain of [email protected]) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
None | X-TM-Received-SPF: None (domain of [email protected] does not designate permitted sender hosts) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
PermError | X-TM-Received-SPF: PermError (domain of [email protected] uses mechanism not recognized by this client) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
TempError | X-TM-Received-SPF: TempError (error in processing during lookup of [email protected]) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
InternalError | X-TM-Received-SPF: InternalError (fail to lookup of or get meaning result of [email protected]) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com
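Because every SPF result except Fail has an intended action of Accept, a downstream mail server or log pipeline can read the X-TM-Received-SPF header to flag delivered messages that did not pass. The following is an added example, not Trend Micro code: the sample messages are constructed, and the envelope-from key name is an assumption taken from the RFC 7208 Received-SPF header, since that field is obscured in the samples above.

```python
import re
from email import message_from_string
from email.policy import default

# Intended action per SPF result, as listed in the guide's result table.
# InternalError appears only in the xheader table, so it has no entry here.
INTENDED_ACTION = {
    "pass": "Accept", "fail": "Reject", "softfail": "Accept",
    "neutral": "Accept", "none": "Accept",
    "permerror": "Accept", "temperror": "Accept",
}

# Layout: <Result> (<explanation>) key=value; key=value; ...
XHEADER_RE = re.compile(
    r"^\s*(?P<result>[A-Za-z]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<pairs>.*)$",
    re.DOTALL,
)


def parse_spf_xheader(value):
    """Split one X-TM-Received-SPF value into result, explanation and key/value pairs."""
    m = XHEADER_RE.match(value or "")
    if not m:
        raise ValueError("unrecognised X-TM-Received-SPF value: %r" % value)
    pairs = {}
    for part in m.group("pairs").split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return {
        "result": m.group("result").lower(),
        "comment": " ".join((m.group("comment") or "").split()),
        "pairs": pairs,
    }


def triage(raw_message):
    """Return the SPF result, the guide's intended action, and a review flag."""
    msg = message_from_string(raw_message, policy=default)  # unfolds long headers
    value = msg.get("X-TM-Received-SPF")
    if value is None:
        # Header option not enabled, or the header was removed in transit.
        return {"result": None, "action": None, "client_ip": None, "review": True}
    parsed = parse_spf_xheader(str(value))
    return {
        "result": parsed["result"],
        "action": INTENDED_ACTION.get(parsed["result"]),  # None if not in the table
        "client_ip": parsed["pairs"].get("client-ip"),
        "review": parsed["result"] != "pass",  # delivered without an SPF pass
    }


# Constructed sample messages (documentation addresses, not real traffic).
SAMPLE_PASS = (
    "From: alice@example.com\n"
    "X-TM-Received-SPF: Pass (domain of alice@example.com designates 192.0.2.25"
    " as permitted sender) client-ip=192.0.2.25;"
    " envelope-from=alice@example.com; helo=mail.example.com\n"
    "Subject: Minutes\n\nbody\n"
)
SAMPLE_SOFTFAIL = (
    "From: billing@example.com\n"
    "X-TM-Received-SPF: SoftFail (domain of transitioning billing@example.com\n"
    " discourages use of 192.0.2.10 as permitted sender)\n"
    " client-ip=192.0.2.10; envelope-from=billing@example.com; helo=relay.example.net\n"
    "Subject: Invoice\n\nbody\n"
)
SAMPLE_INTERNAL = (
    "From: bob@example.org\n"
    "X-TM-Received-SPF: InternalError (fail to lookup of or get meaning result of"
    " bob@example.org) client-ip=198.51.100.7; helo=mx.example.org\n"
    "Subject: Hello\n\nbody\n"
)
SAMPLE_NO_HEADER = "From: carol@example.org\nSubject: Hi\n\nbody\n"

if __name__ == "__main__":
    for name in ("SAMPLE_PASS", "SAMPLE_SOFTFAIL", "SAMPLE_INTERNAL", "SAMPLE_NO_HEADER"):
        print(name, triage(globals()[name]))
```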
5.5.2.2 Adding an SPF Peer to the Ignored List
Hosted Email Security enables you to add SPF peers to the ignored list. If SPF is enabled, Hosted Email Security ignores the SPF peers that are included in this list, and does not perform verification for these peers.
1. Go to Advanced Protection > Sender Policy Framework (SPF).
2. In Ignored Peer field, type a sender domain name, IP address or IP/CIDR block that you want to ignore for verification.
3. Click Add to List.
5.5.2.3 Editing an SPF Peer in the Ignored List
1. Go to Advanced Protection > Sender Policy Framework (SPF).
2. From the list of SPF Peers, click Edit before the peer whose domain name, IP address or IP/CIDR block you want to modify.
3. Modify the information in the field displayed, and then click Save.
5.5.2.4 Deleting SPF Peers from Ignored List
1. Go to Advanced Protection > Sender Policy Framework (SPF).
2. From the list of SPF peers, select the peers that you want to delete, and then click Delete.
3. Click OK on the confirmation dialog box.
5.6 Understanding Quarantine
Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.
Warning: Hosted Email Security automatically deletes messages from the quarantine after 30 days.
To manage messages for other members of a managed domain, the Query screen of the administrator console must be used. Quarantine management in the administrator console is divided into the following parts:
• Use the Quarantine > Query screen to view a list of quarantined messages for your managed domains. You can review messages, delete them, or release them for further filtering.
Queries include data for up to seven continuous days in one calendar month. Use more than one query to search across calendar months.
• Use the Digest Settings screen to configure the schedule and format for the Quarantine Digest. If the digest is enabled, all domain recipients receive their own customized copy of the digest. Intended message recipients can use the End User Quarantine website to manage messages in quarantine themselves.
Note: To allow intended recipients to use the End User Quarantine website to manage messages in quarantine themselves, do the following:
• Configure policy rules to quarantine messages: See Managing Policy Rules.
• Share the End User Quarantine User's Guide and the following web address for your region with end users:
§ For Europe, the Middle East, Africa: https://euq.hes.trendmicro.eu
§ For all other regions: https://euq.hes.trendmicro.com
5.6.1 Querying the Quarantine
Use the Quarantine > Query screen to view a list of quarantined messages for your managed domains. You can review messages, delete them, or release them for further filtering.
1. In the Dates fields, select a range of dates.
Note: Queries include data for up to seven continuous days in one calendar month. Use more than one query to search across calendar months.
2. In the Direction field, select a mail traffic direction.
3. Type your search criteria into one or more of the following fields:
• Recipient
• Sender
• Subject
A recipient or sender can be a specific email address or all addresses from a specific domain.
• Query a specific email address by typing that email address.
• Query all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will search for all email addresses in the example.com domain.
The following table displays format examples that are valid or not valid:
Table 1. Format Examples for Mail Tracking and Quarantine Query
Valid | Not Valid
--- | ---
[email protected] | name@*.example.com
*@example.com | *@*.com
*@server.example.com | *@*
*@*.example.com |
4. Click Search.
5. Select the messages to manage.
6. Click one of the following buttons to manage selected messages:
• Delete: Cancel delivery and permanently delete the message
• Deliver (Not Spam): Release from quarantine
Note: Released messages are no longer marked as spam, but they will continue to be processed by Hosted Email Security. The following conditions apply to delivery:
• If a message triggers a content-based policy rule with an Intercept action of Quarantine, it will once again appear in the quarantined message list.
• If a message triggers a content-based policy rule with an Intercept action of Delete entire message or Change recipient, it will not arrive at its intended destination.
5.6.2 About the Quarantine Digest
The Quarantine Digest lists up to 100 of each end user's quarantined email messages, and provides a link for that account holder to access quarantined messages through the End User Quarantine website at the following web address for your region:
• For Europe, the Middle East, Africa: https://euq.hes.trendmicro.eu
• For all other regions: https://euq.hes.trendmicro.com
Use the Digest Settings screen to configure the schedule and format for the Quarantine Digest. If the digest is enabled, all domain recipients receive their own customized copy of the digest. Intended message recipients can use the End User Quarantine website to manage messages in quarantine themselves.
The Quarantine Digest email message features a template with customizable plain-text and HTML versions. Each version of the template can incorporate "tokens" to customize output for digest recipients.
If the Quarantine Digest Inline Action check box on the Digest Settings screen is selected, recipients can directly manage their quarantine from the digest email message. By enabling this function, you can relieve users of the necessity of logging on to the End User Quarantine website and manually approving quarantined messages or senders.
Warning: Anyone receiving this Quarantine Digest email message will be able to add any of these senders to the account holder's approved senders list. Therefore, administrators must warn digest recipients not to forward the Quarantine Digest email message.
The Quarantine Digest for managed accounts is sent to the primary account. For more information about managed accounts, see About End-User Managed Accounts.
The Quarantine Digest Inline Action feature supports only client computers running Microsoft Windows XP Service Pack 3 or later and using only one of the following email clients:
• Microsoft Outlook 2003 Service Pack 3 or later
• Microsoft Outlook Express 6.0 or later
5.6.2.1 Configuring the Quarantine Digest
1. Go to Quarantine > Digest Settings.
2. Enable sending Quarantine Digest email messages (disabled by default) using the button at the top-right of the screen.
Tip: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
3. Select a specific domain from the Managed domain drop-down list.
4. In the Frequency drop-down list, select the frequency with which to send the digest:
• Daily: Specify to send the digest a maximum of three times daily.
Tip: The Quarantine Digest email message features a template with customizable plain-text and HTML versions. Each version of the template can incorporate "tokens" to customize output for digest recipients. Right-click any of the following fields to display a list of available and selectable tokens for the field.
• Weekly: Specify the days of the week and time of day to send the digest.
Warning: Hosted Email Security automatically deletes messages from the quarantine after 30 days.
5. Under Digest Mail Template for <managed_domain>, configure the following settings:
Tip: Use the add and the remove buttons to manage additional entries.
• From: Specify the email address that the digest displays in the From field.
Table 1. From Field Digest Tokens
Token | Content in Sent Digest Email Message
--- | ---
%DIGEST_RCPT% | Digest recipient's email address appears in the From field of the received digest email message
• Subject: Specify the subject line for the digest.
Table 2. Subject Field Digest Tokens
Token | Content in Sent Digest Email Message
--- | ---
%DIGEST_RCPT% | Digest recipient's email address appears in the subject line
%DIGEST_DATE% | Digest date appears in the subject line
• HTML content:
§ Specify if Inline Action should be Enabled or Disabled using the toggle button above the HTML content field.
§ Specify the HTML content of the digest if the email client accepts HTML messages.
Table 3. HTML Content Field Digest Tokens
Token | Content in Sent Digest Email Message
--- | ---
%DIGEST_RCPT% | Digest recipient's email address appears in HTML body of message
%DIGEST_DATE% | Digest date appears in HTML body of message
%DIGEST_BODY_HTML% | Digest summary in HTML table format appears in HTML body of message
%DIGEST_PAGE_COUNT% | Total number of quarantined messages in listed digest summary (up to 100 maximum) appears in HTML body of digest email message
%EUQ_HOST_SERVER% | Address of Hosted Email Security End User Quarantine website appears in HTML body of digest email message
§ Plain text content: Specify the plain text content of the digest if the email client only accepts plain text messages.
Table 4. Plain Text Content Field Digest Tokens
Token | Content in Sent Digest Email Message
--- | ---
%DIGEST_RCPT% | Digest recipient's email address appears in text body of message
%DIGEST_DATE% | Digest date appears in text body of message
%DIGEST_BODY_TEXT% | Digest summary in plain text format appears in text body of message
%DIGEST_PAGE_COUNT% | Total number of quarantined messages listed in the digest summary (up to 100 maximum) appears in plain text body of digest email message
%EUQ_HOST_SERVER% | Address of Hosted Email Security End User Quarantine website appears in HTML body of digest email message
5.7 Understanding Mail Tracking
This screen is optimized for tracking "missing" messages. Trend Micro Hosted Email Security maintains up to 30 days of mail tracking information. Queries include data for up to seven continuous days in one calendar month. Use more than one query to search across calendar months.
When you query the mail tracking information, Hosted Email Security provides a list of all messages that satisfy the criteria. You can click Search at any time to execute the query again. Use the various criteria fields to restrict your searches.
The Mail Tracking query results are displayed in tabs:
• Blocked Traffic: Attempts to send messages in that were stopped by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering
Note: Content-based filtering is not included in this category.
The display of Blocked Traffic has different meanings for incoming and outgoing traffic. Incoming traffic is filtered by Trend Micro Email Reputation Services and by Hosted Email Security incoming security filtering; outgoing traffic is not. If messages are blocked in outgoing traffic, the reason for blocking is unrelated to email reputation but may be related to Hosted Email Security relay mail service filtering.
• Accepted Traffic: Messages that were allowed in by Hosted Email Security for further processing.
• Unresolved Traffic: Messages that cannot be uniquely identified by their Sender Message ID because the ID is null.
The most efficient way to track messages is to provide both sender and recipient email addresses within a time range that you want to search. For an email message that has multiple recipients, the result will be organized as one recipient per entry.
If the message you are tracking cannot be located using this strategy, consider the following:
• Expand the result set by omitting the recipient.
• If the sender is actually blocked by IP reputation-based filtering, the Blocked Traffic results that do not match the intended recipient might indicate this. Provide only the sender and time range for a larger result set.
• Look for other intended recipients of the same message.
• If the sender IP address has a "bad" reputation, mail tracking information will only be kept for the first recipient in a list of recipients. Therefore, the remaining message recipient addresses will not be listed when querying this sender.
• Expand the result set by omitting the sender.
If the sender IP address has a "bad" reputation, omit the sender and provide only the recipient. If only the recipient email address is provided, all the messages that pertain to the recipient will be listed.
5.7.1 About the Blocked Traffic Tab
This tab displays a summary of matched sender MTA IPs that were either permanently or temporarily blocked by Trend Micro Email Reputation Services and Hosted Email Security incoming security filtering (for incoming messages) or by Hosted Email Security relay mail service filtering (for outgoing messages).
When data is available in the Blocked Traffic tab, it will be displayed by default. Also, an email message may be permanently rejected by Hosted Email Security due to its exceedingly large size, for example, if the size of a message exceeds 50 MB.
The following Blocked Traffic information is displayed:
• Timestamp: The time the message attempt was blocked. Click on the Timestamp value to view Mail Tracking Details for a given message.
• Sender: The sender email address on the message envelope, in other words, the sender address in the SMTP MAIL command.
• Recipient: The first recipient email address on the message envelope, in other words, the recipient in the first SMTP RCPT command.
• Blocked:
§ For incoming messages: The sender IP address was blocked by Email Reputation Services or Hosted Email Security content-based filtering at the message level.
Blocked status is either Temporary or Permanent.
If the message has an exceedingly large size, the status will display Size limit. In this case, the message is rejected and blocked permanently by Hosted Email Security content-based filtering due to its size. Hosted Email Security will respond to the sending MTA with a 552 error (a failure of the requested connection because the message exceeded storage allocation).
§ For outgoing messages: The message was blocked by Hosted Email Security relay mail service filtering. Outgoing messages are not filtered by Email Reputation Services (ERS). Outgoing messages can be blocked for the following reasons:
o The recipient address is not resolvable, for example someone@???.com.
o Spammers forged the message sender to be in the customer domain.
o Your MTA is compromised, for example it is an open relay, and it is sending spam messages.
• Sender IP: The IP address of the upstream MTA that delivered this message to Hosted Email Security.
5.7.2 About the Accepted Traffic Tab
This tab displays a summary of matching messages that were accepted by Trend Micro Hosted Email Security.
When you click on the Accepted Traffic tab, you will see a summary of the matching email message traffic that was accepted by Trend Micro Hosted Email Security. Once a message is accepted, it goes through various stages of processing by Hosted Email Security. See Content-Based Filtering at the Message Level.
This result summary is organized with recipient in mind, since mail tracking is mostly initiated by an end user. For a message that has multiple recipients, the result will be organized as one recipient per entry.
The following information is displayed for Accepted Traffic:
• Timestamp: The time the message was accepted by Hosted Email Security. Click on the Timestamp value to open the Mail Tracking Details window for a given message.
• Sender: The sender email address on the message envelope, in other words, the sender address in the SMTP MAIL command.
• Recipient: The first recipient email address on the message envelope, in other words, the recipient in the first SMTP RCPT command.
• Action: The last action taken on the message. For all the actions, see Actions below.
§ Delivered: The message has been delivered to the downstream MTA that is responsible for transporting the message to its destination.
§ Bounced: The message has been rejected by the downstream MTA. Hosted Email Security will attempt to notify the sender about the event.
§ Deleted: The message has been deleted by Hosted Email Security according to the policy established by the authorized mail administrator of this mail domain.
§ Redirected: The message has been redirected to a different recipient according to the Hosted Email Security policy established by the authorized mail administrator of this mail domain.
§ Expired: Hosted Email Security attempted delivery repeatedly over several days without success and decided that the message is undeliverable. Hosted Email Security will attempt to notify the sender about the event.
§ Queued for delivery: The message is ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. This is a transient state of this message; it should not remain in this state for an extended period of time.
§ Temporary delivery error: The message should be ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. However, something is preventing the message from posting. This is a transient state of this message; it should not remain in this state for an extended period of time.
§ Quarantined: Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.
§ Encryption in progress: The message is being encrypted by Hosted Email Security. After encryption is complete, Hosted Email Security will queue the message for delivery.
§ Others: All not listed above.
• Subject: The subject line (if available) of the message.
• Sender IP: The IP address of the upstream MTA that delivered this message to Hosted Email Security.
• Delivered to: The IP address of the downstream MTA that accepted delivery of this message. This is only available when the action is "Delivered".
• Size (KB): The size of the message. This information is not always available.
5.7.3 About the Unresolved Traffic Tab
The following information is displayed for Unresolved Traffic:
• Timestamp: The time the message was accepted by Hosted Email Security. Click on the Timestamp value to open the Mail Tracking Details window for a given message.
• Sender: The sender email address on the message envelope, in other words, the sender address in the SMTP MAIL command.
• Recipient: The first recipient email address on the message envelope, in other words, the recipient in the first SMTP RCPT command.
• Action: The last action taken on the message. For all the actions, see Actions below.
§ Delivered: The message has been delivered to the downstream MTA that is responsible for transporting the message to its destination.
§ Bounced: The message has been rejected by the downstream MTA. Hosted Email Security will attempt to notify the sender about the event.
§ Deleted: The message has been deleted by Hosted Email Security according to the policy established by the authorized mail administrator of this mail domain.
§ Redirected: The message has been redirected to a different recipient according to the Hosted Email Security policy established by the authorized mail administrator of this mail domain.
§ Expired: Hosted Email Security attempted delivery repeatedly over several days without success and decided that the message is undeliverable. Hosted Email Security will attempt to notify the sender about the event.
§ Queued for delivery: The message is ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. This is a transient state of this message; it should not remain in this state for an extended period of time.
§ Temporary delivery error: The message should be ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. However, something is preventing the message from posting. This is a transient state of this message; it should not remain in this state for an extended period of time.
§ Quarantined: Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.
§ Encryption in progress: The message is being encrypted by Hosted Email Security. After encryption is complete, Hosted Email Security will queue the message for delivery.
§ Others: All not listed above.
• Subject: The subject line (if available) of the message.
• Sender IP: The IP address of the upstream MTA that delivered this message to Hosted Email Security.
• Delivered to: The IP address of the downstream MTA that accepted delivery of this message. This is only available when the action is "Delivered".
• Size (KB): The size of the message. This information is not always available.
• Sender Message ID: A unique identifier for the message. This information is not always available.
5.7.4 SocialEngineeringAttackLogDetails
HostedEmail Security providesdetailed information for emailmessagesdetected as possible social engineeringattacks.Toviewsocialengineeringattackdetails,clicktheDetailslinkbesideSocialengineeringattackontheMailTrackingDetailsscreen.
Thefollowingtableliststhepossiblereasonsforsocialengineeringattackdetections.
Email Characteristics | Description
Inconsistent sender host names | Inconsistent host names between Message-ID (<domain>) and From (<domain>).
Broken mail routing path | Broken mail routing path from hop (<IP_address>) to hop (<IP_address>).
Mail routing path contains mail server with bad reputation | The mail routing path contains mail server with bad reputation (<IP_address>).
Significant time gap during email message transit | Significant time gap (<duration>) detected during email message transit between hops (<source> & <destination>) from time (<date_time>) to time (<date_time>).
Inconsistent recipient accounts | Envelope recipient (<email_address>) is inconsistent with header recipient (<email_address>).
Possibly forged sender account or unexpected relay/forward | Possibly forged sender account (<email_address>) is sending email messages via host/IP (<host_address>) of which ASNs (<ASN_list>) are inconsistent to sender ASNs (<ASN_list>); or unexpected server-side relay/forward.
Email message travels across multiple time zones | The email message travels across time zones (<time_zone_list>).
Possible social engineering attack characterized by suspicious charsets in email entities | Suspicious charsets (<character_set_list>) are identified in a single email message, implying the email message originated from a foreign region. This behavior is an indicator of a social engineering attack.
Violation of time headers | Multiple time headers (<date_time>, <date_time>) exist in one message, which violates RFC 5322 section 3.6.
Possibly forged sender (Yahoo) | The email message claimed from Yahoo (<email_address>) lost required headers.
Executable files with tampered extension names in the attachment | Executable files in compressed attachment (<file_name>) intend to disguise as ordinary files with tampered extension names.
Anomalous relationship between sender/recipient(s) related email headers | Anomalous relationship between sender/recipient(s) related email headers (<email_address>).
Encrypted attachment intends to bypass antivirus scan engines | Encrypted attachment (<file_name>) with password (<password>) provided in email content possibly intends to bypass antivirus scan engines.
Email attachment could be exploitable | Email attachment (<file_name>) could be exploitable.
Email message might be sent from a self-written mail agent due to abnormal transfer encoding in email entities | Content-Transfer-Encoding (<encoding_type>) is abnormal in the email message. The email message might be sent from a self-written mail agent.
Few meaningful words in the email message | The email message is less meaningful with only few characters in its text/HTML body (<character_count>).
Possible email spoofing | The email message was claimed as a forwarded or replied message with subject-tagging (<email_subject>), but the email message does not contain corresponding email headers (RFC 5322).
Email message travels across multiple ASNs | The email message travels across multiple ASNs (<ASN_list>).
Email message travels across multiple countries | The email message travels across multiple countries (<country_code_list>).
Abnormal Content-type behavior in email message | Content-type in email content should not have attributes (<attribute_list>).
Executable files archived in the compressed attachment | Executable files archived in compressed attachment (<file_name>).
Exploitable file types detected in the compressed attachment | Exploitable file types detected in compressed attachment (<file_name>).
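To make four of the header-based characteristics in the table concrete, the following added example (not Trend Micro's detection logic, and not part of the original guide) approximates them with Python's standard email parser. The function names, the simplified rules, and both sample messages are assumptions constructed for illustration.

```python
"""Added example: approximates four header checks from the table above.
Not Trend Micro's detection logic; every rule here is a simplified assumption."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

REPLY_TAG = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)

# Constructed sample: triggers all four checks below.
SAMPLE = """\
Message-ID: <20160601.1234@bulk-mailer.example.net>
From: "Accounts Payable" <ap@example.com>
To: finance-team@example.org
Date: Wed, 01 Jun 2016 09:12:44 +0000
Date: Tue, 31 May 2016 23:02:10 -0700
Subject: RE: Overdue invoice

Please see the attached invoice.
"""

# Constructed sample: a consistent reply that triggers nothing.
CLEAN = """\
Message-ID: <abc123@mail.example.com>
From: Bob Smith <bob@example.com>
To: sally@example.org
Date: Wed, 01 Jun 2016 09:12:44 +0000
Subject: Re: Lunch
In-Reply-To: <xyz789@example.org>

See you at noon.
"""


def _domain(addr):
    """Lower-cased domain part of an address or Message-ID, '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _related(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_findings(raw_message, envelope_rcpt):
    """Return {characteristic: detail} for one message and its envelope recipient."""
    msg = message_from_string(raw_message)
    findings = {}

    # Inconsistent sender host names: Message-ID domain vs From domain.
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    mid_dom = _domain(msg.get("Message-ID", "").strip().strip("<>"))
    if from_dom and mid_dom and not _related(from_dom, mid_dom):
        findings["inconsistent_sender_host_names"] = (
            f"Message-ID ({mid_dom}) vs From ({from_dom})")

    # Inconsistent recipient accounts: envelope recipient missing from To/Cc.
    # Bcc and mailing lists cause this legitimately, so treat it as a signal only.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    header_rcpts = {addr.lower() for _, addr in rcpts}
    if envelope_rcpt.lower() not in header_rcpts:
        findings["inconsistent_recipient_accounts"] = (
            f"envelope ({envelope_rcpt}) not in header recipients")

    # Violation of time headers: RFC 5322 section 3.6 allows exactly one Date.
    dates = msg.get_all("Date", [])
    if len(dates) > 1:
        findings["violation_of_time_headers"] = ", ".join(dates)

    # Possible email spoofing: reply/forward subject tag without threading headers.
    subject = msg.get("Subject", "")
    if REPLY_TAG.match(subject) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings["possible_email_spoofing"] = subject

    return findings


if __name__ == "__main__":
    for name, detail in header_findings(SAMPLE, "j.doe@example.org").items():
        print(f"{name}: {detail}")
```

Each finding is a triage signal rather than a verdict, which matches the guide's wording that these are possible reasons for a detection.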
5.8 Understanding Policy Events
This screen enables you to track the email messages that trigger the advanced threat policy. Trend Micro Hosted Email Security maintains up to 30 days' logs for policy events. Queries include data for one day only. Use more than one query to search across calendar months.
The Policy Event Query screen provides the following search criteria:
• Type
• Advanced persistent threat: Query the messages that triggered the advanced threat policy
§ All: Query all messages
§ Analyzed Advanced Threats: Query the messages that are identified as threats according to advanced analysis and the policy configuration
§ Probable Advanced Threats: Query the messages that are treated as suspicious according to policy configuration or the messages that are not sent for advanced analysis due to exceptions that occurred during the analysis.
• Dates: The time range for your query.
• Direction: The direction of messages.
• Recipient: The recipient email address.
• Sender: The sender email address.
• Subject: The message subject.
• Message ID: The sender message ID.
When you query the email policy event, Hosted Email Security provides a list of all messages that satisfy the criteria. You can click Search at any time to execute the query again. Use the various criteria fields to restrict your searches. The most efficient way to track policy events is to provide both sender and recipient email addresses, message subject and message ID within a time range that you want to search. Recipient and Sender cannot use the wild-card character at the same time.
The following policy event information is displayed:
• Timestamp: The time the policy event occurred. Click on the Timestamp value to view the event details for a given message.
• Sender: The sender of the message.
• Recipient: The recipient of the message.
• Message Size: The size of the message. This information is not always available.
• Rule Name: The name of the triggered policy rule that is used to analyze the message.
• Trigger Reason: The reason for the policy rule to trigger.
• Risk Rating: The risk rating of the message identified after advanced analysis.
• Action: The action taken on the message. For all the actions, see Actions below.
§ BCC: A blind carbon copy (BCC) was sent to the authorized recipients according to the Hosted Email Security policy.
§ Bypass: The message has been ignored and was not intercepted by Hosted Email Security.
§ Changed recipient: The recipient has been changed and the message has been redirected to a different recipient according to the Hosted Email Security policy established by the authorized mail administrator of this mail domain.
§ Clean: The message was cleaned for viruses by Hosted Email Security.
§ Delete Attachment: The attachment in the email message has been deleted by Hosted Email Security.
§ Deliver: The message has been delivered to the downstream MTA that is responsible for transporting the message to its destination.
§ Insert Stamp: A block of text was inserted into the email message body.
§ Message deleted: The message has been deleted by Hosted Email Security according to the policy established by the authorized mail administrator of this mail domain.
§ Notification: A notification was sent to the recipient when the policy rule was triggered.
§ Quarantined: Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.
§ Tag Subject: Inserted a text defined in policy rules into the message subject line.
§ Encryption in progress: The message is being encrypted by Hosted Email Security. After encryption is complete, Hosted Email Security will queue the message for delivery.
• Scanned File Report(s): The report for the attached files in the message. If the file is analyzed for advanced threats, the risk level for the file is displayed here. If the report exists, click View report to see the detailed report.
Note: If a file is detected as high-risk, Hosted Email Security will not send the file for advanced analysis, and therefore, a detailed report will not be available for such file. Reports could also be unavailable if an error occurs in generating the report.
If an email message contains multiple recipients, the result will be organized for each recipient separately.
5.9 Configuring Administration Settings
Do any of the following from the Administration screens:
• Manage administrator accounts for the Hosted Email Security server
See Managing Administrator Accounts.
• Reset end user passwords for the Hosted Email Security End User Quarantine website
See Changing End User Passwords.
• Upload user directories to Hosted Email Security for improved spam management
See About Directory Management.
• Manage domain statuses in Hosted Email Security
See About Domain Management.
• Co-brand and customize Hosted Email Security screens
See About Co-Branding.
• Automate directory management in Hosted Email Security using web service clients
See Installing Web Services.
• View the Hosted Email Security Service Level Agreement
See Viewing Your Service Level Agreement.
5.9.1 Managing Administrator Accounts
5.9.1.1 About Account Management
Use the Administration > Account Management screen to search for accounts under your control and to act on behalf of those accounts.
After clicking Assume Control beside an account in the list, you will assume control of that account. For example, you will see and be able to change their Approved Senders and Blocked Senders lists, their Mail Tracking logs, and their managed domains on the Domain Management screens. You will also see the accounts they can control from their Account Management screen.
To stop acting on behalf of an account, click Release in the title bar area.
5.9.1.2 Adding and Configuring an Administrator Account
1. Go to Administration > Account Management.
2. Click Add. The Add Subaccount screen appears.
3. Configure the following information on the screen:
• Subaccount Basic Information: add the user Account Name and Email Address.
• Select Permission Types: select predefined permissions from the Predefined Permission Types list, or configure permissions for each of the features manually.
• Select Domains: select domains that the account can use and update.
4. Click OK.
Hosted Email Security generates a password and sends it to the newly created account owner through an email message.
Note: If the account owner does not receive the notification message or deletes the notification message by mistake, you can resend the notification by clicking Send under the Send Email column on the Account Management screen. The Send button will be disabled after the account owner logs in successfully.
5.9.1.3 Editing Administrator Account Configuration
1. Go to Administration > Account Management.
2. Click on the account name that you want to edit. The Edit Subaccount screen appears.
3. Modify the following information on the screen as required:
• Subaccount Basic Information: modify the user Email Address.
Note: The user Account Name cannot be modified.
• Select Permission Types: select predefined permissions from the Predefined Permission Types list, or configure permissions for each of the features manually.
• Select Domains: select domains that the account can manage.
4. Click OK.
5.9.1.4 Deleting Administrator Accounts
1. Go to Administration > Account Management.
2. Select the accounts that you want to delete, and then click Delete.
3. Click OK on the confirmation dialog box.
5.9.1.5 Changing Administrator Passwords
Note: If you have a Business account on the Customer License Portal (CLP), sign in to your Customer License Portal account and follow the instructions provided there. Trend Micro recommends changing your password regularly. You cannot change the password for a disabled account.
1. Go to Administration > Account Management.
2. Select the accounts for which you want to change passwords, and then click Reset Password.
Hosted Email Security generates new passwords for the accounts, and sends them to the account owners through an email message.
5.9.1.6 Enabling or Disabling an Administrator Account
1. Go to Administration > Account Management.
2. Click (enabled) or (disabled) to toggle the status of the account, and then click OK on the confirmation dialog box.
5.9.2 Changing End-User Passwords
If an end user loses their password, the system administrator can reset that password.
1. Go to Administration > End-User Passwords.
2. Type the managed email address of the end user.
3. Type and confirm the new password to be associated with the account.
Important: Passwords must contain 8 to 32 alphanumeric characters. Trend Micro recommends using a long password. Strong passwords contain a mix of letters, numbers, and special characters.
5.9.3 About End-User Managed Accounts
End-users can manage multiple Hosted Email Security End User Quarantine website accounts by using a single account to log on. After an end-user begins managing an account, they can view the quarantined messages and set the Approved Senders associated with that account.
End-users log on with their primary account, and then specify one of their managed accounts or All managed accounts at the top of the screen to view Quarantined messages and set Approved Senders for the specified account or accounts.
Figure 1. Example of the End-User Managed Account Selection Control
After an end-user begins managing an account, that managed account will be unable to log on to the End User Quarantine website. The managed account will be able to log on again only if the account management relationship is removed. To allow the account to log on again, the primary account can remove the managed account from the Managed Accounts screen of the End User Quarantine website.
Adding a managed account does not change the credentials for that account.
The Hosted Email Security administrator console allows you to enable or disable (enabled by default) the ability of users to add managed accounts. Disabling the feature does not change the account management relationship of accounts that end-users have already added.
Tip: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
End-users can always remove accounts from their list of managed accounts. However, end-users can only add management of accounts under the following conditions:
• The Hosted Email Security administrator has enabled the feature.
• The account is a registered End User Quarantine website account.
• The account is not currently a managed account of another End User Quarantine website account.
• The end-user is able to open the confirmation email message sent to the account address.
• The end-user has the End User Quarantine website password for the account.
5.9.3.1 Removing End-User Managed Accounts
The primary account can remove the managed account from the Managed Accounts screen of the End User Quarantine website.
To remove an account management relationship using the Hosted Email Security administrator console, use the following procedure.
1. Go to the End-User Managed Accounts screen.
2. Select the primary account and managed account pair or pairs in the list.
3. Click Remove.
5.9.4 About Directory Management
You can import LDAP Data Interchange Format (LDIF) or comma-separated values (CSV) files into Hosted Email Security. This helps Hosted Email Security to better filter and process messages for valid email addresses. Messages to invalid email addresses will be rejected.
Hosted Email Security uses user directories to help prevent backscatter (or outscatter) spam and Directory Harvest Attacks (DHA). Importing user directories lets Hosted Email Security know legitimate email addresses and domains in your organization.
Hosted Email Security also provides a Synchronization Tool that enables you to synchronize your current groups and email accounts on the Active Directory server with the Hosted Email Security server.
The Directory Management screen includes the following tabs:
• Directory Import
§ Import User Directory: Selections for importing a new user directory file
§ Imported User Directories: The current user directory file(s) that Hosted Email Security is using
• Directory Synchronize
§ Synchronization Summary: Displays the number of valid recipients and groups synchronized using the synchronization tool.
§ Synchronization History: Displays the last seven (7) days' synchronization history.
5.9.4.1 Importing User Directories
You can import LDAP Data Interchange Format (LDIF) or comma-separated values (CSV) files into Hosted Email Security. This helps Hosted Email Security to better filter and process messages for valid email addresses. Messages to invalid email addresses will be rejected.
Important: Before you import an LDIF or CSV directory file, note the following:
• Hosted Email Security only recognizes ANSI-encoded LDIF (with the extension .ldf) and ANSI or UTF-8-encoded CSV (with the extension .csv) files. Do not include blank lines or other irrelevant data in the file that you import. Use caution when creating a file.
• When importing user directory files, Hosted Email Security replaces all records for a managed domain at once. If any email addresses for a managed domain are imported, all other email addresses for that domain are removed. Newly imported email addresses for that domain, and records for other managed domains, will be kept. If you import an updated user directory file that does not have any information for one of your domains, the entries for those domains remain the same and are not overwritten.
• Every time you import a directory file, it overwrites the old version. If you import an updated directory file that has information for one of your domains, all entries for those domains are overwritten. Use caution when importing a directory.
• You can only see the directories that are associated with your administrator account. If you are sharing your Hosted Email Security service with another administrator (for example, a value-added reseller) who logs on with his/her specific account information, Hosted Email Security will not show the directories for that account.
• Every time you add more users to your network, you must import your updated user directories; otherwise, Hosted Email Security will reject email from newly added users.
Warning: Trend Micro strongly suggests that you do not import more than 24 directories in a day. Doing so could overwhelm system resources.
1. Next to Format, select the format type:
• LDIF
• CSV
Important: If you create a CSV file, divide the records into fields for email_address and Firstname Lastname and separate them using a comma and optional quotation marks. Use of spaces or other delimiters is not supported. Use one record per line. For example:
[email protected],[email protected],Sally Jones
"[email protected]","Bob Smith"
"[email protected]","Sally Jones"
Not Valid
[email protected],Bob Smith,[email protected],Sally Jones
Microsoft Excel will save a two column chart as a CSV using valid formatting.
2. Next to Name, type a descriptive name for the file.
3. Next to File location, type the file directory path and file name or click Choose File and select the .ldf or .csv file on your computer.
4. Click Verify File to read the file and show a summary of how many email addresses were found.
After the progress bar completes, a summary screen appears showing the following:
• Summary: A summary of the information above
• Domains and Number of Current Users to Replace Current Users: The domains that you specified when you subscribed to the Hosted Email Security service
• Invalid domains: Any domains that are included in your directory file, but are not officially registered with your Hosted Email Security service
5. Click Import. This will import and then enable the email address list.
Note: You can verify which email addresses were found by selecting your domain name and clicking the Export to CSV button. If you need to disable the feature, you can click the toggle. The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
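Because an import replaces every record for each domain the file mentions, it is worth checking a CSV offline before clicking Import. The following added example (not Trend Micro code) validates the CSV rules above and lists the currently valid addresses that would be removed; the function names, the simplified address pattern, and the sample data are assumptions, and the current address list is expected to come from Export to CSV.

```python
"""Added example: offline pre-import check for a Hosted Email Security directory CSV.
Function names, the address pattern and the sample data are assumptions."""
import csv
import re

# Simplified address shape: one "@", no whitespace, commas or quotes.
EMAIL_RE = re.compile(r'^[^@\s",]+@[^@\s",]+\.[^@\s",]+$')

# Constructed sample: addresses currently exported from the console.
CURRENT = ["bob@example.com", "sally@example.com", "ann@example.org"]

# Constructed sample: candidate import file with two deliberate defects.
NEW_FILE = (
    'bob@example.com,Bob Smith\n'
    '"raj@example.com","Raj Patel"\n'
    '\n'
    'carol@example.com,Carol Wu,extra\n'
)


def parse_directory_csv(text):
    """Return (records, errors) for CSV text, one record per line.

    records: list of (email, name); errors: list of (line_number, reason).
    """
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            errors.append((lineno, "blank line"))
            continue
        fields = next(csv.reader([line]))  # comma-delimited, optional quotes
        if len(fields) != 2:
            errors.append((lineno, f"expected 2 fields, found {len(fields)}"))
            continue
        email = fields[0].lower()
        if not EMAIL_RE.match(email):
            errors.append((lineno, "first field is not an email address"))
            continue
        records.append((email, fields[1]))
    return records, errors


def import_impact(current_addresses, new_records):
    """Return {domain: [addresses removed]} if new_records were imported.

    Only domains present in the new file are replaced; addresses for
    domains the file does not mention stay as they are.
    """
    new_by_domain = {}
    for email, _name in new_records:
        new_by_domain.setdefault(email.split("@")[1], set()).add(email)

    removed = {}
    for addr in current_addresses:
        addr = addr.lower()
        domain = addr.split("@")[1]
        if domain in new_by_domain and addr not in new_by_domain[domain]:
            removed.setdefault(domain, []).append(addr)
    return {domain: sorted(addrs) for domain, addrs in removed.items()}


if __name__ == "__main__":
    recs, errs = parse_directory_csv(NEW_FILE)
    for lineno, reason in errs:
        print(f"line {lineno}: {reason}")
    for domain, addrs in import_impact(CURRENT, recs).items():
        print(f"{domain}: would remove {', '.join(addrs)}")
```

With the Valid recipient check enabled, any address listed as removed would start being rejected after the import, so an unexpected entry in that list is a reason to stop and fix the file.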
5.9.4.2 Synchronizing User Directory
The Directory Synchronize tab displays synchronization summary and history. The screen is divided into two sections:
• Synchronization Summary: This section displays the number of valid recipients and groups synchronized using the synchronization tool.
• Synchronization History: This section displays the last seven (7) days' synchronization history. It includes the following information:
§ Synchronization time
§ Type: whether the synchronized data includes valid recipients, groups or both
§ The synchronization tool information including the machine's IP address or host name where the tool is installed
§ Synchronization result: whether the synchronization is successful or unsuccessful, or whether any groups or policies were added or removed.
5.9.4.3 Verifying User Directories
If you are uncertain which domains in the user directories are going to be active for your service, you can temporarily disable the directories, import the file, export the directories to a CSV file, and view them without the directory being enabled. When you are confident that the user directory is correct, you can re-enable it.
Note: Hosted Email Security takes up to five minutes to enable or disable the directories.
Verifying User Directories for Valid Recipients
1. Disable the Valid recipient check.
Note: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
2. Import directories or synchronize valid recipients.
3. Select the domains from the Valid recipient drop-down list that you want to verify.
4. Click Export to CSV for Valid recipient.
5. Save the directory file.
6. Open the directory file in an application that reads CSV files.
7. Verify that the recipient information is correct.
8. Re-enable the Valid recipient check.
Note: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
Verifying User Directories for Directory Groups
Note: Perform this procedure after you have synchronized user groups using Synchronization Tool.
1. Select the groups from the Directory groups drop-down list that you want to verify.
2. Click Export to CSV for Directory groups.
3. Save the group file.
4. Open the group files in an application that reads CSV files.
5. Verify that the group information is correct.
5.9.5 About Domain Management
Use the Administration > Domain Management screen to add, modify, or deactivate domains.
Table 1. Activate a Domain Field Descriptions
Field | Description
Inbound Server(s) | IP address or FQDN: Fully qualified domain name (FQDN) is a unique name, which includes both host name and domain name, and resolves to a single IP address. For example: hostmaster1.example.com or mailhost.example.com. Not valid: example.com. Port: Port is a number from 0-65535 that an inbound server listens on. These ports vary based on server configuration. Well-known ports for email servers include SMTP at 25, SMTPS at 465, and MSA at 587. Preference: Preference, sometimes referred to as distance, is a value from 1 to 100. Note: If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server.
Outbound Server(s) | If outbound filtering is enabled, this is the information for the MTA(s) that Hosted Email Security relays your outbound messages from. The following choices are available: Use Office 365: Relays your outbound messages from your Office 365 solution. Use Google Apps: Relays your outbound messages from your Google Apps solution. Specify IP address(es): Relays your outbound messages from the specified IPv4 address(es) for your current MTA(s).
Seat count | This is the licensed seat count used by this domain. Seats correspond to the number of actual email users in the domain.
Send test message to | Optional email address used to confirm email delivery from Hosted Email Security. Manually send test messages to this address from the Domain Management screen.
Domain status is shown in the Domains table at the bottom of the screen. Domain status can be one of the following:
Table 2. Domain Status Descriptions
Domain Status | Description
Adding | Hosted Email Security is waiting for you to point your MX record to the Hosted Email Security MTA for your region
Activated | Domain is successfully delivering email messages
5.9.5.1 Adding a Domain
1. Type the information for your current MTAs or mail servers in the following fields:
• Domain name: Includes everything to the right of the at sign (@) in email addresses managed by the server(s) being activated
• Seat count: Seats correspond to the number of actual email users in the domain
• Inbound server(s)
§ IP address or FQDN: Fully qualified domain name (FQDN) is a unique name, which includes both host name and domain name, and resolves to a single IP address.
§ Port: Port is a number from 0-65535 that an inbound server listens on. These ports vary based on server configuration. Well-known ports for email servers include SMTP at 25, SMTPS at 465, and MSA at 587.
§ Preference: Preference, sometimes referred to as distance, is a value from 1 to 100.
Note: If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server.
Note: You can specify up to 30 inbound servers and 30 outbound servers. Use the add and the remove buttons to manage additional entries.
• Optionally, select Enable outbound filtering and refer to the following table:
Warning: Enabling outbound filtering without specifying outbound servers will prevent the delivery of any outbound traffic routed through the service.
Steps to Configure Outbound Filtering
Email Solution | Steps
You currently use Office 365 | Select Use Office 365.
You currently use Google Apps | Select Use Google Apps.
You do not use Office 365 or Google Apps | Select Specify IP address(es). Type the IP address(es) of your outbound server(s).
• Send test message to: Optional email address used to confirm email delivery from Hosted Email Security. Manually send test messages from the Domain Management Details screen.
To display the Domain Management Details screen, follow the step to edit information for a domain at Managing Domains.
2. Click Activate Domain.
If the domain is valid and an MX record for the domain exists, the domain appears in the Domains table at the bottom of the screen.
Trend Micro sends a welcome message to the administrative email address on record confirming that your domain has been added successfully and stating: "This welcome message confirms your domain has been successfully added."
Warning: Do not repoint your MX record until you receive the message confirming that your domain has been added. The administrative email address on record should receive the welcome message, which is that confirmation. If you repoint your MX record before your domain has been successfully added, your email messages may be lost.
3. If you currently use Office 365, you can configure Office 365 connectors to allow email traffic to or from Hosted Email Security MTAs.
See Adding Office 365 Inbound Connectors.
See Adding Office 365 Outbound Connectors.
See Repointing MX Records (Best Practice)
5.9.5.2 Managing Domains
1. Select domains by doing one of the following:
• To select one or more domains, select the check boxes to the left of each entry.
• To select all domains, select the check box to the left of the Domain Name column title.
2. Manage selected domains by clicking one of the following buttons:
• Deactivate: Submit a deactivation request to Trend Micro for action
• Check MX Record: Verify the MX record points to the Hosted Email Security inbound MTA
3. To edit information for a domain, do the following:
a. Click the domain name in the Domains list at the bottom of the Domain Management screen.
The Domain Management Details screen appears, displaying the title Domain Management > {your-domain-name} with fields pre-filled with the information on record for that domain.
b. Modify the fields as needed.
5.9.5.2.1 Enabling Outbound Filtering for a Domain
1. Follow the steps to open the Domain Management Details screen for your managed domain.
To display the Domain Management Details screen, follow the step to edit information for a domain at Managing Domains.
2. Enable Outbound Filtering for your managed domain.
Select Enable outbound filtering and refer to the following table:
Warning: Enabling outbound filtering without specifying outbound servers will prevent the delivery of any outbound traffic routed through the service.
Table 1. Steps to Configure Outbound Filtering
Email Solution | Steps
You currently use Office 365 | a. Select Use Office 365. Tip: If you use Office 365, configure Office 365 connectors to allow email traffic from Hosted Email Security MTAs. See Adding Office 365 Outbound Connectors.
You currently use Google Apps | a. Select Use Google Apps.
You do not use Office 365 or Google Apps | a. Select Specify IP address(es). b. Type the IP address(es) of your outbound server(s).
5.9.6 About Co-Branding
Hosted Email Security enables you to display a service banner, such as your company logo, on the top banner of the Hosted Email Security logon screen, administrator console, and End User Quarantine website. You can set different domains with the same or different service banners or can allow domain administrators to set the service banner to be displayed for their domain. You can also leave the feature disabled.
The following is an example of a customized service banner:
The service banner selected for a domain will display in the top banner of the Hosted Email Security logon screen, the Hosted Email Security End User Quarantine website, and the administrator console associated with that domain. The service banner selected for an account name will display only in the Hosted Email Security administrator console.
Resellers can set different service banners for different domains or allow system administrators of the domain to set the service banner for that domain.
Before attempting to establish co-branding, verify that your service banner image meets the following requirements:
Table 1. Service Banner Specifications
Image Attributes | Specifications
Height | Exactly 60 pixels (no taller or shorter)
Width | 800-1,680 pixels
File format | GIF, JPEG (with the extension .jpg), PNG
Note: Co-branding is disabled by default. The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
5.9.6.1 Accessing the Co-Branded Administrator Console and End User Quarantine Website
As a reseller, you can supply your customers with a web address they can use to access their co-branded Hosted Email Security administrator console and End User Quarantine website.
Refer to the access locations for your region in the table below:
Table 1. Access Locations
Console or Website | Steps for Europe, the Middle East, Africa | Steps for All Other Regions
Administrator console for Customer Licensing Portal (CLP) Business accounts | Append /co-brand/ and the Hosted Email Security account name to the base URL. For example: Hosted Email Security administrator console: https://tm.hes.trendmicro.eu Co-branded administrator console for the account named "adminA": https://tm.hes.trendmicro.eu/co-brand/adminA | Append /co-brand/ and the Hosted Email Security account name to the base URL. For example: Hosted Email Security administrator console: https://tm.hes.trendmicro.com Co-branded administrator console for the account named "adminA": https://tm.hes.trendmicro.com/co-brand/adminA
Administrator console for xSP and local accounts | Append /co-brand/ and the Hosted Email Security account name to the base URL. For example: Hosted Email Security administrator console: https://ui.hes.trendmicro.eu Co-branded administrator console for the account named "adminB": https://ui.hes.trendmicro.eu/co-brand/adminB | Append /co-brand/ and the Hosted Email Security account name to the base URL. For example: Hosted Email Security administrator console: https://ui.hes.trendmicro.com Co-branded administrator console for the account named "adminB": https://ui.hes.trendmicro.com/co-brand/adminB
End User Quarantine website. Note: If an end user accesses a co-branded website without appending the account name or domain name, the website will still use co-branding for all screens except the logon screen. Note: This applies to Customer Licensing Portal, xSP, and local accounts. | Append /euq-co-brand/ and the Hosted Email Security managed domain to the base URL. For example: Hosted Email Security End User Quarantine website: https://euq.hes.trendmicro.eu Co-branded administrator console for the managed domain "example.com": https://euq.hes.trendmicro.eu/euq-co-brand/example.com | Append /euq-co-brand/ and the Hosted Email Security managed domain to the base URL. For example: Hosted Email Security End User Quarantine website: https://euq.hes.trendmicro.com Co-branded administrator console for the managed domain "example.com": https://euq.hes.trendmicro.com/euq-co-brand/example.com
5.9.7 Installing Web Services
Hosted Email Security Web Services automate some repetitive tasks. The Web Services Client and Active Directory Synchronization Tool automate the import of directory files of valid recipient email addresses. The Active Directory Synchronization Tool also enables you to import user groups. The Web Services Client and Active Directory Synchronization Tool are functionally similar to the Import User Directory feature on the Directory Management screen.
1. Go to Administration > Web Services.
2. If Current Key under Service Authentication Key is blank, click Generate New Key to generate a key.
The Service Authentication Key is the global unique identifier for your Web Service Client to authenticate its access to Hosted Email Security Web Services.
3. Enable Applications using the button at the right of the screen (disabled by default).
Tip: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
4. In the Downloads list, click download to download the desired items. Download the Web Services Guide for additional instructions on the use and configuration of Hosted Email Security Web Services.
• Active Directory Synchronization Tool: For synchronizing accounts and groups between local Active Directory and Hosted Email Security server
• Active Directory Synchronization Tool User Guide: For more information on using the synchronization tool
• Web Services Client: For most environments
Important: Current Key displays the Service Authentication Key that the Web Services Client should use. If you generate a new key, you must update Web Services Client to use the new key. The Service Authentication Key allows your Web Services Client to communicate with Hosted Email Security Web Services. Keep the Service Authentication Key private.
• Web Services Guide: For more information on using the clients
5. Save the client on a local drive.
6. Follow the client installation steps to install the client.
5.9.8 Viewing Your Service Level Agreement
Trend Micro provides a Service Level Agreement (SLA) for Hosted Email Security that is intended to help your organization receive secure, uninterrupted email service.
The Service Level Agreement covers availability, latency, spam blocking, false positives, antivirus, and support. Specific service-level guarantees are included in the most current version of the Hosted Email Security Service Level Agreement, which you can view or download from this screen.
To view the Service Level Agreement for your region:
1. Go to Administration > Service Level Agreement. The Hosted Email Security Service Level Agreement screen appears.
2. In the drop-down list, select your language/region.
Tip: Disable any pop-up blockers for your browser in order to download the Service Level Agreement.
Hosted Email Security displays an Adobe Reader (PDF) document of the Service Level Agreement for the language and region that you selected.
Important: Provisions of the Service Level Agreement may vary among regions, so be sure to select your region and language when using this screen. Trend Micro reserves the right to modify the service at any time without prior notice. The current version of the Hosted Email Security service level agreement is available for review by paid customers and by customers conducting a trial.