Reflexion users have access to a broad range of email defenses, which can be blended to provide exceptional inbox control. Default and custom configurations simplify deployment, while providing the versatility that is needed to address the widest range of user requirements.
More info at: http://www.reflexion.net/services/email-security/
Applies to the following Sophos products and versions: Reflexion Total Control (RTC) Email Security
Reflexion uses its LDAP sync capabilities to maintain a database of known users at each customer domain. This database enables the system to deny delivery of mail to unknown users after receiving the “To:” address from the message envelope. This approach provides protection against directory-harvest and denial-of-service attacks (DHA and DoS, respectively), and saves considerable bandwidth.
In cases where Reflexion has not been provided with a list of users for an enterprise, the system automatically queries the customer’s MTA to determine if a recipient is legitimate.
Users can get started by using Reflexion’s Outlook Contact Harvester to build a list of their email correspondents. This utility collects Outlook contacts and addresses from messages in the Sent Items folder. Automated “Allow List on first outbound” and “Allow List on reply” features keep one’s Allow List current over time. Allow Lists can include individual addresses or entire domains, and support enterprise-wide entries.
The Block List is used to block email from specific addresses or domains. A Block List entry can be created through either the in-message User Control Panel or the Reflexion Message Center user interface. Enterprise-wide entries may be added to the Block List.
Reflexion may be deployed transparently by utilizing content filtering to screen messages from senders who are not on a recipient’s Allow List and which have passed prior tests, such as permitted countries and permitted languages. Filtering provides simple, transparent set-and-forget protection, although users may choose to inspect their quarantine or receive a daily summary of messages in the quarantine. Reflexion provides a simple means for the user to tailor the sensitivity of the filter for their specific preferences.
Reflexion makes it easy for users to employ multiple addresses for a single inbox. We refer to these addresses as Protective Addresses, because they provide both a means of protecting the integrity of one’s primary email address and of protecting access to one’s inbox. Reflexion’s Address-on-the-Fly enables users to spontaneously disclose a purpose-specific address on a website, in a discussion forum, in print or conversation without interacting with the system. These addresses take the form of a root name plus a suffix of the user’s own choosing. For example, to register on eBay, Jane Doe might disclose the address firstname.lastname@example.org, where the “.ebay” suffix serves as an “email PIN” that assures delivery of email sent to this address. Addresses are independently controllable by policy so that legitimate users of the address can be “locked down” in the event the address is ever harvested and abused by a spammer.
Reflexion’s granular inbox access control flows in part from the range of security states that can be applied to a specific sender and address. For example, if an Address-on-the-Fly starts to attract spam, the user can first identify who is sharing the email address and then exert varying degrees of control over future use of the address. The user can (a) block the specific abusing sender, (b) lock down the address, reserving its future use solely for the existing community of legitimate senders, (c) restrict future use to senders at the domain of the sender to which it was initially disclosed, (d) restrict use even further to just the party to which it was initially disclosed, or (e) disable the address, in which case all future incoming mail on the address will be blocked, flagged or challenged. These options are implemented very simply through the user control panel.
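The security states listed above, modelled as an added Python sketch (this is not Reflexion's code). The state names, the `ProtectiveAddress` class, the sample addresses and the rule that the first sender seen on an address counts as the party it was disclosed to are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
class State(Enum):   # hypothetical names for options (b)-(e) in the text
    OPEN = 0         # any sender may use the address
    LOCKED = 1       # (b) only senders already seen on the address
    DOMAIN_ONLY = 2  # (c) only the domain it was first disclosed to
    PARTY_ONLY = 3   # (d) only the party it was first disclosed to
    DISABLED = 4     # (e) no sender is accepted

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

@dataclass
class ProtectiveAddress:
    address: str
    state: State = State.OPEN
    first_sender: str = ""  # assumption: first sender seen = disclosure party
    known: set = field(default_factory=set)    # senders delivered so far
    blocked: set = field(default_factory=set)  # (a) individually blocked senders

    def allows(self, sender: str) -> bool:
        sender = sender.lower()
        if sender in self.blocked or self.state is State.DISABLED:
            return False
        if self.state is State.OPEN:
            return True
        if self.state is State.LOCKED:
            return sender in self.known
        if not self.first_sender:  # nothing disclosed yet, nobody to match
            return False
        if self.state is State.DOMAIN_ONLY:
            return domain_of(sender) == domain_of(self.first_sender)
        return sender == self.first_sender  # PARTY_ONLY

    def receive(self, sender: str) -> str:  # returns "deliver" or "refuse"
        if not self.allows(sender):
            return "refuse"  # the configured action decides what happens next
        self.first_sender = self.first_sender or sender.lower()
        self.known.add(sender.lower())
        return "deliver"

    def third_parties(self) -> list:  # senders outside the original domain
        home = domain_of(self.first_sender)
        return sorted(s for s in self.known if domain_of(s) != home)

def demo():  # constructed sample address and senders
    pa = ProtectiveAddress("jane.shop@example.org")
    log = [pa.receive(s) for s in ("orders@shop.example", "promo@bulk.example")]
    pa.state = State.DOMAIN_ONLY  # user reacts to the sharing event
    return log + [pa.receive("promo@bulk.example")], pa.third_parties()
```

Calling `demo()` shows the third-party sender being delivered while the address is open, then refused once the address is restricted to the original domain, with `third_parties()` naming the sender that revealed the sharing.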
As an option, Reflexion automatically inserts a control panel at the bottom of incoming messages, and removes it on Forward or Reply. This control panel provides a means of communicating with users, for example, to inform them when one correspondent appears to have shared their address with a third party. It also provides a simple means for users to update their access preferences for a specific sender and address simply by clicking on the intuitive in-message links that are provided. Reflexion’s control panel is available in English, Spanish, French, German, Brazilian Portuguese, Dutch, Italian and Chinese, with Russian and Hebrew on the way.
This capability augments traditional content filtering by blocking messages in any language other than those specifically approved for delivery at the enterprise and individual user levels.
This capability further augments content filtering by blocking messages from any country other than those specifically approved for delivery at the enterprise and individual user levels. Delivery decisions are based on the IP address of the sending server. While some organizations with international clients may not use this capability, many domestic businesses may not ever want to receive email that can be determined to have originated outside their home countries or geographic areas of operation.
Total Control provides maximum control over access to one’s inbox. We believe there is no more powerful solution on the market today. In this mode, Reflexion expedites the creation of the user’s Allow List, then utilizes an automatic challenge-response for every new inbound correspondent, asking them to resend their message to a Protective Address with a suffix automatically assigned by Reflexion. By establishing correspondent-specific To-From address pairs, each controllable by policy, Reflexion deprives spammers of their primary technique. If they spoof the From address, they must associate it with the proper To address in order to reach the user’s inbox. The chances of this are negligible, hence the name Total Control.
Reflexion scans both incoming and outgoing email for viruses, worms, and other malware.
Reflexion enables users to mix and match various defenses to suit their specific preferences. Our experience shows that blending Protective Addresses with traditional methods produces a stronger defense that also avoids the pitfalls of traditional defenses used independently.
A variety of options exist to respond to individual or organizational preferences.
Users who don’t have a serious spam problem may elect to have spam delivered to their inbox with a spam tag in the subject line. This avoids the need to examine the daily spam digest or inspect the quarantine, and enables the recipient to identify a false-positive immediately.
Spam can be delivered to a web-based quarantine folder for periodic inspection by the intended recipient.
Users may elect to receive a daily summary of new mail diverted to their quarantine folder. The summary includes the sender, subject line, date and time, and contains links to either release a message to one’s inbox, or release the message and add the sender to the Allow List so that future mail from the sender will be delivered directly to the recipient’s inbox.
After becoming comfortable with the accuracy of Reflexion’s protection, some users elect to vaporize spam rather than quarantining it. Alternatively, one may elect to vaporize only those messages with a score that exceeds a pre-specified threshold while everything else goes into the quarantine. When utilizing Address-on-the-Fly, users may find that specific merchants or websites share their address. When this happens, the user may “lock down” the AOTF, reserving its use for senders at the domain to which it was originally disclosed while vaporizing all other mail arriving on the address, thereby removing it from their quarantine.
In order to minimize the risk of false-positives, users may elect to send a challenge to the sender of any incoming message that fails a delivery test (with the exception of the unknown user and virus tests). While spammers generally don’t respond to challenges (creating the presumption that their email can be properly quarantined or vaporized), this precaution gives legitimate senders the opportunity to identify themselves and have their message delivered. The challenge may take two forms: it can give the sender a means of adding themselves to the user’s Allow List by clicking on a link, or it can direct them to resend their message to a new Protective Address automatically created for their use. This approach dramatically reduces the amount of “backscatter” because challenges are triggered by a small fraction of the overall volume of incoming email. (While some users love the effectiveness of Challenge-Response, others are concerned about sending challenges to innocent parties whose email addresses have been hijacked by spammers. We see this as a choice for the user to make.)
When a customer’s local email server experiences an outage — as would occur when there is a power failure, for instance — Reflexion automatically queues all incoming mail for up to seven days until the server comes back on line, at which point all queued mail is delivered.
Reflexion provides the ability to add a disclaimer or custom signature block to outgoing messages without having to interact with the local email server.
By using a Protective Address for responses to a marketing campaign, Reflexion makes it simple to determine the source of incoming leads.
Solution providers and ISPs have full on-demand configuration control for their customers and subscribers. Each customer can be deployed separately depending on the nature of their spam problem. Four basic modes are recommended for rapid deployment:
This mode provides more information and interactivity for users that seek a more robust email experience. Reflexion provides step-by-step instructions and some automated support for users of this mode.
Maximum performance and full forensics; ideal for users who cannot tolerate the limitations of content filtering.
Any combination of the available options.
Reflexion includes a range of tools to help email administrators, solution providers and ISPs manage the email environment and troubleshoot issues.
Reflexion’s LDAP exporter can be run on any LDAP server to synchronize the configuration of users and domains automatically on the Reflexion server.
The unified log consolidates information from various sources to simplify the process of diagnosing a potential delivery issue.
The Reflexion Message Center provides an extensive history system with searchable and sortable pages to identify sharing events or to enforce policies, such as who can use a particular Protective Address or who is part of a community Allow List that’s able to send email to a specific address.
“Recipient To” and “Filter Score =, Result =” headers are available to users and solution providers for special email handling.
Reflexion’s outbound mail auditing capability enables the system to block mail to and from the same user, which is indicative of an open relay condition.
The Reflexion Message Center provides the capability to graph various email statistics over time, such as the volume of mail sent to unknown users, spam, and legitimate outgoing mail.
Reflexion has been designed specifically to address the needs of IT solution providers and ISPs.
Reflexion is fully brandable. Partners can put their logo on the Message Center, the welcome message for new users, the daily spam digest, and all other customer-facing messages in order to reinforce their brand identity with their clients and subscribers.
Reflexion’s data model supports the hierarchy of distributor, solution provider/ISP, client, user/subscriber, and address. Reflexion’s partners can use the Reflexion Message Center to provision new users and manage their clients without Reflexion’s intervention.
Reflexion is incredibly configurable, providing partners with the high degree of user control that they need to respond to the widest range of client requirements.
Reflexion has been integrated with leading MSP platforms to provide more centralized infrastructure management and important email operating and hygiene statistics.
“Address-on-the-Fly” is a registered trademark of Sophos Limited or one of its affiliates. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.