Spam / Phishing - Spam Scanning

This article explains how to configure email spam scanning definitions and policies, which will filter for key phrases and identifiers commonly used by spammers. It is intended for Administrators.

Overview

Our defense layer aims to reject unwanted spam and malware in the protocol. Mimecast's multiple scanning engines examine the content of inbound mail by searching for key phrases and identifiers commonly used by spammers. These scanning checks can use:

  • Content matching rules.
  • DNS-based filtering.
  • Checksum-based filtering.
  • Statistical filtering.

However, there are occasions when we cannot determine whether a message is wanted by an end user or not. You can configure spam scanning to examine the content of all inbound mail and apply different sensitivity levels and actions.

How Mimecast Spam Scanning Works

Mimecast employs a layered spam scanning approach that combines proprietary technology with third-party partners. The spam scanning engine evaluates multiple email characteristics, including:

  • Body content.
  • Formatting.
  • Source.
  • Headers.
  • URIs.

Each email is assigned a spam score based on various patterns and characteristics. This score determines how the email is handled by the system.

Considerations

Consider the following before configuring a definition or policy:

  • Spam Scoring System: Mimecast uses a Spam Score to evaluate emails, with the selected scanning level determining how emails are categorized:
    • Messages with a Spam Score of 28 or higher are automatically rejected in the protocol and logged in the Rejection Viewer. This happens regardless of whether a spam scanning policy is configured.
    • Messages with a Spam Score of 7 to 27 are held at the Relaxed setting.
    • Messages with a Spam Score of 5 to 27 are held at the Moderate setting.
    • Messages with a Spam Score of 3 to 27 are held at the Aggressive setting.
      The scanning considers various factors beyond just SPF records and sender authentication.
  • If an email address, domain name, or IP address is added as a permitted sender, the inbound message still undergoes spam scanning, but the spam scanning definition action is not applied.
  • If a DNS Authentication policy applies to a message, but the permitted sender fails the DNS checks (e.g., SPF), the message is still subjected to spam scanning.

Consider the following relating to the Auto Allow Spam Detection Level configuration:
  • The default setting for this field is Relaxed.
  • Email addresses that are part of a Permitted Senders policy or list will not be added to the Auto Allow list; the Permitted Senders entry therefore takes precedence over the Auto Allow configuration.
  • Auto Allow Creation policies are unaffected by this setting.

Spam scanning of Auto Allow emails can be enabled in your Spam Scanning definitions. See the configuration steps below for how to do this.

Configuring a Spam Scanning Definition

You can configure a Spam Scanning definition by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies | Spam Scanning.
  3. Click on Definitions.
  4. Click on the Scan Definitions definition type from the list.
  5. Click on a Folder in the navigator.

    A definition cannot be created in the Root folder.

  6. Either click on the:
  • Definition to be changed.
  • New Message Scan Definition button to create a definition.
  7. Complete the Spam Scanner Settings section as follows:

Description
Enter a description for the definition.

Spam Detection Level
Specify the level of spam detection to be used by selecting one of the following:
• Relaxed: Sets the triggering threshold of the spam definitions to 7 points. This setting is recommended for users that receive some junk email.
• Moderate: Sets the triggering threshold of the spam definitions to 5 points. This setting is recommended for users actively targeted by promotional and junk emails.
• Aggressive: Sets the triggering threshold of the spam definitions to 3 points. This setting is recommended for users who do not want to receive any possible spam or junk emails.

We recommend starting with the Relaxed level and adjusting it according to the results and feedback from end users. Apply the Moderate and Aggressive Spam Detection levels to selected groups of users that still receive spam, rather than applying Aggressive checks to all internal users. This helps to reduce the false positives generated in the held queue.

Spam Detection Action
Specify the action to be taken if spam is detected:
• Tag Headers: This doesn't affect the delivery of a message but inserts an "X-Mimecast-Spam-Signature: yes" header into the message. A rule can then be configured in Microsoft Outlook to move any messages carrying this header to another folder for review by the end user.
• Hold for Review: This is the recommended option, as message delivery is halted in the held queue. The digest can inform the user of held messages, at which point they can be released or blocked.
• Reject to Sender: The message is rejected in the protocol, and we don't retain the content. If the sender is legitimate, they must re-transmit the message once the spam checks have been bypassed.
• None: This action supports customers applying their spam filtering upstream who want to use our graymail filtering. If this option is selected, no action will be taken on spam messages.

See Spam / Phishing - Spam to the Microsoft Outlook Junk Folder for more information.

Auto Allow Spam Detection Level
Specify the level of spam detection applied to emails received from senders on the Auto Allow list by selecting one of the following:
• None: No spam scanning will be performed.
• Relaxed: Sets the definition triggering threshold to 28 points.
• Moderate: Sets the definition triggering threshold to 28 points and also targets high confidence phishing and malicious emails (emails that belong to the phishing or malicious category and have a spam score >= 20).
• Aggressive: Sets the definition triggering threshold to 28 points and also targets medium confidence phishing and malicious emails (emails that belong to the phishing or malicious category and have a spam score >= 14). This setting significantly reduces potential phishing and malicious emails but may lead to false positives.

While the Relaxed, Moderate, and Aggressive levels share their names with the Spam Detection Level option, the spam score thresholds differ substantially between the two.

Enable Graymail Control
Enable this option to treat bulk mail differently from regular mail. Graymail is typically defined as "mail you want, but not in your Inbox right now." Examples are subscribed newsletters and marketing emails, which are not person-to-person communication. Actions for graymail control are defined using the Graymail Detection Action setting.

Graymail Detection Action
Enables you to select a different action for graymail control:
• Same as Spam Detection Action: Bulk mail is treated as per the spam handling configuration options above. This is the default action.
• Tag Headers as Spam: Adds the following SMTP header to graymail, so it is treated as spam: X-Mimecast-Spam-Signature: yes
• Tag Headers as Graymail: Adds the following SMTP header to graymail: X-Mimecast-Bulk-Signature: yes
  With this header enabled, users can define a rule in their email client to take action on graymail. For example, if a folder called "Graymail" is created under the Inbox, a message rule can be configured to move messages into this folder automatically. This removes email noise from the Inbox and allows users to browse the bulk mail in their own time. End users can prevent emails from being classified as graymail by adding senders to their Managed Senders list using a Mimecast end-user application. See Spam / Phishing - Graymail to the Microsoft Outlook Junk Folder for more information.
• Hold for Review: Graymail will be placed in a hold queue. The digest email informs the user of messages on hold and allows the graymail to be released or blocked.
• Reject to Sender: The message is rejected in the protocol, and we do not retain the content. If the sender is legitimate, they must retransmit the message once spam checks are bypassed.

If a message is classified as both spam and graymail, and both the spam and graymail detection actions can be applied, both actions will trigger. If this is not possible, the more severe action takes priority. If you use an external third-party email marketing service to send marketing emails on behalf of your domain, these emails may be identified as graymail as they pass inbound through the Mimecast Gateway.

Auto Allow Spam Detection Action
Senders on the Auto Allow list can bypass the usual IP reputation and spam checks applied to inbound mail. Auto Allow sender entries are created automatically when a user sends a message to an external recipient. If an email from a sender on the Auto Allow list breaches the threshold set by the Auto Allow Spam Detection Level, one of the following actions can be taken: Do Nothing, Hold For Review (based on the Hold Type selected in the Hold Notification section below), or Reject.
  8. Complete the Hold Notification section as follows:

Hold Type
Select the audience that held messages should be visible to via a Mimecast end-user application:
• User: Messages held by the policy are available in the user's Personal On Hold view (default setting).
• Moderator: Moderators can see the held messages in the Moderated On Hold view.
• Administrator: Only Administrators can view messages triggered by the policy.

Moderator Group
This field is displayed if the Hold Type field is "Moderator" or "User." Select the appropriate group by clicking the Lookup button.

Notification Options
Select whether any additional notifications should be sent. For any message where the attachment is stripped, the recipient will receive the notification discussed previously:
• A group of users: Select the Notify (Internal) Sender or Notify (Internal) Recipient checkbox to enable internal senders or recipients to receive a notification for any attachments that match the definition. Select the Notify (External) Sender or Notify (External) Recipient checkbox to notify external senders or recipients.
• A group of Overseers.

  9. Click on Save and Exit.
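The following is an added example, not Mimecast code, that models the scoring rules from the Considerations section and from the Spam Detection Level, Spam Detection Action, Auto Allow Spam Detection Level and Graymail Detection Action fields above, so that an administrator can see how the thresholds and actions interact before changing a definition. The numeric thresholds and header names are the page's; the field names, action strings, folder names, and the assumption that the 28-point protocol rejection is evaluated before the permitted-sender check are this example's own. The `client_rule` function at the end is a stand-in for the Outlook rule the page describes, routing a delivered message on the Mimecast headers.

```python
"""Added example, not Mimecast code: a simplified model of the spam-score
handling this page describes. The numbers are the page's: protocol
rejection at 28 or higher; hold thresholds of 7, 5 and 3 points for the
Relaxed, Moderate and Aggressive levels; Auto Allow levels at 28 points,
plus phishing/malicious mail at 20 (Moderate) or 14 (Aggressive) points.
Field names, action strings, folder names and data shapes are assumed."""
from dataclasses import dataclass
from email import message_from_string

PROTOCOL_REJECT_SCORE = 28
HOLD_THRESHOLD = {"Relaxed": 7, "Moderate": 5, "Aggressive": 3}
# Auto Allow senders: score at which phishing/malicious mail is also caught
# (None: the category is not considered at that level).
AUTO_ALLOW_CATEGORY_SCORE = {"Relaxed": None, "Moderate": 20, "Aggressive": 14}
SPAM_HEADER = ("X-Mimecast-Spam-Signature", "yes")
BULK_HEADER = ("X-Mimecast-Bulk-Signature", "yes")
# Ranking used when the spam and graymail actions cannot both be applied:
# the page says the more severe action takes priority.
SEVERITY = {"None": 0, "Tag Headers": 1, "Hold for Review": 2, "Reject to Sender": 3}


@dataclass
class ScanDefinition:
    level: str = "Relaxed"                       # Spam Detection Level
    action: str = "Hold for Review"              # Spam Detection Action
    auto_allow_level: str = "Relaxed"            # Auto Allow Spam Detection Level
    auto_allow_action: str = "Hold for Review"   # Auto Allow action (same vocabulary assumed)
    graymail_control: bool = False               # Enable Graymail Control
    graymail_action: str = "Same as Spam Detection Action"


def breaches_threshold(score, category, defn, auto_allow_sender):
    """True when the score crosses the threshold that applies to this sender."""
    if not auto_allow_sender:
        return score >= HOLD_THRESHOLD[defn.level]
    if defn.auto_allow_level == "None":
        return False                              # Auto Allow mail is not scanned
    if score >= PROTOCOL_REJECT_SCORE:            # the 28-point definition threshold
        return True
    category_score = AUTO_ALLOW_CATEGORY_SCORE[defn.auto_allow_level]
    return (category_score is not None
            and category in ("phishing", "malicious")
            and score >= category_score)


def decide(score, category, defn, *, permitted_sender=False,
           auto_allow_sender=False, graymail=False):
    """Return (action, headers) for one inbound message."""
    # 28+ is rejected in the protocol regardless of policy; evaluating it
    # before the permitted-sender check is this example's assumption.
    if score >= PROTOCOL_REJECT_SCORE:
        return "Reject (protocol)", {}
    # Permitted senders are still scanned, but the definition action is not applied.
    if permitted_sender:
        return "Deliver", {}

    outcomes = []   # (action, header-or-None) from the spam and graymail checks
    if breaches_threshold(score, category, defn, auto_allow_sender):
        act = defn.auto_allow_action if auto_allow_sender else defn.action
        outcomes.append((act, SPAM_HEADER if act == "Tag Headers" else None))
    if graymail and defn.graymail_control:
        g = defn.graymail_action
        if g == "Same as Spam Detection Action":
            outcomes.append((defn.action, SPAM_HEADER if defn.action == "Tag Headers" else None))
        elif g == "Tag Headers as Spam":
            outcomes.append(("Tag Headers", SPAM_HEADER))
        elif g == "Tag Headers as Graymail":
            outcomes.append(("Tag Headers", BULK_HEADER))
        else:                                     # Hold for Review / Reject to Sender
            outcomes.append((g, None))
    if not outcomes:
        return "Deliver", {}
    final = max((a for a, _ in outcomes), key=SEVERITY.__getitem__)
    if final == "Reject to Sender":
        return final, {}                          # content is not retained
    headers = dict(h for _, h in outcomes if h)   # both tags can apply together
    return ("Deliver" if final == "None" else final), headers


def client_rule(raw_message):
    """Client-side rule of the kind the page describes for Outlook: route a
    delivered message on the Mimecast headers (folder names are assumed)."""
    msg = message_from_string(raw_message)
    if msg.get(SPAM_HEADER[0], "").strip().lower() == "yes":
        return "Junk Email"
    if msg.get(BULK_HEADER[0], "").strip().lower() == "yes":
        return "Inbox/Graymail"
    return "Inbox"


if __name__ == "__main__":
    d = ScanDefinition(action="Tag Headers", graymail_control=True,
                       graymail_action="Tag Headers as Graymail")
    action, headers = decide(2, "bulk", d, graymail=True)
    # Constructed message carrying the headers the gateway would add.
    raw = "".join(f"{k}: {v}\n" for k, v in headers.items()) + "Subject: Newsletter\n\nbody\n"
    print(action, headers, client_rule(raw))
```

Running the module shows a newsletter scoring 2 points under a Relaxed definition: it misses the 7-point spam threshold, is tagged only as graymail, and the client rule files it under the Graymail folder. Changing `level` to "Aggressive" or `graymail_action` to "Reject to Sender" shows how quickly the outcome shifts, which is why the page recommends starting Relaxed and tightening per group.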

Configuring a Spam Scanning Policy

You can configure a Spam Scanning policy, by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies
  3. Click on Spam Scanning.
  4. Either click on the:
  • Policy to be changed.
  • New Policy button to create a policy.
  5. Complete the Options section as required:

Policy Narrative
Describe the policy so that you can easily identify it in the future.

Select Message Scan Definition
Use the Lookup button to select the required Message Scanning definition for the policy.

Then complete the Emails From and Emails To sections as required:

Addresses Based On
Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section:
• The Return Address: This default setting applies the policy to the SMTP address match based on the message's envelope or true address (i.e., the address used during SMTP transmission).

Applies From / To
Specify the sender characteristics the policy is based on. You should apply multiple policies from the most to the least specific. The options are:
• Everyone: Includes all email users (i.e., internal and external). This option is only available in the "Emails From" section.
• Internal Address: Includes only internal organization addresses.
• External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
• Email Domain: This enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
• Address Groups: This enables you to specify a directory or local group. If this option is selected, click the Lookup button to select a group from the Profile Group field. Once a group has been selected, click the Show Location field to display the group's path.
• Address Attributes: This enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop-down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
• Individual Email Address: This enables you to specify an SMTP address. The email address is entered in the Specifically field.
  6. Complete the Validity section as required:

Source IP Ranges (n.n.n.n/x)
Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.

Bi-Directional
If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.

Policy Override
Select this to override the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.

Set Policy as Perpetual
Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.

Date Range
Specify a start and end date for the policy. This automatically deselects the "Eternal" option.

Enable / Disable
Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Once the end of the policy's configured date range is reached, it is automatically disabled.
  7. Click on Save and Exit.
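The following is an added example, not Mimecast code, that models how the Emails From / Emails To options and the Validity settings described above select the Spam Scanning policy applied to a message: CIDR source IP ranges, Bi-Directional matching, Policy Override, Perpetual versus Date Range, Enable / Disable, and the "most specific policy first" ordering. The specificity ranking of the Applies From / To options, the internal domain list, the sample policies and all names and data shapes are assumptions made for the example; Address Attributes is not modelled.

```python
"""Added example, not Mimecast code: a simplified model of how the
Emails From / Emails To and Validity settings on this page select the
Spam Scanning policy that applies to a message. It follows the page's
statements (CIDR source IP ranges, Bi-Directional, Policy Override,
Perpetual or Date Range, Enable/Disable, most specific policy first).
The specificity ranking, the internal-domain list, and all names and
data shapes are assumptions made for the example."""
from dataclasses import dataclass, field
from datetime import date
import ipaddress

# Assumed ranking: the narrower the Applies From/To option, the more specific
# the policy. Address Attributes is not modelled here.
SPECIFICITY = {"Individual Email Address": 3, "Address Groups": 2, "Email Domain": 2,
               "Internal Address": 1, "External Address": 1, "Everyone": 0}
INTERNAL_DOMAINS = {"example.com"}       # constructed sample of internal domains


@dataclass
class Side:
    """One 'Emails From' or 'Emails To' section."""
    applies: str                           # an Applies From/To option
    specifically: str = ""                 # the Specifically field (domain or address)
    members: frozenset = frozenset()       # group members for Address Groups (assumed)


@dataclass
class Policy:
    narrative: str
    definition: str                        # Message Scan Definition name
    emails_from: Side
    emails_to: Side
    source_ip_ranges: list = field(default_factory=list)   # CIDR strings, n.n.n.n/x
    bidirectional: bool = False
    override: bool = False
    perpetual: bool = True                 # Set Policy as Perpetual ("Eternal")
    date_range: tuple = None               # (start, end) dates when not perpetual
    enabled: bool = True


def side_matches(side, address):
    domain = address.rpartition("@")[2].lower()
    internal = domain in INTERNAL_DOMAINS
    return {
        "Everyone": True,
        "Internal Address": internal,
        "External Address": not internal,
        "Email Domain": domain == side.specifically.lower(),
        "Individual Email Address": address.lower() == side.specifically.lower(),
        "Address Groups": address.lower() in side.members,
    }.get(side.applies, False)


def policy_applies(p, sender, recipient, source_ip, today):
    """Validity checks first, then the From/To match (reversed if Bi-Directional)."""
    if not p.enabled:
        return False
    if not p.perpetual:
        start, end = p.date_range
        if not start <= today <= end:
            return False
    if p.source_ip_ranges:                 # only relevant when ranges are configured
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(r, strict=False) for r in p.source_ip_ranges):
            return False
    forward = side_matches(p.emails_from, sender) and side_matches(p.emails_to, recipient)
    reverse = (p.bidirectional and side_matches(p.emails_from, recipient)
               and side_matches(p.emails_to, sender))
    return forward or reverse


def select_policy(policies, sender, recipient, source_ip, today=None):
    """Policy Override wins first; among equals the most specific policy wins."""
    today = today or date.today()
    candidates = [p for p in policies if policy_applies(p, sender, recipient, source_ip, today)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (p.override,
               SPECIFICITY[p.emails_from.applies] + SPECIFICITY[p.emails_to.applies]))


# Constructed sample policies, most general to most specific.
SAMPLE_POLICIES = [
    Policy("All inbound", "Relaxed", Side("Everyone"), Side("Internal Address")),
    Policy("Partner domain", "Moderate", Side("Email Domain", "partner.example"),
           Side("Internal Address")),
    Policy("Executive mailbox", "Aggressive", Side("Everyone"),
           Side("Individual Email Address", "ceo@example.com"), override=True),
    Policy("Expired pilot", "Aggressive", Side("Everyone"), Side("Internal Address"),
           perpetual=False, date_range=(date(2020, 1, 1), date(2020, 12, 31))),
]

if __name__ == "__main__":
    p = select_policy(SAMPLE_POLICIES, "bob@partner.example", "alice@example.com",
                      "198.51.100.7", date(2024, 6, 1))
    print(p.narrative, "->", p.definition)
```

With the sample policies, mail from the partner domain to an ordinary internal user picks the "Partner domain" policy (Moderate) over the catch-all "All inbound" policy, while mail to the executive mailbox picks the override policy even though the catch-all also matches. The expired pilot never wins because its date range has passed, which is the behaviour the Enable / Disable description above relies on.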
