AT&T Secure Email Gateway (SEG) Administrator Guide Updated: Oct 2011 Proprietary and Confidential


RESTRICTION ON USE, PUBLICATION, OR DISCLOSURE OF PROPRIETARY INFORMATION. Copyright © 2011

AT&T Information in this and other associated documents is subject to change without notice. Companies, names, and data used in examples are fictitious unless otherwise noted. This document is confidential and proprietary. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of AT&T. The software described in this document is furnished under a license agreement and may be used or copied only in accordance with the terms of such license and with the inclusion of the AT&T copyright notice. This publication could include technical inaccuracies or typographical errors. This publication is provided "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Oct. 2011 Proprietary: Not for use or disclosure outside AT&T without written permission

Contents

1. Overview
    Account Management Necessary for Secure Email Gateway (SEG)
    Auto-creation of Users
    Email Filtering Policies
    Types of Inbound Email Filtering
        Anti-Spam Filtering
        Real-time Blackhole List
        Anti-Virus Filter
        Content Filtering and ClickProtect
        Attachment Filtering
        Multi-Level Allow and Deny Lists
    Types of Outbound Email Filtering
    Configurable Actions for Filtered Email
        Notifications for Filtered Email
    User-level Policy Configurations
    Quarantine
        Emailed Reports of Quarantined Spam Emails
    Customizing the Interface
    Outbound Disclaimer
    Notifications
    Monitoring and Reporting
    Disaster Recovery Services
    Message Continuity

2. Secure Email Gateway (SEG) Administration
    Who Can Access Secure Email Gateway (SEG) Administration Screens


    Ensure You Can Receive Email from Your Service Provider
    Sign into the Control Console
    Reset Your Password from the Sign in Page

3. Status of Secure Email Gateway (SEG) on the Overview

4. Set up Your Servers
    Confirm Your Inbound Servers Setup
    Set up Additional Inbound Servers
    Delete an Inbound Server
    Add IP Address of Outbound Server, If Necessary
    Delete an Outbound Server
    Set up a Smart Host (If Outbound Mail Defense is Turned on)
    Add an Outbound Email Disclaimer
    Redirect Your MX Records
    Set up User Creation Mode — SMTP Discovery or Explicit

5. Customize Inbound Mail Filters
    Create a Custom Policy
    Configure a Virus Filter
    Set Secure Email Gateway (SEG) to Notify Users about Emails with Viruses
    Configure a Spam Filter
    Define the Action to Take on Spam
    Define Additional Words That Indicate Spam
    Set up Spam Quarantine Reports
    Configure a Content Filter


    Turn Off a Default Content Filter
    Custom Content Group
    Notify Users about Spam Content
    Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons
    Configure Web Hyperlink Filters (ClickProtect)
        Upload a List of Allowed URLs
        Download a List of Allowed URLs from the Control Console
    Define an Attachment Filter
    Filter by Attachment File Types
    Filter by Attachment File Name
    Filter Zip File Attachments
    Notify Users about Attachment Violations
    Allow or Deny Email to or from Specific Addresses
    Allow Email from a Specific Address
        Sender Policy Framework (SPF)
    Deny Email from a Specific Address
    Deny Email to a Specific Recipient
    Save a Copy of an Allow, Deny, or Recipient Shield List
    Add Allow, Deny, or Recipient Shield Addresses with a Batch File
    Transport Layer Security
    Enforced TLS tab
        Notifications Subtab
    Define the Format and Text of Notifications to Users
    Variables within a Notification
    Define the Format and Text of Virus Notifications
    Define the Format and Text of Content Violation Notifications
    Define the Format and Text of Attachment Violation Notifications
    Enforced TLS
    Enforced TLS Subject Headers
    Disaster Recovery
    Assign a Group to the Custom Policy

6. Customize Outbound Mail Filters
    Create a Custom Outbound Policy
    Configure a Virus Filter
    Configure a Content Filter
    Email Encryption for Content Groups
        Group Names
    Define an Attachment Filter
    Define the Format and Text of Notifications to Users


    Assign a Group to the Custom Policy

7. Managing Quarantine Reports
    Set up Quarantine Reports
    Monitor Users’ Quarantined Email
    Primary Email Addresses, Aliases, and Public Domain Addresses
    Search for Quarantined Email
    Interpret the Search Results
    Sort the Search Results
    Delete Quarantined Messages
    Release Quarantined Messages
    View Quarantines Messages
    Monitor Your Own Quarantine

8. Set up Disaster Recovery Services
    Administer Disaster Recovery Services
    Set up Spooling for Disaster Recovery
    Set up Notifications of Disaster Recovery

9. System Reports
    Secure Email Gateway (SEG) Reports
    View an Secure Email Gateway (SEG) Report
        Change the Graphic Display of the Report
        Download a Report
    Traffic Overview
    Traffic: TLS Report
        Traffic Summary
        Bandwidth Summary
    Traffic: Encryption
        Email Encryption Summary
        Email Encryption Bandwidth Summary
    Threats: Overview
    Threats: Viruses
    Threats: Spam
    Threats: Content
    Threats: Attachments
    Enforced TLS Details


        Traffic Summary
    ClickProtect: Overview
    ClickProtect: Click Log
    Quarantine: Release Overview
    Quarantine: Release Log
    View Details of Log Items
    User Activity
    Event Log
    Audit Trail
    Inbound Server Connections
    Disaster Recovery: Overview
    Disaster Recovery: Event Log
    Administer Performance Reports
    Performance Report Descriptions
        Inbound Messages Report, Weekly or Monthly
        Outbound Messages Overview

10. Tips and Frequently Asked Questions
    FAQs
        User Management
        Email Filtering
        System Configuration
    Tips/Techniques
        Change Zip File Attachment Policy
        Wrong Email Got Past Filter


1. Overview

Secure Email Gateway (SEG) provides security services that safeguard corporations from unsolicited spam email ("junk mail"), viruses, worms, and unwanted content at the network perimeter before they can enter the internal network.

Multiple layers of Secure Email Gateway (SEG) provide secure and complete email filtering to protect your users. You can enable or disable specific layers by changing the licensed packages of features and/or through configuring the specific email policies in the Control Console, the comprehensive graphical interface into Secure Email Gateway (SEG).

This document describes the tasks necessary to configure and maintain your Secure Email Gateway (SEG) Service.

Account Management Necessary for Secure Email Gateway (SEG)

Account Management is a set of administrative screens you use to configure and manage the entities that use or are affected by your Secure Email Gateway (SEG) Service:

• Domains
• Users
• Other administrators, including other Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers

In addition, you use Account Management to administer groups of users that share a common email filtering policy.


Alias Domain Names

You can configure "alias" domain names that act as virtual domains using the configurations and email addresses defined in the primary Domain name. Email addresses are created automatically for alias domains (for example, "[email protected]" is automatically created for "[email protected]"), allowing the single user to receive email for both addresses.

Auto-creation of Users

Secure Email Gateway (SEG) automatically creates new user accounts if all of the following are true:

• SMTP Discovery is enabled. SMTP Discovery, which is enabled by default, is a convenient way to add users to your service. However, this capability might also add users who are not real users at your company and not add users who are real.
• Three to six emails for that email address have been received, passed filtering, and been accepted by your email server within a configured time period (typically, a single day).
• A user account does not exist for the email address in the designated Domain.
• The emails were not addressed to an alias domain name.

Email Filtering Policies

Secure Email Gateway (SEG) has default inbound and outbound mail filters to block and clean malicious email and to quarantine email that might be malicious. The filters are configured by using policies, which are the parameters for the filters. Default policies are automatically assigned to each of your domains.

You can customize the default inbound policy for any and each domain, or any and each group, to fit your business needs.


Types of Inbound Email Filtering

Secure Email Gateway (SEG) can filter both inbound and outbound email. Inbound filtering that is available to be configured is as follows:

• Anti-Spam Filtering
• Real-time Blackhole List
• Anti-Virus Filter
• Content Filtering and ClickProtect
• Attachment Filtering
• Multi-Level Allow and Deny Lists

Anti-Spam Filtering

Spam is usually defined as unsolicited (and usually unwanted) and commercial email sent to a large number of addresses. However, what one recipient may consider as spam, another recipient would consider as legitimate email.

In addition, spam has become a tool of hackers and "electronic terrorists" who deliberately attempt to gather proprietary information from computer systems and/or attempt to cause harm to a company's email system. Typically, these types of spammers deliberately use naming standards, hijacked "From:" addresses, scrambled content, etc., to bypass spam filters such as blacklists and keyword lists.

Using Stacked Classification Framework®, Secure Email Gateway (SEG) provides the most comprehensive and effective spam-blocking product on the market today—blocking 98% of spam and providing an industry-leading low false positive rate (legitimate email marked as spam).

The Stacked Classification Framework aggregates the most effective spam filters and techniques in the industry into a spam likelihood. As appropriate, email is assigned a "high" or "medium" likelihood of being spam. A separate email action can be assigned to each likelihood.

The spam classification techniques include the following:

Spam Filter Type: Description

IP Reputation Connection Manager: This filter operates at the front of the Stacked Classification Framework. It rates the reputation of every incoming email, based on IP reputation data collected by Secure Email Gateway (SEG) on an on-going basis. Connections are dropped for all messages which originate from IP addresses that are determined to carry a reputation for sending spam.


Bayesian Statistical Filtering: Statistical algorithms built by your Secure Email Gateway (SEG) identify and quantify the possibility that an email is spam based on how often elements in that email have appeared in identified spam emails.

Industry Heuristics: Secure Email Gateway (SEG) incorporates thousands of successful industry-wide spam-fighting rules to recognize characteristics of spam.

Proprietary Heuristics: Secure Email Gateway (SEG) experts write and update thousands of proprietary rules to block spam, including fraudulent "phishing" spam, using real-time data from your service provider's Threat Center.

URL Filtering: URL filtering works by comparing embedded links found in emails with URLs associated with identified spam.

Reputation Analysis: Secure Email Gateway (SEG) constantly monitors inbound email to build a list of IP addresses and domain names to rate the reputation of the sender based upon the percentage of spam emails received from that address in the past.

Reputation-Based RBL Filtering: Using up to 31 real-time blackhole lists (RBLs) of known spammers provided by the industry, Secure Email Gateway (SEG) creates a single RBL indicator to help gauge the likelihood of an email being sent by a known spammer. Using multiple blacklists to create a single vote, and rating the reputation of each RBL based on its accuracy at distinguishing spammers from senders of legitimate email, helps to minimize the possibility of a non-spammer being blocked by mistake.

Sender Policy Framework (SPF): The SPF classifier helps identify and block fraudulent "spoofing" emails – those sent by spammers with forged "From" addresses – from entering your email network. For each inbound email, the SPF classifier will look up the sending domain's Domain Name System (DNS) record and its list of authorized IP addresses. Emails that carry an IP address not found on the authorized list will be included within the Stacked Framework Classification System for the detection of spam. By determining whether or not the relationship between the DNS record and the IP address is legitimate, Secure Email Gateway (SEG) is able to more accurately filter out fraudulent spoofed emails. As a result, this reduces the risk for users who might be duped by the email into divulging confidential personal information.
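An added example of the SPF check described in the table above (not code from this guide or from Secure Email Gateway): it compares a connecting IP address with the authorized list in a domain's SPF record and reports whether the result should feed the spam classifier. It assumes constructed records held in a dictionary instead of live DNS, evaluates only the ip4, ip6, include and all terms of RFC 7208, and the names check_spf, spf_indicator and SAMPLE_DNS are hypothetical.

```python
import ipaddress

# Constructed sample TXT records; the example.* names and the addresses are
# documentation placeholders, not values from the guide.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.17 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # guard against include loops (RFC 7208 also limits lookups)


def check_spf(ip, domain, dns=SAMPLE_DNS, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for ip sending as domain."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = dns.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # the domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:                 # terms are evaluated left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(ip, value, dns, depth + 1)
            if inner == "pass":            # only a pass of the included record matches
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        # a, mx, exists, ptr and modifiers need live DNS and are skipped here.
    return "neutral"


def spf_indicator(ip, sender, dns=SAMPLE_DNS):
    """True when the IP is not on the sender domain's authorized list.

    As in the guide, this is an input to spam classification, not a verdict.
    """
    domain = sender.rsplit("@", 1)[-1]
    return check_spf(ip, domain, dns) in ("fail", "softfail")
```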

Real-time Blackhole List

The Real-time Blackhole List (RBL) is a system for creating intentional network outages ("blackholes") for the purpose of limiting the transport of known-to-be-unwanted mass email. The RBL is a database of IP addresses that are reported to be spam sources.


Anti-Virus Filter

Secure Email Gateway (SEG) provides highly effective, organization-wide virus and worm protection. By identifying viruses and worms at your network perimeter—before they enter or leave your messaging infrastructure—Secure Email Gateway (SEG) minimizes outbreak and infection risks to your enterprise messaging infrastructure. You can configure whether infected emails are quarantined, denied, or stripped of infection.

• Provides maximum protection using multiple, industry-leading anti-virus engines to allow Secure Email Gateway (SEG) to customize the protection to meet the latest threats.
• Virus definition updates every 5 minutes provide up-to-the-minute defense against the latest threats.
• Provides safe, external virus scanning and quarantine management for protection against viruses before they reach your network. Protects your users, networks, and data from harm.

Content Filtering and ClickProtect

Secure Email Gateway (SEG) protects your organization and reduces liability and risk by automatically identifying unwanted and malicious content before it enters or leaves your network.

You can enable any of the following types of content filtering:

Content Filter Type: Description

Predefined Content Keyword Groups: You can enable or disable predefined content keyword groups provided by Secure Email Gateway (SEG):

• Profanity
• Sexual Overtones
• Racially Insensitive

Customized Content Keyword Groups: You can define customized content keyword groups containing terms and phrases to satisfy the business and security requirements of your organization.

Multiple Levels of HTML Filtering: You can designate the level of HTML filtering to be used (low, medium, or high), with predefined actions for each level. Depending on the level, malicious HTML tags and scripting options embedded in email are stripped.

Graphic Image Replacement: You can enable or disable the automatic replacement of images with a transparent 1x1 pixel GIF within HTML emails.


Stripping of Spam Beacons or Web bugs: "Spam beacons" and "web bugs" are typically transparent, 1x1 pixel graphics embedded in HTML content that send information about your system to the source (usually a URL) of the spam beacon or web bug. Typically, web bugs are used on Web sites to monitor surfing behavior, but now spammers are hiding them in their mass mailings as spam beacons. If the graphic is not removed before an email is opened, the spam beacon sends a signal back to the spammer's URL that lets the spammer know whether the email was opened and if the recipient's email address is valid. If the spammer gets this signal, the recipient is marked as a "valid" email address and is guaranteed to receive more spam in the future.

You can enable or disable the automatic stripping of spam beacons or Web bugs within HTML emails.

Disabling hyperlinks within email with ClickProtect(SM): ClickProtect allows you to monitor Web hyperlinks received in emails and to enable or disable whether the user can click and follow them. With multiple levels of ClickProtect policy control, Administrators can customize the desired level of protection. This feature supports blocking phishing sites and accidental downloads of viruses and worms.
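An added example of the spam beacon stripping described in the table above (not code from this guide or from Secure Email Gateway): it removes img tags whose width and height, taken from attributes or inline style, are both 1 pixel or less, and passes the rest of the HTML through unchanged. The 1x1 rule follows the guide's description; the names strip_beacons and BeaconStripper and the sample message are assumptions.

```python
import re
from html.parser import HTMLParser

_PIXELS = re.compile(r"\s*(\d+)\s*(?:px)?\s*", re.I)
_STYLE_DIM = re.compile(
    r"(?:^|;)\s*(width|height)\s*:\s*(\d+)\s*(?:px)?\s*(?=;|$)", re.I)


def _dimensions(attrs):
    """Collect pixel width/height from attributes and inline style (smallest wins)."""
    dims = {}
    for key in ("width", "height"):
        match = _PIXELS.fullmatch(attrs.get(key) or "")
        if match:
            dims[key] = int(match.group(1))
    for key, value in _STYLE_DIM.findall(attrs.get("style") or ""):
        key = key.lower()
        dims[key] = min(dims.get(key, int(value)), int(value))
    return dims


class BeaconStripper(HTMLParser):
    """Re-emit the HTML it is fed, leaving out 1x1 (or smaller) images."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []       # pieces of the cleaned document
        self.removed = []   # src URLs of the stripped beacons, for logging

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            dims = _dimensions(attrs)
            if dims.get("width", 2) <= 1 and dims.get("height", 2) <= 1:
                self.removed.append(attrs.get("src"))
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # The raw text already carries the trailing "/>", so emit it only once.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_beacons(html):
    """Return (cleaned_html, removed_beacon_urls)."""
    parser = BeaconStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message body: two tracking pixels and one ordinary image.
SAMPLE_HTML = (
    '<html><body><p>Spring sale &amp; more</p>'
    '<img src="http://tracker.example/open?id=abc123" width="1" height="1">'
    '<img src="http://cdn.example/logo.png" width="120" height="40">'
    '<img src="http://tracker.example/px.gif" style="width:1px; height:1px"/>'
    '</body></html>'
)
```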

Attachment Filtering

Secure Email Gateway (SEG) provides you the ability to control the types and sizes of allowed attachments entering your email network. You can control attachment filtering using any of the following:

| Attachment Filter Type | Description |
| --- | --- |
| Attachment Filtering by File Type | You can enable or disable filtering of attachments by file type. File type is determined using the file extension, MIME content type, and binary composition. |
| Attachment Filtering by Size | You can designate a maximum allowed size for each enabled attachment type. |
| Custom Attachment Rules by Filename | You can configure custom rules using filenames that override the "global" settings for an attachment file type. You can designate that the rule use the entire filename or any part of the filename. |
| Filtering for Files Contained within a Zip File Attachment | You can configure custom rules to cause Secure Email Gateway (SEG) to analyze the files within a zip file attachment, if possible, to determine if a file in the zip file violates attachment policies. If the zip file cannot be analyzed, you can designate the email action to be applied. |
| Encrypted or "High Risk" Zip File Attachment Rules | You can configure custom rules for emails with encrypted zip files and/or zip files that are considered "high risk" (too large, too many nested levels, etc.). |
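The zip rules in the two rows above, as an added Python example that is not part of the guide and not SEG's implementation: it classifies a zip attachment as encrypted, too large, too deeply nested, unanalyzable, or carrying a blocked file type. The limits, the blocked extensions, the mapping of findings to actions, and the sample archives are assumptions, since the guide names the categories but gives no values.

```python
import io
import os
import zipfile

# Assumed values for illustration only.
MAX_DEPTH = 2                        # levels of zip-inside-zip that are opened
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # uncompressed bytes across all levels
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs"}


def inspect_zip(data, depth=1, budget=None):
    """Return the sorted findings for one zip attachment given as bytes."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]   # mutable so nested archives share it
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unanalyzable"]
    findings = set()
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
                findings.add("encrypted")
                continue
            budget[0] -= info.file_size       # declared size, checked before reading
            if budget[0] < 0:
                findings.add("too-large")
                break
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in BLOCKED_EXTENSIONS:
                findings.add("blocked-type:" + ext)
            if ext == ".zip":
                if depth >= MAX_DEPTH:
                    findings.add("too-many-levels")
                    continue
                try:
                    inner = archive.read(info)  # zipfile stops at file_size bytes
                except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
                    findings.add("unanalyzable")
                    continue
                findings.update(inspect_zip(inner, depth + 1, budget))
    return sorted(findings)


def choose_action(findings):
    """Map findings to one of the guide's email actions (assumed mapping)."""
    if not findings:
        return "allow delivery"
    if all(f.startswith("blocked-type:") for f in findings):
        return "strip attachment"
    return "quarantine"


def build_zip(entries):
    """Build an in-memory zip from {name: bytes} (stored, not compressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, payload in entries.items():
            archive.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(data):
    """Set the encryption flag in the first central-directory entry."""
    patched = bytearray(data)
    pos = patched.find(b"PK\x01\x02")   # central directory file header
    patched[pos + 8] |= 0x01            # low byte of the general-purpose flags
    return bytes(patched)


# Constructed samples, built in memory.
SAMPLES = {
    "clean": build_zip({"report.txt": b"quarterly numbers"}),
    "dropper": build_zip({"docs/readme.txt": b"hi", "setup.exe": b"MZ constructed"}),
    "nested": build_zip({"a.zip": build_zip({"b.zip": build_zip({"c.txt": b"x"})})}),
}
SAMPLES["encrypted"] = mark_encrypted(SAMPLES["clean"])

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        found = inspect_zip(blob)
        print(name, found, "->", choose_action(found))
```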

Aggregate Message Size

You can limit the aggregate size of e-mails in 10MB increments up to the maximum

100 MB limit.

Multi-Level Allow and Deny Lists

Secure Email Gateway (SEG) allows you to define lists of emails that will always be denied ("blacklists") or will always be accepted ("whitelists") at multiple levels. In addition, you can enable a third-party Real-time Blackhole List to be used to filter unwanted emails.

The administrator-level lists override the user-level lists in a top-down manner: global lists

first, policy set lists next and lastly user-level lists. For example, if the same address is

added to a user-level Allow list and the policy set Deny list, the address is always denied.

At the same level, the Allow list overrides the Deny list. For example, if you designate a

range of email addresses (for example, by designating an entire domain) in the Deny list,

but then designate a single email address from that domain in the Allow list, the email

from that single address will be always accepted while the email from any other address in

the domain in the Deny list will be always denied.

The same address string cannot be added multiple times in the same list or added to both

the Allow and Deny lists.
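The precedence rules above, as an added Python example that is not part of the guide and not SEG's implementation: levels are checked top-down, Allow is checked before Deny within a level, and the same string may not appear twice in one level. The `*` wildcard syntax, the treatment of a bare domain entry, and the sample lists are assumptions; the filters an Allow match bypasses follow the list descriptions in the table below.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Filters an Allow match bypasses at each level. Virus filtering is never
# bypassed by a list.
ALLOW_BYPASSES = {
    "policy_set": {"spam", "content", "attachment"},
    "user": {"spam"},
}


@dataclass
class ListLevel:
    name: str
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)


def validate_level(level):
    """Reject a string listed twice in one list or in both Allow and Deny."""
    seen = set()
    for entry in level.allow + level.deny:
        key = entry.strip().lower()
        if key in seen:
            raise ValueError(f"{level.name}: {entry!r} is listed more than once")
        seen.add(key)


def entry_matches(entry, sender, ip=None):
    """Match one list entry against the sender address, its domain, or its IP.

    Assumed syntax: '*' is a wildcard; an entry without '@' is a domain or IP.
    fnmatch also treats '?' and '[...]' as patterns.
    """
    entry = entry.strip().lower()
    sender = sender.strip().lower()
    if ip is not None and fnmatchcase(ip, entry):
        return True
    if "@" in entry:
        return fnmatchcase(sender, entry)
    return fnmatchcase(sender.rpartition("@")[2], entry)


def evaluate(sender, levels, ip=None):
    """Return (verdict, deciding_level); levels are ordered global to user."""
    for level in levels:
        validate_level(level)
        if any(entry_matches(e, sender, ip) for e in level.allow):
            return "allow", level.name   # Allow overrides Deny at the same level
        if any(entry_matches(e, sender, ip) for e in level.deny):
            return "deny", level.name    # lower levels are never consulted
    return "filter", None                # no list matched: normal filtering


def filters_bypassed(verdict, level_name):
    """Filters skipped for an allowed sender, by the level that allowed it."""
    if verdict != "allow":
        return set()
    return ALLOW_BYPASSES.get(level_name, set())


# Constructed lists using documentation domains and addresses.
LEVELS = [
    ListLevel("global", deny=["192.0.2.*"]),
    ListLevel("policy_set",
              allow=["alice@example.org"],
              deny=["example.org", "spammer@example.net"]),
    ListLevel("user", allow=["spammer@example.net", "news@example.com"]),
]

if __name__ == "__main__":
    for who in ("spammer@example.net", "alice@example.org",
                "bob@example.org", "news@example.com", "stranger@example.edu"):
        print(who, evaluate(who, LEVELS))
```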

Be aware that emails that have been quarantined by Secure Email Gateway (SEG) may

not need to be added to Deny lists because they are already being blocked from entering

your email network.

Following are the types of Allow and Deny lists that are available in Secure Email Gateway (SEG):

| Allow/Deny List Type | Description |
| --- | --- |
| Global Deny List | If your Secure Email Gateway (SEG) provider determines that a Sending SMTP has sent too many invalid incoming emails within a specified time period, it will add the IP address for that Sending SMTP to a Global Deny List for a designated time period (default is 2 hours). During the denial period, all emails received from that Sending SMTP will be automatically denied. This process helps to protect against dictionary harvest and Denial of Service attacks. This process can be disabled at the system level. |
| Policy set-level Sender Deny Lists and Sender Allow Lists | Sender Deny lists indicate sender addresses from which email is denied automatically. Sender Allow lists indicate sender addresses from which email is allowed without spam, content, or attachment filtering (virus filtering is always enabled unless specifically disabled). You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. Each policy set affects the email filtering for all user accounts in the groups that are subscribed to that policy set. |
| User-level Deny Lists and Allow Lists | Maintained by you and/or the user, Deny lists indicate sender addresses from which email is denied automatically. Allow lists indicate sender addresses from which email is allowed without spam filtering (all other enabled filtering will be applied). You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. These lists affect only the emails received for the designated user account and its alias addresses ("user-level" lists). |
| Recipient Shield List | You can define a list of recipient email addresses for which you want to specify special email actions (for example, you want to deny all emails for a user who is an ex-employee). You can also specify the email action to take if the recipient email address is invalid in your system (permfailed by your email server as an "invalid recipient"). |

Types of Outbound Email Filtering

You can add outbound filtering to each package, helping to ensure the safety and

appropriateness of information being sent from your corporate email system to valued

customers or business partners.

| Filter Type | Description |
| --- | --- |
| Content Filtering | This feature automatically prevents inappropriate, malicious, or confidential content from leaving your corporate email system, allowing you to monitor and enforce your corporate email policies. |
| Attachment Filtering | Outbound attachments can be filtered by size, by MIME content type, or by binary content, according to your corporate email policies. |
| Virus Scanning | Outbound virus scanning stops viruses and worms from leaving your corporate email system, preventing your enterprise from being the source of email-borne viruses to customers, suppliers, and partners. |

Configurable Actions for Filtered Email

In Secure Email Gateway (SEG), email filtering policies control how emails are filtered

within a specific Domain and how Secure Email Gateway (SEG) will respond during

email filtering and reporting. Depending on the feature package that is licensed for a

domain, specific email filters will be available to be enabled and configured. Also,

depending on the enabled email filter, various actions must be configured that define

how Secure Email Gateway (SEG) will respond if an email violates the specific filter

policy.

Based on the defined policy configuration, each email that violated the specified policy

can have any of the following actions taken, depending on the type of policy:

| Action | Description |
| --- | --- |
| Quarantine | The email is added to the respective quarantine area and is not sent to the recipient email address. If the email violated a spam policy, the email is reported in the user's Spam Quarantine Report. |
| Tag | The subject line of the email has a descriptive phrase (for example, "[SPAM]") added to the beginning of the subject text and the email is sent to the recipient email address. |
| Deny Delivery | The email is blocked automatically. Depending on the sending system's configuration, the email sender may or may not be notified with a 5xx Deny email. |
| Do Nothing or Allow Delivery | The email is forwarded to the recipient email address with no processing applied. The values in the reports and the Overview window will be incremented for the relevant email policy to indicate that an email did trigger the specific policy. |
| Silent Copy | A copy of the email is forwarded to a list of designated email addresses with no notification to the sender or recipient. |
| Strip Attachment | If the email had an attachment that violated configured policies, this action causes that attachment to be removed from the email and the email is sent to the recipient email address. Text is inserted into the email notifying the recipient that an attachment has been stripped. Only the attachment that violated the policy is stripped. |
| Clean | If the email had an attachment that contained a virus or worm, this action attempts to remove the virus or worm and preserve the attachment. If the clean is successful, text is inserted into the email notifying the recipient that an attachment had contained a virus and was cleaned. If this action is selected, a second "fall-back" action also must be designated in case the Clean action fails. This action is specific to the virus filtering policies. |
| Custom X-Header | If the email was determined to have a high or medium likelihood of being spam, you can configure that a custom X-header be inserted into the email. This X-header can be used by your email servers to perform additional actions within your network, such as redirecting the email. Each spam likelihood can have a different custom X-header. This action is specific to the spam filtering policies. |
| Disable Filter | A non-administrator user cannot disable virus filtering if it is licensed and enabled for a specific Domain or policy set. Only Administrators can enable or disable virus filtering for a specific Domain or policy set. You can designate that SEG first attempts to remove the virus from an infected attachment, and if the clean fails, perform another action. You can designate that only the infected attachment is stripped, and the remaining email contents and attachments are sent to the recipient. |

Notifications for Filtered Email

You can enable or disable email notifications to the sender and/or recipient email

addresses of email that was filtered because of virus, content keywords, or attachment.

For more information, see one of the following:

• Set Secure Email Gateway (SEG) to Notify Users about Emails with Viruses

• Notify Users about Spam Content

• Notify Users about Attachment Violations

User-level Policy Configurations

By default, policy configurations are defined for each domain and group. All emails

received for all user accounts within a domain or group are processed using the same

policy configurations.

Optionally, user-level policy configurations can be defined for individual users that

override the Domain/Group policies. Thus, if there is a conflict between a user-level

policy and any of the other types of policy configurations, the user-level policy setting will

be used. These user-level policy configurations allow customization of email actions for

each user.

User-level policies are confined to the following policies:

• Enable or disable email processing for spam, virus, content keyword, attachments,

and/or HTML content.

• Specify actions to take for emails if they are determined to have a high or medium

likelihood of being spam.

• Configure the spam quarantine reporting


To manage the policy for an individual user, see User-Level Policy Configuration.

To establish user control of policies, see Set up Spam Quarantine Reports.

Users also can have some control over their policies.

Quarantine

Secure Email Gateway (SEG) provides multiple quarantine areas with different

security accesses to store and support review of suspect email outside of your email

network.

Emails that violate configured policies and that have the Quarantine action applied are

sorted into multiple quarantines to ease email management and support security levels:

• Spam Quarantined Messages – Accessible to all users, with users with role of User or

Reports Manager allowed to access only their own personal spam quarantine

• Virus Quarantined Messages – Accessible to only Administrators and Quarantine

Managers

• Attachment Quarantined Messages – Accessible to only Administrators and

Quarantine Managers

• Content Keyword Quarantined Messages – Accessible to only Administrators and

Quarantine Managers

Within each quarantine, you can do any of the following:

• Delete selected emails or all emails

• Release selected emails or all emails for delivery to the recipient

• View selected email in a Safe View window

• Add the sender email addresses to the recipients' user-level Allow list and release the emails (available only for quarantined spam emails)

Emailed Reports of Quarantined Spam Emails

Optionally, emails are sent to users to indicate that spam emails have been quarantined, using either of the following types of emails:

• Spam Quarantine Report

Spam Quarantine Reports are HTML-based email notifications of quarantined spam emails that are sent to users. Multiple links in the Reports allow management of

quarantined spam email based on policy set-level and user-level configurable control

settings. When the user clicks a link, the designated action is performed and the user is

automatically logged into the Control Console.

• Spam Quarantine Summary

Spam Quarantine Summaries are optional text-based email notifications of

quarantined spam email sent to users, to support email applications that are not

HTML-compatible. The user clicks the link provided in the email and is automatically

logged into the Control Console. Once logged in, the user can navigate to the relevant

window to manage the spam quarantine and modify personal settings.

Customizing the Interface

Language Localization

Within the Control Console, windows and features available to the non-administrative

user (whose role is User) can be provided in translated form supporting multiple

languages. When the user logs in via the Sign in window, he or she can select the desired

language in the Language field. Thereafter, all spam quarantine reporting emails and

window and field labels will be provided in the designated language.

The following languages are supported:

• English

• French

• German

• Italian

• Japanese

• Spanish

This feature is available only to non-administrative user accounts. This feature must be

enabled at the system level to be available.


Outbound Disclaimer

You can define text that will be appended to the email content to support liability or legal

requirements for your organization. Every email that was sent from your organization to

Secure Email Gateway (SEG) for email filtering will have the designated text added to

the end of the email content. This feature requires that outbound filtering be licensed.


Notifications

You can customize the content of the notification email for each combination of the type

of filter and each type of email action (quarantine, deny, or strip).

See Define the Format and Text of Notifications to Users.

Monitoring and Reporting

Secure Email Gateway (SEG) provides near-real-time monitoring for most reports of

system usage, email filtering, etc., for the designated Domain and date or date range.

Report data is available to be downloaded to Microsoft Excel spreadsheet file (*.csv).

There are multiple reports available for viewing in the Control Console:

For more information, see System Reports.


Disaster Recovery Services

Message Continuity

Message Continuity saves messages for later delivery if your mail server becomes

unavailable. When your mail server becomes available, Message Continuity delivers the

messages. Users can access their messages through a Web-based interface while messages

are in Message Continuity only.

Message Continuity also has unlimited storage capacity and removes messages that have

been in Message Continuity storage for more than 60 days.

For more information, see Administer Disaster Recovery Services.


2. Secure Email Gateway (SEG) Administration

Who Can Access SEG Administration Screens

As a customer of Secure Email Gateway (SEG), you can have administrators who access the

Control Console with different levels of privileges within Account Management.

The levels of administrative users you can add are as follows:

| Administrative level | Description |
| --- | --- |
| Reports Manager | The Reports Manager can view, for an assigned domain, reports available with Secure Email Gateway (SEG). The Reports Manager can also manage his or her own user preferences and all other tasks a user can perform. |
| Group Administrator | The Group Administrator can add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create, edit, and modify Secure Email Gateway (SEG) policies for the assigned groups. Finally, a Group Administrator can view user lists and user details. A Group Administrator does not need to be a member of a group in order to have these capabilities. Note: A Group Administrator cannot add or remove a group nor edit user information. |
| Quarantine Manager | The Quarantine Manager, for an assigned domain, can manage the same areas as a Report Manager, plus manage, for the assigned domain, all users' Quarantine for spam and other problematic messages. |
| Domain Administrator | The Domain Administrator, for an assigned domain, can manage the same areas as a Quarantine Manager, plus manage server setup and authentication rules for the domain. |
| Customer Administrator | The Customer Administrator can manage all aspects of the customer's Account Management for all domains. |
| Group Administrator | The Group Administrator can, within the Group Administrator's assigned domain, add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create and modify Secure Email Gateway (SEG) policies for the assigned groups. A Group Administrator does not need to be a member of a group in order to have these capabilities. |


The following figure summarizes the levels of administrators, plus users, in a Secure Email Gateway (SEG) configuration.

Table 1: Secure Email Gateway (SEG) Screen Access Privileges

| Screen Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator |
| --- | --- | --- | --- | --- | --- |
| Overview | No | Yes | Yes | No | No |
| Policies tab | | | | | |
| Policy Sets | No | Yes | No | No | Yes |
| Anti-virus: Action | No | Yes | No | No | Yes |
| Anti-virus: Notifications | No | Yes | No | No | Yes |
| Anti-SPAM: Classification | No | Yes | No | No | Yes |
| Anti-SPAM: Content Groups | No | Yes | No | No | Yes |
| Anti-SPAM: Reporting | No | Yes | No | No | Yes |
| Content: Content Groups | No | Yes | No | No | Yes |
| Content: Custom Content Groups | No | Yes | No | No | Yes |
| Content: Notifications | No | Yes | No | No | Yes |
| Content: HTML Shield | No | Yes | No | No | Yes |
| Content: Click Protect | | Yes | No | No | Yes |
| Attachments: File Types | No | Yes | No | No | Yes |
| Attachments: File Name Policies | No | Yes | No | No | Yes |
| Attachments: Additional Policies | No | Yes | No | No | Yes |
| Attachments: Additional Notifications | No | Yes | No | No | Yes |
| Allow/Deny: Sender Allow | No | Yes | No | No | Yes |
| Allow/Deny: Sender Deny | No | Yes | No | No | Yes |
| Allow/Deny: Recipient Shield | No | Yes | No | No | Yes |
| Enforced TLS: Actions | No | Yes | No | No | Yes |
| Enforced TLS: Notifications | No | Yes | No | No | Yes |
| Notifications: Content | No | Yes | No | No | Yes |
| Notifications: Attachment | No | Yes | No | No | Yes |
| Group Subscriptions | No | Yes | No | No | Yes |
| Disaster Recovery | | Yes | No | No | Yes |
| Quarantine Tab | No | Yes | Yes | Yes | No |
| Setup Tab | No | | | | |
| Inbound Servers Setup | No | Yes | Yes | No | No |
| Outbound Servers Setup | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No |
| Outbound Disclaimer | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No |
| Disaster Recovery Setup | Yes. Either FailSafe or Message Continuity must be enabled or included in your package. | Yes | Yes | No | No |
| MX Records Setup | No | Yes | Yes | No | No |
| User Creation Settings | No | Yes | No | No | No |
| Reports tab | | | | | |
| Traffic Overview | No | Yes | Yes | Yes | No |
| Threats Overview | No | Yes | Yes | Yes | No |
| Threats: Viruses | No | Yes | Yes | Yes | No |
| Threats: Spam | No | Yes | Yes | Yes | No |
| Threats: Content | No | Yes | Yes | Yes | No |
| Threats: Attachments | No | Yes | Yes | Yes | No |
| ClickProtect: Overview | No | Yes | Yes | Yes | No |
| ClickProtect: Click Log | No | Yes | Yes | Yes | No |
| Quarantine: Release Overview | No | Yes | Yes | Yes | No |
| Quarantine: Release Log | No | Yes | Yes | Yes | No |
| User Activity | No | Yes | Yes | Yes | No |
| Event Log | No | Yes | Yes | Yes | No |
| Audit Trail | No | Yes | Yes | Yes | No |
| Inbound Server Connections | No | Yes | Yes | Yes | No |
| Disaster Recovery: Overview | Yes. Either FailSafe or Message Continuity must be enabled. | Yes | Yes | Yes | No |
| Disaster Recovery: Event Log | Yes. Either FailSafe or Message Continuity must be enabled. | Yes | Yes | Yes | No |


Ensure You Can Receive Email from Your Service Provider

If you had or still have a different email security or filtering service and your network is

administered so that you can receive email only from IP addresses associated with that

security service, you must administer your network to allow incoming email from the

networks specified in your Service Launch Guide.

Sign into the Control Console

To manage your account, you must sign into the Control Console with the following steps.

Note: The first time you sign in, you might need to create your password. If so, see Reset

Your Password from the Sign in Page.

1. Open a browser on your computer and enter the URL for the Control Console, which is https://access.seg.att.com

2. At the Control Console Sign in page, enter your email address and

password.

3. Click Sign-in

If you have not previously entered an answer to a security question, the Security

Question screen pops up.

The answer to the security question is used to validate you, the user, if you forget your password.

4. Select a security question and type the answer. Your answer is not

case-sensitive.

Reset Your Password from the Sign in Page

Note: This capability may not be available if the user authentication method is set to

LDAP, POP3, or IMAP or if the ability to change passwords has been disabled at the

system level.

If you forget your password or want to reset it, perform the following steps:

1. On the Sign in page, click the Forgot your password or need to create a password? link.

The following screen is displayed.


2. In the Username field, type your email address.

3. Do one of the following:

If your email address is working and you are already receiving email, select

Email password information to me.

If your email address is not working, select Email password information to my

Domain Contact.

Your Domain Contact might be your administrator or another person your

administrator defined for your domain within the Control Console. Check with

your administrator on who that person is.

4. Click Next.

If you selected the option for your email, your email application receives an email

momentarily with further instructions. Continue with Step 5.

If you selected the option to email a Domain Contact, that person receives an email

from which the person can reset your password. The person can also forward the

message to an alternative email address you might have. Contact that person for the

password, then try to sign in again. You are finished with this procedure.

5. If you selected the option to email information to you, open the email in your email

application. The email subject line says Control Console Sign in Information.

The email is similar to the following:

6. Click the link in the email. The link is active for only a limited time after the email is sent (typically, 60 minutes).

7. If you previously had selected a security question, the security question is displayed.

If you had not previously selected a security question, select a question from the

Security Question drop-down menu.

8. Type the answer to the question in the Security Answer field.

9. For the Security Question field, click Change if you need to change the security

question or answer. You must answer this question when you forget your password or

need to reset it.

The Security Question and Security Answer fields are displayed. Select a question

from the Security Question drop-down menu, then type an answer.

10. In the Password field, type a password.

• The password must comply with the following rules:

• Length must be a minimum of 8 characters.

• Alpha, numeric, and special character types are allowed.

• There must be at least one character that differs in character type (alpha, numeric,

or special) from the majority of characters. Thus, if the password contains mostly

alpha characters, then at least one character must be either a special character or

numeric. For example, majordude is invalid, but majordude9 is valid.

left parenthesis ( ( ) ampersand ( & ) right bracket ( ] )

right parenthesis ( ) ) asterisk ( * ) colon ( : )

apostrophe ( `) hyphen ( - ) semicolon ( ; )

tilde ( ~ ) plus sign ( + ) double quotes ( " )

exclamation ( ! ) equals sign ( = ) single quotes ( ' )

@ bar ( | ) less than sign ( < )

hash ( # ) backslash ( \ ) greater than sign ( > )

dollar sign ( $ ) left curly bracket ( { ) period ( . )

percentage sign ( % ) right curly bracket ( }) question mark ( ? )

caret ( ^ ) left bracket ( [ )

• Spaces are not allowed.

• Passwords are case-sensitive (for example, "Password", "password", and "PASSword" would be different passwords).

Make sure you can remember your password, but do not use obvious passwords (for example, "password", your name, or a family member's name). Keep your password safe and private.

11. Retype your password in the Confirm Password field.

12. Click Save.

3. Check the Status of Email Protection on the Overview

The Overview window provides the following high-level information about the email

traffic to your domain(s) over the previous 24 hours:

• Disaster recovery information

• News and update information

Customer Administrators will see the information for all the Domains in the Customer

where the role was defined. Domain Administrators will see the information for only the

Domain where the role was defined.

1. Click Email Protection > Overview.

The Overview page is displayed with the initial view.

2. Click Display Statistics.

The Overview page is displayed with the complete view.

The sections on the screen provide the following information:

| Section | Description |
| --- | --- |
| Inbound 24-Hour Snap Shot | This box displays a 24-hour snapshot of inbound email traffic: Messages – Number of inbound messages processed. Avg Size – Average size of inbound messages, including attachments. Bandwidth – Average bandwidth used by inbound messages. Viruses – Number of inbound emails that contained viruses. Spam – Number of inbound emails that were potentially spam. Quarantined – Total number of inbound emails that were quarantined for any reason, including spam, virus, etc. |
| Outbound 24-Hour Snap Shot | This box displays a 24-hour snapshot of the Domain's or Customer's outbound email traffic: Messages – Number of outbound messages processed. Avg Size – Average size of outbound messages, including attachments. Bandwidth – Average bandwidth used by outbound messages. Viruses – Number of outbound emails that contained viruses. Quarantined – Total number of outbound emails that were quarantined for any reason, including viruses. |
| Traffic (Last 24 Hours – {timezone}) | This box shows a graph of traffic volume for the last 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph. |
| Policy Enforcement (Last 24 Hours – {timezone}) | This section shows the percentage of messages that had the different email actions applied (for example, stripped, blocked, tagged, quarantined, cleaned, or normally delivered) over the past 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph. |
| Disaster Recovery Current Status | This section lists domains that are currently in Disaster Recovery. SEG is currently spooling the specified domain's email. |
| Disaster Recovery Activity (Last 24 Hours) | This box shows how many emails were spooled and unspooled by Fail Safe for all Domains in the indicated Customer during the last 24 hours of the designated time zone. Spooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them. Unspooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them. |


4. Set up Your Servers

This section describes how to ensure your inbound and outbound servers are set up

correctly for Secure Email Gateway (SEG).

Confirm Your Inbound Servers Setup

Secure Email Gateway (SEG) filters email destined for your inbound Simple Mail

Transfer Protocol (SMTP) email server or servers. Your Service Implementation

Manager (SIM) should have already defined one or more SMTP servers in the Control

Console. To confirm that these servers are defined, perform the following steps:

1. Click Email Protection > Setup.

2. From the Domain drop-down menu on the Setup page, select the domain whose

SMTP server you want to check.

The SMTP Host Address field displays the domain name(s) or IP address(es) for the

domain's SMTP server. In our example, domain denver.acme.com has an SMTP

server with a domain name of mail1.denver.acme.com.

The Inbound Servers Setup page is displayed.

3. Make sure the SMTP server(s) listed are valid and correct.

4. Ensure that all other information on the page is correct, and select Save.

5. Repeat steps 2 through 4 for any other domains in your network.

Set up Additional Inbound Servers

You can configure additional inbound servers to receive inbound email from Secure Email

Gateway (SEG) for the designated domain. All servers for a domain that receive inbound

email from Secure Email Gateway (SEG) must be configured on the Inbound Servers

Setup screen.

Any server addresses designated here must be valid and available for connection from

Secure Email Gateway (SEG). After the Save Changes button is clicked, the Secure

Email Gateway (SEG) immediately routes email to the active servers.

1 Click Email Protection > Setup.

2 From the Domain drop-down menu, select the domain whose SMTP server you want

to add.

3 Click Add New Host.

A new set of fields appears for the server.

4 In the SMTP Host Address field, type the fully qualified DNS name or IP address of the

server host being configured. CIDR notation is not allowed.

If you do not have a registered and valid DNS name for your email servers, you must

enter the IP addresses of each server.

5 In the Port field, type the port on the server to which the Secure Email

Gateway (SEG) will connect. The default value is 25.

6 In the Preference field, type the number indicating order of connection preference

between multiple servers. Secure Email Gateway (SEG) attempts to connect first to

the server with the lowest preference number. If that server is not available (either

down or too busy), Secure Email Gateway (SEG) tries the server with the next lowest

preference number, and so on. If multiple servers have the same preference number,

Secure Email Gateway (SEG) will randomly route the email delivery between them.

7 Click the Active checkbox to allow the server to immediately start accepting email

traffic.

Caution: If all servers are set to inactive, all emails received for this Domain will

be tempfailed.

8 Click Save.
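The Preference and Active fields in steps 6 and 7 decide which server receives a message. The Python model below is an added example, not SEG's own code: the names InboundHost, validate_host, delivery_order and pick_host, and every sample host other than mail1.denver.acme.com, are assumptions. This guide does not say what happens when every active server is unreachable, so the model returns None for that case as well as for the all-inactive (tempfail) case.

```python
import random
from collections import namedtuple

# One row of the Inbound Servers Setup screen (field names are hypothetical).
# Defaults: port 25 (the guide's default), preference 10, active True.
InboundHost = namedtuple(
    "InboundHost",
    ["address", "port", "preference", "active"],
    defaults=[25, 10, True],
)


def validate_host(host):
    """Return the problems the guide's field rules imply for one row."""
    problems = []
    if not host.address.strip():
        problems.append("SMTP Host Address is empty")
    if "/" in host.address:
        # The guide states CIDR notation is not allowed for inbound hosts.
        problems.append("CIDR notation is not allowed for inbound hosts")
    if not 1 <= host.port <= 65535:
        problems.append("port must be between 1 and 65535")
    return problems


def delivery_order(hosts, rng=random):
    """Order active hosts as the Preference field describes.

    Lowest preference number first; hosts that share a number are
    shuffled, which models random routing between equals.
    """
    tiers = {}
    for host in hosts:
        if host.active:
            tiers.setdefault(host.preference, []).append(host)
    ordered = []
    for preference in sorted(tiers):
        tier = list(tiers[preference])
        rng.shuffle(tier)
        ordered.extend(tier)
    return ordered


def pick_host(hosts, is_available, rng=random):
    """Return the first reachable host in delivery order, or None.

    None covers the documented case (all servers inactive, mail is
    tempfailed) and, as an assumption, the case where no active
    server answers.
    """
    for host in delivery_order(hosts, rng):
        if is_available(host):
            return host
    return None


# Constructed sample configuration for domain denver.acme.com.
SAMPLE_HOSTS = [
    InboundHost("mail1.denver.acme.com", preference=10),
    InboundHost("mail2.denver.acme.com", preference=10),
    InboundHost("backup.denver.acme.com", preference=20),
    InboundHost("old.denver.acme.com", preference=5, active=False),
]

if __name__ == "__main__":
    for row in SAMPLE_HOSTS:
        print(row.address, validate_host(row) or "ok")
    # Simulate both preference-10 servers being down.
    chosen = pick_host(SAMPLE_HOSTS, lambda h: h.preference != 10)
    print("delivers to:", chosen.address if chosen else "tempfail")
```

Running the model against a planned change shows whether deactivating or deleting a row leaves a domain with no active server before you click Save.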

Delete an Inbound Server

To delete an inbound server, perform the following steps:

1 Access the appropriate domain on the Inbound Server Setup screen.

2 Click the Delete checkbox next to the server you want to delete.

3 Click Save.


Add IP Address of Outbound Server, If Necessary

If your service includes Outbound Message filtering, you must identify one or more outbound mail servers through which your users send outgoing mail. While your outbound server might use a Domain Name Server (DNS) name within your network (for example, lewisoutbound.acme.com), you identify the outbound server within Secure Email Gateway (SEG) with an IP address (for example, 111.222.111.0). Alternatively, you can specify a Classless Inter-domain Routing (CIDR) address for a range of outbound servers (for example, 111.222.111.0/27) only. The address must be a public address.

Any server addresses designated here must be valid and available for a connection. After

the Save Changes button is clicked, Secure Email Gateway (SEG) immediately accepts

email traffic from the active servers.

Note: If email is received from an outbound server that is not configured in the Secure

Email Gateway (SEG) system, it will be refused. If no outbound package has been

designated for the selected domain, this window is unavailable.

1 Click Email Protection > Setup > Outbound Servers.

The Outbound Server Setup page is displayed.

2 Click Add New Address, and add the address of the outbound server.

3 Click Save Changes.

4 Record the address listed under Recommended Smart Host Server Settings. You

should use this address to perform the next task, Set up a Smart Host (If Outbound Mail

Defense is Turned on).

Important: You or your network administrator should also do the following before or

immediately after adding your outbound server(s):

• Update Sender Policy Framework (SPF) records on your mail server(s) to ensure

only authorized sources are sending outbound email.

• Scan your network for open relays, viruses and malware.


Delete an Outbound Server

To delete an outbound server, perform the following steps:

1 Access the appropriate domain on the Outbound Server Setup screen.

2 Click the Delete checkbox next to the server you want to delete.

3 Click Save Changes.

Set up a Smart Host (If Outbound Mail Defense is Turned on)

To ensure that your outbound email is filtered, you must designate, for each of your

outbound mail servers, a Secure Email Gateway (SEG) server as your Smart Host. Your

outbound email is then relayed through Secure Email Gateway (SEG) before continuing

to its final destinations. The outbound Smart Host address is listed at the bottom of the

Outbound Server Setup screen, or you can refer to your SEG Service Launch Guide for

more details.

Note: This task is performed on your outbound email server or servers, on your network

router, or on some other server, depending on your network's configuration.

Add an Outbound Email Disclaimer

You can create and assign text that will be appended to all outgoing emails that are filtered

by Secure Email Gateway (SEG) for the designated domain. For example, you might

want to specify that the email sent from your company is the property of your company

with all rights reserved.

Note: If no outbound package has been designated for the selected Domain, this window

is unavailable.

1 Click Email Protection > Setup > Outbound Servers.

The Outbound Server Setup page is displayed.

2 Click Display disclaimer in outbound email messages.

3 In the Disclaimer Text field, type the text of the disclaimer. A maximum of 1000

characters is allowed.

4 Click Save.

Redirect Your MX Records

The Mail Exchange (MX) record for each of your mail servers is a specification within a

Domain Name Server (DNS Server) operated by your Internet Service Provider (ISP).

Each MX record specifies a host name and preference that determines where and how

your ISP routes your company's email.

Your MX record or records at your ISP must be changed to fully-qualified domain names

(for example, denver.acme.com) within the Secure Email Gateway (SEG) network.

These changes allow Secure Email Gateway (SEG) to filter your email before it arrives at

your company's mail servers.

Your Network Administrator or Domain Registrar is typically the individual responsible

for making these changes.

The information necessary for your company to make these changes is provided in your

SEG Service Launch Guide, which you receive when you first sign up for service.


Set up User Creation Mode — SMTP Discovery or Explicit

Explicit user creation means that you must add user email addresses using one of the

methods that are described later. SMTP Discovery means that users are created

automatically based on SMTP transactions. That is, several incoming email messages to a

user indicate that the user exists for the customer. As a result, Secure Email Gateway

(SEG) creates that user in the Control Console.

SMTP Discovery is the default setting for a new customer, such that at initial startup of

service, users might be created in the Control Console without any administration by you,

the Customer Administrator.

Note: Only messages delivered to recipient email addresses in a primary domain are

counted for the purpose of user creation. Messages sent to recipient email addresses in

alias domains are not counted.

If you use Directory Integration, explicit user creation is highly recommended.

To turn on Explicit User Creation, perform the following steps:

1. Click Email Protection > Setup.

2. Click User Creation Settings.

3. Under the User Creation Mode heading, select Explicit.

4. Click Save.

5. Customize Inbound Mail Filters

Secure Email Gateway (SEG) has default inbound and outbound mail filters to block and

clean malicious email and to quarantine email that might be malicious. The filters are

configured by using policies, which are the parameters for the filters. Default policies are

automatically assigned to each of your domains.

You can customize the default inbound policy for any and each domain, or any and each

group, to fit your business needs.

Create a Custom Policy

1. Click Email Protection > Policies.

2. Click the New button to launch the New Policy screen.


The New Policy Set fields are displayed.

Field: Description

Name: Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy.

Owner: The Owner heading indicates who can edit the policy. If the owner is Customer, only Customer Administrators can edit the policy. If the owner is Group, then Group Administrators assigned to that group, as well as Customer Administrators, can view or edit the policy.

Description: Enter a description of the new policy set.

Direction: From the drop-down menu, select the direction of email, inbound SMTP or outbound SMTP, for which this policy will be configured.

Copy From: From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields.

Copy Sender Allow List: Click the checkbox to copy the Sender Allow list from the policy set selected in the Copy From field.

Copy Sender Deny List: Click the checkbox to copy the Sender Deny list from the policy set selected in the Copy From field.

Copy Recipient Shield List: Click the checkbox to copy the Recipient Shield list from the policy set selected in the Copy From field.

Copy ClickProtect Allow List: Click the checkbox to copy the ClickProtect Allow list from the policy set selected in the Copy From field.

3. Click Save.

The Policy Sets list is updated with the new policy. You can now modify the new

policy to meet your business needs.


Configure a Virus Filter

Secure Email Gateway (SEG) uses multiple virus scanning applications to analyze email

to determine if a virus may be present. In your custom policy, you can configure how

Secure Email Gateway (SEG) handles an email that contains a known virus.

Important Note: If an email is detected that contains a wide-spread worm or virus (for

example, SoBig or MyDoom), Secure Email Gateway (SEG) may automatically block

that email, regardless of the settings in your custom policy.

To create a new policy content filter, perform the following steps:

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Virus.

The Actions screen is displayed.


4. Complete the fields as described in the following table.

Field: Description

If a Message Contains a Virus: Select an action SEG should take if an email contains a virus:

• Do nothing – SEG sends the email to the recipient with no filtering or notification.

  Caution: This action is potentially hazardous because the email will still contain the virus.

• Quarantine the message after attachment is stripped – Email Protection strips an infected attachment from the email and sends the email to quarantine with the message that an attachment had been stripped. SEG does not send a separate notification to the recipient.

• Strip the attachment – SEG strips the infected attachment from the email and sends the email to the recipient. SEG inserts text into the email to notify the recipient that an attachment has been stripped.

• Deny delivery – SEG denies delivery of the email.

• Clean the message – SEG attempts to remove the virus content and save the remainder of the message. If successful, SEG sends the email to the recipient with the message that the email had been cleaned of a virus. If you select this action, you must also select an action for the If a Message Cannot be Cleaned field.

If a Message Cannot be Cleaned: If you previously selected Clean the message, select an action Email Protection should take if SEG fails to clean an infected email:

• Quarantine the message after attachment is stripped – The infected attachment is stripped from the email and the email is sent to the recipient's virus quarantine area without notification to the recipient. Text is inserted into the email indicating that an attachment has been stripped.

• Strip the attachment – The infected attachment is stripped from the email and the email is sent to the recipient. Text is inserted into the email notifying the recipient that an attachment has been stripped.

• Deny delivery – The email is denied delivery.

5. Click Save or click Notifications under the Virus tab.

Set Secure Email Gateway (SEG) to Notify Users about Emails with Viruses

You can direct Secure Email Gateway (SEG) to send notification emails to the recipient

and/or sender when an email is filtered because it contained a known virus. You can see

the content of notifications and change it in the Notifications tabs. See Define the

Format and Text of Notifications to Users.

Note: Virus notifications will not be sent out for emails that are infected with widespread

viruses or worms (for example, SoBig or MyDoom). These notifications will be

automatically disabled by the Secure Email Gateway (SEG).

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Virus.

4. Click Notifications.

5. Complete the following fields:

Field: Description

To the sender when a message is … due to a virus infection: Select one or more conditions that will cause Secure Email Gateway (SEG) to send a notification email to the sender.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.

• Stripped – The infected attachment was stripped and the email sent to the recipient.

To the recipient when a message is … due to a virus infection: Select one or more conditions that will cause Secure Email Gateway (SEG) to send a notification email to the recipient.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.

• Stripped – The infected attachment was stripped and the email sent to the recipient.

Configure a Spam Filter

Secure Email Gateway (SEG) spam filtering uses a large number of filtering processes, as

well as sophisticated statistical classification techniques, as part of its Stacked

Classification Framework® to determine if email is spam. Based on this analysis, SEG

gives each email a score.

• A spam score of .9 to .99999 is considered "medium" likelihood. If default settings are used, this e-mail is quarantined.

• A spam score of .999999 to .99999999 is considered "high" likelihood. If default settings are used, this e-mail is denied.

• A spam score of greater than .99999999 is considered "critical" likelihood. These emails will always be denied.

Note: Occasionally, some emails might be marked as spam when in fact they are legitimate emails. These "false positive" email messages can be reported to seg-[email protected].

To configure a spam filter, you can perform the following tasks:

• Define the Action to Take on Spam

• Spam – Content Groups Subtab

• Spam – Reporting Subtab

Define the Action to Take on Spam

1. Click Email Protection > Policies.

2. Click the policy you want to change.


3. Click Spam.

The Classification screen is displayed.

4. Complete the following fields:

Field: Description

If a Message is Probably Spam (Medium likelihood) area: Select an action Secure Email Gateway (SEG) should take if an email has a spam score of 90% or higher:

• Tag the message subject with "[SPAM]" – Secure Email Gateway (SEG) adds the phrase "[SPAM]" to the beginning of the email's subject text and sends the email to the recipient.

• Quarantine the message – Secure Email Gateway (SEG) sends the email to quarantine.

• Deny delivery – SEG denies delivery of the email.

Note: Emails that have the following actions applied will be reported as Other in the Threats: Spam report.

• Do nothing – Secure Email Gateway (SEG) sends the email to the recipient with no filtering or notification.

If a Message is Probably Spam (High likelihood) area: Select an action Secure Email Gateway (SEG) should take if an email has a spam score of 99.9% or higher. These actions are the same as those for Medium likelihood.

5. Click More Options if you want to enable a Real-time Black Hole List. Otherwise, go

to step 8.

Multiple real-time blackhole lists (RBLs) of known spammers are provided by the

industry, from which Secure Email Gateway (SEG) creates a single RBL indicator to

assess the risk of an email originating from a known spammer. The use of multiple

blackhole lists to create a single vote and rate the reputation of each RBL for accuracy

helps to minimize the possibility of blocking a non-spammer by mistake.


6. If you clicked More Options, click the Enable Real Time Blackhole List (RBL)

checkbox.

Note: You can also block spammers by completing a Sender Deny List under the

policy's Allow/Deny option.

7. Click Save or click on Content Groups under Virus.

Define Additional Words That Indicate Spam

Secure Email Gateway (SEG) spam content filtering controls spam by comparing the content (subject and body) of an email against predefined lists of keywords and/or phrases ("spam content groups").

You can define a custom spam content group that contains additional lists of keywords

that are used to filter email as spam. For each content group, you also define the action to

take on email that contains a keyword. If the action is to send spam matches to quarantine,

users who receive Spam Quarantine Reports can view the matching messages in the

quarantine.

Note: A spam content group does not analyze the content within attachments.

The action for a content group you define overrides spam actions for Secure Email

Gateway (SEG) default spam filters. For example, if Secure Email Gateway (SEG)

determines that an email has a medium likelihood of being spam and also contains a

keyword that is in your spam content group, the action defined for your spam content

group is applied.

However, if you also define content filtering on the Content – Content Groups screen

(see Configure a Content Filter), that content filter overrides the keyword filtering you

define on the following Spam – Content Groups screen. In addition, spam identified by

the Content – Content Groups filter is accessible only by Quarantine Managers or higher

level administrators. Users cannot view this spam.

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Spam.

4. Click Content Groups.

5. Double-click the Content Group you wish to modify.

6. In the Group Name field, type the name of your spam content group.

This name should summarize the kind of keywords you want Secure Email Gateway

(SEG) to look for. For example, you might want to identify musical terms, such as

concert, music, rock, jazz, and so on, as spam.

7. From the Action drop-down menu, select an action to take if an email matches a

keyword:

• None - The email is forwarded to the recipient email address.

• Quarantine the message - The email is sent to the recipient's domain content

quarantine area.

• Deny Delivery - The email is denied delivery.

• Allow - The email is sent to the recipient email address.

Note: The Allow option is useful if you want to override standard Secure Email Gateway (SEG)

spam content filtering for particular keywords.

Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam

report.

• Tag the message subject with "[SPAM]" - The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.

• Encrypt Message - Also available for Outbound content groups, if the Customer has subscribed to Encryption.

• Silent Copy - Allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.

8. Content: List the content keywords needed to define your Customer Content Group.

In the Content field, type any keywords you want to search for in email. Use the following rules for entering keywords.

• Each entry must be on its own line (separated by a hard return).

• If an entry contains multiple words, the entire phrase is used as a literal string ("as is").

• If individual words are desired, each word must be on its own line.

• Letter-case (for example, upper case or lower case) is ignored.

• The wildcards question mark ("?") and asterisk ("*") can be used to designate the following:

  - "?" (without quotes) designates any single character, including white space characters (for example, menu, space, line break, etc.). For example, "w?y" would catch "way", "why", and "w y".

  - "*" (without quotes) at the end of the string designates multiple characters until a white space character is encountered. For example, "refi*" would catch "refinance", "refinancing" and "refine".

  - "*" (without quotes) followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered. For example, "refi*d" would catch "refinanced", but would also catch "refinishing is a great way to save d".

  - If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, "\*" or "\?"). For example, "why\?" (without quotes) would catch the string "why?" and the question mark would not be used as a wildcard.

9. Click the Enable checkbox to turn on the spam content group.

10. Click Save for the new spam content group.

11. Click Save for the policy or continue to the Reporting tab.
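The keyword rules in step 8 can be tested offline before a content group is enabled. The Python sketch below is an added example, not SEG's own matcher: it translates each entry into a regular expression following the rules stated above and lists entries whose "*" can span white space. The function names, the unanchored substring search, the skipping of blank lines and the sample data are assumptions.

```python
import re


def tokenize(entry):
    """Split one keyword entry into (kind, char) tokens per the stated rules."""
    tokens, i, n = [], 0, len(entry)
    while i < n:
        ch = entry[i]
        if ch == "\\" and i + 1 < n and entry[i + 1] in "*?":
            tokens.append(("literal", entry[i + 1]))  # \* and \? are literal
            i += 2
            continue
        if ch == "?":
            tokens.append(("any_one", ch))
        elif ch == "*":
            # A trailing * stops at white space; a * before more text does not.
            tokens.append(("star_end" if i == n - 1 else "star_mid", ch))
        else:
            tokens.append(("literal", ch))
        i += 1
    return tokens


_REGEX_FOR = {
    "any_one": r"[\s\S]",     # any single character, white space included
    "star_end": r"\S*",       # characters up to the next white space
    "star_mid": r"[\s\S]*?",  # anything, up to the next designated character
}


def keyword_to_regex(entry):
    """Compile one entry; letter-case is ignored, as the rules state."""
    parts = []
    for kind, ch in tokenize(entry):
        parts.append(re.escape(ch) if kind == "literal" else _REGEX_FOR[kind])
    return re.compile("".join(parts), re.IGNORECASE)


def parse_content_field(text):
    """One entry per line; blank lines are skipped (assumption)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def matching_entries(content_field, subject, body):
    """Entries that would match the subject or body (attachments are not analyzed)."""
    haystack = subject + "\n" + body
    return [entry for entry in parse_content_field(content_field)
            if keyword_to_regex(entry).search(haystack)]


def broad_entries(content_field):
    """Entries with a mid-string *, which can match across whole sentences."""
    return [entry for entry in parse_content_field(content_field)
            if any(kind == "star_mid" for kind, _ in tokenize(entry))]


# Constructed sample: a Content field and one message.
SAMPLE_CONTENT_FIELD = "w?y\nrefi*\nrefi*d\nwhy\\?\nact now\n"
SAMPLE_SUBJECT = "Refinance today"
SAMPLE_BODY = "Act NOW, ask why"

if __name__ == "__main__":
    print("matched:", matching_entries(
        SAMPLE_CONTENT_FIELD, SAMPLE_SUBJECT, SAMPLE_BODY))
    print("review before enabling:", broad_entries(SAMPLE_CONTENT_FIELD))
```

In the sample, "refi*d" matches "Refinance tod" across a word boundary, which is the over-matching the guide warns about; such entries deserve a review before the group's action is set to Deny Delivery.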


Set up Spam Quarantine Reports

When Secure Email Gateway (SEG) scores email and determines that email might be

problematic, but the email is not clearly a security risk, SEG places the email into

quarantine. You can set up quarantine reports so that users can see which of their

messages were filtered and placed in quarantine. You can also determine how much

control users have over these reports, including:

• How reports are formatted.

• How often reports are sent

• How Spam is filtered

• What actions users can take on quarantined email

To set up quarantine reports for users, perform the following steps:

1. Click Email Protection > Policies.

2. Select a policy set for which the quarantine reports will apply.

3. Click Spam > Reporting.

4. Under the Enable Spam Quarantine Reporting for heading, select one of the

following options:

• All users – All user accounts associated with the policy set receive Spam

Quarantine Reports.

Note: Users must be able to log into the Control Console to manage their spam

quarantine areas.

• Selected users – Only those user accounts configured for Spam Quarantine

Reports on the User Management screens receive the reports.

• No users – No users associated with this policy set receive Spam Quarantine

Reports.


5. Under the Default Settings heading, complete the following field:

Field: Description

Frequency: From the Frequency drop-down menu, select how often users receive Spam Quarantine Reports if they have email in spam quarantine.

Report Type: From the Report Type drop-down menu, select the content that each Spam Quarantine Report should contain:

• HTML – All Quarantined – All emails in your spam quarantine area are listed in the Spam Quarantine Report.

• HTML – New Items Since Last Report – Only those emails received since the previous Spam Quarantine Report are listed in the Spam Quarantine Report.

• Text – Summary – A text-only email notification is sent to you with a link to your spam quarantine, instead of the Spam Quarantine Report. This option supports users with email applications that do not support HTML content.

• Text – New Items Since Last Report – A text-only email report is sent to you that indicates how many new emails have been quarantined as spam since the last report and the total number of spam emails in your spam quarantine. The report also lists the email messages that have been quarantined since the last report.

HTML Format: From the HTML Format drop-down menu, select one of the following:

• HTML with Actions – The links Allow, Deny, and Release are enabled in the Spam Quarantine Reports.

• HTML without Actions – The links Allow, Deny, and Release are disabled in the Spam Quarantine Reports. Users must log into the Control Console to perform these actions.

Note: This field is ignored if the Report Type field is set to Text-only Summary.

6. Under the Spam Quarantine Report Security Settings heading, complete the

following fields:

Field: Description

Report Links: From the Report Links drop-down menu, select the number of days after which the links in the Spam Quarantine Report become inactive.

A low value may not give the users enough time to review their Spam Quarantine Report and perform any spam management. A high value might increase the security risk of unauthorized access into the Control Console using an old Spam Quarantine Report.

Restrict user rights when accessing quarantine from spam quarantine report: Click the checkbox so that administrator-level users will be logged in with role of User when accessing the Spam Quarantine Reports.

If you leave the checkbox blank, administrator-level users will be logged as their administrative role.

Note: Selecting this option is recommended to provide additional security for the Control Console. This option applies to all administrative levels, including Reseller Administrators, Customer Administrators, Domain Administrators, Quarantine Managers, and Reports Managers.

7. Under the Other Options heading, select any or all of the following options:

Field: Description

Allow users to personalize spam filtering actions: Click the checkbox to allow users to customize actions that Secure Email Gateway (SEG) takes on email that is likely to be spam. Users actually select the actions on spam from the Preferences screen on the Control Console.

Allow users to personalize delivery frequency: Click the checkbox to allow users to change the frequency with which they receive Spam Quarantine Reports. Users select the frequency of reports from the Preferences screen on the Control Console.

Allow users to personalize report type: Click the checkbox to allow users to change the default settings you set in the Report Type field on this screen. Users can change the Report Type from the Preferences screen on the Control Console.

Allow users to "opt out" of spam filtering: Click the checkbox to allow users to turn filters for spam on or off. Users can turn off spam filtering from the Preferences screen on the Control Console.

Enable "Always Deny" shortcut from spam quarantine report: Click the checkbox to enable the Always Deny link in user's Spam Quarantine Reports, the Message Quarantine windows, and the Safe Message View window.

If you leave the checkbox blank, users must go to the Allow/Deny Sender Lists window to change their Allow or Deny lists.

Show spam score on spam quarantine report: Click the checkbox to display the spam likelihood score for each quarantined message in the Spam Quarantine Reports.

Allow users to download Spam Control For Outlook®: Click the checkbox to display a link in Spam Quarantine Reports, from which users can download the Spam Control For Outlook utility. The location from which the utility is downloaded is configured in the Branding Settings window.

Note: This feature can be enabled or disabled at the system level.


Allow non-

admin users to

sign in directly

to the Control

Console

Click the checkbox to allow users to log into the Control Console using

the Sign in window.

Note: This feature does not affect the ability of users to log in by clicking

a link in a Spam Quarantine Report. If Control Console access is not

enabled and users do not receive the Spam Quarantine Report, the

Quarantine Manager or higher level roles must perform any changes to

the user settings, maintenance of the users‘ spam quarantine, etc.

Display message

content in Safe

Message View

Click the checkbox to allow users to view the body content of an email in

the Safe Message View window.

If you leave the checkbox blank, the user must release the email to see

what it contains in the body content.

Display user

email addresses

in spam

quarantine

report

Click the checkbox to enable the view of user addresses in the HTML

SQR report so that users do not have to scroll through multiple addresses

before they get to the quarantine items.

Allow users to

configure

alternate email

address for

spam report

delivery

Click the checkbox to allow users to choose an alternate email address to

reroute their Spam Quarantine Report if needed. Users may go to Account

Management>User>Preferences to add their email alternate.

Alert! – Please be advised that redirecting a user's SQR allows the chosen alternate recipient to have full access to their Control Console account, including access to that user's Preferences. Therefore, please encourage the user to choose their alternate email address carefully.

8. Click Save.

Configure a Content Filter

You can create a custom content filter. The content filter does the following:

• Blocks or quarantines the email that contains prohibited keywords.

• Notifies the sender or recipient when an email has been quarantined or blocked.

• Blocks HTML malicious tags or prohibited images.

• Manages the ability for users to click on links in email.

Note: Content filtering does not analyze the content within attachments.

Note: You also define content filtering on the Spam – Content Groups screen (see Configure a Spam Filter). The Content – Content Groups filter overrides the keyword filtering you define on the Spam – Content Groups screen. In addition, spam identified by the Content – Content Groups filter is accessible only by Quarantine Managers or higher level administrators. Users cannot view this spam.


Note: Due to the nature of the content filtering, the screen images may contain offensive

material.

To create a new policy content filter, perform the following steps:

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Content.

The Content Groups screen is displayed, showing the default content groups.

• Profanity

• Racially Insensitive

• Sexual Overtones

You cannot change the keywords in these groups.

The Content Group Policy fields are displayed.

Secure Email Gateway (SEG) also provides predefined content groups that contain valid and acceptable personally identifiable information that is allowed in email messages due to specific policies. You cannot edit these content groups, but you can designate whether or not they are used. Following are the two types of predefined content groups:

• Credit Card Number

• Social Security Number

The Credit Cards that are supported include AMEX, VISA, MC, and DISC.

Note: Credit Card Numbers and Social Security Numbers can be represented or formatted in

various ways and Secure Email Gateway (SEG) may not be able to capture all

messages that contain this information.

More Options...

If a Customer or Domain subscribes to Email Encryption, then selecting this option can be

used to enforce Email Encryption if the outbound message contains the word '[encrypt]'.

The word [encrypt] can reside in the message subject line or the body of the outbound

message.


Note: This option is only available on the Outbound Policy Content Group page.

1. Click Edit or double-click your selected Content Group. You may then perform the following:

• Group Name – This defaults to the name of your selected group.

• Content – This field is disabled for Content Groups.

2. From the drop-down Action list, the following actions may be applied to a Content Group:

• None - The email is forwarded to the recipient email address.

• Quarantine the message - The email is sent to the recipient's domain content quarantine area.

• Deny Delivery - The email is denied delivery.

• Allow - The email is sent to the recipient email address.

• Tag the message subject with "[SPAM]" - The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.

• Encrypt Message - Also available for Outbound content groups, if the Customer has subscribed to Encryption.

3. Silent Copy allows you to forward a copy of the original message. To send a copy,

select a predefined distribution list from the drop-down.

4. Click Save.

Turn Off a Default Content Filter

You can deactivate any of the Secure Email Gateway (SEG) default content filters if you

want to allow email containing those keywords to be delivered or you want to replace the

list of keywords with your own list.

Note: Instead of turning off the content filter, you can also choose the action None for the

filter. In this case, Secure Email Gateway (SEG) filters email, but delivers matching email

to users with no other notifications or marking.

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Content.

The Content Groups screen is displayed, showing the default content groups.

• Profanity

• Racially Insensitive

• Sexual Overtones

4. Double-click one of the default content groups.

5. Uncheck the Enable checkbox.

6. Click Save.


Custom Content Group

The Custom Content Groups subtab allows customers to define their own custom content keyword groups to assist in monitoring their email. By configuring a Content Group, the customer can determine how the system reacts if it receives an email that contains text that violates that content policy. Customers can also define a different action for each content group.

Note: If the content group is enabled, then email will be filtered for that content.

1. Click New or double-click your selected Custom Content Group, and perform the following steps.

2. Group Name: Select the field and type the name of your Custom Content Group.

3. Content: List the content keywords needed to define your Custom Content Group.

In the Content field, type any keywords you want to search for in email. Use the following rules for entering keywords.

• Each entry must be on its own line (separated by a hard return).

• If an entry contains multiple words, the entire phrase is used as a literal string ("as is").

• If individual words are desired, each word must be on its own line.

• Letter-case (for example, upper case or lower case) is ignored.

• The wildcards question mark ("?") and asterisk ("*") can be used to designate the following:

— "?" (without quotes) designates any single character, including white space characters (for example, menu, space, line break, etc.).

For example, "w?y" would catch "way", "why", and "w y".

— "*" (without quotes) at the end of the string designates multiple characters until a white space character is encountered.

For example, "refi*" would catch "refinance", "refinancing" and "refine".


— "*" (without quotes) followed by a literal character designates multiple characters, including white space characters, until the designated character is encountered.

For example, "refi*d" would catch "refinanced", but would also catch "refinishing is a great way to save d".

— If the literal asterisk or question mark is desired, it must be preceded by a backslash (for example, "\*" or "\?").

For example, "why\?" (without quotes) would catch the string "why?" and the question mark would not be used as a wildcard.

Caution: It is possible to create wildcard combinations that will filter valid email,

including all email, and/or will substantially slow email processing. Be very careful if you

use wildcards to ensure that only the desired content is filtered.

4. From the Action drop-down menu, select an action to take if an email matches a

keyword:

• None - The email is forwarded to the recipient email address.

• Quarantine the message - The email is sent to the recipient's domain content

quarantine area.

• Deny Delivery - The email is denied delivery.

• Allow - The email is sent to the recipient email address.

Note: The Allow option is useful if you want to override standard Secure Email Gateway (SEG)

spam content filtering for particular keywords.

Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam

report.

• Tag the message subject with "[SPAM]" - The phrase "[SPAM]" is added to the subject line of the email at the beginning of the subject text and the email is sent to the recipient email address.

• Encrypt Message - Also available for Outbound content groups, if the Customer has subscribed to Encryption.

• Silent Copy - Allows you to forward a copy of the original message. To send a copy, select a predefined distribution list from the drop-down.

5. Click the Enable checkbox to turn on the spam content group.

6. Click Save for the new spam content group.

7. Click Save for the policy or continue to the Notifications tab.
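
The keyword rules in step 3 and the Caution that follows them can be checked offline before a list is typed into the Content field. The following Python is an added example, not Secure Email Gateway (SEG) code: it models the documented rules as regular expressions, and the function names, sample field, sample message, and lint threshold are assumptions made for illustration.

```python
import re

# Constructed sample: a Content field (one entry per line) and a message body.
SAMPLE_FIELD = "refi*\nwire transfer\nw?y\nwhy\\?\n"
SAMPLE_MESSAGE = "Refinancing rates dropped. Ask us why today, no wire transfer fee."

# Regex fragment for each wildcard kind, following the rules listed in step 3:
#   any1: "?" is any single character, white space included
#   tail: "*" at the end runs until the next white space character
#   span: "*" before a literal runs, across white space, until that literal
WILDCARD_REGEX = {"any1": r"[\s\S]", "tail": r"\S*", "span": r"[\s\S]*?"}


def tokenize(entry):
    """Split an entry into ("lit", ch), ("any1", "?"), ("tail", "*") or ("span", "*")."""
    tokens, i, n = [], 0, len(entry)
    while i < n:
        ch = entry[i]
        if ch == "\\" and i + 1 < n and entry[i + 1] in "*?":
            tokens.append(("lit", entry[i + 1]))  # \* and \? are literals
            i += 2
            continue
        if ch == "?":
            tokens.append(("any1", ch))
        elif ch == "*":
            tokens.append(("tail" if i == n - 1 else "span", ch))
        else:
            tokens.append(("lit", ch))
        i += 1
    return tokens


def compile_keyword(entry):
    """Build a case-insensitive regex for one entry."""
    parts = [re.escape(value) if kind == "lit" else WILDCARD_REGEX[kind]
             for kind, value in tokenize(entry)]
    return re.compile("".join(parts), re.IGNORECASE)


def parse_content_field(field):
    """One entry per line; a multi-word line stays a single literal phrase."""
    return [line.strip() for line in field.splitlines() if line.strip()]


def find_matches(field, message):
    """Return (entry, matched text) for every entry that hits the message."""
    hits = []
    for entry in parse_content_field(field):
        match = compile_keyword(entry).search(message)
        if match:
            hits.append((entry, match.group(0)))
    return hits


def lint_entry(entry, min_literals=3):
    """Heuristic pre-check for over-broad entries (the threshold is an assumption)."""
    tokens = tokenize(entry)
    warnings = []
    if sum(1 for kind, _ in tokens if kind == "lit") < min_literals:
        warnings.append("too few literal characters")
    if any(kind == "span" for kind, _ in tokens):
        warnings.append("'*' before a literal can span white space")
    return warnings


if __name__ == "__main__":
    for entry, text in find_matches(SAMPLE_FIELD, SAMPLE_MESSAGE):
        print(f"{entry!r} matched {text!r}")
    for entry in ["*", "e*d", "refi*"]:
        print(f"{entry!r}: {lint_entry(entry)}")
```

Running candidate entries through lint_entry and against a folder of known-good mail shows which ones would filter valid email before the group is enabled.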

Notify Users about Spam Content

You can direct Secure Email Gateway (SEG) to send notification emails to the recipient

and/or sender when an email is filtered because it contained spam content. You can see

the content of notifications and change it in the Notifications tabs. See Define the

Format and Text of Notifications to Users.


Note: Virus notifications will not be sent out for emails that are infected with widespread

viruses or worms (for example, SoBig or MyDoom). These notifications will be

automatically disabled by the Secure Email Gateway (SEG).

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Content.

4. Click Notifications.

Complete the following fields:

Field Description

To the sender when a message is … due to a content group violation

Select one or more conditions that will cause Secure Email Gateway (SEG) to send a notification email to the sender.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.

To the recipient when a message is … due to a content group violation

Select one or more conditions that will cause Secure Email Gateway (SEG) to send a notification email to the recipient.

• Quarantined – The infected email was quarantined.

• Denied delivery – The infected email was denied delivery.

Configure a Filter for HTML, JavaScript, ActiveX, and Spam Beacons

You can configure how Secure Email Gateway (SEG) filters email for HTML

attachments or various forms of HTML coding within email.

1. Click Email Protection > Policies.


2. Click the policy you want to change.

3. Click Content.

4. Click HTML Shield.

5. Under HTML Shield Protection, select one of the following options:

Field Description

Low

Select this option to remove only malicious HTML tags from the email and forward the email to the recipient. Text is added to the email to indicate that HTML content was removed.

Medium

Select this option to remove the following HTML content from the email and forward the email to the recipient:

• Malicious HTML tags

• HTML comments and attributes

• All Java, JavaScript, and ActiveX code

Text is added to the email to indicate that HTML content was removed.

High

Select this option to remove all HTML content, including scripts as in the Medium option, from the email and to forward the email to the recipient. Text is added to the email to indicate that HTML content was removed.

None

Select this option to not perform HTML filtering on email.

6. Under Options for Low and Medium Setting, click the checkbox Enable spam "beacon" and web bug blocking to block spam beacons and web bugs.

A spam beacon can reveal user activity to spammers while flagging the recipient's

address as active. A Web bug is any one of a number of techniques used to track who

is reading a Web page or e-mail, when, and from what computer. A Web bug can also

be used to see if an e-mail was read or forwarded to someone else, or if a Web page

was copied to another Website.

Note: This option is available only if you picked the Low or Medium options for

HTML filtering.


7. Click the checkbox Replace all image links with a default transparent image to

eliminate objectionable images in email.

This option replaces links to images in email with links to an image with one transparent

pixel.

Note: This option is available only if you picked the Low or Medium options for

HTML filtering.

8. Click Save or continue to ClickProtect.

Configure Web Hyperlink Filters (ClickProtect)

You can configure whether Web hyperlinks in email are blocked or can be clicked and

followed by the user. You can also designate a ClickProtect Allow List of URL addresses

that are excluded from the ClickProtect processing (for example, your corporate URLs).

As another option, you can set tracking of links that are clicked so that they are reported in

the ClickProtect: Click Log Report.

Caution: ClickProtect only processes links in emails with accepted message formats, which include HTML or Rich Text.

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Content.

4. Click ClickProtect.

5. Click one of the following options:

• Disable ClickProtect — Disables this feature completely and allows users to

click and access Web hyperlinks in the emails without logging information in the

system.


• Display warning message before redirecting — Displays a dialog box with a

customizable warning message. Users can then either stop the click-through

process or continue to the Web site.

• Display warning message and deny click-throughs — Displays a dialog box

with a customizable warning message and does not allow users to continue with

the click-through process.

6. If you clicked one of the last two options above, overtype the text in the Warning Message text box. You can also leave the default text if desired.

7. In the Allow URL or IP field, type URL or IP addresses that you want to allow users

to access and bypass ClickProtect processing.

The following values are allowed:

• IP Address — Complete address (for example, 10.10.10.1) or partial address with

wild cards (for example, 10.10.10.*).

• Domain Name — Qualified domain name (for example, xyz.com) or subdomains

(for example, *@*.xyz.com denies emails from any subdomain of the XYZ

domain, such as [email protected]). If you know you want to allow all emails

from this domain, then use this option instead of typing in each email address

associated with the domain. The following list provides some examples of

allowable URLs.

— www.domainname.com

— www.domainname.n*

— www.domainname.*

— www.domainname.example.com

— www.domainname.*.com

— www.domainname.xxx.xxx.xxx.xxx.com

— domainname.com

The following are not accepted in domain names:

— http://

— slashes

— IP addresses.

8. Click Add.

The value is added to the list box.

Note: (This step is only available to certain user roles, when a user-defined policy set

is selected.) If you want to include the values listed for the Default Inbound policy set,

select the check box located beneath the list.

Upload a List of Allowed URLs

You can create a list of allowed URLs and upload that list to the Control Console. To

upload a list, perform the following steps:

1. Create a file with a predefined list of URLs. The predefined list must be in the

following format:

• Must be a text file


• One entry per line

• File must be available for your browser to access

2. On the ClickProtect screen, click More Options.

Additional fields are displayed.

3. To upload the file, click Browse next to the Upload List field and locate the file.

4. Click Upload Allow List.

The contents are added to the ClickProtect Allow List box.

5. Click Save.

Download a List of Allowed URLs from the Control Console

If you want to download the list of allowed URLs to your local drive, click Download

ClickProtect Allow List. The downloaded list is a file in CSV format. You can open it in

Microsoft Excel.

Define an Attachment Filter

You can create a custom attachment filter. You can filter email for attachments based on

the following criteria:

• Filter by Attachment File Types, including file size.

• Filter by Attachment File Name

• Filter Zip File Attachments


Filter by Attachment File Types

To filter email by file type, you must define the following:

• What file types are allowed to be received

• File size restrictions on the allowed file types

• The email action that will be used if an email violates any of the file type attachment

policies

To create a new file type attachment filter, perform the following steps:

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Attachments.

The Attachments: File Types screen is displayed.

4. For each file type in the Allowed Attachment Types section, select one of the

following options from the drop-down menu:

• Disallow — All email containing this file type are blocked.

• A file size, such that an email with a file of this file type that exceeds the file size

is blocked.

— Max 500 KB

— Max 1 MB

— 2 MB

— 5 MB

— 10 MB

— 15 MB

• Any size — Email with this file type is allowed and delivered.

Note: By default, each listed attachment file type is allowed unless you specifically

select it to be disallowed, except for the types Executables and Scripts. These two

file types are relatively easy to self-invoke from an email, and thus increase the

security risk of a self-running virus or worm.


The following table lists the file extensions associated with each file type:

File Type: Example File Extensions

Microsoft Word Documents: *.doc, *.dot, *.rtf, *.wiz

Microsoft Powerpoint Documents: *.pot, *.ppa, *.pps, *.ppt, *.pwz

Microsoft Excel Documents: *.xla, *.xlb, *.xlc, *.xlk, *.xls, *.xlt, *.xlw

Microsoft Access Files: *.adp, *.ldb, *.mad, *.mda, *.mdb, *.mdz, *.snp

Other Microsoft Office Files: *.cal, *.frm, *.mbx, *.mif, *.mpc, *.mpd, *.mpp, *.mpt, *.mpv, *.win, *.wmf

Adobe Acrobat (PDF) Files: *.abf, *.atm, *.awe, *.fdf, *.ofm, *.p65, *.pdd, *.pdf

Macintosh Files: *.a3m, *.a4m, *.bin, *.hqx, *.rs_

Compressed or Archived Files: *.arj, *.bz2, *.cab, *.gz, *.gzip, *.jar, *.lah, *.lzh, *.rar, *.rpm, *.tar, *.tgz, *.z, *.zip

Audio Files: *.aff, *.affc, *.aif, *.aiff, *.au, *.m3u, *.mid, *.mod, *.mp3, *.ra, *.rmi, *.snd, *.voc, *.wav

Video/Movie Files: *.asf, *.asx, *.avi, *.lsf, *.lsx, *.m1v, *.mmm, *.mov, *.movie, *.mp2, *.mp4, *.mpa, *.mpe, *.mpeg, *.mpg, *.mpv2, *.qt, *.vdo

Image Files: *.art, *.bmp, *.dib, *.gif, *.ico, *.jfif, *.jpe, *.jpeg, *.jpg, *.png, *.tif, *.tiff, *.xbm

Executables (Note: This file type defaults to Disallow.): *.bat, *.chm, *.class, *.cmd, *.com, *.dll, *.dmg, *.drv, *.exe, *.grp, *.hlp, *.lnk, *.ocx, *.ovl, *.pif, *.reg, *.scr, *.shs, *.sys, *.vdl, *.vxd

Scripts (Note: This file type defaults to Disallow.): *.acc, *.asp, *.css, *.hta, *.htx, *.je, *.js, *.jse, *.php, *.php3, *.sbs, *.sct, *.shb, *.shd, *.vb, *.vba, *.vbe, *.vbs, *.ws, *.wsc, *.wsf, *.wsh, *.wst

ASCII Text Files: *.cfm, *.css, *.htc, *.htm, *.html, *.htt, *.htx, *.idc, *.jsp, *.nsf, *.plg, *.txt, *.ulx, *.vcf, *.xml, *.xsf

Postscript Files: *.cmp, *.eps, *.prn, *.ps

All Other Files: Any file extensions that are not included in the other file types

5. In the Action to take for Disallowed Attachments section, select one of

the following options:


• Do nothing – Secure Email Gateway (SEG) sends the email to the recipient with

no filtering or notification.

• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.

• Strip the attachment – Secure Email Gateway (SEG) strips the attachment from

the email and the email is sent to the recipient. Text is inserted into the email

notifying the recipient that an attachment has been stripped.

• Quarantine the message – Secure Email Gateway (SEG) sends the email to

quarantine.

6. Click Save or continue to the Filename tab.

Filter by Attachment File Name

You can create a custom filter to filter email for specific file names. This filter overrides any

conflicting file type policies you may have defined.

To define a filter for attachment file name, perform the following steps:

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Attachments.

The Attachments: File Types screen is displayed.

4. Click Filename Policies.

The Filename Policies screen is displayed.

5. Click New.

The New Attachment Filename Policy section is displayed.

6. From the Filter drop-down menu, select one of the following:

• Is – Secure Email Gateway (SEG) filters for file names that have an exact match to the text in the Value field. For example, if you want to filter for the file name config.exe and no others, you must select Is and then type config.exe in the Value field. For this example, the Is option has the meaning "File name IS config.exe."

• Contains – Secure Email Gateway (SEG) filters for file names that contain the

text in the Value description anywhere within the filename string. For example, if

you want to filter for any file that contains config in its name, like postconfig or

config.ini, select this option.

• Ends with – Secure Email Gateway (SEG) filters for file names that end with

the text in the Value description. For example, if you want to filter for any

executable files ending with .exe, select this option.

7. In the Value field, type the name or partial name with which Secure Email Gateway

(SEG) should search incoming email. For example, if you want Secure Email

Gateway (SEG) to search for any file containing the text config, type config.

8. From the Action drop-down menu, select one of the following options:

• Do nothing – Secure Email Gateway (SEG) sends the email to the recipient with

no filtering or notification.

• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.

• Strip the attachment – Secure Email Gateway (SEG) strips the attachment from

the email and the email is sent to the recipient. Text is inserted into the email

notifying the recipient that an attachment has been stripped.

• Quarantine the message – Secure Email Gateway (SEG) sends the email to

quarantine.

9. Ignore the Silent Copy drop-down list. No silent copy will be sent.

10. Click Save to save the new filename filter.

11. Click Save for the policy or continue to the Additional Policies tab to filter for zip

file attachments.

Filter Zip File Attachments

You can create a custom filter for zipped file or compressed file attachments. These

policies are ignored unless the Compressed or Archived Files filetype is allowed in the

Attachments: File Types screen.

To define a filter for zip file attachments, perform the following steps:

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Attachments.

The Attachments: File Types screen is displayed.

4. Click Additional Policies.

The Additional Attachment Policies screen is displayed.


5. From the Message contains high-risk attachment drop-down menu, select one of the

following options:

• Allow delivery – Secure Email Gateway (SEG) sends the email to the

recipient with no filtering or notification.

• Quarantine the message – Secure Email Gateway (SEG) sends the email to

quarantine.

• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.

This action applies if an email has an attachment that is a zipped file and that violates

any of the following rules:

• The zip file itself is too large ( > 500MB).

• A file contained in the zip file is too large ( > 100MB).

• The zip file contains too many files ( > 1500 files).

• The compression rate is too high ( > 95% compressed).

• The zip file contains too many levels of nesting ( > 3 levels).

6. From the Message contains an encrypted zip attachment drop-down menu, select

one of the following options:

• Allow delivery – Secure Email Gateway (SEG) sends the email to the

recipient with no filtering or notification.

• Quarantine the message – Secure Email Gateway (SEG) sends the email to

quarantine.

• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.

The action applies if an email message has an attachment that is a zipped file and is

encrypted and password-protected. This format is commonly used to prevent scanning

for viruses in zipped files.

7. From the File in zip attachment violates attachment policy drop-down menu,

select one of the following options.

• Attachment policy action – The action for the specific policy that was violated

will be performed on the entire attachment. If multiple policies were violated, the

policies defined in the Attachment – Filename Policies subtab override the

policies defined in this subtab.

• Do nothing – The email is sent to the recipient with no filtering applied.

The action applies if an email that has an attachment that is a zipped file and the

zipped file contains files that violate the previously-defined filters for attachments.
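
The high-risk rules in step 5 and the encrypted-zip condition in step 6 can be reproduced offline to see why a given attachment would trigger either setting. The following Python is an added example, not Secure Email Gateway (SEG) code: the function names and sample archives are constructed, and it assumes "MB" means 1024 × 1024 bytes, that files are counted across nested archives, that a zip directly inside the attachment is nesting level 1, and that an unreadable archive is treated as high risk.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    # Thresholds listed in step 5 of the procedure above.
    max_zip_bytes: int = 500 * 1024 * 1024
    max_member_bytes: int = 100 * 1024 * 1024
    max_files: int = 1500
    max_ratio: float = 0.95
    max_nesting: int = 3


def inspect_zip(data, limits=Limits(), _nesting=0, _state=None):
    """Return the sorted names of the rules that the zip in `data` violates."""
    state = _state if _state is not None else {"files": 0, "findings": set()}
    findings = state["findings"]
    if _nesting == 0 and len(data) > limits.max_zip_bytes:
        findings.add("zip-too-large")
    if _nesting > limits.max_nesting:
        findings.add("too-many-nesting-levels")    # stop before opening it
        return sorted(findings)
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.add("unreadable-zip")             # not a rule from the page
        return sorted(findings)
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            state["files"] += 1                    # counted across nested zips
            if state["files"] > limits.max_files:
                findings.add("too-many-files")
                break
            if info.flag_bits & 0x1:               # bit 0: member is encrypted
                findings.add("encrypted-member")
                continue
            if info.file_size > limits.max_member_bytes:
                findings.add("member-too-large")   # declared size, never inflated
                continue
            if info.file_size and 1 - info.compress_size / info.file_size > limits.max_ratio:
                findings.add("compression-rate-too-high")
            try:
                with archive.open(info) as member:
                    head = member.read(4)
                    if head != b"PK\x03\x04":      # not a nested zip
                        continue
                    inner = head + member.read(limits.max_member_bytes)
            except (zipfile.BadZipFile, NotImplementedError, zlib.error):
                findings.add("unreadable-zip")
                continue
            inspect_zip(inner, limits, _nesting + 1, state)
    return sorted(findings)


def triggered_settings(findings):
    """Map findings to the two drop-down menus named in steps 5 and 6."""
    settings = []
    # Assumption: every finding other than encryption counts as high risk.
    if any(name != "encrypted-member" for name in findings):
        settings.append("Message contains high-risk attachment")
    if "encrypted-member" in findings:
        settings.append("Message contains an encrypted zip attachment")
    return settings


def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a constructed sample zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag in the first central-directory entry (sample only)."""
    raw = bytearray(zip_bytes)
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    nested = make_zip({"a.txt": b"x"}, zipfile.ZIP_STORED)
    for _ in range(4):
        nested = make_zip({"inner.zip": nested}, zipfile.ZIP_STORED)
    samples = {"ratio": make_zip({"zeros.bin": b"\0" * 100_000}), "nested": nested,
               "locked": mark_encrypted(make_zip({"s.txt": b"secret"}, zipfile.ZIP_STORED))}
    for label, sample in samples.items():
        print(label, inspect_zip(sample), triggered_settings(inspect_zip(sample)))
```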


Notify Users about Attachment Violations

You can direct Secure Email Gateway (SEG) to send notification emails to the recipient

and/or sender when an email is filtered because it contained an attachment violation. You

can see the content of notifications and change it in the Notifications tabs. See Define the

Format and Text of Notifications to Users.

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Attachments.

4. Click Notifications.

5. Complete the following fields:

Field Description

To the sender when a message is … due to an attachment policy violation

Select one or more conditions that will cause Secure Email Gateway (SEG) to send a notification email to the sender.

• Quarantined – The email that contained an attachment violation was quarantined.

• Denied delivery – The email that contained an attachment violation was denied delivery.

• Stripped – The infected attachment was stripped and the email sent to the recipient.

To the recipient when a message is … due to an attachment policy violation

Select one or more conditions that will cause Secure Email Gateway (SEG) to send a notification email to the recipient.

• Quarantined – The email that contained an attachment violation was quarantined.

• Denied delivery – The email that contained an attachment violation was denied delivery.

• Stripped – The violating attachment was stripped and the email sent to the recipient.

6. Click Save.


Allow or Deny Email to or from Specific Addresses

You can define lists of sender email addresses, domain names, or IP addresses whose

email is always delivered to your users, or conversely, whose email is always denied

delivery. In addition, you can define lists of recipient email addresses that are always

denied receiving email.

The Sender Allow and Sender Deny lists are used in combination with the user-level

Allow and Deny lists that can be defined for specific user accounts. In the case of a

conflicting entry (for example, the same email address is in the user-level Allow list and

the Sender Deny list at the policy set level), the lists defined in these tabs override the

user-level lists.

The allowed maximum of items for each list is defined at the system level and may vary

for different installations of Secure Email Gateway (SEG).

Allow Email from a Specific Address

You can define a list of sender addresses whose email will always be accepted without

email filtering. The exception is that virus filtering is always applied if licensed for that

policy set, unless overridden by the user-level policy configurations. In addition, the user-

level Deny list will override the policy set-level Sender Allow list.

You can add individual addresses one at a time or you can add them with a batch file. See

Add Allow, Deny, or Recipient Shield Addresses with a Batch File.

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Allow/Deny.

The Sender Allow screen is displayed.

4. In the Add Address field, type the address of a sender whose email should be

delivered without filtering.


The following values are allowed in the list entries:

• Email addresses – Complete sender email address or partial address with wildcards (for example, "[email protected]" or "g*@domain.com")

• Domain names – Complete domain name or partial name with wildcards (for example, "domain.com")

• IP addresses – Complete IP address or partial address with wildcards (for example, "123.123.12.3" or "123.123.12.*")

Note: CIDR notation is not allowed. Each IP address must be designated separately.

5. Click Add.

The address is added to the allowed address box on the right.

6. Repeat steps 4 and 5 for each address you want to add.

7. Click Save.

You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient

Shield List.

Sender Policy Framework (SPF)

You are able to whitelist a specific email address or domain and assign an SPF check to that

address. Subsequent mail coming from the whitelisted domain is then checked against

SPF records. Should the SPF check fail, the mail is denied.

The following conditions apply to an SPF verification:

• If the record can be verified, then content and spam filtering is skipped for the sender's inbound messages.

• If the record cannot be verified, then filtering is not skipped for the sender's inbound messages.

Note: If a sender on the allow list does not have an SPF record, the inbound message is still allowed.


Deny Email from a Specific Address

You can define a list of sender addresses whose email will always be denied regardless of

email filtering. This Deny list overrides the user-level Allow list.

You can add individual addresses one at a time or you can add them with a batch file. See

Add Allow, Deny, or Recipient Shield Addresses with a Batch File.

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Allow/Deny.

The Sender Allow screen is displayed.

4. Click Sender Deny.

The Sender Deny screen is displayed.

5. In the Add Address field, type the address of a sender whose email should be denied

without filtering.

The following values are allowed in the list entries:

• Email addresses – Complete sender email address or partial address with wildcards (for example, "[email protected]" or "g*@domain.com")

• Domain names – Complete domain name or partial name with wildcards (for example, "domain.com")

• IP addresses – Complete IP address or partial address with wildcards (for example, "123.123.12.3" or "123.123.12.*")

Note: CIDR notation is not allowed. Each IP address must be designated separately.

6. Click Add.

The address is added to the denied address box on the right.

7. Repeat steps 4 and 5 for each address you want to add.

8. In the If the Sender is on the Sender Deny List section, select one of the following

options:

• Accept and silently discard the message – The email is accepted, but is

discarded without notification.

• Deny delivery – The email is denied delivery.

9. Click Save.

You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient

Shield List.

Deny Email to a Specific Recipient

You can define a list of recipient user addresses whose incoming email will always be

denied, regardless of email filtering. For example, you can designate that emails received

to an ex-employee's user account are always denied. Email received for all alias email

addresses for the designated user account is also included in the Recipient Shield

processing.

You can add individual addresses one at a time or you can add them with a batch file. See

Add Allow, Deny, or Recipient Shield Addresses with a Batch File.

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Allow/Deny.

The Sender Allow screen is displayed.

4. Click Recipient Shield.

The Recipient Shield screen is displayed.

5. In the Add Address field, type the address of a recipient whose email should be

denied.

You can type a complete recipient email address or partial address with wildcards (for

example, "[email protected]" or "g*@domain.com").

Note: The email addresses must be defined in the primary Domain. Alias domain

names are not allowed.

6. Click Add.

The address is added to the recipient address box on the right.

7. Repeat steps 4 and 5 for each address you want to add.

8. In the If the Recipient is on the Recipient Shield List section, select one of the

following options:

• Accept and silently discard the message – The email is accepted, but is

discarded without notification.

• Deny delivery – The email is denied delivery.

• Do nothing – The email is forwarded to the recipient email address with no

processing applied.

9. Click Save.

You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient

Shield List.

Save a Copy of an Allow, Deny, or Recipient Shield List

You can download the allow or deny list you have created so you can store a copy. To

download a copy, perform the following steps.

1. On the Allow, Deny, or Recipient Shield screen, click More Options.

2. Click Download [] List.

A download window is displayed. Secure Email Gateway (SEG) automatically

creates a Microsoft Excel spreadsheet (*.csv file) containing the address list. You can

choose to save the file or open it directly.

Add Allow, Deny, or Recipient Shield Addresses with a Batch File

1. Using a text editor, create a text file that contains one email address per line, and save

it to your computer.

2. On the Allow, Deny, or Recipient Shield screen, click More Options.

Additional fields are displayed.

3. Click Browse and search for the text file you created.

4. Click Upload [] List.

5. Click Save.
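The following Python script is an added example, not part of the original guide or of SEG itself. It checks a batch file against the entry rules listed for the Allow, Deny, and Recipient Shield lists before upload. The wildcard grammar is inferred from the guide's examples; the function names, the rewrite of CIDR blocks into "a.b.c.*" wildcards or single addresses, and the sample entries are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: this grammar is inferred from the guide's examples
# ("g*@domain.com", "domain.com", "123.123.12.*"); SEG's own parser may differ.
_LABEL = r"[A-Za-z0-9*](?:[A-Za-z0-9*-]*[A-Za-z0-9*])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_LOCAL_RE = re.compile(r"^[A-Za-z0-9*!#$%&'+=?^_`{|}~.-]+$")
_IP_WILD_RE = re.compile(r"^(?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3}$")


def _is_domain(value):
    # The last label must contain a letter so "123.123.12" is not taken for a domain.
    return bool(_DOMAIN_RE.match(value)) and any(c.isalpha() for c in value.rsplit(".", 1)[1])


def classify(entry):
    """Return 'cidr', 'ip', 'email', 'domain' or 'invalid' for one list entry."""
    if "/" in entry:
        try:
            ipaddress.ip_network(entry, strict=False)
            return "cidr"
        except ValueError:
            return "invalid"
    if _IP_WILD_RE.match(entry):
        octets = entry.split(".")
        return "ip" if all(o == "*" or int(o) <= 255 for o in octets) else "invalid"
    if "@" in entry:
        local, _, domain = entry.rpartition("@")
        return "email" if _LOCAL_RE.match(local) and _is_domain(domain) else "invalid"
    return "domain" if _is_domain(entry) else "invalid"


def expand_cidr(cidr, limit=256):
    """Rewrite an IPv4 CIDR block as entries the list accepts (CIDR itself is not allowed).

    /24-aligned space becomes 'a.b.c.*' wildcards; smaller blocks become
    individual addresses. Raises ValueError if more than `limit` entries result.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 is handled here")
    if net.prefixlen <= 24:
        count = 2 ** (24 - net.prefixlen)
        if count > limit:
            raise ValueError(f"needs {count} wildcard entries, limit is {limit}")
        base = int(net.network_address)
        return [str(ipaddress.IPv4Address(base + i * 256)).rsplit(".", 1)[0] + ".*"
                for i in range(count)]
    return [str(ip) for ip in net]


def lint_batch(text, list_type="deny"):
    """Return (entries ready to upload, notes) for the text of a batch file.

    list_type: 'allow', 'deny' or 'recipient_shield' (email addresses only).
    """
    allowed = {"email"} if list_type == "recipient_shield" else {"email", "domain", "ip"}
    entries, notes, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        kind = classify(entry)
        if kind == "cidr" and "ip" in allowed:
            try:
                candidates = expand_cidr(entry)
            except ValueError as exc:
                notes.append(f"line {lineno}: rejected {entry} ({exc})")
                continue
            notes.append(f"line {lineno}: CIDR {entry} rewritten as {len(candidates)} entries")
        elif kind in allowed:
            candidates = [entry]
        else:
            notes.append(f"line {lineno}: rejected {entry!r} ({kind} not accepted on {list_type} list)")
            continue
        for item in candidates:
            if item.lower() in seen:
                notes.append(f"line {lineno}: duplicate {item} dropped")
            else:
                seen.add(item.lower())
                entries.append(item)
    return entries, notes


# Constructed sample batch file; the addresses are documentation ranges, not real senders.
SAMPLE_BATCH = """g*@domain.com
domain.com
192.0.2.7
192.0.2.0/24
192.0.2.*
198.51.100.8/30
not an address
"""

if __name__ == "__main__":
    ready, remarks = lint_batch(SAMPLE_BATCH, "deny")
    print("\n".join(ready))
    print("\n".join(remarks))
```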

Transport Layer Security

Transport Layer Security (TLS) has routinely been supported and is still supported by our Secure Email Gateway (SEG) system. If a TLS connection can be negotiated between the sender and the recipient MTAs, then the system delivers the email over TLS. If a TLS connection CANNOT be established between the sender and the recipient MTAs, then the mail transfer agent delivers the email via SMTP, without encryption. Therefore, it is recommended that you specify a Sender's domain and/or sub-domain for this policy so that TLS is enforced. With TLS enforced, if TLS cannot be established, the message is not delivered and a bounce message is generated to the sender, recipient, or both, depending on the Notifications.

Note: Enforced TLS requires a negotiation between our mail transfer agent and yours

to be successful. You must have TLS turned on at your end to accommodate this

transaction. Refer to your MTA software manual on “How to enable/turn-on TLS”

to ensure TLS is implemented in your system prior to setting up your domain lists.

From the Policy Set screen, select the Enforce TLS tab and complete the following steps.

Subscribe to Default TLS List

By checking the subscription to the TLS default list you will be adding the appropriate

Inbound/Outbound Default domain policy to your customized Enforced TLS domain list.

The default list can be viewed by clicking the corresponding Inbound/Outbound Default

selection under the Policies tab.

NOTE: This option is only available in custom (non-default) policy sets.

NOTE: If the default list changes, your subscription to the default is updated to reflect

those changes.

Add Domain

6. To enter values into the TLS domain list, enter the full address of the Sender/Recipient's domain and/or sub-domain.

NOTE: To enter values into the TLS domain list enter the full address of the Sender/

Recipient's domain and/or sub-domain. Any Sender/Recipient's domain or

subdomain must be explicitly specified for enforced TLS. Specifying a Sender/

Recipient's domain doesn't automatically include any sub-domains of that domain.

7. Click the Add » button. The value is added to the list box.

NOTE: The maximum number of values allowed in the Add Domain list is specified. This

limit is defined at the system level (see the online help for the specific count). Any

duplicate or invalid values are discarded automatically.

More Options

8. To upload a file with a predefined list, click the Browse button. After you select the file and its path appears in the text field, click the Upload button. The contents are added to the Add Domain box above.

9. To remove a value from the list, select it in the list box and click the « Remove button.

NOTE: To select more than one value from the list, press Ctrl on your keyboard, click

each entry you want to remove, and then click the « Remove button.

Save

10. Click the Save button to save your information.

Download

To Download a domain list in a csv file, click the Download button, select the list you

wish to download and click Save.
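Because a listed domain does not cover its sub-domains, an Enforced TLS list can leave mail for a partner's sub-domains on the unencrypted fallback path. The following Python script is an added example, not part of the original guide or of SEG. It compares an Enforced TLS domain list with the peer domains you actually exchange mail with and reports sub-domains whose parent is listed but which are not listed themselves. The function names, the domain-validation pattern and the sample data are assumptions made for illustration.

```python
import re

# Assumption: a plain host-name pattern; SEG's own validation rules are not documented here.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)


def normalize_tls_list(lines):
    """Return (valid unique domains in order, discarded entries with a reason).

    Mirrors the guide's statement that duplicate or invalid values are discarded.
    """
    kept, discarded = [], []
    for raw in lines:
        value = raw.strip().lower().rstrip(".")
        if not value:
            continue
        if not _DOMAIN_RE.match(value):
            discarded.append((value, "invalid"))
        elif value in kept:
            discarded.append((value, "duplicate"))
        else:
            kept.append(value)
    return kept, discarded


def audit_enforced_tls(enforced_lines, peer_domains):
    """Classify each peer domain against the Enforced TLS list.

    'enforced'      : listed explicitly, TLS is required.
    'parent_only'   : only a parent domain is listed, so this sub-domain is NOT enforced.
    'opportunistic' : neither the domain nor a parent is listed.
    """
    enforced, discarded = normalize_tls_list(enforced_lines)
    listed = set(enforced)
    report = {"enforced": [], "parent_only": [], "opportunistic": []}
    peers = sorted({d.strip().lower().rstrip(".") for d in peer_domains if d.strip()})
    for peer in peers:
        if peer in listed:
            report["enforced"].append(peer)
            continue
        labels = peer.split(".")
        # Candidate parents, nearest first, stopping before the bare top-level label.
        parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
        parent = next((p for p in parents if p in listed), None)
        if parent:
            report["parent_only"].append((peer, parent))
        else:
            report["opportunistic"].append(peer)
    return report, discarded


# Constructed sample data: a downloaded Enforced TLS list and peer domains taken from mail logs.
ENFORCED_LIST = ["Partner.example", "partner.example", "bank.example", "not a domain", ""]
PEER_DOMAINS = ["partner.example", "mail.partner.example",
                "payments.eu.bank.example", "vendor.example"]

if __name__ == "__main__":
    result, dropped = audit_enforced_tls(ENFORCED_LIST, PEER_DOMAINS)
    for peer, parent in result["parent_only"]:
        print(f"add {peer} explicitly: only {parent} is on the Enforced TLS list")
    print("discarded list entries:", dropped)
```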

Enforced TLS tab

The Notifications subtab under Enforced TLS allows you to configure whether the sender

and/or recipient is notified if an email cannot be sent via a TLS connection.

Notifications Subtab

Send Email Notifications

11. Check the "Denied Delivery" box for the heading "To the sender when a message is....." to notify the sender that their message could not be sent due to a TLS violation.

12. Click Save.

13. Check the "Denied Delivery" box for the heading "To the recipient when a message is....." to notify the recipient that their message could not be received due to a TLS violation.

14. Click Save.

To view your selection, click the Notifications tab in the Policy Set screen.

Define the Format and Text of Notifications to Users

You can configure templates for the notification emails that are sent to the sender and/or

recipient when an email message is filtered for:

• Viruses

• Content

• Attachments

Default notification templates are provided for all the notification scenarios. You can

change these templates if you wish.

One notification email template is defined for each combination of the following:

• Filtering type — For viruses, content, or attachments

• Destination of the notification — Sender or recipient

• Email Action — Deny, strip, or quarantine

Variables within a Notification

Within the notification emails, variables automatically insert content from the system. For

example, the variable $(DATE) inserts the date when the notification email was sent.

Default variables already exist for the default notifications. If you want to use a different variable, you must manually type the variable as shown below. The variables are case-sensitive.

$(SUBJECT) - Inserts a variable that automatically indicates the subject of the email that violated the policy.

$(FROM) - Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the From: address that is displayed in the email.

$(SENDER) - Inserts a variable that automatically indicates the sender's email address (From: address) from the email that violated the policy. This variable inserts the SMTP envelope From: address received from the sending email server.

$(TO) - Inserts a variable that automatically indicates the recipient's email address (To: address) from the email that violated the policy.

$(DATE) - Inserts a variable that automatically indicates the date when the email was received that violated the policy.

$(REASON) - Inserts a variable that automatically indicates the reason why the email violated the policy.

$(ACTION) - Inserts a variable that automatically indicates the action that was applied to the email that violated the policy.

$(DOMAIN) - Inserts a variable that automatically indicates the domain that received the email that violated the policy.

$(MSG_HEADER) - Inserts a variable that automatically indicates the email header information from the email that violated the policy.

$(SIZE) - Inserts a variable that automatically indicates the size, including attachments, of the email that violated the policy.

$(POSTMASTER) - Inserts the contact email address configured for the domain.

The set of Notifications tabs includes the following subtabs:

• Notifications – Virus Notifications subtab

• Notifications – Content Notifications subtab

• Notifications – Attachment Notifications subtab

In addition, each subtab will have a separate Edit area for each of its notification

templates.

Because all the individual notification templates offer the same functionality, only one set

of subtabs in the Notifications tabs will be described to reduce redundancy. Be aware that

the same features are used to modify the remaining notification templates, the only

difference being the combinations of filter type, destinations, and email actions. Be sure to

modify the navigation and information accordingly.

Define the Format and Text of Virus Notifications

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Notifications.

The Notifications: Virus screen is displayed.

4. Click on a notification in the Virus Notifications box.

5. Click Edit.

The Edit section of the screen is displayed.

6. Change, if desired, the text or variables in any or all of the following fields:

From – Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To – Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject – Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body – Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

7. Click Save.

Define the Format and Text of Content Violation Notifications

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Notifications.

The Virus Notifications screen is displayed.

4. Click Content.

The Content Notifications screen is displayed.

5. Click on a notification in the Content Notifications box.

6. Click Edit.

The Edit section of the screen is displayed.

7. Change, if desired, the text or variables in any or all of the following fields:

From – Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To – Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject – Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body – Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

8. Click Save.

Define the Format and Text of Attachment Violation Notifications

1. Click Email Protection > Policies.

2. Click the policy you want to change.

3. Click Notifications.

The Virus Notifications screen is displayed.

4. Click Attachment.

The Attachment Notifications screen is displayed.

5. Click on a notification in the Attachment Notifications box.

6. Click Edit.

The Edit section of the screen is displayed.

7. Change, if desired, the text or variables in any or all of the following fields:

From – Designates what email address is listed as the From: address in the notification email. Optionally, you can type variables that insert system information into this content.

Reply-To – Designates what email address is used if the recipient of the notification email clicks the Reply button in his/her email application. Optionally, you can type variables that insert system information into this content.

Subject – Type the text to be used as the subject for the notification email template. Optionally, you can type variables that insert system information into this content.

Body – Type the text to be used as the body text for the notification email template. Optionally, you can type variables that insert system information into this content.

8. Click Save.

Enforced TLS

The Notifications > TLS subtab allows you to configure a template for the notification email that is sent to the sender and/or recipient.

Within the notification emails, there are available variables that will automatically insert

content from the system. For example, the variable $(DATE) will insert the date when the

notification email was sent. You must manually type the variables as shown below and the

variables are case-sensitive.

9. Highlight the message you wish to review and click Edit to launch the edit template.

Variables within the template include:

$(SUBJECT) - The Subject field is blank because the message was blocked before the

email content had been sent. If you wish to have a Subject value for the Notification

message, edit the Subject: field, otherwise the Subject appears as: 'Delivery Notification'.

$(FROM) - Inserts a variable that automatically indicates the sender's email address

(From: address) from the email that violated the policy. This variable inserts the From:

address that is displayed in the email.

$(SENDER) - Inserts a variable that automatically indicates the sender's email address

(From: address) from the email that violated the policy. This variable inserts the SMTP

envelope From: address received from the sending email server.

$(TO) - Inserts a variable that automatically indicates the recipient's email address (To:

address) from the email that violated the policy.

$(DATE) - Inserts a variable that automatically indicates the date when the email was

received that violated the policy.

$(REASON) - Inserts a variable that automatically indicates the reason why the email

violated the policy.

$(ACTION) - Inserts a variable that automatically indicates the action that was applied to

the email that violated the policy.

$(DOMAIN) - Inserts a variable that automatically indicates the Domain that received the

email that violated the policy.

$(POSTMASTER) - Inserts postmaster (ex. [email protected]) email address for

the Domain.

Variable syntax requires $({name_of_variable}), where {name_of_variable} is replaced

with the predefined variable name (without the curly brackets).
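The following Python script is an added example, not part of the original guide or of SEG. It lints a notification template against the variable names and the $(NAME) syntax documented above, flagging wrong case, wrong bracket style, names the guide does not list for TLS templates, and the always-empty $(SUBJECT) in TLS notifications. The function name, the template-kind labels and the sample template are assumptions made for illustration.

```python
import re

# Variable names as listed in this guide. The TLS list does not include
# $(MSG_HEADER) or $(SIZE).
_COMMON = {"SUBJECT", "FROM", "SENDER", "TO", "DATE", "REASON",
           "ACTION", "DOMAIN", "POSTMASTER"}
VARIABLES = {
    "virus": _COMMON | {"MSG_HEADER", "SIZE"},
    "content": _COMMON | {"MSG_HEADER", "SIZE"},
    "attachment": _COMMON | {"MSG_HEADER", "SIZE"},
    "tls": set(_COMMON),
}
ALL_NAMES = _COMMON | {"MSG_HEADER", "SIZE"}

# Matches $(NAME) plus common near misses: ${NAME}, $({NAME}), $NAME, $(NAME
_CANDIDATE = re.compile(r"\$(?:\(\{?|\{)?([A-Za-z_]+)(?:\}?\)|\})?")


def lint_template(text, kind):
    """Return a list of (token, message) findings for one template field.

    kind is 'virus', 'content', 'attachment' or 'tls' (labels chosen for this example).
    """
    allowed = VARIABLES[kind]
    findings = []
    for match in _CANDIDATE.finditer(text):
        token, name = match.group(0), match.group(1)
        canonical = name.upper()
        well_formed = token == f"$({name})"
        if well_formed and name in allowed:
            if kind == "tls" and name == "SUBJECT":
                findings.append((token, "always empty in TLS notifications"))
        elif canonical in ALL_NAMES:
            if canonical not in allowed:
                findings.append((token, f"$({canonical}) is not listed for {kind} templates"))
            elif well_formed:
                findings.append((token, f"variables are case-sensitive: write $({canonical})"))
            else:
                findings.append((token, f"wrong syntax: write $({canonical})"))
        elif well_formed:
            findings.append((token, "unknown variable"))
        # Anything else (for example "$5" or "$USD") is treated as ordinary text.
    return findings


# Constructed sample template with typical editing mistakes.
SAMPLE_TEMPLATE = """Subject: Delivery Notification $(SUBJECT)
Your message to $(TO) sent on $(Date) was $(ACTION).
Reason: ${REASON}
Headers: $(MSG_HEADER)
Contact $(POSTMASTER) or $(HELPDESK).
"""

if __name__ == "__main__":
    for token, message in lint_template(SAMPLE_TEMPLATE, "tls"):
        print(f"{token}: {message}")
```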

Enforced TLS Subject Headers

As mentioned, the Subject field in the TLS Email Subject Line, the TLS Email Header,

and the TLS Notification Message Body will not contain Subject data since the email was

denied and no data was retrieved.

The following examples demonstrate the Subject Field or Subject Notification only

displaying Delivery Notification. Again, this is because the $(SUBJECT) variable is an

empty variable.

Email Subject Line

Email Subject Header

TLS Notification Subject Header Response

Disaster Recovery

Disaster Recovery allows you to specify what actions to take when email cannot be

delivered. There are three available options:

• Defer to domain-based Message Continuity access control configured under Disaster

Recovery Setup

Select this option to use the configuration settings from the Disaster Recovery Setup

window.

• Allow users to use the Message Continuity webmail client

Select this option to allow users to use the Message Continuity webmail client when

email cannot be delivered.

• Do not allow users to use the Message Continuity webmail client

Select this option if you do not wish to allow users to use the Message Continuity

webmail client when email cannot be delivered.

Assign a Group to the Custom Policy

To perform this task, you must first create the group of users who are to be assigned to the

policy. See "Managing Groups" in Account Management Administrator Guide.

1. Click Email Protection > Policies.

2. Select the custom policy to which you want to assign a group.

3. Click Group Subscriptions.

The Policy Configuration Groups screen is displayed.

4. Select the group you want to assign.

5. Click Add.

6. Customize Outbound Mail Filters

You can customize the default outbound policy for any and each domain, or any and each

group, to fit your business needs.

Note: Outbound email is not filtered for spam.

Create a Custom Outbound Policy

1. Click Email Protection > Policies.

2. Click New.

The New Policy Set fields are displayed.

Field – Description

Name – Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy.

Description – Enter a description of the new policy set.

Direction – From the drop-down menu, select the direction of email, outbound SMTP, for which this policy will be configured.

Copy From – From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields.

3. Click Save.

The Policy Sets list is updated with the new policy. You can now modify the new

policy to meet your business needs.

Configure a Virus Filter

You configure a virus filter for outbound email in the same way as that for inbound email.

For more information, see Configure a Virus Filter.

Configure a Content Filter

You can create a custom content filter for outbound email. You can only set up Content

Groups and Notifications. HTML Shield and ClickProtect are not available for outbound

email. You set up content groups and notifications in the same way as that for inbound

email. For more information, see Configure a Content Filter.

Email Encryption for Content Groups

This feature requires subscription to SEG Premium.

Group Names

You are able to send regular email based on your selected policies, but you may also encrypt messages for a specific Group Name under Content Groups if desired. Select the group name you wish to encrypt, then, from the Action drop-down list, select to have that Group encrypted.

More Options …

If a Customer or Domain subscribes to Email Encryption, then you can select this option to enforce Email Encryption if the outbound message contains the word '[encrypt]'. The word [encrypt] can reside in the message Subject line or the body of the outbound message.

This option can be found under Email Protection > Policies > Outbound (default) >

Content > Content Groups.

Define an Attachment Filter

You configure an attachment filter for outbound email in the same way as that for inbound

email. For more information, see Define an Attachment Filter.

Define the Format and Text of Notifications to Users

You configure notifications for outbound email in the same way as that for inbound email.

For more information, see Define the Format and Text of Notifications to Users.

Assign a Group to the Custom Policy

You assign a group to a policy for outbound email in the same way as that for inbound

email. For more information, see Disaster Recovery.

7. Managing Quarantine Reports

Set up Quarantine Reports

When Secure Email Gateway (SEG) scores email and determines that email might be

problematic, but the email is not clearly a security risk, Secure Email Gateway (SEG)

places the email into quarantine. You can set up quarantine reports so that users can see

which of their messages were filtered and placed in quarantine. You can also determine

how much control users have over these reports, including:

• How reports are formatted.

• How often reports are sent

• How Spam is filtered

• What actions users can take on quarantined email

To set up quarantine reports for users, see Set up Spam Quarantine Reports.

Monitor Users’ Quarantined Email

Email is quarantined based on the filtering for spam, viruses, content, and attachments, as

designated on your domains' or groups' policies. To monitor quarantined email, you can

perform the following tasks:

• Search for Quarantined Email

• Interpret the Search Results

• Sort the Search Results

• Delete Quarantined Messages

• Release Quarantined Messages

• View Quarantined Messages

As an administrator, you can also directly access your own quarantined email within the

Control Console. See Monitor Your Own Quarantine.

Primary Email Addresses, Aliases, and Public Domain Addresses

Most quarantined emails show the primary email address as the recipient email address.

However, if Intelligent Routing is used, quarantined email to a public domain address

continues to be shown as a public domain address. If an email that was sent to an alias

email address is quarantined, the recipient email address is changed to be the associated

primary email address. Any emails released out of any of the quarantine areas are sent to

the primary email address. Thus, no alias email addresses will be listed in these windows.

Search for Quarantined Email

To search quarantined email, perform the following steps:

1 Click Email Protection > Quarantine.

2 If necessary, click Quarantine Search.

3 Complete any or all of the following fields to define your search:

Note: All fields are used in the search. If your search finds a large number of

messages, narrow your search by narrowing the scope within one or more fields.

Field – Description

From – Enter a full sender email address. The address must include the recipient name and the domain name, for example [email protected].

To – Enter a recipient email address. The address must include the recipient name and the domain name.

Threat – From the drop-down menu, select one of the following:

• Spam

• Virus

• Attachment

• Content

• All Threats

Day list – From the drop-down menu, select the day, from the past week, whose messages you want to see. You can also select All Days.

Note: The date of a message is determined by the time, according to the user's timezone, the message was placed in quarantine.

Inbound/Outbound – From the drop-down menu, select one of the following:

• View inbound only

• View outbound only

• View inbound & outbound

Note: This field is available only if the selected Domain has both inbound and outbound packages associated with it.

4 Click Search.

A list of messages is displayed at the bottom of the screen.

Interpret the Search Results

The Search Results section of the Quarantine Search screen displays the following

information for each email message:

• Date — The date the message was quarantined, according to the local timezone of the

recipient.

• From — The sender of the message.

• To — The recipient of the message.

• Subject — The subject of the message.

• Size — The size of the message, in kilobytes, including any attachments.

Also, a sixth column displays information that varies, depending on the type of threats you searched for. The following table lists the type of information that might be contained in this column.

Threat Type Selected – Column Label – Description

Virus – Virus – Displays the type of virus detected in the email.

Spam – Spam Score – Displays a score that indicates how likely it is that the email is spam.

• A spam score of 90% - 98.9% is considered "medium" likelihood if default settings are used.

• A spam score of 99% or higher is considered "high" likelihood if default settings are used.

Secure Email Gateway (SEG) anti-spam filtering uses a large number of filtering processes, as well as sophisticated statistical classification techniques, as part of its Stacked Classification Framework® to determine the score. If you specified an additional Realtime Blackhole List (RBL) in the Anti-Spam screen of the assigned policy, the RBL can influence the spam score as well.

Note: Occasionally, some emails might be marked as spam when in fact they are legitimate emails. For these "false positive" email messages, you can help SEG "tune" the spam thresholds and rules by sending a forwarded copy of the email with all content and attachments to [email protected].

Attachment – Attachment – Displays the name of an attachment that was included in the email message and violates attachment rules (size, file type, zip file attachments) as defined on the Attachment screens of the assigned policy. If a message contains more than one delinquent attachment, the first attachment found in the message is listed. You can check to see all attachments by opening the message.

Content – Keyword – Displays Content to indicate that the email violated a content policy, as defined in the Content Groups screen for the assigned policy. You can see what keywords were violated by opening the message and checking the Status line.

All Threats – Type – Displays the type of threat filtering that the email violated.

Sort the Search Results

You can sort the search results according to any of the columns in the Search Results

section.

1. Click on the heading of the column you want to sort.

You have the choice of sorting the messages in ascending or descending order of the

values in the column.

2. Click Sort Ascending or Sort Descending.

3. To hide columns in the results, move your cursor over the Columns menu item and

click the checkboxes to select or deselect the columns you want to display in your

sorted list.

4. To move columns around so they are displayed in a different left-to-right sequence,

perform the following steps:

A. Place your cursor on the column you want to move.

B. Click and hold the mouse button.

C. Drag the column to a different location.

Delete Quarantined Messages

Secure Email Gateway (SEG) deletes each message automatically if the message stays in quarantine for more than seven days. However, you can immediately delete quarantined email listed in the Quarantine Search Results in one of two ways:

• Highlight each email in the list and click Delete.

• Click Delete All, which deletes all email in the Search Results list.

Release Quarantined Messages

By releasing a quarantined email message, you remove the message from quarantine and

send the email to the mailbox of the recipient's primary email address. You can release

email in one of two ways:

• Click the checkbox for each email you want to release, and click Release.

The email is removed from quarantine and sent to the recipient mailbox or mailboxes.

• Click the checkbox for each email you want to release, and click Always Allow for User.

The email is removed from quarantine and sent to the recipient mailbox or mailboxes.

This option also adds the sender address of each selected message to the Allow list of

the associated recipient.

Caution: Releasing emails that contained worms or viruses can potentially allow the recipients' machines to be infected.

View Quarantined Messages

Secure Email Gateway (SEG) allows you to view a quarantined message without risk of

infection by any malicious virus or attachments. To view a message in the quarantine:

1 Double-click the message you want to view.

The message opens in a new tab with the subject heading.

2 Check the email for any of the following, depending on the Threat type:

If the Threat type is Spam, check the subject line and body of the message, as well as

the Status line for the spam score.

If the Threat type is Content, check the Status line for the word or words that violated

the content filter.

If the Threat type is Attachment, check the Attachments list for size and/or type of

file or for html code violations. The Content Type is based on the MIME protocol.

If the Threat type is Virus, check the Virus list for the viruses found.

3 Note the IP address listed in the message. This address is the last hop the message took

prior to delivery to Secure Email Gateway (SEG). The IP address can be useful in

tracking the path of a message and can help identify spoofed senders.

4 After checking a message, do one of the following:

• Delete the message as described in Delete Quarantined Messages.

• Release the message as described in Release Quarantined Messages.

• Close the message by clicking the X in the tab at the top of the message.
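Step 3 relies on the last-hop IP because it is the one address in the header chain recorded by the gateway itself rather than claimed by the sending side. The following is an added example, not code from this guide or from the SEG product, that runs this check on a constructed message, assuming you have the message's raw headers; the gateway host name, the expected-network table, and all addresses are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (not values from the guide): the gateway's
# host name and the networks each sender domain normally sends from.
GATEWAY_HOST = "seg-gateway.example.org"
EXPECTED_NETS = {"acme.com": ["198.51.100.0/24"]}

# Constructed sample message. The lower Received line is supplied by the
# sending side and claims an acme.com address; only the top line was
# written by the receiving gateway.
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [203.0.113.45])\n"
    " by mx1.seg-gateway.example.org with ESMTP; Mon, 3 Oct 2011 10:00:02 -0400\n"
    "Received: from mail.acme.com (mail.acme.com [198.51.100.7])\n"
    " by mail.example.net with ESMTP; Mon, 3 Oct 2011 10:00:01 -0400\n"
    'From: "Payroll" <payroll@acme.com>\n'
    "To: user@acme-denver.com\n"
    "Subject: Updated direct deposit form\n"
    "\n"
    "Please see the attached form.\n"
)

_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def received_hops(msg):
    """Return one (by_host, ip_text) pair per Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        by = _BY_RE.search(flat)
        ip = _IP_RE.search(flat)
        hops.append((by.group(1).lower() if by else None,
                     ip.group(1) if ip else None))
    return hops


def last_hop_ip(msg, gateway=GATEWAY_HOST):
    """IP of the host that connected to the gateway, or None if not found."""
    for by_host, ip_text in received_hops(msg):
        if by_host and (by_host == gateway or by_host.endswith("." + gateway)):
            try:
                return ipaddress.ip_address(ip_text)
            except (TypeError, ValueError):
                return None
    return None


def assess(raw, expected=EXPECTED_NETS):
    """Compare the gateway-recorded last hop with the From domain's networks."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = last_hop_ip(msg)
    if ip is None:
        verdict = "no-gateway-hop"
    elif domain not in expected:
        verdict = "unknown-domain"
    elif any(ip in ipaddress.ip_network(net) for net in expected[domain]):
        verdict = "expected-source"
    else:
        verdict = "unexpected-source"  # candidate spoof: review before release
    return {"from_domain": domain,
            "last_hop": str(ip) if ip is not None else None,
            "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

In the sample, the lower Received line places the message inside the acme.com range, but the hop the gateway recorded does not, so the message is flagged for review rather than release.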

Monitor Your Own Quarantine

You can check your own messages in quarantine and take the same actions on those

messages that you can take on other users' messages. To access your own quarantined messages, perform

the following steps:

1 Click Email Protection > Quarantine.

2 Click My Spam.

Your message quarantine is displayed.

3 Perform any of the following tasks:

• Search for Quarantined Email

• Interpret the Search Results

• Sort the Search Results

• Delete Quarantined Messages

• Release Quarantined Messages

• View Quarantined Messages

8. Set up Disaster Recovery Services

Administer Disaster Recovery Services

• Message Continuity — Message Continuity saves messages for later delivery if your

mail server becomes unavailable. When your mail server becomes available, Message

Continuity delivers the messages. Users can access their messages through a Web-

based interface while messages are in Message Continuity only.

Message Continuity also has unlimited storage capacity and removes messages that

have been in Message Continuity storage for more than 60 days.

Set up Spooling for Disaster Recovery

1 Click Email Protection > Setup > Disaster Recovery.

2 From the Domain drop-down menu, select the domain you want to set up for Disaster

Recovery.

3 In the Configuration Settings section, select one of the following options:

• Automatic — This option automatically spools all incoming email when Secure

Email Gateway (SEG) detects a loss of connectivity with your email server(s).

With this option, you must also specify how long Secure Email Gateway (SEG)

should wait after connectivity is lost to begin spooling.

Note: Be aware that it may take several minutes to determine that your inbound

server is unavailable. During this time, and during the time delay, received emails

can be tempfailed if your inbound server is unavailable.

• Manual — This option allows you to start and stop Disaster Recovery spooling

manually for planned email server outages such as server maintenance.

When necessary, you then select Start Spooling to initiate manual spooling; and

select Stop Spooling to stop it.

Note: It may take a few minutes for manual spooling of incoming mail to start and

stop.

4 If you selected the Manual option, check the Deliver spooled email when

connectivity is available box to deliver spooled email when connectivity to the email

server(s) is restored.

5 If your service includes Message Continuity, check the checkbox Allow users to use

Message Continuity to set the default permission for users to get messages through

Message Continuity. This setting applies to the domain. You can override this setting

on the Disaster Recovery screen under Policies if you have some groups that you don't

want to allow access.

Set up Notifications of Disaster Recovery

You can specify that notifications are emailed automatically to designated recipients,

typically yourself or other administrators, when the following Disaster Recovery events

occur:

• Automatic spooling has started

• Automatic unspooling has started

• Automatic or manual unspooling has completed.

1 Under the Notifications section of the Disaster Recovery Setup screen, type, in the

Recipient Email Address field, the email address of a person who should receive

notification of a disaster recovery event.

Note: In order to minimize the possibility that Disaster Recovery notifications cannot

be delivered to listed recipients, it is recommended that notifications be sent to email

addresses associated with cell phones or pagers.

2 Click Add.

3 Repeat steps 1 and 2 for up to three more notification recipients.

9. System Reports

Secure Email Gateway (SEG) Reports

Secure Email Gateway (SEG) provides a large number of reports with which to monitor your service.

Report – Description

Traffic Overview – Information about all Inbound and Outbound email traffic and bandwidth for the designated domain(s) during the selected date or date range.

Threat: TLS – Information about all TLS Inbound and Outbound email traffic, percentages and bandwidth for the designated Domain(s) during the selected date or date range.

Threats: Overview – Information about email violations by policy type for the designated domain(s) during the selected date or date range.

Threats: Viruses – Information about all Inbound and Outbound emails that violated the virus policies for the designated domain(s) during the selected date or date range.

Threats: Spam – Information about emails that violated the spam policies for the designated domain(s) during the selected date or date range.

Threats: Content – Information about emails that violated the content keyword policies for the designated domain(s) during the selected date or date range.

Threats: Attachments – Information about emails that had attachments that violated the attachment policies for the designated Domain(s) during the selected date or date range.

Enforced TLS Details – Information about all Enforced TLS Inbound and Outbound email traffic, including the number of messages and bandwidth for the designated Domain(s) during a selected timeframe. The report also includes a count of Inbound and Outbound messages that were denied due to an Enforced TLS Policy violation.

ClickProtect: Overview – Information about ClickProtect processing. ClickProtect processing tracks Web hyperlinks received in emails that can be clicked and followed by the user or that can be blocked, depending on the ClickProtect policy configurations for the designated domain(s) during the selected date or date range.

ClickProtect: Click Log – Information about Web hyperlinks in emails that were clicked by the recipient for the designated domain(s) during the selected date or date range.

Quarantine: Release Overview – Information about emails that were quarantined and released from all quarantine areas within the Secure Email Gateway (SEG) for the designated domain(s) during the selected date or date range.

Quarantine: Release Log – Information about emails that were released from all quarantine areas within the Secure Email Gateway (SEG) for the designated domain(s) during the selected date or date range.

User Activity – Information about all Inbound and Outbound email traffic and bandwidth for the designated domain(s) during the selected date or date range.

Event Log – Displays messages that have had actions performed based on the content, spam content, virus, or attachment policy definitions. Messages can be sorted per domain, and Inbound direction, Outbound direction or both. Messages that are identified as threats by the Secure Email Gateway (SEG) are also included.

Audit Trail – Displays the audit log items for all actions performed by users at Report Manager, or higher level, roles within the Control Console for the designated domain(s) during the selected date or date range, including sign ins and configuration changes.

Inbound Server Connections – Displays information about the connections made to the Inbound email servers during processing.

Disaster Recovery: Overview – Information about emails that were spooled and unspooled by the disaster recovery service for the designated domain(s) during the selected date or date range.

Disaster Recovery: Event Log – Displays the event log items for actions performed within the disaster recovery service. Included are actions performed automatically by the Secure Email Gateway (SEG) and performed manually by the administrator.

View a Secure Email Gateway Report

To view an Email Protection Report, perform the following steps:

1. Click Email Protection > Reports.

2. From the Domain drop-down menu, select the domain for which you want the report.

The Traffic Overview report is displayed.

3. From the Reports drop-down menu, select the report you want.

4. Click the Period field to display the Calendar selector.

5. From the Calendar selector, do one of the following:

A Select Today for data on the current day.

B Select a specific date, within the last 7 days, to display data only for that date.

C Select the name of the month that appears at the bottom of the calendar.

D Select a month and date in the drop-down lists.

E Position cursor over the week number (to the left of the first date in a week) and

click to display data for the entire week beginning with that date.

Note: You can select only the current month or click the down arrow at the top of the

calendar to select the previous month. You cannot retrieve data from a timeframe

beyond the previous month.

Change the Graphic Display of the Report

You can display some of the information in a report as a bar graph, as a line graph, or as a

pie chart.

To select a graphic display type, select the appropriate icon on the upper right corner of

each graphic, if available. The icons are as follows:

This icon displays the graphic as a bar graph.

This icon displays the graphic as a line graph.

This icon displays the graphic as a solid (filled) line graph.

Download a Report

To download textual report information into a Microsoft Excel spreadsheet (*.csv), click

Download on any report, then follow the instructions.

Traffic Overview

The Traffic: Overview window displays overview information about the inbound and

outbound email traffic for the designated domain.

The following table lists the report items in the report.

Report Item – Description

Traffic Trends – The number of inbound and outbound emails for the designated Domain

and date range.

• Green – Inbound data

• Purple – Outbound data

Traffic Summary – Information about inbound and outbound email traffic for the designated

Domain and date range as follows:

• Inbound Messages – Indicates the total number of inbound emails

received.

• Average Inbound Messages/Hour – Indicates the average number of

inbound emails received each hour.

• Outbound Messages – Indicates the total number of outbound emails

sent.

• Average Outbound Messages/Hour – Indicates the average number

of outbound emails sent each hour.

Bandwidth Trends – The bandwidths, in kilobytes, used by inbound and outbound email for the

designated Domain and date range.

• Green – Inbound data

• Purple – Outbound data

Bandwidth Summary – Information about the bandwidth used by inbound and outbound email for

the designated domain and date range as follows:

• Inbound Total Bandwidth – The total bandwidth used by received

inbound emails.

• Average Inbound Message Size – The average size of inbound

emails.

• Outbound Total Bandwidth – The total bandwidth used by sent

outbound emails.

• Average Outbound Message Size – The average size of sent

outbound emails.

Traffic: TLS Report

The Traffic: TLS Report window displays information about all TLS Inbound and

Outbound email traffic, percentages and bandwidth for the designated Domain(s) during

the selected date or date range.

Reporting Period: All report data is viewable on either a day, week, or month basis for the

current month, or the previous month.

You can use the Download button to save a copy of the currently displayed report results

in spreadsheet format.

Report Purpose

Identifies Inbound and Outbound email messages that were delivered via a TLS

connection and any email messages that were denied due to an Enforced TLS Policy

violation.

Traffic Summary

TLS Inbound Messages - The total of TLS inbound messages that were processed via a

TLS connection.

% Inbound Messages sent via TLS - The percentage of incoming email messages

processed via a TLS connection.

Inbound Messages blocked by Enforced TLS - The total of inbound email messages

blocked by an Enforced TLS policy.

TLS Outbound Messages - The total of TLS outbound messages that were processed via

a TLS connection.

% Outbound Messages sent via TLS - The percentage of outgoing email messages

processed via a TLS connection.

Outbound Messages blocked by Enforced TLS - The total of outgoing email messages

blocked by an Enforced TLS policy.

Bandwidth Summary

TLS Inbound Total Bandwidth - The quantity of data transferred via TLS,

measured in bytes.

% Inbound Bytes sent via TLS - The percentage of Inbound mail sent via TLS,

measured in bytes.

Outbound Total Bandwidth - The quantity of data transferred via TLS, measured

in bytes.

% Outbound Bytes sent via TLS - The percentage of Outbound mail sent via TLS,

measured in bytes.

Traffic: Encryption

Report only available to SEG Premium customers

The Traffic: Encryption report displays information about all Outbound email traffic,

percentages and bandwidth for the designated Domain(s) during the selected date or date

range sent out to be encrypted.

Selecting the checkbox for Email Encryption on both the Create/Edit Customer page

and Create/Edit Domain page allows customers to use the 'Encrypt Message' action

when working with Outbound policy Content Groups.

When the 'Encrypt Message' action is selected for a Content Group, then any message

that contains that content is routed to an encryption server and available to the recipient.

Email Encryption is only available for a selected Outbound package.

Email Encryption Summary

Outbound Messages blocked by Email Encryption - The total outbound messages to be

delivered for encryption.

% Outbound Messages sent via Encryption - The percentage of outgoing email

messages sent out to be encrypted.

Email Encryption Bandwidth Summary

Outbound Total Bandwidth - The total bandwidth of outgoing email messages

sent for encryption.

% Outbound Bytes sent via TLS - The percentage of outgoing message bytes sent out

to be encrypted.

Threats: Overview

The Threats: Overview report displays overview information about email violations by

policy type for the designated domain.

The following table lists the report items in the report.

Report Item – Description

Inbound Threat Trends – The total number of inbound emails that violated each policy type for the

designated Domain and date range. Data for each policy type is color-

coded as indicated in the legend below the graphic.

Inbound Threat Summary – Information about the number of inbound emails that violated each policy

type for the designated Domain and date range.

• Total Viruses – The total number of inbound emails that contained

known worms and viruses.

• Infection Rate – The percentage of inbound emails that contained

known viruses vs. the total number of received inbound emails.

• Total Spam Identified – The total number of inbound emails filtered

for potential spam.

• Spam Volume – The percentage of inbound emails that were filtered

for potential spam.

• Spam Beacons Detected – The total number of spam beacons

detected in inbound emails. Note that each email may contain multiple

spam beacons.

• Content Keyword Violations – The total number of inbound emails

that violated the content keyword policies.

• Attachment Policy Violations – The total number of inbound emails

that had attachments that violated the attachment policies.

Outbound Threat Trends – The total number of outbound emails that violated each policy type for the

designated domain and date range. Data for each policy type is color-coded

as indicated in the legend below the graphic.

Outbound Threat Summary – Information about the number of outbound emails that violated each policy

type for the designated Domain and date range as follows:

• Total Viruses – The total number of outbound emails that contained

known viruses.

• Infection Rate – The percentage of outbound emails that contained

known viruses vs. the total number of sent outbound emails.

• Content Keyword Violations – The total number of outbound emails

that violated the content keyword policies.

• Attachment Policy Violations – The total number of outbound

emails that had attachments that violated the attachment policies.

Threats: Viruses

The Threats: Viruses report displays information about emails that violated the virus

policies for the designated domain.

The following table lists the report items in the report.

Report Item – Description

Virus Volume Trends – The total number of emails that contained known viruses.

• Green – Inbound data

• Purple – Outbound data

Virus Detection Summary – Indicates information about the emails that contained worms or viruses:

• Total Viruses Inbound – The total number of inbound emails that

contained known viruses ("infected emails").

• Inbound Infection Rate – The percentage of infected inbound

emails vs. the total number of received inbound emails.

• Total Viruses Outbound – The total number of infected outbound

emails.

• Outbound Infection Rate – The percentage of infected outbound

emails vs. the total number of sent outbound emails.

• Disinfected (cleaned) – The total number of infected emails that had

their viruses successfully removed and the emails were forwarded to

their destinations.

• Stripped – The total number of infected emails that had the infected

attachments stripped and then were forwarded to their destinations.

Top Inbound Viruses – The most frequently encountered viruses in inbound emails, in the order

of most frequent to less frequent, and the total number of encounters for

each virus.

Virus Policy Actions – The percentage of policy actions applied to infected emails.

Top Outbound Viruses – The most frequently encountered viruses in outbound emails, in the order

of most frequent to less frequent, and the total number of encounters for

each virus.

Threats: Spam

The Threats: Spam window displays information about emails that violated the spam

policies for the designated domain.

The following table lists the report items in the report.

Report Item – Description

Spam Volume Trends – The total number of emails that violated spam policies.

• Green – Inbound data

• Purple – Outbound data

Spam Detection Summary – Information about the emails that violated spam policies:

• Total Inbound Spam Identified – The total number of inbound

emails that violated spam policies.

• Inbound Spam Volume – The percentage of inbound emails that

violated spam policies vs. the total number of received inbound

emails.

• Spam Beacons Detected – The total number of spam beacons

detected in emails. Note that each email may contain multiple spam

beacons.

• RBL – The total number of emails that were filtered by the Real-time

Blackhole List (RBL).

• DUL – The total number of emails that were filtered by the Dial-up

User List (DUL).

• RSS – The total number of emails that were filtered by the Relay

Spam Stopper (RSS).

• Spam Content Group – The total number of emails that contained keywords from the content groups that were created in the Anti-Spam > Content Group subtab; in this example, the group named "Viagra."

Spam Policy Actions – The percentage of policy actions applied to the emails that violated spam

policies.

Threats: Content

The Threats: Content window displays information about emails that violated the

content keyword policies for the designated domain.

The following table lists the report items in the report.

Report Item – Description

Content Policy Violation Trends – The total number of emails that violated the content keyword policies.

• Green – Inbound data

• Purple – Outbound data

Top Inbound and Outbound Content Group Violations – Both the Top Inbound Content Group Violations and the Top Outbound

Content Group Violations reports measure the number of messages found

to violate the top ten inbound / outbound customer email content policies

for both global policies and custom policies.

Information about the emails that violated content keyword policies:

• Credit Card - The total number of emails that contained keywords

and phrases from the Credit Card predefined content group.

• Profanity – The total number of emails that contained keywords from

the Profanity content group.

• Racially Insensitive – The total number of emails that contained

keywords from the Racially Insensitive content group.

• Sexual Overtones – The total number of emails that contained

keywords from the Sexual Overtones content group.

• Social Security - The total number of emails that contained keywords

and phrases from the Social Security predefined content group.

• Custom Content Groups – The total number of emails that contained

keywords from the content groups that were created in the Current

Content Groups window; in this example, "HIPPA Compliance."

Content Policy Actions – The percentage of policy actions applied to the emails that violated content

keyword policies.

Threats: Attachments

The Threats: Attachments window displays information about emails that had

attachments that violated the attachment policies for the designated domain.

The following table lists the report items in the report.

Report Item – Description

Attachment Policy Violation Trends – The total number of emails that had attachments that violated the

attachment policies.

• Green – Inbound data

• Purple – Outbound data

Attachment Summary – Information about the emails that had attachments that violated the

attachment policies:

• Average Attachment Size – The average size of attachments

encountered in emails.

• Executables – The total number of executables (for example, *.exe

or *.com) received as attachments.

• Scripts – The total number of script files received as attachments.

• Office Documents – The total number of Microsoft Office

documents (for example, *.doc or *.xls files) received as

attachments.

• Audio – The total number of audio files (for example, *.wav or

*.mp3 files) received as attachments.

• Images – The total number of graphic files (for example, *.gif or

*.bmp files) received as attachments.

• Compressed Archives – The total number of archive files (for

example, *.zip or *.tar files) received as attachments.

Attachment Policy Actions – The percentage of policy actions applied to the emails that had

attachments that violated the attachment policies.

Enforced TLS Details

The Enforced TLS Details report displays information about all Enforced TLS Inbound

and Outbound email traffic, including the number of messages and bandwidth for the

designated Domain(s) during a selected timeframe. The report also includes a count of

Inbound and Outbound messages that were denied due to an Enforced TLS Policy

violation.

Reporting Period: All report data is viewable on either a day, week, or month basis for the

current month, or the previous month.

You can use the Download button to save a copy of the currently displayed report results

in a spreadsheet format.

Select your customer to manage.

Field – Description

Customer – From the drop-down list, select the Customer (if needed).

Domain – From the drop-down list, select the Domain or "All Domains" (if needed).

Note: When there are 1000 domains listed in the drop-down a Find button will display to

assist the user in locating the correct domain.

Depending on how your system is configured, you may run a report for a primary domain,

a domain alias, or a public domain. A Public Domain is a registered domain with a public

MX record that is used for uniform email addresses across multiple primary domains. A

public domain name will have the primary domain appended to it with brackets "[primary domain]", and a Domain Alias is appended with brackets "[alias]".

The following examples demonstrate this feature:

• acme.com [acme-denver.com] is the public domain [primary domain] respectively.

• acme.com [alias]

Traffic Summary

Enforced TLS Accepted - Inbound Messages - The total number of TLS inbound

messages that were processed via an Enforced TLS connection for a given domain.

Enforced TLS Accepted - Outbound Messages - The total number of TLS outbound

messages that were processed via an Enforced TLS connection for a given domain.

Enforced TLS Accepted - Inbound Bandwidth - The quantity of data transferred via

Enforced TLS for inbound messages, measured in bytes, for a given domain.

Enforced TLS Accepted - Outbound Bandwidth - The quantity of data transferred via

Enforced TLS for outbound messages, measured in bytes for a given domain.

Enforced TLS Denied - Inbound Messages - The total of incoming email messages

blocked by an Enforced TLS policy for a given domain.

Enforced TLS Denied - Outbound Messages - The total of outgoing email messages

blocked by an Enforced TLS policy for a given domain.

ClickProtect: Overview

The ClickProtect: Overview window displays overview information about ClickProtect

processing. ClickProtect processing tracks Web hyperlinks received in emails that can be

clicked and followed by the user or that were blocked, depending on the ClickProtect

policy configurations.

The following table lists the report items in the report.

Report Item – Description

ClickProtect Trends – The numbers of emails that contained hyperlinks and that contained

hyperlinks that were clicked by the recipients.

• Green – Total number of emails that contained hyperlinks.

• Purple – Number of emails that contained hyperlinks that were

clicked by the recipients.

ClickProtect Statistics – Information about the emails that contained hyperlinks that were

processed by ClickProtect:

• Messages with links – The total number of emails that contained

hyperlinks.

• Messages with multiple links – The total number of emails that

contained multiple hyperlinks.

• Total clicks – The total number of times that a recipient clicked a

hyperlink in an email.

• Total allowed click throughs – The total number of times that a

recipient was allowed to access the destination designated in a

clicked hyperlink.

• Total denied click throughs – The total number of times that a

recipient was prevented from accessing the destination designated in

a clicked hyperlink.

• Number of individual users that clicked – The total number of

recipients that attempted to click a hyperlink in an email.

• Spam messages with clicks – The total number of spam emails that

contained hyperlinks clicked by recipients.

• Messages with links on the ClickProtect Allow List – The total

number of emails that contained hyperlinks that were listed on the

ClickProtect Allow list.

ClickProtect: Click Log

The ClickProtect: Click Log window displays information about hyperlinks in emails

that were clicked by recipients.

The following table lists the report items in the report.

Report Item – Description

Timestamp – The date, time, and time zone when the hyperlink was clicked in the filtered email.

From – The email address that sent this email ("sender email address").

To – The email address to which this email was sent ("recipient email address").

Subject – The text that was in the subject header of this email.

URL – The URL destination defined in the clicked hyperlink (the URL to where the recipient attempted and/or was successful in clicking through).

Score – The spam likelihood score that was assigned to the email by Email Protection.

Quarantine: Release Overview

The Quarantine: Release Overview displays overview information about emails that

were quarantined and released from all the quarantine areas within Secure Email

Gateway (SEG) for the designated domain.

The following table lists the report items in the report.

Report Item – Description

Inbound Quarantine Release Trends – The total number of emails that were quarantined and then released in all

the quarantine areas. Data for each policy type is color-coded as indicated

in the legend below the graphic.

Inbound Spam Release Summary – Information about the emails that were quarantined as potential spam and

then released.

• Total Spam Identified – The total number of quarantined emails that

were identified as potential spam.

• Total Spam Released – The total number of emails released from the

spam quarantine.

• Release Percent – The percent of emails released from the spam

quarantine vs. the total number of emails that were quarantined as

potential spam.

• Total # of individuals – The total number of user accounts that had

emails released from the spam quarantine.


Inbound Virus Release Summary Information about the emails that were quarantined because of viruses and then released.

• Total Viruses Identified – The total number of viruses detected in

incoming emails that were quarantined.

• Total Virus Released – The total number of emails released from the

virus quarantine.

• Release Percent – The percent of emails released from the virus

quarantine vs. the total number of emails that were quarantined

because of viruses.

• Total # of individuals – The total number of user accounts that had

emails released from the virus quarantine.

Inbound Content Release Summary Information about the emails that were quarantined because of content and then released.

• Total Content Policy Violations – The total number of quarantined

emails that violated content policies.

• Total Content Released – The total number of emails released from

the content quarantine.

• Release Percent – The percent of emails released from the content

quarantine vs. the total number of emails that were quarantined

because of content.

• Total # of individuals – The total number of user accounts that had

emails released from the content quarantine.

Inbound Attachment Release Summary Information about the emails that were quarantined because of attachments and then released.

• Total Attachment Policy Violations – The total number of

quarantined emails that violated attachment policies.

• Total Attachment Released – The total number of emails released

from the attachment quarantine.

• Release Percent – The percent of emails released from the

attachment quarantine vs. the total number of emails that were

quarantined because of attachments.

• Total # of individuals – The total number of user accounts that had

emails released from the attachment quarantine.

Quarantine: Release Log

The Quarantine: Release Log displays detailed information about emails that were

released from all the quarantine areas within Secure Email Gateway (SEG) for the

designated domain.


The following table lists the report items in the report.

Report Item Description

Display Designates which type of quarantine release events to display.

• All Events – Displays release events for all the quarantines.

• Spam – Displays release events for the spam quarantine.

• Attachments – Displays release events for the attachment quarantine.

• Content – Displays release events for the content quarantine.

• Viruses – Displays release events for the virus quarantine.

Type The reason why this email was quarantined.

• Spam – Email violated spam policies.

• Virus – Email contained a known virus.

• Attach – Email's attachment violated the attachment policies.

• Content – Email contained content that violated the content policies,

including keywords and HTML.

From The email address that sent this email ("sender email address").

To The email address to which this email was sent ("recipient email address").

Subject The text that was in the subject header of this email.

Release Date The date, time, and time zone when this email was released from quarantine in

Secure Email Gateway (SEG).

Size The total file size of this email, including all attachments.

Additional Feature Position your cursor anywhere over a log item and the Item Pop-up window appears, displaying more information about the item.


View Details of Log Items

You can view detailed information about a log item when the cursor is positioned over it.

The specific information differs depending on which report you are viewing.

The following table lists the report items in the report.

Report Item Description

Type The reason why the email was quarantined.

• Spam – Email was quarantined because it violated spam policies.

• Viruses – Email was quarantined because it violated virus policies.

• Attachments – Email was quarantined because it violated

attachment policies.

• Content – Email was quarantined because it violated content

policies.

Subject The contents of the Subject line of the email.

To The email address to which this email was addressed ("recipient email address").

Sender IP The IP address of the server that sent the email.

From The email address from which this email was sent ("sender email address").

Released by The user account of the user who released the email from the quarantine.

Quarantine Depending on the reason why the email was quarantined, this description

indicates the specific reason why the email was quarantined:

• Score – Indicates the spam likelihood score that was assigned to the

email.

• Attachment Type – Indicates the name of the attachment that

caused the email to be quarantined.

• Virus – Indicates the name of the virus that caused the email to be

quarantined.

• Content Keyword – Indicates the specific content keyword that

caused the email to be quarantined.

Size The total file size of the email, including attachments.


Release Date The date, time, and time zone when the email was released from the

quarantine.

Quarantine Date The date, time, and time zone when the email was quarantined.

Timestamp The date, time, and time zone when the logged item was processed (for example, when an email was processed by SEG).

Details Additional information about the logged item (for example, the name of

the virus in the email).

Actions The email action that was performed on the email.

Server The name or IP address of the inbound server.

Registered on The DNS Authorized Name Server where the inbound server is

registered.

Status The status of the inbound server.

Preference The preference level assigned to the inbound server.

Domain(s) The domains that are using this inbound server in Secure Email Gateway (SEG).

User Activity

The User Activity report displays the user accounts that have received the most inbound

emails and have sent the most outbound emails for the designated domain.


The following table lists the report items in the report.

Report Item Description

Top Inbound Users area

Email Addresses The recipient email addresses that received the most inbound email, in

order of volume.

Messages The total number of emails received by each email address.

Size The size of the largest email, including attachments, received by each

email address.

Top Outbound Users area

Email Addresses The sender email addresses that sent the most outbound email, in order of

volume.

Messages The total number of emails sent by each email address.

Size The size of the largest email, including attachments, sent by each email

address.


Event Log

The Event Log displays the event log items for actions performed for emails that were

determined to violate content, spam content, virus, or attachment policies for the

designated Domain and date range, including actions performed automatically by

Secure Email Gateway (SEG) and performed manually by the users.

The following table lists the report items in the report.

Report Item Description

Display Designates which set of event log items to display.

• All Events – Displays event log items for actions performed for all

the quarantines.

• Attachments – Displays only event log items for actions performed

on emails that had attachments that violated the attachment policies.

• Content – Displays only event log items for actions performed on

emails that violated the content policies.

• Spam Keyword – Displays only event log items for actions

performed on emails that violated the spam content keyword

policies.

• Viruses – Displays only event log items for actions performed on

emails that contained known viruses.


Direction Designates whether event log items for inbound emails or outbound

emails are displayed.

• Inbound Only – Designates that only inbound emails are displayed.

• Outbound Only – Designates that only outbound emails are

displayed.

• Inbound & Outbound – Designates that both inbound and

outbound emails are displayed.

Type The type of policy that the filtered email violated.

Timestamp The date, time, and time zone when the action was performed on the

filtered email.

From The email address that sent this email ("sender email address").

To The email address to which this email was sent ("recipient email address").

Subject The text that was in the subject header of this email.

Details The reason for the action (for example, if the email contained a virus, the

virus name is shown).

Action The action that was applied to the email.

Additional Feature Position your cursor anywhere over a log item and the Item Pop-up

window appears, displaying more information about the item.

Audit Trail

The Audit Trail report displays the audit log items for all actions performed by users with

the Report Manager role or a higher-level role within the Control Console for the designated

domain and date range, including user names and configuration changes.


The following table lists the report items in the report.

Report Item Description

Timestamp column The date, time, and time zone when the action was performed in the Control Console.

Domain column The domain where the action was performed.

Details column A description of the action that was performed, including the role and user

account of the user that performed the action.

Inbound Server Connections

The Inbound Server Connections report displays information about the connections

made to the inbound email servers (a.k.a. Customer MTAs) during processing. This report

may be useful in determining down times or connection issues.


The following table lists the report items in the report.

Report Item Description

Display Volume Trends For Designate which inbound server(s) to display.

• All Servers – Display information for all the inbound servers

configured for the selected Domain.

• Inbound Server – Display information about the selected inbound

server only.

Connection Volume Trends for All Servers The total number of successful and unsuccessful connections to the designated server(s).

• Green – Indicates successful connections.

• Purple – Indicates failed connection attempts.

Optionally, select one of the graphic display type icons to change the

appearance of the graph.

Overall Failure Rate The percentage of connection failures to the designated server(s).

Total Successes The total number of successful connections to the designated server(s).

Total Failures The total number of unsuccessful attempts to connect to the designated

server(s).

Server:Port The server address and port being reported.


Failure Rate % The percentage of connection failures to this server and port.

Success The total number of successful connections to this server and port.

Fail The total number of unsuccessful attempts to connect to this server and

port.

Disaster Recovery: Overview

The Disaster Recovery: Overview report displays information about emails that were

spooled and unspooled by the disaster recovery service, which can be either FailSafe or

Message Continuity.


The following table lists the report items in the report.

Report Item Description

Disaster Recovery Trends – Messages The total number of spooled and unspooled emails processed by the disaster recovery service over the designated time period.

Optionally, select one of the graphic display type icons to change the

appearance of the graph.

Disaster Recovery Summary – Messages The numbers of emails processed by the disaster recovery service.

• Spooled Messages – Indicates the number of emails that were

spooled, either automatically or manually.

• Unspooled Messages – Indicates the number of emails that were

unspooled, either automatically or manually.

Disaster Recovery Trends – Bytes The amount of spool storage used by spooled and unspooled emails processed by the disaster recovery service over the designated time period.

Optionally, select one of the graphic display type icons to change the

appearance of the graph.

Disaster Recovery Summary – Bytes Details of the file size of spooled and unspooled emails processed by the disaster recovery service over the designated time period.

• Spooled Bytes – Indicates the amount of spool storage used by

spooled emails.

• Unspooled Messages – Indicates the amount of spool storage freed

by unspooled emails.

Disaster Recovery: Event Log

The Disaster Recovery: Event Log displays the event log items for actions performed

within the disaster recovery service, which can be either FailSafe or Message Continuity.

Actions include those performed automatically by Secure Email Gateway (SEG) and

those performed manually by the users.


The following table lists the report items in the report.

Report Item Description

Timestamp The date, time, and time zone when the action was performed in disaster

recovery.

Event The event log items for disaster recovery actions performed for the

designated domain and date range.

Initiated By The responsible party that performed the disaster recovery action. If an

action was manually performed, indicates the role and user account of the

person who performed the action.


Administer Performance Reports

Performance Reports are PDF files, delivered only via email, that provide graphs and

charts that visually present statistical information regarding your Secure Email Gateway

(SEG). Your Performance Report information can be set to report weekly and/or

monthly data. You may copy this statistical report for your company's use.

Note: Performance Reports are also available for Web Protection Service.

The report period for weekly reports is 12:00 a.m. Monday until 11:59 p.m. Sunday.

The report period for monthly reports is the first day of the month at 12:00 a.m. until the

last day of the month at 11:59 p.m.

Some of the data within this report is subject to variables such as:

• Time zone settings

• Message delivery timing (may be briefly queued)

• Quarantine releases

• Reporting period


To administer Performance Reports, perform the following steps:

1. If necessary, click Account Management > Customers > Distribution Lists to set

up a distribution list to which you want to send the reports.

2. Click Account Management > Customers > Performance Reports.

The Customer Performance Reports screen is displayed.

3. From the Deliver To drop-down menu, select the distribution list containing the

recipient(s) for the Performance Reports.

4. From the Time Zone drop-down menu, select the time zone for the Performance

Reports.

5. Click either or both of the Frequency checkboxes to specify how often a report is

sent and what data is included:

• Weekly — The report is sent at the beginning of the week and shows data for the

previous week, from Monday through Sunday.

• Monthly — The report is sent at the beginning of the month and shows data for

the previous month, from the first day through the last day of the month.

6. Click Save.

Note: You can also click Send Now to immediately email the Performance Report from

the last reporting period to the distribution list.

Performance Report Descriptions

The following tables reflect either weekly or monthly reports depending on the customer's

request.


Inbound Messages Report, Weekly or Monthly

The Inbound Messages Overview reflects the total number of Inbound Messages that were

processed and delivered.

This includes:

• Inbound Threats

• Inbound Message Actions

• Disaster Recovery reports

Field Description

Total Inbound Messages The total number of all inbound messages processed. When users have the same filtering options, the message is counted only one time. When a user has a specific filtering option, the message is counted for each particular user configuration.

Inbound Messages Delivered The total number of all inbound messages successfully delivered.

Spam Detected The total number of all inbound messages counted as SPAM.


Virus Detected The total number of all inbound messages counted as Viruses.

Attachment Violations The total number of all inbound messages with attachments that violated the

policy rules for attachments.

Content Violations The total number of all the inbound messages with words that violated the policy rules for content groups.

Normal Delivery The total number of all inbound messages delivered that did not have the policy

action Clean, Quarantine, Strip, Tag, or Deny applied to the message.

Cleaned The total number of all inbound messages that violated the policy rules for

virus and had the policy action Clean applied to the message.

Denied The record of all the inbound messages refused because they violated the policy rules for spam, virus, content, or attachments or are on a deny list.

Quarantined The total number of all inbound messages that violated the policy rules for

spam, virus, content, or attachments and had the policy action Quarantine

applied to the message.

Stripped The total number of all inbound messages that violated the policy rules for

attachments or virus and had the policy action Strip applied to the message.

Tagged The total number of all inbound messages that violated the policy rules for

spam or content and had the policy action Tag applied to the message.

Spooled Messages The total number of all messages spooled, either automatically or manually.

Unspooled Messages The total number of all messages unspooled, either automatically or manually.


Outbound Messages Overview

The Outbound Messages Overview reports on the number of messages processed and

successfully delivered.

This includes:

• Outbound Threats

• Outbound Message Actions


11. Tips and Frequently Asked Questions

FAQs

User Management

Question: Can a user see another user’s quarantined emails?

Answer: Sign in access to the Control Console is user-specific. Unless the user has logged

in as an Administrator or Quarantine Manager, the user will not be able to see quarantined

emails or any other data for any other user. The exception is that Report Managers will be

able to see data in the reports if it is user-specific (for example, in the User Activity

Report window).

Question: I see email addresses in the User Management window that aren’t real or that I didn’t add.

Answer: Secure Email Gateway (SEG) delivers all email that is addressed to your

Domains, unless the email is rejected by your inbound servers or the email has been

filtered because it violated a defined policy. This type of email delivery is known as

"proxy service."

If the User Creation field is set to SMTP Discovery, Secure Email Gateway (SEG)

will auto-create user accounts for new email addresses if all the following are true:

• A specified number (default is 3) of emails that were not quarantined or denied have

been received within a day for the new email address.

• Emails that had content stripped, but were sendable, can still trigger automatic user

account creation.

• Emails that would have been quarantined, but were received before the user

account was created, will be denied.

• Your inbound server accepted delivery of the emails.

• A user account does not already exist for the new email address.

• The new email address was not sent to an alias domain name.

Thus, you will see email addresses in the User Management window that may be invalid

in your system, but that your inbound server accepted. You can either manually delete

these user accounts or they will be automatically deleted after a default time period if no

sign-ins or user-level configurations are detected for these user accounts. Sign-ins from

the Spam Quarantine Report are included.

Because user accounts might be continually created and deleted, both manually and

automatically, and because a single user may use multiple email addresses, billing is not

determined by the number of user accounts in a Domain. Billing is determined by the

value entered in the Total Billed Users Qty field during Domain creation or edit.

If you want to disable the automatic creation of user accounts, do one of the following:


• Set the User Creation field to Explicit.

• Configure your inbound email servers to deny emails received for invalid recipients.
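The auto-creation conditions listed in this answer, modelled as an added Python example (not SEG code). The event fields, the function names, the sample addresses, and reading "within a day" as the same calendar day are assumptions. It shows why mail to invalid recipients that your inbound server accepts turns into user accounts, and why rejecting invalid recipients stops it.

```python
from collections import Counter
from datetime import datetime

THRESHOLD = 3  # default from the guide: emails in a day before auto-creation

# Dispositions that never count toward the threshold.
NOT_COUNTED = {"quarantined", "denied"}


def would_autocreate(events, existing_accounts, alias_domains, threshold=THRESHOLD):
    """Return the recipient addresses that meet every listed condition.

    Each event is a dict (hypothetical shape) with keys:
      ts          ISO timestamp of the delivery attempt
      rcpt        recipient address
      disposition "delivered", "stripped", "quarantined" or "denied"
      accepted    True if the inbound server accepted delivery
    """
    existing = {a.lower() for a in existing_accounts}
    aliases = {d.lower() for d in alias_domains}
    per_day = Counter()
    for ev in events:
        rcpt = ev["rcpt"].lower()
        domain = rcpt.rsplit("@", 1)[-1]
        if rcpt in existing:                    # account already exists
            continue
        if domain in aliases:                   # sent to an alias domain name
            continue
        if ev["disposition"] in NOT_COUNTED:    # quarantined or denied
            continue
        if not ev["accepted"]:                  # inbound server refused it
            continue
        # Assumption: "within a day" means the same calendar day.
        day = datetime.fromisoformat(ev["ts"]).date()
        per_day[(rcpt, day)] += 1
    return {rcpt for (rcpt, _day), count in per_day.items() if count >= threshold}


def burst(rcpt, n, disposition="delivered", accepted=True, day="2011-10-03"):
    """Build n constructed events for one recipient on one day."""
    return [
        {"ts": f"{day}T{9 + i:02d}:00:00", "rcpt": rcpt,
         "disposition": disposition, "accepted": accepted}
        for i in range(n)
    ]


def sample_events(inbound_accepts_invalid):
    """Constructed log. sales@ and jobs@ are not real mailboxes on the server."""
    bogus = inbound_accepts_invalid
    return (
        burst("sales@example.com", 3, accepted=bogus)
        + burst("jobs@example.com", 2, accepted=bogus)
        + burst("jobs@example.com", 1, accepted=bogus, day="2011-10-04")
        + burst("new.hire@example.com", 1)
        + burst("new.hire@example.com", 2, disposition="stripped")
        + burst("info@example.com", 2)
        + burst("info@example.com", 1, disposition="quarantined")
        + burst("alice@example.com", 3)          # already has an account
        + burst("bob@alias.example", 3)          # alias domain
    )


ACCOUNTS = ["alice@example.com"]
ALIASES = ["alias.example"]

if __name__ == "__main__":
    for accepts in (True, False):
        created = would_autocreate(sample_events(accepts), ACCOUNTS, ALIASES)
        print("inbound accepts invalid recipients:", accepts, "->", sorted(created))
```
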

Question: How does the user log into the Control Console for the auto-created email address?

Answer: One of the following must occur before a user can log into the Control Console:

• The user must receive a Spam Quarantine Report and click one of its links before they

expire.

• The user must request a Set Password email in the Sign in window.

• An Administrator can manually set the password for the user in the Control Console.

Question: Why does a Web browser open when I try to do anything on my Spam Quarantine Report?

Answer: The Spam Quarantine Report provides an easy-to-use connection into the

appropriate feature in the Control Console. The Control Console is a Web-based graphical

user interface and is the primary interface to Secure Email Gateway (SEG).

When a user clicks a link in the Spam Quarantine Report, it causes the default Web

browser to open, automatically logs the user into the Control Console, and performs the

action designated in the clicked link.

Email Filtering

Question: I’ve just made a change to my policies; how long does it take before it is active?

Answer: Typically, most configuration changes in the Control Console, including policy

configurations, Allow and Deny lists, and changes to entity configurations, will take

approximately 10-15 minutes before the configuration is effective. Depending on the

system architecture, the changes must be stored and then propagated to multiple MTAs

performing the processing for Secure Email Gateway (SEG). Some changes may take

longer, such as deleting an entire domain with all its related data.

Question: There are emails in my quarantine that I want to always receive. I clicked the “Always Allow” button, but the emails still get caught – What am I doing wrong?

Answer: The user-level Allow list does not disable virus, content, or attachment filtering;

it only disables the spam filtering. If the email violated any of the enabled policies, it

would be filtered even if its sender address was added to the user-level Allow list.

In addition, companies often send items in a format that looks like spam that a user may

have opted to receive, such as electronic newsletters or emails, causing the email to be

quarantined. When a user clicks the Always Allow link in the Spam Quarantine Report or

the Spam Message Quarantine window, the sending email address is added to the user-

level Allow list. However, for various reasons, emails of this nature may not always come

from the same address every day. Because senders often rotate the address of these types

of emails, the same item could be delivered the very next day and still be blocked because

the sender address does not match the previous entry in the Allow list.


To help prevent this situation, you can use wildcards to designate an entire domain or part

of an email address (if there is a common pattern) to be added in the Allow list, thus

accepting all mail from the domain or email addresses that matched the designated pattern.

Question: What are the default email policies?

Answer: You can view the current default policy configurations in the Policy

Configurations set of windows. The default settings are designed to minimize the

possibility that email will be blocked while still providing reasonable protections against

attacks and viruses.

Question: How does Secure Email Gateway (SEG) score spam? What about “false positives”?

Answer: The Anti-Spam filtering technology detects the likelihood that an email is spam

by processing the email through thousands of heuristics, rules, and tests, as well as

sophisticated statistical classification techniques, as part of its Stacked Classification

Framework®. Each test provides a weighted score that is added to the overall "spam

score." We have pre-defined two threshold scores for your Anti-Spam policy, "high" and

"medium." You can designate a separate action to be performed for each threshold.

It is important to note that some emails might be marked as spam when in fact they are

legitimate emails ("false positive"). While we believe that this false positive tagging will

not be a frequent occurrence, it may happen occasionally, especially to mailing-list and

newsletter traffic. In such cases, we ask that you help us "tune" our spam thresholds and

rules by sending a forwarded copy of the email with all content and attachments to seg-

[email protected] .

Using the Control Console, you can quarantine, tag, or block emails based on the

corresponding threshold levels. Additionally, you can construct enterprise-level Allow and

Deny lists that override spam threshold levels. Finally, you can enable or disable the

Realtime Blackhole List (RBL).

Question: What exactly does “deny delivery” do? Will we add to email volume by generating bounce messages if we set our policies to “Deny”?

Answer: To satisfy standard SMTP protocol, if an email is denied for any reason, the

Secure Email Gateway (SEG) MTA sends a 5xx Deny message to the sender MTA. At

that point, the standard configuration for the sender MTA is to send a bounce email to the

sender address. It is possible that the sender MTA will just drop the message, but this is

atypical. Secure Email Gateway (SEG) has no control over the actions of the sender

MTA.

The exception to this processing is if the Recipient Shield policy is set to Deny. In this

case, Secure Email Gateway (SEG) will generate the bounce email and send it directly

to the sender address.

Use the Accept and Silent Discard email action for the relevant policies if you want to

minimize email volume caused by 5xx Deny messages or if you do not want the sender to

be notified that the email was denied. This email action accepts the email as if it was valid,

and then discards it without notification to the sender or recipient.

Question: I’m receiving spam email from my own email address and I know I didn’t send it. What’s happening and how do I stop it?

Answer: A spammer has "spoofed" your email address. Spoofing means that the "From:"

address in emails has been falsified to be an address other than the real source of the

emails. The intent is to trick the recipient into opening the email because it appears to be

from a trusted source. In your case, they made the mistake of using your own email

address as the spoofed address and you realized that you had not sent the email. Spoofing

is illegal according to the CAN-SPAM Act of 2003; however, it is still a common tactic

used by spammers.

You can do any of the following in Secure Email Gateway (SEG) to block these types of

emails.

• Confirm that your own email address is not in an Allow list.

It is possible that the spoofed email would be caught by normal spam filtering;

however, if your email address is in an Allow list, spam filtering will be disabled. If

necessary, remove your email address from any Allow lists to make sure spam

filtering is performed.

• Add your own email address to your user-level Deny list

This policy will automatically deny any emails received from your email address. It

will apply to all emails received from the Internet into Secure Email Gateway

(SEG) that are filtered and then sent to you. It will affect only emails sent to your

address.

• Add your own email address or entire Domain name to your policy set Sender Deny

list

This policy will do the same as above, but will apply to all user accounts subscribed to that

policy set. If the Domain name is used, then all emails from that Domain will be filtered.

Note: Using a Deny list as a filtering tactic in this situation will succeed only if your

corporate email is not sent into the Internet cloud before delivery to other addresses in

your Domain name. The assumption is that your corporate email is delivered within your

internal network without filtering by Secure Email Gateway (SEG).

If your organization does deliver your corporate email using a delivery method that

includes sending it into the Internet, it is possible that valid corporate emails will be

filtered if you make the above policy changes.
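A simplified model of the Allow and Deny list behaviour described in the "Always Allow" answer and the spoofing answer above, as an added Python example (not SEG code). The `*` wildcard syntax, the order in which the lists and policies are checked, and every name and address are assumptions. It shows a rotated sender missing an exact Allow entry, an Allow entry leaving virus, content, and attachment filtering in place, and an Allow entry for your own domain letting a spoofed message skip spam filtering.

```python
import re


def matches(address, patterns):
    """True if address matches any list entry; '*' stands for any characters."""
    address = address.lower()
    for pattern in patterns:
        # Escape everything except '*', which becomes '.*'.
        regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
        if re.fullmatch(regex, address):
            return True
    return False


def evaluate(msg, allow, deny):
    """Return the outcome for one inbound message.

    msg is a dict (hypothetical shape): 'from' plus optional boolean flags
    'virus', 'content', 'attachment' and 'spam' for the policy it violates.
    Assumed order: Deny list, then non-spam policies, then Allow list, then spam.
    """
    sender = msg["from"]
    if matches(sender, deny):
        return "deny"
    # The Allow list does not disable these three filters.
    for policy in ("virus", "content", "attachment"):
        if msg.get(policy):
            return "filtered:" + policy
    # The Allow list only disables spam filtering.
    if matches(sender, allow):
        return "deliver"
    return "quarantine" if msg.get("spam") else "deliver"


# Constructed sample messages.
NEWSLETTER = {"from": "news-0412@mailer.example", "spam": True}
NEWSLETTER_BAD_ATTACHMENT = {"from": "news-0412@mailer.example",
                             "spam": True, "attachment": True}
SPOOFED_SELF = {"from": "me@corp.example", "spam": True}


def scenarios():
    """Run the cases discussed in the two answers and return the outcomes."""
    return {
        "exact Allow entry, sender rotated":
            evaluate(NEWSLETTER, ["news-0411@mailer.example"], []),
        "wildcard Allow entry for the domain":
            evaluate(NEWSLETTER, ["*@mailer.example"], []),
        "allowed sender, attachment violation":
            evaluate(NEWSLETTER_BAD_ATTACHMENT, ["*@mailer.example"], []),
        "spoofed own address, own domain in Allow list":
            evaluate(SPOOFED_SELF, ["*@corp.example"], []),
        "spoofed own address, removed from Allow list":
            evaluate(SPOOFED_SELF, [], []),
        "spoofed own address, added to Deny list":
            evaluate(SPOOFED_SELF, [], ["me@corp.example"]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```
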

System Configuration

Question: I just redirected my MX Record. How can I make sure that my email is coming through Secure Email Gateway (SEG)?

Answer: Once the MX Record has been redirected and the service has been configured,

emails can be sent from a sender outside of the system to a user provisioned on the

Domain. To see if the email was received in your system from Secure Email Gateway

(SEG), monitor email processing flow in the Overview window.

You should be aware that email servers do not always accept changes immediately after

the redirection of the MX Record. This means that some email servers may still send email

directly to your inbound servers and not to the redirected MX Record for the first 2-3 days

after the redirection.


It is also highly recommended that you block the acceptance of email traffic from any source other than Secure Email Gateway (SEG) into your inbound servers to help prevent hackers from connecting directly to your servers. These addresses are specified in your Service Launch Guide.
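
One way to check this from the mail server side, as an added example that is not part of the original guide: the script scans MTA connection logs for SMTP clients outside the SEG address ranges, which shows who is still delivering directly after the MX change and what a block rule would affect. The Postfix-style log format, the sample lines, and the 192.0.2.0/24 range are assumptions; use the addresses from your Service Launch Guide.

```python
import ipaddress
import re
from collections import Counter

# Placeholder range (RFC 5737 documentation space), an assumption. Replace it
# with the SEG delivery addresses listed in your Service Launch Guide.
SEG_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed Postfix-style "connect from host[ip]" line. The \b keeps
# "disconnect from" lines from being counted as new connections.
CONNECT_RE = re.compile(r"\bconnect from \S*\[([0-9A-Fa-f.:]+)\]")

# Constructed sample log lines (hosts and addresses are illustrative).
SAMPLE_LOG = """\
Oct 12 09:00:01 mx1 postfix/smtpd[411]: connect from gw1.seg.example[192.0.2.10]
Oct 12 09:00:07 mx1 postfix/smtpd[412]: connect from unknown[203.0.113.45]
Oct 12 09:01:13 mx1 postfix/smtpd[413]: connect from gw2.seg.example[192.0.2.11]
Oct 12 09:02:30 mx1 postfix/smtpd[414]: connect from mail.partner.example[198.51.100.7]
Oct 12 09:02:31 mx1 postfix/smtpd[415]: connect from unknown[203.0.113.45]
Oct 12 09:03:00 mx1 postfix/smtpd[416]: disconnect from unknown[203.0.113.45]
"""

def from_seg(ip_text, ranges=SEG_RANGES):
    """True if the client address falls inside one of the gateway ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ranges)

def direct_senders(log_text, ranges=SEG_RANGES):
    """Count SMTP connections per client IP that did not come from the gateway."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            if not from_seg(m.group(1), ranges):
                hits[m.group(1)] += 1
        except ValueError:
            # Malformed address in the log: report it instead of dropping it.
            hits["unparseable:" + m.group(1)] += 1
    return hits

if __name__ == "__main__":
    for ip, count in direct_senders(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} direct connection(s), not via SEG")
```

Run it against a few days of logs before enabling the block, so that legitimate senders still using cached MX data are visible first.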

Question: Why am I redirecting the MX Record and how does my email get back to me?

Answer: The MX Record is the method of telling all the other email servers on the

Internet who you are (your domain names) and where you are (your inbound server

addresses). When any email is sent, the sending email server looks at the MX Record to

verify the email server to which the email should be delivered.

By redirecting your MX Record to point to the server where Secure Email Gateway

(SEG) is installed, you are sending your email to Secure Email Gateway (SEG). Secure

Email Gateway (SEG) captures your domain's email traffic by acting as the email server

for the Domain, routing the traffic through Secure Email Gateway (SEG) filters, and then

delivering the acceptable emails to your email servers. You configure your email servers

in the Inbound Servers Setup window.

In a similar way, if you have enabled outbound email filtering, you would configure your

sending email server to send your email to Secure Email Gateway (SEG). Secure Email

Gateway (SEG) filters your email and then sends it to the Internet cloud.

One advantage of redirecting your MX Record is that the addresses of your email servers

are now no longer published, which helps to protect your email servers from direct email

attacks and bad email.

Question: My server went down for a short period of time – what happened to our company’s emails?

Answer: Secure Email Gateway (SEG) attempts to connect to all the servers configured

for your domain in the Inbound Servers Setup window in the order designated in the

Preference column, from the lowest number to the highest number. It will start spooling

email if your servers are unavailable and unspooling when they become available again.

Most email servers are set to keep trying to deliver the email for an extended period of

time before they finally stop and permanently fail the email. Secure Email Gateway

(SEG) cannot control the length of time or the frequency at which the sender's email server will continue to attempt to deliver these emails.

Question: How does Secure Email Gateway (SEG) affect my MTA?

Answer: SEG architecture naturally provides high-level redundancy and disaster

recovery by leveraging a secondary MX record set to your internal mail servers. The

service is currently configured to deliver your inbound email traffic to the Message Transfer Agent (MTA) servers (a.k.a. inbound servers) on your premises configured in each domain. If you change the addressing in your network for your inbound servers, you must update the configurations in Secure Email Gateway (SEG).

At any time in Secure Email Gateway (SEG), you may change the configured IP address of your inbound servers. Be prudent when making changes to your delivery MTA configuration, as any applied modifications will be enabled instantly and affect inbound SMTP routing.

Question: Why is SEG refusing connections from my inbound email servers?

Answer: If Secure Email Gateway (SEG) receives a minimum of 20 attempted connections from an IP address where more than 60% of the recipients are invalid, it adds the IP address to a temporary "global blacklist" for 4 hours. After the time period has passed, SEG will remove the IP address from the temporary global blacklist and again accept connections from it.

This process helps protect against Dictionary Harvest Attacks, where spammers are

attempting all combinations of email addresses to glean valid email addresses for

subsequent spamming. It also helps protect against Denial of Service attacks.
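
The rule described above, modeled as an added example (this is not SEG's implementation, which the guide does not describe): replaying your own connection history through it shows whether a server would trip the threshold and when it would be accepted again. How SEG counts attempts and recipients is an assumption here (cumulative per IP, reset on listing), and the addresses and traffic are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_ATTEMPTS = 20                # guide: "a minimum of 20 attempted connections"
INVALID_PCT = 60                 # guide: "more than 60%", so exactly 60% is allowed
BLOCK_FOR = timedelta(hours=4)   # guide: listed "for 4 hours"

class HarvestGuard:
    """Model of the temporary-blacklist rule; counting details are assumptions."""
    def __init__(self):
        self.stats = defaultdict(lambda: {"attempts": 0, "rcpt": 0, "invalid": 0})
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        if ip in self.blocked_until and now >= self.blocked_until[ip]:
            del self.blocked_until[ip]          # listing expired, accept again
        return ip in self.blocked_until

    def connect(self, ip, now, rcpt, invalid):
        """Record one connection attempt; return False if it is refused."""
        if self.is_blocked(ip, now):
            return False
        s = self.stats[ip]
        s["attempts"] += 1
        s["rcpt"] += rcpt
        s["invalid"] += invalid
        if s["attempts"] >= MIN_ATTEMPTS and s["invalid"] * 100 > INVALID_PCT * s["rcpt"]:
            self.blocked_until[ip] = now + BLOCK_FOR
            del self.stats[ip]                  # assumption: counters reset on listing
        return True

def replay(events):
    """events: (ip, time, recipients, invalid). Returns refused count per IP."""
    guard, refused = HarvestGuard(), defaultdict(int)
    for ip, now, rcpt, invalid in events:
        if not guard.connect(ip, now, rcpt, invalid):
            refused[ip] += 1
    return dict(refused)

T0 = datetime(2011, 10, 1, 9, 0)   # constructed traffic, one connection per minute
def burst(ip, n, rcpt, invalid, start=T0):
    return [(ip, start + timedelta(minutes=i), rcpt, invalid) for i in range(n)]
SAMPLE = (burst("192.0.2.10", 25, 5, 4)      # 80% invalid: listed at the 20th attempt
          + burst("192.0.2.20", 30, 10, 1)   # 10% invalid: never listed
          + burst("192.0.2.30", 10, 5, 5)    # 100% invalid, but under 20 attempts
          + burst("192.0.2.40", 25, 5, 3)    # exactly 60%: not "more than 60%"
          + burst("192.0.2.10", 3, 5, 0, T0 + timedelta(hours=5)))  # after expiry
if __name__ == "__main__":
    print(replay(SAMPLE))
```

Only the first source is refused, for the five attempts that follow its listing; its connections five hours later are accepted again.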

Question: The Internet Explorer Content Advisor keeps blocking the Control Console. How do I prevent that?

Answer: You must disable the Content Advisor feature of Internet Explorer to be able to use the Control Console. Do the following to disable the Content Advisor feature if it is enabled:

1 In the Internet Explorer window, click Tools > Internet Options.

2 In the Internet Options window, click the Content tab.

3 In the Content Advisor area in the Content tab, click the Disable button.

If there is an Enable button, but no Disable button, this means that Content Advisor is

already disabled. Click the Cancel button until you return to the browser window.

4 Enter the password in the Supervisor Password Required dialog.

5 Click the OK button.

6 Continue clicking the OK button until you return to the Internet Explorer window.

Question: When I click a command in the Control Console, nothing seems to happen.

Answer: If you've set your Web browser to not accept cookies or JavaScript, the Control Console will not work. "Cookies" are mini-applications that run in your Web browser to communicate with the originator of the cookie through the Internet. The Control Console downloads cookies to your computer to allow it to send and receive data from the Secure Email Gateway (SEG) data center as you perform actions and navigate between the windows.

If you are concerned about security, you can configure your Web browser to allow cookies

only for a single session. This means that only while you have that specific instance of

your Web browser open, cookies will be accepted. If you close the Web browser and then

reopen it, cookies will not be accepted. Do the following to configure Internet Explorer to

accept cookies:

1 In the Internet Explorer window, click Tools > Internet Options.

2 In the Internet Options window, click the Privacy tab.

3 In the Settings area in the Privacy tab, do one of the following:

A Move the slider to select Medium.

B Click the Sites button.

4 In the Per Site Privacy Actions window, enter the URL for your Control Console in the Address of Web Site field.

5 Click the Allow button.

6 Click the OK button until you return to your browser.

Do the following to configure Internet Explorer to accept JavaScript:

7 In the Internet Explorer window, click Tools > Internet Options.

8 In the Internet Options window, click the Security tab.

9 In the Security tab, click the Internet (globe) icon and then click the Custom Level button.

10 Confirm that the items under the Scripting section in the list are all set to Enabled.

11 Click the OK button until you return to the browser window.

Tips/Techniques

Change Zip File Attachment Policy

We regularly receive a large zipped file as an email attachment from a trusted source,

but it is automatically denied before we see it. How do we get that file without

turning off attachment filtering altogether?

By default, Secure Email Gateway (SEG) automatically denies emails with zipped files whose content cannot be analyzed because they are encrypted, or whose content file type is restricted by the attachment policy.

If you want to receive such files, but not turn off attachment filtering, you have two

options.

Option 1

Modify the "Message contains a high risk zip attachment" field in the Additional Policies subtab and save the policy change. This method affects emails for all user accounts associated with the policy set.

Option 2

If the attachment filename is always the same or contains the same string (for example, if

the filename always contains "monthly_report"), you can designate a policy specific to

that filename. In this case, create a custom filename policy in the Filename Policies

subtab.

Caution: This policy would allow any attachment file that contains the designated string

in its name to potentially bypass email filtering.

Wrong Email Got Past Filter

What do we do if spam email, virus email, etc., was delivered anyway?

If you or an email recipient in your system has received email that you feel should have

been filtered, do the following:

1. Check that the email addresses were not added to an Allow list by either the email

recipient or by an Administrator.

2. Check your policy settings in the Control Console to confirm that you have not

changed any settings to allow these emails to bypass filtering.

3. If you have determined that Secure Email Gateway (SEG) or your email system was

not configured to let these emails bypass filtering, forward the email with all content,

header information, and attachments to [email protected]

Service personnel will analyze the email information to refine the filtering engines for

subsequent release, and if necessary, post any urgent updates to virus scanners, etc., to

support filtering these emails properly.