SEG Administrator Guide
RESTRICTION ON USE, PUBLICATION, OR DISCLOSURE OF PROPRIETARY INFORMATION. Copyright © 2011
AT&T Information in this and other associated documents is subject to change without notice. Companies, names, and data used in examples are fictitious unless otherwise noted. This document is confidential and proprietary. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of AT&T. The software described in this document is furnished under a license agreement and may be used or copied only in accordance with the terms of such license and with the inclusion of the AT&T copyright notice. This publication could include technical inaccuracies or typographical errors. This publication is provided "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
Oct. 2011 Proprietary: Not for use or disclosure outside AT&T without written permission ii
Contents
1. Overview
Account Management Necessary for Secure Email Gateway (SEG)
Auto-creation of Users
Email Filtering Policies
Types of Inbound Email Filtering
Anti-Spam Filtering
Real-time Blackhole List
Anti-Virus Filter
Content Filtering and ClickProtect
Attachment Filtering
Multi-Level Allow and Deny Lists
Types of Outbound Email Filtering
Configurable Actions for Filtered Email
Notifications for Filtered Email
User-level Policy Configurations
Quarantine
Emailed Reports of Quarantined Spam Emails
Customizing the Interface
Outbound Disclaimer
Notifications
Monitoring and Reporting
Disaster Recovery Services
Message Continuity
2. Secure Email Gateway (SEG) Administration
Who Can Access Secure Email Gateway (SEG) Administration Screens
Ensure You Can Receive Email from Your Service Provider
Sign into the Control Console
Reset Your Password from the Sign in Page
3. Status of Secure Email Gateway (SEG) on the Overview
4. Set up Your Servers
Confirm Your Inbound Servers Setup
Set up Additional Inbound Servers
Delete an Inbound Server
Add IP Address of Outbound Server, If Necessary
Delete an Outbound Server
Set up a Smart Host (If Outbound Mail Defense is Turned on)
Add an Outbound Email Disclaimer
Redirect Your MX Records
Set up User Creation Mode — SMTP Discovery or Explicit
5. Customize Inbound Mail Filters
Create a Custom Policy
Configure a Virus Filter
Set Secure Email Gateway (SEG) to Notify Users about Emails with Viruses
Configure a Spam Filter
Define the Action to Take on Spam
Define Additional Words That Indicate Spam
Set up Spam Quarantine Reports
Configure a Content Filter
Turn Off a Default Content Filter
Custom Content Group
Notify Users about Spam Content
Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons
Configure Web Hyperlink Filters (ClickProtect)
Upload a List of Allowed URLs
Download a List of Allowed URLs from the Control Console
Define an Attachment Filter
Filter by Attachment File Types
Filter by Attachment File Name
Filter Zip File Attachments
Notify Users about Attachment Violations
Allow or Deny Email to or from Specific Addresses
Allow Email from a Specific Address
Sender Policy Framework (SPF)
Deny Email from a Specific Address
Deny Email to a Specific Recipient
Save a Copy of an Allow, Deny, or Recipient Shield List
Add Allow, Deny, or Recipient Shield Addresses with a Batch File
Transport Layer Security
Enforced TLS tab
Notifications Subtab
Define the Format and Text of Notifications to Users
Variables within a Notification
Define the Format and Text of Virus Notifications
Define the Format and Text of Content Violation Notifications
Define the Format and Text of Attachment Violation Notifications
Enforced TLS
Enforced TLS Subject Headers
Disaster Recovery
Assign a Group to the Custom Policy
6. Customize Outbound Mail Filters
Create a Custom Outbound Policy
Configure a Virus Filter
Configure a Content Filter
Email Encryption for Content Groups
Group Names
Define an Attachment Filter
Define the Format and Text of Notifications to Users
Assign a Group to the Custom Policy
7. Managing Quarantine Reports
Set up Quarantine Reports
Monitor Users' Quarantined Email
Primary Email Addresses, Aliases, and Public Domain Addresses
Search for Quarantined Email
Interpret the Search Results
Sort the Search Results
Delete Quarantined Messages
Release Quarantined Messages
View Quarantined Messages
Monitor Your Own Quarantine
8. Set up Disaster Recovery Services
Administer Disaster Recovery Services
Set up Spooling for Disaster Recovery
Set up Notifications of Disaster Recovery
9. System Reports
Secure Email Gateway (SEG) Reports
View a Secure Email Gateway (SEG) Report
Change the Graphic Display of the Report
Download a Report
Traffic Overview
Traffic: TLS Report
Traffic Summary
Bandwidth Summary
Traffic: Encryption
Email Encryption Summary
Email Encryption Bandwidth Summary
Threats: Overview
Threats: Viruses
Threats: Spam
Threats: Content
Threats: Attachments
Enforced TLS Details
Traffic Summary
ClickProtect: Overview
ClickProtect: Click Log
Quarantine: Release Overview
Quarantine: Release Log
View Details of Log Items
User Activity
Event Log
Audit Trail
Inbound Server Connections
Disaster Recovery: Overview
Disaster Recovery: Event Log
Administer Performance Reports
Performance Report Descriptions
Inbound Messages Report, Weekly or Monthly
Outbound Messages Overview
10. Tips and Frequently Asked Questions
FAQs
User Management
Email Filtering
System Configuration
Tips/Techniques
Change Zip File Attachment Policy
Wrong Email Got Past Filter
1. Overview
Secure Email Gateway (SEG) provides security services that safeguard corporations from
unsolicited spam email ("junk mail"), viruses, worms, and unwanted content at the
network perimeter before they can enter the internal network.
Multiple layers of Secure Email Gateway (SEG) provide secure and complete email
filtering to protect your users. You can enable or disable specific layers by changing the
licensed packages of features and/or through configuring the specific email policies in the
Control Console, the comprehensive graphical interface into Secure Email Gateway
(SEG).
This document describes the tasks necessary to configure and maintain your Secure Email
Gateway (SEG) Service.
Account Management Necessary for Secure Email Gateway (SEG)
Account Management is a set of administrative screens you use to configure and manage
the entities that use or are affected by your Secure Email Gateway (SEG) Service.
• Domains
• Users
• Other administrators, including other Customer Administrators, Domain
Administrators, Quarantine Managers, and Reports Managers
In addition, you use Account Management to administer groups of users that share a
common email filtering policy.
Alias Domain Names
You can configure "alias" domain names that act as virtual domains using the
configurations and email addresses defined in the primary Domain name. Email addresses
are created automatically for alias domains (for example,
"[email protected]" is automatically created for
"[email protected]"), allowing the single user to receive email for both
addresses.
Auto-creation of Users
Secure Email Gateway (SEG) automatically creates new user accounts if all of the following
are true:
• SMTP Discovery is enabled. SMTP Discovery, which is enabled by default, is a
convenient way to add users to your service. However, this capability might also add
users who are not real users at your company and not add users who are real.
• Three to six emails for that email address have been received, passed filtering, and
accepted by your email server within a configured time period (typically, a single
day).
• A user account does not exist for the email address in the designated Domain.
• The emails were not addressed to an alias domain name.
Email Filtering Policies
Secure Email Gateway (SEG) has default inbound and outbound mail filters to block and
clean malicious email and to quarantine email that might be malicious. The filters are
configured by using policies, which are the parameters for the filters. Default policies are
automatically assigned to each of your domains.
You can customize the default inbound policy for any and each domain, or any and each
group, to fit your business needs.
Types of Inbound Email Filtering
Secure Email Gateway (SEG) can filter both inbound and outbound email. The following
types of inbound filtering can be configured:
• Anti-Spam Filtering
• Real-time Blackhole List
• Anti-Virus Filter
• Content Filtering and ClickProtect
• Attachment Filtering
• Multi-Level Allow and Deny Lists
Anti-Spam Filtering
Spam is usually defined as unsolicited (and usually unwanted) and commercial email sent
to a large number of addresses. However, what one recipient may consider as spam,
another recipient would consider as legitimate email.
In addition, spam has become a tool of hackers and "electronic terrorists" who deliberately
attempt to gather proprietary information from computer systems and/or attempt to cause
harm to a company's email system. Typically, these types of spammers deliberately use
naming standards, hijacked "From:" addresses, scrambled content, etc., to bypass spam
filters such as blacklists and keyword lists.
Using Stacked Classification Framework®, Secure Email Gateway (SEG) provides the
most comprehensive and effective spam-blocking product on the market today—blocking
98% of spam and providing an industry-leading low false positive rate (legitimate email
marked as spam).
The Stacked Classification Framework aggregates the most effective spam filters and
techniques in the industry into a spam likelihood. As appropriate, email is assigned a
"high" or "medium" likelihood of being spam. A separate email action can be assigned to
each likelihood.
The spam classification techniques include the following:
Spam Filter Type: Description
• IP Reputation Connection Manager: This filter operates at the front of the Stacked
Classification Framework. It rates the reputation of every incoming email, based on IP
reputation data collected by Secure Email Gateway (SEG) on an on-going basis.
Connections are dropped for all messages which originate from IP addresses that are
determined to carry a reputation for sending spam.
• Bayesian Statistical Filtering: Statistical algorithms built by your Secure Email
Gateway (SEG) identify and quantify the possibility that an email is spam based on how
often elements in that email have appeared in identified spam emails.
• Industry Heuristics: Secure Email Gateway (SEG) incorporates thousands of successful
industry-wide spam-fighting rules to recognize characteristics of spam.
• Proprietary Heuristics: Secure Email Gateway (SEG) experts write and update thousands
of proprietary rules to block spam, including fraudulent "phishing" spam, using real-time
data from your service provider's Threat Center.
• URL Filtering: URL filtering works by comparing embedded links found in emails with
URLs associated with identified spam.
• Reputation Analysis: Secure Email Gateway (SEG) constantly monitors inbound email to
build a list of IP addresses and domain names to rate the reputation of the sender based
upon the percentage of spam emails received from that address in the past.
• Reputation-Based RBL Filtering: Using up to 31 real-time blackhole lists (RBLs) of
known spammers provided by the industry, Secure Email Gateway (SEG) creates a single RBL
indicator to help gauge the likelihood of an email being sent by a known spammer. Using
multiple blacklists to create a single vote, and rating the reputation of each RBL based
on its accuracy at distinguishing spammers from senders of legitimate email, helps to
minimize the possibility of a non-spammer being blocked by mistake.
• Sender Policy Framework (SPF): The SPF classifier helps identify and block fraudulent
"spoofing" emails – those sent by spammers with forged "From" addresses – from entering
your email network. For each inbound email, the SPF classifier will look up the sending
domain's Domain Name System (DNS) record and its list of authorized IP addresses. Emails
that carry an IP address not found on the authorized list will be included within the
Stacked Classification Framework for the detection of spam. By determining whether or not
the relationship between the DNS record and the IP address is legitimate, Secure Email
Gateway (SEG) is able to more accurately filter out fraudulent spoofed emails. As a
result, this reduces the risk for users who might be duped by the email into divulging
confidential personal information.
Real-time Blackhole List
The Real-time Blackhole List (RBL) is a system for creating intentional network outages
("blackholes") for the purpose of limiting the transport of known-to-be-unwanted mass
email. The RBL is a database of IP addresses that are reported to be spam sources.
Anti-Virus Filter
Secure Email Gateway (SEG) provides highly effective, organization-wide virus and
worm protection. By identifying viruses and worms at your network perimeter—before
they enter or leave your messaging infrastructure—Secure Email Gateway (SEG)
minimizes outbreak and infection risks to your enterprise messaging infrastructure. You
can configure whether infected emails are quarantined, denied, or stripped of infection.
• Provides maximum protection using multiple, industry-leading anti-virus engines to
allow Secure Email Gateway (SEG) to customize the protection to meet the latest
threats.
• Virus definition updates every 5 minutes provide up-to-the-minute defense against the
latest threats.
• Provides safe, external virus scanning and quarantine management for protection
against viruses before they reach your network. Protects your users, networks, and
data from harm.
Content Filtering and ClickProtect
Secure Email Gateway (SEG) protects your organization and reduces liability and risk by
automatically identifying unwanted and malicious content before it enters or leaves your
network.
You can enable any of the following types of content filtering:
Content Filter Type: Description
• Predefined Content Keyword Groups: You can enable or disable predefined content keyword
groups provided by Secure Email Gateway (SEG): Profanity, Sexual Overtones, and Racially
Insensitive.
• Customized Content Keyword Groups: You can define customized content keyword groups
containing terms and phrases to satisfy the business and security requirements of your
organization.
• Multiple Levels of HTML Filtering: You can designate the level of HTML filtering to be
used (low, medium, or high), with predefined actions for each level. Depending on the
level, malicious HTML tags and scripting options embedded in email are stripped.
• Graphic Image Replacement: You can enable or disable the automatic replacement of
images with a transparent 1x1 pixel GIF within HTML emails.
• Stripping of Spam Beacons or Web bugs: "Spam beacons" and "web bugs" are typically
transparent, 1x1 pixel graphics embedded in HTML content that send information about your
system to the source (usually a URL) of the spam beacon or web bug. Typically, web bugs
are used on Web sites to monitor surfing behavior, but now spammers are hiding them in
their mass mailings as spam beacons. If the graphic is not removed before an email is
opened, the spam beacon sends a signal back to the spammer's URL that lets the spammer
know whether the email was opened and if the recipient's email address is valid. If the
spammer gets this signal, the recipient is marked as a "valid" email address and is
guaranteed to receive more spam in the future. You can enable or disable the automatic
stripping of spam beacons or Web bugs within HTML emails.
• Disabling hyperlinks within email with ClickProtect℠: ClickProtect allows you to
monitor, and to enable or disable, whether Web hyperlinks received in emails can be
clicked and followed by the user. With multiple levels of ClickProtect policy control,
Administrators can customize the desired level of protection. This feature supports
blocking phishing sites and accidental downloads of viruses and worms.
Attachment Filtering
Secure Email Gateway (SEG) provides you the ability to control the types and sizes of
allowed attachments entering your email network. You can control attachment filtering
using any of the following:
Attachment Filter Type – Description
Attachment Filtering by File Type – You can enable or disable filtering of attachments by file type. File type is determined using the file extension, MIME content type, and binary composition.
Attachment Filtering by Size – You can designate a maximum allowed size for each enabled attachment type.
Custom Attachment Rules by Filename – You can configure custom rules using filenames that override the "global" settings for an attachment file type. You can designate that the rule use the entire filename or any part of the filename.
Filtering for Files Contained within a Zip File Attachment – You can configure custom rules to cause Secure Email Gateway (SEG) to analyze the files within a zip file attachment, if possible, to determine if a file in the zip file violates attachment policies. If the zip file cannot be analyzed, you can designate the email action to be applied.
Encrypted or "High Risk" Zip File Attachment Rules – You can configure custom rules for emails with encrypted zip files and/or zip files that are considered "high risk" (too large, too many nested levels, etc.).
Aggregate Message Size
You can limit the aggregate size of e-mails in 10 MB increments up to the maximum
100 MB limit.
Multi-Level Allow and Deny Lists
Secure Email Gateway (SEG) allows you to define lists of emails that will always be
denied ("blacklists") or will always be accepted ("whitelists") at multiple levels. In
addition, you can enable a third-party Real-time Blackhole List to be used to filter
unwanted emails.
The administrator-level lists override the user-level lists in a top-down manner: global lists
first, policy set lists next and lastly user-level lists. For example, if the same address is
added to a user-level Allow list and the policy set Deny list, the address is always denied.
At the same level, the Allow list overrides the Deny list. For example, if you designate a
range of email addresses (for example, by designating an entire domain) in the Deny list,
but then designate a single email address from that domain in the Allow list, the email
from that single address will be always accepted while the email from any other address in
the domain in the Deny list will be always denied.
The same address string cannot be added multiple times in the same list or added to both
the Allow and Deny lists.
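The precedence rules above, worked through as an added example (not code from the guide or from SEG). The list layout, the entry syntax (an entry with @ is an address pattern, anything else is a domain, * and ? are wildcards) and every address are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Order in which the guide says the levels are consulted.
LEVELS = ("global", "policy_set", "user")


def entry_matches(entry: str, sender: str) -> bool:
    """Match one list entry against a sender address.

    Assumed syntax (not specified in the guide): an entry containing '@'
    is an address pattern, any other entry is a domain pattern, and
    '*' / '?' are wildcards.
    """
    sender = sender.lower()
    subject = sender if "@" in entry else sender.rpartition("@")[2]
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in entry
    )
    return re.fullmatch(regex, subject) is not None


@dataclass
class ListPair:
    """The Allow list and the Deny list kept at one level."""
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)

    def add(self, kind: str, entry: str) -> None:
        if kind not in ("allow", "deny"):
            raise ValueError("kind must be 'allow' or 'deny'")
        entry = entry.strip().lower()
        # The same address string may not appear twice in one list,
        # nor in both the Allow and the Deny list.
        if entry in self.allow or entry in self.deny:
            raise ValueError(f"{entry!r} is already listed at this level")
        getattr(self, kind).append(entry)


def decide(sender: str, lists: dict) -> tuple:
    """Return (verdict, level, entry) for a sender address.

    Levels are walked top-down, so the first level with any match decides.
    Inside a level the Allow list is checked before the Deny list.
    'filter' means no list matched and normal filtering applies.
    """
    for level in LEVELS:
        pair = lists.get(level)
        if pair is None:
            continue
        for verdict, entries in (("allow", pair.allow), ("deny", pair.deny)):
            for entry in entries:
                if entry_matches(entry, sender):
                    return verdict, level, entry
    return "filter", None, None


def build_sample_lists() -> dict:
    """Constructed sample data; every address here is made up."""
    policy_set, user = ListPair(), ListPair()
    policy_set.add("deny", "example.net")            # a whole domain
    policy_set.add("allow", "billing@example.net")   # one address inside it
    policy_set.add("deny", "promo@example.org")
    user.add("allow", "promo@example.org")           # loses to the policy set
    user.add("deny", "*@lists.example.com")
    return {"policy_set": policy_set, "user": user}


if __name__ == "__main__":
    sample = build_sample_lists()
    for addr in ("billing@example.net", "sales@example.net",
                 "promo@example.org", "news@lists.example.com",
                 "friend@example.com"):
        print(addr, "->", decide(addr, sample))
```

Returning the level and the matching entry with each verdict shows which list decided the outcome, which helps when a user-level Allow entry appears to be ignored.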
Be aware that emails that have been quarantined by Secure Email Gateway (SEG) may
not need to be added to Deny lists because they are already being blocked from entering
your email network.
Following are the types of Allow and Deny lists that are available in Secure Email Gateway (SEG):
Allow/Deny List Type – Description
Global Deny List – If your Secure Email Gateway (SEG) provider determines that a Sending SMTP has sent too many invalid incoming emails within a specified time period, it will add the IP address for that Sending SMTP to a Global Deny List for a designated time period (default is 2 hours). During the denial period, all emails received from that Sending SMTP will be automatically denied. This process helps to protect against dictionary harvest and Denial of Service attacks. This process can be disabled at the system level.
Policy set-level Sender Deny Lists and Sender Allow Lists – Sender Deny lists indicate sender addresses from which email is denied automatically. Sender Allow lists indicate sender addresses from which email is allowed without spam, content, or attachment filtering (virus filtering is always enabled unless specifically disabled). You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. Each policy set affects the email filtering for all user accounts in the groups that are subscribed to that policy set.
User-level Deny Lists and Allow Lists – Maintained by you and/or the user, Deny lists indicate sender addresses from which email is denied automatically. Allow lists indicate sender addresses from which email is allowed without spam filtering (all other enabled filtering will be applied). You can designate a single email address, entire domains or IPs, or use wildcards to designate ranges of addresses. Optionally, you can save these lists to a spreadsheet file. These lists affect only the emails received for the designated user account and its alias addresses ("user-level" lists).
Recipient Shield List – You can define a list of recipient email addresses for which you want to specify special email actions (for example, you want to deny all emails for a user who is an ex-employee). You can also specify the email action to take if the recipient email address is invalid in your system (permfailed by your email server as an "invalid recipient").
Types of Outbound Email Filtering
You can add outbound filtering to each package, helping to ensure the safety and
appropriateness of information being sent from your corporate email system to valued
customers or business partners.
Filter Type – Description
Content Filtering – This feature automatically prevents inappropriate, malicious, or confidential content from leaving your corporate email system, allowing you to monitor and enforce your corporate email policies.
Attachment Filtering – Outbound attachments can be filtered by size, by MIME content type, or by binary content, according to your corporate email policies.
Virus Scanning – Outbound virus scanning stops viruses and worms from leaving your corporate email system, preventing your enterprise from being the source of email-borne viruses to customers, suppliers, and partners.
Configurable Actions for Filtered Email
In Secure Email Gateway (SEG), email filtering policies control how emails are filtered
within a specific Domain and how Secure Email Gateway (SEG) will respond during
email filtering and reporting. Depending on the feature package that is licensed for a
domain, specific email filters will be available to be enabled and configured. Also,
depending on the enabled email filter, various actions must be configured that define
how Secure Email Gateway (SEG) will respond if an email violates the specific filter
policy.
Based on the defined policy configuration, each email that violated the specified policy
can have any of the following actions taken, depending on the type of policy:
Action – Description
Quarantine – The email is added to the respective quarantine area and is not sent to the recipient email address. If the email violated a spam policy, the email is reported in the user's Spam Quarantine Report.
Tag – The subject line of the email has a descriptive phrase (for example, "[SPAM]") added to the beginning of the subject text and the email is sent to the recipient email address.
Deny Delivery – The email is blocked automatically. Depending on the sending system's configuration, the email sender may or may not be notified with a 5xx Deny email.
Do Nothing or Allow Delivery – The email is forwarded to the recipient email address with no processing applied. The values in the reports and the Overview window will be incremented for the relevant email policy to indicate that an email did trigger the specific policy.
Silent Copy – A copy of the email is forwarded to a list of designated email addresses with no notification to the sender or recipient.
Strip Attachment – If the email had an attachment that violated configured policies, this action causes that attachment to be removed from the email and the email is sent to the recipient email address. Text is inserted into the email notifying the recipient that an attachment has been stripped. Only the attachment that violated the policy is stripped.
Clean – If the email had an attachment that contained a virus or worm, this action attempts to remove the virus or worm and preserve the attachment. If the clean is successful, text is inserted into the email notifying the recipient that an attachment had contained a virus and was cleaned. If this action is selected, a second "fall-back" action also must be designated in case the Clean action fails. This action is specific to the virus filtering policies.
Custom X-Header – If the email was determined to have a high or medium likelihood of being spam, you can configure that a custom X-header be inserted into the email. This X-header can be used by your email servers to perform additional actions within your network, such as redirecting the email. Each spam likelihood can have a different custom X-header. This action is specific to the spam filtering policies.
Disable Filter – A non-administrator user cannot disable virus filtering if it is licensed and enabled for a specific Domain or policy set. Only Administrators can enable or disable virus filtering for a specific Domain or policy set. You can designate that SEG first attempts to remove the virus from an infected attachment, and if the clean fails, perform another action. You can designate that only the infected attachment is stripped and the remaining email contents and attachments are sent to the recipient.
Notifications for Filtered Email
You can enable or disable email notifications to the sender and/or recipient email
addresses of email that was filtered because of virus, content keywords, or attachment.
For more information, see one of the following:
• Set Secure Email Gateway (SEG) to Notify Users about Emails with Viruses
• Notify Users about Spam Content
• Notify Users about Attachment Violations
User-level Policy Configurations
By default, policy configurations are defined for each domain and group. All emails
received for all user accounts within a domain or group are processed using the same
policy configurations.
Optionally, user-level policy configurations can be defined for individual users that
override the Domain/Group policies. Thus, if there is a conflict between a user-level
policy and any of the other types of policy configurations, the user-level policy setting will
be used. These user-level policy configurations allow customization of email actions for
each user.
User-level policies are confined to the following policies:
• Enable or disable email processing for spam, virus, content keyword, attachments,
and/or HTML content.
• Specify actions to take for emails if they are determined to have a high or medium
likelihood of being spam.
• Configure the spam quarantine reporting.
To manage the policy for an individual user, see User-Level Policy Configuration.
To establish user control of policies, see Set up Spam Quarantine Reports.
Users can also have some control over their policies.
Quarantine
Secure Email Gateway (SEG) provides multiple quarantine areas with different
security accesses to store and support review of suspect email outside of your email
network.
Emails that violate configured policies and that have the Quarantine action applied are
sorted into multiple quarantines to ease email management and support security levels:
• Spam Quarantined Messages – Accessible to all users, with users with role of User or
Reports Manager allowed to access only their own personal spam quarantine
• Virus Quarantined Messages – Accessible to only Administrators and Quarantine
Managers
• Attachment Quarantined Messages – Accessible to only Administrators and
Quarantine Managers
• Content Keyword Quarantined Messages – Accessible to only Administrators and
Quarantine Managers
Within each quarantine, you can do any of the following:
• Delete selected emails or all emails
• Release selected emails or all emails for delivery to the recipient
• View selected email in a Safe View window
• Add the sender email addresses to the recipients' user-level Allow list and release the
emails (available only for quarantined spam emails)
Emailed Reports of Quarantined Spam Emails
Optionally, emails are sent to users to indicate that spam emails have been
quarantined, using either of the following types of emails:
• Spam Quarantine Report
Spam Quarantine Reports are HTML-based email notifications of quarantined spam
emails that are sent to users. Multiple links in the Reports allow management of
quarantined spam email based on policy set-level and user-level configurable control
settings. When the user clicks a link, the designated action is performed and the user is
automatically logged into the Control Console.
• Spam Quarantine Summary
Spam Quarantine Summaries are optional text-based email notifications of
quarantined spam email sent to users, to support email applications that are not
HTML-compatible. The user clicks the link provided in the email and is automatically
logged into the Control Console. Once logged in, the user can navigate to the relevant
window to manage the spam quarantine and modify personal settings.
Customizing the Interface
Language Localization
Within the Control Console, windows and features available to the non-administrative
user (whose role is User) can be provided in translated form supporting multiple
languages. When the user logs in via the Sign in window, he or she can select the desired
language in the Language field. Thereafter, all spam quarantine reporting emails and
window and field labels will be provided in the designated language.
The following languages are supported:
• English
• French
• German
• Italian
• Japanese
• Spanish
This feature is available only to non-administrative user accounts. This feature must be
enabled at the system level to be available.
Outbound Disclaimer
You can define text that will be appended to the email content to support liability or legal
requirements for your organization. Every email that was sent from your organization to
Secure Email Gateway (SEG) for email filtering will have the designated text added to
the end of the email content. This feature requires that outbound filtering be licensed.
Notifications
You can customize the content of the notification email for each combination of the type
of filter and each type of email action (quarantine, deny, or strip).
See Define the Format and Text of Notifications to Users.
Monitoring and Reporting
Secure Email Gateway (SEG) provides near-real-time monitoring for most reports of
system usage, email filtering, etc., for the designated Domain and date or date range.
Report data can be downloaded to a Microsoft Excel spreadsheet file (*.csv).
There are multiple reports available for viewing in the Control Console:
For more information, see System Reports.
Disaster Recovery Services
Message Continuity
Message Continuity saves messages for later delivery if your mail server becomes
unavailable. When your mail server becomes available, Message Continuity delivers the
messages. Users can access their messages through a Web-based interface while messages
are in Message Continuity only.
Message Continuity also has unlimited storage capacity and removes messages that have
been in Message Continuity storage for more than 60 days.
For more information, see Administer Disaster Recovery Services.
2. Secure Email Gateway (SEG) Administration
Who Can Access SEG Administration Screens
As a customer of Secure Email Gateway (SEG), you can have administrators who access the
Control Console with different levels of privileges within Account Management.
The levels of administrative users you can add are as follows:
Administrative level – Description
Reports Manager – The Reports Manager can view, for an assigned domain, reports available with Secure Email Gateway (SEG). The Reports Manager can also manage his or her own user preferences and all other tasks a user can perform.
Group Administrator – The Group Administrator can add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create, edit, and modify Secure Email Gateway (SEG) policies for the assigned groups. Finally, a Group Administrator can view user lists and user details. A Group Administrator does not need to be a member of a group in order to have these capabilities. Note: A Group Administrator cannot add or remove a group nor edit user information.
Quarantine Manager – The Quarantine Manager, for an assigned domain, can manage the same areas as a Reports Manager, plus manage, for the assigned domain, all users' Quarantine for spam and other problematic messages.
Domain Administrator – The Domain Administrator, for an assigned domain, can manage the same areas as a Quarantine Manager, plus manage server setup and authentication rules for the domain.
Customer Administrator – The Customer Administrator can manage all aspects of the customer's Account Management for all domains.
Group Administrator – The Group Administrator can, within the Group Administrator's assigned domain, add and remove members from one or more groups if assigned to those groups. A Group Administrator can also create and modify Secure Email Gateway (SEG) policies for the assigned groups. A Group Administrator does not need to be a member of a group in order to have these capabilities.
The following figure summarizes the levels of administrators, plus users, in a
Secure Email Gateway (SEG) configuration.
Table 1: Secure Email Gateway (SEG) Screen Access Privileges
Screen Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator
Overview | No | Yes | Yes | No | No
Policies tab
Policy Sets | No | Yes | No | No | Yes
Anti-virus: Action | No | Yes | No | No | Yes
Anti-virus: Notifications | No | Yes | No | No | Yes
Anti-SPAM: Classification | No | Yes | No | No | Yes
Anti-SPAM: Content Groups | No | Yes | No | No | Yes
Anti-SPAM: Reporting | No | Yes | No | No | Yes
Content: Content Groups | No | Yes | No | No | Yes
Content: Custom Content Groups | No | Yes | No | No | Yes
Content: Notifications | No | Yes | No | No | Yes
Content: HTML Shield | No | Yes | No | No | Yes
Content: Click Protect | Yes | No | No | Yes
Attachments: File Types | No | Yes | No | No | Yes
Attachments: File Name Policies | No | Yes | No | No | Yes
Attachments: Additional Policies | No | Yes | No | No | Yes
Attachments: Additional Notifications | No | Yes | No | No | Yes
Allow/Deny: Sender Allow | No | Yes | No | No | Yes
Allow/Deny: Sender Deny | No | Yes | No | No | Yes
Allow/Deny: Recipient Shield | No | Yes | No | No | Yes
Enforced TLS: Actions | No | Yes | No | No | Yes
Enforced TLS: Notifications | No | Yes | No | No | Yes
Notifications: Content | No | Yes | No | No | Yes
Notifications: Attachment | No | Yes | No | No | Yes
Group Subscriptions | No | Yes | No | No | Yes
Disaster Recovery | Yes | No | No | Yes
Quarantine Tab | No | Yes | Yes | Yes | No
Setup Tab | No
Inbound Servers Setup | No | Yes | Yes | No | No
Outbound Servers Setup | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No
Outbound Disclaimer | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No
Disaster Recovery Setup | Yes. Either FailSafe or Message Continuity must be enabled or included in your package. | Yes | Yes | No | No
MX Records Setup | No | Yes | Yes | No | No
User Creation Settings | No | Yes | No | No | No
Reports tab
Traffic Overview | No | Yes | Yes | Yes | No
Threats Overview | No | Yes | Yes | Yes | No
Threats: Viruses | No | Yes | Yes | Yes | No
Threats: Spam | No | Yes | Yes | Yes | No
Threats: Content | No | Yes | Yes | Yes | No
Threats: Attachments | No | Yes | Yes | Yes | No
ClickProtect: Overview | No | Yes | Yes | Yes | No
ClickProtect: Click Log | No | Yes | Yes | Yes | No
Quarantine: Release Overview | No | Yes | Yes | Yes | No
Quarantine: Release Log | No | Yes | Yes | Yes | No
User Activity | No | Yes | Yes | Yes | No
Event Log | No | Yes | Yes | Yes | No
Audit Trail | No | Yes | Yes | Yes | No
Inbound Server Connections | No | Yes | Yes | Yes | No
Disaster Recovery: Overview | Yes. Either FailSafe or Message Continuity must be enabled. | Yes | Yes | Yes | No
Disaster Recovery: Event Log | Yes. Either FailSafe or Message Continuity must be enabled. | Yes | Yes | Yes | No
Ensure You Can Receive Email from Your Service Provider
If you had or still have a different email security or filtering service and your network is
administered so that you can receive email only from IP addresses associated with that
security service, you must administer your network to allow incoming email from the
networks specified in your Service Launch Guide.
Sign into the Control Console
To manage your account, you must sign into the Control Console with the following steps.
Note: The first time you sign in, you might need to create your password. If so, see Reset
Your Password from the Sign in Page.
1. Open a browser on your computer and enter the URL for the Control Console, which is https://access.seg.att.com
2. At the Control Console Sign in page, enter your email address and
password.
3. Click Sign-in.
If you have not previously entered an answer to a security question, the Security
Question screen pops up.
The answer to the security question is used to validate you, the user, if you
forget your password.
4. Select a security question and type the answer. Your answer is not
case-sensitive.
Reset Your Password from the Sign in Page
Note: This capability may not be available if the user authentication method is set to
LDAP, POP3, or IMAP or if the ability to change passwords has been disabled at the
system level.
If you forget your password or want to reset it, perform the following steps:
1. On the Sign in page, click the Forgot your password or need to create a password? link.
The following screen is displayed.
2. In the Username field, type your email address.
3. Do one of the following:
• If your email address is working and you are already receiving email, select
Email password information to me.
• If your email address is not working, select Email password information to my
Domain Contact.
Your Domain Contact might be your administrator or another person your
administrator defined for your domain within the Control Console. Check with
your administrator on who that person is.
4. Click Next.
If you selected the option for your email, your email application receives an email
momentarily with further instructions. Continue with Step 5.
If you selected the option to email a Domain Contact, that person receives an email
from which the person can reset your password. The person can also forward the
message to an alternative email address you might have. Contact that person for the
password, then try to sign in again. You are finished with this procedure.
5. If you selected the option to email information to you, open the email in your email
application. The email subject line says Control Console Sign in Information.
The email is similar to the following:
6. Click the link in the email. The link is active for only a limited time after the email is
sent (typically, 60 minutes).
7. If you previously had selected a security question, the security question is displayed.
If you had not previously selected a security question, select a question from the
Security Question drop-down menu.
8. Type the answer to the question in the Security Answer field.
9. For the Security Question field, click Change if you need to change the security
question or answer. You must answer this question when you forget your password or
need to reset it.
The Security Question and Security Answer fields are displayed. Select a question
from the Security Question drop-down menu, then type an answer.
10. In the Password field, type a password.
• The password must comply with the following rules:
• Length must be a minimum of 8 characters.
• Alpha, numeric, and special character types are allowed.
• There must be at least one character that differs in character type (alpha, numeric,
or special) from the majority of characters. Thus, if the password contains mostly
alpha characters, then at least one character must be either a special character or
numeric. For example, majordude is invalid, but majordude9 is valid.
left parenthesis ( ( )      ampersand ( & )             right bracket ( ] )
right parenthesis ( ) )     asterisk ( * )              colon ( : )
apostrophe ( ` )            hyphen ( - )                semicolon ( ; )
tilde ( ~ )                 plus sign ( + )             double quotes ( " )
exclamation ( ! )           equals sign ( = )           single quotes ( ' )
@                           bar ( | )                   less than sign ( < )
hash ( # )                  backslash ( \ )             greater than sign ( > )
dollar sign ( $ )           left curly bracket ( { )    period ( . )
percentage sign ( % )       right curly bracket ( } )   question mark ( ? )
caret ( ^ )                 left bracket ( [ )
• Spaces are not allowed.
• Passwords are case-sensitive (for example, "Password", "password", and
"PASSword" would be different passwords).
Make sure you can remember your password, but do not use obvious passwords (for
example, "password", your name, or a family member's name). Keep your password
safe and private.
11. Retype your password in the Confirm Password field.
12. Click Save.
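An added example (not from the guide or from SEG) that checks candidate passwords against the rules in step 10. It assumes the special-character table in the guide is the complete allowed set; the function and constant names are this example's own.

```python
from collections import Counter

MIN_LENGTH = 8
# Special characters copied from the table in the guide. Treating that
# table as the complete allowed set is an assumption of this example.
SPECIALS = set("()`~!@#$%^&*-+=|\\{}[]:;\"'<>.?")


def char_type(ch: str) -> str:
    """Classify one character using the guide's three type names."""
    if ch.isascii() and ch.isalpha():
        return "alpha"
    if ch.isascii() and ch.isdigit():
        return "numeric"
    if ch in SPECIALS:
        return "special"
    return "other"  # spaces and anything not in the table


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means valid."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if " " in password:
        problems.append("contains a space")
    stray = sorted({c for c in password
                    if c != " " and char_type(c) == "other"})
    if stray:
        problems.append("characters outside the allowed types: "
                        + " ".join(repr(c) for c in stray))
    counts = Counter(t for t in map(char_type, password) if t != "other")
    if counts:
        majority, majority_count = counts.most_common(1)[0]
        # "At least one character differs from the majority" fails only
        # when a single type accounts for every classified character.
        if majority_count == sum(counts.values()):
            problems.append(f"all characters are {majority}")
    return problems


if __name__ == "__main__":
    # Constructed candidates; the first two are the guide's own examples.
    for candidate in ("majordude", "majordude9", "12345678",
                      "major dude9", "a1!"):
        print(repr(candidate), "->", check_password(candidate) or "valid")
```

Because any second character type satisfies the majority rule, this check accepts majordude9, the guide's own valid example, after one appended digit.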
3. Check the Status of Email Protection on the Overview
The Overview window provides the following high-level information about the email
traffic to your domain(s) over the previous 24 hours:
• Disaster recovery information
• News and update information
Customer Administrators will see the information for all the Domains in the Customer
where the role was defined. Domain Administrators will see the information for only the
Domain where the role was defined.
1. Click Email Protection > Overview.
The Overview page is displayed with the initial view.
2. Click Display Statistics.
The Overview page is displayed with the complete view.
The sections on the screen provide the following information:
Section – Description
Inbound 24-Hour Snap Shot – This box displays a 24-hour snapshot of inbound email traffic:
• Messages – Number of inbound messages processed
• Avg Size – Average size of inbound messages, including attachments
• Bandwidth – Average bandwidth used by inbound messages
• Viruses – Number of inbound emails that contained viruses
• Spam – Number of inbound emails that were potentially spam
• Quarantined – Total number of inbound emails that were quarantined for any reason, including spam, virus, etc.
Outbound 24-Hour Snap Shot – This box displays a 24-hour snapshot of the Domain's or Customer's outbound email traffic:
• Messages – Number of outbound messages processed
• Avg Size – Average size of outbound messages, including attachments
• Bandwidth – Average bandwidth used by outbound messages
• Viruses – Number of outbound emails that contained viruses
• Quarantined – Total number of outbound emails that were quarantined for any reason, including viruses.
Traffic (Last 24 Hours – {timezone}) – This box shows a graph of traffic volume for the last 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.
Policy Enforcement (Last 24 Hours – {timezone}) – This section shows the percentage of messages that had the different email actions applied (for example, stripped, blocked, tagged, quarantined, cleaned, or normally delivered) over the past 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.
Disaster Recovery Current Status – This section lists domains that are currently in Disaster Recovery. SEG is currently spooling the specified domain's email.
Disaster Recovery Activity (Last 24 Hours) – This box shows how many emails were spooled and unspooled by Fail Safe for all Domains in the indicated Customer during the last 24 hours of the designated time zone.
• Spooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them.
• Unspooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them.
4. Set up Your Servers
This section describes how to ensure your inbound and outbound servers are set up
correctly for Secure Email Gateway (SEG).
Confirm Your Inbound Servers Setup
Secure Email Gateway (SEG) filters email destined for your inbound Simple Mail
Transfer Protocol (SMTP) email server or servers. Your Service Implementation
Manager (SIM) should have already defined one or more SMTP servers in the Control
Console. To confirm that these servers are defined, perform the following steps:
1. Click Email Protection > Setup.
2. From the Domain drop-down menu on the Setup page, select the domain whose
SMTP server you want to check.
The SMTP Host Address field displays the domain name(s) or IP address(es) for the
domain's SMTP server. In our example, domain denver.acme.com has an SMTP
server with a domain name of mail1.denver.acme.com.
The Inbound Servers Setup page is displayed.
3. Make sure the SMTP server(s) listed are valid and correct.
4. Ensure that all other information on the page is correct, and select Save.
5. Repeat steps 2 through 4 for any other domains in your network.
Set up Additional Inbound Servers
You can configure additional inbound servers to receive inbound email from Secure Email
Gateway (SEG) for the designated domain. All servers for a domain that receive inbound
email from Secure Email Gateway (SEG) must be configured on the Inbound Servers
Setup screen.
Any server addresses designated here must be valid and available for connection from
Secure Email Gateway (SEG). After the Save Changes button is clicked, the Secure
Email Gateway (SEG) immediately routes email to the active servers.
1 Click Email Protection > Setup.
2 From the Domain drop-down menu, select the domain whose SMTP server you want
to add.
3 Click Add New Host.
A new set of fields appears for the server
4 In the SMTP Host Address field, type the fully qualified DNS or IP address of the
server host being configured. CIDR notation is not allowed.
If you do not have a registered and valid DNS name for your email servers, you must
enter the IP addresses of each server.
5 In the Port field, type the port on the server to which the Secure Email
Gateway (SEG) will connect. The default value is 25.
6 In the Preference field, type the number indicating order of connection preference
between multiple servers. Secure Email Gateway (SEG) attempts to connect first to
the server with the lowest preference number. If that server is not available (either
down or too busy), Secure Email Gateway (SEG) tries the server with the next lowest
preference number, and so on. If multiple servers have the same preference number,
Secure Email Gateway (SEG) will randomly route the email delivery between them.
7 Click the Active checkbox to allow the server to immediately start accepting email
traffic.
Caution: If all servers are set to inactive, all emails received for this Domain will
be tempfailed.
8 Click Save.
Delete an Inbound Server
To delete an inbound server, perform the following steps:
1 Access the appropriate domain on the Inbound Server Setup screen.
2 Click the Delete checkbox next to the server you want to delete.
3 Click Save.
Add IP Address of Outbound Server, If Necessary
If your service includes Outbound Message filtering, you must identify one or more
outbound mail servers through which your users send outgoing mail. While your outbound
server might use a Domain Name Server (DNS) name within your network (for example,
lewisoutbound.acme.com), you identify the outbound server within Secure Email
Gateway (SEG) with an IP address (for example, 111.222.111.0). Alternatively, you can
specify a Classless Inter-domain Routing (CIDR) address for a range of outbound servers
(for example, 111.222.111.0/27) only. The address must be a public address.
Any server addresses designated here must be valid and available for a connection. After
the Save Changes button is clicked, Secure Email Gateway (SEG) immediately accepts
email traffic from the active servers.
Note: If email is received from an outbound server that is not configured in the Secure
Email Gateway (SEG) system, it will be refused. If no outbound package has been
designated for the selected domain, this window is unavailable.
1 Click Email Protection > Setup > Outbound Servers.
The Outbound Server Setup page is displayed.
2 Click Add New Address, and add the address of the outbound server.
3 Click Save Changes.
4 Record the address listed under Recommended Smart Host Server Settings. You
should use this address to perform the next task, Set up a Smart Host (If Outbound Mail
Defense is Turned on).
Important: You or your network administrator should also do the following before or
immediately after adding your outbound server(s):
• Update Sender Policy Framework (SPF) records on your mail server(s) to ensure
only authorized sources are sending outbound email.
• Scan your network for open relays, viruses and malware.
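The address rules for inbound hosts (FQDN or single IP, no CIDR) and outbound servers (public IP address or CIDR range, no DNS name) can be checked before anything is typed into the Control Console. The following is an added example, not part of the guide or the SEG product; the function names are hypothetical, and "public" is interpreted here as Python's `is_global` test, which is an assumption.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_inbound_host(value):
    """Inbound SMTP Host Address: fully qualified DNS name or one IP address."""
    value = value.strip()
    if "/" in value:
        return "reject: CIDR notation is not allowed for an inbound host"
    try:
        ipaddress.ip_address(value)
        return "ok: IP address"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # At least two labels, and an all-digit last label means a malformed IP.
    if (len(labels) >= 2 and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "ok: DNS name"
    return "reject: not a fully qualified DNS name or IP address"


def check_outbound_address(value):
    """Outbound server: a public IP address or a public CIDR range."""
    value = value.strip()
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "reject: outbound servers are identified by IP address or CIDR range"
    if "/" in value:
        typed = ipaddress.ip_address(value.split("/")[0])
        if typed != net.network_address:
            return f"reject: host bits set, did you mean {net}?"
    # Check both ends so a range straddling private space is caught.
    if not (net.network_address.is_global and net.broadcast_address.is_global):
        return "reject: the address must be a public address"
    return "ok: CIDR range" if "/" in value else "ok: IP address"


if __name__ == "__main__":
    # Constructed inputs; the first four come from the guide's own examples.
    for host in ("mail1.denver.acme.com", "111.222.111.0/27", "mail1"):
        print("inbound ", host, "->", check_inbound_host(host))
    for addr in ("111.222.111.0", "111.222.111.0/27",
                 "lewisoutbound.acme.com", "10.1.2.3", "111.222.111.5/27"):
        print("outbound", addr, "->", check_outbound_address(addr))
```

A private address entered as an outbound server is worth catching early: SEG sees the connection's public source address, so mail from a server listed only by its internal address would be refused.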
Delete an Outbound Server
To delete an outbound server, perform the following steps:
1 Access the appropriate domain on the Outbound Server Setup screen.
2 Click the Delete checkbox next to the server you want to delete.
3 Click Save Changes.
Set up a Smart Host (If Outbound Mail Defense is Turned on)
To ensure that your outbound email is filtered, you must designate, for each of your
outbound mail servers, a Secure Email Gateway (SEG) server as your Smart Host. Your
outbound email is then relayed through Secure Email Gateway (SEG) before continuing
to its final destinations. The outbound Smart Host address is listed at the bottom of the
Outbound Server Setup screen, or you can refer to your SEG Service Launch Guide for
more details.
Note: This task is performed on your outbound email server or servers, on your network
router, or on some other server, depending on your network's configuration.
Add an Outbound Email Disclaimer
You can create and assign text that will be appended to all outgoing emails that are filtered
by Secure Email Gateway (SEG) for the designated domain. For example, you might
want to specify that the email sent from your company is the property of your company
with all rights reserved.
Note: If no outbound package has been designated for the selected Domain, this window
is unavailable.
1 Click Email Protection > Setup > Outbound Servers.
The Outbound Server Setup page is displayed.
2 Click Display disclaimer in outbound email messages.
3 In the Disclaimer Text field, type the text of the disclaimer. A maximum of 1000
characters is allowed.
4 Click Save.
Redirect Your MX Records
The Mail Exchange (MX) record for each of your mail servers is a specification within a
Domain Name Server (DNS Server) operated by your Internet Service Provider (ISP).
Each MX record specifies a host name and preference that determines where and how
your ISP routes your company's email.
Your MX record or records at your ISP must be changed to fully-qualified domain names
(for example, denver.acme.com) within the Secure Email Gateway (SEG) network.
These changes allow Secure Email Gateway (SEG) to filter your email before it arrives at
your company's mail servers.
Your Network Administrator or Domain Registrar is typically the individual responsible
for making these changes.
The information necessary for your company to make these changes is provided in your
SEG Service Launch Guide, which you receive when you first sign up for service.
Set up User Creation Mode — SMTP Discovery or Explicit
Explicit user creation means that you must add user email addresses using one of the
methods that are described later. SMTP Discovery means that users are created
automatically based on SMTP transactions. That is, several incoming email messages to a
user indicate that the user exists for the customer. As a result, Secure Email Gateway
(SEG) creates that user in the Control Console.
SMTP Discovery is the default setting for a new customer, such that at initial startup of
service, users might be created in the Control Console without any administration by you,
the Customer Administrator.
Note: Only messages delivered to recipient email addresses in a primary domain are
counted for the purpose of user creation. Messages sent to recipient email addresses in
alias domains are not counted.
If you use Directory Integration, explicit user creation is highly recommended.
To turn on Explicit User Creation, perform the following steps:
1. Click Email Protection > Setup.
2. Click User Creation Settings.
3. Under the User Creation Mode heading, select Explicit.
4. Click Save.
5. Customize Inbound Mail Filters
Secure Email Gateway (SEG) has default inbound and outbound mail filters to block and
clean malicious email and to quarantine email that might be malicious. The filters are
configured by using policies, which are the parameters for the filters. Default policies are
automatically assigned to each of your domains.
You can customize the default inbound policy for any and each domain, or any and each
group, to fit your business needs.
Create a Custom Policy
1. Click Email Protection > Policies.
2. Click the New button to launch the New Policy screen.
The New Policy Set fields are displayed.
Field – Description
Name – Enter a name for the policy set you are creating. The name should reflect
the name or purpose for the group or groups that you will assign to the
policy.
Owner – The Owner heading indicates who can edit the policy. If the owner is
Customer, only Customer Administrators can edit the policy. If the owner
is Group, then Group Administrators assigned to that group, as well as
Customer Administrators, can view or edit the policy.
Description – Enter a description of the new policy set.
Direction – From the drop-down menu, select the direction of email, inbound SMTP
or outbound SMTP, for which this policy will be configured.
Copy From – From the drop-down menu, select an existing policy set whose settings
you want to copy to the new policy set. Most settings are copied based on
this selection. However, you must choose to copy some settings from the
existing policy separately by selecting the following fields.
Copy Sender Allow List – Click the checkbox to copy the Sender Allow list from the policy set
selected in the Copy From field.
Copy Sender Deny List – Click the checkbox to copy the Sender Deny list from the policy set
selected in the Copy From field.
Copy Recipient Shield List – Click the checkbox to copy the Recipient Shield list from the policy set
selected in the Copy From field.
Copy ClickProtect Allow List – Click the checkbox to copy the ClickProtect Allow list from the policy set
selected in the Copy From field.
3. Click Save.
The Policy Sets list is updated with the new policy. You can now modify the new
policy to meet your business needs.
Configure a Virus Filter
Secure Email Gateway (SEG) uses multiple virus scanning applications to analyze email
to determine if a virus may be present. In your custom policy, you can configure how
Secure Email Gateway (SEG) handles an email that contains a known virus.
Important Note: If an email is detected that contains a wide-spread worm or virus (for
example, SoBig or MyDoom), Secure Email Gateway (SEG) may automatically block
that email, regardless of the settings in your custom policy.
To create a new policy content filter, perform the following steps:
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Virus.
The Actions screen is displayed.
4. Complete the fields as described in the following table.
Field – Description
If a Message Contains a Virus – Select an action SEG should take if an email contains a virus:
• Do nothing – SEG sends the email to the recipient with no filtering
or notification.
— Caution: This action is potentially hazardous because the email
will still contain the virus.
• Quarantine the message after attachment is stripped – Email
Protection strips an infected attachment from the email and sends the
email to quarantine with the message that an attachment had been
stripped. SEG does not send a separate notification to the recipient.
• Strip the attachment – SEG strips the infected attachment from the
email and sends the email to the recipient. SEG inserts text into the
email to notify the recipient that an attachment has been stripped.
• Deny delivery – SEG denies delivery of the email.
• Clean the message – SEG attempts to remove the virus content and
save the remainder of the message. If successful, SEG sends the
email to the recipient with the message that the email had been
cleaned of a virus. If you select this action, you must also select an
action for the If a Message Cannot be Cleaned field.
If a Message Cannot be Cleaned – If you previously selected Clean the message, select an action Email
Protection should take if SEG fails to clean an infected email:
• Quarantine the message after attachment is stripped – The
infected attachment is stripped from the email and the email is sent to
the recipient's virus quarantine area without notification to the
recipient. Text is inserted into the email indicating that an attachment
has been stripped.
• Strip the attachment – The infected attachment is stripped from the
email and the email is sent to the recipient. Text is inserted into the
email notifying the recipient that an attachment has been stripped.
• Deny delivery – The email is denied delivery.
5. Click Save or click on the Notifications under the Virus tab.
Set Secure Email Gateway (SEG) to Notify Users about Emails with Viruses
You can direct Secure Email Gateway (SEG) to send notification emails to the recipient
and/or sender when an email is filtered because it contained a known virus. You can see
the content of notifications and change it in the Notifications tabs. See Define the
Format and Text of Notifications to Users.
Note: Virus notifications will not be sent out for emails that are infected with widespread
viruses or worms (for example, SoBig or MyDoom). These notifications will be
automatically disabled by the Secure Email Gateway (SEG).
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Virus.
4. Click Notifications.
5. Complete the following fields:
Field – Description
To the sender when a message is … due to a virus infection – Select one or more conditions
that will cause Secure Email Gateway (SEG) to send a notification email to the sender.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
• Stripped – The infected attachment was stripped and the email sent
to the recipient.
To the recipient when a message is … due to a virus infection – Select one or more conditions
that will cause Secure Email Gateway (SEG) to send a notification email to the recipient.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
• Stripped – The infected attachment was stripped and the email sent
to the recipient.
Configure a Spam Filter
Secure Email Gateway (SEG) spam filtering uses a large number of filtering processes, as
well as sophisticated statistical classification techniques, as part of its Stacked
Classification Framework® to determine if email is spam. Based on this analysis, SEG
gives each email a score.
• A spam score of .9 to .99999 is considered "medium" likelihood.
If default settings are used, this email is quarantined.
• A spam score of .999999 to .99999999 is considered "high" likelihood.
If default settings are used, this email is denied.
• A spam score of greater than .99999999 is considered "critical" likelihood.
These emails will always be denied.
Note: Occasionally, some emails might be marked as spam when in fact they are
legitimate emails. These "false positive" email messages can be reported to seg-
To configure a spam filter, you can perform the following tasks:
• Define the Action to Take on Spam
• Spam – Content Groups Subtab
• Spam – Reporting Subtab
Define the Action to Take on Spam
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Spam.
The Classification screen is displayed.
4. Complete the following fields:
Field – Description
If a Message is Probably Spam (Medium likelihood) area – Select an action Secure Email
Gateway (SEG) should take if an email has a spam score of 90% or higher:
• Tag the message subject with "[SPAM]" – Secure Email Gateway
(SEG) adds the phrase "[SPAM]" to the beginning of the email's
subject text and sends the email to the recipient.
• Quarantine the message – Secure Email Gateway (SEG) sends
the email to quarantine.
• Deny delivery – SEG denies delivery of the email.
Note: Emails that have the following actions applied will be
reported as Other in the Threats: Spam report.
• Do nothing – Secure Email Gateway (SEG) sends the email to the
recipient with no filtering or notification.
If a Message is Probably Spam (High likelihood) area – Select an action Secure Email
Gateway (SEG) should take if an email has a spam score of 99.9% or higher. These
actions are the same as those for Medium likelihood.
5. Click More Options if you want to enable a Real-time Black Hole List. Otherwise, go
to step 8.
Multiple real-time blackhole lists (RBLs) of known spammers are provided by the
industry, from which Secure Email Gateway (SEG) creates a single RBL indicator to
assess the risk of an email originating from a known spammer. The use of multiple
blackhole lists to create a single vote and rate the reputation of each RBL for accuracy
helps to minimize the possibility of blocking a non-spammer by mistake.
6. If you clicked More Options, click the Enable Real Time Blackhole List (RBL)
checkbox.
Note: You can also block spammers by completing a Sender Deny List under the
policy's Allow/Deny option.
7. Click Save or click on Content Groups under Virus.
Define Additional Words That Indicate Spam
Secure Email Gateway (SEG) spam content filtering controls spam by comparing the
content (subject and body) of an email against predefined lists of keywords and/or phrases
("spam content groups").
You can define a custom spam content group that contains additional lists of keywords
that are used to filter email as spam. For each content group, you also define the action to
take on email that contains a keyword. If the action is to send spam matches to quarantine,
users who receive Spam Quarantine Reports can view the matching messages in the
quarantine.
Note: A spam content group does not analyze the content within attachments.
The action for a content group you define overrides spam actions for Secure Email
Gateway (SEG) default spam filters. For example, if Secure Email Gateway (SEG)
determines that an email has a medium likelihood of being spam and also contains a
keyword that is in your spam content group, the action defined for your spam content
group is applied.
However, if you also define content filtering on the Content – Content Groups screen
(see Configure a Content Filter), that content filter overrides the keyword filtering you
define on the following Spam – Content Groups screen. In addition, spam identified by
the Content – Content Groups filter is accessible only by Quarantine Managers or higher
level administrators. Users cannot view this spam.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Spam.
4. Click Content Groups.
5. Double-click the Content Group you wish to modify.
6. In the Group Name field, type the name of your spam content group.
This name should summarize the kind of keywords you want Secure Email Gateway
(SEG) to look for. For example, you might want to identify musical terms, such as
concert, music, rock, jazz, and so on, as spam.
7. From the Action drop-down menu, select an action to take if an email matches a
keyword:
• None - The email is forwarded to the recipient email address.
• Quarantine the message - The email is sent to the recipient's domain content
quarantine area.
• Deny Delivery - The email is denied delivery.
• Allow - The email is sent to the recipient email address.
Note: The Allow option is useful if you want to override standard Secure Email Gateway (SEG)
spam content filtering for particular keywords.
Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam
report.
• Tag the message subject with "[SPAM]"- The phrase "[SPAM]" is added to the
subject line of the email at the beginning of the subject text and the email is sent to the
recipient email address.
• Encrypt Message- is also available for Outbound content groups, if the Customer has
subscribed to Encryption.
• Silent Copy - allows you to forward a copy of the original message. To send a copy,
select a predefined distribution list from the drop-down.
8. Content – List the content keywords needed to define your Customer Content Group.
In the Content field, type any keywords you want to search for in email. Use the
following rules for entering keywords.
• Each entry must be on its own line (separated by a hard return).
• If an entry contains multiple words, the entire phrase is used as a literal string ("as
is").
• If individual words are desired, each word must be on its own line.
• Letter-case (for example, upper case or lower case) is ignored.
• The wildcards question mark ("?") and asterisk ("*") can be used to designate the
following:
— "?" (without quotes) designates any single character, including white space
characters (for example, menu, space, line break, etc.).
For example, "w?y" would catch "way", "why", and "w y".
— "*" (without quotes) at the end of the string designates multiple characters
until a white space character is encountered.
For example, "refi*" would catch "refinance", "refinancing" and "refine".
— "*" (without quotes) followed by a literal character designates multiple
characters, including white space characters, until the designated character is
encountered.
For example, "refi*d" would catch "refinanced", but would also catch
"refinishing is a great way to save d".
— If the literal asterisk or question mark is desired, it must be preceded by a
backslash (for example, "\*" or "\?").
For example, "why\?" (without quotes) would catch the string "why?" and the
question mark would not be used as a wildcard.
9. Click the Enable checkbox to turn on the spam content group.
10. Click Save for the new spam content group.
11. Click Save for the policy or continue to the Reporting tab.
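The keyword rules in step 8 can be tried out on sample mail before a content group is enabled, which shows how far a mid-string "*" reaches. This is an added example that approximates the documented rules with regular expressions; it is not SEG's own matching code. The function names are hypothetical, and it assumes substring matching and that subject and body are searched separately.

```python
import re


def compile_keyword(entry):
    """Translate one Content-field entry into a case-insensitive regex."""
    parts = []
    i, n = 0, len(entry)
    while i < n:
        ch = entry[i]
        if ch == "\\" and i + 1 < n and entry[i + 1] in "*?":
            parts.append(re.escape(entry[i + 1]))  # \* or \? is a literal
            i += 2
            continue
        if ch == "?":
            parts.append(r"[\s\S]")      # any one character, whitespace included
        elif ch == "*" and i == n - 1:
            parts.append(r"\S*")         # trailing *: runs until whitespace
        elif ch == "*":
            parts.append(r"[\s\S]*?")    # mid-string *: runs, across whitespace,
                                         # until the next part of the entry
        else:
            parts.append(re.escape(ch))  # everything else is literal
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def parse_content_field(text):
    """One entry per line; a multi-word line stays one literal phrase."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def scan(content_field, subject, body):
    """Return (entry, part, matched_text) for each entry's first hit."""
    hits = []
    for entry in parse_content_field(content_field):
        pattern = compile_keyword(entry)
        for part, text in (("subject", subject), ("body", body)):
            match = pattern.search(text)
            if match:
                hits.append((entry, part, match.group(0)))
    return hits


# Constructed sample: a candidate content group and a legitimate message.
CONTENT_FIELD = "refi*d\nlimited time offer\nw?y\nwhy\\?\n"
SUBJECT = "Kitchen update"
BODY = "Refinishing is a great way to save dollars on a remodel."

if __name__ == "__main__":
    for entry, part, text in scan(CONTENT_FIELD, SUBJECT, BODY):
        print(f"{entry!r} matched in {part}: {text!r}")
```

On the constructed message, both "refi*d" and "w?y" fire on ordinary text, which is the false-positive risk to weigh before choosing Quarantine or Deny Delivery for a group.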
Set up Spam Quarantine Reports
When Secure Email Gateway (SEG) scores email and determines that email might be
problematic, but the email is not clearly a security risk, SEG places the email into
quarantine. You can set up quarantine reports so that users can see which of their
messages were filtered and placed in quarantine. You can also determine how much
control users have over these reports, including:
• How reports are formatted.
• How often reports are sent.
• How Spam is filtered.
• What actions users can take on quarantined email.
To set up quarantine reports for users, perform the following steps:
1. Click Email Protection > Policies.
2. Select a policy set for which the quarantine reports will apply.
3. Click Spam > Reporting.
4. Under the Enable Spam Quarantine Reporting for heading, select one of the
following options:
• All users – All user accounts associated with the policy set receive Spam
Quarantine Reports.
Note: Users must be able to log into the Control Console to manage their spam
quarantine areas.
• Selected users – Only those user accounts configured for Spam Quarantine
Reports on the User Management screens receive the reports.
• No users – No users associated with this policy set receive Spam Quarantine
Reports.
5. Under the Default Settings heading, complete the following field:
Field – Description
Frequency – From the Frequency drop-down menu, select how often users
receive Spam Quarantine Reports if they have email in spam
quarantine.
Report Type – From the Report Type drop-down menu, select the content that
each Spam Quarantine Report should contain:
• HTML – All Quarantined – All emails in your spam quarantine
area are listed in the Spam Quarantine Report.
• HTML – New Items Since Last Report – Only those emails
received since the previous Spam Quarantine Report are listed in
the Spam Quarantine Report.
• Text – Summary – A text-only email notification is sent to you
with a link to your spam quarantine, instead of the Spam
Quarantine Report. This option supports users with email
applications that do not support HTML content.
• Text – New Items Since Last Report – A text-only email report is
sent to you that indicates how many new emails have been
quarantined as spam since the last report and the total number of
spam emails in your spam quarantine. The report also lists the
email messages that have been quarantined since the last report.
HTML Format – From the HTML Format drop-down menu, select one of the
following:
• HTML with Actions – The links Allow, Deny, and Release are
enabled in the Spam Quarantine Reports.
• HTML without Actions – The links Allow, Deny, and Release are
disabled in the Spam Quarantine Reports. Users must log into the
Control Console to perform these actions.
Note: This field is ignored if the Report Type field is set to
Text-only Summary.
6. Under the Spam Quarantine Report Security Settings heading, complete the
following fields:
Field – Description
Report Links – From the Report Links drop-down menu, select the number of days
after which the links in the Spam Quarantine Report become
inactive.
A low value may not give the users enough time to review their
Spam Quarantine Report and perform any spam management. A
high value might increase the security risk of unauthorized access
into the Control Console using an old Spam Quarantine Report.
Restrict user rights when accessing quarantine from spam quarantine report – Click the
checkbox so that administrator-level users will be logged
in with role of User when accessing the Spam Quarantine Reports.
If you leave the checkbox blank, administrator-level users will be
logged as their administrative role.
Note: Selecting this option is recommended to provide additional
security for the Control Console. This option applies to all
administrative levels, including Reseller Administrators, Customer
Administrators, Domain Administrators, Quarantine Managers,
and Reports Managers.
7. Under the Other Options heading, select any or all of the following options:
Field – Description
Allow users to personalize spam filtering actions – Click the checkbox to allow users to
customize actions that Secure Email Gateway (SEG) takes on email that is likely to be
spam. Users actually select the actions on spam from the Preferences screen on the
Control Console.
Allow users to personalize delivery frequency – Click the checkbox to allow users to
change the frequency with which they receive Spam Quarantine Reports. Users select the
frequency of reports from the Preferences screen on the Control Console.
Allow users to personalize report type – Click the checkbox to allow users to change the
default settings you set in the Report Type field on this screen. Users can change the
Report Type from the Preferences screen on the Control Console.
Allow users to "opt out" of spam filtering – Click the checkbox to allow users to turn
filters for spam on or off. Users can turn off spam filtering from the Preferences screen
on the Control Console.
Enable "Always Deny" shortcut from spam quarantine report – Click the checkbox to enable
the Always Deny link in user's Spam Quarantine Reports, the Message Quarantine windows,
and the Safe Message View window.
If you leave the checkbox blank, users must go to the Allow/Deny Sender
Lists window to change their Allow or Deny lists.
Show spam score on spam quarantine report – Click the checkbox to display the spam
likelihood score for each quarantined message in the Spam Quarantine Reports.
Allow users to download Spam Control For Outlook® – Click the checkbox to display a link
in Spam Quarantine Reports, from which users can download the Spam Control For Outlook
utility. The location from which the utility is downloaded is configured in the
Branding Settings window.
Note: This feature can be enabled or disabled at the system level.
Allow non-admin users to sign in directly to the Control Console – Click the checkbox to
allow users to log into the Control Console using the Sign in window.
Note: This feature does not affect the ability of users to log in by clicking
a link in a Spam Quarantine Report. If Control Console access is not
enabled and users do not receive the Spam Quarantine Report, the
Quarantine Manager or higher level roles must perform any changes to
the user settings, maintenance of the users' spam quarantine, etc.
Display message content in Safe Message View – Click the checkbox to allow users to view
the body content of an email in the Safe Message View window.
If you leave the checkbox blank, the user must release the email to see
what it contains in the body content.
Display user email addresses in spam quarantine report – Click the checkbox to enable the
view of user addresses in the HTML SQR report so that users do not have to scroll through
multiple addresses before they get to the quarantine items.
Allow users to configure alternate email address for spam report delivery – Click the
checkbox to allow users to choose an alternate email address to reroute their Spam
Quarantine Report if needed. Users may go to Account
Management > User > Preferences to add their email alternate.
Alert! – Please be advised that redirecting a user's SQR allows the chosen
alternate recipient to have full access to their Control Console account,
including access to that user's Preferences. Therefore, please encourage
the user to choose their alternate email address carefully.
8. Click Save.
Configure a Content Filter
You can create a custom content filter. The content filter does the following:
• Blocks or quarantines the email that contains prohibited keywords.
• Notifies the sender or recipient when an email has been quarantined or blocked.
• Blocks HTML malicious tags or prohibited images.
• Manages the ability for users to click on links in email.
Note: Content filtering does not analyze the content within attachments.
Note: You also define content filtering on the Spam – Content Groups screen (see
Configure a Spam Filter); the Content – Content Groups filter overrides the keyword
filtering you define on the Spam – Content Groups screen. In addition, spam identified
by the Content – Content Groups filter is accessible only by Quarantine Managers or
higher level administrators. Users cannot view this spam.
Note: Due to the nature of the content filtering, the screen images may contain offensive
material.
To create a new policy content filter, perform the following steps:
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Content.
The Content Groups screen is displayed, showing the default content groups.
• Profanity
• Racially Insensitive
• Sexual Overtones
You cannot change the keywords in these groups.
The Content Group Policy fields are displayed.
Secure Email Gateway (SEG) also provides predefined content groups that contain valid
and acceptable personal identifiable information that is allowed in email messages due
to specific policies. You cannot edit these content groups, but can designate whether or
not they are used. Following are the two types of predefined content groups:
• Credit Card Number
• Social Security Number
The Credit Cards that are supported include AMEX, VISA, MC, and DISC.
Note: Credit Card Numbers and Social Security Numbers can be represented or formatted in
various ways and Secure Email Gateway (SEG) may not be able to capture all
messages that contain this information.
More Options...
If a Customer or Domain subscribes to Email Encryption, then selecting this option can be
used to enforce Email Encryption if the outbound message contains the word '[encrypt]'.
The word, [encrypt] can reside in the message subject line or the body of the outbound
message.
Note: This option is only available on the Outbound Policy Content Group page.
1. Click Edit or double-click your selected Content Group. The following fields are
available:
• Group Name – This defaults to the name of your selected group.
• Content – This field is disabled for Content Groups.
2. From the drop-down Action list, select the action to apply to the Content Group:
• None - The email is forwarded to the recipient email address.
• Quarantine the message - The email is sent to the recipient's domain content
quarantine area.
• Deny Delivery - The email is denied delivery.
• Allow - The email is sent to the recipient email address.
• Tag the message subject with "[SPAM]" - The phrase "[SPAM]" is added to the
subject line of the email at the beginning of the subject text and the email is sent to
the recipient email address.
• Encrypt Message - This action is also available for Outbound content groups, if the
Customer has subscribed to Encryption.
3. Silent Copy allows you to forward a copy of the original message. To send a copy,
select a predefined distribution list from the drop-down.
4. Click Save.
Turn Off a Default Content Filter
You can deactivate any of the Secure Email Gateway (SEG) default content filters if you
want to allow email containing those keywords to be delivered or you want to replace the
list of keywords with your own list.
Note: Instead of turning off the content filter, you can also choose the action None for the
filter. In this case, Secure Email Gateway (SEG) filters email, but delivers matching email
to users with no other notifications or marking.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Content.
The Content Groups screen is displayed, showing the default content groups.
• Profanity
• Racially Insensitive
• Sexual Overtones
4. Double-click one of the default content groups.
5. Uncheck the Enable checkbox.
6. Click Save.
Custom Content Group
The Custom Content Groups subtab allows customers to define their own custom
content keyword groups and assists in monitoring their email. By configuring a Content
Group, the customer can determine how the system reacts if it receives an email that
contains text that violates that content policy. Customers can also define a different action
for each content group.
Note: If the content group is enabled, then email will be filtered for that content.
1. Click New or double-click your selected Custom Content Group, and perform the
following:
2. Group Name: Select the field and type the name of your Custom Content Group.
3. Content: List the content keywords needed to define your Custom Content Group.
In the Content field, type any keywords you want to search for in email. Use the
following rules for entering keywords.
• Each entry must be on its own line (separated by a hard return).
• If an entry contains multiple words, the entire phrase is used as a literal string ("as
is").
• If individual words are desired, each word must be on its own line.
• Letter-case (for example, upper case or lower case) is ignored.
• The wildcards question mark ("?") and asterisk ("*") can be used to designate the
following:
— "?" (without quotes) designates any single character, including white space
characters (for example, menu, space, line break, etc.).
For example, "w?y" would catch "way", "why", and "w y".
— "*" (without quotes) at the end of the string designates multiple characters
until a white space character is encountered.
For example, "refi*" would catch "refinance", "refinancing" and "refine".
— "*" (without quotes) followed by a literal character designates multiple
characters, including white space characters, until the designated character is
encountered.
For example, "refi*d" would catch "refinanced", but would also catch
"refinishing is a great way to save d".
— If the literal asterisk or question mark is desired, it must be preceded by a
backslash (for example, "\*" or "\?").
For example, "why\?" (without quotes) would catch the string "why?" and the
question mark would not be used as a wildcard.
Caution: It is possible to create wildcard combinations that will filter valid email,
including all email, and/or will substantially slow email processing. Be very careful if you
use wildcards to ensure that only the desired content is filtered.
4. From the Action drop-down menu, select an action to take if an email matches a
keyword:
• None - The email is forwarded to the recipient email address.
• Quarantine the message - The email is sent to the recipient's domain content
quarantine area.
• Deny Delivery - The email is denied delivery.
• Allow - The email is sent to the recipient email address.
Note: The Allow option is useful if you want to override standard Secure Email Gateway (SEG)
spam content filtering for particular keywords.
Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam
report.
• Tag the message subject with "[SPAM]" - The phrase "[SPAM]" is added to the
subject line of the email at the beginning of the subject text and the email is sent to the
recipient email address.
• Encrypt Message - This action is also available for Outbound content groups, if the
Customer has subscribed to Encryption.
• Silent Copy - allows you to forward a copy of the original message. To send a copy,
select a predefined distribution list from the drop-down.
5. Click the Enable checkbox to turn on the spam content group.
6. Click Save for the new spam content group.
7. Click Save for the policy or continue to the Notifications tab.
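The keyword rules in step 3, as an added example (not SEG code) that translates Content entries into regular expressions and dry-runs a list against known-good mail before the group is enabled. Substring matching, the sample keyword list and messages, and all function names are assumptions of this sketch.

```python
import re


def keyword_to_regex(entry):
    """Translate one Content-field entry into a compiled regex using the guide's rules."""
    parts, i, n = [], 0, len(entry)
    while i < n:
        ch = entry[i]
        if ch == "\\" and i + 1 < n and entry[i + 1] in "*?":
            parts.append(re.escape(entry[i + 1]))  # \* or \? is a literal character
            i += 2
            continue
        if ch == "?":
            parts.append(".")        # any single character, whitespace included
        elif ch == "*" and i == n - 1:
            parts.append(r"\S*")     # trailing *: run until a whitespace character
        elif ch == "*":
            parts.append(".*?")      # inner *: run, across whitespace, until the next character
        else:
            parts.append(re.escape(ch))
        i += 1
    # IGNORECASE: letter-case is ignored. DOTALL: "?" and inner "*" also cross line breaks.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def parse_content_field(text):
    """One entry per line. Skipping blank lines is an assumption of this sketch."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_keywords(content_field, known_good):
    """Map each entry to the indexes of known-good messages it would catch."""
    report = {}
    for entry in parse_content_field(content_field):
        rx = keyword_to_regex(entry)
        report[entry] = [i for i, msg in enumerate(known_good) if rx.search(msg)]
    return report


def overbroad_entries(report, total):
    """Entries that catch every known-good message, i.e. would filter all email."""
    return [entry for entry, hits in report.items() if total and len(hits) == total]


# Constructed keyword list, in the format typed into the Content field.
CONTENT_FIELD = r"""refi*
refi*d
w?y
why\?
free money
*"""

# Constructed samples of legitimate mail.
KNOWN_GOOD = [
    "Quarterly report attached. Please review by Friday.",
    "We are refinishing the lobby floor; deliveries are moved to dock B.",
    "Why was the invoice late? It is paid now.",
]

if __name__ == "__main__":
    result = audit_keywords(CONTENT_FIELD, KNOWN_GOOD)
    for entry, hits in result.items():
        print(f"{entry!r:14} catches known-good messages {hits}")
    print("filters everything:", overbroad_entries(result, len(KNOWN_GOOD)))
```

Any entry that catches known-good mail deserves a second look before its action is set to Quarantine or Deny Delivery; an entry reported by `overbroad_entries` is the "including all email" case from the Caution above.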
Notify Users about Spam Content
You can direct Secure Email Gateway (SEG) to send notification emails to the recipient
and/or sender when an email is filtered because it contained spam content. You can see
the content of notifications and change it in the Notifications tabs. See Define the
Format and Text of Notifications to Users.
Note: Virus notifications will not be sent out for emails that are infected with widespread
viruses or worms (for example, SoBig or MyDoom). These notifications will be
automatically disabled by the Secure Email Gateway (SEG).
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Content.
4. Click Notifications.
Complete the following fields:
Field: To the sender when a message is … due to a content group violation
Description: Select one or more conditions that will cause Secure Email Gateway
(SEG) to send a notification email to the sender.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
Field: To the recipient when a message is … due to a content group violation
Description: Select one or more conditions that will cause Secure Email Gateway
(SEG) to send a notification email to the recipient.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
Configure a Filter for HTML, Java Script, ActiveX, and Spam Beacons
You can configure how Secure Email Gateway (SEG) filters email for HTML
attachments or various forms of HTML coding within email.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Content.
4. Click HTML Shield.
5. Under HTML Shield Protection, select one of the following options:
Field: Low
Description: Select this option to remove only malicious HTML tags from the email
and forward the email to the recipient. Text is added to the email to
indicate that HTML content was removed.
Field: Medium
Description: Select this option to remove the following HTML content from the email
and forward the email to the recipient:
• Malicious HTML tags
• HTML comments and attributes
• All Java, JavaScript, and ActiveX code
Text is added to the email to indicate that HTML content was removed.
Field: High
Description: Select this option to remove all HTML content, including scripts as in the
Medium option, from the email and to forward the email to the recipient.
Text is added to the email to indicate that HTML content was removed.
Field: None
Description: Select this option to not perform HTML filtering on email.
6. Under Options for Low and Medium Setting, click the checkbox Enable spam
"beacon" and web bug blocking to block spam beacons and web bugs.
A spam beacon can reveal user activity to spammers while flagging the recipient's
address as active. A Web bug is any one of a number of techniques used to track who
is reading a Web page or e-mail, when, and from what computer. A Web bug can also
be used to see if an e-mail was read or forwarded to someone else, or if a Web page
was copied to another Website.
Note: This option is available only if you picked the Low or Medium options for
HTML filtering.
7. Click the checkbox Replace all image links with a default transparent image to
eliminate objectionable images in email.
This option replaces links to images in email with links to an image with one transparent
pixel.
Note: This option is available only if you picked the Low or Medium options for
HTML filtering.
8. Click Save or continue to ClickProtect.
Configure Web Hyperlink Filters (ClickProtect)
You can configure whether Web hyperlinks in email are blocked or can be clicked and
followed by the user. You can also designate a ClickProtect Allow List of URL addresses
that are excluded from the ClickProtect processing (for example, your corporate URLs).
As another option, you can set tracking of links that are clicked so that they are reported in
the ClickProtect: Click Log Report.
Caution: ClickProtect only processes links in emails with accepted message formats,
which include HTML or Rich Text.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Content.
4. Click ClickProtect.
5. Click one of the following options:
• Disable ClickProtect — Disables this feature completely and allows users to
click and access Web hyperlinks in the emails without logging information in the
system.
• Display warning message before redirecting — Displays a dialog box with a
customizable warning message. Users can then either stop the click-through
process or continue to the Web site.
• Display warning message and deny click-throughs — Displays a dialog box
with a customizable warning message and does not allow users to continue with
the click-through process.
6. If you clicked one of the last two options above, overtype the text in the Warning
Message text box. You can also leave the default text if desired.
7. In the Allow URL or IP field, type URL or IP addresses that you want to allow users
to access and bypass ClickProtect processing.
The following values are allowed:
• IP Address — Complete address (for example, 10.10.10.1) or partial address with
wildcards (for example, 10.10.10.*).
• Domain Name — Qualified domain name (for example, xyz.com) or subdomains
(for example, *@*.xyz.com denies emails from any subdomain of the XYZ
domain, such as [email protected]). If you know you want to allow all emails
from this domain, then use this option instead of typing in each email address
associated with the domain. The following list provides some examples of
allowable URLs.
— www.domainname.com
— www.domainname.n*
— www.domainname.*
— www.domainname.example.com
— www.domainname.*.com
— www.domainname.xxx.xxx.xxx.xxx.com
— domainname.com
The following are not accepted in domain names:
— http://
— slashes
— IP addresses.
8. Click Add.
The value is added to the list box.
Note: (This step is only available to certain user roles, when a user-defined policy set
is selected.) If you want to include the values listed for the Default Inbound policy set,
select the check box located beneath the list.
Upload a List of Allowed URLs
You can create a list of allowed URLs and upload that list to the Control Console. To
upload a list, perform the following steps:
1. Create a file with a predefined list of URLs. The predefined list must be in the
following format:
• Must be a text file
• One entry per line
• File must be available for your browser to access
2. On the ClickProtect screen, click More Options.
Additional fields are displayed.
3. To upload the file, click Browse next to the Upload List field and locate the file.
4. Click Upload Allow List.
The contents are added to the ClickProtect Allow List box.
5. Click Save.
Download a List of Allowed URLs from the Control Console
If you want to download the list of allowed URLs to your local drive, click Download
ClickProtect Allow List. The downloaded list is a file in CSV format. You can open it in
Microsoft Excel.
Define an Attachment Filter
You can create a custom attachment filter. You can filter email for attachments based on
the following criteria:
• Filter by Attachment File Types, including file size.
• Filter by Attachment File Name
• Filter Zip File Attachments
Filter by Attachment File Types
To filter email by file type, you must define the following:
• What file types are allowed to be received
• File size restrictions on the allowed file types
• The email action that will be used if an email violates any of the file type attachment
policies
To create a new policy content filter, perform the following steps:
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Attachments.
The Attachments: File Types screen is displayed.
4. For each file type in the Allowed Attachment Types section, select one of the
following options from the drop-down menu:
• Disallow — All email containing this file type are blocked.
• A file size, such that an email with a file of this file type that exceeds the file size
is blocked.
— Max 500 KB
— Max 1 MB
— 2 MB
— 5 MB
— 10 MB
— 15 MB
• Any size — Email with this file type is allowed and delivered.
Note: By default, each listed attachment file type is allowed unless you specifically
select it to be disallowed, except for the types Executables and Scripts. These two
file types are relatively easy to self-invoke from an email, and thus increase the
security risk of a self-running virus or worm.
The following table lists the file extensions associated with each file type:
File Type: Example File Extensions
Microsoft Word Documents: *.doc, *.dot, *.rtf, *.wiz
Microsoft Powerpoint Documents: *.pot, *.ppa, *.pps, *.ppt, *.pwz
Microsoft Excel Documents: *.xla, *.xlb, *.xlc, *.xlk, *.xls, *.xlt, *.xlw
Microsoft Access Files: *.adp, *.ldb, *.mad, *.mda, *.mdb, *.mdz, *.snp
Other Microsoft Office Files: *.cal, *.frm, *.mbx, *.mif, *.mpc, *.mpd, *.mpp, *.mpt, *.mpv, *.win, *.wmf
Adobe Acrobat (PDF) Files: *.abf, *.atm, *.awe, *.fdf, *.ofm, *.p65, *.pdd, *.pdf
Macintosh Files: *.a3m, *.a4m, *.bin, *.hqx, *.rs_
Compressed or Archived Files: *.arj, *.bz2, *.cab, *.gz, *.gzip, *.jar, *.lah, *.lzh, *.rar, *.rpm, *.tar, *.tgz, *.z, *.zip
Audio Files: *.aff, *.affc, *.aif, *.aiff, *.au, *.m3u, *.mid, *.mod, *.mp3, *.ra, *.rmi, *.snd, *.voc, *.wav
Video/Movie Files: *.asf, *.asx, *.avi, *.lsf, *.lsx, *.m1v, *.mmm, *.mov, *.movie, *.mp2, *.mp4, *.mpa, *.mpe, *.mpeg, *.mpg, *.mpv2, *.qt, *.vdo
Image Files: *.art, *.bmp, *.dib, *.gif, *.ico, *.jfif, *.jpe, *.jpeg, *.jpg, *.png, *.tif, *.tiff, *.xbm
Executables: (Note: This file type defaults to Disallow.) *.bat, *.chm, *.class, *.cmd, *.com, *.dll, *.dmg, *.drv, *.exe, *.grp, *.hlp, *.lnk, *.ocx, *.ovl, *.pif, *.reg, *.scr, *.shs, *.sys, *.vdl, *.vxd
Scripts: (Note: This file type defaults to Disallow.) *.acc, *.asp, *.css, *.hta, *.htx, *.je, *.js, *.jse, *.php, *.php3, *.sbs, *.sct, *.shb, *.shd, *.vb, *.vba, *.vbe, *.vbs, *.ws, *.wsc, *.wsf, *.wsh, *.wst
ASCII Text Files: *.cfm, *.css, *.htc, *.htm, *.html, *.htt, *.htx, *.idc, *.jsp, *.nsf, *.plg, *.txt, *.ulx, *.vcf, *.xml, *.xsf
Postscript Files: *.cmp, *.eps, *.prn, *.ps
All Other Files: Any file extensions that are not included in the other file types
5. In the Action to take for Disallowed Attachments section, select one of
the following options:
• Do nothing – Secure Email Gateway (SEG) sends the email to the recipient with
no filtering or notification.
• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.
• Strip the attachment – Secure Email Gateway (SEG) strips the attachment from
the email and the email is sent to the recipient. Text is inserted into the email
notifying the recipient that an attachment has been stripped.
• Quarantine the message – Secure Email Gateway (SEG) sends the email to
quarantine.
6. Click Save or continue to the Filename tab.
Filter by Attachment File Name
You can create a custom filter to filter email for specific file names. This filter overrides any
conflicting file type policies you may have defined.
To define a filter for attachment file name, perform the following steps:
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Attachments.
The Attachments: File Types screen is displayed.
4. Click Filename Policies.
The Filename Policies screen is displayed.
5. Click New.
The New Attachment Filename Policy section is displayed.
6. From the Filter drop-down menu, select one of the following:
• Is – Secure Email Gateway (SEG) filters for file names that have an exact match
to the text in the Value field. For example, if you want to filter for the file name
config.exe and no others, you must select Is and then type config.exe in the Value
field. For this example, the Is option has the meaning "File name IS config.exe."
• Contains – Secure Email Gateway (SEG) filters for file names that contain the
text in the Value description anywhere within the filename string. For example, if
you want to filter for any file that contains config in its name, like postconfig or
config.ini, select this option.
• Ends with – Secure Email Gateway (SEG) filters for file names that end with
the text in the Value description. For example, if you want to filter for any
executable files ending with .exe, select this option.
7. In the Value field, type the name or partial name with which Secure Email Gateway
(SEG) should search incoming email. For example, if you want Secure Email
Gateway (SEG) to search for any file containing the text config, type config.
8. From the Action drop-down menu, select one of the following options:
• Do nothing – Secure Email Gateway (SEG) sends the email to the recipient with
no filtering or notification.
• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.
• Strip the attachment – Secure Email Gateway (SEG) strips the attachment from
the email and the email is sent to the recipient. Text is inserted into the email
notifying the recipient that an attachment has been stripped.
• Quarantine the message – Secure Email Gateway (SEG) sends the email to
quarantine.
9. Ignore the Silent Copy drop-down list. No silent copy will be sent.
10. Click Save to save the new filename filter.
11. Click Save for the policy or continue to the Additional Policies tab to filter for zip
file attachments.
Filter Zip File Attachments
You can create a custom filter for zipped file or compressed file attachments. These
policies are ignored unless the Compressed or Archived Files filetype is allowed in the
Attachments: File Types screen.
To define a filter for attachment file name, perform the following steps:
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Attachments.
The Attachments: File Types screen is displayed.
4. Click Additional Policies.
The Additional Attachment Policies screen is displayed.
5. From the Message contains high-risk attachment drop-down menu, select one of the
following options:
• Allow delivery – Secure Email Gateway (SEG) sends the email to the
recipient with no filtering or notification.
• Quarantine the message – Secure Email Gateway (SEG) sends the email to
quarantine.
• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.
This action applies if an email has an attachment that is a zipped file and that violates
any of the following rules:
• The zip file itself is too large ( > 500MB).
• A file contained in the zip file is too large ( > 100MB).
• The zip file contains too many files ( > 1500 files).
• The compression rate is too high ( > 95% compressed).
• The zip file contains too many levels of nesting ( > 3 levels).
6. From the Message contains an encrypted zip attachment drop-down menu, select
one of the following options:
• Allow delivery – Secure Email Gateway (SEG) sends the email to the
recipient with no filtering or notification.
• Quarantine the message – Secure Email Gateway (SEG) sends the email to
quarantine.
• Deny delivery – Secure Email Gateway (SEG) denies delivery of the email.
The action applies if an email message has an attachment that is a zipped file and is
encrypted and password-protected. This format is commonly used to prevent scanning
for viruses in zipped files.
7. From the File in zip attachment violates attachment policy drop-down menu,
select one of the following options.
• Attachment policy action – The action for the specific policy that was violated
will be performed on the entire attachment. If multiple policies were violated, the
policies defined in the Attachment – Filename Policies subtab override the
policies defined in this subtab.
• Do nothing – The email is sent to the recipient with no filtering applied.
The action applies if an email that has an attachment that is a zipped file and the
zipped file contains files that violate the previously-defined filters for attachments.
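The high-risk and encrypted-zip rules from steps 5 and 6, written as a pre-check over an archive's central directory so nothing large is ever inflated. This is an added example, not SEG's implementation: the rule names, applying the compression rule per contained file, counting the attachment itself as nesting level 1, reading "MB" as 1024*1024 bytes, and the constructed samples are all assumptions.

```python
import io
import zipfile

# Thresholds quoted from the guide. Reading "MB" as 1024*1024 bytes is an assumption.
LIMITS = {
    "archive_bytes": 500 * 1024 * 1024,  # the zip file itself
    "member_bytes": 100 * 1024 * 1024,   # any single contained file
    "files": 1500,                       # number of contained files
    "ratio": 0.95,                       # fraction of the original size removed
    "nesting": 3,                        # zip-inside-zip levels
}


def inspect_zip(data, limits=LIMITS, depth=1, findings=None, counter=None):
    """Return the sorted rule names violated by the zip held in `data` (bytes).

    Sizes come from the central directory; only members that begin with a
    zip signature are read, and those reads are capped at the member limit.
    """
    findings = set() if findings is None else findings
    counter = {"files": 0} if counter is None else counter
    if depth > limits["nesting"]:
        findings.add("nesting")
        return sorted(findings)
    if depth == 1 and len(data) > limits["archive_bytes"]:
        findings.add("archive_bytes")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.add("unreadable")
        return sorted(findings)
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            counter["files"] += 1
            if counter["files"] > limits["files"]:
                findings.add("files")
            if info.flag_bits & 0x1:       # bit 0 of the general-purpose flags: encrypted
                findings.add("encrypted")  # contents cannot be scanned
                continue
            if info.file_size > limits["member_bytes"]:
                findings.add("member_bytes")
                continue                   # never inflate an oversized member
            if info.file_size and 1 - info.compress_size / info.file_size > limits["ratio"]:
                findings.add("ratio")
            with zf.open(info) as fh:
                head = fh.read(4)
                if head != b"PK\x03\x04":  # not a nested zip
                    continue
                inner = head + fh.read(limits["member_bytes"])
            inspect_zip(inner, limits, depth + 1, findings, counter)
    return sorted(findings)


def make_zip(members, stored=False):
    """Build a zip in memory from {name: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nest(data, wrappers):
    """Wrap `data` in `wrappers` additional zip layers."""
    for i in range(wrappers):
        data = make_zip({f"layer{i}.zip": data}, stored=True)
    return data


def mark_encrypted(data):
    """Set the encrypted flag bit in the first central-directory entry (sample only)."""
    patched = bytearray(data)
    patched[patched.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(patched)


# Constructed samples.
BENIGN = make_zip({"notes.txt": b"meeting moved to 10:00"}, stored=True)
SAMPLES = {
    "benign": BENIGN,
    "highly compressed": make_zip({"zeros.bin": b"\0" * 1_000_000}),
    "four zip levels": nest(BENIGN, 3),
    "encrypted flag": mark_encrypted(BENIGN),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:18} -> {inspect_zip(blob) or 'ok'}")
```

The "encrypted" finding corresponds to the separate Message contains an encrypted zip attachment setting; the other findings correspond to the high-risk list in step 5.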
Notify Users about Attachment Violations
You can direct Secure Email Gateway (SEG) to send notification emails to the recipient
and/or sender when an email is filtered because it contained an attachment violation. You
can see the content of notifications and change it in the Notifications tabs. See Define the
Format and Text of Notifications to Users.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Attachments.
4. Click Notifications.
5. Complete the following fields:
Field: To the sender when a message is … due to an attachment policy violation
Description: Select one or more conditions that will cause Secure Email Gateway
(SEG) to send a notification email to the sender.
• Quarantined – The email that contained an attachment violation was
quarantined.
• Denied delivery – The email that contained an attachment violation
was denied delivery.
• Stripped – The infected attachment was stripped and the email sent to
the recipient.
Field: To the recipient when a message is … due to an attachment policy violation
Description: Select one or more conditions that will cause Secure Email Gateway
(SEG) to send a notification email to the recipient.
• Quarantined – The email that contained an attachment violation was
quarantined.
• Denied delivery – The email that contained an attachment violation
was denied delivery.
• Stripped – The violating attachment was stripped and the email sent to
the recipient.
6. Click Save.
Allow or Deny Email to or from Specific Addresses
You can define lists of sender email addresses, domain names, or IP addresses whose
email is always delivered to your users, or conversely, whose email is always denied
delivery. In addition, you can define lists of recipient email addresses that are always
denied receiving email.
The Sender Allow and Sender Deny lists are used in combination with the user-level
Allow and Deny lists that can be defined for specific user accounts. In the case of a
conflicting entry (for example, the same email address is in the user-level Allow list and
the Sender Deny list at the policy set level), the lists defined in these tabs override the
user-level lists.
The allowed maximum of items for each list is defined at the system level and may vary
for different installations of Secure Email Gateway (SEG).
Allow Email from a Specific Address
You can define a list of sender addresses whose email will always be accepted without
email filtering. The exception is that virus filtering is always applied if licensed for that
policy set, unless overridden by the user-level policy configurations. In addition, the user-
level Deny list will override the policy set-level Sender Allow list.
You can add individual addresses one at a time or you can add them with a batch file. See
Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Allow/Deny.
The Sender Allow screen is displayed.
4. In the Add Address field, type the address of a sender whose email should be
delivered without filtering.
The following values are allowed in the list entries:
• Email addresses – Complete sender email address or partial address with
wildcards (for example, "[email protected]" or "g*@domain.com")
• Domain names – Complete domain name or partial name with wildcards (for
example, "domain.com")
• IP addresses – Complete IP address or partial address with wildcards (for
example, "123.123.12.3" or "123.123.12.*")
Note: CIDR notation is not allowed. Each IP address must be designated separately.
5. Click Add.
The address is added to the allowed address box on the right.
6. Repeat steps 4 and 5 for each address you want to add.
7. Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient
Shield List.
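Because the list does not accept CIDR notation, a range has to be rewritten before it is typed into Add Address. The following added sketch (not part of the guide or the product) converts IPv4 CIDR blocks into complete addresses or last-octet wildcard entries of the kind shown above; using the wildcard only in the last octet, the 256-entry cap, the sample input and the function names are assumptions of this example.

```python
import ipaddress

MAX_ENTRIES = 256  # hypothetical safety cap for this example, not a product limit


def cidr_to_entries(cidr, max_entries=MAX_ENTRIES):
    """Expand an IPv4 CIDR block into complete addresses or 'a.b.c.*' entries."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects blocks with host bits set
    if net.version != 4:
        raise ValueError("only IPv4 entry formats are shown in the guide")
    if net.prefixlen <= 24:
        count = 2 ** (24 - net.prefixlen)          # one wildcard entry per /24
    else:
        count = net.num_addresses                  # one entry per address
    if count > max_entries:
        raise ValueError(f"{cidr} needs {count} entries; narrow the range first")
    first = int(net.network_address)
    if net.prefixlen <= 24:
        return [str(ipaddress.IPv4Address(first + 256 * k)).rsplit(".", 1)[0] + ".*"
                for k in range(count)]
    return [str(ipaddress.IPv4Address(first + k)) for k in range(count)]


def prepare_allow_list(lines):
    """Return list-ready entries: CIDR blocks expanded, blanks and duplicates dropped."""
    entries = []
    for raw in lines:
        item = raw.strip()
        if not item:
            continue
        expanded = cidr_to_entries(item) if "/" in item else [item]
        for entry in expanded:
            if entry not in entries:
                entries.append(entry)
    return entries


# Constructed input, as it might arrive from a partner's network team.
REQUESTED = ["partner.example", "192.0.2.0/24", "203.0.113.8/30", "192.0.2.*", ""]

if __name__ == "__main__":
    for entry in prepare_allow_list(REQUESTED):
        print(entry)
```

Every entry on the Sender Allow list is accepted without email filtering other than virus filtering, so a block that trips the cap is a reason to ask for a narrower range rather than to raise the cap.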
Sender Policy Framework (SPF)
You are able to whitelist a specific email address or domain and assign an SPF check to that
address. Subsequent mail coming from the whitelisted domain is then checked against
SPF records. Should the SPF check fail, the mail is denied.
The following conditions apply to an SPF verification:
• If the record can be verified, then content and spam filtering is skipped for the
sender's inbound messages.
• If the record cannot be verified, then filtering is not skipped for the sender's inbound
messages.
Note: If a sender on the allow list does not have an SPF record, the inbound message is still
allowed.
Deny Email from a Specific Address
You can define a list of sender addresses whose email will always be denied regardless of
email filtering. This Deny list overrides the user-level Allow list.
You can add individual addresses one at a time or you can add them with a batch file. See
Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Allow/Deny.
The Sender Allow screen is displayed.
4. Click Sender Deny.
The Sender Deny screen is displayed.
5. In the Add Address field, type the address of a sender whose email should be denied
without filtering.
The following values are allowed in the list entries:
• Email addresses – Complete sender email address or partial address with
wildcards (for example, "[email protected]" or "g*@domain.com")
• Domain names – Complete domain name or partial name with wildcards (for
example, "domain.com")
• IP addresses – Complete IP address or partial address with wildcards (for
example, "123.123.12.3" or "123.123.12.*")
Note: CIDR notation is not allowed. Each IP address must be designated separately.
6. Click Add.
The address is added to the denied address box on the right.
7. Repeat steps 4 and 5 for each address you want to add.
8. In the If the Sender is on the Sender Deny List section, select one of the following
options:
• Accept and silently discard the message – The email is accepted, but is
discarded without notification.
• Deny delivery – The email is denied delivery.
9. Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient
Shield List.
Deny Email to a Specific Recipient
You can define a list of recipient user addresses whose incoming email will always be
denied, regardless of email filtering. For example, you can designate that emails received
to an ex-employee's user account are always denied. Email received for all alias email
addresses for the designated user account is also included in the Recipient Shield
processing.
You can add individual addresses one at a time or you can add them with a batch file. See
Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Allow/Deny.
The Sender Allow screen is displayed.
4. Click Recipient Shield.
The Recipient Shield screen is displayed.
5. In the Add Address field, type the address of a recipient whose email should be
denied.
You can type a complete recipient email address or partial address with wildcards (for
example, "[email protected]" or "g*@domain.com").
Note: The email addresses must be defined in the primary Domain. Alias domain
names are not allowed.
6. Click Add.
The address is added to the recipient address box on the right.
7. Repeat steps 4 and 5 for each address you want to add.
8. In the If the Recipient is on the Recipient Shield List section, select one of the
following options:
• Accept and silently discard the message – The email is accepted, but is
discarded without notification.
• Deny delivery – The email is denied delivery.
• Do nothing – The email is forwarded to the recipient email address with no
processing applied.
9. Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient
Shield List.
Save a Copy of an Allow, Deny, or Recipient
Shield List
You can download the allow or deny list you have created so you can store a copy. To
download a copy, perform the following steps.
1. On the Allow, Deny, or Recipient Shield screen, click More Options.
2. Click Download [] List.
A download window is displayed. Secure Email Gateway (SEG) automatically
creates a Microsoft Excel spreadsheet (*.csv file) containing the address list. You can
choose to save the file or open it directly.
Add Allow, Deny, or Recipient Shield
Addresses with a Batch File
1. Using a text editor, create a text file that contains one email address per line, and save
it to your computer.
2. On the Allow, Deny, or Recipient Shield screen, click More Options.
Additional fields are displayed.
3. Click Browse and search for the text file you created.
4. Click Upload [] List.
5. Click Save.
Transport Layer Security
Transport Layer Security (TLS) has routinely been supported and is still supported by our
Secure Email Gateway (SEG) system. If a TLS connection can be negotiated between the
sender and the recipient MTAs, the system delivers the email over TLS. If a TLS
connection cannot be established between the sender and the recipient MTAs, the
mail transfer agent delivers the email via SMTP without encryption. Therefore, it is
recommended that you specify a sender's domain and/or sub-domain for this policy so that
TLS is enforced. With enforcement, if TLS cannot be established, the message is not
delivered and a bounce message is generated to the sender, recipient, or both, depending
on the Notifications settings.
Note: Enforced TLS requires a negotiation between our mail transfer agent and yours
to be successful. You must have TLS turned on at your end to accommodate this
transaction. Refer to your MTA software manual on “How to enable/turn-on TLS”
to ensure TLS is implemented in your system prior to setting up your domain lists.
From the Policy Set screen, select the Enforce TLS tab and complete the following steps.
Subscribe to Default TLS List
By checking the subscription to the TLS default list you will be adding the appropriate
Inbound/Outbound Default domain policy to your customized Enforced TLS domain list.
The default list can be viewed by clicking the corresponding Inbound/Outbound Default
selection under the Policies tab.
NOTE: This option is only available in custom (non-default) policy sets.
NOTE: If the default list changes, your subscription to the default is updated to reflect
those changes.
Add Domain
6. To enter values into the TLS domain list, enter the full address of the Sender/
Recipient's domain and/or sub-domain.
NOTE: Any Sender/Recipient's domain or sub-domain must be explicitly specified for
enforced TLS. Specifying a Sender/Recipient's domain doesn't automatically include
any sub-domains of that domain.
7. Click the Add » button. The value is added to the list box.
NOTE: The maximum number of values allowed in the Add Domain list is specified. This
limit is defined at the system level (see the online help for the specific count). Any
duplicate or invalid values are discarded automatically.
More Options
8. To upload a file with a predefined list, click the Browse button. After you select the
file and its path appears in the text field, click the Upload button. The contents are
added to the Add Domain box above.
9. To remove a value from the list, select it in the list box and click the « Remove button.
NOTE: To select more than one value from the list, press Ctrl on your keyboard, click
each entry you want to remove, and then click the « Remove button.
Save
10. Click the Save button to save your information.
Download
To download a domain list as a CSV file, click the Download button, select the list you
wish to download, and click Save.
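The NOTEs in the Add Domain steps say that a parent domain does not cover its sub-domains and that duplicate or invalid values are discarded automatically. The following Python code is an added example, not part of the guide or of the SEG product: it pre-checks a list file before upload and reports sender domains that would be left unenforced. The validity rule (plain DNS hostname syntax), the function names and the sample domains are assumptions.

```python
import re

# Assumption: an entry is "valid" if it is a plain DNS hostname with at least
# two labels. The guide does not define what the gateway treats as invalid,
# so wildcard entries such as "*.example.com" are reported as invalid here.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_domain(name):
    if len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def normalize_tls_list(lines):
    """Split a candidate upload file (one domain per line) into entries that
    would be kept and entries that would be silently dropped."""
    kept, rejected, seen = [], [], set()
    for lineno, raw in enumerate(lines, 1):
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue
        if not is_valid_domain(entry):
            rejected.append((lineno, raw.strip(), "invalid"))
        elif entry in seen:
            rejected.append((lineno, raw.strip(), "duplicate"))
        else:
            seen.add(entry)
            kept.append(entry)
    return kept, rejected


def coverage_gaps(enforced, observed_domains):
    """Return {domain: listed_parent} for observed domains that are NOT on the
    enforced list although one of their parent domains is. Because listing a
    domain does not include its sub-domains, mail for these domains can still
    be delivered without TLS."""
    enforced = set(enforced)
    gaps = {}
    for dom in observed_domains:
        dom = dom.strip().lower().rstrip(".")
        if dom in enforced:
            continue
        labels = dom.split(".")
        # Every parent except the bare top-level label, nearest parent first.
        parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
        listed = [p for p in parents if p in enforced]
        if listed:
            gaps[dom] = listed[0]
    return gaps


# Constructed sample data (not taken from the guide).
SAMPLE_UPLOAD = [
    "example.com",
    "Example.COM",          # duplicate after case folding
    "mail.example.com",
    "*.partner.example",    # wildcard: sub-domains must be listed explicitly
    "bad_domain.example",   # underscore is not valid hostname syntax
    "",
    "partner.example",
]
SAMPLE_SENDERS = [
    "example.com",
    "mail.example.com",
    "eu.mail.example.com",
    "billing.partner.example",
    "other.example",
]

if __name__ == "__main__":
    kept, rejected = normalize_tls_list(SAMPLE_UPLOAD)
    print("would be kept:", kept)
    for lineno, raw, why in rejected:
        print(f"line {lineno}: {raw!r} dropped ({why})")
    for dom, parent in coverage_gaps(kept, SAMPLE_SENDERS).items():
        print(f"{dom}: not enforced, only parent {parent} is listed")
```
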
Enforced TLS tab
The Notifications subtab under Enforced TLS allows you to configure whether the sender
and/or recipient is notified if an email cannot be sent via a TLS connection.
Notifications Subtab
Send Email Notifications
11. Check the "Denied Delivery" box for the heading "To the sender when
a message is....." to notify the sender that their message could not be sent due to a
TLS violation.
12. Click Save.
13. Check the "Denied Delivery" box for the heading "To the recipient when a
message is....." to notify the recipient that their message could not be received due to
a TLS violation.
14. Click Save.
To view your selection, click the Notifications tab in the Policy Set screen.
Define the Format and Text of
Notifications to Users
You can configure templates for the notification emails that are sent to the sender and/or
recipient when an email message is filtered for:
• Viruses
• Content
• Attachments
Default notification templates are provided for all the notification scenarios. You can
change these templates if you wish.
One notification email template is defined for each combination of the following:
• Filtering type — For viruses, content, or attachments
• Destination of the notification — Sender or recipient
• Email Action — Deny, strip, or quarantine
Variables within a Notification
Within the notification emails, variables automatically insert content from the system. For
example, the variable $(DATE) inserts the date when the notification email was sent.
Default variables already exist for the default notifications. If you want to use a different
variable, you must manually type the variable as shown below. Variables are
case-sensitive.
$(SUBJECT) - Inserts a variable that automatically indicates the subject of the email that
violated the policy.
$(FROM) - Inserts a variable that automatically indicates the sender's email address
(From: address) from the email that violated the policy. This variable inserts the From:
address that is displayed in the email.
$(SENDER) - Inserts a variable that automatically indicates the sender's email address
(From: address) from the email that violated the policy. This variable inserts the SMTP
envelope From: address received from the sending email server.
$(TO) - Inserts a variable that automatically indicates the recipient's email address
(To: address) from the email that violated the policy.
$(DATE) - Inserts a variable that automatically indicates the date when the email was
received that violated the policy.
$(REASON) - Inserts a variable that automatically indicates the reason why the email
violated the policy.
$(ACTION) - Inserts a variable that automatically indicates the action that was applied
to the email that violated the policy.
$(DOMAIN) - Inserts a variable that automatically indicates the domain that received the
email that violated the policy.
$(MSG_HEADER) - Inserts a variable that automatically indicates the email header
information from the email that violated the policy.
$(SIZE) - Inserts a variable that automatically indicates the size, including
attachments, of the email that violated the policy.
$(POSTMASTER) - Inserts the contact email address configured for the domain.
The set of Notifications tabs includes the following subtabs:
• Notifications – Virus Notifications subtab (see page 1)
• Notifications – Content Notifications subtab
• Notifications – Attachment Notifications subtab
In addition, each subtab will have a separate Edit area for each of its notification
templates.
Because all the individual notification templates offer the same functionality, only one set
of subtabs in the Notifications tabs will be described to reduce redundancy. Be aware that
the same features are used to modify the remaining notification templates, the only
difference being the combinations of filter type, destinations, and email actions. Be sure to
modify the navigation and information accordingly.
Define the Format and Text of Virus
Notifications
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Notifications.
The Notifications: Virus screen is displayed.
4. Click on a notification in the Virus Notifications box.
5. Click Edit.
The Edit section of the screen is displayed.
6. Change, if desired, the text or variables in any or all of the following fields:
From - Designates what email address is listed as the From: address in the
notification email. Optionally, you can type variables that insert system
information into this content.
Reply-To - Designates what email address is used if the recipient of the notification
email clicks the Reply button in his/her email application. Optionally, you
can type variables that insert system information into this content.
Subject - Type the text to be used as the subject for the notification email template.
Optionally, you can type variables that insert system information into this
content.
Body - Type the text to be used as the body text for the notification email
template. Optionally, you can type variables that insert system information
into this content.
7. Click Save.
Define the Format and Text of Content
Violation Notifications
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Notifications.
The Virus Notifications screen is displayed.
4. Click Content.
The Content Notifications screen is displayed.
5. Click on a notification in the Content Notifications box.
6. Click Edit.
The Edit section of the screen is displayed.
7. Change, if desired, the text or variables in any or all of the following fields:
From - Designates what email address is listed as the From: address in the
notification email. Optionally, you can type variables that insert system
information into this content.
Reply-To - Designates what email address is used if the recipient of the notification
email clicks the Reply button in his/her email application. Optionally, you
can type variables that insert system information into this content.
Subject - Type the text to be used as the subject for the notification email template.
Optionally, you can type variables that insert system information into this
content.
Body - Type the text to be used as the body text for the notification email
template. Optionally, you can type variables that insert system information
into this content.
8. Click Save.
Define the Format and Text of Attachment
Violation Notifications
1. Click Email Protection > Policies.
2. Click the policy you want to change.
3. Click Notifications.
The Virus Notifications screen is displayed.
4. Click Attachment.
The Attachment Notifications screen is displayed.
5. Click on a notification in the Attachment Notifications box.
6. Click Edit.
The Edit section of the screen is displayed.
7. Change, if desired, the text or variables in any or all of the following fields:
From - Designates what email address is listed as the From: address in the
notification email. Optionally, you can type variables that insert system
information into this content.
Reply-To - Designates what email address is used if the recipient of the notification
email clicks the Reply button in his/her email application. Optionally, you
can type variables that insert system information into this content.
Subject - Type the text to be used as the subject for the notification email template.
Optionally, you can type variables that insert system information into this
content.
Body - Type the text to be used as the body text for the notification email
template. Optionally, you can type variables that insert system information
into this content.
8. Click Save.
Enforced TLS
The Notifications > TLS subtab allows you to configure the template for the
notification email that is sent to the sender and/or recipient.
Within the notification emails, there are available variables that will automatically insert
content from the system. For example, the variable $(DATE) will insert the date when the
notification email was sent. You must manually type the variables as shown below and the
variables are case-sensitive.
9. Highlight the message you wish to review and click Edit to launch the edit template.
Variables within the template include:
$(SUBJECT) - The Subject field is blank because the message was blocked before the
email content had been sent. If you wish to have a Subject value for the Notification
message, edit the Subject: field, otherwise the Subject appears as: 'Delivery Notification'.
$(FROM) - Inserts a variable that automatically indicates the sender's email address
(From: address) from the email that violated the policy. This variable inserts the From:
address that is displayed in the email.
$(SENDER) - Inserts a variable that automatically indicates the sender's email address
(From: address) from the email that violated the policy. This variable inserts the SMTP
envelope From: address received from the sending email server.
$(TO) - Inserts a variable that automatically indicates the recipient's email address (To:
address) from the email that violated the policy.
$(DATE) - Inserts a variable that automatically indicates the date when the email was
received that violated the policy.
$(REASON) - Inserts a variable that automatically indicates the reason why the email
violated the policy.
$(ACTION) - Inserts a variable that automatically indicates the action that was applied to
the email that violated the policy.
$(DOMAIN) - Inserts a variable that automatically indicates the Domain that received the
email that violated the policy.
$(POSTMASTER) - Inserts postmaster (ex. [email protected]) email address for
the Domain.
Variable syntax requires $({name_of_variable}), where {name_of_variable} is replaced
with the predefined variable name (without the curly brackets).
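The variable rules described in "Variables within a Notification" and in the Enforced TLS list above (exact $(NAME) syntax, case-sensitive names, an empty $(SUBJECT) for TLS notifications) can be checked before a template is pasted into the Edit area. The following Python code is an added example, not part of the guide or of the SEG product; the function names, the sample template text and the sample values are constructed, and leaving unknown tokens unexpanded in the preview is an assumption about behaviour the guide does not describe.

```python
import re

# Variable names as listed in the guide. Names are case-sensitive.
COMMON_VARS = {"SUBJECT", "FROM", "SENDER", "TO", "DATE", "REASON",
               "ACTION", "DOMAIN", "POSTMASTER"}
# Listed for virus/content/attachment templates but absent from the
# guide's Enforced TLS variable list.
FILTER_ONLY_VARS = {"MSG_HEADER", "SIZE"}

TOKEN = re.compile(r"\$\(([^()\s]*)\)")   # well-formed $(NAME)
STRAY = re.compile(r"\$[{(]")             # any "$(" or "${" opener


def lint_template(text, kind="filter"):
    """Return (severity, message) findings for one template field.
    kind is "filter" (virus/content/attachment) or "tls" (Enforced TLS)."""
    allowed = COMMON_VARS | (FILTER_ONLY_VARS if kind == "filter" else set())
    findings, well_formed = [], set()
    for m in TOKEN.finditer(text):
        well_formed.add(m.start())
        name = m.group(1)
        if name in allowed:
            if kind == "tls" and name == "SUBJECT":
                findings.append(
                    ("warn", "$(SUBJECT) is empty in Enforced TLS notifications"))
            continue
        bare = name.strip("{}")           # catches $({DATE}) typed with brackets
        if bare.upper() in allowed:
            findings.append(
                ("error", f"$({name}): write it exactly as $({bare.upper()})"))
        elif name in FILTER_ONLY_VARS:
            findings.append(
                ("warn", f"$({name}) is not in the Enforced TLS variable list"))
        else:
            findings.append(("error", f"$({name}): unknown variable"))
    for m in STRAY.finditer(text):
        if m.start() not in well_formed:
            findings.append(
                ("error", f"malformed variable near offset {m.start()}"))
    return findings


def render(text, values):
    """Preview substitution with sample values.
    Assumption: tokens that are not known variables are left as typed."""
    return TOKEN.sub(lambda m: values.get(m.group(1), m.group(0)), text)


# Constructed sample values. FROM (displayed header) and SENDER (SMTP
# envelope) differ on purpose to show that they are separate fields.
SAMPLE_VALUES = {
    "SUBJECT": "",
    "FROM": "ceo@example.com",
    "SENDER": "bounce@mailer.example.net",
    "TO": "user@example.org",
    "DATE": "2011-10-03",
    "REASON": "TLS not available",
    "ACTION": "Denied Delivery",
    "DOMAIN": "example.org",
    "POSTMASTER": "postmaster@example.org",
}

# Constructed template body with three typical mistakes.
TLS_BODY = ("On $(DATE) a message from $(FROM) (envelope sender $(SENDER)) "
            "to $(TO) was $(action): $(REASON). Size: $(SIZE). "
            "Contact ${POSTMASTER}.")

if __name__ == "__main__":
    for severity, message in lint_template(TLS_BODY, kind="tls"):
        print(f"{severity}: {message}")
    print(render(TLS_BODY, SAMPLE_VALUES))
```
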
Enforced TLS Subject Headers
As mentioned, the Subject field in the TLS Email Subject Line, the TLS Email Header,
and the TLS Notification Message Body will not contain Subject data since the email was
denied and no data was retrieved.
The following examples demonstrate the Subject Field or Subject Notification only
displaying Delivery Notification. Again, this is because the $(SUBJECT) variable is an
empty variable.
[Figures: Email Subject Line; Email Subject Header; TLS Notification Subject Header Response]
Disaster Recovery
Disaster Recovery allows you to specify what actions to take when email cannot be
delivered. There are three available options:
• Defer to domain-based Message Continuity access control configured under Disaster
Recovery Setup
Select this option to use the configuration settings from the Disaster Recovery Setup
window.
• Allow users to use the Message Continuity webmail client
Select this option to allow users to use the Message Continuity webmail client when
email cannot be delivered.
• Do not allow users to use the Message Continuity webmail client
Select this option if you do not wish to allow users to use the Message Continuity
webmail client when email cannot be delivered.
Assign a Group to the Custom Policy
To perform this task, you must first create the group of users who are to be assigned to the
policy. See "Managing Groups" in Account Management Administrator Guide.
1. Click Email Protection > Policies.
2. Select the custom policy to which you want to assign a group.
3. Click Group Subscriptions.
The Policy Configuration Groups screen is displayed.
4. Select the group you want to assign.
5. Click Add.
6. Customize Outbound Mail
Filters
You can customize the default outbound policy for each domain or each group
to fit your business needs.
Note: Outbound email is not filtered for spam.
Create a Custom Outbound Policy
1. Click Email Protection > Policies.
2. Click New.
The New Policy Set fields are displayed.
Field - Description
Name - Enter a name for the policy set you are creating. The name should reflect
the name or purpose for the group or groups that you will assign to the
policy.
Description - Enter a description of the new policy set.
Direction - From the drop-down menu, select the direction of email, outbound
SMTP, for which this policy will be configured.
Copy From - From the drop-down menu, select an existing policy set whose settings
you want to copy to the new policy set. Most settings are copied based on
this selection. However, you must choose to copy some settings from the
existing policy separately by selecting the following fields.
3. Click Save.
The Policy Sets list is updated with the new policy. You can now modify the new
policy to meet your business needs.
Configure a Virus Filter
You configure a virus filter for outbound email in the same way as that for inbound email.
For more information, see Configure a Virus Filter.
Configure a Content Filter
You can create a custom content filter for outbound email. You can only set up Content
Groups and Notifications. HTML Shield and ClickProtect are not available for outbound
email. You set up content groups and notifications in the same way as that for inbound
email. For more information, see Configure a Content Filter.
Email Encryption for Content Groups
This feature requires subscription to SEG Premium
Group Names
You can send regular email based on your selected policies, but you can also
encrypt messages for a specific Group Name under Content Groups if desired. Select the
group name you wish to encrypt, then from the Action drop-down list select the option to
have that group encrypted.
More Options …
If a Customer or Domain subscribes to Email Encryption, then selecting this option can be
used to enforce Email Encryption if the outbound message contains the word '[encrypt]'.
The word [encrypt] can reside in the message Subject line or the body of the outbound
message.
This option can be found under Email Protection > Policies > Outbound (default) >
Content > Content Groups.
Define an Attachment Filter
You configure an attachment filter for outbound email in the same way as that for inbound
email. For more information, see Define an Attachment Filter.
Define the Format and Text of
Notifications to Users
You configure notifications for outbound email in the same way as that for inbound email.
For more information, see Define the Format and Text of Notifications to Users.
Assign a Group to the Custom Policy
You assign a group to a policy for outbound email in the same way as that for inbound
email. For more information, see Disaster Recovery.
7. Managing Quarantine
Reports
Set up Quarantine Reports
When Secure Email Gateway (SEG) scores email and determines that email might be
problematic, but the email is not clearly a security risk, Secure Email Gateway (SEG)
places the email into quarantine. You can set up quarantine reports so that users can see
which of their messages were filtered and placed in quarantine. You can also determine
how much control users have over these reports, including:
• How reports are formatted.
• How often reports are sent
• How Spam is filtered
• What actions users can take on quarantined email
To set up quarantine reports for users, see Set up Spam Quarantine Reports.
Monitor Users’ Quarantined Email
Email is quarantined based on the filtering for spam, viruses, content, and attachments, as
designated on your domains' or groups' policies. To monitor quarantined email, you can
perform the following tasks:
• Search for Quarantined Email
• Interpret the Search Results
• Sort the Search Results
• Delete Quarantined Messages
• Release Quarantined Messages
• View Quarantined Messages
As an administrator, you can also directly access your own quarantined email within the
Control Console. See Monitor Your Own Quarantine.
Primary Email Addresses, Aliases, and
Public Domain Addresses
Most quarantined emails show the primary email address as the recipient email address.
However, if Intelligent Routing is used, quarantined email to a public domain address
continues to be shown as a public domain address. If an email that was sent to an alias
email address is quarantined, the recipient email address is changed to be the associated
primary email address. Any emails released out of any of the quarantine areas are sent to
the primary email address. Thus, no alias email addresses will be listed in these windows.
Search for Quarantined Email
To search quarantined email, perform the following steps:
1 Click Email Protection > Quarantine.
2 If necessary, click Quarantine Search.
3 Complete any or all of the following fields to define your search:
Note: All fields are used in the search. If your search finds a large number of
messages, narrow your search by narrowing the scope within one or more fields.
Field - Description
From - Enter a full sender email address. The address must include the recipient
name and the domain name, for example [email protected].
To - Enter a recipient email address. The address must include the recipient name
and the domain name.
Threat - From the drop-down menu, select one of the following:
• Spam
• Virus
• Attachment
• Content
• All Threats
Day list - From the drop-down menu, select the day, from the past week, whose
messages you want to see. You can also select All Days.
Note: The date of a message is determined by the time, according to the
user's timezone, the message was placed in quarantine.
Inbound/Outbound - From the drop-down menu, select one of the following:
• View inbound only
• View outbound only
• View inbound & outbound
Note: This field is available only if the selected Domain has both inbound
and outbound packages associated with it.
4 Click Search.
A list of messages is displayed at the bottom of the screen.
Interpret the Search Results
The Search Results section of the Quarantine Search screen displays the following
information for each email message:
• Date — The date the message was quarantined, according to the local timezone of the
recipient.
• From — The sender of the message.
• To — The recipient of the message.
• Subject — The subject of the message.
• Size — The size of the message, in kilobytes, including any attachments.
Also, a sixth column displays information that varies depending on the type of threats you
searched for. The following table lists the type of information that might be contained in
this column.
Threat Type Selected: Virus
Column Label: Virus
Description: Displays the type of virus detected in the email.

Threat Type Selected: Spam
Column Label: Spam Score
Description: Displays a score that indicates how likely it is that the email is spam.
• A spam score of 90% - 98.9% is considered "medium" likelihood if default settings
are used.
• A spam score of 99% or higher is considered "high" likelihood if default settings
are used.
Secure Email Gateway (SEG) anti-spam filtering uses a large number of filtering
processes, as well as sophisticated statistical classification techniques, as part of its
Stacked Classification Framework® to determine the score. If you specified an additional
Realtime Blackhole List (RBL) in the Anti-Spam screen of the assigned policy, the RBL
can influence the spam score as well.
Note: Occasionally, some emails might be marked as spam when in fact they are
legitimate emails. For these "false positive" email messages, you can help SEG "tune"
the spam thresholds and rules by sending a forwarded copy of the email with all content
and attachments to [email protected] .

Threat Type Selected: Attachment
Column Label: Attachment
Description: Displays the name of an attachment that was included in the email
message and violates attachment rules (size, file type, zip file attachments) as defined
on the Attachment screens of the assigned policy. If a message contains more than one
delinquent attachment, the first attachment found in the message is listed. You can
check to see all attachments by opening the message.

Threat Type Selected: Content
Column Label: Keyword
Description: Displays Content to indicate that the email violated a content policy, as
defined in the Content Groups screen for the assigned policy. You can see what keywords
were violated by opening the message and checking the Status line.

Threat Type Selected: All Threats
Column Label: Type
Description: Displays the type of threat filtering that the email violated.
Sort the Search Results
You can sort the search results according to any of the columns in the Search Results
section.
1. Click on the heading of the column you want to sort.
You have the choice of sorting the messages in ascending or descending order of the
values in the column.
2. Click Sort Ascending or Sort Descending.
3. To hide columns in the results, move your cursor over the Columns menu item and
click the checkboxes to select or deselect the columns you want to display in your
sorted list.
4. To move columns around so they are displayed in a different left-to-right sequence,
perform the following steps:
A. Place your cursor on the column you want to move.
B. Click and hold the mouse button.
C. Drag the column to a different location.
Delete Quarantined Messages
Secure Email Gateway (SEG) deletes each message automatically if the message stays
in quarantine for more than seven days. However, you can immediately delete
quarantined email listed in the Quarantine Search Results in one of two ways:
• Highlight each email in the list and click Delete.
• Click Delete All, which deletes all email in the Search Results list.
Release Quarantined Messages
By releasing a quarantined email message, you remove the message from quarantine and
send the email to the mailbox of the recipient's primary email address. You can release
email in one of two ways:
• Click the checkbox for each email you want to release, and click Release.
The email is removed from quarantine and sent to the recipient mailbox or mailboxes.
• Click the checkbox for each email you want to release, and click Always Allow
for User.
The email is removed from quarantine and sent to the recipient mailbox or mailboxes.
This option also adds the sender address of each selected message to the Allow list of
the associated recipient.
Caution: Releasing emails that contained worms or viruses can potentially allow the
recipients' machines to be infected.
View Quarantined Messages
Secure Email Gateway (SEG) allows you to view a quarantined message without risk of
infection by any malicious virus or attachments. To view a message in the quarantine:
1 Double-click the message you want to view.
The message opens in a new tab with the subject heading.
2 Check the email for any of the following, depending on the Threat type:
If the Threat type is Spam, check the subject line and body of the message, as well as
the Status line for the spam score.
If the Threat type is Content, check the Status line for the word or words that violated
the content filter.
If the Threat type is Attachment, check the Attachments list for size and/or type of
file or for html code violations. The Content Type is based on the MIME protocol.
If the Threat type is Virus, check the Virus list for the viruses found.
3 Note the IP address listed in the message. This address is the last hop the message took
prior to delivery to Secure Email Gateway (SEG). The IP address can be useful in
tracking the path of a message and can help identify spoofed senders.
4 After checking a message, do one of the following:
• Delete the message as described in Delete Quarantined Messages.
• Release the message as described in Release Quarantined Messages.
• Close the message by clicking the X in the tab at the top of the message.
Monitor Your Own Quarantine
You can check your own messages in quarantine and take the same actions on those
messages that you take on other users' messages. To access your own quarantined
messages, perform the following steps:
1 Click Email Protection > Quarantine.
2 Click My Spam.
Your message quarantine is displayed.
3 Perform any of the following tasks:
• Search for Quarantined Email
• Interpret the Search Results
• Sort the Search Results
• Delete Quarantined Messages
• Release Quarantined Messages
• View Quarantined Messages
8. Set up Disaster Recovery
Services
Administer Disaster Recovery
Services
• Message Continuity — Message Continuity saves messages for later delivery if your
mail server becomes unavailable. When your mail server becomes available, Message
Continuity delivers the messages. Users can access their messages through a Web-
based interface while messages are in Message Continuity only.
Message Continuity also has unlimited storage capacity and removes messages that
have been in Message Continuity storage for more than 60 days.
Set up Spooling for Disaster Recovery
1 Click Email Protection > Setup > Disaster Recovery.
2 From the Domain drop-down menu, select the domain you want to set up for Disaster
Recovery.
3 In the Configuration Settings section, select one of the following options:
• Automatic — This option automatically spools all incoming email when Secure
Email Gateway (SEG) detects a loss of connectivity with your email server(s).
With this option, you must also specify how long Secure Email Gateway (SEG)
should wait after connectivity is lost to begin spooling.
Note: Be aware that it may take several minutes to determine that your inbound
server is unavailable. During this time, and during the time delay, received emails
can be tempfailed if your inbound server is unavailable.
• Manual — This option allows you to start and stop Disaster Recovery spooling
manually for planned email server outages such as server maintenance.
When necessary, you then select Start Spooling to initiate manual spooling; and
select Stop Spooling to stop it.
Note: It may take a few minutes for manual spooling of incoming mail to start and
stop.
4 If you selected the Manual option, check the Deliver spooled email when
connectivity is available box to deliver spooled email when connectivity to the email
server(s) is restored.
5 If your service includes Message Continuity, check the checkbox Allow users to use
Message Continuity to set the default permission for users to get messages through
Message Continuity. This setting applies to the domain. You can override this setting
on the Disaster Recovery screen under Policies if you have some groups that you don't
want to allow access.
Set up Notifications of Disaster Recovery
You can specify that notifications are emailed automatically to designated recipients,
typically yourself or other administrators, when the following Disaster Recovery events
occur:
• Automatic spooling has started
• Automatic unspooling has started
• Automatic or manual unspooling has completed.
1 Under the Notifications section of the Disaster Recovery Setup screen, type, in the
Recipient Email Address field, the email address of a person who should receive
notification of a disaster recovery event.
Note: In order to minimize the possibility that Disaster Recovery notifications cannot
be delivered to listed recipients, it is recommended that notifications be sent to email
addresses associated with cell phones or pagers.
2 Click Add.
3 Repeat steps 1 and 2 for up to three more notification recipients.
9. System Reports
Secure Email Gateway (SEG) Reports
Secure Email Gateway (SEG) provides a large number of reports with which to monitor your service.
Report – Description
Traffic Overview – Information about all Inbound and Outbound email traffic and bandwidth for
the designated domain(s) during the selected date or date range.
Threat: TLS – Information about all TLS Inbound and Outbound email traffic, percentages
and bandwidth for the designated Domain(s) during the selected date or date
range.
Threats: Overview – Information about email violations by policy type for the designated
domain(s) during the selected date or date range.
Threats: Viruses – Information about all Inbound and Outbound emails that violated the virus
policies for the designated domain(s) during the selected date or date range.
Threats: Spam – Information about emails that violated the spam policies for the designated
domain(s) during the selected date or date range.
Threats: Content – Information about emails that violated the content keyword policies for the
designated domain(s) during the selected date or date range.
Threats: Attachments – Information about emails that had attachments that violated the attachment
policies for the designated Domain(s) during the selected date or date range.
Enforced TLS Details – Information about all Enforced TLS Inbound and Outbound email traffic,
including the number of messages and bandwidth for the designated
Domain(s) during a selected timeframe. The report also includes a count of
Inbound and Outbound messages that were denied due to an Enforced TLS
Policy violation.
ClickProtect: Overview – Information about ClickProtect processing. ClickProtect processing tracks
Web hyperlinks received in emails that can be clicked and followed by the
user or that can be blocked, depending on the ClickProtect policy
configurations for the designated domain(s) during the selected date or date
range.
ClickProtect: Click Log – Information about Web hyperlinks in emails that were clicked by the
recipient for the designated domain(s) during the selected date or date range.
Quarantine: Release Overview – Information about emails that were quarantined and released from all
quarantine areas within the Secure Email Gateway (SEG) for the
designated domain(s) during the selected date or date range.
Quarantine: Release Log – Information about emails that were released from all quarantine areas within
the Secure Email Gateway (SEG) for the designated domain(s) during the
selected date or date range.
User Activity – Information about all Inbound and Outbound email traffic and bandwidth for
the designated domain(s) during the selected date or date range.
Event Log – Displays messages that have had actions performed based on the content,
spam content, virus, or attachment policy definitions. Messages can be
sorted per domain, and Inbound direction, Outbound direction or both.
Messages that are identified as threats by the Secure Email Gateway
(SEG) are also included.
Audit Trail – Displays the audit log items for all actions performed by users at Report
Manager, or higher level, roles within the Control Console for the
designated domain(s) during the selected date or date range, including sign
ins and configuration changes.
Inbound Server Connections – Displays information about the connections made to the Inbound email
servers during processing.
Disaster Recovery: Overview – Information about emails that were spooled and unspooled by the disaster
recovery service for the designated domain(s) during the selected date or
date range.
Disaster Recovery: Event Log – Displays the event log items for actions performed within the disaster
recovery service. Included are actions performed automatically by the
Secure Email Gateway (SEG) and performed manually by the
administrator.
View a Secure Email Gateway Report
To view an Email Protection Report, perform the following steps:
1. Click Email Protection > Reports.
2. From the Domain drop-down menu, select the domain for which you want the report.
The Traffic Overview report is displayed.
3. From the Reports drop-down menu, select the report you want.
4. Click the Period field to display the Calendar selector.
5. From the Calendar selector, do one of the following:
A Select Today for data on the current day.
B Select a specific date, within the last 7 days, to display data only for that date.
C Select the name of the month that appears at the bottom of the calendar.
D Select a month and date in the drop-down lists.
E Position cursor over the week number (to the left of the first date in a week) and
click to display data for the entire week beginning with that date.
Note: You can select only the current month or click the down arrow at the top of the
calendar to select the previous month. You cannot retrieve data from a timeframe
beyond the previous month.
Change the Graphic Display of the Report
You can display some of the information in a report as a bar graph, as a line graph, or as a
pie chart.
To select a graphic display type, select the appropriate icon on the upper right corner of
each graphic, if available. The icons are as follows:
This icon displays the graphic as a bar graph.
This icon displays the graphic as a line graph.
This icon displays the graphic as a solid (filled) line graph.
Download a Report
To download textual report information into a Microsoft Excel spreadsheet (*.csv), click
Download on any report, then follow the instructions.
Traffic Overview
The Traffic: Overview window displays overview information about the inbound and
outbound email traffic for the designated domain.
The following table lists the report items in the report.
Report Item – Description
Traffic Trends – The number of inbound and outbound emails for the designated Domain
and date range.
• Green – Inbound data
• Purple – Outbound data
Traffic Summary – Information about inbound and outbound email traffic for the designated
Domain and date range as follows:
• Inbound Messages – Indicates the total number of inbound emails
received.
• Average Inbound Messages/Hour – Indicates the average number of
inbound emails received each hour.
• Outbound Messages – Indicates the total number of outbound emails
sent.
• Average Outbound Messages/Hour – Indicates the average number
of outbound emails sent each hour.
Bandwidth Trends – The bandwidths, in kilobytes, used by inbound and outbound email for the
designated Domain and date range.
• Green – Inbound data
• Purple – Outbound data
Bandwidth Summary – Information about the bandwidth used by inbound and outbound email for
the designated domain and date range as follows:
• Inbound Total Bandwidth – The total bandwidth used by received
inbound emails.
• Average Inbound Message Size – The average size of inbound
emails.
• Outbound Total Bandwidth – The total bandwidth used by sent
outbound emails.
• Average Outbound Message Size – The average size of sent
outbound emails.
Traffic: TLS Report
The Traffic: TLS Report window displays information about all TLS Inbound and
Outbound email traffic, percentages and bandwidth for the designated Domain(s) during
the selected date or date range.
Reporting Period: All report data is viewable on either a day, week, or month basis for the
current month, or the previous month.
You can use the Download button to save a copy of the currently displayed report results
in spreadsheet format.
Report Purpose
Identifies Inbound and Outbound email messages that were delivered via a TLS
connection and any email messages that were denied due to an Enforced TLS Policy
violation.
Traffic Summary
TLS Inbound Messages - The total of TLS inbound messages that were processed via a
TLS connection.
% Inbound Messages sent via TLS - The percentage of incoming email messages
processed via a TLS connection.
Inbound Messages blocked by Enforced TLS - The total of inbound email messages
blocked by an Enforced TLS policy.
TLS Outbound Messages - The total of TLS outbound messages that were processed via
a TLS connection.
% Outbound Messages sent via TLS - The percentage of outgoing email messages
processed via a TLS connection.
Outbound Messages blocked by Enforced TLS - The total of outgoing email messages
blocked by an Enforced TLS policy.
Bandwidth Summary
TLS Inbound Total Bandwidth - The quantity of data transferred via TLS,
measured in bytes.
% Inbound Bytes sent via TLS - The percentage of Inbound mail sent via TLS,
measured in bytes.
Outbound Total Bandwidth - The quantity of data transferred via TLS, measured
in bytes.
% Outbound Bytes sent via TLS - The percentage of Outbound mail sent via TLS,
measured in bytes.
Traffic: Encryption
Report only available to SEG Premium customers
The Traffic: Encryption report displays information about all Outbound email traffic,
percentages and bandwidth for the designated Domain(s) during the selected date or date
range sent out to be encrypted.
Selecting the checkbox for Email Encryption on both the Create/Edit Customer page
and Create/Edit Domain page allows customers to use the 'Encrypt Message' action
when working with Outbound policy Content Groups.
When the 'Encrypt Message' action is selected for a Content Group, then any message
that contains that content is routed to an encryption server and available to the recipient.
Email Encryption is only available for a selected Outbound package.
Email Encryption Summary
Outbound Messages blocked by Email Encryption - The total outbound messages to be
delivered for encryption.
% Outbound Messages sent via Encryption - The percentage of outgoing email
messages sent out to be encrypted.
Email Encryption Bandwidth Summary
Outbound Total Bandwidth - The total bandwidth of outgoing email messages
sent for encryption.
% Outbound Bytes sent via TLS - The percentage of outgoing message bytes sent out
to be encrypted.
Threats: Overview
The Threats: Overview report displays overview information about email violations by
policy type for the designated domain.
The following table lists the report items in the report.
Report Item – Description
Inbound Threat Trends – The total number of inbound emails that violated each policy type for the
designated Domain and date range. Data for each policy type is color-
coded as indicated in the legend below the graphic.
Inbound Threat Summary – Information about the number of inbound emails that violated each policy
type for the designated Domain and date range.
• Total Viruses – The total number of inbound emails that contained
known worms and viruses.
• Infection Rate – The percentage of inbound emails that contained
known viruses vs. the total number of received inbound emails.
• Total Spam Identified – The total number of inbound emails filtered
for potential spam.
• Spam Volume – The percentage of inbound emails that were filtered
for potential spam.
• Spam Beacons Detected – The total number of spam beacons
detected in inbound emails. Note that each email may contain multiple
spam beacons.
• Content Keyword Violations – The total number of inbound emails
that violated the content keyword policies.
• Attachment Policy Violations – The total number of inbound emails
that had attachments that violated the attachment policies.
Outbound Threat Trends – The total number of outbound emails that violated each policy type for the
designated domain and date range. Data for each policy type is color-coded
as indicated in the legend below the graphic.
Outbound Threat Summary – Information about the number of outbound emails that violated each policy
type for the designated Domain and date range as follows:
• Total Viruses – The total number of outbound emails that contained
known viruses.
• Infection Rate – The percentage of outbound emails that contained
known viruses vs. the total number of sent outbound emails.
• Content Keyword Violations – The total number of outbound emails
that violated the content keyword policies.
• Attachment Policy Violations – The total number of outbound
emails that had attachments that violated the attachment policies.
Threats: Viruses
The Threats: Viruses report displays information about emails that violated the virus
policies for the designated domain.
The following table lists the report items in the report.
Report Item – Description
Virus Volume Trends – The total number of emails that contained known viruses.
• Green – Inbound data
• Purple – Outbound data
Virus Detection Summary – Indicates information about the emails that contained worms or viruses:
• Total Viruses Inbound – The total number of inbound emails that
contained known viruses ("infected emails").
• Inbound Infection Rate – The percentage of infected inbound
emails vs. the total number of received inbound emails.
• Total Viruses Outbound – The total number of infected outbound
emails.
• Outbound Infection Rate – The percentage of infected outbound
emails vs. the total number of sent outbound emails.
• Disinfected (cleaned) – The total number of infected emails that had
their viruses successfully removed and the emails were forwarded to
their destinations.
• Stripped – The total number of infected emails that had the infected
attachments stripped and then were forwarded to their destinations.
Top Inbound Viruses – The most frequently encountered viruses in inbound emails, in the order
of most frequent to less frequent, and the total number of encounters for
each virus.
Virus Policy Actions – The percentage of policy actions applied to infected emails.
Top Outbound Viruses – The most frequently encountered viruses in outbound emails, in the order
of most frequent to less frequent, and the total number of encounters for
each virus.
Threats: Spam
The Threats: Spam window displays information about emails that violated the spam
policies for the designated domain.
The following table lists the report items in the report.
Report Item – Description
Spam Volume Trends – The total number of emails that violated spam policies.
• Green – Inbound data
• Purple – Outbound data
Spam Detection Summary – Information about the emails that violated spam policies:
• Total Inbound Spam Identified – The total number of inbound
emails that violated spam policies.
• Inbound Spam Volume – The percentage of inbound emails that
violated spam policies vs. the total number of received inbound
emails.
• Spam Beacons Detected – The total number of spam beacons
detected in emails. Note that each email may contain multiple spam
beacons.
• RBL – The total number of emails that were filtered by the Real-time
Blackhole List (RBL).
• DUL – The total number of emails that were filtered by the Dial-up
User List (DUL).
• RSS – The total number of emails that were filtered by the Relay
Spam Stopper (RSS).
• Spam Content Group – The total number of emails that contained
keywords from the content groups that were created in the Anti-Spam
> Content Group subtab; in this example, the group named
"Viagra."
Spam Policy Actions – The percentage of policy actions applied to the emails that violated spam
policies.
Threats: Content
The Threats: Content window displays information about emails that violated the
content keyword policies for the designated domain.
The following table lists the report items in the report.
Report Item – Description
Content Policy Violation Trends – The total number of emails that violated the content keyword policies.
• Green – Inbound data
• Purple – Outbound data
Top Inbound and Outbound Content Group Violations – Both the Top Inbound Content Group Violations and the Top Outbound
Content Group Violations reports measure the number of messages found
to violate the top ten inbound / outbound customer email content policies
for both global policies and custom policies.
Information about the emails that violated content keyword policies:
• Credit Card - The total number of emails that contained keywords
and phrases from the Credit Card predefined content group.
• Profanity – The total number of emails that contained keywords from
the Profanity content group.
• Racially Insensitive – The total number of emails that contained
keywords from the Racially Insensitive content group.
• Sexual Overtones – The total number of emails that contained
keywords from the Sexual Overtones content group.
• Social Security - The total number of emails that contained keywords
and phrases from the Social Security predefined content group.
• Custom Content Groups – The total number of emails that contained
keywords from the content groups that were created in the Current
Content Groups window; in this example, "HIPPA Compliance."
Content Policy Actions – The percentage of policy actions applied to the emails that violated content
keyword policies.
Threats: Attachments
The Threats: Attachments window displays information about emails that had
attachments that violated the attachment policies for the designated domain.
The following table lists the report items in the report.
Report Item – Description
Attachment Policy Violation Trends – The total number of emails that had attachments that violated the
attachment policies.
• Green – Inbound data
• Purple – Outbound data
Attachment Summary – Information about the emails that had attachments that violated the
attachment policies:
• Average Attachment Size – The average size of attachments
encountered in emails.
• Executables – The total number of executables (for example, *.exe
or *.com) received as attachments.
• Scripts – The total number of script files received as attachments.
• Office Documents – The total number of Microsoft Office
documents (for example, *.doc or *.xls files) received as
attachments.
• Audio – The total number of audio files (for example, *.wav or
*.mp3 files) received as attachments.
• Images – The total number of graphic files (for example, *.gif or
*.bmp files) received as attachments.
• Compressed Archives – The total number of archive files (for
example, *.zip or *.tar files) received as attachments.
Attachment Policy Actions – The percentage of policy actions applied to the emails that had
attachments that violated the attachment policies.
Enforced TLS Details
The Enforced TLS Details report displays information about all Enforced TLS Inbound
and Outbound email traffic, including the number of messages and bandwidth for the
designated Domain(s) during a selected timeframe. The report also includes a count of
Inbound and Outbound messages that were denied due to an Enforced TLS Policy
violation.
Reporting Period: All report data is viewable on either a day, week, or month basis for the
current month, or the previous month.
You can use the Download button to save a copy of the currently displayed report results
in a spreadsheet format.
Select your customer to manage.
Field – Description
Customer – From the drop-down list select the Customer. (If needed)
Domain – From the drop-down list select the Domain or "All Domains". (If needed)
Note: When there are 1000 domains listed in the drop-down a Find button will display to
assist the user in locating the correct domain.
Depending on how your system is configured, you may run a report for a primary domain,
a domain alias, or a public domain. A Public Domain is a registered domain with a public
MX record that is used for uniform email addresses across multiple primary domains. A
public domain name will have the primary domain appended to it with brackets "[primary
domain]", and a Domain Alias is appended with brackets "[alias]".
The following examples demonstrate this feature:
• acme.com [acme-denver.com] shows the public domain and, in brackets, the primary domain.
• acme.com [alias]
Traffic Summary
Enforced TLS Accepted - Inbound Messages - The total number of TLS inbound
messages that were processed via an Enforced TLS connection for a given domain.
Enforced TLS Accepted - Outbound Messages - The total number of TLS outbound
messages that were processed via an Enforced TLS connection for a given domain.
Enforced TLS Accepted - Inbound Bandwidth - The quantity of data transferred via
Enforced TLS for inbound messages, measured in bytes, for a given domain.
Enforced TLS Accepted - Outbound Bandwidth - The quantity of data transferred via
Enforced TLS for outbound messages, measured in bytes for a given domain.
Enforced TLS Denied - Inbound Messages - The total of incoming email messages
blocked by an Enforced TLS policy for a given domain.
Enforced TLS Denied - Outbound Messages - The total of outgoing email messages
blocked by an Enforced TLS policy for a given domain.
ClickProtect: Overview
The ClickProtect: Overview window displays overview information about ClickProtect
processing. ClickProtect processing tracks Web hyperlinks received in emails that can be
clicked and followed by the user or that were blocked, depending on the ClickProtect
policy configurations.
The following table lists the report items in the report.
Report Item – Description
ClickProtect Trends – The numbers of emails that contained hyperlinks and that contained
hyperlinks that were clicked by the recipients.
• Green – Total number of emails that contained hyperlinks.
• Purple – Number of emails that contained hyperlinks that were
clicked by the recipients.
ClickProtect Statistics – Information about the emails that contained hyperlinks that were
processed by ClickProtect:
• Messages with links – The total number of emails that contained
hyperlinks.
• Messages with multiple links – The total number of emails that
contained multiple hyperlinks.
• Total clicks – The total number of times that a recipient clicked a
hyperlink in an email.
• Total allowed click throughs – The total number of times that a
recipient was allowed to access the destination designated in a
clicked hyperlink.
• Total denied click throughs – The total number of times that a
recipient was prevented from accessing the destination designated in
a clicked hyperlink.
• Number of individual users that clicked – The total number of
recipients that attempted to click a hyperlink in an email.
• Spam messages with clicks – The total number of spam emails that
contained hyperlinks clicked by recipients.
• Messages with links on the ClickProtect Allow List – The total
number of emails that contained hyperlinks that were listed on the
ClickProtect Allow list.
ClickProtect: Click Log
The ClickProtect: Click Log window displays information about hyperlinks in emails
that were clicked by recipients.
The following table lists the report items in the report.
Report Item – Description
Timestamp – The date, time, and time zone when the hyperlink was clicked in the
filtered email.
From – The email address that sent this email ("sender email address").
To – The email address to which this email was sent ("recipient email
address").
Subject – The text that was in the subject header of this email.
URL – The URL destination defined in the clicked hyperlink (the URL to where
the recipient attempted and/or was successful in clicking through).
Score – The spam likelihood score that was assigned to the email by Email
Protection.
Quarantine: Release Overview
The Quarantine: Release Overview displays overview information about emails that
were quarantined and released from all the quarantine areas within Secure Email
Gateway (SEG) for the designated domain.
The following table lists the report items in the report.
Report Item – Description
Inbound Quarantine Release Trends – The total number of emails that were quarantined and then released in all
the quarantine areas. Data for each policy type is color-coded as indicated
in the legend below the graphic.
Inbound Spam Release Summary – Information about the emails that were quarantined as potential spam and
then released.
• Total Spam Identified – The total number of quarantined emails that
were identified as potential spam.
• Total Spam Released – The total number of emails released from the
spam quarantine.
• Release Percent – The percent of emails released from the spam
quarantine vs. the total number of emails that were quarantined as
potential spam.
• Total # of individuals – The total number of user accounts that had
emails released from the spam quarantine.
Inbound Virus Release Summary – Information about the emails that were quarantined because of viruses
and then released.
• Total Viruses Identified – The total number of viruses detected in
incoming emails that were quarantined.
• Total Virus Released – The total number of emails released from the
virus quarantine.
• Release Percent – The percent of emails released from the virus
quarantine vs. the total number of emails that were quarantined
because of viruses.
• Total # of individuals – The total number of user accounts that had
emails released from the virus quarantine.
Inbound Content Release Summary – Information about the emails that were quarantined because of content
and then released.
• Total Content Policy Violations – The total number of quarantined
emails that violated content policies.
• Total Content Released – The total number of emails released from
the content quarantine.
• Release Percent – The percent of emails released from the content
quarantine vs. the total number of emails that were quarantined
because of content.
• Total # of individuals – The total number of user accounts that had
emails released from the content quarantine.
Inbound Attachment Release Summary – Information about the emails that were quarantined because of
attachments and then released.
• Total Attachment Policy Violations – The total number of
quarantined emails that violated attachment policies.
• Total Attachment Released – The total number of emails released
from the attachment quarantine.
• Release Percent – The percent of emails released from the
attachment quarantine vs. the total number of emails that were
quarantined because of attachments.
• Total # of individuals – The total number of user accounts that had
emails released from the attachment quarantine.
Quarantine: Release Log
The Quarantine: Release Log displays detailed information about emails that were
released from all the quarantine areas within Secure Email Gateway (SEG) for the
designated domain.
The following table lists the report items in the report.
Report Item – Description
Display – Designates which type of quarantine release events to display.
• All Events – Displays release events for all the quarantines.
• Spam – Displays release events for the spam quarantine.
• Attachments – Displays release events for the attachment quarantine.
• Content – Displays release events for the content quarantine.
• Viruses – Displays release events for the virus quarantine.
Type – The reason why this email was quarantined.
• Spam – Email violated spam policies.
• Virus – Email contained a known virus.
• Attach – Email's attachment violated the attachment policies.
• Content – Email contained content that violated the content policies,
including keywords and HTML.
From – The email address that sent this email ("sender email address").
To – The email address to which this email was sent ("recipient email address").
Subject – The text that was in the subject header of this email.
Release Date – The date, time, and time zone when this email was released from quarantine in
Secure Email Gateway (SEG).
Size – The total file size of this email, including all attachments.
Additional Feature – Position your cursor anywhere over a log item and the Item Pop-up window
appears, displaying more information about the item.
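One way to review a downloaded Quarantine: Release Log for risky releases, as an added example that is not part of the guide or the product. The CSV column names (taken from the report items above, plus "Released by" from the item details), the timestamp format, the thresholds and the sample rows are all assumptions; adjust them to the actual export.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a downloaded Release Log (*.csv). The column layout and
# the timestamp format are assumptions; every address and subject is made up.
SAMPLE_CSV = """Type,From,To,Subject,Release Date,Size,Released by
Spam,news@vendor.example,alice@acme.com,Weekly digest,2011-10-03 09:12,18230,alice@acme.com
Virus,billing@unknown.example,bob@acme.com,Invoice 4471,2011-10-03 09:40,88210,bob@acme.com
Attach,billing@unknown.example,carol@acme.com,Invoice 4471,2011-10-03 09:44,91002,admin@acme.com
Attach,billing@unknown.example,dave@acme.com,Invoice 4471,2011-10-03 09:47,90877,dave@acme.com
Spam,promo@shop.example,bob@acme.com,Sale,2011-10-04 11:02,20100,bob@acme.com
Content,hr@acme-partner.example,erin@acme.com,Benefits form,2011-10-04 15:30,40211,admin@acme.com
Spam,promo@shop.example,bob@acme.com,Sale ends,2011-10-05 08:15,19950,bob@acme.com
Spam,lists@forum.example,bob@acme.com,Thread update,2011-10-05 08:20,7300,bob@acme.com
"""

# Release types treated as high risk here: a known virus or a blocked attachment.
HIGH_RISK_TYPES = {"Virus", "Attach"}


def load_release_log(text):
    """Parse the exported log into dicts with typed date and size fields."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {key.strip(): value.strip() for key, value in raw.items()}
        row["Release Date"] = datetime.strptime(row["Release Date"], "%Y-%m-%d %H:%M")
        row["Size"] = int(row["Size"])
        rows.append(row)
    return rows


def review_releases(rows, per_account_threshold=3, fanout_threshold=3):
    """Return three review lists built from the release log.

    high_risk          - every release of a Virus or Attach quarantined email,
                         marked when the recipient released it themselves
    frequent_releasers - accounts that released at least per_account_threshold emails
    sender_fanout      - senders whose quarantined mail was released to at least
                         fanout_threshold distinct recipients
    """
    high_risk = []
    released_by = Counter()
    recipients_by_sender = defaultdict(set)

    for row in rows:
        releaser = row["Released by"].lower()
        recipient = row["To"].lower()
        released_by[releaser] += 1
        recipients_by_sender[row["From"].lower()].add(recipient)
        if row["Type"] in HIGH_RISK_TYPES:
            high_risk.append({
                "Type": row["Type"],
                "From": row["From"],
                "To": row["To"],
                "Subject": row["Subject"],
                "Release Date": row["Release Date"],
                "self_released": releaser == recipient,
            })

    return {
        "high_risk": sorted(high_risk, key=lambda item: item["Release Date"]),
        "frequent_releasers": {
            account: count
            for account, count in released_by.items()
            if count >= per_account_threshold
        },
        "sender_fanout": {
            sender: sorted(targets)
            for sender, targets in recipients_by_sender.items()
            if len(targets) >= fanout_threshold
        },
    }


if __name__ == "__main__":
    findings = review_releases(load_release_log(SAMPLE_CSV))
    for item in findings["high_risk"]:
        who = "by the recipient" if item["self_released"] else "by another account"
        print(f'{item["Release Date"]:%Y-%m-%d %H:%M} {item["Type"]:<6} '
              f'{item["From"]} -> {item["To"]} released {who}')
    for account, count in findings["frequent_releasers"].items():
        print(f"{account} released {count} quarantined emails")
    for sender, targets in findings["sender_fanout"].items():
        print(f"{sender} had mail released to {len(targets)} recipients: {', '.join(targets)}")
```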
View Details of Log Items
You can view detailed information about a log item when the cursor is positioned over it.
The specific information differs depending on which report you are viewing.
The following table lists the report items in the report.
Report Item
Description
Type The reason why the email was quarantined.
• Spam – Email was quarantined because it violated spam policies.
• Viruses – Email was quarantined because it violated virus policies.
• Attachments – Email was quarantined because it violated
attachment policies.
• Content – Email was quarantined because it violated content
policies.
Subject The contents of the Subject line of the email.
To The email address to which this email was addressed (“recipient email
address”).
Sender IP The IP address of the server that sent the email.
From The email address from which this email was sent (“sender email
address”).
Released by The user account of the user who released the email from the quarantine.
Quarantine Depending on the reason why the email was quarantined, this description
indicates the specific reason why the email was quarantined:
• Score – Indicates the spam likelihood score that was assigned to the
email.
• Attachment Type – Indicates the name of the attachment that
caused the email to be quarantined.
• Virus – Indicates the name of the virus that caused the email to be
quarantined.
• Content Keyword – Indicates the specific content keyword that
caused the email to be quarantined.
Size The total file size of the email, including attachments.
Release Date The date, time, and time zone when the email was released from the
quarantine.
Quarantine Date The date, time, and time zone when the email was quarantined.
Timestamp The date, time, and time zone when the logged item was processed (for
example, when an email was processed by SEG).
Details Additional information about the logged item (for example, the name of
the virus in the email).
Actions The email action that was performed on the email.
Server The name or IP address of the inbound server.
Registered on The DNS Authorized Name Server where the inbound server is
registered.
Status The status of the inbound server.
Preference The preference level assigned to the inbound server.
Domain(s) The domains that are using this inbound server in Secure Email Gateway
(SEG).
User Activity
The User Activity report displays the user accounts that have received the most inbound
emails and have sent the most outbound emails for the designated domain.
The following table lists the report items in the report.
Report Item
Description
Top Inbound Users area
Email Addresses The recipient email addresses that received the most inbound email, in
order of volume.
Messages The total number of emails received by each email address.
Size The size of the largest email, including attachments, received by each
email address.
Top Outbound Users area
Email Addresses The sender email addresses that sent the most outbound email, in order of
volume.
Messages The total number of emails sent by each email address.
Size The size of the largest email, including attachments, sent by each email
address.
Event Log
The Event Log displays the event log items for actions performed for emails that were
determined to violate content, spam content, virus, or attachment policies for the
designated Domain and date range, including actions performed automatically by
Secure Email Gateway (SEG) and performed manually by the users.
The following table lists the report items in the report.
Report Item
Description
Display Designates which set of event log items to display.
• All Events – Displays event log items for actions performed for all
the quarantines.
• Attachments – Displays only event log items for actions performed
on emails that had attachments that violated the attachment policies.
• Content – Displays only event log items for actions performed on
emails that violated the content policies.
• Spam Keyword – Displays only event log items for actions
performed on emails that violated the spam content keyword
policies.
• Viruses – Displays only event log items for actions performed on
emails that contained known viruses.
Direction Designates whether event log items for inbound emails or outbound
emails are displayed.
• Inbound Only – Designates that only inbound emails are displayed.
• Outbound Only – Designates that only outbound emails are
displayed.
• Inbound & Outbound – Designates that both inbound and
outbound emails are displayed.
Type The type of policy that the filtered email violated.
Timestamp The date, time, and time zone when the action was performed on the
filtered email.
From The email address that sent this email (“sender email address”).
To The email address to which this email was sent (“recipient email
address”).
Subject The text that was in the subject header of this email.
Details The reason for the action (for example, if the email contained a virus, the
virus name is shown).
Action The action that was applied to the email.
Additional Feature Position your cursor anywhere over a log item and the Item Pop-up
window appears, displaying more information about the item.
Audit Trail
The Audit Trail report displays the audit log items for all actions performed by users with
Report Manager or higher-level roles within the Control Console for the designated
domain and date range, including user names and configuration changes.
The following table lists the report items in the report.
Report Item Description
Timestamp column The date, time, and time zone when the action was performed in the
Control Console.
Domain column The domain where the action was performed.
Details column A description of the action that was performed, including the role and user
account of the user that performed the action.
Inbound Server Connections
The Inbound Server Connections report displays information about the connections
made to the inbound email servers (a.k.a. Customer MTAs) during processing. This report
may be useful in determining down times or connection issues.
The following table lists the report items in the report.
Report Item
Description
Display Volume Trends For Designate which inbound server(s) to display.
• All Servers – Display information for all the inbound servers
configured for the selected Domain.
• Inbound Server – Display information about the selected inbound
server only.
Connection Volume Trends for All Servers The total number of successful and unsuccessful connections to the
designated server(s).
• Green – Indicates successful connections.
• Purple – Indicates failed connection attempts.
Optionally, select one of the graphic display type icons to change the
appearance of the graph.
Overall Failure Rate The percentage of connection failures to the designated server(s).
Total Successes The total number of successful connections to the designated server(s).
Total Failures The total number of unsuccessful attempts to connect to the designated
server(s).
Server:Port The server address and port being reported.
Failure Rate % The percentage of connection failures to this server and port.
Success The total number of successful connections to this server and port.
Fail The total number of unsuccessful attempts to connect to this server and
port.
Disaster Recovery: Overview
The Disaster Recovery: Overview report displays information about emails that were
spooled and unspooled by the disaster recovery service, which can be either FailSafe or
Message Continuity.
The following table lists the report items in the report.
Report Item
Description
Disaster Recovery Trends – Messages The total number of spooled and unspooled emails processed by the
disaster recovery service over the designated time period.
Optionally, select one of the graphic display type icons to change the
appearance of the graph.
Disaster Recovery Summary – Messages The numbers of emails processed by the disaster recovery service.
• Spooled Messages – Indicates the number of emails that were
spooled, either automatically or manually.
• Unspooled Messages – Indicates the number of emails that were
unspooled, either automatically or manually.
Disaster Recovery Trends – Bytes The amount of spool storage used by spooled and unspooled emails
processed by the disaster recovery service over the designated time
period.
Optionally, select one of the graphic display type icons to change the
appearance of the graph.
Disaster Recovery Summary – Bytes Details of the file size of spooled and unspooled emails processed by the
disaster recovery service over the designated time period.
• Spooled Bytes – Indicates the amount of spool storage used by
spooled emails.
• Unspooled Messages – Indicates the amount of spool storage freed
by unspooled emails.
Disaster Recovery: Event Log
The Disaster Recovery: Event Log displays the event log items for actions performed
within the disaster recovery service, which can be either FailSafe or Message Continuity.
Actions include those performed automatically by Secure Email Gateway (SEG) and
those performed manually by the users.
The following table lists the report items in the report.
Report Item
Description
Timestamp The date, time, and time zone when the action was performed in disaster
recovery.
Event The event log items for disaster recovery actions performed for the
designated domain and date range.
Initiated By The responsible party that performed the disaster recovery action. If an
action was manually performed, indicates the role and user account of the
person who performed the action.
Administer Performance Reports
Performance Reports are PDF files, delivered only via email, that provide graphs and
charts that visually present statistical information regarding your Secure Email Gateway
(SEG). Your Performance Report information can be set to report weekly and/or
monthly data. You may copy this statistical report for your company's use.
Note: Performance Reports are also available for Web Protection Service.
The report period for weekly reports is 12:00 a.m. Monday until 11:59 p.m. Sunday.
The report period for monthly reports is the first day of the month at 12:00 a.m. until the
last day of the month at 11:59 p.m.
Some of the data within this report is subject to variables such as:
• Time zone settings
• Message delivery timing (may be briefly queued)
• Quarantine releases
• Reporting period
To administer Performance Reports, perform the following steps:
1. If necessary, click Account Management > Customers > Distribution Lists to set
up a distribution list to which you want to send the reports.
2. Click Account Management > Customers > Performance Reports.
The Customer Performance Reports screen is displayed.
3. From the Deliver To drop-down menu, select the distribution list containing the
recipient(s) for the Performance Reports.
4. From the Time Zone drop-down menu, select the time zone for the Performance
Reports.
5. Click either or both of the Frequency checkboxes to specify how often a report is
sent and what data is included:
• Weekly — The report is sent at the beginning of the week and shows data for the
previous week, from Monday through Sunday.
• Monthly — The report is sent at the beginning of the month and shows data for
the previous month, from the first day through the last day of the month.
6. Click Save.
Note: You can also click Send Now to immediately email the Performance Report from
the last reporting period to the distribution list.
Performance Report Descriptions
The following tables reflect either weekly or monthly reports depending on the customer’s
request.
Inbound Messages Report, Weekly or Monthly
The Inbound Messages Overview reflects the total number of Inbound Messages that were
processed and delivered.
This includes:
• Inbound Threats
• Inbound Message Actions
• Disaster Recovery reports
Field Description
Total Inbound Messages The total number of all inbound messages processed. When users have the
same filtering options, the message is counted only one time. When a user has a
specific filtering option, the message is counted for each particular user
configuration.
Inbound Messages Delivered The total number of all inbound messages successfully delivered.
Spam Detected The total number of all inbound messages counted as SPAM.
Virus Detected The total number of all inbound messages counted as Viruses.
Attachment Violations The total number of all inbound messages with attachments that violated the
policy rules for attachments.
Content Violations The total number of all the inbound messages with words that violated the
policy rules for content groups.
Normal Delivery The total number of all inbound messages delivered that did not have the policy
action Clean, Quarantine, Strip, Tag, or Deny applied to the message.
Cleaned The total number of all inbound messages that violated the policy rules for
virus and had the policy action Clean applied to the message.
Denied The record of all the inbound messages refused because they violated the
policy rules for spam, virus, content, or attachments or are on a deny list.
Quarantined The total number of all inbound messages that violated the policy rules for
spam, virus, content, or attachments and had the policy action Quarantine
applied to the message.
Stripped The total number of all inbound messages that violated the policy rules for
attachments or virus and had the policy action Strip applied to the message.
Tagged The total number of all inbound messages that violated the policy rules for
spam or content and had the policy action Tag applied to the message.
Spooled Messages The total number of all messages spooled, either automatically or manually.
Unspooled Messages The total number of all messages unspooled, either automatically or manually.
Outbound Messages Overview
The Outbound Messages Overview reports on the number of messages processed and
successfully delivered.
This includes:
• Outbound Threats
• Outbound Message Actions
11. Tips and Frequently Asked Questions
FAQs
User Management
Question: Can a user see another user’s quarantined emails?
Answer: Sign in access to the Control Console is user-specific. Unless the user has logged
in as an Administrator or Quarantine Manager, the user will not be able to see quarantined
emails or any other data for any other user. The exception is that Report Managers will be
able to see data in the reports if it is user-specific (for example, in the User Activity
Report window).
Question: I see email addresses in the User Management window that aren’t real or that I didn’t add.
Answer: Secure Email Gateway (SEG) delivers all email that is addressed to your
Domains, unless the email is rejected by your inbound servers or the email has been
filtered because it violated a defined policy. This type of email delivery is known as
“proxy service.”
If the User Creation field is set to SMTP Discovery, Secure Email Gateway (SEG)
will auto-create user accounts for new email addresses if all the following are true:
• A specified number (default is 3) of emails that were not quarantined or denied have
been received within a day for the new email address.
• Emails that had content stripped, but were sendable can still trigger automatic user
account creation.
• Emails that would have been quarantined, but were received before the user
account was created, will be denied.
• Your inbound server accepted delivery of the emails.
• A user account does not already exist for the new email address.
• The new email address was not sent to an alias domain name.
Thus, you will see email addresses in the User Management window that may be invalid
in your system, but that your inbound server accepted. You can either manually delete
these user accounts or they will be automatically deleted after a default time period if no
sign-ins or user-level configurations are detected for these user accounts. Sign-ins from
the Spam Quarantine Report are included.
Because user accounts might be continually created and deleted, both manually and
automatically, and because a single user may use multiple email addresses, billing is not
determined by the number of user accounts in a Domain. Billing is determined by the
value entered in the Total Billed Users Qty field during Domain creation or edit.
If you want to disable the automatic creation of user accounts, do one of the following:
• Set the User Creation field to Explicit.
• Configure your inbound email servers to deny emails received for invalid recipients.
Question: How does the user log into the Control Console for the auto-created email address?
Answer: One of the following must occur before a user can log into the Control Console:
• The user must receive a Spam Quarantine Report and click one of its links before they
expire.
• The user must request a Set Password email in the Sign in window.
• An Administrator can manually set the password for the user in the Control Console.
Question: Why does a Web browser open when I try to do anything on my Spam Quarantine Report?
Answer: The Spam Quarantine Report provides an easy-to-use connection into the
appropriate feature in the Control Console. The Control Console is a Web-based graphical
user interface and is the primary interface to Secure Email Gateway (SEG).
When a user clicks a link in the Spam Quarantine Report, it causes the default Web
browser to open, automatically logs the user into the Control Console, and performs the
action designated in the clicked link.
Email Filtering
Question: I’ve just made a change to my policies; how long does it take before it is active?
Answer: Typically, most configuration changes in the Control Console, including policy
configurations, Allow and Deny lists, and changes to entity configurations, will take
approximately 10-15 minutes before the configuration is effective. Depending on the
system architecture, the changes must be stored and then propagated to multiple MTAs
performing the processing for Secure Email Gateway (SEG). Some changes may take
longer, such as deleting an entire domain with all its related data.
Question: There are emails in my quarantine that I want to always receive. I clicked the “Always Allow” button, but the emails still get caught – What am I doing wrong?
Answer: The user-level Allow list does not disable virus, content, or attachment filtering;
it only disables the spam filtering. If the email violated any of the enabled policies, it
would be filtered even if its sender address was added to the user-level Allow list.
In addition, companies often send items in a format that looks like spam that a user may
have opted to receive, such as electronic newsletters or emails, causing the email to be
quarantined. When a user clicks the Always Allow link in the Spam Quarantine Report or
the Spam Message Quarantine window, the sending email address is added to the user-
level Allow list. However, for various reasons, emails of this nature may not always come
from the same address every day. Because senders often rotate the address of these types
of emails, the same item could be delivered the very next day and still be blocked because
the sender address does not match the previous entry in the Allow list.
To help prevent this situation, you can use wildcards to designate an entire domain or part
of an email address (if there is a common pattern) to be added in the Allow list, thus
accepting all mail from the domain or email addresses that matched the designated pattern.
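The Allow-list behaviour described in this answer, as an added Python example (not SEG's own code). The `*` wildcard syntax, the case-insensitive match, the score threshold and all addresses are assumptions constructed for illustration; the guide only says that wildcards are supported and that the Allow list disables spam filtering alone.

```python
import re
from dataclasses import dataclass
from typing import Iterable

SPAM_THRESHOLD = 50  # hypothetical quarantine threshold, not a SEG value


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate an Allow-list entry to a regex; only '*' is special (assumed syntax)."""
    literal_parts = [re.escape(part) for part in pattern.strip().lower().split("*")]
    return re.compile(".*".join(literal_parts))


def sender_allowed(sender: str, allow_list: Iterable[str]) -> bool:
    """True if the whole sender address matches any entry (anchored at both ends)."""
    address = sender.strip().lower()
    return any(pattern_to_regex(p).fullmatch(address) for p in allow_list)


@dataclass
class Message:
    sender: str
    spam_score: int
    virus: bool = False
    bad_attachment: bool = False


def filter_message(msg: Message, allow_list: Iterable[str]) -> str:
    """Return the action taken on a message for a given user-level Allow list."""
    # Virus and attachment policies run regardless of the Allow list.
    if msg.virus:
        return "quarantine:virus"
    if msg.bad_attachment:
        return "quarantine:attachment"
    # Only the spam check is skipped for an allowed sender.
    if not sender_allowed(msg.sender, allow_list) and msg.spam_score >= SPAM_THRESHOLD:
        return "quarantine:spam"
    return "deliver"


# Constructed sample data: a newsletter whose sender address rotates daily.
MONDAY = Message("news-0412@mailer.example.com", spam_score=72)
TUESDAY = Message("news-0413@mailer.example.com", spam_score=72)
INFECTED = Message("news-0414@mailer.example.com", spam_score=72, virus=True)
OTHER = Message("promo@bulk.example.net", spam_score=72)

EXACT = ["news-0412@mailer.example.com"]    # what clicking Always Allow adds
PARTIAL = ["news-*@mailer.example.com"]     # common pattern in the local part
DOMAIN = ["*@mailer.example.com"]           # entire sending domain

if __name__ == "__main__":
    for label, allow in (("exact", EXACT), ("partial", PARTIAL), ("domain", DOMAIN)):
        for msg in (MONDAY, TUESDAY, INFECTED, OTHER):
            print(f"{label:8} {msg.sender:32} -> {filter_message(msg, allow)}")
```

A domain-wide entry also switches off spam filtering for any message that claims a sender in that domain, so the narrowest pattern that covers the rotation is the safer choice.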
Question: What are the default email policies?
Answer: You can view the current default policy configurations in the Policy
Configurations set of windows. The default settings are designed to minimize the
possibility that email will be blocked while still providing reasonable protections against
attacks and viruses.
Question: How does Secure E-mail Gateway (SEG) score spam? What about “false positives”?
Answer: The Anti-Spam filtering technology detects the likelihood that an email is spam
by processing the email through thousands of heuristics, rules, and tests, as well as
sophisticated statistical classification techniques, as part of its Stacked Classification
Framework®. Each test provides a weighted score that is added to the overall “spam
score.” We have pre-defined two threshold scores for your Anti-Spam policy, “high” and
“medium.” You can designate a separate action to be performed for each threshold.
It is important to note that some emails might be marked as spam when in fact they are
legitimate emails (“false positive”). While we believe that this false positive tagging will
not be a frequent occurrence, it may happen occasionally, especially to mailing-list and
newsletter traffic. In such cases, we ask that you help us “tune” our spam thresholds and
rules by sending a forwarded copy of the email with all content and attachments to seg-
Using the Control Console, you can quarantine, tag, or block emails based on the
corresponding threshold levels. Additionally, you can construct enterprise-level Allow and
Deny lists that override spam threshold levels. Finally, you can enable or disable the
Realtime Blackhole List (RBL).
Question: What exactly does “deny delivery” do? Will we add to email volume by generating bounce messages if we set our policies to “Deny”?
Answer: To satisfy standard SMTP protocol, if an email is denied for any reason, the
Secure Email Gateway (SEG) MTA sends a 5xx Deny message to the sender MTA. At
that point, the standard configuration for the sender MTA is to send a bounce email to the
sender address. It is possible that the sender MTA will just drop the message, but this is
atypical. Secure Email Gateway (SEG) has no control over the actions of the sender
MTA.
The exception to this processing is if the Recipient Shield policy is set to Deny. In this
case, Secure Email Gateway (SEG) will generate the bounce email and send it directly
to the sender address.
Use the Accept and Silent Discard email action for the relevant policies if you want to
minimize email volume caused by 5xx Deny messages or if you do not want the sender to
be notified that the email was denied. This email action accepts the email as if it was valid,
and then discards it without notification to the sender or recipient.
Question: I’m receiving spam email from my own email address and I know I didn’t send it. What’s happening and how do I stop it?
Answer: A spammer has “spoofed” your email address. Spoofing means that the “From:”
address in emails has been falsified to be an address other than the real source of the
emails. The intent is to trick the recipient into opening the email because it appears to be
from a trusted source. In your case, they made the mistake of using your own email
address as the spoofed address and you realized that you had not sent the email. Spoofing
is illegal according to the CAN-SPAM Act of 2003; however, it is still a common tactic
used by spammers.
You can do any of the following in Secure Email Gateway (SEG) to block these types of
emails.
• Confirm that your own email address is not in an Allow list.
It is possible that the spoofed email would be caught by normal spam filtering;
however, if your email address is in an Allow list, spam filtering will be disabled. If
necessary, remove your email address from any Allow lists to make sure spam
filtering is performed.
• Add your own email address to your user-level Deny list
This policy will automatically deny any emails received from your email address. It
will apply to all emails received from the Internet into Secure Email Gateway
(SEG) that are filtered and then sent to you. It will affect only emails sent to your
address.
• Add your own email address or entire Domain name to your policy set Sender Deny
list
This policy will do the same as above, but will apply to all user accounts subscribed to that
policy set. If the Domain name is used, then all emails from that Domain will be filtered.
Note: Using a Deny list as a filtering tactic in this situation will succeed only if your
corporate email is not sent into the Internet cloud before delivery to other addresses in
your Domain name. The assumption is that your corporate email is delivered within your
internal network without filtering by Secure Email Gateway (SEG).
If your organization does deliver your corporate email using a delivery method that
includes sending it into the Internet, it is possible that valid corporate emails will be
filtered if you make the above policy changes.
System Configuration
Question: I just redirected my MX Record. How can I make sure that my email is coming through Secure Email Gateway (SEG)?
Answer: Once the MX Record has been redirected and the service has been configured,
emails can be sent from a sender outside of the system to a user provisioned on the
Domain. To see if the email was received in your system from Secure Email Gateway
(SEG), monitor email processing flow in the Overview window.
You should be aware that email servers do not always accept changes immediately after
the redirection of the MX Record. This means that some email servers may still send email
directly to your inbound servers and not to the redirected MX Record for the first 2-3 days
after the redirection.
It is also highly recommended that you block the acceptance of email traffic from any
source other than Secure Email Gateway (SEG) into your inbound servers to help
prevent hackers from connecting directly to your servers. These addresses
are specified in your Service Launch Guide.
Question: Why am I redirecting the MX Record and how does my email get back to me?
Answer: The MX Record is the method of telling all the other email servers on the
Internet who you are (your domain names) and where you are (your inbound server
addresses). When any email is sent, the sending email server looks at the MX Record to
verify the email server to which the email should be delivered.
By redirecting your MX Record to point to the server where Secure Email Gateway
(SEG) is installed, you are sending your email to Secure Email Gateway (SEG). Secure
Email Gateway (SEG) captures your domain’s email traffic by acting as the email server
for the Domain, routing the traffic through Secure Email Gateway (SEG) filters, and then
delivering the acceptable emails to your email servers. You configure your email servers
in the Inbound Servers Setup window.
In a similar way, if you have enabled outbound email filtering, you would configure your
sending email server to send your email to Secure Email Gateway (SEG). Secure Email
Gateway (SEG) filters your email and then sends it to the Internet cloud.
One advantage of redirecting your MX Record is that the addresses of your email servers
are now no longer published, which helps to protect your email servers from direct email
attacks and bad email.
Question: My server went down for a short period of time – what happened to our company’s emails?
Answer: Secure Email Gateway (SEG) attempts to connect to all the servers configured
for your domain in the Inbound Servers Setup window in the order designated in the
Preference column, from the lowest number to the highest number. It will start spooling
email if your servers are unavailable and unspooling when they become available again.
Most email servers are set to keep trying to deliver the email for an extended period of
time before they finally stop and permanently fail the email. Secure Email Gateway
(SEG) cannot control the length of time or the frequency at which the sender’s email server
will continue to attempt to deliver these emails.
Question: How does Secure Email Gateway (SEG) affect my MTA?
Answer: SEG architecture naturally provides high-level redundancy and disaster
recovery by leveraging a secondary MX record set to your internal mail servers. The
service is currently configured to deliver your inbound email traffic to the Message
Transfer Agent (MTA) servers (a.k.a. inbound servers) on your premises configured in
each domain. If you change the addressing in your network for your inbound servers, you
must update the configurations in Secure Email Gateway (SEG).
At any time in Secure Email Gateway (SEG), you may change configuration of the IP
address of your inbound servers. Be prudent when making changes to your delivery MTA
configuration as any applied modifications will be enabled instantly and affect inbound
SMTP routing.
Question: Why is SEG refusing connections from my inbound email servers?
Answer: If Secure Email Gateway (SEG) receives a minimum of 20 attempted
connections from an IP address where more than 60% of the recipients are invalid, it adds
the IP address to a temporary “global blacklist” for 4 hours. After the time period has
passed, SEG will remove the IP address from the temporary global blacklist and again
accept connections from it.
This process helps protect against Dictionary Harvest Attacks, where spammers are
attempting all combinations of email addresses to glean valid email addresses for
subsequent spamming. It also helps protect against Denial of Service attacks.
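The threshold rule in this answer, modelled as an added Python example (not SEG's own code) that you can use to check a server's sending pattern against it. The guide gives only the 20-connection, 60% and 4-hour figures; the absence of a counting window, the counter reset after a block expires, and all sample traffic are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Thresholds as stated in the guide.
MIN_CONNECTIONS = 20                  # "a minimum of 20 attempted connections"
INVALID_PERCENT = 60                  # "more than 60% of the recipients are invalid"
BLOCK_DURATION = timedelta(hours=4)   # "for 4 hours"


@dataclass
class IpState:
    connections: int = 0
    recipients: int = 0
    invalid: int = 0
    blocked_until: Optional[datetime] = None


class HarvestGuard:
    """Tracks per-IP recipient validity and applies the 20 / 60% / 4 h rule.

    Assumptions (not stated in the guide): counters accumulate per IP with no
    sliding window, and they start from zero again once a block expires.
    """

    def __init__(self) -> None:
        self._state: Dict[str, IpState] = {}

    def observe(self, ip: str, when: datetime, total: int, invalid: int) -> str:
        """Record one connection attempt; return "refused" or "accepted"."""
        st = self._state.setdefault(ip, IpState())
        if st.blocked_until is not None:
            if when < st.blocked_until:
                return "refused"               # still inside the 4-hour block
            st = self._state[ip] = IpState()   # block expired, start fresh
        st.connections += 1
        st.recipients += total
        st.invalid += invalid
        # Integer comparison avoids float rounding at exactly 60%.
        over_ratio = st.invalid * 100 > st.recipients * INVALID_PERCENT
        if st.connections >= MIN_CONNECTIONS and over_ratio:
            st.blocked_until = when + BLOCK_DURATION
        return "accepted"


def replay(events: List[Tuple[str, datetime, int, int]]) -> List[str]:
    """Run (ip, time, total recipients, invalid recipients) events in order."""
    guard = HarvestGuard()
    return [guard.observe(*event) for event in events]


# Constructed sample traffic (documentation-range IPs, made-up times).
START = datetime(2011, 10, 3, 9, 0)


def sample_events() -> List[Tuple[str, datetime, int, int]]:
    events = []
    # 192.0.2.10: 25 connections, 4 of 5 recipients invalid (80%).
    for i in range(25):
        events.append(("192.0.2.10", START + timedelta(minutes=i), 5, 4))
    # 192.0.2.20: 30 connections, 3 of 5 invalid (exactly 60%, not "more than").
    for i in range(30):
        events.append(("192.0.2.20", START + timedelta(minutes=i), 5, 3))
    # 192.0.2.10 again: one minute before, then exactly at, the block expiry.
    # The block started with the 20th connection at START + 19 minutes.
    events.append(("192.0.2.10", START + timedelta(hours=4, minutes=18), 1, 0))
    events.append(("192.0.2.10", START + timedelta(hours=4, minutes=19), 1, 0))
    return events


if __name__ == "__main__":
    for (ip, when, total, invalid), result in zip(sample_events(), replay(sample_events())):
        print(f"{when:%H:%M} {ip} {invalid}/{total} invalid -> {result}")
```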
Question: The Internet Explorer Content Advisor keeps blocking the Control Console. How do I prevent that?
Answer: You must disable the Content Advisor feature of Internet Explorer to be able
to use the Control Console. Do the following to disable the Content Advisor feature if it is
enabled:
1. In the Internet Explorer window, click Tools > Internet Options.
2. In the Internet Options window, click the Content tab.
3. In the Content Advisor area in the Content tab, click the Disable button.
If there is an Enable button, but no Disable button, this means that Content Advisor is
already disabled. Click the Cancel button until you return to the browser window.
4. Enter the password in the Supervisor Password Required dialog.
5. Click the OK button.
6. Continue clicking the OK button until you return to the Internet Explorer window.
Question: When I click a command in the Control Console, nothing
seems to happen.
Answer: If you've set your Web browser to not accept cookies or JavaScript, the Control
Console will not work. "Cookies" are mini-applications that run in your Web browser to
communicate with the originator of the cookie through the Internet. The Control Console
downloads cookies to your computer to allow it to send and receive data from the Secure
Email Gateway (SEG) data center as you perform actions and navigate between the
windows.
If you are concerned about security, you can configure your Web browser to allow cookies
only for a single session. This means that only while you have that specific instance of
your Web browser open, cookies will be accepted. If you close the Web browser and then
reopen it, cookies will not be accepted. Do the following to configure Internet Explorer to
accept cookies:
1 In the Internet Explorer window, click Tools > Internet Options.
2 In the Internet Options window, click the Privacy tab.
3 In the Settings area in the Privacy tab, do one of the following:
A Move the slider to select Medium.
B Click the Sites button.
4 In the Per Site Privacy Actions window, enter the URL for your Control Console in
the Address of Web Site field.
5 Click the Allow button.
6 Click the OK button until you return to your browser.
Do the following to configure Internet Explorer to accept JavaScript:
1 In the Internet Explorer window, click Tools > Internet Options.
2 In the Internet Options window, click the Security tab.
3 In the Security tab, click the Internet (globe) icon and then click the Custom Level
button.
4 Confirm that the items under the Scripting section in the list are all set to Enabled.
5 Click the OK button until you return to the browser window.
Tips/Techniques
Change Zip File Attachment Policy
We regularly receive a large zipped file as an email attachment from a trusted source,
but it is automatically denied before we see it. How do we get that file without
turning off attachment filtering altogether?
By default, Secure Email Gateway (SEG) automatically denies emails with zipped files
whose content cannot be analyzed because it is encrypted, or whose content file type is
restricted by the attachment policy.
If you want to receive such files, but not turn off attachment filtering, you have two
options.
Option 1
Modify the "Message contains a high risk zip attachment" field in the Additional Policies
subtab and save the policy change. This method affects emails for all user accounts
associated with the policy set.
Option 2
If the attachment filename is always the same or contains the same string (for example, if
the filename always contains "monthly_report"), you can designate a policy specific to
that filename. In this case, create a custom filename policy in the Filename Policies
subtab.
Caution: This policy would allow any attachment file that contains the designated string
in its name to potentially bypass email filtering.
Wrong Email Got Past Filter
What do we do if spam email, virus email, etc., was delivered anyway?
If you or an email recipient in your system has received email that you feel should have
been filtered, do the following:
1. Check that the email addresses were not added to an Allow list by either the email
recipient or by an Administrator.
2. Check your policy settings in the Control Console to confirm that you have not
changed any settings to allow these emails to bypass filtering.
3. If you have determined that Secure Email Gateway (SEG) or your email system was
not configured to let these emails bypass filtering, forward the email with all content,
header information, and attachments to [email protected]
Service personnel will analyze the email information to refine the filtering engines for
subsequent release, and if necessary, post any urgent updates to virus scanners, etc., to
support filtering these emails properly.