Report as Spam

RE: Report as Spam

Red_Warrior — Fri, 16 Nov 2018 15:35:04 GMT

There are 2 reasons to run puremessage for exchange with an email appliance.

#1 it offers anti-virus mail box scanning after the message has arrived to the mail box. (ie if a virus is 0 day at the SEA and a detection comes out 3hrs later, store scanning would quarantine those messages after the fact)

just make sure you install the AV only version, its best NOT to install the full version with anti-spam as this well because this will give you 2 quarantines to manage.. (major pita)

#2 puremessage can scan mail destined to other internal email boxes. so if you wanted to spam scan between mail boxes, or have key word filters you could do that with all mail been delivered internally.

I highly recommend an AV only install on the mailbox servers as this will give you some extra protection in the event a virus is 0 day at the smtp gateway and later detected.. if the mailbox server trys to serve an email with a virus .. it would be blocked. in the AV/AS game.. every second counts.

RE: Report as Spam

LRSpartan — Fri, 16 Nov 2018 13:32:29 GMT

Thank ya again RW. I will take a deeper look at your response.

Quick question, would there be any benefit of us installing PureMessage on our Exchange server? More specifically, can a user block an email in PureMessage? Click a button or whatever. So while something might get passed the SEA, PM would see the block and stop it.

RE: Report as Spam

Red_Warrior — Fri, 16 Nov 2018 12:16:17 GMT

interesting problem and very unique usecase. You may need to think outside the box a bit.

couple notes on your categories.

VR: Virus - done via antivirus rules under threat protection, the appliance at best will automatically quarantine a virus as such, in turn only an administrator can release it. or the sample is destroyed.. there is no scenario where a non administrator can allow a virus nor can you disable AV scanning.
BC: Blocked by Customer - done via the portal, a user would need to specifically say block x domain.. per-user block lists are run against any message addressed to a user that has a list.. there is no way to automate this via a 1 touch solution (i would recommend a feature request) otherwise policy would have to be created in the admin ui.
DM: Direct Marketing - this is covered via a bulk mail rule.. simply create a rule under additional policy for bulk mail and delete it
FD: Fraud - fraud messages are covered under anti spam rules and will automatically trigger a high spam rule to ensure it is deleted

FG: From a Foreign Domain - not specicially covered but if you wanted to make a rule to drop all mail from Russia .. see my kb here and add as many countries as you wish : community.sophos.com/.../370052 List-Server - you could create a list of servers / mtas or domains with regular expressions.. see below for links and samples.NL: Newsletter - covered under bulk mail
SP: Spam - as rules
VA: Virus Alert - we do not alert, we automatically quarantine / destroy viruses on sight
YG: Yahoo Groups - you may need an allow rule for this specific domain..
CL: Chain Letter - covered under AS rules.

the report as spam does not append rules to the appliance, it sends the email to labs where it is automatically added to data updates.. those updates are pushed out and mail is dropped as spam.

some things you could try .. (I do NOT recommend ANY of these options)

create a rule to drop ALL mail and create a rule to exclude white listed domains. ie: **@**.com or **@**.net etc.

you could also create outbound rules to append X-headers on sent mail, then create a rule to look for that header

your exclusions would go above your delete all mail.

keep in mind, there is NO recycle bin.. destroyed mail is gone forever.

as you pointed out the more policy you have, the slower mail is processed as each message that is accepted is compared line by line, this drop all policy aims to reduce policy by only searching for the white-listed domains.

if there is other more specific issues or rules you need to make, you can do so, but there is no way for the appliance to magically figure out who wants what mail, and it can only identify items as bulk mail and spam based on the universally accepted criteria of such .. ie: blacklists, known bulk mailers and similar.

in regards to regular expressions have a look here under the pmx documentation for accepted regex

https://docs.sophos.com/msg/pmx/help/en-us/msg/pmx/concepts/AdmDevRegex.html

some notes:

**@**.com would drop all mail from any domain.com

or **@subdomain.mydomain.com$ would mean it must end in this exact domain.

* means 1 word.. ** means any number of words

do NOT use sub-string matches with wild cards.

RE: Report as Spam

LRSpartan — Fri, 16 Nov 2018 09:36:24 GMT

Hi RW!

I always appreciate your help! I think I am mis-communicating about our user's experience. To us, spam is basically any email that we do not want. It is unsolicited, and therefore we do not want it. So what we call spam might not technically be spam or bulk as defined by the SEA.

Our old provider had the following categories they checked. If it was any of these, it quarantined or discarded them. Please don't take this wrong, but we went from having maybe one or two emails per user per week come through that should have been stopped to now twenty or thirty a day per user.

Types:
VR: Virus BC: Blocked by Customer DM: Direct Marketing FD: Fraud	FG: From a Foreign Domain LS: List-Server NL: Newsletter SP: Spam	VA: Virus Alert YG: Yahoo Groups CL: Chain Letter

Then the second issue is even if we mark it as spam and don't want to see it again, that is not happening automatically. I am having to go in to a rule and add each host name and I am doing that for our entire domain. So if someone wants some direct marketing material from some store but someone else has said it is spam, then the one wanting it will not get it. There is no easy automatic way to ban email at the user level. The web portal is to cumbersome on a good day.

Example of rule that I have built for emails that we identify as spam. This is a manual process and impacts the entire domain. I suspect it will really hurt performance as it grows.

So that is my problem. We define spam differently and there is no easy automated way to block email. Yes, the RAS button removes the email, but it isn't communicate back to our appliance and blocking it regardless if Sophos thinks it is spam or not. All to often, our users click the RAS and the emails keep pouring in. The web portal way to block is inefficient. Our old provider put a link at the bottom of the email if we wanted to block it. Click on it and it was blocked.

We like some many other features of the SEA but blocking unwanted emails has become an issue for us. I figure there is much that can be done now, but I just wanted to make sure I wasn't missing some feature that would be more like our old experience.

Thank you,

John

RE: Report as Spam

Red_Warrior — Fri, 16 Nov 2018 08:49:43 GMT

Hi John

If you are deleting medium and high spam then what you are probally having issues with is bulk mail. I would create a policy for bulk and set the action to tag subject or if you really wish delete.

Please note that setting medium and bulk mail to delete is not recomended.

In the case of the applaince , the only thing in your quarantine would be virus or if you have rules that quarantine mail.

If you wish to install the outlook plugin that will gove you 1 touch spam submission and remove the message.. again tho if your deleting spam than chances are what is arriving is either not spam, bulkmail or unknown spam.

If you are getting spam in thr inbox with it set to delete you may wish to ensure your settings match my kb on recomended spam settings .. other things that can cause fp or unidentified spam scores are pix mailguard, upstream load balancers and other ips products that block mta’s from connecting to the appliance.

community.sophos.com/.../120802