This document contains information that is
proprietary and confidential to McAfee. No
part of this document may be reproduced,
stored in a retrieval system, or transmitted, in
any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise) without prior written permission
from McAfee. All copies of this document
are the sole property of McAfee and must be
returned promptly upon request.
McAfee, Inc.
9781 South Meridian Blvd., Suite 400
Englewood, CO 80112 USA
Direct +1 720-895-5700
Fax +1 720-895-5757
Email Protection Administrator Guide
November 2012. Proprietary: Not for use or disclosure outside McAfee without written permission.
1. Overview
McAfee® SaaS Email Protection provides security services that safeguard corporations
from unsolicited spam email (junk mail), viruses, worms, and unwanted content at the
network perimeter before they can enter the internal network.
Multiple layers of McAfee SaaS Email Protection provide secure and complete email
filtering to protect your users. You can enable or disable specific layers by changing the
licensed packages of features and/or by configuring the specific email policies in the
Control Console, the comprehensive graphical interface into McAfee SaaS Email
Protection.
This document describes the tasks necessary to configure and maintain your McAfee SaaS
Email Protection.
Differences in Administration for Service Providers
This document is for use by Enterprise customers only. Service Provider customers do not
administer groups for Email Protection and therefore, do not assign groups to email
filtering policies. Instead, Service Provider customers assign policies directly to domains.
The capabilities for managing policies and groups, as described in this document, apply
only to Enterprise customers.
Account Management Necessary for Email Protection
Account Management is a set of administrative windows you use to configure and manage
the entities that use or are affected by Email Protection, as well as the
Web Protection Service (WDS) and Message Archiving products. These entities include:
•Domains
•Users
•Other administrators, including other Customer Administrators, Domain
Administrators, Quarantine Managers, and Reports Managers
In addition, for Email Protection only, you use Account Management to administer groups
of users that share a common email filtering policy.
For more information, see Account Management Administrator Guide.
MX Record Validation
You can validate that the MX Records that are configured for your domain are properly
redirected by entering the specific DNS and/or IP address for your MTA server. The
Control Console displays the MX Record configuration as reported by the authoritative
DNS server.
See Check Your MX Record.
Alias Domain Names
You can configure alias domain names that act as virtual domains using the configurations
and email addresses defined in the primary Domain name. Email addresses are created
automatically for alias domains (for example, jsmith@yourcompanyalias.com is
automatically created for jsmith@yourcompany.com), allowing the single user to receive
email for both addresses.
For more information, see Account Management Administrator Guide.
Auto-creation of Users
Email Protection automatically creates new user accounts if all of the following are true:
•SMTP Discovery is enabled. SMTP Discovery, which is enabled by default, is a
convenient way to add users to your service. However, this capability might also add
users who are not real users at your company and not add users who are real.
•SMTP discovery creates users that receive eight valid emails within a 24-hour period.
•A user account does not exist for the email address in the designated Domain.
•The emails were not addressed to an alias domain name.
For more information, see Set up User Creation Mode — SMTP Discovery or Explicit.
Email Filtering Policies
Email Protection has default inbound and outbound mail filters to block and clean
malicious email and to quarantine email that might be malicious. The filters are
configured by using policies, which are the parameters for the filters. Default policies are
automatically assigned to each of your domains.
You can customize the default inbound policy for any and each domain, or any and each
group, to fit your business needs.
For more information, see Customize Inbound Mail Filters.
Email Protection can filter both inbound and outbound email. Inbound filtering that is
available to be configured is as follows:
•Anti-Spam Filtering
•Real-time Blackhole List
•Anti-Virus Filter
•Content Filtering and ClickProtect
•Attachment Filtering
•Multi-Level Allow and Deny Lists
Anti-Spam Filtering
Spam is usually defined as unsolicited (and usually unwanted) and commercial email sent
to a large number of addresses. However, what one recipient may consider as spam,
another recipient would consider as legitimate email.
In addition, spam has become a tool of hackers and electronic terrorists who deliberately
attempt to gather proprietary information from computer systems and/or attempt to cause
harm to a company’s email system. Typically, these types of spammers deliberately use
naming standards, hijacked From: addresses, scrambled content, etc., to bypass spam
filters such as blacklists and keyword lists.
Using Stacked Classification Framework®, Email Protection provides the most
comprehensive and effective spam-blocking product on the market today—blocking 98%
of spam and providing an industry-leading low false positive rate (legitimate email
marked as spam).
The Stacked Classification Framework aggregates the most effective spam filters and
techniques in the industry into a spam likelihood. As appropriate, email is assigned a high
or medium likelihood of being spam. A separate email action can be assigned to each
likelihood.
The spam classification techniques include the following:
Spam Filter Type: Description
IP Reputation Connection Manager: This filter operates at the front of the Stacked
Classification Framework. It rates the reputation of every incoming email, based on IP
reputation data collected by your Email Protection provider on an on-going basis.
Connections are dropped for all messages which originate from IP addresses that are
determined to carry a reputation for sending spam.
Bayesian Statistical Filtering: Statistical algorithms built by your Email Protection provider
identify and quantify the possibility that an email is spam based on how often elements in
that email have appeared in identified spam emails.
Industry Heuristics: Email Protection incorporates thousands of successful industry-wide
spam-fighting rules to recognize characteristics of spam.
Proprietary Heuristics: Email Protection experts write and update thousands of proprietary
rules to block spam, including fraudulent phishing spam, using real-time data from your
service provider’s Threat Center.
URL Filtering: URL filtering works by comparing embedded links found in emails with URLs
associated with identified spam.
Reputation Analysis: Email Protection constantly monitors inbound email to build a list of
IP addresses and domain names to rate the reputation of the sender based upon the
percentage of spam emails received from that address in the past.
Reputation-Based RBL Filtering: Using up to 31 real-time blackhole lists (RBLs) of known
spammers provided by the industry, Email Protection creates a single RBL indicator to help
gauge the likelihood of an email being sent by a known spammer. Using multiple blacklists
to create a single vote, and rating the reputation of each RBL based on its accuracy at
distinguishing spammers from senders of legitimate email, helps to minimize the possibility
of a non-spammer being blocked by mistake.
Sender Policy Framework (SPF): The SPF classifier helps identify and block fraudulent
spoofing emails (those sent by spammers with forged “From” addresses) from entering your
email network. For each inbound email, the SPF classifier will look up the sending domain’s
Domain Naming System (DNS) record and its list of authorized IP addresses. Emails that
carry an IP address not found on the authorized list will be included within the Stacked
Classification Framework for the detection of spam. By determining whether or not the
relationship between the DNS record and the IP address is legitimate, Email Protection is
able to more accurately filter out fraudulent spoofed emails. As a result, Email Protection
reduces risk for users who might be duped by the email into divulging confidential personal
information.
Real-time Blackhole List
The Real-time Blackhole List (RBL) is a system for creating intentional network outages
(blackholes) for the purpose of limiting the transport of known-to-be-unwanted mass
email. The RBL is a database of IP addresses that are reported to be spam sources.
Anti-Virus Filter
Email Protection provides highly effective, organization-wide virus and worm protection.
By identifying viruses and worms at your network perimeter—before they enter or leave
your messaging infrastructure— Email Protection minimizes outbreak and infection risks
to your enterprise messaging infrastructure. You can configure whether infected emails are
quarantined, denied, or stripped of infection.
•Provides maximum protection using multiple, industry-leading anti-virus engines to
allow Email Protection to customize the protection to meet the latest threats.
•Virus definition updates every 5 minutes provide up-to-the-minute defense against the
latest threats.
•Provides safe, external virus scanning and quarantine management for protection
against viruses before they reach your network. Protects your users, networks, and
data from harm.
Content Filtering and ClickProtect
Email Protection protects your organization and reduces liability and risk by automatically
identifying unwanted and malicious content before it enters or leaves your network.
You can enable any of the following types of content filtering:
Content Filter Type: Description
Predefined Content Keyword Groups: You can enable or disable predefined content keyword
groups provided by Email Protection:
•Profanity
•Sexual Overtones
•Racially Insensitive
Customized Content Keyword Groups: You can define customized content keyword groups
containing terms and phrases to satisfy the business and security needs of your
organization.
Multiple Levels of HTML Filtering: You can designate the level of HTML filtering to be used
(low, medium, or high), with predefined actions for each level. Depending on the level,
malicious HTML tags and scripting options embedded in email are stripped.
Graphic Image Replacement: You can enable or disable the automatic replacement of images
with a transparent 1x1 pixel GIF within HTML emails.
Spam beacons and Web bugs: Spam beacons and web bugs are typically transparent, 1x1 pixel
graphics embedded in HTML content that send information about your system to the source
(usually a URL) of the spam beacon or web bug. Typically, web bugs are used on Web sites to
monitor surfing behavior, but now spammers are hiding them in their mass mailings as spam
beacons. If the graphic is not removed before an email is opened, the spam beacon sends a
signal back to the spammer’s URL that lets the spammer know whether the email was opened
and if the recipient’s email address is valid. If the spammer gets this signal, the
recipient is marked as a valid email address and is guaranteed to receive more spam in the
future. You can enable or disable the automatic stripping of spam beacons or Web bugs
within HTML emails.
Disabling hyperlinks within email with ClickProtect℠: ClickProtect allows you to monitor,
and to enable or disable, whether Web hyperlinks received in emails can be clicked and
followed by the user. With multiple levels of ClickProtect policy control, Administrators
can customize the desired level of protection. This feature supports blocking phishing
sites and accidental downloads of viruses and worms.
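The stripping of spam beacons described above, as an added example that is not part of the original guide and not the product's code: it removes img tags whose declared size is 1x1 pixel or smaller and passes every other part of the HTML through unchanged. The size threshold, the function names and the sample message are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser


def pixels(attrs, name):
    """Size in pixels from the width/height attribute or inline style; None if not stated."""
    value = attrs.get(name)
    if value is None:
        style = attrs.get("style") or ""
        found = re.search(r"(?:^|;)\s*%s\s*:\s*([^;]+)" % name, style, re.I)
        value = found.group(1) if found else None
    if value is None:
        return None
    number = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value, re.I)
    return int(number.group(1)) if number else None


def is_beacon(attrs):
    """True for an image whose declared width and height are both 0 or 1 pixel."""
    width, height = pixels(attrs, "width"), pixels(attrs, "height")
    return width is not None and height is not None and width <= 1 and height <= 1


class BeaconStripper(HTMLParser):
    """Re-emits the HTML as received, except for img tags that look like beacons."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep entities exactly as written
        self.out = []
        self.removed = []                          # src of each stripped image, for logging

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and is_beacon(attrs):
            self.removed.append(attrs.get("src"))
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)           # the "<img ... />" form

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_beacons(html):
    """Return (cleaned_html, removed_sources)."""
    parser = BeaconStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message body: two beacons and one ordinary inline logo.
SAMPLE_HTML = (
    '<p>Hello &amp; welcome</p>'
    '<img src="http://tracker.example/o.gif?id=abc123" width="1" height="1">'
    '<img src="cid:logo" width="120" height="40">'
    '<img src="http://tracker.example/p.gif" style="width:1px; height:1px" />'
)
```

An image that declares no size at all is left in place by this check, which is one reason replacing every remote image, as the Graphic Image Replacement option does, is the stricter setting.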
Attachment Filtering
Email Protection provides you the ability to control the types and sizes of allowed
attachments entering your email network. You can control attachment filtering using any
of the following:
Attachment Filter Type: Description
Attachment Filtering by File Type: You can enable or disable filtering of attachments by
file type. File type is determined using the file extension, MIME content type, and binary
composition.
Attachment Filtering by Size: You can designate a maximum allowed size for each enabled
attachment type.
Custom Attachment Rules by Filename: You can configure custom rules using filenames that
override the global settings for an attachment file type. You can designate that the rule
use the entire filename or any part of the filename.
Filtering for Files Contained within a Zip File Attachment: You can configure custom rules
to cause Email Protection to analyze the files within a zip file attachment, if possible,
to determine if a file in the zip file violates attachment policies. If the zip file cannot
be analyzed, you can designate the email action to be applied.
Encrypted or “High Risk” Zip File Attachment Rules: You can configure custom rules for
emails with encrypted zip files and/or zip files that are considered high risk (too large,
too many nested levels, etc.).
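The zip checks in the last two rows above, as an added example that is not part of the original guide and not the product's code: it walks a zip attachment, looks inside nested archives, and reports when the archive is unreadable, encrypted, too large or nested too deeply. The limits, the blocked extensions and the finding names are assumptions, and the sample archives are built in memory.

```python
import io
import zipfile

BLOCKED_EXTENSIONS = (".exe", ".scr", ".js")     # assumed attachment policy


def inspect_zip(data, max_bytes=50 * 1024 * 1024, max_depth=2):
    """Return a set of findings for a zip attachment supplied as bytes."""
    findings = set()
    seen_bytes = 0

    def walk(blob, depth):
        nonlocal seen_bytes
        try:
            archive = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            findings.add("unreadable")           # "cannot be analyzed" case
            return
        with archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:         # bit 0 of the flags marks an encrypted member
                    findings.add("encrypted")
                    continue                     # contents cannot be examined
                seen_bytes += info.file_size     # declared size, counted before extracting
                if seen_bytes > max_bytes:
                    findings.add("too-large")
                    return
                if info.filename.lower().endswith(BLOCKED_EXTENSIONS):
                    findings.add("blocked-type:" + info.filename)
                try:
                    member = archive.read(info)
                except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
                    findings.add("unreadable")
                    continue
                if member[:4] == b"PK\x03\x04":  # nested zip, recognized by content, not name
                    if depth >= max_depth:
                        findings.add("too-deep")
                    else:
                        walk(member, depth + 1)

    walk(data, 1)
    return findings


def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a zip in memory from {name: bytes}; used only for the constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", compression) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buffer.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encrypted flag in the central-directory entry of a one-member sample zip."""
    position = zip_bytes.rindex(b"PK\x01\x02")
    patched = bytearray(zip_bytes)
    patched[position + 8] |= 0x01                # low byte of the general-purpose flags
    return bytes(patched)


# Constructed samples.
INNER = make_zip({"invoice.exe": b"MZ constructed sample"})
ONE_LEVEL = make_zip({"inner.zip": INNER})
THREE_LEVELS = make_zip({"readme.txt": b"hi", "mid.zip": make_zip({"inner.zip": INNER})})
ENCRYPTED = mark_encrypted(make_zip({"report.pdf": b"constructed"}, zipfile.ZIP_STORED))
```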
Multi-Level Allow and Deny Lists
Email Protection allows you to define lists of emails that will always be denied (blacklists)
or will always be accepted (whitelists) at multiple levels. In addition, you can enable
third-party Real-time Blackhole Lists to be used to filter unwanted emails.
The administrator-level lists override the user-level lists in a top-down manner: global lists
first, policy set lists next, and lastly user-level lists. For example, if the same address is
added to a user-level Allow list and the policy set Deny list, the address is always denied.
At the same level, the Allow list overrides the Deny list. For example, if you designate a
range of email addresses (for example, by designating an entire domain) in the Deny list,
but then designate a single email address from that domain in the Allow list, the email
from that single address will be always accepted while the email from any other address in
the domain in the Deny list will be always denied.
The same address string cannot be added multiple times in the same list or added to both
the Allow and Deny lists.
Be aware that emails that have been quarantined by Email Protection may not need to be
added to Deny lists because they are already being blocked from entering your email
network.
Following are the types of Allow and Deny lists that are available in Email Protection:
Allow/Deny List Type: Description
Global Deny List: If your Email Protection provider determines that a Sending SMTP has sent
too many invalid incoming emails within a specified time period, it will add the IP address
for that Sending SMTP to a Global Deny List for a designated time period (default is 2
hours). During the denial period, all emails received from that Sending SMTP will be
automatically denied. This process helps to protect against dictionary harvest and Denial
of Service attacks. This process can be disabled at the system level.
Policy set-level Sender Deny Lists and Sender Allow Lists: Sender Deny lists indicate sender
addresses from which email is denied automatically. Sender Allow lists indicate sender
addresses from which email is allowed without spam, content, or attachment filtering (virus
filtering is always enabled unless specifically disabled). You can designate a single email
address, entire domains or IPs, or use wildcards to designate ranges of addresses.
Optionally, you can save these lists to a spreadsheet file. Each policy set affects the
email filtering for all user accounts in the groups that are subscribed to that policy set.
User-level Allow and Deny Lists: Maintained by you and/or the user, Deny lists indicate
sender addresses from which email is denied automatically. Allow lists indicate sender
addresses from which email is allowed without spam filtering (all other enabled filtering
will be applied). You can designate a single email address, entire domains or IPs, or use
wildcards to designate ranges of addresses. Optionally, you can save these lists to a
spreadsheet file. These lists affect only the emails received for the designated user
account and its alias addresses (user-level lists).
Recipient Shield List: You can define a list of recipient email addresses for which you want
to specify special email actions (for example, you want to deny all emails for a user who
is an ex-employee). You can also specify the email action to take if the recipient email
address is invalid in your system (permfailed by your email server as an invalid
recipient).
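The precedence rules for Allow and Deny lists described above, as an added example that is not part of the original guide and not the product's code: lists are checked top-down (global, policy set, user), Allow wins over Deny within one level, and an Allow match skips only the filters the table names for that level. The data layout, the matching of bare domains and wildcards, and all addresses are assumptions; IP entries are left out.

```python
from fnmatch import fnmatchcase

LEVELS = ("global", "policy_set", "user")            # checked top-down

# Filters skipped on an Allow match, per the table above; virus filtering is never skipped here.
SKIPPED_ON_ALLOW = {
    "policy_set": {"spam", "content", "attachment"},
    "user": {"spam"},
}


def matches(entry, sender):
    """Match one list entry: a full address, a bare domain, or a wildcard pattern."""
    entry, sender = entry.lower(), sender.lower()
    if "@" not in entry and "*" not in entry:          # bare domain such as "partner.example"
        return sender.endswith("@" + entry)
    return fnmatchcase(sender, entry)


def config_errors(lists):
    """Report entries the guide says cannot exist: duplicates, or one string in both lists."""
    errors = []
    for level in LEVELS:
        allow = [e.lower() for e in lists.get(level, {}).get("allow", [])]
        deny = [e.lower() for e in lists.get(level, {}).get("deny", [])]
        for kind, entries in (("allow", allow), ("deny", deny)):
            for entry in sorted(set(entries)):
                if entries.count(entry) > 1:
                    errors.append("%s %s list: duplicate %s" % (level, kind, entry))
        for entry in sorted(set(allow) & set(deny)):
            errors.append("%s: %s is in both Allow and Deny" % (level, entry))
    return errors


def decide(sender, lists):
    """Return (verdict, level, skipped_filters); verdict 'filter' means no list matched."""
    problems = config_errors(lists)
    if problems:
        raise ValueError("; ".join(problems))
    for level in LEVELS:
        allow = lists.get(level, {}).get("allow", [])
        deny = lists.get(level, {}).get("deny", [])
        if any(matches(entry, sender) for entry in allow):   # Allow overrides Deny at one level
            return "allow", level, SKIPPED_ON_ALLOW.get(level, set())
        if any(matches(entry, sender) for entry in deny):
            return "deny", level, set()
    return "filter", None, set()


# Constructed configuration.
SAMPLE_LISTS = {
    "global": {"deny": []},
    "policy_set": {
        "allow": ["billing@partner.example"],
        "deny": ["partner.example", "*@bulk.example"],
    },
    "user": {
        "allow": ["news@bulk.example", "friend@other.example"],
        "deny": ["*@ads.example"],
    },
}
```

With this configuration, news@bulk.example is denied even though the user allowed it, because the policy set Deny list is consulted first.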
Types of Outbound Email Filtering
You can add outbound filtering to each package, helping to ensure the safety and
appropriateness of information being sent from your corporate email system to valued
customers or business partners.
Filter Type: Description
Content Filtering: This feature automatically prevents inappropriate, malicious, or
confidential content from leaving your corporate email system, allowing you to monitor and
enforce your corporate email policies.
Attachment Filtering: Outbound attachments can be filtered by size, by MIME content type, or
by binary content, according to your corporate email policies.
Virus Scanning: Outbound virus scanning stops viruses and worms from leaving your corporate
email system, preventing your enterprise from being the source of email-borne viruses to
customers, suppliers, and partners.
Configurable Actions for Filtered Email
In Email Protection, email filtering policies control how emails are filtered within a
specific Domain and how Email Protection will respond during email filtering and
reporting. Depending on the feature package that is licensed for a domain, specific email
filters will be available to be enabled and configured. Also, depending on the enabled
email filter, various actions must be configured that define how Email Protection will
respond if an email violates the specific filter policy.
Based on the defined policy configuration, each email that violated the specified policy
can have any of the following actions taken, depending on the type of policy:
Action: Description
Quarantine: The email is added to the respective quarantine area and is not sent to the
recipient email address. If the email violated a spam policy, the email is reported in the
user’s Spam Quarantine Report.
Tag: The subject line of the email has a descriptive phrase (for example, “[SPAM]”) added to
the beginning of the subject text and the email is sent to the recipient email address.
Deny Delivery: The email is blocked automatically. Depending on the sending system’s
configuration, the email sender may or may not be notified with a 5xx Deny email.
Do Nothing or Allow Delivery: The email is forwarded to the recipient email address with no
processing applied. The values in the reports and the Overview window will be incremented
for the relevant email policy to indicate that an email did trigger the specific policy.
Silent Copy: A copy of the email is forwarded to a list of designated email addresses with
no notification to the sender or recipient.
Strip Attachment: If the email had an attachment that violated configured policies, this
action causes that attachment to be removed from the email and the email is sent to the
recipient email address. Text is inserted into the email notifying the recipient that an
attachment has been stripped. Only the attachment that violated the policy is stripped.
Clean: If the email had an attachment that contained a virus or worm, this action attempts
to remove the virus or worm and preserve the attachment. If the clean is successful, text
is inserted into the email notifying the recipient that an attachment had contained a virus
and was cleaned. If this action is selected, a second fall-back action also must be
designated in case the Clean action fails. This action is specific to the virus filtering
policies.
Custom X-Header: If the email was determined to have a high or medium likelihood of being
spam, you can configure that a custom X-header be inserted into the email. This X-header
can be used by your email servers to perform additional actions within your network, such
as redirecting the email. Each spam likelihood can have a different custom X-header. This
action is specific to the spam filtering policies.
Disable Filter: A non-administrator user cannot disable virus filtering if it is licensed
and enabled for a specific Domain or policy set. Only Administrators can enable or disable
virus filtering for a specific Domain or policy set.
You can designate that Email Protection first attempts to remove the virus from an infected
attachment, and if the clean fails, perform another action. You can designate that only the
infected attachment is stripped and the remaining email contents and attachments are sent
to the recipient.
You can enable or disable email notifications to the sender and/or recipient email
addresses of email that was filtered because of virus, content keywords, or attachment.
For more information, see one of the following:
•Set Email Protection to Notify Users about Emails with Viruses
•Notify Users about Spam Content
•Notify Users about Attachment Violations
User-level Policy Configurations
By default, policy configurations are defined for each domain and group. All emails
received for all user accounts within a domain or group are processed using the same
policy configurations.
Optionally, user-level policy configurations can be defined for individual users that
override the Domain/Group policies. Thus, if there is a conflict between a user-level
policy and any of the other types of policy configurations, the user-level policy setting will
be used. These user-level policy configurations allow customization of email actions for
each user.
User-level policies are confined to the following policies:
•Enable or disable email processing for spam, virus, content keyword, attachments,
and/or HTML content.
•Specify actions to take for emails if they are determined to have a high or medium
likelihood of being spam.
•Configure the spam quarantine reporting
To manage the policy for an individual user, see User-Level Policy Configuration.
Users also can have some control over their policies. To establish user control of policies,
see Set up Spam Quarantine Reports.
Quarantine
Email Protection provides multiple quarantine areas with different security accesses to
store and support review of suspect email outside of your email network.
Emails that violate configured policies and that have the Quarantine action applied are
sorted into multiple quarantines to ease email management and support security levels:
•Spam Quarantined Messages – Accessible to all users, with users with role of User or
Reports Manager allowed to access only their own personal spam quarantine
•Virus Quarantined Messages – Accessible to only Administrators and Quarantine
Managers
•Attachment Quarantined Messages – Accessible to only Administrators and
Quarantine Managers
•Content Keyword Quarantined Messages – Accessible to only Administrators and
Quarantine Managers
Within each quarantine, you can do any of the following:
•Delete selected emails or all emails
•Release selected emails or all emails for delivery to the recipient
•View selected email in a Safe View window
•Add the sender email addresses to the recipients’ user-level Allow list and release the
emails (available only for quarantined spam emails)
Emailed Reports of Quarantined Spam Emails
Optionally, emails are sent to users to indicate that spam emails have been
quarantined, using either of the following types of emails:
•Spam Quarantine Report
Spam Quarantine Reports are HTML-based email notifications of quarantined spam
emails that are sent to users. Multiple links in the Reports allow management of
quarantined spam email based on policy set-level and user-level configurable control
settings. When the user clicks a link, the designated action is performed and the user is
automatically logged into the Control Console.
•Spam Quarantine Summary
Spam Quarantine Summaries are optional text-based email notifications of
quarantined spam email sent to users, to support email applications that are not
HTML-compatible. The user clicks the link provided in the email and is automatically
logged into the Control Console. Once logged in, the user can navigate to the relevant
window to manage the spam quarantine and modify personal settings.
Customizing the Interface
Licensed Branding
There are multiple branding levels that control the appearance and URL addresses used
within the Control Console and Spam Quarantine Reports and Summaries:
•Standard – Branding uses images and addresses provided by your service provider.
•Private – You control the images and addresses.
•Cobrand – Branding uses images provided by you and your service provider, and
addresses provided by you.
•White Label – Branding uses no identifying images and uses addresses provided by
you.
Branding levels other than Standard must be licensed separately.
For more information, see Rebrand Your User Interface in Account Management Administrator Guide.
Language Localization
Within the Control Console, windows and features available to the non-administrative
user (whose role is User) can be provided in translated form supporting multiple
languages. When the user logs in via the log on window, he or she can select the desired
language in the Language field. Thereafter, all spam quarantine reporting emails and
window and field labels will be provided in the designated language.
The following languages are supported:
•Brazilian Portuguese
•Chinese Simplified
•Chinese Traditional
•Danish
•Dutch
•English
•Finnish
•French
•German
•Italian
•Japanese
•Korean
•Norwegian
•Portuguese
•Russian
•Spanish
•Swedish
•Turkish
This feature is available only to non-administrative user accounts. This feature must be
enabled at the system level to be available.
As a Customer Administrator, you can set the language for a user on the user’s Preferences
window. See Set User Display Preferences, Including Your Own in Account Management Administrator Guide.
Outbound Disclaimer
You can define text that will be appended to the email content to support liability or legal
requirements for your organization. Every email that was sent from your organization to
Email Protection for email filtering will have the designated text added to the end of the
email content. This feature requires that outbound filtering be licensed.
See Add an Outbound Email Disclaimer.
Notifications
You can customize the content of the notification email for each combination of the type
of filter and each type of email action (quarantine, deny, or strip).
See Define the Format and Text of Notifications to Users.
Monitoring and Reporting
Email Protection provides near-real-time monitoring for most reports of system usage,
email filtering, etc., for the designated Domain and date or date range. Report data is
available to be downloaded to a Microsoft Excel spreadsheet file (*.csv).
There are multiple reports available for viewing in the Control Console:
For more information, see System Reports.
Optional Utilities
Your service provider provides additional, free tools that provide additional support for
your email network.
Spam Control for Outlook®
If you receive email that you feel should have been filtered as spam, you can use the Spam
Control for Outlook® utility, which packages the email data, forwards it to your service
provider’s Threat Center, and then deletes it from your Microsoft Outlook mailbox. This
utility only works for the Outlook mail client.
You can download this utility at the following location:
The Fail Safe Disaster Recovery Service provides protection against lost emails in the case
when your inbound email server (a.k.a. Customer MTA server) may be unavailable to
receive email. If you have multiple inbound servers configured in Email Protection, all of
these servers must be unavailable before Fail Safe is invoked.
When your inbound servers become unavailable, Fail Safe begins spooling email, which
means Fail Safe stores your emails in a temporary location until your inbound server
becomes available. Once any of your inbound servers become available, Fail Safe begins
unspooling the emails. That is, Fail Safe restores these stored emails to the inbound server
using the first in, first out order.
The messages Fail Safe stores are not available until the messages have been unspooled.
Fail Safe has an unlimited amount of storage capacity but removes messages that have
been in Fail Safe storage for more than 5 days.
For more information, see Administer Disaster Recovery Services.
Email Continuity
Email Continuity saves messages for later delivery if your mail server becomes
unavailable. When your mail server becomes available, Email Continuity delivers the
messages. Users can access their messages through a Web-based interface while messages
are in Email Continuity only.
Email Continuity also has unlimited storage capacity and removes messages that have
been in Email Continuity storage for more than 60 days.
For more information, see Administer Disaster Recovery Services.
2. Access Email Protection Administration
As a customer of Email Protection, you can have administrators who access the Control
Console with different levels of privileges within Account Management and Email
Protection.
Who Can Access Email Protection Administration windows
The levels of administrative users you can add are as follows:
Administrative level: Description
Reports Manager: The Reports Manager can view, for an assigned domain, reports available
with Email Protection. The Reports Manager can also manage his or her own user preferences
and all other tasks a user can perform.
Group Administrator: The Group Administrator can add and remove members from one or more
groups if assigned to those groups. A Group Administrator can also create, edit, and modify
Email Protection policies for the assigned groups. Finally, a Group Administrator can view
user lists and user details. A Group Administrator does not need to be a member of a group
in order to have these capabilities.
Note: A Group Administrator cannot add or remove a group nor edit user information.
Quarantine Manager: The Quarantine Manager, for an assigned domain, can manage the same
areas as a Report Manager, plus manage, for the assigned domain, all users’ Quarantine for
spam and other problematic messages, only if Email Protection is enabled.
Domain Administrator: The Domain Administrator, for an assigned domain, can manage the same
areas as a Quarantine Manager, plus manage server setup and authentication rules for the
domain.
Customer Administrator: The Customer Administrator can manage all aspects of the customer’s
Account Management for all domains.
Group Administrator: The Group Administrator can, within the Group Administrator’s assigned
domain, add and remove members from one or more groups if assigned to those groups. A Group
Administrator can also create and modify Email Protection policies for the assigned groups.
A Group Administrator does not need to be a member of a group in order to have these
capabilities.
The following figure summarizes the levels of administrators, plus users, in an
Email Protection configuration.
Window Access | Feature Enablement Required | Customer Administrator | Domain Administrator | Quarantine Manager | Group Administrator
Content: Custom Content Groups | No | Yes | No | No | Yes
Content: Notifications | No | Yes | No | No | Yes
Content: HTML Shield | No | Yes | No | No | Yes
Content: Click Protect | No | Yes | No | No | Yes
Attachments: File Types | No | Yes | No | No | Yes
Attachments: File Name Policies | No | Yes | No | No | Yes
Attachments: Additional Policies | No | Yes | No | No | Yes
Attachments: Additional Notifications | No | Yes | No | No | Yes
 | | Yes | No | No | Yes
Allow/Deny: Sender Allow | No | Yes | No | No | Yes
Allow/Deny: Sender Deny | No | Yes | No | No | Yes
Allow/Deny: Recipient Shield | No | Yes | No | No | Yes
Enforced TLS: Actions | No | Yes | No | No | Yes
Enforced TLS: Notifications | No | Yes | No | No | Yes
Notifications: Content | No | Yes | No | No | Yes
Notifications: Attachment | No | Yes | No | No | Yes
Group Subscriptions | No | Yes | No | No | Yes
Disaster Recovery | | Yes | No | No | Yes
Quarantine Tab | No | Yes | Yes | Yes | No
Setup Tab | No | | | |
Inbound Servers Setup | No | Yes | Yes | No | No
Outbound Servers Setup | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No
Outbound Disclaimer | Yes. Depending on your purchased package, this service might need to be enabled. | Yes | Yes | No | No
Disaster Recovery Setup | Yes. Either FailSafe or Email Continuity must be enabled or included in your package. | Yes | Yes | No | No
MX Records Setup | No | Yes | Yes | No | No
User Creation Settings | No | Yes | No | No | No
Reports tab | | | | |
Traffic Overview | No | Yes | Yes | Yes | No
Threats Overview | No | Yes | Yes | Yes | No
Threats: Viruses | No | Yes | Yes | Yes | No
Threats: Spam | No | Yes | Yes | Yes | No
Threats: Content | No | Yes | Yes | Yes | No
Threats: Attachments | No | Yes | Yes | Yes | No
ClickProtect: Overview | No | Yes | Yes | Yes | No
ClickProtect: Click Log | No | Yes | Yes | Yes | No
Quarantine: Release Overview | No | Yes | Yes | Yes | No
Quarantine: Release Log | No | Yes | Yes | Yes | No
User Activity | No | Yes | Yes | Yes | No
Event Log | No | Yes | Yes | Yes | No
Audit Trail | No | Yes | Yes | Yes | No
Inbound Server Connections | No | Yes | Yes | Yes | No
Disaster Recovery: Overview | Yes. Either FailSafe or Email Continuity must be enabled. | Yes | Yes | Yes | No
Disaster Recovery: Event Log | Yes. Either FailSafe or Email Continuity must be enabled. | Yes | Yes | Yes | No
Other Documents You Might Need
Account Management is a self-contained subset of windows you access on the Control
Console. You use it in conjunction with the administration windows for the previously mentioned products. For information on administering these products, see the online help
in the Control Console or the documentation as listed below.
Email Protection Documents
•Email Protection Concepts Guide
•Email Protection Quick Start
•Intelligent Routing User Guide
•Email Continuity Administrator Quick Start Guide
Web Protection Service Documents
•Web Protection Service Quick Start
•WDS Connector Installation Guide
Message Archiving Documents
•Message Archiving Administrator Guide
•Message Archiving Quick Setup Guide for Microsoft® Exchange® Server 2000
•Message Archiving Quick Setup Guide for Microsoft® Exchange® Server 2003
•Message Archiving Quick Setup Guide for Microsoft® Exchange® Server 2007
User Guides
In addition, a variety of guides for your users are available. These are:
•Email Protection User Guide
•Message Archiving User Guide
•Spam Control for Outlook
•Email Continuity User Quick Start Guide
Ensure You Can Receive Email from
Your Service Provider
If you had or still have a different email security or filtering service and your network is
administered so that you can receive email only from IP addresses associated with that
security service, you must administer your network to allow incoming email from the
Control Console servers. For example, a port in your company’s firewall may need to be
enabled to receive email from the IP addresses of the Control Console servers.
This enablement is necessary in order for you and your users to set the initial password for
access to the Control Console.
Log on to the Control Console
To manage your account, you must log on to the Control Console with the following steps.
Note: The first time you log on, you might need to create your password. If so, see Reset
Your Password from the log on window.
1 Open a browser on your computer and enter the URL for the Control Console.
The URL should be identified in the Service Activation Guide you received from your
provisioner. If you don’t have the URL, contact your sales representative or Customer
Support.
2 At the Control Console log on window, enter your email address and password.
3 Click Sign in.
If you have not previously entered an answer to a security question, the Security
Question window pops up.
The answer to the security question is used to validate you, the user, if you
forget your password.
You can later change your security question and/or security answer on the Preferences
window of your user account. See Set User Display Preferences, Including Your Own
in Account Management Administrator Guide.
4 Select a security question and type the answer. Your answer is not case-sensitive.
Note: If you also use Email Protection, you can also log on to the Control Console
from a Spam Quarantine Report.
Reset Your Password from the log on
window
Note: This capability may not be available if the user authentication method is set to
LDAP, POP3, or IMAP or if the ability to change passwords has been disabled at the
system level.
If you forget your password or want to reset it, perform the following steps:
1 On the log on window, click the Forgot your password or need to create a password? link.
The following window is displayed.
2 In the Username field, type your email address.
3 Do one of the following:
•If your email address is working and you are already receiving email, select
Email password information to me.
•If your email address is not working, select Email password information to my
Domain Contact.
Your Domain Contact might be your administrator or another person your
administrator defined for your domain within the Control Console. Check with
your administrator on who that person is.
4 Click Next.
If you selected the option for your email, your email application receives an email
momentarily with further instructions. Continue with Step 5.
If you selected the option to email a Domain Contact, that person receives an email
from which the person can reset your password. The person can also forward the
message to an alternative email address you might have. Contact that person for the
password, then try to log on again. You are finished with this procedure.
5 If you selected the option to email information to you, open the email in your email
application. The email subject line says Control Console Sign in Information.
The email is similar to the following:
6 Click the link in the email. The link is active for only a limited time after the email is
sent (typically, 60 minutes).
7 If you previously had selected a security question, the security question is displayed.
If you had not previously selected a security question, select a question from the
Security Question drop-down menu.
8 Type the answer to the question in the Security Answer field.
9 For the Security Question field, click Change if you need to change the security
question or answer. You must answer this question when you forget your password or
need to reset it.
The Security Question and Security Answer fields are displayed. Select a question
from the Security Question drop-down menu, then type an answer.
10 In the Password field, type a password. The password must comply with the
following rules:
•Length must be a minimum of 8 characters.
•Alphabetical, numeric, and special character types are allowed.
•There must be at least one character that differs in character type (alphabetical,
numeric, or special) from the majority of characters. Thus, if the password
contains mostly alphabetical characters, then at least one character must be either
a special character or numeric. For example, majordude is invalid, but
majordude9 is valid.
•Passwords are case-sensitive (for example, Password, password, and PASSword
would be different passwords).
Make sure you can remember your password, but do not use obvious passwords (for
example, password, your name, or a family member’s name). Keep your password
safe and private.
11 Retype your password in the Confirm Password field.
12 Click Save.
3. Check the Status of Email
Protection on the Overview
The Overview window provides the following high-level information about the email
traffic to your domain over the previous 24 hours:
•Disaster recovery information
•News and update information
Customer Administrators will see the information for all the domains in the customer
where the role was defined. Domain Administrators will see the information for only the
domain where the role was defined.
1 Select Email Protection | Overview.
The Overview window is displayed with the initial view.
2 Click Display Statistics.
The Overview window is displayed with the complete view.
The sections on the window provide the following information:
Section | Description
Inbound 24-Hour Snap Shot | Displays a 24-hour snapshot of inbound email traffic: Messages – Number of inbound messages processed; Avg Size – Average size of inbound messages, including attachments; Bandwidth – Average bandwidth used by inbound messages; Viruses – Number of inbound emails that contained viruses; Spam – Number of inbound emails that were potentially spam; Quarantined – Total number of inbound emails that were quarantined for any reason, including spam, virus, etc.
Outbound 24-Hour Snap Shot | Displays a 24-hour snapshot of the domain’s or Customer’s outbound email traffic: Messages – Number of outbound messages processed; Avg Size – Average size of outbound messages, including attachments; Bandwidth – Average bandwidth used by outbound messages; Viruses – Number of outbound emails that contained viruses; Quarantined – Total number of outbound emails that were quarantined for any reason, including viruses.
Traffic (Last 24 Hours – {timezone}) | Displays a graph of traffic volume for the last 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.
Policy Enforcement (Last 24 Hours – {timezone}) | Displays the percentage of messages that had the different email actions applied (for example, stripped, blocked, tagged, quarantined, cleaned, or normally delivered) over the past 24 hours of the designated time zone. Optionally, select one of the graphic display type icons to change the appearance of the graph.
Disaster Recovery Current Status | Displays domains that are currently in Disaster Recovery. The Email Protection is currently spooling the specified domain's email.
Disaster Recovery Activity (Last 24 Hours) | Displays how many emails were spooled and unspooled by Fail Safe for all domains in the indicated Customer during the last 24 hours of the designated time zone. Spooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them. Unspooled Messages – Indicates the number of emails that were spooled by Fail Safe in the last 24 hours and how much spool storage was used by them.
What’s New | Displays a list of new information available about Email Protection. Depending on the configuration, this section may be blank or may contain different information.
News | Displays any updates on current email threats and other important email security news (links). Click the desired link to view the complete information. Depending on the configuration, this section may be blank or may contain different information.
4. Set up Your Servers
This section describes how to ensure your inbound and outbound servers are set up
correctly for Email Protection.
Confirm Your Inbound Servers Setup
Email Protection filters email destined for your inbound Simple Mail Transfer Protocol
(SMTP) email server or servers. Your provisioner should have already defined one or
more SMTP servers in the Control Console. To confirm that these servers are defined,
perform the following steps:
1 Click Email Protection | Setup.
2 From the domain drop-down menu on the Setup window, select the domain whose
SMTP server you want to check.
The SMTP Host Address field displays the domain name(s) or IP address(es) for the
domain’s SMTP server. In our example, domain denver.acme.com has an SMTP
server with a domain name of mail1.denver.acme.com.
The Inbound Servers Setup window is displayed.
3 Ensure the SMTP servers listed are valid and correct.
4 Ensure that all other information on the window is correct, and select Save.
5 Repeat steps 2 through 4 for any other domains in your network.
Set up Additional Inbound Servers
You can configure additional inbound servers to receive inbound email from Email
Protection for the designated domain. All servers for a domain that receive inbound email
from Email Protection must be configured on the Inbound Servers Setup window.
Any server addresses designated here must be valid and available for connection from
Email Protection. After the Save Changes button is clicked, Email Protection
immediately routes email to the active servers.
1 Click Email Protection | Setup.
2 From the domain drop-down menu, select the domain whose SMTP server you want
to add.
3 Click Add New Host.
A new set of fields appears for the server.
4 In the SMTP Host Address field, type the fully qualified DNS name or IP address of the
server host being configured. CIDR notation is not allowed.
If you do not have a registered and valid DNS name for your email servers, you must
enter the IP addresses of each server.
5 In the Port field, type the port on the server to which Email Protection will
connect. The default value is 25.
6 In the Preference field, type the number indicating the order of connection preference
between multiple servers. Email Protection attempts to connect first to the server with
the lowest preference number. If that server is not available (either down or too busy),
Email Protection tries the server with the next lowest preference number, and so on. If
multiple servers have the same preference number, Email Protection will randomly
route the email delivery between them.
7 Click the Active checkbox to allow the server to immediately start accepting email
traffic.
Caution: If all servers are set to inactive, all emails received for this domain will
be tempfailed.
8 Click Save.
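The connection order described in steps 6 and 7, as an added Python sketch (not McAfee's code): active servers are tried lowest preference number first, equal preference numbers are shuffled, and a domain with no active server ends in the tempfail case from the caution. The `InboundServer` type, the function names, the "no server available" outcome and the mail2/mail3 hosts are assumptions made for this illustration.

```python
import random
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class InboundServer:
    host: str            # fully qualified DNS name or IP address
    preference: int      # lower number is tried first
    port: int = 25       # default port from step 5
    active: bool = True  # the Active checkbox from step 7


def connection_order(servers, rng=None):
    """Active servers in the order a connection would be attempted."""
    rng = rng or random.Random()
    active = sorted((s for s in servers if s.active), key=lambda s: s.preference)
    order = []
    for _, tier in groupby(active, key=lambda s: s.preference):
        tier = list(tier)
        rng.shuffle(tier)  # same preference number: choose between them at random
        order.extend(tier)
    return order


def route(servers, is_available, rng=None):
    """Return (outcome, server); is_available models 'down or too busy'."""
    order = connection_order(servers, rng)
    if not order:
        # Caution on the page: every server inactive means the mail is tempfailed.
        return "tempfail", None
    for server in order:
        if is_available(server):
            return "delivered", server
    # What the service does when every active server is unreachable is not
    # modelled here (assumption: the message is simply not delivered yet).
    return "no server available", None


# Constructed sample configuration for the page's example domain.
SAMPLE = [
    InboundServer("mail1.denver.acme.com", preference=10),
    InboundServer("mail2.denver.acme.com", preference=20),
    InboundServer("mail3.denver.acme.com", preference=5, active=False),
]

if __name__ == "__main__":
    print([s.host for s in connection_order(SAMPLE)])
    print(route(SAMPLE, lambda s: s.host != "mail1.denver.acme.com"))
```

Note that mail3 is never tried despite having the lowest preference number, because it is not marked Active.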
Delete an Inbound Server
To delete an inbound server, perform the following steps:
1 Access the appropriate domain on the Inbound Server Setup window.
2 Click the Delete checkbox next to the server you want to delete.
3 Click Save.
Add IP Address of Outbound Server, If
Necessary
If your service includes Outbound Message filtering, you must identify one or more
outbound mail servers through which your users send outgoing mail. While your outbound
server might use a Domain Name Server (DNS) name within your network (for example,
lewisoutbound.acme.com), you identify the outbound server within Email Protection with
an IP address (for example, 111.222.111.0). Alternatively, you can specify a Classless
Inter-domain Routing (CIDR) address for a range of outbound servers (for example,
111.222.111.0/27) only. The address must be a public address.
Any server addresses designated here must be valid and available for a connection. After
the Save Changes button is clicked, Email Protection immediately accepts email traffic
from the active servers.
Note: If email is received from an outbound server that is not configured in the Email
Protection system, it will be refused. If no outbound package has been designated for the
selected domain, this window is unavailable.
The Outbound Server Setup window is displayed.
2 Click Add New Address, and add the address of the outbound server.
3 Click Save Changes.
4 Record the address listed under Recommended Smart Host Server Settings. You
should use this address to perform the next task, Set up a Smart Host (If Outbound Mail
Defense is Turned on).
Important: You or your network administrator should also do the following before or
immediately after adding your outbound server(s):
•Update Sender Policy Framework (SPF) records on your mail server(s) to ensure
only authorized sources are sending outbound email.
•Scan your network for open relays, viruses and malware.
•Refer to the Accepted Use Policy (AUP) at http://www.mxlogic.com/terms/aup/index.cfm
for information on bulk mail.
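A pre-flight check for the two address rules in this chapter, as an added Python example (not part of the product): inbound hosts take a fully qualified DNS name or an IP address but no CIDR, while outbound servers take only a public IP address or a public CIDR range. The function names are hypothetical, and treating outbound entries as IPv4 only is an assumption based on the page's examples.

```python
import ipaddress
import re

# Well-known non-public IPv4 ranges. A supernet that swallows one of these is
# also refused, which a check of the first and last address alone would miss.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_fqdn(value):
    """True for a dotted DNS name with at least two labels (not an IP)."""
    name = value.rstrip(".")
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def check_inbound_host(value):
    """Inbound SMTP Host Address: DNS name or IP address, never CIDR."""
    value = value.strip()
    if "/" in value:
        return False, "CIDR notation is not allowed for an inbound host"
    try:
        ipaddress.ip_address(value)
        return True, "IP address"
    except ValueError:
        pass
    if looks_like_fqdn(value):
        return True, "fully qualified DNS name"
    return False, "neither a fully qualified DNS name nor an IP address"


def check_outbound_address(value):
    """Outbound server: one public IPv4 address or a public IPv4 CIDR range."""
    value = value.strip()
    try:
        # strict=True rejects ranges whose host bits are set, e.g. x.x.x.5/27
        net = ipaddress.IPv4Network(value, strict=True)
    except ValueError as exc:
        if looks_like_fqdn(value):
            return False, "DNS names are not accepted; use the public IP address"
        return False, f"not a valid address or CIDR range: {exc}"
    if any(net.overlaps(block) for block in NON_PUBLIC):
        return False, "range includes private or non-routable addresses"
    if not (net.network_address.is_global and net.broadcast_address.is_global):
        return False, "address must be a public address"
    if net.prefixlen == 32:
        return True, "single address"
    return True, f"range of {net.num_addresses} addresses"


if __name__ == "__main__":
    # Values taken from the page's examples plus constructed bad inputs.
    for entry in ("111.222.111.0", "111.222.111.0/27",
                  "lewisoutbound.acme.com", "192.168.10.0/24"):
        print(entry, check_outbound_address(entry))
```

Because mail from an unlisted outbound server is refused, a range wider than the servers that actually send mail also widens what the service will accept on your behalf; the returned address count makes that visible.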
Delete an Outbound Server
To delete an outbound server, perform the following steps:
1 Access the appropriate domain on the Outbound Server Setup window.
2 Click the Delete checkbox next to the server you want to delete.
3 Click Save Changes.
Set up a Smart Host (If Outbound Mail
Defense is Turned on)
To ensure that your outbound email is filtered, you must designate, for each of your
outbound mail servers, an Email Protection server as your Smart Host. Your outbound
email is then relayed through Email Protection before continuing to its final destinations.
The outbound Smart Host address is listed at the bottom of the Outbound Server Setup
window, or you can refer to your Service Activation Guide for more details.
Note: This task is performed on your outbound email server or servers, on your network
router, or on some other server, depending on your network’s configuration.
Add an Outbound Email Disclaimer
You can create and assign text that will be appended to all outgoing emails that are filtered
by Email Protection for the designated domain. For example, you might want to specify
that the email sent from your company is the property of your company with all rights
reserved.
Note: If no outbound package has been designated for the selected Domain, this window
is unavailable.
The Outbound Server Setup window is displayed.
2 Click Display disclaimer in outbound email messages.
3 In the Disclaimer Text field, type the text of the disclaimer. A maximum of 1000
characters is allowed.
4 Click Save.
Redirect Your MX Records
The Mail Exchange (MX) record for each of your mail servers is a specification within a
Domain Name Server (DNS Server) operated by your Internet Service Provider (ISP).
Each MX record specifies a host name and preference that determines where and how
your ISP routes your company’s email.
Your MX record or records at your ISP must be changed to fully-qualified domain names
(for example, denver.acme.com) within the Email Protection network. These changes
allow Email Protection to filter your email before it arrives at your company’s mail
servers.
Your Network Administrator or Domain Registrar is typically the individual responsible
for making these changes.
The information necessary for your company to make these changes is provided in your
Email Protection Activation Guide, which you receive when you first sign up for service.
Check Your MX Record
Be aware that because of the nature of the Internet, it may take several days for your MX
record redirect to propagate to all the email servers that may be sending email to your
email server. During that time, your email server may still receive email directly from
those email servers until they are updated with your latest MX record information.
The MX Record Analysis window allows you to query Email Protection or your
company’s Authoritative DNS Name Server for the MX Records that are recognized for
the SMTP server names for a domain. You can then confirm that all the IP records that are
configured for your domain’s MX Records are correctly redirected to Email Protection.
The analysis indicates the following:
•All Authoritative Name Servers for the entered DNS name
•All MX Records that are recognized by the Authoritative Name Servers – this process
retrieves all the MX Records for a given domain
•Whether the hostname for each MX Record is a valid hostname, an outdated hostname
that will work but should be updated, or an unrecognized hostname which may be
allowing email to be routed around Email Protection
This window also indicates the recommended values (using the default values configured
at the system level for Email Protection) to assist you in determining whether your MX
Records are redirected correctly. For example, if all the SMTP servers defined for a
domain do not show the same information, this can indicate that your MX Records are not
defined correctly.
Note: This feature must be enabled at the system level to be available in Email Protection.
1 Click Email Protection | Setup | MX Records.
The MX Record Analysis window is displayed.
By default, the window shows the results of a DNS lookup by Email Protection on the
IP addresses you submitted to your Internet Service Provider. The column headings
show the following:
Field | Description
MX Record Analysis Results for | The domain for which a DNS lookup was performed.
MX Records returned by | The name of the DNS server, which can be the DNS server of your Email Protection provider or a DNS server from your company, if selected.
Under each MX Records returned by heading, MX records should be listed that were set
by your Internet Service Provider, along with the priority preference of the record, and the
status of the MX record.
•Valid – MX Record is current and fully authenticated.
•Valid – recommend update – MX Record uses an older hostname standard. It still
works, but it is recommended that you update to the current hostname standard.
•Unrecognized – MX Record could not be authenticated and may be allowing email to
enter your system bypassing Email Protection. This situation, if occurring within 72
hours of the MX Record change, may indicate the changes are not yet complete.
2 Check the Recommended MX Record Settings. This section indicates a list of
typical MX Record configurations using the system-defined default values and the
currently selected domain name. Note that this list may not match your actual MX
Record configurations. These values are configured at the system level.
You can alternatively enter a fully-qualified DNS Server name at your company in the
Target Authoritative Name Server field, then click Analyze. This capability is helpful if
the default display of MX records appears to be incomplete or in error.
Similar results to those returned by Email Protection provider’s DNS Server might occur.
Note: You can also select the View only this name server link to reduce the number of
DNS server lists of MX Records. Click the View all name servers link to list all DNS
servers again.
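The same three-way status check can be run outside the Control Console against the MX answers returned by each authoritative name server. The following is an added Python example, not the product's analysis code: the hostname suffixes are placeholders to be replaced with the values from your Recommended MX Record Settings, and the name servers and answers are constructed sample data in the shape of `dig +short MX` output.

```python
from collections import namedtuple

# Placeholders (assumptions): substitute the hostnames shown under
# Recommended MX Record Settings or in your Activation Guide.
CURRENT_SUFFIXES = (".mx.filter.example",)
LEGACY_SUFFIXES = (".mail.old-filter.example",)

MxRecord = namedtuple("MxRecord", "preference host")


def parse_mx_answer(text):
    """Parse 'preference hostname' lines into sorted MxRecord tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or resolver comment
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"not an MX answer line: {line!r}")
        records.append(MxRecord(int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def classify(host):
    """Map a hostname to the three statuses used on the analysis window."""
    # The leading dot in each suffix forces a match on a label boundary, so
    # 'evilmx.filter.example' does not pass as '.mx.filter.example'.
    if host.endswith(CURRENT_SUFFIXES):
        return "Valid"
    if host.endswith(LEGACY_SUFFIXES):
        return "Valid - recommend update"
    return "Unrecognized"


def analyze(answers_by_name_server):
    """answers_by_name_server maps each name server to its raw MX answer."""
    report = {"per_server": {}, "bypass_routes": [], "consistent": True}
    previous = None
    for name_server, text in sorted(answers_by_name_server.items()):
        records = parse_mx_answer(text)
        report["per_server"][name_server] = [
            (r.preference, r.host, classify(r.host)) for r in records]
        for r in records:
            if classify(r.host) == "Unrecognized" and r.host not in report["bypass_routes"]:
                report["bypass_routes"].append(r.host)
        # Name servers that disagree point to an incomplete or wrong redirect.
        if previous is not None and records != previous:
            report["consistent"] = False
        previous = records
    return report


# Constructed sample: ns2 still publishes the mail server itself as an MX.
SAMPLE_ANSWERS = {
    "ns1.acme.com": """10 denver-acme-com.mx1.mx.filter.example.
20 denver-acme-com.mx2.mx.filter.example.
""",
    "ns2.acme.com": """10 denver-acme-com.mx1.mx.filter.example.
30 mail1.denver.acme.com.
""",
}

if __name__ == "__main__":
    result = analyze(SAMPLE_ANSWERS)
    print("bypass routes:", result["bypass_routes"])
    print("name servers agree:", result["consistent"])
```

Any host listed under bypass routes is reachable by senders without passing through the filter, so once the MX change has propagated the mail server should also accept inbound SMTP only from the filtering service.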
Set up User Creation Mode — SMTP
Discovery or Explicit
Note: This procedure applies only if your service includes Email Protection.
Explicit user creation means that you must add user email addresses using one of the
methods that are described later. SMTP Discovery means that users are created
automatically based on SMTP transactions. That is, several incoming email messages to a
user indicate that the user exists for the customer. As a result, Email Protection creates that
user in the Control Console.
SMTP Discovery is the default setting for a new customer, such that at initial startup of
service, users might be created in the Control Console without any administration by you,
the Customer Administrator.
Note: Only messages delivered to recipient email addresses in a primary domain are
counted for the purpose of user creation. Messages sent to recipient email addresses in
alias domains are not counted. When the action is deny, the email is rejected and an error
message is displayed to the sender.
If you use Directory Integration, explicit user creation is highly recommended.
To turn on Explicit User Creation, perform the following steps:
1 Click Email Protection | Setup.
2 Click User Creation Settings.
3 Under the User Creation Mode heading, select Explicit.
4 Click Save.
5. Customize Inbound Mail
Filters
Email Protection has default inbound and outbound mail filters to block and clean
malicious email and to quarantine email that might be malicious. The filters are
configured by using policies, which are the parameters for the filters. Default policies are
automatically assigned to each of your domains.
You can customize the default inbound policy for any and each domain, or any and each
group, to fit your business needs.
To change customers, select the link in the upper right of the opened window. In the Select
window, begin entering the name of the entity you want and select that entity when a list
of entities appears.
Enterprise or Service Provider
Customer
Important: This document is for use by Enterprise customers only.
The way in which custom policies are applied to your users varies depending on whether
you are classified as a service provider or enterprise customer. If you are a service
provider customer, each domain can have one custom policy (see Figure 7). If you are an
enterprise customer, a single default policy applies to all domains. Thus, for an enterprise
customer, you must create a group or groups of users, and for each group, you can create a
custom policy. A group can be created according to domain membership (see Figure 8) or
according to any other user characteristics that may apply across multiple domains (see
Figure 9). For procedures, see Create a Group in Account Management Administrator
Guide.
Note: Because a group defined by an enterprise customer can contain users from different
domains, a group policy does not apply to a domain, but rather to the group of users to
which it is defined. A custom group policy supersedes the default policy that is assigned to
all domains.
Figure 6: Service Provider Custom Policy Assignment
Figure 7: Enterprise Custom Policy Assignment (Groups by Domain)
Figure 8: Enterprise Custom Policy Assignment (Groups by Other Attributes)
Create a Custom Policy (Enterprise
Customer Only)
Important Note: It is assumed that all domains within an Enterprise Customer will have
the same package assigned to them. If some domains have different packages, unexpected
results may occur when a policy is applied to a group in which members reside within
different domains.
1 Click the Email Protection | Policies | Inbound Policies link.
2 Click New to launch the New Policy window.
The New Policy Set fields are displayed.
Field | Description
Name | Enter a name for the policy set you are creating. The name should reflect the name or purpose for the group or groups that you will assign to the policy.
Owner | The Owner heading indicates who can edit the policy. If the owner is Customer, only Customer Administrators can edit the policy. If the owner is Group, then Group Administrators assigned to that group, as well as Customer Administrators, can view or edit the policy.
Description | Enter a description of the new policy set.
Direction | From the drop-down menu, select the direction of email, inbound SMTP or outbound SMTP, for which this policy will be configured.
Copy From | From the drop-down menu, select an existing policy set whose settings you want to copy to the new policy set. Most settings are copied based on this selection. However, you must choose to copy some settings from the existing policy separately by selecting the following fields.
Copy Sender Allow List | Select to copy the Sender Allow list from the policy set selected in the Copy From field.
Copy Sender Deny List | Select to copy the Sender Deny list from the policy set selected in the Copy From field.
Copy Recipient Shield List | Select to copy the Recipient Shield list from the policy set selected in the Copy From field.
Copy ClickProtect Allow List | Select to copy the ClickProtect Allow list from the policy set selected in the Copy From field.
3 Click Save.
The Policy Sets list is updated with the new policy. You can now modify the new
policy to meet your business needs.
Configure a Virus Filter
Email Protection uses multiple virus scanning applications to analyze email to determine
if a virus may be present. In your custom policy, you can configure how Email Protection
handles an email that contains a known virus.
Important Note: If an email is detected that contains a wide-spread worm or virus (for
example, SoBig or MyDoom), Email Protection may automatically block that email,
regardless of the settings in your custom policy.
To create a new policy content filter, perform the following steps:
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Virus.
The Actions window is displayed.
4 Complete the fields as described in the following table.
Field: Description
If a Message Contains a Virus: Select an action Email Protection should take if an
email contains a virus:
• Do nothing – Email Protection sends the email to the recipient with
no filtering or notification.
— Caution: This action is potentially hazardous because the email
will still contain the virus.
• Quarantine the message after attachment is stripped – Email
Protection strips an infected attachment from the email and sends the
email to quarantine with the message that an attachment had been
stripped. Email Protection does not send a separate notification to the
recipient.
• Strip the attachment – Email Protection strips the infected
attachment from the email and sends the email to the recipient. Email
Protection inserts text into the email to notify the recipient that an
attachment has been stripped.
• Deny delivery – Email Protection denies delivery of the email.
• Clean the message – Email Protection attempts to remove the virus
content and save the remainder of the message. If successful, Email
Protection sends the email to the recipient with the message that the
email had been cleaned of a virus. If you select this action, you must
also select an action for the If a Message Cannot be Cleaned field.
If a Message Cannot be Cleaned: If you previously selected Clean the message,
select an action Email Protection should take if Email Protection fails to clean an
infected email:
• Quarantine the message after attachment is stripped – The
infected attachment is stripped from the email and the email is sent to
the recipient’s virus quarantine area without notification to the
recipient. Text is inserted into the email indicating that an attachment
has been stripped.
• Strip the attachment – The infected attachment is stripped from the
email and the email is sent to the recipient. Text is inserted into the
email notifying the recipient that an attachment has been stripped.
• Deny delivery – The email is denied delivery.
5 Click Save or click Notifications under the Virus tab.
Set Email Protection to Notify Users about
Emails with Viruses
You can direct Email Protection to send notification emails to the recipient and/or sender
when an email is filtered because it contained a known virus. You can see the content of
notifications and change it in the Notifications tabs. See Define the Format and Text of
Notifications to Users.
Note: Virus notifications will not be sent out for emails that are infected with widespread
viruses or worms (for example, SoBig or MyDoom). These notifications will be
automatically disabled by Email Protection.
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Virus.
4 Click Notifications.
5 Complete the following fields:
Field: Description
To the sender when a message is … due to a virus infection: Select one or more
conditions that will cause Email Protection to send a notification email to the sender.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
• Stripped – The infected attachment was stripped and the email sent
to the recipient.
To the recipient when a message is … due to a virus infection: Select one or more
conditions that will cause Email Protection to send a notification email to the recipient.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
• Stripped – The infected attachment was stripped and the email sent
to the recipient.
Configure a Spam Filter
Email Protection spam filtering uses a large number of filtering processes, as well as
sophisticated statistical classification techniques, as part of its Stacked Classification
Framework® to determine if email is spam. Based on this analysis, Email Protection gives
each email a score.
Three scores are used to determine the likelihood of spam and what actions
should be taken. Those scores are:
• Medium likelihood if default settings are used. This email is normally quarantined for
review.
• High likelihood if default settings are used. This email is normally quarantined for
review.
• Critical likelihood. This spam is blocked.
If you specified an additional Realtime Blackhole List (RBL) in the Spam window of the
assigned policy, the RBL can influence the spam score as well.
Note: Occasionally, some emails might be marked as spam when in fact they are
legitimate emails. For these “false positive” email messages, you can help Email
Protection “tune” the spam thresholds and rules by sending a forwarded copy of the email
with all content and attachments to falsepositive@mxlogic.com.
To configure a spam filter, you can perform the following tasks:
• Define the Action to Take on Spam
• Spam – Content Groups Subtab
• Spam – Reporting Subtab
Define the Action to Take on Spam
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Spam.
The Classification window is displayed.
4 Complete the following fields:
Field: Description
If a Message is Probably Spam (Medium likelihood) area: Select an action Email
Protection should take if an email has a spam score of 90% or higher:
• Tag the message subject with “[SPAM]” – Email Protection adds
the phrase “[SPAM]” to the beginning of the email’s subject text and
sends the email to the recipient.
• Quarantine the message – Email Protection sends the email to
quarantine.
• Deny delivery – Email Protection denies delivery of the email.
Note: Emails that have the following actions applied will be
reported as Other in the Threats: Spam report.
• Do nothing – Email Protection sends the email to the recipient with
no filtering or notification.
If a Message is Probably Spam (High likelihood) area: Select an action Email
Protection should take if an email has a spam score of 99.9% or higher. These actions
are the same as those for Medium likelihood.
5 Click More Options if you want to enable a Real-time Black Hole List. Otherwise, go
to step 8.
Multiple real-time blackhole lists (RBLs) of known spammers are provided by the
industry, from which Email Protection creates a single RBL indicator to assess the risk
of an email originating from a known spammer. The use of multiple blackhole lists to
create a single vote and rate the reputation of each RBL for accuracy helps to
minimize the possibility of blocking a non-spammer by mistake.
6 If you clicked More Options, click the Enable Real Time Blackhole List (RBL)
checkbox.
Note: You can also block spammers by completing a Sender Deny List under the
policy’s Allow/Deny option.
7 Click Save or click on Content Groups under Virus.
Define Additional Words That Indicate
Spam
Email Protection spam content filtering controls spam by comparing the content (subject
and body) of an email against predefined lists of keywords or phrases (spam content groups).
You can define a custom spam content group that contains additional lists of keywords
that are used to filter email as spam. For each content group, you also define the action to
take on email that contains a keyword. If the action is to send spam matches to quarantine,
users who receive Spam Quarantine Reports can view the matching messages in the
quarantine.
Note: A spam content group does not analyze the content within attachments.
The action for a content group you define overrides spam actions for Email Protection
default spam filters. For example, if Email Protection determines that an email has a
medium likelihood of being spam and also contains a keyword that is in your spam content
group, the action defined for your spam content group is applied.
However, if you also define content filtering on the Content – Content Groups window
(see Configure a Content Filter), that content filter overrides the keyword filtering you
define on the following Spam – Content Groups window. In addition, spam identified by
the Content – Content Groups filter is accessible only by Quarantine Managers or higher
level administrators. Users cannot view this spam.
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Spam.
4 Click Content Groups.
5 Double-click the Content Group you wish to modify.
6 In the Group Name field, type the name of your spam content group.
This name should summarize the kind of keywords you want Email Protection to look
for. For example, you might want to identify musical terms, such as concert, music,
rock, jazz, and so on, as spam. In this case, your group name might be music.
7 From the Action drop-down menu, select an action to take if an email matches a
keyword:
• None – The email is forwarded to the recipient email address.
• Quarantine the message – The email is sent to the recipient's domain content
quarantine area.
• Deny Delivery – The email is denied delivery.
• Allow – The email is sent to the recipient email address.
Note: The Allow option is useful if you want to override standard Email Protection spam content
filtering for particular keywords.
Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam
report.
• Tag the message subject with "[SPAM]" – The phrase "[SPAM]" is added to the
subject line of the email at the beginning of the subject text and the email is sent to the
recipient email address.
• Encrypt Message – is also available for Outbound content groups, if the Customer
has subscribed to Encryption.
• Silent Copy – allows you to forward a copy of the original message. To send a copy,
select a predefined distribution list from the drop-down.
8 Content: List the content keywords needed to define your Custom Content Group. In
the Content field, type any keywords you want to search for in email. Use the
following rules for entering keywords.
• Each entry must be on its own line (separated by a hard return).
• If an entry contains multiple words, the entire phrase is used as a literal string (as is).
• If individual words are desired, each word must be on its own line.
• Letter-case (for example, upper case or lower case) is ignored.
• The wildcards question mark (?) and asterisk (*) can be used to designate the
following:
— ? – designates any single character, including white space characters (for
example, menu, space, line break, etc.).
For example, w?y would catch way, why, and w y.
— * – at the end of the string designates multiple characters until a white space
character is encountered.
For example, refi* would catch refinance, refinancing and refine.
— * – followed by a literal character designates multiple characters, including
white space characters, until the designated character is encountered.
For example, refi*d would catch refinanced, but would also catch refinishing
is a great way to save d.
— If the literal asterisk or question mark is desired, it must be preceded by a
backslash (for example, \* or \?).
For example, why\? (without quotes) would catch the string why? and the question
mark would not be used as a wildcard.
9 Click the Enable checkbox to turn on the spam content group.
10 Click Save for the new spam content group.
11 Click Save for the policy or continue to the Reporting tab.
To change a policy’s existing spam content group, click Edit.
Set up Spam Quarantine Reports
When Email Protection scores email and determines that email might be problematic, but
the email is not clearly a security risk, Email Protection places the email into quarantine.
You can set up quarantine reports so that users can see which of their messages were
filtered and placed in quarantine. You can also determine how much control users have
over these reports, including:
• How reports are formatted
• How often reports are sent
• How spam is filtered
• What actions users can take on quarantined email
See the Email Protection User Guide on how users might manage quarantine reports.
To set up quarantine reports for users, perform the following steps:
1 Click Email Protection | Policies.
2 Select a policy set for which the quarantine reports will apply.
3 Click Spam | Reporting.
4 Under the Enable Spam Quarantine Reporting for heading, select one of the
following options:
• All users – All user accounts associated with the policy set receive Spam
Quarantine Reports.
Note: Users must be able to log into the Control Console to manage their spam
quarantine areas.
• Selected users – Only those user accounts configured for Spam Quarantine
Reports on the User Management windows receive the reports.
• No users – No users associated with this policy set receive Spam Quarantine
Reports.
5 Under the Default Settings heading, complete the following field:
Field: Description
Frequency: From the Frequency drop-down menu, select how often users
receive Spam Quarantine Reports if they have email in spam
quarantine.
Report Type: From the Report Type drop-down menu, select the content that
each Spam Quarantine Report should contain:
• HTML – All Quarantined – All emails in your spam quarantine
area are listed in the Spam Quarantine Report.
• HTML – New Items Since Last Report – Only those emails
received since the previous Spam Quarantine Report are listed in
the Spam Quarantine Report.
• Text – Summary – A text-only email notification is sent to you
with a link to your spam quarantine, instead of the Spam
Quarantine Report. This option supports users with email
applications that do not support HTML content.
• Text – New Items Since Last Report – A text-only email report is
sent to you that indicates how many new emails have been
quarantined as spam since the last report and the total number of
spam emails in your spam quarantine. The report also lists the
email messages that have been quarantined since the last report.
HTML Format: From the HTML Format drop-down menu, select one of the
following:
• HTML with Actions – The links Allow, Deny, and Release are
enabled in the Spam Quarantine Reports.
• HTML without Actions – The links Allow, Deny, and Release are
disabled in the Spam Quarantine Reports. Users must log into the
Control Console to perform these actions.
Note: This field is ignored if the Report Type field is set to Text-only Summary.
6 Under the Spam Quarantine Report Security Settings heading, complete the
following fields:
Field: Description
Report Links: From the Report Links drop-down menu, select the number of days
after which the links in the Spam Quarantine Report become
inactive.
A low value may not give the users enough time to review their
Spam Quarantine Report and perform any spam management. A
high value might increase the security risk of unauthorized access
into the Control Console using an old Spam Quarantine Report.
Restrict user rights when accessing quarantine from spam quarantine report: Select
this field so that administrator-level users will be
logged in with the role of User when accessing the Spam Quarantine
Reports. If you leave the checkbox blank, administrator-level users
will be logged in with their administrative role.
Note: Selecting this option is recommended to provide additional
security for the Control Console. This option applies to all
administrative levels, including Reseller Administrators, Customer
Administrators, Domain Administrators, Quarantine Managers,
and Reports Managers.
7 Under the Other Options heading, select any or all of the following options:
Field: Description
Allow users to personalize spam filtering actions: Select to allow users to customize
actions that Email Protection takes on email that is likely to be spam. Users actually
select the actions on spam from the Preferences window on the Control Console.
Allow users to personalize delivery frequency: Select to allow users to change the
frequency with which they receive Spam Quarantine Reports. Users select the
frequency of reports from the Preferences window on the Control Console.
Allow users to personalize report type: Select to allow users to change the default
settings you set in the Report Type field on this window. Users can change the Report
Type from the Preferences window on the Control Console.
Allow users to “opt out” of spam filtering: Select to allow users to turn filters for spam
on or off. Users can turn off spam filtering from the Preferences window on the
Control Console.
Enable “Always Deny” shortcut from spam quarantine report: Select to enable the
Always Deny link in user’s Spam Quarantine Reports, the Message Quarantine
windows, and the Safe Message View window.
If you leave the checkbox blank, users must go to the Allow/Deny Sender Lists
window to change their Allow or Deny lists.
Show spam score on spam quarantine report: Select to display the spam likelihood
score for each quarantined message in the Spam Quarantine Reports.
Allow users to download Spam Control For Outlook®: Select to display a link in Spam
Quarantine Reports, from which users can download the Spam Control For Outlook
utility. The location from which the utility is downloaded is configured in the Branding
Settings window.
Note: This feature can be enabled or disabled at the system level.
Allow non-admin users to sign in directly to the Control Console: Select to allow users
to log into the Control Console using the Sign in window.
Note: This feature does not affect the ability of users to log in by clicking
a link in a Spam Quarantine Report. If Control Console access is not
enabled and users do not receive the Spam Quarantine Report, the
Quarantine Manager or higher level roles must perform any changes to
the user settings, maintenance of the users’ spam quarantine, etc.
Display message content in Safe Message View: Select to allow users to view the body
content of an email in the Safe Message View window.
If you leave the checkbox blank, the user must release the email to see
what it contains in the body content.
Display user email addresses in spam quarantine report: Select to enable the view of
user addresses in the HTML SQR report so that users do not have to scroll through
multiple addresses before they get to the quarantine items.
Allow users to configure alternate email address for spam report delivery: Select to
allow users to choose an alternate email address to reroute their
Spam Quarantine Report if needed. Users may go to Account
Management | User | Preferences to add their alternate email address.
Alert! – Please be advised that redirecting a user's SQR allows the chosen
alternate recipient to have full access to their Control Console account,
including access to that user's Preferences. Therefore, please encourage
the user to choose their alternate email address carefully.
8 Click Save.
Configure a Content Filter
You can create a custom content filter. The content filter does the following:
• Blocks or quarantines the email that contains prohibited keywords.
• Notifies the sender or recipient when an email has been quarantined or blocked.
• Blocks malicious HTML tags or prohibited images.
• Manages the ability for users to click on links in email.
Note: Content filtering does not analyze the content within attachments.
Note: If you also define content filtering on the Spam – Content Groups window (see
Configure a Spam Filter), the Content – Content Groups filter overrides the keyword
filtering you define on the Spam – Content Groups window. In addition, spam
identified by the Content – Content Groups filter is accessible only by Quarantine
Managers or higher level administrators. Users cannot view this spam.
Note: Due to the nature of the content filtering, the window images may contain offensive
material.
To create a new policy content filter, perform the following steps:
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Content.
The Content Groups window is displayed, showing the default content groups.
• Profanity
• Racially Insensitive
• Sexual Overtones
You cannot change the keywords in these groups.
The Content Group Policy fields are displayed.
Email Protection also provides predefined content groups that contain valid and
acceptable personally identifiable information that is allowed in email messages due to
specific policies. You cannot edit these content groups, but can designate whether or not
they are used. Following are the two types of predefined content groups:
• Credit Card Number
• Social Security Number
The Credit Cards that are supported include AMEX, VISA, MC, and DISC.
Note: Credit Card Numbers and Social Security Numbers can be represented or formatted in
various ways and Email Protection may not be able to capture all messages that contain
this information.
More Options
If a Customer or Domain subscribes to Email Encryption, then selecting this option can be
used to enforce Email Encryption if the outbound message contains the word [encrypt].
The word [encrypt] can reside in the message subject line or the body of the outbound
message.
Note: This option is only available on the Outbound Policy Content Group window.
1 Click Edit or double-click your selected Content Group. You may perform the
following:
• Group Name – This defaults to the name of your selected group.
• Content – This field is disabled for Content Groups.
2 From the drop-down Action list, the following actions may be applied to a Content
Group:
• None – The email is forwarded to the recipient email address.
• Quarantine the message – The email is sent to the recipient's domain content
quarantine area.
• Deny Delivery – The email is denied delivery.
• Allow – The email is sent to the recipient email address.
• Tag the message subject with "[SPAM]" – The phrase "[SPAM]" is added to the
subject line of the email at the beginning of the subject text and the email is sent to
the recipient email address.
• Encrypt Message – is also available for Outbound content groups, if the Customer
has subscribed to Encryption.
3 Silent Copy allows you to forward a copy of the original message. To send a copy,
select a predefined distribution list from the drop-down.
4 Click Save.
Turn Off a Default Content Filter
You can deactivate any of the Email Protection default content filters if you want to allow
email containing those keywords to be delivered or you want to replace the list of
keywords with your own list.
Note: Instead of turning off the content filter, you can also choose the action None for the
filter. In this case, Email Protection filters email, but delivers matching email to users with
no other notifications or marking.
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Content.
The Content Groups window is displayed, showing the default content groups.
• Profanity
• Racially Insensitive
• Sexual Overtones
4 Double-click one of the default content groups.
5 Uncheck the Enable checkbox.
6 Click Save.
Custom Content Group
The Custom Content Groups subtab allows customers to define their own custom
content keyword group and assist in monitoring their email. By configuring a Content
Group, the customer can determine how the system reacts if it receives an email that
contains text that violates that content policy. Customers can also define a different action
for each content group.
Note: If the content group is enabled, then email will be filtered for that content.
1 Click New or double-click your selected Custom Content Group, and perform the
following:
2 Group Name: select and type the name of your Custom Content Group.
3 Content: List the content keywords needed to define your Custom Content Group. In
the Content field, type any keywords you want to search for in email. Use the
following rules for entering keywords.
• Each entry must be on its own line (separated by a hard return).
• If an entry contains multiple words, the entire phrase is used as a literal string (“as
is”).
• If individual words are desired, each word must be on its own line.
• Letter-case (for example, upper case or lower case) is ignored.
• The wildcards question mark (?) and asterisk (*) can be used to designate the
following:
— ? – designates any single character, including white space characters (for
example, menu, space, line break, etc.).
For example, w?y would catch way, why, and w y.
— * (without quotes) at the end of the string designates multiple characters until
a white space character is encountered.
For example, refi* would catch refinance, refinancing and refine.
— * – followed by a literal character designates multiple characters, including
white space characters, until the designated character is encountered.
For example, refi*d would catch refinanced, but would also catch refinishing
is a great way to save d.
— If the literal asterisk or question mark is desired, it must be preceded by a
backslash (for example, \* or \?).
For example, why\? (without quotes) would catch the string why? and the
question mark would not be used as a wildcard.
Caution: It is possible to create wildcard combinations that will filter valid email,
including all email, and/or will substantially slow email processing. Be very careful if you
use wildcards to ensure that only the desired content is filtered.
4 From the Action drop-down menu, select an action to take if an email matches a
keyword:
• None – The email is forwarded to the recipient email address.
• Quarantine the message – The email is sent to the recipient's domain content
quarantine area.
• Deny Delivery – The email is denied delivery.
• Allow – The email is sent to the recipient email address.
Note: The Allow option is useful if you want to override standard Email Protection spam content
filtering for particular keywords.
Note: Emails that match keywords but are allowed will be reported as Other in the Threats: Spam
report.
• Tag the message subject with "[SPAM]" – The phrase "[SPAM]" is added to the
subject line of the email at the beginning of the subject text and the email is sent to the
recipient email address.
• Encrypt Message – is also available for Outbound content groups, if the Customer
has subscribed to Encryption.
• Silent Copy – allows you to forward a copy of the original message. To send a copy,
select a predefined distribution list from the drop-down.
5 Click the Enable checkbox to turn on the spam content group.
6 Click Save for the new spam content group.
7 Click Save for the policy or continue to the Notifications tab.
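The keyword wildcard rules given for spam content groups and for custom content groups, modelled as an added Python example for checking a keyword list before it is saved (this is not McAfee code, and the service's own matching engine is not documented in this guide). It assumes unanchored substring matching and a shortest-possible match for an asterisk in mid-entry; the function names and sample messages are constructed for illustration.

```python
import re

# Constructed samples of known-good mail, used to spot entries that are too broad.
BENIGN_SAMPLES = [
    "Team lunch moved to Friday",
    "Quarterly report attached for review",
]


def entry_to_regex(entry):
    """Translate one Content-field entry into a compiled regular expression."""
    parts = []
    i = 0
    while i < len(entry):
        ch = entry[i]
        nxt = entry[i + 1] if i + 1 < len(entry) else ""
        if ch == "\\" and nxt in ("*", "?"):
            parts.append(re.escape(nxt))  # \* or \? is a literal character
            i += 2
            continue
        if ch == "?":
            parts.append(".")             # any single character, white space included
        elif ch == "*" and nxt == "":
            parts.append(r"\S*")          # trailing *: run stops at white space
        elif ch == "*":
            parts.append(".*?")           # * before more text: run may cross white space
        else:
            parts.append(re.escape(ch))   # everything else is literal (phrases "as is")
        i += 1
    # Letter-case is ignored; DOTALL lets ? and * cover line breaks.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def compile_group(content_field):
    """One entry per line; blank lines and surrounding spaces are dropped."""
    group = []
    for line in content_field.splitlines():
        entry = line.strip()
        if entry:
            group.append((entry, entry_to_regex(entry)))
    return group


def scan(group, subject, body):
    """Return (entry, matched text) for each entry found in the subject or body.

    Attachments are not scanned, in line with the guide's note.
    """
    hits = []
    for entry, pattern in group:
        for field in (subject, body):
            match = pattern.search(field)
            if match:
                hits.append((entry, match.group(0)))
                break
    return hits


def find_overbroad(group, benign_samples):
    """List entries that also match known-good mail and need tightening."""
    flagged = []
    for entry, pattern in group:
        if any(pattern.search(sample) for sample in benign_samples):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    content_field = "w?y\nrefi*\nrefi*d\nwhy\\?\n"
    group = compile_group(content_field)
    body = "Refinishing is a great way to save d"  # constructed message body
    for entry, text in scan(group, "Why?", body):
        print(f"{entry!r} caught {text!r}")
    risky = compile_group("refi*\n?\n*\nre*t")
    print("too broad:", find_overbroad(risky, BENIGN_SAMPLES))
```

Running find_overbroad against a sample of real, legitimate mail before enabling a group gives an early view of the false positives the Caution describes.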
Notify Users about Spam Content
You can direct Email Protection to send notification emails to the recipient and/or sender
when an email is filtered because it contained spam content. You can see the content of
notifications and change it in the Notifications tabs. See Define the Format and Text of
Notifications to Users.
Note: Virus notifications will not be sent out for emails that are infected with widespread
viruses or worms (for example, SoBig or MyDoom). These notifications will be
automatically disabled by Email Protection.
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Content.
4 Click Notifications.
Complete the following fields:
Field: Description
To the sender when a message is … due to a content group violation: Select one or more
conditions that will cause Email Protection to send a notification email to the sender.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
To the recipient when a message is … due to a content group violation: Select one or more
conditions that will cause Email Protection to send a notification email to the recipient.
• Quarantined – The infected email was quarantined.
• Denied delivery – The infected email was denied delivery.
Configure a Filter for HTML, Java Script,
Configure a Filter for HTML, Java Script,
ActiveX, and Spam Beacons
You can configure how Email Protection filters email for HTML attachments or various
forms of HTML coding within email.
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Content.
4Click HTML Shield.
5Under HTML Shield Protection, select one of the following options:
Field – Description
Low – Select this option to remove only malicious HTML tags from the email
and forward the email to the recipient. Text is added to the email to
indicate that HTML content was removed.
Medium – Select this option to remove the following HTML content from the email
and forward the email to the recipient:
•Malicious HTML tags
•HTML comments and attributes
•All Java, Javascript, and ActiveX code
Text is added to the email to indicate that HTML content was removed.
High – Select this option to remove all HTML content, including scripts as in the
Medium option, from the email and to forward the email to the recipient.
Text is added to the email to indicate that HTML content was removed.
None – Select this option to not perform HTML filtering on email.
6Under Options for Low and Medium Setting, select Enable spam “beacon”
and web bug blocking to block spam beacons and web bugs.
A spam beacon can reveal user activity to spammers while flagging the recipient’s
address as active. A Web bug is any one of a number of techniques used to track who
is reading a Web window or e-mail, when, and from what computer. A Web bug can
also be used to see if an e-mail was read or forwarded to someone else, or if a Web
window was copied to another Website.
Note: This option is available only if you picked the Low or Medium options for
HTML filtering.
7Select Replace all image links with a default transparent image to eliminate
objectionable images in email.
This option replaces links to images in email with links to an image with one transparent
pixel.
Note: This option is available only if you picked the Low or Medium options for
HTML filtering.
8Click Save or continue to ClickProtect.
Configure Web Hyperlink Filters
(ClickProtect)
You can configure whether Web hyperlinks in email are blocked or can be clicked and
followed by the user. You can also designate a ClickProtect Allow List of URL addresses
that are excluded from the ClickProtect processing (for example, your corporate URLs).
As another option, you can set tracking of links that are clicked so that they are reported in
the ClickProtect: Click Log Report.
Caution: ClickProtect only processes links in emails with accepted message formats,
which include HTML or Rich Text
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Content.
4Click ClickProtect.
5Click one of the following options:
•Disable ClickProtect — Disables this feature completely and allows users to
click and access Web hyperlinks in the emails without logging information in the
system.
•Display warning message before redirecting — Displays a dialog box with a
customizable warning message. Users can then either stop the click-through
process or continue to the Web site.
•Display warning message and deny click-throughs — Displays a dialog box
with a customizable warning message and does not allow users to continue with
the click-through process.
6If you clicked one of the last two options above, overtype the text in the Warning
Message text box. You can also leave the default text if desired.
7In the Allow URL or IP field, type URL or IP addresses that you want to allow users
to access and bypass ClickProtect processing.
The following values are allowed:
•IP Address — Complete address (for example, 10.10.10.1) or partial address with
wild cards (for example, 10.10.10.*).
•Domain Name — Qualified domain name (for example, xyz.com) or subdomains
(for example, *@*.xyz.com denies emails from any subdomain of the XYZ
domain, such as user@abc.xyz.com). If you know you want to allow all emails
from this domain, then use this option instead of typing in each email address
associated with the domain. The following list provides some examples of
allowable URLs.
The value is added to the list box.
Note: (This step is only available to certain user roles, when a user-defined policy set
is selected.) If you want to include the values listed for the Default Inbound policy set,
select the check box located beneath the list.
Upload a List of Allowed URLs
You can create a list of allowed URLs and upload that list to the Control Console. To
upload a list, perform the following steps:
1Create a file with a predefined list of URLs. The predefined list must be in the
following format:
•Must be a text file
•One entry per line
•File must be available for your browser to access
2On the ClickProtect window, go to the More Options section.
Additional fields are displayed.
3To upload the file, click Browse next to the Upload List field and locate the file.
4Click Upload Allow List.
The contents are added to the ClickProtect Allow List box.
5Click Save.
Download a List of Allowed URLs from the
Control Console
If you want to download the list of allowed URLs to your local drive, click Download
ClickProtect Allow List. The downloaded list is a file in CSV format. You can open it in
Microsoft Excel.
Define an Attachment Filter
You can create a customer attachment filter. You can filter email for attachments based on
the following criteria:
•Filter by Attachment File Types, including file size.
•Filter by Attachment File Name
•Filter Zip File Attachments
Filter by Attachment File Types
To filter email by file type, you must define the following:
•What file types are allowed to be received
•File size restrictions on the allowed file types
•The email action that will be used if an email violates any of the file type attachment
policies
To create a new policy content filter, perform the following steps:
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Attachments.
The Attachments: File Types window is displayed.
4For each file type in the Allowed Attachment Types section, select one of the
following options from the drop-down menu:
•Disallow — All email containing this file type are blocked.
•A file size, such that an email with a file of this file type that exceeds the file size
is blocked.
— Max 500 KB
— Max 1 MB
—2 MB
—5 MB
—10 MB
—15 MB
•Any size — Email with this file type is allowed and delivered.
Note: By default, each listed attachment file type is allowed unless you specifically
select it to be disallowed, except for the types Executables and Scripts. These two
file types are relatively easy to self-invoke from an email, and thus increase the
security risk of a self-running virus or worm.
The following table lists the file extensions associated with each file type:
File Type – Example File Extensions
Microsoft Word Documents – *.doc, *.dot, *.rtf, *.wiz
Microsoft Powerpoint Documents – *.pot, *.ppa, *.pps, *.ppt, *.pwz
Microsoft Excel Documents – *.xla, *.xlb, *.xlc, *.xlk, *.xls, *.xlt, *.xlw
Microsoft Access Files – *.adp, *.ldb, *.mad, *.mda, *.mdb, *.mdz, *.snp
All Other Files – Any file extensions that are not included in the other file types
5In the Action to take for Disallowed Attachments section, select one of the
following options:
•Do nothing – Email Protection sends the email to the recipient with no filtering or
notification.
•Deny delivery – Email Protection denies delivery of the email.
•Strip the attachment – Email Protection strips the attachment from the email and
the email is sent to the recipient. Text is inserted into the email notifying the
recipient that an attachment has been stripped.
•Quarantine the message – Email Protection sends
the email to quarantine.
6Click Save
or continue to the Filename tab.
Filter by Attachment File Name
You can create a custom filter to filter email for specific file names. This filter overrides any
conflicting file type policies you may have defined.
To define a filter for attachment file name, perform the following steps:
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Attachments.
The Attachments: File Types window is displayed.
4Click Filename Policies.
The Filename Policies window is displayed.
5Click New.
The New Attachment Filename Policy section is displayed.
6From the Filter drop-down menu, select one of the following:
•Is – Email Protection filters for file names that have an exact match to the text in
the Value field. For example, if you want to filter for the file name config.exe and
no others, you must select Is and then type config.exe in the Value field. For this
example, the Is option has the meaning “File name IS config.exe.”
•Contains – Email Protection filters for file names that contain the text in the
Value description anywhere within the filename string. For example, if you want
to filter for any file that contains config in its name, like postconfig or config.ini,
select this option.
•Ends with – Email Protection filters for file names that end with the text in the
Value description. For example, if you want to filter for any executable files
ending with .exe, select this option.
7In the Value field, type the name or partial name with which Email Protection should
search incoming email. For example, if you want Email Protection to search for any
file containing the text config, type config.
8From the Action drop-down menu, select one of the following options:
•Do nothing – Email Protection sends the email to the recipient with no filtering or
notification.
•Deny delivery – Email Protection denies delivery of the email.
•Strip the attachment – Email Protection strips the attachment from the email and
the email is sent to the recipient. Text is inserted into the email notifying the
recipient that an attachment has been stripped.
•Quarantine the message – Email Protection sends the email to quarantine.
9Ignore the Silent Copy drop-down list. No silent copy will be sent.
10 Click Save to save the new filename filter.
11 Click Save for the policy or continue to the Additional Policies tab to filter for zip file
attachments.
Filter Zip File Attachments
You can create a custom filter for zipped file or compressed file attachments. These
policies are ignored unless the Compressed or Archived Files filetype is allowed in the
Attachments: File Types window.
To define a filter for attachment file name, perform the following steps:
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Attachments.
The Attachments: File Types window is displayed.
4Click Additional Policies.
The Additional Attachment Policies window is displayed.
5From the Message contains high-risk attachment drop-down menu, select one of the
following options:
•Allow delivery – Email Protection sends the email to the recipient with no
filtering or notification.
•Quarantine the message – Email Protection sends the email to quarantine.
•Deny delivery – Email Protection denies delivery of the email.
This action applies if an email has an attachment that is a zipped file and that violates
any of the following rules:
•The zip file itself is too large ( > 500MB).
•A file contained in the zip file is too large ( > 100MB).
•The zip file contains too many files ( > 1500 files).
•The compression rate is too high ( > 95% compressed).
•The zip file contains too many levels of nesting ( > 3 levels).
6From the Message contains an encrypted zip attachment drop-down menu, select
one of the following options:
•Allow delivery – Email Protection sends the email to the recipient with no
filtering or notification.
•Quarantine the message – Email Protection sends the email to quarantine.
•Deny delivery – Email Protection denies delivery of the email.
The action applies if an email message has an attachment that is a zipped file and is
encrypted and password-protected. This format is commonly used to prevent scanning
for viruses in zipped files.
7From the File in zip attachment violates attachment policy drop-down menu, select
one of the following options.
•Attachment policy action – The action for the specific policy that was violated
will be performed on the entire attachment. If multiple policies were violated, the
policies defined in the Attachment – Filename Policies subtab override the
policies defined in this subtab.
•Do nothing – The email is sent to the recipient with no filtering applied.
The action applies if an email has an attachment that is a zipped file and the
zipped file contains files that violate the previously-defined filters for attachments.
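The zip rules in steps 5 and 6 can be reproduced offline to see how a given archive would be classified before you choose an action. The following Python example is added here and is not McAfee's implementation; the function names, the reading of "levels" (outermost archive is level 1) and of "compression rate" (1 - compressed/uncompressed over all members) are assumptions, and the sample archives are constructed in memory.

```python
import io
import zipfile
import zlib

# Limits quoted in the guide for the "high-risk attachment" action.
MAX_ARCHIVE_BYTES = 500 * 1024 * 1024   # the zip file itself
MAX_MEMBER_BYTES = 100 * 1024 * 1024    # any single contained file
MAX_MEMBERS = 1500                      # number of contained files
MAX_COMPRESSION = 0.95                  # fraction of size removed by compression
MAX_NESTING = 3                         # zip-in-zip depth (assumed: outermost = 1)
ZIP_MAGIC = b"PK\x03\x04"               # local file header signature


def inspect_zip(data, level=1, findings=None):
    """Return the sorted names of the rules a zip attachment violates."""
    findings = set() if findings is None else findings
    if level > MAX_NESTING:
        findings.add("nesting")
        return sorted(findings)
    if len(data) > MAX_ARCHIVE_BYTES:
        findings.add("archive_size")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.add("unreadable")          # added category, not a rule from the guide
        return sorted(findings)
    with archive:
        members = archive.infolist()
        if len(members) > MAX_MEMBERS:
            findings.add("member_count")
            return sorted(findings)         # do not walk an oversized listing
        packed = sum(m.compress_size for m in members)
        unpacked = sum(m.file_size for m in members)
        if unpacked and 1 - packed / unpacked > MAX_COMPRESSION:
            findings.add("compression_ratio")
        for m in members:
            if m.flag_bits & 0x1:           # bit 0 set: member is encrypted
                findings.add("encrypted")
                continue                    # cannot be scanned without the password
            if m.file_size > MAX_MEMBER_BYTES:
                findings.add("member_size")
                continue                    # never expand an oversized member
            if m.is_dir() or m.file_size < len(ZIP_MAGIC):
                continue
            try:
                with archive.open(m) as fh:
                    inner = fh.read(MAX_MEMBER_BYTES + 1)   # capped read
            except (zipfile.BadZipFile, NotImplementedError, zlib.error):
                findings.add("unreadable")
                continue
            if inner.startswith(ZIP_MAGIC):  # nested archive, whatever its name
                inspect_zip(inner, level + 1, findings)
    return sorted(findings)


def make_zip(members, deflate=False):
    """Build a constructed sample archive in memory from {name: bytes}."""
    method = zipfile.ZIP_DEFLATED if deflate else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag in the first central-directory entry (constructed sample)."""
    raw = bytearray(zip_bytes)
    pos = raw.find(b"PK\x01\x02")           # central directory file header
    raw[pos + 8] |= 0x01                    # general purpose bit flag, bit 0
    return bytes(raw)


if __name__ == "__main__":
    highly_compressed = make_zip({"zeros.bin": b"\0" * (1024 * 1024)}, deflate=True)
    print(inspect_zip(highly_compressed))
    print(inspect_zip(mark_encrypted(make_zip({"secret.doc": b"payload"}))))
```

Findings other than `encrypted` correspond to the Message contains high-risk attachment menu; `encrypted` corresponds to the Message contains an encrypted zip attachment menu.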
Notify Users about Attachment Violations
You can direct Email Protection to send notification emails to the recipient and/or sender
when an email is filtered because it contained an attachment violation. You can see the
content of notifications and change it in the Notifications tabs. See Define the Format and
Text of Notifications to Users.
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Attachments.
4Click Notifications.
5Complete the following fields:
Field – Description
To the sender when a message is … due to an attachment policy violation – Select one or
more conditions that will cause Email Protection to send a notification email to the sender.
•Quarantined – The email that contained an attachment violation was
quarantined.
•Denied delivery – The email that contained an attachment violation
was denied delivery.
•Stripped – The infected attachment was stripped and the email sent to
the recipient.
To the recipient when a message is … due to an attachment policy violation – Select one or
more conditions that will cause Email Protection to send a notification email to the recipient.
•Quarantined – The email that contained an attachment violation was
quarantined.
•Denied delivery – The email that contained an attachment violation
was denied delivery.
•Stripped – The violating attachment was stripped and the email sent to
the recipient.
6Click Save.
Allow or Deny Email to or from
Specific Addresses
You can define lists of sender email addresses, domain names, or IP addresses whose
email is always delivered to your users, or conversely, whose email is always denied
delivery. In addition, you can define lists of recipient email addresses that are always
denied receiving email.
The Sender Allow and Sender Deny lists are used in combination with the user-level
Allow and Deny lists that can be defined for specific user accounts. In the case of a
conflicting entry (for example, the same email address is in the user-level Allow list and
the Sender Deny list at the policy set level), the lists defined in these tabs override the
user-level lists.
The allowed maximum of items for each list is defined at the system level and may vary
for different installations of Email Protection.
Allow Email from a Specific Address
You can define a list of sender addresses whose email will always be accepted without
email filtering. The exception is that virus filtering is always applied if licensed for that
policy set, unless overridden by the user-level policy configurations. In addition, the
user-level Deny list will override the policy set-level Sender Allow list.
You can add individual addresses one at a time or you can add them with a batch file. See
Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Allow/Deny.
The Sender Allow window is displayed.
4In the Add Address field, type the address of a sender whose email should be
delivered without filtering.
The following values are allowed in the list entries:
•Email addresses – Complete sender email address or partial address with
wildcards (for example, gsmith@domain.com or g*@domain.com)
•Domain names – Complete domain name or partial name with wildcards (for
example, “domain.com”)
•IP addresses – Complete IP address or partial address with wildcards (for
example, 123.123.12.3 or 123.123.12.*)
Note: CIDR notation is not allowed. Each IP address must be designated separately.
5Click Add.
The address is added to the allowed address box on the right.
6Repeat steps 4 and 5 for each address you want to add.
7Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient
Shield List.
Sender Policy Framework (SPF)
You are able to whitelist a specific email address or domain and assign an SPF check to that
address. Subsequent mail coming from the whitelisted domain is then checked against
SPF records. Should the SPF check fail, the mail is denied.
The following conditions apply to an SPF verification:
•If the record can be verified, then content and spam filtering is skipped for the
sender’s inbound messages.
•If the record cannot be verified, then filtering is not skipped for the sender’s inbound
messages.
Note: If a sender on the allow list does not have an SPF record, the inbound message is still
allowed.
Deny Email from a Specific Address
You can define a list of sender addresses whose email will always be denied regardless of
email filtering. This Deny list overrides the user-level Allow list.
You can add individual addresses one at a time or you can add them with a batch file. See
Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Allow/Deny.
The Sender Allow window is displayed.
4Click Sender Deny.
The Sender Deny window is displayed.
5In the Add Address field, type the address of a sender whose email should be denied
without filtering.
The following values are allowed in the list entries:
•Email addresses – Complete sender email address or partial address with
wildcards (for example, gsmith@domain.com or g*@domain.com)
•Domain names – Complete domain name or partial name with wildcards (for
example, domain.com)
•IP addresses – Complete IP address or partial address with wildcards (for
example, 123.123.12.3 or 123.123.12.*)
Note: CIDR notation is not allowed. Each IP address must be designated separately.
6Click Add.
The address is added to the denied address box on the right.
7Repeat steps 4 and 5 for each address you want to add.
8In the If the Sender is on the Sender Deny List section, select one of the following
options:
•Accept and silently discard the message – The email is accepted, but is
discarded without notification.
•Deny delivery – The email is denied delivery.
9Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient
Shield List.
Deny Email to a Specific Recipient
You can define a list of recipient user addresses whose incoming email will always be
denied, regardless of email filtering. For example, you can designate that emails received
to an ex-employee’s user account are always denied. Email received for all alias email
addresses for the designated user account is also included in the Recipient Shield
processing.
You can add individual addresses one at a time or you can add them with a batch file. See
Add Allow, Deny, or Recipient Shield Addresses with a Batch File.
1Click Email Protection | Policies.
2Select the policy you want to change.
3Click Allow/Deny.
The Sender Allow window is displayed.
4Click Recipient Shield.
The Recipient Shield window is displayed.
5In the Add Address field, type the address of a recipient whose email should be
denied.
You can type a complete recipient email address or partial address with wildcards (for
example, “gsmith@domain.com” or “g*@domain.com”).
Note: The email addresses must be defined in the primary Domain. Alias domain
names are not allowed.
6Click Add.
The address is added to the recipient address box on the right.
7Repeat steps 4 and 5 for each address you want to add.
8In the If the Recipient is on the Recipient Shield List section, select one of the
following options:
•Accept and silently discard the message – The email is accepted, but is
discarded without notification.
•Do nothing – The email is forwarded to the recipient email address with no
processing applied.
9Click Save.
You can save a copy of the list you created. See Save a Copy of an Allow, Deny, or Recipient
Shield List.
Save a Copy of an Allow, Deny, or Recipient
Shield List
You can download the allow or deny list you have created so you can store a copy. To
download a copy, perform the following steps.
1On the Allow, Deny, or Recipient Shield window, click More Options.
2Click Download [] List.
A download window is displayed. Email Protection automatically creates a Microsoft
Excel spreadsheet (*.csv file) containing the address list. You can choose to save the
file or open it directly.
Add Allow, Deny, or Recipient Shield
Addresses with a Batch File
1Using a text editor, create a text file that contains one email address per line, and save
it to your computer.
2On the Allow, Deny, or Recipient Shield window, click More Options.
Additional fields are displayed.
3Click Browse and search for the text file you created.
4Click Upload [] List.
5Click Save.
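Before uploading a batch file, it can be checked against the entry formats listed for the Sender Allow and Sender Deny lists. The following Python example is added here and is not part of Email Protection; the regular expressions, the rejection of wildcard-only entries and the function names are assumptions, and the sample file is constructed.

```python
import ipaddress
import re

# Assumed patterns for the three entry types the guide lists; "*" is the wildcard.
IP_RE = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+*-]+@[A-Za-z0-9*-]+(\.[A-Za-z0-9*-]+)*\.[A-Za-z*]+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9*-]+(\.[A-Za-z0-9*-]+)*\.[A-Za-z*]+$")


def classify_entry(entry):
    """Return 'email', 'domain' or 'ip', or the reason the entry is rejected."""
    if not re.sub(r"[*.@]", "", entry):
        return "wildcard-only"            # e.g. *@* would match every sender
    if "/" in entry:
        try:
            ipaddress.ip_network(entry, strict=False)
            return "cidr-not-allowed"     # the guide: CIDR notation is not allowed
        except ValueError:
            return "invalid"
    if IP_RE.match(entry):
        octets = [o for o in entry.split(".") if o != "*"]
        return "ip" if all(int(o) <= 255 for o in octets) else "invalid"
    if "@" in entry:
        return "email" if EMAIL_RE.match(entry) else "invalid"
    return "domain" if DOMAIN_RE.match(entry) else "invalid"


def lint_allow_list(text):
    """Split a one-entry-per-line file into accepted and rejected entries."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        kind = classify_entry(entry)
        if kind not in ("email", "domain", "ip"):
            rejected.append((lineno, entry, kind))
        elif entry.lower() in seen:
            rejected.append((lineno, entry, "duplicate"))
        else:
            seen.add(entry.lower())
            accepted.append((entry, kind))
    return accepted, rejected


# Constructed sample file: five valid entries followed by four that should be rejected.
SAMPLE_FILE = """\
gsmith@domain.com
g*@domain.com
domain.com
123.123.12.3
123.123.12.*
123.123.12.0/24
GSMITH@domain.com
*@*
not an address
"""

if __name__ == "__main__":
    ok, bad = lint_allow_list(SAMPLE_FILE)
    for lineno, entry, reason in bad:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
```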
Email Authentication
Transport Layer Security
Transport Layer Security (TLS) has routinely been supported and is still supported by our
Email Protection system. If a TLS connection can be negotiated between the sender and
the recipient MTAs, then the system delivers the email over TLS. If a TLS connection
CANNOT be established between the sender or the recipient MTA, then the mail transfer
agent delivers, via SMTP, without encryption. Therefore, it is recommended that you
specify a Sender’s domain and/or sub-domain for this policy so that TLS is enforced.
Thus, if TLS cannot be established, then the message will not be delivered and a bounce
message will be generated to the sender, recipient, or both depending on the Notifications.
Note: Enforced TLS requires a negotiation between our mail transfer agent and yours
to be successful. You must have TLS turned on at your end to accommodate this
transaction. Refer to your MTA software manual on “How to enable/turn-on TLS”
to ensure TLS is implemented in your system prior to setting up your domain lists.
From the Policy Set window select Email Authentication | Enforce TLS tab and complete
the following steps.
Add Domain
6To enter values into the TLS domain list enter the full address of the Sender/
Recipient’s domain and/or sub-domain.
NOTE: Any Sender/Recipient's domain or subdomain must be explicitly specified for
enforced TLS. Specifying a Sender/Recipient's domain doesn't automatically include
any sub-domains of that domain.
7Click the Add » button. The value is added to the list box.
NOTE: The maximum number of values allowed in the Add Domain list is specified. This
limit is defined at the system level (see the online help for the specific count). Any
duplicate or invalid values are discarded automatically.
•Upload Enforced TLS List (appends to existing list): To upload a file with a
predefined list, click the Browse button. After you select the file and its path appears
in the text field, click the Upload button. The contents are added to the Add Domain
box above.
•Download Enforced TLS List (be sure to save changes first): To Download a domain
list in a csv file, click the Download button, select the list you wish to download and
click Save.
8Subscribe to Default TLS List: By checking the subscription to the TLS default list you
will be adding the appropriate Inbound/Outbound Default domain policy to your
customized Enforced TLS domain list. The default list can be viewed by clicking the
corresponding Inbound/Outbound Default selection under the Policies tab. This option
is only available in custom (non-default) policy sets.
NOTE: If the default list changes, your subscription to the default is updated to reflect
those changes.
Save
9Click the Save button to save your information.
Download
To Download a domain list in a csv file, click the Download button, select the list you
wish to download and click Save.
Enforced SPF
Sender Policy Framework (SPF) can be used by email recipients to determine if the
messages they receive were sent from someone authorized by the domain owner, which
can help detect spoofing. SPF only works when domain owners implement and maintain it
voluntarily.
To implement SPF, domain owners must create special DNS entries which list the IP
addresses that are authorized to send email from their domain. Email recipients must
compare an email's source IP address to the IP address in the domain owner's DNS SPF
records. If they match, it is reasonable to assume that the message was sent by the domain
owner or an authorized third party.
Important SPF information:
• SPF implementation is voluntary and many domain owners have not implemented
DNS SPF records, including many well-known commercially used domains.
• Even those that have implemented SPF might have outdated or inaccurate records,
resulting in false positives. The only way to resolve this is to contact the domain
owner and ask them to correct the issue.
• Nothing prevents spammers and hackers from implementing SPF, so it is not a
reliable spam indicator.
• Many organizations allow third parties to send mail on behalf
of their domain (authorized spoofing). These third parties must be authorized by the
domain owner as part of their SPF records in order for recipients to successfully
validate the third party messages.
• Hosted email providers often give the same SPF records to all their customers, making
it impossible to distinguish one customer from another, thus reducing usefulness
of the technology.
• Even when SPF is implemented and enforced, it is still possible for spammers to
create very convincing spoofed emails; therefore, continued user training and caution
is advised.
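The comparison described above, a message's source IP against the domain owner's published record, is shown here as an added Python example that is not part of the guide or of Email Protection. It evaluates only the ip4, ip6, include and all mechanisms, reads constructed TXT records from a dictionary instead of DNS, and uses documentation domain names and address ranges; the function and variable names are assumptions.

```python
import ipaddress

# Result for each SPF qualifier; a mechanism without a qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # guard against include loops

# Constructed TXT records standing in for DNS.
ZONE = {
    # Domain owner authorizes its own range plus a third-party mailer.
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.net -all",
    # The third party's record, shared by every customer that includes it.
    "mailer.example.net": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
    # A domain whose owner has published no SPF record.
    "nospf.example.org": None,
}


def check_spf(source_ip, domain, zone=ZONE, depth=0):
    """Evaluate source_ip against the SPF record for domain.

    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > MAX_LOOKUPS:
        return "permerror"
    record = zone.get(domain)
    if not record or record.split()[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == network.version and ip in network
        elif name == "include":
            inner = check_spf(source_ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"          # included domain must have a usable record
            matched = inner == "pass"       # only a pass from the include counts
        else:
            return "permerror"              # a, mx, exists, ptr need live DNS: not handled
        if matched:
            return QUALIFIERS[qualifier]    # first matching mechanism decides
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"),
                    ("198.51.100.5", "example.com"),
                    ("203.0.113.9", "example.com"),
                    ("192.0.2.10", "nospf.example.org")]:
        print(ip, dom, check_spf(ip, dom))
```

The second sample address passes only because example.com's record includes the third party, and any other customer of mailer.example.net that includes the same record would pass from that address too.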
Create an Enforced SPF Domain
Go to the Email Authentication | Enforced SPF tab and complete the following
information to implement an SPF domain.
To enter values for the SPF domain list, enter the full address of the Sender domain and/or
sub-domain, or use part of the domain using wildcards. Any Sender domain or subdomain
must be explicitly specified for enforced SPF. Specifying a Sender domain doesn't
automatically include any sub-domains of that domain. Examples of Wildcard use include
any of the following:
•*.example.com
•example.*
•mysubdomain.*.*
•subdomain.*.example.com
1Click the Add » button. The value is added to the list box.
Note: The maximum number of values allowed in the Add Domain list is 1500. This limit is defined
at the system level. Any duplicate or invalid values are discarded automatically.
2To remove a value from the list, select it in the list box and click the « Remove button.
Note: To select more than one value from the list, press Ctrl on your keyboard, click each entry
you want to remove, and then click the « Remove button.
•Upload Enforced SPF List (appends to existing list): To upload a file with a
predefined list, click the Upload Browse button. After you select the file and its path
appears in the text field, click the Upload button. The contents are added to the Add
Domain box above.
•Download Enforced SPF List (be sure to save changes first): To download a
domain list in a csv file, click the Download button, select the list you wish to
download and click Save.
NOTE: If the default list changes, your subscription to the default is updated to reflect
those changes.
Enforced DKIM
DomainKeys Identified Mail (DKIM) is part of the Email Authentication suite designed to
verify the email sender and the message integrity. The DomainKeys specification has
adopted aspects of Identified Internet Mail to create an enhanced protocol called
DomainKeys Identified Mail.
Complete the following information to implement a DKIM domain.
Add Domain
To enter values for the DKIM domain list, enter the full address of the sender
domain and/or sub-domain, or use part of the domain using wildcards. Specifying a sender
domain does not automatically include any sub-domains of that domain. The following list
demonstrates different examples of entries using a wildcard (*).
•*.example.com
•example.*
•mysubdomain.*.*
•subdomain.*.example.com
If the sub-domain is not going to be entered using the wildcard character, the sub-domain
must be explicitly defined.
1Click the Add » button. The value is added to the list box.
Note: The maximum number of values allowed in the Add Domain list is 1500. This limit is
defined at the system level. Any duplicate or invalid values are discarded automatically.
2To remove a value from the list, select it in the list box and click the « Remove button.
Note: To select more than one value from the list, press Ctrl on your keyboard, click each entry
you want to remove, and then click the « Remove button.
Note: All entries are removed when you click the Remove All button.
More Options
Regardless of Sender Domain From the drop-down lists, select the appropriate DKIM
action (Deliver, Deny, Tag Subject) for the following criteria:
Upload Enforced DKIM List (appends to existing list):
3 To upload a file with a predefined list, click the Upload Browse button. After you
select the file and its path appears in the text field, click the Upload button. The
contents are added to the Add Domain box above.
Download Enforced DKIM List (be sure to save changes first):
4 To download a domain list in a csv file, click the Download button, select the list you
wish to download and click Save.
5 Click the Save button to save your information.
By checking the Subscribe to Default Inbound
policy Enforced DKIM list subscription,
you will be adding the appropriate Inbound/Outbound Default domain policy to your
customized Enforced DKIM domain list. The default list can be viewed by clicking the
corresponding Inbound Default selection under the Policies tab. This option is only
available in custom (non-default) policy sets.
NOTE: If the default list changes, your subscription to the default is updated to reflect those
changes.
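A pre-upload check for an Enforced DKIM list file, added here as an example and not part of the McAfee guide or product. It applies the 1500-entry limit and the discarding of duplicate and invalid values described above; the validity rules, the case folding, and the reading of "*" as exactly one domain label are assumptions, since the guide does not define them.

```python
import re

MAX_ENTRIES = 1500  # list limit stated in this guide

# Assumption: a label is "*" or a letters/digits/hyphen hostname label.
_LABEL = re.compile(r"^(\*|[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)$")


def normalize(entry):
    """Return the lower-cased entry, or None if it is not a usable pattern."""
    entry = entry.strip().lower().rstrip(".")
    labels = entry.split(".")
    if len(labels) < 2 or len(entry) > 253:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    if all(label == "*" for label in labels):
        return None  # assumption: an all-wildcard entry is a mistake
    return entry


def prepare_list(raw_entries):
    """Split raw entries into (accepted, rejected), de-duplicated and capped."""
    accepted, rejected, seen = [], [], set()
    for raw in raw_entries:
        entry = normalize(raw)
        if entry is None:
            rejected.append((raw, "invalid"))
        elif entry in seen:
            rejected.append((raw, "duplicate"))
        elif len(accepted) >= MAX_ENTRIES:
            rejected.append((raw, "over limit"))
        else:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected


def matches(pattern, domain):
    """Label-wise match: "*" stands for exactly one label (assumed semantics)."""
    p = pattern.split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(p) == len(d) and all(a == "*" or a == b for a, b in zip(p, d))


def covering_entries(entries, domain):
    """Entries from the list that apply to a given sender domain."""
    return [e for e in entries if matches(e, domain)]


# Constructed sample input, using the entry shapes shown in the guide.
SAMPLE = ["*.example.com", "example.*", "Example.*", "mysubdomain.*.*",
          "subdomain.*.example.com", "exa mple.com", "example.com"]

if __name__ == "__main__":
    accepted, rejected = prepare_list(SAMPLE)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("mail.example.com ->", covering_entries(accepted, "mail.example.com"))
```

Running covering_entries against the sender domains you expect to enforce shows which ones no entry covers, such as a sub-domain when only the parent domain was listed.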
Email Authentication Notifications tab
Send Email Notifications
6 Check the “Denied Delivery” box under the heading “To the sender when a
message is” to notify the sender that they are unable to send their message due to an Email
Authentication violation.
7 Click Save.
8 Check the “Denied Delivery” box under the heading “To the recipient when a
message is” to notify the recipient that they are unable to receive their message due to an Email
Authentication violation.
9 Click Save.
View your selection Click the Notifications Tab in the Policy Set window.
Define the Format and Text of
Notifications to Users
You can configure templates for the notification emails that are sent to the sender and/or
recipient when an email message is filtered for:
•Viruses
•Content
•Attachments
Default notification templates are provided for all the notification scenarios. You can
change these templates if you wish.
One notification email template is defined for each combination of the following:
•Filtering type — For viruses, content, or attachments
•Destination of the notification — Sender or recipient
•Email Action — Deny, strip, or quarantine
Variables within a Notification
Within the notification emails, variables automatically insert content from the system. For
example, the variable $(DATE) inserts the date when the notification email was sent.
Default variables already exist for the default notifications. If you want to use a different
variable, you must manually type the variable as shown below and the variables are case-sensitive.
$(SUBJECT) – Inserts a variable that automatically indicates the subject of the email that
violated the policy.
$(FROM) – Inserts a variable that automatically indicates the sender’s email address
(From: address) from the email that violated the policy. This variable
inserts the From: address that is displayed in the email.
$(SENDER) – Inserts a variable that automatically indicates the sender’s email address
(From: address) from the email that violated the policy. This variable
inserts the SMTP envelope From: address received from the sending email
server.
$(TO) – Inserts a variable that automatically indicates the recipient’s email address
(To: address) from the email that violated the policy.
$(DATE) – Inserts a variable that automatically indicates the date when the email was
received that violated the policy.
$(REASON) – Inserts a variable that automatically indicates the reason why the email
violated the policy.
$(ACTION) – Inserts a variable that automatically indicates the action that was applied
to the email that violated the policy.
$(DOMAIN) – Inserts a variable that automatically indicates the domain that received the
email that violated the policy.
$(MSG_HEADER) – Inserts a variable that automatically indicates the email header information
from the email that violated the policy.
$(SIZE) – Inserts a variable that automatically indicates the size, including
attachments, of the email that violated the policy.
$(POSTMASTER) – Inserts the contact email address configured for the domain.
The set of Notifications tabs includes the following subtabs:
•Notifications – Virus Notifications subtab (see window 1)
•Notifications – Content Notifications subtab
•Notifications – Attachment Notifications subtab
In addition, each subtab will have a separate Edit area for each of its notification
templates.
Because all the individual notification templates offer the same functionality, only one set
of subtabs in the Notifications tabs will be described to reduce redundancy. Be aware that
the same features are used to modify the remaining notification templates, the only
difference being the combinations of filter type, destinations, and email actions. Be sure to
modify the navigation and information accordingly.
Define the Format and Text of Virus
Notifications
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Notifications.
The Notifications: Virus window is displayed.
4 Click on a notification in the Virus Notifications box.
5 Either double-click on a subject or highlight a subject and click Edit.
The Edit section of the window is displayed.
6 Change, if desired, the text or variables in any or all of the following fields:
From – Designates what email address is listed as the From: address in the
notification email. Optionally, you can type variables that insert system
information into this content.
Reply-To – Designates what email address is used if the recipient of the notification
email clicks the Reply button in his/her email application. Optionally, you
can type variables that insert system information into this content.
Subject – Type the text to be used as the subject for the notification email template.
Optionally, you can type variables that insert system information into this
content.
Body – Type the text to be used as the body text for the notification email
template. Optionally, you can type variables that insert system information
into this content.
7 Click Save.
Define the Format and Text of Content
Violation Notifications
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Notifications.
The Virus Notifications window is displayed.
4 Click Content.
The Content Notifications window is displayed.
5 Click on a notification in the Content Notifications box.
6 Either double-click on a subject or highlight a subject and click Edit.
The Edit section of the window is displayed.
7 Change, if desired, the text or variables in any or all of the following fields:
From – Designates what email address is listed as the From: address in the
notification email. Optionally, you can type variables that insert system
information into this content.
Reply-To – Designates what email address is used if the recipient of the notification
email clicks the Reply button in his/her email application. Optionally, you
can type variables that insert system information into this content.
Subject – Type the text to be used as the subject for the notification email template.
Optionally, you can type variables that insert system information into this
content.
Body – Type the text to be used as the body text for the notification email
template. Optionally, you can type variables that insert system information
into this content.
8 Click Save.
Define the Format and Text of Attachment
Violation Notifications
1 Click Email Protection | Policies.
2 Select the policy you want to change.
3 Click Notifications.
The Virus Notifications window is displayed.
4 Click Attachment.
The Attachment Notifications window is displayed.
5 Click on a notification in the Attachment Notifications box.
6 Either double-click on a subject or highlight a subject and click Edit.
The Edit section of the window is displayed.
7 Change, if desired, the text or variables in any or all of the following fields:
From – Designates what email address is listed as the From: address in the
notification email. Optionally, you can type variables that insert system
information into this content.
Reply-To – Designates what email address is used if the recipient of the notification
email clicks the Reply button in his/her email application. Optionally, you
can type variables that insert system information into this content.
Subject – Type the text to be used as the subject for the notification email template.
Optionally, you can type variables that insert system information into this
content.
Body – Type the text to be used as the body text for the notification email
template. Optionally, you can type variables that insert system information
into this content.
8 Click Save.
Email Authentication
The Notifications | Email Authentication subtab allows you to configure a template of
how the notification email will appear that is sent to the sender and/or recipient.
Within the notification emails, there
are available variables that will automatically insert
content from the system. For example, the variable $(DATE) will insert the date when the
notification email was sent. You must manually type the variables as shown below and the
variables are case-sensitive.
9 Highlight the message you wish to review and click Edit to launch the edit template.
Variables within the template include:
$(SUBJECT) – The Subject field is blank because the message was blocked before the
email content had been sent. If you wish to have a Subject value for the Notification
message, edit the Subject: field, otherwise the Subject appears as: 'Delivery Notification'.
$(FROM) – Inserts a variable that automatically indicates the sender's email address
(From: address) from the email that violated the policy. This variable inserts the From:
address that is displayed in the email.
$(SENDER) – Inserts a variable that automatically indicates the sender's email address
(From: address) from the email that violated the policy. This variable inserts the SMTP
envelope From: address received from the sending email server.
$(TO) – Inserts a variable that automatically indicates the recipient's email address (To:
address) from the email that violated the policy.
$(DATE) – Inserts a variable that automatically indicates the date when the email was
received that violated the policy.
$(REASON) – Inserts a variable that automatically indicates the reason why the email
violated the policy.
$(ACTION) – Inserts a variable that automatically indicates the action that was applied to
the email that violated the policy.
$(DOMAIN) – Inserts a variable that automatically indicates the Domain that received
with the predefined variable name (without the curly brackets).
Email Authentication Subject Headers
As mentioned, the Subject field in the Email Authentication Email Subject Line, the Email
Authentication Email Header, and the Email Authentication Notification Message Body
will not contain Subject data since the email was denied and no data was retrieved.
The following examples demonstrate the Subject Field
displaying Delivery Notification. Again, this is because the $(SUBJECT) variable is an
empty variable.
Email Subject Line
or Subject Notification only
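A template check for the notification variables described in the sections above, added here as an example and not part of the McAfee guide or product. It flags variables typed in the wrong case, names the guide does not list, broken "$(" tokens, and, for Email Authentication templates, use of the always-empty $(SUBJECT); the sample template and the name $(VIRUS_NAME) are constructed for the demonstration.

```python
import re

# Variable names listed in this guide; they are case-sensitive.
KNOWN = {"SUBJECT", "FROM", "SENDER", "TO", "DATE", "REASON", "ACTION",
         "DOMAIN", "MSG_HEADER", "SIZE", "POSTMASTER"}
_VAR = re.compile(r"\$\(([^()\s]*)\)")


def lint_template(text, email_auth=False):
    """Return (line_no, token, problem) tuples for a notification template."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _VAR.finditer(line):
            name, token = match.group(1), match.group(0)
            if name in KNOWN:
                # Per the guide, $(SUBJECT) carries no data when the message
                # was denied for an Email Authentication violation.
                if email_auth and name == "SUBJECT":
                    findings.append((line_no, token, "empty for Email Authentication"))
            elif name.upper() in KNOWN:
                findings.append((line_no, token, "wrong case, use $(%s)" % name.upper()))
            else:
                findings.append((line_no, token, "not listed in the guide"))
        # Any "$(" left after removing well-formed tokens is an unclosed
        # or space-broken variable.
        if "$(" in _VAR.sub("", line):
            findings.append((line_no, "$(", "malformed variable"))
    return findings


# Constructed template text; $(VIRUS_NAME) is a made-up name for the demo.
SAMPLE = (
    "Delivery Notification $(SUBJECT)\n"
    "Your message to $(To) on $(DATE) was $(ACTION).\n"
    "Reason: $(REASON) $(VIRUS_NAME) $(SIZE\n"
)

if __name__ == "__main__":
    for finding in lint_template(SAMPLE, email_auth=True):
        print("line %d: %s -> %s" % finding)
```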
Disaster Recovery allows you to specify what actions to take when email cannot be
delivered. There are three available options:
•Defer to domain-based Email Continuity access control configured under Disaster
Recovery Setup
Select this option to use the configuration settings from the Disaster Recovery Setup
window.
•Allow users to use the Email Continuity webmail client
Select this option to allow users to use the Email Continuity webmail client when
email cannot be delivered.
•Do not allow users to use the Email Continuity webmail client
Select this option if you do not wish to allow users to use the Email Continuity
webmail client when email cannot be delivered.
Assign a Group to the Custom Policy
To perform this task, you must first create the group of users who are to be assigned to the
policy. See “Managing Groups” in Account Management Administrator Guide.
1 Click Email Protection | Policies.
2 Select the custom policy to which you want to assign a group.
3 Click Group Subscriptions.
The Policy Configuration Groups window is displayed.
4 Select the group you want to assign.
5 Click Add.
6. Customize Outbound Mail
Filters
You can customize the default outbound policy for any and each domain, or any and each
group, to fit your business needs.
Note: Outbound email is not filtered for spam. You also cannot customize allow or deny
lists for outbound email. You can, however, copy allow or deny lists from an existing
inbound policy.
Create a Custom Outbound Policy
Important Note: It is assumed that all domains within an Enterprise Customer will have
the same package assigned to them. If some domains have different packages, unexpected
results may occur when a policy is applied to a group in which members reside within
different domains.
1 Click Email Protection | Policies | Outbound Policies link.
2 Click New.
The New Policy Set fields are displayed.
Field – Description
Name – Enter a name for the policy set you are creating. The name should reflect
the name or purpose for the group or groups that you will assign to the
policy.
Description – Enter a description of the new policy set.
Direction – From the drop-down menu, select the direction of email, outbound
SMTP, for which this policy will be configured.
Copy From – From the drop-down menu, select an existing policy set whose settings
you want to copy to the new policy set. Most settings are copied based on
this selection. However, you must choose to copy some settings from the
existing policy separately by selecting the following fields.
Copy Sender Allow List – Select to copy the Sender Allow list from the policy set selected in the
Copy From field.
Copy Sender Deny List – Select to copy the Sender Deny list from the policy set selected in the
Copy From field.
Copy Recipient Shield List – Select to copy the Recipient Shield list from the policy set selected in the
Copy From field.
Copy ClickProtect Allow List – Select to copy the ClickProtect Allow list from the policy set selected in
the Copy From field.
3 Click Save.
The Policy Sets list is updated with the new policy. You can now modify the new
policy to meet your business needs.
Configure a Virus Filter
You configure a virus filter for outbound email in the same way as that for inbound email.
For more information, see
Configure a Virus Filter Policy
Configure a Content Filter
You can create a custom content filter for outbound email. You can only set up Content
Groups and Notifications. HTML Shield and ClickProtect are not available for outbound
email. You set up content groups and notifications in the same way as that for inbound
email. For more information, see
Create a Custom Policy.
Email Encryption for Content Groups
Group Names
You can send regular email based on your selected policies, but you may also
encrypt messages for a specific Group Name under Content Groups if desired. Select the
group name you wish to encrypt and, from the Action drop-down list, select to have that
group encrypted.
More Options
If a Customer or Domain subscribes to Email Encryption, then selecting this option can be
used to enforce Email Encryption if the outbound message contains the word ‘[encrypt]’.
This word, [encrypt], can reside in the message Subject line or the body of the outbound
message.
This option can be found under Email Protection | Policies | Outbound (default) |
Content | Content Groups.
Define an Attachment Filter
You configure an attachment filter for outbound email in the same way as that for inbound
email. For more information, see
Define an Attachment Filter Policy.
Define the Format and Text of
Notifications to Users
You configure notifications for outbound email in the same way as that for inbound email.
For more information, see
Define the Format and Text of Notifications to Users Policy.
Assign a Group to the Custom Policy
You assign a group to a policy for outbound email in the same way as that for inbound
email. For more information, see
Disaster Recovery.