The Email Firewall Download Service uses the FTP proxy server to automatically download the latest anti-virus and anti-spam filters
3 Working With Queues
3.5 Quarantine Queue Management
The Quarantine queue contains messages that triggered a policy that checks for potentially harmful or nonsecure messages. Messages in this queue remain there until they are released or otherwise acted upon by an administrator, or until they are automatically expired. When the Personal Quarantine Manager is installed and enabled, recipients can opt to have a copy of a quarantined message sent to them, but the original message remains in the Quarantine queue. This queue can become very large.
The most important recommendations for making queue management easier are to use quarantine tags effectively and to create Quarantine custom queues in which to store messages based on the tags used. This means that policies should be configured to tag messages in a way that makes the job of the queue reviewer as simple as possible.
For example, if customized weighted word lists are being used for spam, quarantine tags could be set up that reflect the confidence level and the presence or absence of adult content. This allows queue filters to be built that show, for example, only the high confidence spam messages that also contained adult content. A quarantine custom queue created to hold all of these messages can be used to further refine message review.
If the Personal Quarantine Manager is installed and enabled for recipient white-listing requests, then consider creating a Saved Search showing only messages requested for white listing. See 3.8.4 User Requests for “White List” on page 168.
For additional information about managing spam messages, see 3.7 Using Personal Quarantine Manager on page 142 and Chapter 7, Dynamic Anti-Spam Service.
3.5.1 Setting Up a Model Spam Review Process
Some Email Firewall administrators have successfully used the following general approach to reviewing spam candidates.
To set up an effective spam review process:
1. To begin with, create Quarantine custom queues to sort messages by quarantine tag type.
2. Create queue filters to reduce the quarantine queues to the set of messages that have various combinations of the spam-related quarantine tags. See 3.3 Setting Up Queue Searches on page 126 for instructions on creating filters.
The review process starts by selecting the quarantine queue and queue filter that result in the set of messages most likely to be false positives.
3. Apply the filter. Sort the result set by time so that you are viewing the oldest messages first.
4. Release the messages that are false positive and delete the remaining spam messages in the filter.
5. Select the next queue filter most likely to contain false positives.
6. Repeat the process until you have used all of your spam-related queue filters.
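The following is an added example that models the review process above in code; it is not part of the Email Firewall product or this manual. The tag names (spam-low, spam-medium, spam-high, adult), the sample queue contents and the filter order are constructed for illustration. It shows filters built from combinations of quarantine tags, ordered from the filter most likely to hold false positives to the least likely, each result set sorted oldest first, and the final split of every message into a release list and a delete list.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class QuarantinedMessage:
    msg_id: str
    received: datetime
    subject: str
    tags: frozenset


# Constructed sample of a Quarantine queue; tag names are illustrative, not the product's own vocabulary.
SAMPLE_QUEUE = [
    QuarantinedMessage("m1", datetime(2024, 3, 1, 9, 0), "Quarterly report", frozenset({"spam-low"})),
    QuarantinedMessage("m2", datetime(2024, 3, 1, 8, 0), "WIN NOW!!!", frozenset({"spam-high", "adult"})),
    QuarantinedMessage("m3", datetime(2024, 2, 28, 17, 30), "Re: meeting", frozenset({"spam-low"})),
    QuarantinedMessage("m4", datetime(2024, 3, 1, 10, 0), "cheap meds", frozenset({"spam-medium"})),
    QuarantinedMessage("m5", datetime(2024, 3, 1, 7, 0), "xxx", frozenset({"spam-high", "adult"})),
]

# Queue filters as (name, required tags, excluded tags), ordered from the filter
# most likely to contain false positives to the one least likely to.
REVIEW_ORDER = [
    ("low confidence", {"spam-low"}, set()),
    ("medium confidence", {"spam-medium"}, set()),
    ("high confidence, no adult content", {"spam-high"}, {"adult"}),
    ("high confidence with adult content", {"spam-high", "adult"}, set()),
]


def apply_filter(queue, required, excluded):
    """Messages carrying every required tag and none of the excluded tags, oldest first."""
    hits = [m for m in queue if required <= m.tags and not (excluded & m.tags)]
    return sorted(hits, key=lambda m: m.received)


def review_plan(queue, order=REVIEW_ORDER):
    """Walk the filters in review order; a message appears under the first filter that matches it."""
    seen = set()
    plan = []
    for name, required, excluded in order:
        batch = [m for m in apply_filter(queue, required, excluded) if m.msg_id not in seen]
        seen.update(m.msg_id for m in batch)
        plan.append((name, [m.msg_id for m in batch]))
    return plan


def triage(queue, false_positives, order=REVIEW_ORDER):
    """Split the queue into ids to release (reviewer-confirmed false positives) and ids to delete."""
    release, delete = [], []
    for _, ids in review_plan(queue, order):
        for msg_id in ids:
            (release if msg_id in false_positives else delete).append(msg_id)
    return release, delete


if __name__ == "__main__":
    for name, ids in review_plan(SAMPLE_QUEUE):
        print(f"{name}: {ids}")
    print("release/delete:", triage(SAMPLE_QUEUE, {"m1", "m3"}))
```

The order of the filters is the whole point of the procedure: by reviewing the low confidence set first and the high confidence plus adult content set last, the reviewer spends attention where false positives are likeliest and can bulk delete the remainder with little risk.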
3.5.2 Additional Queue Management Tips
Use Bulk Actions on Messages
Filtered messages with the same sender or subject can be deleted in bulk from the queue. See 3.4.1 Deleting Multiple Messages From the Queues on page 132.
Selected messages can also be identified by marking the checkbox beside the message and then using the options to Delete, Release, Return or Reprocess all the selected messages, or all the messages in the filter.
Use Quarantine Queue Threshold Actions
Email Firewall can be configured to log an event or send an email notification when the quarantine queue reaches a certain size. See 3.2.2 Setting Up Queue Actions on page 120. It may be helpful to enable this feature so the queue reviewers are notified when there are a large number of messages needing review.
Use Quarantine Queue Aging
It is recommended that you enable queue aging to automatically delete messages that have been in the quarantine queue for a specified period of time.
See 3.2.3 Setting Up Queue Aging on page 122 for instructions. Select a time limit that you are comfortable with and which takes into account holiday periods when there may be no regular queue reviews.
Create Quarantine Queue Custom Queues
Setting up additional Quarantine queues allows you to place messages into the custom queues based on the policy the message triggered or the tag applied to the message. This allows for more efficient screening of quarantined messages.
3.5.3 Checking the Quarantine Queue for Inbound Messages
If there is a problem with the database server that causes an internal processing error, or in a cluster environment during a failover, inbound messages and messages being processed by the Policy Engine may be diverted to the Quarantine queue. This diversion does not occur immediately; the Policy Engine will return messages to the Inbound queue following an internal error.
This allows the same (or another) Policy Engine service to attempt to process the message again, in case the initial error was transient in nature.
If the same message is processed by a Policy Engine service for the third time, then the message is automatically moved to the Quarantine queue. Messages automatically diverted to the Quarantine queue due to these internal errors are identifiable by the tag Internal Error.
This message diversion can occur until the open connections to the non-responding database are refreshed and the Policy Engine is informed that the connection to the database has been lost.
While no messages are lost due to this event, the administrator should review the Quarantine queue to determine whether any inbound messages were diverted while the database was unavailable. The Event Log information can also help to determine whether this occurred, and indicate the time period that should be reviewed.
When this expected behavior occurs, the administrator must manually release the messages from the Quarantine queue. The messages can be released back to the Policy Engine, or directly to the recipient. For information on how releasing messages affects reporting statistics, see 11.1 Setting Up Email Firewall Reports on page 612.
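The following is an added example, not code from the Email Firewall product or this manual, of the review described above: use the Event Log to find the period during which the database was unavailable, then list the messages tagged Internal Error that were quarantined inside that period. The log line format, the event wording ("Database connection lost" / "Database connection restored") and the quarantine entries are all constructed for illustration; a real Event Log will use its own wording.

```python
import re
from datetime import datetime

# Constructed event log; the wording and layout are illustrative, not the product's actual log format.
SAMPLE_EVENT_LOG = """\
2024-03-01 02:10:05 INFO  Policy Engine started
2024-03-01 03:15:42 ERROR Database connection lost
2024-03-01 03:16:01 WARN  Message q-1001 returned to Inbound queue after internal error (attempt 1)
2024-03-01 03:16:30 WARN  Message q-1001 returned to Inbound queue after internal error (attempt 2)
2024-03-01 03:17:02 WARN  Message q-1001 moved to Quarantine queue, tag Internal Error
2024-03-01 03:41:10 INFO  Database connection restored
2024-03-01 08:00:00 INFO  Daily queue aging run complete
"""

# Constructed quarantine entries: (message id, time quarantined, tags)
SAMPLE_QUARANTINE = [
    ("q-0999", datetime(2024, 3, 1, 1, 5, 0), {"spam-high"}),
    ("q-1001", datetime(2024, 3, 1, 3, 17, 2), {"Internal Error"}),
    ("q-1002", datetime(2024, 3, 1, 3, 30, 0), {"Internal Error"}),
    ("q-1003", datetime(2024, 3, 1, 9, 0, 0), {"Internal Error"}),  # outside the outage; review separately
    ("q-1004", datetime(2024, 3, 1, 3, 35, 0), {"spam-low"}),
]

LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")


def outage_windows(log_text):
    """Pair each 'connection lost' event with the next 'connection restored' event.

    An outage with no restore event yet is treated as still open (end = datetime.max).
    """
    windows, start = [], None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        text = m.group(3).lower()
        if "database connection lost" in text and start is None:
            start = ts
        elif "database connection restored" in text and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, datetime.max))
    return windows


def diverted_messages(quarantine, windows, tag="Internal Error"):
    """Ids of messages carrying the tag that were quarantined inside any outage window, oldest first."""
    hits = [
        (ts, msg_id)
        for msg_id, ts, tags in quarantine
        if tag in tags and any(start <= ts <= end for start, end in windows)
    ]
    return [msg_id for _, msg_id in sorted(hits)]


if __name__ == "__main__":
    windows = outage_windows(SAMPLE_EVENT_LOG)
    print("outage windows:", windows)
    print("diverted during outage:", diverted_messages(SAMPLE_QUARANTINE, windows))
```

A message tagged Internal Error outside any outage window (q-1003 in the sample) is deliberately left out of the list: it still needs a release decision, but the Event Log does not explain it, so it deserves a separate look rather than a bulk release with the others.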
3.5.4 Stopping Inbound Message Acceptance
The normal method of stopping inbound message acceptance is in the Relay Setup, described in Stopping Inbound or Outbound Mail on page 34. There is another method of stopping inbound mail when the Inbound queue or Spam Analysis queue reaches a configurable limit. This option is located in the Setup > Inbound Queue Configuration and Set Up > Spam Analysis Queue Configuration page.
When the Dynamic Anti-spam Service is installed, the Spam Analysis queue setup option should be used.
The task that counts the messages in the Inbound/Spam Analysis queue runs every 60 seconds. The number of messages set for the stop action can therefore be exceeded before the stop action occurs, if more than that number of messages enters the Inbound queue during the 60 seconds between checks.
Because this option stops messages from being received by Email Firewall, it is normally used only when there is a message backlog or for troubleshooting.
To stop inbound message acceptance:
1. In the left menu, click Setup.
2. In the Setup page, Queues heading, click Inbound (or Spam Analysis if the Dynamic Anti-spam Service is installed).
3. In the Set up > Queue Configuration page, Actions tab, enter a low number
4. Optionally, mark the checkbox to Send a notification to alert you that the threshold has been reached and message acceptance has been stopped.
5. Optionally, mark the checkbox to Log an Event to alert you that the threshold has been reached and message acceptance has been stopped.
6. Click Save.
To re-enable inbound message acceptance:
1. In the Set up > Inbound/Spam Analysis Queue Configuration page, Actions tab, enter a higher number of messages in the When the queue grows to or exceeds field and unmark the Stop the SMTP relay from accepting incoming messages checkbox.
2. Click Save.
3. In the Reset tab, click Reset Actions Now if the actions need to be reset.
4. Click Save.
3.5.5 Getting Rid of Undeliverable Bounced Messages
One headache caused by spam is spam messages sent from an invalid sender to invalid addresses in your internal domains. The SMTP email system generates a delivery status notification (DSN) for such messages indicating that the message could not be delivered. The recipient of the DSN is the sender of the spam message. Because the sender may not be a valid address, these DSN messages may consume Email Firewall SMTP Relay time and take up resources in the Outbound, Retry, or Dead Letter queues.
The recommended best practice for this situation is to maintain a list of the invalid domains that appear in the recipient addresses of the DSN messages you find in the Dead Letter queue. You can then use the Email Firewall Policy Engine to drop messages sent to those addresses.
For example, you could create a subfolder in the External folder and call it Undeliverable. Within this folder, you should create a user record or domain record for each undeliverable address or domain that seems to be used on undeliverable spam messages.
Apply to the Undeliverable folder a recipient-based policy that drops all messages sent to those users. Alternatively, if you don't want to drop all mail sent to the users or domains in the Undeliverable folder, you could create the policy so that mail is dropped only if it appears to be a delivery status notification (i.e., check for an attachment whose MIME type is message/delivery-status).
The Email Firewall Policy Engine does not use the message/delivery-status MIME type in the notifications that are generated when a policy takes the return-to-sender action. Two ways to identify policy-generated return notifications are to match the Email Firewall notifier as the sender address and to look for the phrase “this message could not be delivered to the following recipients” in the body of the message.
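The following is an added example, written for this section and not code from the Email Firewall product, that implements the two checks described above over messages parsed with Python's standard email library: a standard DSN is recognised by its message/delivery-status part, and a policy-generated return notification is recognised by its sender matching the notifier address or its body containing the phrase quoted in the text. It also shows the surrounding practice: building the Undeliverable list from the recipient domains of bounces found in the Dead Letter queue, then deciding whether a new message to a listed domain is dropped, either always or only when it looks like a bounce. The three sample messages, the notifier address and every domain in them are constructed placeholders.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Placeholder for the Email Firewall notifier sender address; not a real product value.
NOTIFIER = "notifier@emailfirewall.example"
RETURN_PHRASE = "this message could not be delivered to the following recipients"

# Constructed sample 1: a standard RFC 3464 DSN addressed to a bogus spam sender.
STANDARD_DSN = b"""\
From: Mail Delivery System <MAILER-DAEMON@mail.example.net>
To: bogus-sender@spammer.invalid
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; nobody@corp.example.com
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed sample 2: a policy-generated return notification (no message/delivery-status part).
POLICY_NOTICE = b"""\
From: Email Firewall Notifier <notifier@emailfirewall.example>
To: another-bogus@junkmail.invalid
Subject: Message returned
Content-Type: text/plain

This message could not be delivered to the following recipients:
  nobody@corp.example.com
"""

# Constructed sample 3: ordinary mail to a domain that happens to be on the Undeliverable list.
LEGIT_MAIL = b"""\
From: colleague@partner.example
To: user@spammer.invalid
Subject: Hello
Content-Type: text/plain

Just a normal message.
"""


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def text_body(msg):
    """First text/plain part of the message, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_content()
    return ""


def is_standard_dsn(msg):
    """RFC 3464 DSN: carries a message/delivery-status part (what the attachment MIME type check matches)."""
    return any(part.get_content_type() == "message/delivery-status" for part in msg.walk())


def is_policy_return_notification(msg, notifier=NOTIFIER):
    """Policy return-to-sender notices lack that part; match the notifier sender or the body phrase."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender == notifier.lower() or RETURN_PHRASE in text_body(msg).lower()


def looks_like_bounce(msg):
    return is_standard_dsn(msg) or is_policy_return_notification(msg)


def recipient_domains(msg):
    """Lower-cased domains of every address in the To header(s)."""
    return {addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(msg.get_all("To", [])) if "@" in addr}


def collect_undeliverable(dead_letter_queue):
    """Build the Undeliverable domain list from bounces sitting in the Dead Letter queue."""
    domains = set()
    for raw in dead_letter_queue:
        msg = parse(raw)
        if looks_like_bounce(msg):
            domains |= recipient_domains(msg)
    return domains


def policy_drops(raw, undeliverable, bounces_only=True):
    """Recipient-based policy decision: drop mail to a listed domain, optionally only when it is a bounce."""
    msg = parse(raw)
    to_listed = bool(recipient_domains(msg) & undeliverable)
    return to_listed and (looks_like_bounce(msg) or not bounces_only)


if __name__ == "__main__":
    undeliverable = collect_undeliverable([STANDARD_DSN, POLICY_NOTICE, LEGIT_MAIL])
    print("Undeliverable list:", sorted(undeliverable))
    for name, raw in [("DSN", STANDARD_DSN), ("policy notice", POLICY_NOTICE), ("legit", LEGIT_MAIL)]:
        print(name, "dropped (bounces only):", policy_drops(raw, undeliverable))
```

The bounces-only variant is the safer default: a domain that lands on the Undeliverable list through a single misaddressed bounce would otherwise silently lose all future mail, whereas restricting the drop to messages that look like bounces limits the damage of a bad list entry.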