Symantec Mail Security Appliance Version 7.5 Administration Guide

Symantec Information Foundation

Symantec Mail Security Appliance Version 7.5 Administration Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 7.5 PN: 12617000

Legal Notice

Copyright © 2007 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functions, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

  ■ Error messages and log files

  ■ Troubleshooting that was performed before contacting Symantec

  ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts

■ Information about the Symantec Value License Program

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

■ Symantec Early Warning Solutions – These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

■ Managed Security Services – These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services – Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

■ Educational Services – Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Contents

Technical Support

Chapter 1

About Symantec Mail Security

Key features ... 17

New features ... 18

Migration: what to expect ... 20

Policy migration ... 21

Instant Messaging ... 21

User interface changes ... 22

Functional overview ... 26

Architecture ... 28

What you can do with Symantec Mail Security ... 30

Protect against security threats ... 31

Manage outbreaks ... 32

Identify and process spam messages ... 32

Create content compliance policies ... 33

Protect against Instant Messaging viruses and Spim ... 33

Quarantine messages and hold for review ... 33

Send notifications of threats and violations ... 34

Where to get more information ... 34

Chapter 2

Understanding message filtering

About email filtering ... 35

Notes on filtering actions ... 38

Multiple actions per verdict ... 42

Verdict and action combinations ... 43

Multiple content compliance policies ... 44

Spyware or adware verdict details ... 44

Creating groups and adding members ... 45

Groups, recipients, and senders ... 46

Create a group, add or remove members ... 46

Importing and exporting group members ... 47

Assigning filter policies to a group ... 48

Selecting virus policies for a group ... 49

Selecting spam policies for a group ... 50

Selecting compliance policies for a group ... 51

Enabling and disabling end user settings ... 52

Allowing or blocking email based on language ... 53

Managing Groups ... 54

Manage Groups ... 54

About Instant Messaging ... 55

Protocols settings ... 56

Virus settings ... 57

Spam settings ... 57

Reports ... 58

Chapter 3

Configuring spam filtering

Creating spam policies ... 59

Understanding email spam settings ... 61

Configuring suspected spam ... 61

Enabling language identification ... 62

Software acceleration ... 62

Configuring email spam settings ... 62

Configuring directory harvest attack recognition ... 62

Configuring sender groups ... 64

About Allowed and Blocked Senders Lists ... 65

How Symantec Mail Security identifies senders and connections ... 67

Adding senders to Blocked Senders Lists ... 70

Adding senders to Allowed Senders Lists ... 70

Deleting senders from lists ... 71

Editing senders ... 71

Enabling or disabling senders ... 71

Importing allowed and blocked sender group information ... 72

Enabling Open Proxy Senders, Safe Senders, and Suspected Spammers lists ... 75

About SMTP traffic shaping ... 76

Configuring Sender Authentication ... 78

Configuring IM Scan Settings for Spim ... 79

About Spim ... 79

How Spim works ... 79

How Spim detection works ... 80

Chapter 4

Configuring virus filtering

Creating virus policies ... 85

Determining your suspicious attachment policy ... 87

Configuring virus settings ... 87

Configuring LiveUpdate ... 87

Excluding files from virus scanning ... 89

Configuring Bloodhound settings ... 90

Configuring virus attack recognition ... 91

Configuring IM Scan Settings for file transfers ... 92

Chapter 5

Configuring content compliance filtering

About content compliance ... 95

Content compliance examples ... 98

Monitor compliance policies ... 99

Policy resources ... 100

Dictionaries ... 101

Attachment Lists ... 102

Patterns ... 103

Premium Content Compliance resources ... 103

Premium dictionaries ... 103

Premium Attachment List resources ... 109

Premium patterns ... 110

Regular expressions ... 111

Record resource ... 114

Compliance policy templates ... 116

About premium templates ... 126

Regulatory compliance mitigation ... 127

Templates best practices ... 127

Viewing policy templates ... 128

U.S. regulatory policy templates ... 128

Confidential data-protection policy templates ... 138

Acceptable use policy templates ... 144

Customer and employee data-protection templates ... 148

Network security policy templates ... 153

UK and international regulatory policy templates ... 155

Managing policy resources ... 160

Annotating messages ... 160

Configuring attachment lists ... 162

Configuring dictionaries ... 435

Adding and editing notifications ... 167

Managing Patterns ... 169

Creating a Record resource ... 171

Creating compliance policies ... 182

Preparation for adding compliance policies ... 183

Adding compliance policies ... 184

Compliance policy conditions ... 189

Adding conditions to compliance policies ... 193

Using Perl-compatible regular expressions in conditions ... 197

Determining compliance policy order ... 200

Enabling and disabling compliance policies ... 200

Archiving messages ... 201

Configuring optional archive tags ... 202

Configuring TLS encryption for remote domains ... 202

Chapter 6

Configuring compliance incident management

Creating compliance folders ... 205

Managing compliance folders ... 206

Adding compliance folders ... 207

Editing the notification template ... 209

Managing incidents ... 210

Compliance folder overview ... 211

Incident Management ... 212

Compliance Incident Management details ... 215

Working with incidents ... 216

Chapter 7

Configuring protocol settings

Configuring address masquerading ... 219

Importing masqueraded entries ... 220

Configuring aliases ... 221

Managing aliases ... 223

Importing aliases ... 224

Configuring invalid recipient handling ... 224

IP Reputation ... 225

Configuring local domains ... 227

Importing local domains and email addresses ... 228

Message audit logging ... 229

Enable the Message Audit Log ... 230

Searching for a message ... 230

Message queues ... 233

Work with message queues ... 233

Message trends ... 234

Configuring scanning settings ... 235

Configuring container settings ... 235

Configuring content filtering settings ... 236

Configuring bad message handling ... 237

Blocking access to an IM network ... 238

Viewing IM network server status ... 239

Viewing active IM users ... 239

Working with search results ... 241

Registering IM users ... 242

About user registration ... 243

Registering an IM user in the Control Center ... 244

Self-registering an IM user ... 244

Editing and deleting IM users in the Control Center ... 246

Chapter 8

Working with Spam Quarantine

About Spam Quarantine ... 249

Delivering messages to Spam Quarantine ... 250

Working with messages in Spam Quarantine for administrators ... 250

Accessing Spam Quarantine ... 250

Checking for new Spam Quarantine messages ... 250

Administrator message list page ... 251

Administrator message details page ... 253

Searching messages ... 255

Configuring Spam Quarantine ... 258

Delivering messages to Spam Quarantine ... 258

Configuring Spam Quarantine port for incoming email ... 259

Configuring Spam Quarantine for administrator-only access ... 260

Configuring the Delete Unresolved Email setting ... 260

Configuring the login help ... 261

Configuring recipients for misidentified messages ... 261

Configuring the user and distribution list notification digests ... 262

Configuring the Spam Quarantine Expunger ... 267

Specifying Spam Quarantine message and size thresholds ... 268

Troubleshooting Spam Quarantine ... 270

Chapter 9

Working with Suspect Virus Quarantine

About Suspect Virus Quarantine ... 275

Routing messages to Suspect Virus Quarantine ... 275

Accessing Suspect Virus Quarantine ... 276

Checking for new Suspect Virus Quarantine messages ... 276

Suspect Virus Quarantine messages page ... 276

Searching messages ... 278

Configuring Suspect Virus Quarantine ... 280

Configuring Suspect Virus Quarantine port for incoming email ... 280

Configuring Suspect Virus Quarantine message release ... 281

Configuring the size for Suspect Virus Quarantine ... 281

Chapter 10

Working with reports

About reports ... 283

About charts and tables ... 284

Selecting report data to track ... 284

Running reports ... 285

Saving and editing favorite reports ... 286

Running and deleting favorite reports ... 287

Printing, saving, and emailing reports ... 287

Scheduling reports to be emailed ... 288

Configuring the report Expunger ... 290

Setting the retention period for report data ... 290

Setting the Expunger frequency and start time ... 290

Troubleshooting report generation ... 291

No data available for the report type specified ... 291

Sender HELO domain or IP connection shows gateway information ... 291

Reports presented in local time of Control Center ... 291

By default, data are saved for one week ... 292

Processed message count recorded per message, not per recipient ... 292

Recipient count equals message count ... 292

Deferred or rejected messages are not counted as received ... 293

Reports limited to 1,000 rows ... 293

Chapter 11

Administering Scanners

About administering scanners ... 295

Managing Scanners ... 296

Adding Scanners ... 296

Editing Scanners ... 296

Enabling and disabling Scanners ... 297

Deleting Scanners ... 298

Configuring Scanner host settings ... 298

Working with Services ... 298

DNS/Time servers ... 302

Proxy ... 303

Ethernet settings ... 303

SMTP settings ... 307

Configuring SMTP Advanced Settings ... 310

Internal mail hosts ... 313

IM settings ... 314

Checking Scanner status ... 316

Managing software licenses ... 316

Shutting down an appliance ... 317

Rebooting an appliance ... 317

Using network utilities ... 317

Backing up an appliance ... 318

Restoring an appliance ... 319

Returning to factory defaults ... 320

Updating system software ... 321

Chapter 12

Administering the system

About administration settings ... 323

Managing system administrators ... 324

Manage administrators ... 324

Finding users ... 325

Archiving messages ... 325

Configuring optional archive tags ... 326

About alerts ... 328

Configuring alerts ... 330

Configuring certificate settings ... 331

Manage certificates ... 332

Configuring Control Center settings ... 335

Control Center administration ... 335

Control Center certificate ... 336

Configuring, enabling and scheduling Scanner replication ... 337

Control Center SMTP host settings ... 338

System locale and fallback encoding ... 338

About logs ... 339

Configuring log levels and local logging ... 339

Details about the maximum log size and the Log Expunger ... 341

Configuring remote logging to Syslog ... 341

Viewing logs ... 343

Working with logs ... 346

Checking the Control Center error log ... 346

Configuring SNMP settings ... 347

Setting up UPS monitoring ... 349

Administering the system with the command line ... 349

agentconfig ... 351

cat ... 352

cc-config ... 352

clear ... 353

crawler ... 354

date ... 355

db-backup ... 355

db-restore ... 357

deleter ... 358

diagnostics ... 359

dns-control ... 360

dn-normalize ... 361

grep ... 361

help ... 361

http ... 362

ifconfig ... 362

install ... 362

iostat ... 363

ldapsearch ... 363

ls ... 366

mallogs ... 366

malquery ... 367

more ... 374

mta-control ... 374

mta-stats ... 377

netstat ... 378

nslookup ... 378

passwd ... 379

pause-mode ... 379

ping ... 379

reboot ... 379

rebuildrpmdb ... 380

rm ... 380

route ... 380

service ... 380

shutdown ... 382

sshdctl ... 382

system-stats ... 384

tail ... 385

telnet ... 385

traceroute ... 386

update ... 386

version ... 387

watch ... 387

Chapter 13

Getting status information

Overview of system status ... 389

Dashboard ... 390

Hardware ... 391

View hardware status ... 392

LDAP synchronization ... 392

Perform synchronization tasks ... 392

Synchronization status information ... 393

Perform replication tasks ... 395

Replication status information ... 395

Logs ... 396

Work with logs ... 397

Services ... 398

Host details ... 398

Chapter 14

Configuring LDAP synchronization and Scanner replication

Configuring LDAP settings ... 401

Directory servers ... 403

Authentication ... 405

Synchronization ... 407

Routing ... 411

Configure LDAP settings ... 415

Replicating data to Scanners ... 419

Starting and stopping replication ... 419

Troubleshooting replication ... 419

Appendix A

Action and verdict combinations

Limits on combining actions ... 423

Action processing combinations ... 423

User interface action combinations ... 425

Verdict combinations ... 427

Appendix B

Premium Content Compliance Resources

Premium resources ... 431

Premium dictionary resources ... 431

Premium pattern and regular-expression resources ... 435

Premium Attachment Lists ... 437

Appendix C

Available reports

Choosing a report ... 445

Glossary

Index

Chapter 1

About Symantec Mail Security

This chapter includes the following topics:

■ Key features

■ New features

■ Migration: what to expect

■ Functional overview

■ Architecture

■ What you can do with Symantec Mail Security

■ Where to get more information

Key features

Symantec Mail Security offers enterprises a comprehensive gateway-based message security solution incorporating the following features:

■ SMTP traffic shaping – Over time, this feature evaluates email sources and develops a record of their reputation for sending spam to your site. As the reputation record grows, Symantec Mail Security accepts fewer connections from those sources identified to be illegitimate, reducing the volume of spam received at your site and saving computing resources needed to filter spam messages.

■ Email Firewall – This early response feature improves message throughput by analyzing incoming SMTP connections, comparing them to Symantec's Reputation service data and industry-generated lists of known hostile senders and enabling you to refuse or defer connections from those hosts.

■ Antispam technology – Symantec's state-of-the-art spam filters assess and classify email as it enters your site.

■ Antivirus technology – Virus definitions and engines protect your users from email-borne viruses.

■ Content Compliance – These features help you enforce corporate policies, reduce legal liability, and ensure compliance with regulatory requirements.

■ Groups and filter policies – An easy-to-use authoring tool lets administrators create powerful, flexible ad hoc filters for users and groups.

■ Instant Messaging (IM) – Protects your corporate network against external threats delivered via IM, such as viruses, worms, and malicious URLs.

New features

The following table lists the features that have been added to this version of Symantec Mail Security:

Table 1-1 New features for Symantec Mail Security Appliance (each entry gives Feature (Category) – Description)

■ Enhanced navigation (User interface) – New top-level menus

■ Instant Messaging integration (Threat protection) – Protects against IM file-transfer viruses and spam instant messaging (Spim)

■ Support for multiple filtering actions (Email filtering and content compliance) – Permit multiple combinations of triggered policies and actions to impact the same message. Automatically resolves potential conflicts among actions

■ Support for Enterprise Vault and third-party archival tools (Email filtering and content compliance) – Specify conditions that result in email being sent to an archival email address or disk location

■ Support for structured data resources (Email filtering and content compliance) – Create compliance policies that are based on customer-specific data sources

■ Additional Premium content compliance policy templates (Email filtering and content compliance) – Structured data templates for many pre-built compliance policies; new policy templates for US defense and intelligence security classifications

■ Additional Premium compliance policy resources (Email filtering and content compliance) – Dictionaries in support of new policy templates

■ Content compliance audit log (Email filtering and content compliance) – Track compliance policy additions, modifications, deletions, and changes to administrators

■ Enhanced incident management (Message handling) – Hold incidents of policy noncompliance for review before approving or rejecting policy actions; view incident details, including history

■ Bad message handling (Message handling) – Hold messages that cause repeated direct mail failures in a separate queue so that normal delivery can proceed without further delays until suspect messages can be cleared

■ Support for non-ASCII character sets (Enhanced localization capabilities) – Extended support for double-byte character sets; language autodetection of messages for Quarantine and of subject encodings for message handling

Migration: what to expect

If you are upgrading your installation from a previous version of the Symantec Mail Security Appliance, you will have already received a software update notification that details any known issues in installing the new version. See "Migrating to Symantec Mail Security Appliance 7.5" in the Symantec Mail Security Appliance Installation Guide for more information.

After you have updated your Symantec Mail Security Appliance installation, you should remain aware of the following issues:

■ Policy migration – When migrating your policies data from a previous version of Symantec Mail Security, all policy data is preserved. With this release, Symantec Mail Security Appliance offers the ability to combine multiple actions for different verdicts on the same message. This capability provides advantages over the previous model in which only one verdict for a message can result in actions. Existing policies, however, may generate multiple actions in cases where a single message results in multiple verdicts.

See "Policy migration" on page 21.

■ Instant Messaging – When upgrading from Symantec Mail Security Appliance 5.x, Instant Messaging (IM) is disabled by default. You must enable Instant Messaging for each Scanner on which you intend to filter IM. You must also configure the DNS settings for any IM-enabled Scanner to route instant messages to their public IM networks over the Internet.

See "About Instant Messaging" on page 55.

■ User interface changes – The new version of Symantec Mail Security Appliance accommodates all the elements of the previous user interface. However, many of these elements are located in different menus and under different headings. For instance, many elements, including Hosts, that were under the System Settings heading in the Settings menu, are now accessed from the Administration menu under Settings. In addition, threat-specific page links that were previously listed under System Settings in the Settings menu have been moved to Settings headings under separate top-level menus for each type of threat (Virus, Spam, Compliance). In a few cases, the name of a page link has changed. For instance, what was Spam Throttling under Policies > Email Firewall Policies in Symantec Mail Security Appliance 5.x is now SMTP Traffic Shaping under Spam > Settings. New user interface elements have been added for new features, such as Instant Messaging.

See "User interface changes" on page 22.

Policy migration

Because Symantec Mail Security Appliance 7.5 supports multiple verdict-action combinations, a message triggering multiple verdicts may invoke more than one policy's actions. In previous versions of Symantec Mail Security, a message could trigger only one applicable policy and only the actions triggered by that policy were invoked, even if more defined policies could apply. Symantec Mail Security employs a sophisticated processing logic that automatically resolves potential conflicts between actions. For instance, a message that returns both virus and suspect-spam verdicts could trigger both a virus-policy action that cleans the message (removes the virus) and a suspect-spam policy that holds the message in Spam Quarantine. However, if the same message triggers a virus policy configured to delete the message, the delete action will supersede the actions of the suspect-spam policy, even if the message triggers both virus and suspect-spam policies. In general, actions that delete messages prevent all other actions from occurring.

See "Verdict and action combinations" on page 43.
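To make the precedence rule concrete, here is a small Python model, added for this guide and not part of Symantec's product code, that resolves the actions for a message carrying several verdicts. The policy names, verdict strings and action names are constructed sample values, and the only rule it encodes is the one stated above: a delete action supersedes every other triggered action, otherwise all triggered actions apply (with any action that several policies request applied once).

```python
"""Model of the verdict/action resolution rule described in "Policy migration".

Added illustration, not Symantec's code. It implements only the stated rule:
when a message triggers several policies, every triggered action applies
unless one of them deletes the message, in which case the delete action
supersedes all others. Policy names, verdicts and actions are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str        # constructed policy name
    verdict: str     # verdict that triggers the policy, e.g. "virus"
    actions: tuple   # actions invoked when the policy is triggered


# Actions that discard the message; the text says these prevent all other actions.
TERMINAL_ACTIONS = {"delete"}


def triggered_policies(verdicts, policies):
    """Return every policy whose verdict appears among the message's verdicts."""
    return [p for p in policies if p.verdict in verdicts]


def resolve_actions(verdicts, policies):
    """Resolve the actions to take on a message.

    Returns (actions, superseded_by): `actions` is the ordered list of actions
    that will run; `superseded_by` names the policy whose delete action
    suppressed the others, or None when all triggered actions apply.
    """
    triggered = triggered_policies(verdicts, policies)
    # A delete anywhere in the triggered set wins outright.
    for policy in triggered:
        for action in policy.actions:
            if action in TERMINAL_ACTIONS:
                return [action], policy.name
    # Otherwise every triggered action applies, each at most once.
    actions = []
    for policy in triggered:
        for action in policy.actions:
            if action not in actions:
                actions.append(action)
    return actions, None


# Constructed sample policies mirroring the two scenarios in the text.
CLEAN_VIRUS = Policy("Clean infected mail", "virus", ("clean",))
DELETE_VIRUS = Policy("Delete infected mail", "virus", ("delete",))
HOLD_SUSPECT_SPAM = Policy("Hold suspected spam", "suspected spam",
                           ("hold in Spam Quarantine",))

if __name__ == "__main__":
    verdicts = {"virus", "suspected spam"}
    # Clean + hold both apply: (['clean', 'hold in Spam Quarantine'], None)
    print(resolve_actions(verdicts, [CLEAN_VIRUS, HOLD_SUSPECT_SPAM]))
    # Delete supersedes the hold: (['delete'], 'Delete infected mail')
    print(resolve_actions(verdicts, [DELETE_VIRUS, HOLD_SUSPECT_SPAM]))
```

When reviewing migrated policies, running each policy set through a model like this against the verdict combinations you expect is a quick way to confirm which actions a message will actually receive before relying on the appliance's own resolution.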

Instant Messaging

Symantec Mail Security's IM filtering features provide a proxy for securing, managing, and logging IM activity for public and enterprise IM protocols. It delivers real-time threat protection, management, and compliance for your organization’s IM traffic.

When you enable IM for a Scanner, Symantec Mail Security Appliance configures the following settings:

■ The primary IP address for the Internal IM Interface defaults to the IP address of the appliance's network interface card (Ethernet 1). Symantec Mail Security Appliance uses the Internal IM Interface to handle instant messaging within your organization.

■ The secondary IP address for the Internal IM Interface defaults to the card's virtual IP address. Symantec Mail Security Appliance uses the secondary internal IP address to support extended IM client services.

■ The external IP address for the External IM Interface also defaults to the active IP address of the network interface card (Ethernet 1). Symantec Mail Security Appliance uses the External IM interface to route instant messaging over the Internet.

Email filtering and IM filtering can run on the same Scanner. Because email and IM use different ports, both protocols can share the same IP addresses on the same network interface card. The IP address that you use for incoming email can be the same as your primary IP address that you use for internal IM. Likewise, you can use the same external IP address for your outgoing mail as you use for external IM.

You can assign an external IP address for your External IM Interface to a card that is different from the card that is used for the primary IP address of your Internal IM Interface. You cannot, however, assign the primary and secondary IP addresses used by the Internal IM Interface to different network interface cards. You must configure your enterprise DNS server to route IM messages from IM users to any Scanner that has instant messaging filtering enabled. You must then configure the Scanner's DNS settings to route IM messages to their public IM networks over the Internet.

Refer to "Configuring your DNS for IM Filtering" in the Symantec Mail Security Installation Guide for more information.

See "DNS/Time servers" on page 302.

User interface changes

Changes in the Symantec Mail Security Appliance have been implemented to enhance the user interface. Table 1-2 maps the menus, headings, and page links as they appeared in Symantec Mail Security Appliance 5.x to the corresponding elements as they appear in Symantec Mail Security Appliance 7.5. To find the corresponding user interface element, locate the page link by the menu and heading that it appeared under in Symantec Mail Security Appliance 5.x. Read across the table to the adjacent page link to determine what heading and menu it appears under in Symantec Mail Security Appliance 7.5. The table does not list new user interface elements that have been added to Symantec Mail Security Appliance 7.5, since no elements in Symantec Mail Security Appliance 5.x correspond to them.

Table 1-2 User interface changes between Symantec Mail Security Appliance versions 5.x and 7.5

Columns, left to right: Symantec Mail Security Appliance 7.5 (Menu, Heading, Page links), then Symantec Mail Security Appliance 5.x (Page links, Heading, Menu)

Compliance Incident Management Folder Overview Compliance Overview Status Status System Hardware Hardware Status Logs Logs Services Services LDAP Synchronization Synchronization Protocols SMTP Message Queues Message Queues Message Trends Message Details IP Reputation Connections Troubleshooting Message Audit Log Message Administration Hosts Utilities Network Users Find User User Reports Favorites NA Favorites Reports Reports Schedule NA Schedule View Compliance View SMTP Spam Virus

Administration Users Groups N/A Group Policies Policies Compliance Policies Email Compliance Filter Policies Spam Policies Email Spam Virus Policies Email Virus Spam Settings Directory Harvest Attacks Directory Harvest Attacks Email Firewall Policies Sender Authentication Sender Authentication Sender Groups Sender Groups SMTP Traffic Shaping Spam Throttling Virus Settings Virus Attacks Virus Attacks Compliance Resources Annotations Annotations Policy Resources Attachment Lists Attachment Lists Dictionaries Dictionaries Notifications Notifications Patterns Patterns

Administration Settings Alerts Alerts System Settings Settings Compliance Settings Archive Archive Administration Settings Certificates Certificates Compliance Settings Compliance Folders Compliance Administration Settings Control Center Control Center Hosts Configuration Hosts Settings LDAP LDAP Logs Logs Spam Settings Quarantine Quarantine Virus Settings Quarantine Administration Settings Reports Reports SNMP SNMP UPS UPS Protocols SMTP Address Masquerading Address Masquerading Email Scanning Aliases Aliases Compliance Settings Encryption Encryption Protocols SMTP Invalid Recipients Invalid Recipients Local Domains Local Domains Scanning Settings Scanning Spam Settings Spam

Email Scan Settings Virus Settings LiveUpdate Virus Email Scan Settings Administration Users Administrators N/A Administrators Administration Hosts Shutdown Reboot Device Management Shutdown Version Backup Software Management Licenses Licenses Version Factory Reset Restore Software Updates Spam Quarantine Email Spam Spam Quarantine Quarantine Quarantine Virus Quarantine Email Suspect Virus Suspect Virus Quarantine Compliance Incident Management Default Default Incident Management Compliance

Functional overview

Each Symantec Mail Security Scanner uses the following three separate message transfer agents, or MTAs, when scanning email messages:


Inbound MTA
The component that receives inbound mail and forwards it to the Filtering Hub for processing.

Outbound MTA
The component that receives outbound mail and forwards it to the Filtering Hub for processing.

Delivery MTA
The component that sends inbound and outbound messages that have already been filtered to their required destinations. To do this, the delivery MTA uses the filtering results and the configuration settings for relaying inbound and outbound mail.

You can deploy Symantec Mail Security in different configurations to best suit the size of your network and your traffic processing needs.

Note: Symantec Mail Security provides neither mailbox access for end users nor message storage. It is not intended for use as the only MTA in your email infrastructure.

Each Symantec Mail Security host can be deployed in the following ways:

Scanner
Deployed as a Scanner, a Symantec Mail Security Scanner can filter email for viruses, spam, IM threats, and noncompliant messages.

Control Center
Deployed as a Control Center, Symantec Mail Security allows you to add and configure Scanners. You then manage email filtering, SMTP routing, system settings, and all other functions from the Web-based Control Center interface. You can deploy multiple Symantec Mail Security Scanners enterprise-wide, but only one Control Center is required (or supported) to administer them. The Control Center provides information on the status of all Symantec Mail Security Scanners in your deployment, including system logs and extensive customizable reports. Use the Control Center to configure both system-wide and host-specific details. The Control Center also hosts the Spam and Suspect Virus Quarantines to isolate and store spam and virus messages, respectively. End users can view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure Spam Quarantine for administrator-only access. Messages that trigger content-based compliance policies are also stored on the Control Center, in compliance folders.

Scanner and Control Center
A single Symantec Mail Security host performs both functions.

Note: Symantec Mail Security does not filter messages that do not flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, their messages will not pass through the Symantec Mail Security filters.

Architecture

Figure 1-1, Symantec Mail Security Appliance Architecture, shows how a Symantec Mail Security installation processes an email message, assuming the sample message passes through the Filtering Engine to the Transformation Engine without being rejected. The diagram also shows the path IM traffic takes through the system.

Figure 1-1 Symantec Mail Security Appliance Architecture

Path an email message takes through the system:

■ At the gateway, traffic shaping checks the message’s IP address to determine if it comes from a known source of spam or email-borne viruses.

■ The incoming connection arrives at the inbound MTA via TCP/IP.

■ Before accepting the connection, the inbound MTA sends the message’s IP address to the Email Firewall to check whether it is a known source of spam or email-borne viruses. If it is not, the inbound MTA accepts the connection and moves the message to its inbound queue.

■ The Filter Hub accepts a copy of the message for filtering.

■ The Filter Hub consults the LDAP SyncService directory to expand the message’s distribution list.

■ The Filtering Engine determines each recipient’s filtering policies.


■ Antivirus and configurable heuristic filters determine whether the message is infected.

■ Content Compliance filters scan the message for restricted attachment types or words, as defined in configurable dictionaries.

■ Antispam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.

■ The Transformation Engine performs actions based on filtering results and configurable Group Policies.

Path an instant message takes through the system (from an external source):

■ IM traffic enters your network and is redirected to the IM proxy by your enterprise DNS servers.

■ The IM proxy filters IM traffic based on your settings and compares the traffic with current filters published by Symantec Security Response to determine whether the message is Spim or contains a virus. If a message is determined to contain Spim or a virus, you can choose to block this traffic.

■ The IM traffic reaches the internal user's IM client.

■ If you have enabled outbound IM filtering, outbound messages are also routed through the IM proxy before reaching an external user's IM client.

What you can do with Symantec Mail Security

Symantec Mail Security scans email messages, their attachments, and IM messages for violations of policies. A policy is a set of rules designed to detect certain conditions that you specify. When a message triggers one or more policies, Symantec Mail Security takes the action that you specify for that policy. Symantec Mail Security enforces the following policy types:

Email firewall
Contains rules controlling scanning limits, exceptions, and outbreak management based on the number of attacks from an email address, IP address, or domain.

Virus
Contains rules for detecting threats in messages and attachments with viruses, virus-like characteristics, or security risks, such as adware or spyware.

Spam, Spim (Instant Messaging)
Enforces rules that you configure for the following:

■ Detecting and blocking spam and Spim (Instant Messaging spam)

■ Specifying recipients whose email messages are not scanned for spam

Compliance
Contains rules for filtering inappropriate content in message bodies and attachments. Also contains filtering rules that let you detect and block messages by file name and file type.

Protect against security threats

Symantec Mail Security prevents messages from sources known to disseminate viruses and other malware, including adware and spyware, from entering your network. Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, and worms) to identify new risks. Symantec Response Center stores information about a threat (a signature) in a definition file. Definition files contain the information needed to detect and eliminate threats. Symantec Mail Security downloads these definition files using LiveUpdate or Rapid Release, on the schedule that you configure. Symantec Mail Security also uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments.

When Symantec Mail Security scans for threats, it searches for these signatures. Symantec Mail Security's firewall protection uses them to thwart known threats from intruding into your mail system. Such firewall protection serves as your first line of defense against email-borne viruses. You can also use Symantec Mail Security to limit inbound messages to those from trusted sites or domains, further reducing risk.

Symantec Mail Security lets you update your protection from threats and security risks using the following tools:

LiveUpdate
LiveUpdate downloads and installs available definitions from the Symantec LiveUpdate server. LiveUpdate certified definitions undergo stringent testing and are updated daily. LiveUpdate is enabled by default with a recommended daily schedule. However, you can modify the schedule.

Rapid Release
Rapid Release definitions provide the fastest response to emerging threats and are updated approximately every hour. Rapid Release definitions are delivered by FTP and provide reliable first-line protection. Rapid Release definitions can also be retrieved manually on demand.

Both methods let you update definitions on demand and automatically, based on the schedule that you specify. You can run Rapid Release definition updates instead of or in addition to LiveUpdate updates. For example, you can schedule daily LiveUpdates and then manually run Rapid Release when a new threat emerges. See “Configuring virus settings” on page 87.

Note: You must have a valid content license to update definition files. A content license is a grant by Symantec Corporation for you to update Symantec corporate software with the latest associated content, such as new definitions. When you do not have a content license or your license expires, your product does not receive the most current definitions, and your servers are vulnerable to risks.

Manage outbreaks

Access to regular updates of threat information maximizes security and guards your organization's mail server against infections and the downtime that is associated with an outbreak. An outbreak occurs when the number of messages containing a virus received within a specified (short) period of time exceeds a specified limit. When an outbreak occurs, prompt identification of the situation and notification of administrative staff is critical. Symantec Mail Security lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications when an outbreak is detected. You can set rules that define an outbreak based on an event, for example, the same threat occurring a specified number of times within a specified time period. You can also configure Mail Security to send notifications and alerts in the case of an outbreak.

See “Configuring virus attack recognition” on page 91.

Identify and process spam messages

Symantec Mail Security can detect if an incoming email message is spam with a high level of accuracy. You can adjust antispam detection by specifying domains that are automatically permitted to bypass antispam scanning, enable sender authentication and requirements for TLS encryption, define policies for handling email messages that have been identified as spam, and more.

See “Understanding email spam settings” on page 61.

Create content compliance policies

Symantec Mail Security lets you configure content filtering rules for inbound and outbound mail. These rules can be used to enforce regulatory policies and organizational requirements, prevent data leakage, and protect customer and employee data. Content filtering rules let you filter messages for attachment names, attachment content, specific words, phrases, subject lines, and senders. Mail Security takes the action that you specify in the rule when policy conditions match message content.

Content compliance policies reference resources, such as dictionaries, patterns, and data-source records, to filter email messages and attachments for specific words, terms, phrases, regular expressions, and proprietary data.

Symantec Mail Security also lets you scan email messages based on attached file names or file types, such as multimedia or executable files.

See “About content compliance” on page 95.

Protect against Instant Messaging viruses and Spim

When properly enabled, Symantec Mail Security scans IM attached files for viruses and blocks infected files from delivery. It scans IM for Spim (Instant Messaging spam) and, optionally, blocks suspected messages from delivery. You can also block access to IM networks that your organization does not support. You can register IM users before allowing them to access IM networks.

See “About Instant Messaging” on page 55.

Quarantine messages and hold for review

You can quarantine email messages that filter policies detect as suspect viruses and spam. You have the option of reviewing these messages in the Spam Quarantine and Suspect Virus Quarantine. If you configure end-user access to Spam Quarantine, end users receive notification when a message addressed to them is quarantined as spam and can then review these messages and take action as desired.

Email that meets conditions specified in compliance policies can be held for review. Actions that have been configured for such policies are deferred until an administrator or compliance officer has had an opportunity to review the message and approve or reject the actions.

See “About Suspect Virus Quarantine” on page 275. See “About Spam Quarantine” on page 249.

Send notifications of threats and violations

Symantec Mail Security can be configured to send notifications about a wide variety of events and status information.

See “About alerts” on page 328.

Where to get more information

The Symantec Mail Security documentation set consists of the following manuals:

Symantec Mail Security Administration Guide

Symantec Mail Security Installation Guide

Symantec Mail Security Getting Started

Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.

You can visit the Symantec Web site for more information about your product. The following online resources are available:

■ www.symantec.com/enterprise/support: Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions

■ www.symantec.com/licensing/els/help/en/help.html: Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration

■ www.enterprisesecurity.symantec.com: Provides product news and updates

■ www.symantec.com/security_response: Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats

Chapter 2 Understanding message filtering

This chapter includes the following topics:

■ About email filtering

■ Notes on filtering actions

■ Multiple actions per verdict

■ Verdict and action combinations

■ Multiple content compliance policies

■ Spyware or adware verdict details

■ Creating groups and adding members

■ Assigning filter policies to a group

■ Managing Groups

■ About Instant Messaging

About email filtering

Although Symantec Mail Security provides default settings for dealing with spam and viruses, you will likely want to tailor the actions taken on spam and viruses to suit your requirements. Content compliance and Email Firewall policies offer further methods of managing mail flow into and out of your organization. You can also use content compliance policies to monitor and enforce compliance with regulatory and organizational requirements.


Symantec Mail Security provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct user groups.

You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict. You specify actions when you create or edit a spam, virus, or compliance policy. Each of these policies is a filtering policy.

When you create or edit a filtering policy, you specify the conditions you are looking for in messages. In most cases, conditions are synonymous with verdicts, except in the case of more complex content compliance conditions.

Verdicts are the conclusions reached on a message by the filtering process. Symantec Mail Security performs actions on a message based on the verdict applied to that message, and the groups that include the message recipient as a member. However, for outbound filtering, the groups that impact message filtering are those groups that include the message sender.

Table 2-1 describes filtering verdicts by category.

Table 2-1 Filtering verdicts by verdict category

Verdict category: Email Firewall

■ Directory harvest attack: An attempt is underway to capture valid email addresses. A directory harvest attack is carried out by emailing your domain with a specified number of non-existent recipient addresses from the same IP address.

■ SMTP traffic shaping: A specified quantity of spam messages has been received during a configurable time window from a particular IP address.

■ Virus attack: A specified quantity of infected messages has been received from a particular IP address.

■ Sender Groups: A message or an IP connection matches one of the following lists. See “Configuring sender groups” on page 64.

  ■ Blocked Senders (Domain-based)

  ■ Blocked Senders (IP-based)

  ■ Blocked Senders (Third Party Services)

  ■ Allowed Senders (Domain-based)

  ■ Allowed Senders (IP-based)

  ■ Allowed Senders (Third Party Services)

  ■ Open Proxy Senders

  ■ Safe Senders

  ■ Suspected Spammers

Verdict category: Sender authentication

■ Sender authentication: A message has failed either SPF or Sender ID authentication. See “Configuring Sender Authentication” on page 78.

Verdict category: Virus

■ Virus: An email message contains a virus, based on current Symantec virus filters.

■ Mass-mailing worm: An email message contains a mass-mailing worm, based on current Symantec virus filters.

■ Unscannable for viruses: An email message exceeds the container limits configured on the Scanning Settings page, or is unscannable for other reasons. For example, the message or an attachment contains malformed MIME.

■ Encrypted attachment: An email message contains an attachment that is encrypted or password-protected and therefore cannot be scanned.

■ Spyware or adware: An email message contains any of the following types of security risks: spyware, adware, hack tools, dialers, joke programs, or remote access programs. See “Spyware or adware verdict details” for descriptions of these risks.

■ Suspicious attachment: An email message either shows virus-like signs, or a suspicious new pattern of message flow involving this attachment has been detected.

Verdict category: Spam

■ Spam: An email message is spam, based on current spam filters from Symantec.

■ Suspected spam: An email message is suspected spam, based on a configurable Suspected Spam Threshold.

Verdict category: Content Compliance

■ Any part of a message (body, subject, or attachment): An email message contains keywords in your configurable dictionary, matches a regular expression, matches a pattern, or matches data in a record resource.

■ Attachment type: An email message contains a specific attachment type as defined by file extension, MIME type, or true file type.

■ Attachment content: Specific text appears with a specific frequency in the attachments of an email message.

■ Subject: An email message contains specific text in the Subject: line.

■ From: Address: An email message contains specific text in the From: address.

■ To: Address: An email message contains specific text in the To: address.

■ Cc: Address: An email message contains specific text in the Cc: address.

■ Bcc: Address: An email message contains specific text in the Bcc: address.

■ To:/Cc:/Bcc: Address: An email message contains specific text in the To:, Cc:, or Bcc: address.

■ From:/To:/Cc:/Bcc: Address: An email message contains specific text in the From:, To:, Cc:, or Bcc: address.

■ Envelope Sender: An email message envelope contains a particular sender address.

■ Envelope Recipient: An email message envelope contains a particular recipient address.

■ Envelope HELO: An email message envelope contains a particular SMTP HELO domain.

■ Message Header: An email message contains a particular header.

■ Message Size: An email message exceeds a particular size.

■ Body: An email message contains specific text in the body.

■ For all messages: All email is flagged.
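The three Email Firewall attack verdicts above (Directory harvest attack, SMTP traffic shaping, Virus attack) share one shape: a configurable count of one kind of event from a single source IP inside a configurable time window. The following Python block is an added example that is not code from the appliance; it implements that sliding-window detection over a constructed connection log. The thresholds, the event names (invalid_recipient, spam, virus), the log line format and the sample log lines are all constructed for the example, and the real limits are the ones you configure on the Directory Harvest Attacks, SMTP Traffic Shaping and Virus Attacks pages.

```python
"""Sliding-window detectors for the Email Firewall attack verdicts.

Added example; this is not code from the appliance.  It models how the
Directory harvest attack, SMTP traffic shaping and Virus attack verdicts
in Table 2-1 are reached: a configurable number of events of one kind
from the same source IP inside a configurable time window.  Thresholds,
event names, the log format and the log lines below are constructed
(hypothetical) for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed thresholds: (count, window).  The real values are set per
# verdict in the Control Center (Directory Harvest Attacks, SMTP Traffic
# Shaping and Virus Attacks pages).
THRESHOLDS = {
    "invalid_recipient": (5, timedelta(minutes=10)),   # -> Directory harvest attack
    "spam":              (20, timedelta(minutes=60)),  # -> SMTP traffic shaping
    "virus":             (3, timedelta(minutes=30)),   # -> Virus attack
}
VERDICTS = {
    "invalid_recipient": "Directory harvest attack",
    "spam": "SMTP traffic shaping",
    "virus": "Virus attack",
}


class EmailFirewall:
    """Keeps, per (source IP, event kind), the event times still inside the window."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.windows = defaultdict(deque)

    def observe(self, ip, kind, when):
        """Record one event; return the verdict it triggers, or None."""
        if kind not in self.thresholds:
            return None
        limit, window = self.thresholds[kind]
        recent = self.windows[(ip, kind)]
        recent.append(when)
        # Events are fed in time order, so expiring from the left is enough.
        while recent and when - recent[0] > window:
            recent.popleft()
        return VERDICTS[kind] if len(recent) >= limit else None


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <source IP> <event kind>'."""
    stamp, ip, kind = line.split()
    return datetime.fromisoformat(stamp), ip, kind


def scan(lines, firewall=None):
    """Run the detectors over log lines; return {ip: sorted verdict names}."""
    firewall = firewall or EmailFirewall()
    verdicts = defaultdict(set)
    for line in lines:
        when, ip, kind = parse_line(line)
        verdict = firewall.observe(ip, kind, when)
        if verdict:
            verdicts[ip].add(verdict)
    return {ip: sorted(names) for ip, names in verdicts.items()}


# Constructed sample log.  192.0.2.10 probes five unknown recipients in
# 80 seconds (harvest); 198.51.100.7 probes five but 15 minutes apart, so
# never five inside the 10-minute window; 203.0.113.5 sends three infected
# messages in nine minutes plus one spam message (under the shaping limit).
SAMPLE_LOG = [
    "2007-06-01T09:00:00 192.0.2.10 invalid_recipient",
    "2007-06-01T09:00:20 192.0.2.10 invalid_recipient",
    "2007-06-01T09:00:40 192.0.2.10 invalid_recipient",
    "2007-06-01T09:01:00 192.0.2.10 invalid_recipient",
    "2007-06-01T09:01:20 192.0.2.10 invalid_recipient",
    "2007-06-01T09:05:00 198.51.100.7 invalid_recipient",
    "2007-06-01T09:20:00 198.51.100.7 invalid_recipient",
    "2007-06-01T09:35:00 198.51.100.7 invalid_recipient",
    "2007-06-01T09:50:00 198.51.100.7 invalid_recipient",
    "2007-06-01T10:05:00 198.51.100.7 invalid_recipient",
    "2007-06-01T11:00:00 203.0.113.5 virus",
    "2007-06-01T11:04:00 203.0.113.5 virus",
    "2007-06-01T11:09:00 203.0.113.5 virus",
    "2007-06-01T11:10:00 203.0.113.5 spam",
]

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

The slow probe from 198.51.100.7 is the case to watch: five invalid recipients do arrive, but never five within the window, so no Directory harvest attack verdict is raised. A window that is too short, or a limit that is too high, lets a patient harvester enumerate your directory at a rate just under the threshold.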

Notes on filtering actions

Table 2-2 describes the filtering actions available for each verdict category. When using Table 2-2, note the following regarding the columns:

■ See Table 2-1 for the specific verdicts included in each category.

■ The Attacks column includes Directory Harvest Attacks and Virus Attacks, except that the Remove invalid recipients action applies to Directory Harvest Attacks only.

■ The Sender Groups column includes the following nine lists, plus sender authentication:

  ■ Blocked Senders (Domain-based)

  ■ Blocked Senders (IP-based)

  ■ Blocked Senders (Third Party Services)

  ■ Allowed Senders (Domain-based)

  ■ Allowed Senders (IP-based)

  ■ Allowed Senders (Third Party Services)

  ■ Open Proxy Senders

  ■ Safe Senders

  ■ Suspected Spammers

■ The Defer SMTP connection and Reject SMTP connection actions cannot be used with domain-based blocked or allowed senders lists, and cannot be used with sender authentication.

When using Table 2-2, consider the following limitations:

■ All Virus verdicts except virus and suspicious attachment share the same available actions. One additional action, Clean, is available only for the virus verdict. Two additional actions, Hold message in Suspect Virus Quarantine and Strip and Delay in Suspect Virus Quarantine, are available only for the suspicious attachment verdict.

■ All spam verdicts share the same available actions.

■ All Content Compliance verdicts share the same available actions.

■ In general, messages from senders in the Allowed Senders Lists bypass spam filtering, but do not bypass virus filtering or content filtering.

See “Verdict combinations” on page 427.

■ By default, inbound and outbound messages containing a virus are cleaned of the virus. Inbound and outbound messages that contain a mass-mailing worm, and unscannable messages (including malformed MIME messages), are deleted. If you are concerned about losing important messages, you may want to create a different filter policy for unscannable messages and apply that new filter policy to some or all of your groups.

See Table 2-4 on page 49.

■ The Send a bounce message action delivers the original message to the recipient.

■ The Forward the message action delivers the original message to the recipient.

Table 2-2 Filtering actions by verdict category

The verdict categories are Sender Groups, Content Compliance, Spam, Virus, and Attacks. Each entry gives the action, the verdict categories it is available for (in parentheses), and a description.

■ Add a header (all categories): Add an email header.

■ Add annotation (all categories): Insert predefined text (a disclaimer, for example).

■ Add BCC recipients (all categories): Blind carbon copy to the designated SMTP address(es).

■ Archive the message (all categories): Forward a copy to the designated SMTP address, and, optionally, host.

■ Clean the message (Virus): Repair repairable virus infections and delete unrepairable virus infections.

■ Create an incident (Content Compliance): Create a record of a compliance or regulatory incident. Optionally, hold for review and defer certain actions.

■ Defer SMTP connection (Sender Groups, Attacks): Using a 4xx SMTP response code, tell the sending MTA to try again later. Cannot be used with sender authentication, or with domain-based blocked or allowed senders lists.

■ Delete message (all categories): Delete the message.

■ Deliver message normally (all categories): Deliver the message. Viruses and mass-mailing worms are neither cleaned nor deleted.

■ Deliver the message to the recipient's Spam folder (all categories): Deliver to end-user Spam folder(s). Requires use of the Symantec Spam Folder Agent for Exchange or the Symantec Spam Folder Agent for Domino.

■ Deliver message with TLS encryption (one category): Send the message over an encrypted channel.

■ Forward the message (all categories): Copy to designated SMTP address(es).

■ Hold message in Spam Quarantine (all categories): Send to the Spam Quarantine.

■ Hold message in Suspect Virus Quarantine (Virus): Hold in the Suspect Virus Quarantine for a configured number of hours (default is six), then refilter for viruses only, using the latest virus definitions. Only available for the suspicious attachment verdict.

■ Modify the Subject line (all categories): Add a tag to the message's Subject: line.

■ Reject SMTP connection (Sender Groups, Attacks): Using a 5xx SMTP response code, notify the sending MTA that the message is not accepted. Cannot be used with sender authentication, or with domain-based blocked or allowed senders lists.

■ Remove invalid recipients (Attacks; directory harvest attacks only): If a directory harvest attack is taking place, remove each invalid recipient rather than sending a bounce message to the sender. You must complete LDAP synchronization and Scanner replication before enabling this feature.

■ Route the message (all categories): Deliver via the designated SMTP host.

■ Send a bounce message (all categories): Return the message to its From: address with a custom response, and deliver it to the recipient, with or without attaching the original message.

■ Send notification (all categories): Deliver the original message and send a predefined notification to designated SMTP address(es) with or without attaching the original message.

■ Strip and Delay in Suspect Virus Quarantine (Virus): Remove all non-text content and deliver the stripped message immediately. Hold the complete message in Suspect Virus Quarantine for a configured number of hours (default is six hours), then release and rescan. Only available for the suspicious attachment verdict.

■ Strip attachments (three categories): Remove all attachments according to a specific attachment list.

■ Treat as a blocked sender (Sender Groups): Process using the action(s) specified in the domain-based Blocked Senders List. Applies even if the domain-based Blocked Senders List is disabled.

■ Treat as a mass-mailing worm (Sender Groups): Process using the action(s) specified in the associated worm policy.

■ Treat as an allowed sender (Sender Groups): Process using the action(s) specified in the domain-based Allowed Senders List. Applies even if the domain-based Allowed Senders List is disabled.

■ Treat as a virus (Sender Groups): Process using the action(s) specified in the associated virus policy.

■ Treat as spam (Sender Groups): Process using the action(s) specified in the associated spam policy.

■ Treat as suspected spam (Sender Groups): Process using the action(s) specified in the associated suspected spam policy.
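Defer SMTP connection and Reject SMTP connection differ from every other action in Table 2-2 in that they are answered at the SMTP connection, before any message data exists. That is also why they are unavailable for the domain-based lists and for sender authentication: a domain or an SPF/Sender ID result is only known once MAIL FROM and the headers have been read. The following Python block is an added example, not code from the appliance, that makes this connection-time decision for a peer IP using IP-based Sender Groups and refuses, at configuration time, the combinations the table rules out. The list contents, CIDR ranges, rule order and the 451/554 reply texts are constructed for the example; the real reply strings are the ones you configure in the Control Center.

```python
"""Connection-time decision for the inbound MTA.

Added example; not code from the appliance.  It applies the Defer SMTP
connection (4xx) and Reject SMTP connection (5xx) actions of Table 2-2
to a connecting IP using IP-based Sender Groups, and enforces the
documented restriction that these two actions are unavailable for the
domain-based Blocked/Allowed Senders lists and for sender authentication,
which need message data (MAIL FROM, headers) that does not exist yet
when the connection is accepted.  The list contents, address ranges,
ordering and SMTP response texts are constructed for the example.
"""
import ipaddress

# Connection-level actions and a constructed SMTP reply for each.
CONNECTION_ACTIONS = {
    "Defer SMTP connection": "451 4.7.1 Please try again later",  # 4xx: temporary
    "Reject SMTP connection": "554 5.7.1 Connection refused",     # 5xx: permanent
}
# Sender Groups evaluated from message data rather than the peer IP.
MESSAGE_LEVEL_GROUPS = {
    "Blocked Senders (Domain-based)",
    "Allowed Senders (Domain-based)",
    "Sender authentication",
}
GREETING = "220 mail.example.com ESMTP"


class SenderGroupRule:
    """One Sender Group with its member list and configured action."""

    def __init__(self, group, entries, action):
        if action in CONNECTION_ACTIONS and group in MESSAGE_LEVEL_GROUPS:
            raise ValueError(f"{action!r} cannot be used with {group}")
        self.group = group
        self.action = action
        if group in MESSAGE_LEVEL_GROUPS:
            self.entries = {e.lower() for e in entries}                 # domain names
        else:
            self.entries = [ipaddress.ip_network(e) for e in entries]  # IPs or CIDR blocks

    def matches_ip(self, client_ip):
        """True if the peer address is in this group; domain groups never match here."""
        if self.group in MESSAGE_LEVEL_GROUPS:
            return False
        address = ipaddress.ip_address(client_ip)
        return any(address in network for network in self.entries)


def decide_connection(rules, client_ip):
    """Answer the SMTP connection from client_ip.

    Rules are checked in list order and the first IP match wins.  A match whose
    action is not a connection action lets the session continue; the group is
    recorded so the Filtering Engine can apply the action to the message later.
    """
    for rule in rules:
        if rule.matches_ip(client_ip):
            if rule.action in CONNECTION_ACTIONS:
                return {"accept": False, "group": rule.group,
                        "response": CONNECTION_ACTIONS[rule.action]}
            return {"accept": True, "group": rule.group, "response": GREETING}
    return {"accept": True, "group": None, "response": GREETING}


# Constructed sample configuration.
SAMPLE_RULES = [
    SenderGroupRule("Allowed Senders (IP-based)", ["192.0.2.0/24"], "Deliver message normally"),
    SenderGroupRule("Blocked Senders (IP-based)", ["198.51.100.7"], "Reject SMTP connection"),
    SenderGroupRule("Suspected Spammers", ["203.0.113.0/24"], "Defer SMTP connection"),
    SenderGroupRule("Blocked Senders (Domain-based)", ["spam.example"], "Delete message"),
]


def misconfigured_rule_rejected():
    """Show that Reject on a domain-based list is refused at configuration time."""
    try:
        SenderGroupRule("Blocked Senders (Domain-based)", ["spam.example"], "Reject SMTP connection")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.7", "203.0.113.9", "10.0.0.1"):
        print(ip, decide_connection(SAMPLE_RULES, ip))
    print("domain-based + Reject refused:", misconfigured_rule_rejected())
```

The choice between the two codes matters operationally: a 4xx reply makes a well-behaved sending MTA queue and retry, so it suits reputation lists such as Suspected Spammers where you want to slow a source rather than lose legitimate mail, while a 5xx reply is final and belongs on lists you curate yourself.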

Multiple actions per verdict

Within a filtering policy, you can create compound actions, performing multiple actions for a particular verdict.

When more than one filtering policy applies to a message, Symantec Mail Security uses special logic to combine actions from different filtering policies. However, this section covers combining actions within one filtering policy.

An example follows:

1. Defining a virus policy, the administrator selects the Virus verdict and then assigns the actions Clean, Add annotation, and Send notification to the policy.

2. Defining a Group Policy, the administrator assigns members and then selects the new virus policy.

3. An email message is received whose recipients include someone in the new Group Policy.

4. Symantec Mail Security cleans the message, annotates it, delivers it, and then sends a notification to its intended recipients.

Verdict and action combinations

Symantec Mail Security offers the ability to combine multiple actions for different verdicts on the same message. This capability provides advantages over a model in which only one verdict for a message can result in actions. For example, suppose a spam message also contains a virus, and your policies specify quarantining of spam messages and cleaning of viruses. Instead of cleaning the virus and delivering the spam to user inboxes, Symantec Mail Security cleans the virus and holds the cleaned spam message in Spam Quarantine. Or, if your policies specify modification of the subject line of spam messages and cleaning of viruses, Symantec Mail Security cleans the virus from the message and modifies the subject line.

Other types of messages can be affected by more than one filtering policy. A message can meet the criteria for two different content compliance policies. Or, the same spam message could contain a virus and meet the criteria for several content compliance policies. Symantec Mail Security combines the various filtering policies to determine which actions should be taken on the message.

In order to implement multiple actions, Symantec Mail Security includes sophisticated processing logic that resolves potential conflicts between actions automatically. In general, there is no need to worry about how actions will combine between your filtering policies. However, remember that a particular message can match multiple filtering policies, and therefore the actions that result for a message may not match your expectations. This section explains the basics of how actions from different policies can combine.

What happens to a message depends on the particular combination of actions applied to that message by the one or more policies that affect the message. In other words, actions combine with each other (or not, in some cases) based solely on action types. The kind of policy that called for the action has no impact on processing. The order in which actions are listed in the Control Center has no impact on processing.

For example, you create a compliance policy to take action on messages that contain two or more words from your Profanity custom dictionary in the subject, body, or attachments of the message. You only use this policy for your Sales group. The action you specify for these messages is Delete message. Your default virus policy specifies the action Clean the message, and your default spam policy specifies the action Modify the subject line, placing [SPAM] before the subject line text. Your Sales group uses the default virus and spam policies. A spam message addressed to a member of your Sales group arrives containing three words from your Profanity dictionary, and also containing a virus. What happens to that message?


Because one of the actions specified is Delete message, Symantec Mail Security deletes the message and does not apply the other actions. In most cases, the Delete message action prevents other actions from taking place. However, what if the compliance policy did not apply, because the message contained only one word from your Profanity dictionary? In that case, the message is cleaned and delivered to the user's inbox with [SPAM] prepended to the subject line.

Many types of actions from different policies can be combined for the same message.

See "Limits on combining actions" on page 423.

Multiple content compliance policies

When more than one content compliance policy applies to a message, some of the actions specified may not happen.

■ The order of policies on the Email Content Compliance Policies page determines content compliance policy priority. Higher priority content compliance policies appear higher up in the list.

■ Actions specified for the highest priority content compliance policy that applies to a message do happen, according to the rules for combining actions.

■ For the other content compliance policies that apply to the message, the only actions that can happen are Send notification and Create an incident (without holding for review) actions.
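The combination rules described above (Delete message suppressing other actions, Clean the message and Modify the subject line applying together, and only the highest-priority matching content compliance policy keeping its full action list), encoded as a small Python model. This is an added example written for this page, not Symantec Mail Security code, and it covers only the behaviour the guide states; the exceptions under "Limits on combining actions" are not modelled. The policy names, the Profanity dictionary words, the [LEGAL] tag, the quarantine action label and the three sample messages are all constructed for the example.

```python
"""Toy model of how actions from several matching policies combine on one message.
Added for this page, not Symantec Mail Security code: it encodes only the rules the
guide states here.  Policy names, dictionary words, tags and messages are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field, replace
from typing import Callable, List, Optional

# Action types worded as in the guide (the quarantine label is ours).
DELETE = "Delete message"
CLEAN = "Clean the message"
MODIFY_SUBJECT = "Modify the subject line"
QUARANTINE = "Hold message in Spam Quarantine"
NOTIFY = "Send notification"
INCIDENT = "Create an incident"            # without holding for review
SECONDARY_ALLOWED = {NOTIFY, INCIDENT}     # all a lower-priority compliance policy may do
Action = namedtuple("Action", "kind arg", defaults=[""])   # arg: text prepended to the subject

@dataclass
class Message:
    subject: str
    body: str
    recipient_group: str
    is_spam: bool = False
    has_virus: bool = False

@dataclass
class Policy:
    name: str
    actions: List[Action]
    applies: Callable[[Message], bool]

@dataclass
class Outcome:
    disposition: str                       # "deleted", "quarantined" or "delivered"
    message: Optional[Message] = None      # final message state; None when deleted
    notifications: List[str] = field(default_factory=list)
    incidents: List[str] = field(default_factory=list)

def _text(m: Message) -> str:
    return f"{m.subject} {m.body}".lower()

def word_hits(m: Message, dictionary) -> int:   # words of subject+body found in a dictionary
    return sum(1 for w in _text(m).split() if w.strip(".,!") in dictionary)

def collect_actions(m, spam_policy, virus_policy, compliance_policies):
    """(policy name, Action) pairs from every policy that applies.  compliance_policies is
    in Email Content Compliance Policies page order (first = highest priority); only the
    first match keeps its full action list, the rest only notify or create an incident."""
    pairs = []
    if m.is_spam:
        pairs += [(spam_policy.name, a) for a in spam_policy.actions]
    if m.has_virus:
        pairs += [(virus_policy.name, a) for a in virus_policy.actions]
    for rank, p in enumerate([p for p in compliance_policies if p.applies(m)]):
        pairs += [(p.name, a) for a in p.actions if rank == 0 or a.kind in SECONDARY_ALLOWED]
    return pairs

def resolve(m, spam_policy, virus_policy, compliance_policies) -> Outcome:
    """Combine actions by type alone; the requesting policy and listing order are ignored."""
    pairs = collect_actions(m, spam_policy, virus_policy, compliance_policies)
    # Delete message wins.  The guide says "in most cases"; the exceptions listed under
    # "Limits on combining actions" are not modelled here.
    if any(a.kind == DELETE for _, a in pairs):
        return Outcome("deleted")
    out = Outcome("delivered", replace(m))
    for name, a in pairs:
        if a.kind == CLEAN:
            out.message.has_virus = False
        elif a.kind == MODIFY_SUBJECT:
            out.message.subject = a.arg + out.message.subject
        elif a.kind == QUARANTINE:
            out.disposition = "quarantined"    # the cleaned message is what gets held
        elif a.kind == NOTIFY:
            out.notifications.append(name)
        elif a.kind == INCIDENT:
            out.incidents.append(name)
    return out

# Constructed policies: the guide's Sales example plus two non-deleting compliance policies.
PROFANITY = {"damn", "hell", "crap"}
SPAM_POLICY = Policy("Default spam", [Action(MODIFY_SUBJECT, "[SPAM] ")], lambda m: m.is_spam)
VIRUS_POLICY = Policy("Default virus", [Action(CLEAN)], lambda m: m.has_virus)
COMPLIANCE_POLICIES = [                    # page order = priority order
    Policy("Sales profanity", [Action(DELETE)],
           lambda m: m.recipient_group == "Sales" and word_hits(m, PROFANITY) >= 2),
    Policy("Legal hold", [Action(MODIFY_SUBJECT, "[LEGAL] "), Action(NOTIFY)],
           lambda m: "contract" in _text(m)),
    Policy("Customer data", [Action(QUARANTINE), Action(NOTIFY), Action(INCIDENT)],
           lambda m: "ssn" in _text(m)),
]

def run_examples() -> dict:
    """The guide's two Sales cases plus one message that matches both non-deleting policies."""
    cases = {
        "three_profanities": Message("Free pills damn hell crap", "Click now.", "Sales", True, True),
        "one_profanity": Message("Free pills damn", "Click now.", "Sales", True, True),
        "two_compliance": Message("Q3 numbers", "Contract attached with the SSN list.", "Finance"),
    }
    return {k: resolve(v, SPAM_POLICY, VIRUS_POLICY, COMPLIANCE_POLICIES) for k, v in cases.items()}
```

The first two cases reproduce the guide's Sales example: three Profanity hits give "deleted" with nothing else applied, one hit gives a cleaned message delivered with [SPAM] prepended. The third case shows the compliance priority rule: "Legal hold" sits higher on the page, so its subject tag and notification happen, while the lower "Customer data" policy only sends its notification and creates its incident; its quarantine action is dropped. Passing the compliance list in reverse order to resolve() moves the quarantine to the top and the message is held instead, which is exactly why the order on the Email Content Compliance Policies page matters.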

Spyware or adware verdict details

Symantec Mail Security can detect security risks. Symantec Mail Security applies the spyware or adware verdict to all security risks. Security risks are programs that do any of the following:

■ Provide unauthorized access to computer systems

■ Compromise data integrity, privacy, confidentiality, or security

■ Present some type of disruption or nuisance

These programs can put your employees and your organization at risk for identity theft or fraud by logging keystrokes, capturing email and instant messaging traffic, or harvesting personal information, such as passwords and login identifications. Security risks can be introduced into your system unknowingly when users visit a Web site, download shareware or freeware software programs, click links or attachments in email messages, or through instant messaging clients. They can also be installed after or as a by-product of accepting an end user license agreement from another software program related to or linked in some way to the security risk.

Table 2-3 lists the categories of security risks that Symantec Mail Security detects. Each of these risks can cause a verdict of spyware or adware.

Table 2-3 Security risk categories included in spyware or adware verdict

■ Adware: Stand-alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user's knowledge. Adware might monitor browsing habits for advertising purposes. It can also deliver advertising content.

■ Hack tools: Programs used to gain unauthorized access to a user's computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. The remote user can perform port scans or vulnerability scans. Hack tools might also be used to create viruses.

■ Dialers: Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

■ Joke programs: Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycling Bin away from the mouse when the user tries to click on it.

■ Remote access programs: Programs that let a remote user gain access to a computer over the Internet to gain information, attack, or alter the host computer.

■ Spyware: Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and then relay the information back to a remote computer.

Creating groups and adding members

You can specify configurable message management options for an unlimited number of user groups which you define. Groups collect the spam, virus, and compliance verdicts and actions for a set of users.
