This article contains information on setting up alerts for Outbound Spam Holds using Regular Expressions and Content Examination in Mimecast, detailing configuration steps for policies and notifications.
To protect all customers from the impact of individual compromised accounts being used to send spam, Mimecast scans all outbound emails. A highly targeted rule identifies outbound spam and adds it to your hold queue under the reason "Outbound MSOC check."
This article outlines how a Regular Expression and Content Examination can be used to set up alerts for Outbound Spam Holds.
Configure a Content Examination Definition
- Log in to the Mimecast Administration Console.
- Navigate to Policies | Gateway Policies | Definitions | Content Definitions.
- Select a folder to add the definition to.
- Click on the New Content Definition button.
- Under the Policy Definition section:
  - Enter a Description of "Outbound MSOC check".
  - Set the Activation Score to 1.
  - Leave all other Policy Definition options as the default.
- Complete the relevant options under the Scanning Options section as below:
  - Word/Phrase Match List: To insert a Regular Expression:
    - Click the Insert drop-down at the top of the page.
    - Select the Regular Expression item.
    - In the Regular Expression field, enter:
      X-Mimecast-Spam-Score : (2[8-9]|3\d|4\d|5\d|6\d|7\d|8\d|9[0-2])
  - Scan Message Headers: Enable by ticking the box.
- Complete the relevant options of the Policy Override section under Inbound and Outbound Settings as per the table below:

  | Field / Option | Description |
  |---|---|
  | Policy Action | Select None - An action is not required because these messages are already on hold. |
- Complete the Notification Options section according to who you want to notify when the Outbound MSOC Check policy is triggered:

  | Field / Option | Description |
  |---|---|
  | Notify Group | Use the Lookup button to select a group of users to be notified that action must be taken on the message. |
  | Notify (Internal) Sender | Notifies the internal sender if an outbound message triggers the definition. |
  | Notify (Internal) Recipient | Notifies the internal recipient if an inbound message triggers the definition. |
  | Notify Overseers | Notifies the Content Overseers that a message has triggered the definition. |
  | Notify (External) Sender | Notifies the external sender if an inbound message triggers the definition. |
  | Notify (External) Recipient | Notifies the external recipient if an outbound message triggers the definition. |
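
To see which scores the Regular Expression in the definition above selects before saving it, this added example (not Mimecast code) runs the expression over constructed header lines. It assumes Python's `re` semantics, which may differ from Mimecast's regex engine; `COMPACT`, `header_line`, `matched_scores` and `captured` are hypothetical names, and the header lines are built with the same spacing as the expression on this page.

```python
import re

# Expression exactly as given in the definition step on this page.
PAGE_PATTERN = r"X-Mimecast-Spam-Score : (2[8-9]|3\d|4\d|5\d|6\d|7\d|8\d|9[0-2])"
# Shorter form added for comparison (not from the page): 3\d..8\d folded into [3-8]\d.
COMPACT = r"X-Mimecast-Spam-Score : (2[8-9]|[3-8]\d|9[0-2])"


def header_line(score, sep=" : "):
    """Build a constructed header line; sep defaults to the spacing in the pattern."""
    return f"X-Mimecast-Spam-Score{sep}{score}"


def matched_scores(pattern, scores, sep=" : "):
    """Return the scores whose constructed header line the pattern matches."""
    rx = re.compile(pattern)
    return [s for s in scores if rx.search(header_line(s, sep))]


def captured(pattern, line):
    """Return the text captured by group 1, or None when the line does not match."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Two-digit values: the alternation covers one contiguous range.
    hits = matched_scores(PAGE_PATTERN, range(0, 100))
    print("two-digit scores matched:", hits[0], "to", hits[-1])

    # The expression has no end anchor, so only the first two digits are tested:
    # a longer value is matched on its two-digit prefix.
    print("captured from 285:", captured(PAGE_PATTERN, header_line(285)))

    # The literal text before the group must match character for character,
    # including the spaces around the colon.
    print("with ': ' separator:", matched_scores(PAGE_PATTERN, [28, 92], sep=": "))

    # The compact form selects the same values over 0..999.
    same = matched_scores(COMPACT, range(1000)) == matched_scores(PAGE_PATTERN, range(1000))
    print("compact form equivalent:", same)
```
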
Configure Content Examination Policies
- Log in to the Mimecast Administration Console.
- Navigate to Policies | Gateway Policies | Content Examination.
- Click on the New Policy button.
- Complete the Options section as below:

  | Field / Option | Description |
  |---|---|
  | Policy Narrative | Outbound MSOC check |
  | Select Option | Select the Outbound MSOC Check definition: click on the Lookup button, then click on the word Select next to the Outbound MSOC Check definition entry. |
- Complete the Emails From section as below:

  | Field / Option | Description |
  |---|---|
  | Addresses Based On | Both. |
  | Applies From | Internal Address. |
  | Specifically | Applies to all Internal Senders. |
- Complete the Emails To section as below:

  | Field / Option | Description |
  |---|---|
  | Applies To | External Addresses. |
  | Specifically | Applies to all External Recipients. |
- Complete the Validity section as desired:

  | Field / Option | Description |
  |---|---|
  | Enable/Disable | Enables (default) or disables the policy. If a date range is specified, the policy is automatically disabled when the end of the date range is reached. |
  | Set policy as perpetual | If the policy's date range has no end date, this field displays "Always On," meaning the policy never expires. |
  | Date Range | Specify a start and/or end for the policy. If Eternal is selected, no date is required. |
  | Policy Override | This overrides the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override. |
  | Bi-Directional | If selected, the policy is applied when the policy's recipient is the sender, and the sender is the recipient. |
  | Source IP Ranges (n.n.n.n/x) | Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation. |
- Click on the Save and Exit button.