■ Notes on filtering actions

■ Multiple actions per verdict

■ Verdict and action combinations

■ Multiple content compliance policies

■ Spyware or adware verdict details

■ Creating groups and adding members

■ Assigning filter policies to a group

■ Managing Groups

■ About Instant Messaging

About email filtering

Although Symantec Mail Security provides default settings for dealing with spam and viruses, you will likely want to tailor the actions taken on spam and viruses to suit your requirements. Content compliance and Email Firewall policies offer further methods of managing mail flow into and out of your organization. You can also use content compliance policies to monitor and enforce compliance with regulatory and organizational requirements.

Symantec Mail Security provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct user groups.

You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict. You specify actions when you create or edit a spam, virus, or compliance policy. Each of these policies is a filtering policy.

When you create or edit a filtering policy, you specify the conditions you are looking for in messages. In most cases, conditions are synonymous with verdicts, except in the case of more complex content compliance conditions.

Verdicts are the conclusions reached on a message by the filtering process. Symantec Mail Security performs actions on a message based on the verdict applied to that message, and the groups that include the message recipient as a member. However, for outbound filtering, the groups that impact message filtering are those groups that include the message sender.
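The following sketch is an added illustration, not Symantec Mail Security code or configuration. It models how the message direction decides whose group membership selects the actions for a verdict. The `Group` class, the `actions_for` function, the group names and the action labels are all hypothetical, membership is matched only by address or domain (LDAP groups are left out), and every matching group is returned because this section does not state an order of precedence.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set                                 # lowercase addresses or bare domains
    actions: dict = field(default_factory=dict)  # verdict -> list of action labels

    def includes(self, address):
        """True if the address, or its domain, is a member of this group."""
        address = address.lower()
        domain = address.rsplit("@", 1)[-1]
        return address in self.members or domain in self.members


def actions_for(groups, verdict, direction, sender, recipient):
    """Return {group name: actions} for every group that applies to the message.

    Inbound mail is evaluated against the recipient's groups,
    outbound mail against the sender's groups.
    """
    if direction == "inbound":
        party = recipient
    elif direction == "outbound":
        party = sender
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    return {
        g.name: g.actions[verdict]
        for g in groups
        if g.includes(party) and verdict in g.actions
    }


# Constructed sample policy: group names and action labels are placeholders.
GROUPS = [
    Group("Finance", {"cfo@example.com"},
          {"Spam": ["quarantine"], "Virus": ["delete"]}),
    Group("Default", {"example.com"}, {"Spam": ["tag-subject"]}),
]

if __name__ == "__main__":
    print(actions_for(GROUPS, "Spam", "inbound",
                      sender="x@other.test", recipient="cfo@example.com"))
    print(actions_for(GROUPS, "Virus", "outbound",
                      sender="cfo@example.com", recipient="x@other.test"))
```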

Table 2-1 describes filtering verdicts by category.

Table 2-1 Filtering verdicts by verdict category

| Verdict Category | Verdict | Description |
|---|---|---|
| Email Firewall | Directory harvest attack | An attempt is underway to capture valid email addresses. A directory harvest attack is accomplished by emailing to your domain with a specified number of non-existent recipient addresses sent from the same IP address. |
| | SMTP traffic shaping | A specified quantity of spam messages has been received during a configurable time window from a particular IP address. |
| | Virus attack | A specified quantity of infected messages has been received from a particular IP address. |
| | Sender Groups | A message or an IP connection matches one of the following lists: Blocked Senders (Domain-based); Blocked Senders (IP-based); Blocked Senders (Third Party Services); Allowed Senders (Domain-based); Allowed Senders (IP-based); Allowed Senders (Third Party Services); Open Proxy Senders; Safe Senders; Suspected Spammers. See “Configuring sender groups” on page 64. |
| Sender authentication | Sender authentication | A message has failed either SPF or Sender ID authentication. See “Configuring Sender Authentication” on page 78. |
| Virus | Virus | An email message contains a virus, based on current Symantec virus filters. |
| | Mass-mailing worm | An email message contains a mass-mailing worm, based on current Symantec virus filters. |
| | Unscannable for viruses | An email message exceeds the container limits configured on the Scanning Settings page, or is unscannable for other reasons. For example, the message or an attachment contains malformed MIME. |
| | Encrypted attachment | An email message contains an attachment that is encrypted or password-protected and therefore cannot be scanned. |
| | Spyware or adware | An email message contains any of the following types of security risks: spyware, adware, hack tools, dialers, joke programs, or remote access programs. See Spyware or adware verdict details for descriptions of these risks. |
| | Suspicious attachment | An email message either shows virus-like signs, or suspicious new patterns of message flow involving this attachment have been detected. |
| Spam | Spam | An email message is spam, based on current spam filters from Symantec. |
| | Suspected spam | An email message is suspected spam, based on a configurable Suspected Spam Threshold. |
| Content Compliance | Any part of a message (body, subject, or attachment) | An email message contains keywords in your configurable dictionary, matches a regular expression, matches a pattern, or matches data in a record resource. |
| | Attachment type | An email message contains a specific attachment type as defined by file extension, MIME type, or true file type. |
| | Attachment content | Specific text appears with a specific frequency in the attachments of an email message. |
| | Subject: | An email message contains specific text in the Subject: line. |
| | From: Address | An email message contains specific text in the From: address. |
| | To: Address | An email message contains specific text in the To: address. |
| | Cc: Address | An email message contains specific text in the Cc: address. |
| | Bcc: Address | An email message contains specific text in the Bcc: address. |
| | To:/Cc:/Bcc: Address | An email message contains specific text in the To:, Cc:, or Bcc: address. |
| | From:/To:/Cc:/Bcc: Address | An email message contains specific text in the From:, To:, Cc:, or Bcc: address. |
| | Envelope Sender | An email message envelope contains a particular sender address. |
| | Envelope Recipient | An email message envelope contains a particular recipient address. |
| | Envelope HELO | An email message envelope contains a particular SMTP HELO domain. |
| | Message Header | An email message contains a particular header. |
| | Message Size | An email message exceeds a particular size. |
| | Body | An email message contains specific text in the body. |
| | For all messages | All email is flagged. |
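The directory harvest attack verdict in Table 2-1 counts non-existent recipient addresses per source IP address. The sketch below is an added example of that detection logic, not the product's implementation. The event format, the `detect_harvest` function, the threshold and the time window are assumptions (the table states a time window only for the spam-volume verdict), and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, source_ip, recipient, recipient_exists)
EVENTS = [
    (1000, "192.0.2.10", "alice@example.com", True),
    (1001, "198.51.100.7", "aaron@example.com", False),
    (1002, "198.51.100.7", "abby@example.com", False),
    (1003, "192.0.2.10", "bob@example.com", True),
    (1004, "198.51.100.7", "adam@example.com", False),
    (1005, "192.0.2.10", "typo@example.com", False),   # one mistyped address
    (1006, "198.51.100.7", "adele@example.com", False),
    (1500, "203.0.113.5", "x1@example.com", False),
    (2500, "203.0.113.5", "x2@example.com", False),
    (3500, "203.0.113.5", "x3@example.com", False),
]


def detect_harvest(events, threshold, window_seconds):
    """Return {source_ip: time at which the threshold was first reached}.

    An IP is flagged once it has addressed `threshold` distinct non-existent
    recipients within the last `window_seconds` seconds.
    """
    recent = defaultdict(deque)   # ip -> (time, recipient) of unknown recipients
    flagged = {}
    for ts, ip, rcpt, exists in sorted(events):
        if exists:
            continue              # deliverable recipients never count
        queue = recent[ip]
        queue.append((ts, rcpt.lower()))
        # Drop attempts that have aged out of the sliding window.
        while queue and queue[0][0] <= ts - window_seconds:
            queue.popleft()
        distinct = {r for _, r in queue}
        if len(distinct) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    print(detect_harvest(EVENTS, threshold=3, window_seconds=60))
    print(detect_harvest(EVENTS, threshold=3, window_seconds=3000))
```

The two calls show how the window interacts with the threshold: the 60-second window flags only the burst from 198.51.100.7, while the 3000-second window also flags the low-rate attempts from 203.0.113.5. The single mistyped recipient from 192.0.2.10 is never flagged.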