TrendMicro™ Hosted Email Security · Chapter 1 1 Best Practice Configurations 1.1 Activating a...

Date post: 26-Jun-2020
TrendMicro™ Hosted Email Security Best Practice Guide
Trend Micro™ Hosted Email Security

Best Practice Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.

Copyright © 2016 Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and TrendLabs are trademarks or registered trademarks of Trend Micro, Incorporated. All other brand and product names may be trademarks or registered trademarks of their respective companies or organizations. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Authors: Michael Mortiz, Jefferson Gonzaga

Editorial: Jason Zhang

Released: June 2016

Table of Contents

1 Best Practice Configurations

1.1 Activating a domain

1.2 Adding Approved/Blocked Sender

1.3 HES order of evaluating emails

1.4 Inbound Emails

1.4.1 Enable Valid Recipient check

1.4.2 Make sure default virus policy is set to delete

1.4.3 Add filters to default spam and phish policy

1.4.4 Avoid long and complex regular expression in Keyword Expression

1.5 Outbound Email

1.5.1 Add additional outbound spam and phish policy

1.6 Securing your Environment

1.6.1 Securing your Mail Server

1.6.2 Securing your Users/Clients

1.7 Common Threat preventions

1.7.1 Spoof Emails

1.7.2 Backscatter (or "outscatter") spam and Directory Harvest Attacks (DHA) Emails

1.7.3 Zero day unknown Threats

1.7.4 Ransomware/Macro Virus Emails

2 Product Description

2.1 Mail Flow

2.1.1 Inbound Scanning

2.1.1.1 IP Reputation-Based Filtering at the MTA Connection Level

2.1.1.1.1 Content-Based Filtering at the Message Level

2.1.1.2 General Order of Evaluation

2.1.1.3 Sender Filter Order of Evaluation

2.1.1.4 IP Reputation Order of Evaluation

2.1.1.5 Policy Order of Evaluation

2.1.2 Outbound Scanning

2.2 Message Retention

3 Preparation

3.1 Service Requirements

3.2 Default Hosted Email Security Settings

4 Getting Started

4.1 Registration

4.2 Starting the Activation Process

4.2.1 Adding Office 365 Inbound Connectors

4.2.2 Adding Office 365 Outbound Connectors

4.3 Finalizing Activation

4.3.1 Repointing MX Records (Best Practice)

4.3.2 About MX Records and Hosted Email Security

4.4 Accessing the Administrator Console

4.4.1 Using CLP to Access the Administrator Console

5 Management Console

5.1 Working with the Dashboard

5.1.1 Summary Chart

5.1.2 Volume Chart

5.1.3 Bandwidth Chart

5.1.4 Threats Chart

5.1.5 Threats Details Chart

5.1.6 Advanced Analysis Details Chart

5.1.7 Top Spam Chart

5.1.8 Top Virus Chart

5.1.9 Top Analyzed Advanced Threats

5.2 Configuring a Policy

5.2.1 Managing Policy Rules

5.2.2 Selecting User Accounts for Rules

5.2.3 About Rule Target Criteria

5.2.3.1 Configuring Virus or Malicious Code Criteria

5.2.3.1.1 About Advanced Threat Scan Engine

5.2.3.2 Configuring Spam Criteria

5.2.3.3 Configuring Phish Criteria

5.2.3.4 Configuring Marketing Message Criteria

5.2.3.5 Configuring Social Engineering Attack Criteria

5.2.3.6 Configuring Advanced Criteria

5.2.3.6.1 About Keyword Expressions

5.2.3.6.1.1 Using Keyword Expressions

5.2.3.6.1.2 Adding Keyword Expressions

5.2.3.6.1.3 Editing Keyword Expressions

5.2.3.6.2 Using Attachment Name or Extension Criteria

5.2.3.6.3 Using Attachment MIME Content-type Criteria

5.2.3.6.4 Using Attachment True File Type Criteria

5.2.3.6.5 Using Message Size Criteria

5.2.3.6.6 Using Subject Matches Criteria

5.2.3.6.7 Using Subject is Blank Criteria

5.2.3.6.8 Using Body Matches Criteria

5.2.3.6.9 Using Specified Header Matches Criteria

5.2.3.6.10 Using Attachment Content Matches Keyword Criteria

5.2.3.6.11 Using Attachment Size Criteria

5.2.3.6.12 Using Attachment Number Criteria

5.2.3.6.13 Using Attachment is Password Protected Criteria

5.2.3.6.14 Using the Number of Recipients Criteria

5.2.4 About Rule Actions

5.2.4.1 Specifying Rule Actions

5.2.4.2 "Intercept" Actions

5.2.4.2.1 Using the Delete Action

5.2.4.2.2 Using the Deliver Now Action

5.2.4.2.3 Using the Change Recipient Action

5.2.4.2.4 Using the Quarantine Action

5.2.4.3 "Modify" Actions

5.2.4.3.1 Cleaning Cleanable Viruses

5.2.4.3.2 Deleting Matching Attachments

5.2.4.3.3 Tagging the Subject Line

5.2.4.3.4 Inserting a Stamp

5.2.4.3.4.4 Configuring Stamps

5.2.4.3.5 Rule Tokens/Variables

5.2.4.4 "Monitor" Actions

5.2.4.4.1 About the Send Notification Action

5.2.4.4.1.5 Configuring Send Notification Actions

5.2.4.4.1.6 Deleting Notifications from Rule Actions

5.2.4.4.1.7 Deleting Notifications from Lists of Messages

5.2.4.4.2 Using the Bcc Action

5.2.4.5 "Scan Limitations" Actions

5.2.4.5.1 Rejecting Messages

5.2.4.5.2 Bypassing Messages

5.2.4.6 Encrypting Outbound Messages

5.2.5 Naming and Enabling a Rule

5.3 Configuring Sender Filter

5.3.1 Adding Senders

5.3.2 Editing Senders

5.4 Understanding IP Reputation

5.4.1 About Dynamic IP Reputation Settings

5.4.2 About Standard IP Reputation Settings

5.4.3 About Approved and Blocked IP Addresses

5.4.4 Troubleshooting Issues

5.5 Understanding Advanced Protection

5.5.1 About Transport Layer Security (TLS)

5.5.1.1 Testing TLS

5.5.1.2 Adding TLS Peers

5.5.1.3 Editing TLS Peers

5.5.2 About Sender Policy Framework (SPF)

5.5.2.1 Enabling or Disabling Sender Policy Framework (SPF)

5.5.2.2 Adding an SPF Peer to the Ignored List

5.5.2.3 Editing an SPF Peer in the Ignored List

5.5.2.4 Deleting SPF Peers from Ignored List

5.6 Understanding Quarantine

5.6.1 Querying the Quarantine

5.6.2 About the Quarantine Digest

5.6.2.1 Configuring the Quarantine Digest

5.7 Understanding Mail Tracking

5.7.1 About the Blocked Traffic Tab

5.7.2 About the Accepted Traffic Tab

5.7.3 About the Unresolved Traffic Tab

5.7.4 Social Engineering Attack Log Details

5.8 Understanding Policy Events

5.9 Configuring Administration Settings

5.9.1 Managing Administrator Accounts

5.9.1.1 About Account Management

5.9.1.2 Adding and Configuring an Administrator Account

5.9.1.3 Editing Administrator Account Configuration

5.9.1.4 Deleting Administrator Accounts

5.9.1.5 Changing Administrator Passwords

5.9.1.6 Enabling or Disabling an Administrator Account

5.9.2 Changing End-User Passwords

5.9.3 About End-User Managed Accounts

5.9.3.1 Removing End-User Managed Accounts

5.9.4 About Directory Management

5.9.4.1 Importing User Directories

5.9.4.2 Synchronizing User Directory

5.9.4.3 Verifying User Directories

5.9.5 About Domain Management

5.9.5.1 Adding a Domain

5.9.5.2 Managing Domains

5.9.5.2.1 Enabling Outbound Filtering for a Domain

5.9.6 About Co-Branding

5.9.6.1 Accessing the Co-Branded Administrator Console and End User Quarantine Website

5.9.7 Installing Web Services

5.9.8 Viewing Your Service Level Agreement

Chapter 1

1 Best Practice Configurations

1.1 Activating a domain

When activating a domain in Hosted Email Security, Trend Micro recommends making these changes to your MX record to reduce the chance of security vulnerability or an interruption of service while repointing your MX record.

See Repointing MX Records (Best Practice)

1.2 Adding Approved/Blocked Sender

• Approved Senders

Email messages from senders added to this list are not subject to IP reputation-based, spam, phish, or marketing message filtering. Hosted Email Security still performs malware and attachment scanning on all messages received and takes the action configured in policy rules after detecting a malware threat or an attachment policy violation. Go to Sender Filter > Approved Senders to display this screen.

• Blocked Senders

Hosted Email Security automatically blocks messages sent from addresses or domains added to the blocked list without subjecting the messages to any scanning. Go to Sender Filter > Blocked Senders to display this screen.

See Configuring Sender Filter

1.3 HES order of evaluating emails

Hosted Email Security follows a certain order when it evaluates each email that passes through its servers.

See General Order of Evaluation

1.4 Inbound Emails

1.4.1 Enable Valid Recipient check

Hosted Email Security uses user directories to help prevent backscatter (or outscatter) spam and Directory Harvest Attacks (DHA). Importing user directories lets Hosted Email Security know legitimate email addresses and domains in your organization.

See Using Directory Management

1.4.2 Make sure default virus policy is set to delete

By default the virus policy is already set to delete, but if it was modified to another action, set it back to delete to avoid any virus entering your system.

1. Log in to HES management console.

2. Go to Policy and look for Virus policy

3. Make sure action is set to delete.

1.4.3 Add filters to default spam and phish policy

Increase the spam detection level and enable Social Engineering Attack, including advanced analysis, to identify threats.

1. Log in to HES management console.

2. Go to Policy and look for Spam and policy

3. Click “And message attribute match”

4. Check all boxes and set Spam check to a higher level. Note that setting spam check higher might lead to more false positives, but it can also reduce false negative emails and avoid letting malicious emails in.

Note: If advanced analysis is enabled, Hosted Email Security performs observation and analysis on samples in a closed environment. Advanced analysis can delay the delivery of messages by 5 to 30 minutes.

1.4.4 Avoid long and complex regular expression in Keyword Expression

Regular expressions, often called regexes, are sets of symbols and syntactic elements used to match patterns of text. HES can use regular expressions (regex) to filter out keywords in the email.

Long and complex regular expressions are more prone to errors and false detections, so it's recommended to split a long and complex keyword expression into several entries.

See About Keyword Expressions
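An added example (not from the guide) of why splitting helps, using Python's `re` module as a stand-in for the HES keyword-expression engine, whose syntax may differ; all patterns and subject lines are constructed. In the long entry an alternation-precedence slip makes the bare word "invoice" match, and the audit can only blame the whole entry; the split entries are short enough to review, and each hit names the entry that fired.

```python
import re

# Constructed keyword expressions; Python's `re` stands in for the HES engine.
# Intended meaning of the long entry: "invoice/payment overdue",
# "wire transfer request/urgent", "account suspended/verification".
# Defect: '|' binds loosest, so the first branch is the bare word "invoice".
LONG_ENTRY = {
    "all-in-one": (
        r"invoice|payment\s+(overdue|past\s+due)"
        r"|wire\s+transfer\s+(request|urgent)"
        r"|account\s+(suspend|verif)\w*"
    )
}

# The same intent as several short, individually reviewable entries.
SPLIT_ENTRIES = {
    "overdue-payment": r"\b(invoice|payment)\s+(overdue|past\s+due)\b",
    "wire-transfer": r"\bwire\s+transfer\s+(request|urgent)\b",
    "account-lure": r"\baccount\s+(suspend|verif)\w*",
}

# Constructed test corpus: (subject line, should the policy match it?)
SAMPLES = [
    ("Invoice overdue: settle today", True),
    ("Urgent: wire transfer request from CEO", True),
    ("Your account verification is required", True),
    ("Invoice 4471 attached for your records", False),
    ("Team lunch on Friday", False),
]


def matching_entries(entries, text):
    """Return the names of the entries whose pattern occurs in text."""
    return [name for name, pattern in entries.items()
            if re.search(pattern, text, re.IGNORECASE)]


def audit(entries, samples):
    """Run every sample through the entries.

    Returns (false_positives, false_negatives). Each false positive is a
    (subject, [entry names]) pair, so the offending entry is identified.
    """
    false_positives, false_negatives = [], []
    for text, should_match in samples:
        hits = matching_entries(entries, text)
        if hits and not should_match:
            false_positives.append((text, hits))
        elif not hits and should_match:
            false_negatives.append(text)
    return false_positives, false_negatives


if __name__ == "__main__":
    for label, entries in (("long", LONG_ENTRY), ("split", SPLIT_ENTRIES)):
        fps, fns = audit(entries, SAMPLES)
        print(label, "false positives:", fps, "false negatives:", fns)
```

Running the same labelled corpus against each entry before saving it in a policy catches this kind of slip while the expression is still small enough to fix.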

1.5 Outbound Email

1.5.1 Add additional outbound spam and phish policy

HES Global Outbound Policy is a default rule in HES to avoid outbound spam and prevent HES outbound servers from being blacklisted by third-party Real-time Blackhole Lists (RBLs). The policy cannot be edited and is activated by default for all domains. The default action for this policy is “do not intercept”, and emails filtered by this policy will be sent to a special server to deliver the emails.

To control your outbound spam and phish emails, it’s recommended to create a new outbound spam and phish policy.

1. Log in to HES management console.

2. Go to Policy and click Add.

3. Change policy to “outgoing message”

4. Click Sender and add your domain, then save. Click Next.

5. Select “Message detected as” and tick all boxes. Click Next once done.

6. Select your action and click Next.

7. Input policy name and click Save.

1.6 Securing your Environment

Trend Micro Hosted Email Security prevents spam from entering your mail servers. However, there might be instances when you will still receive spam even after subscribing to HES. This occurs when the mail server is set to accept mails from another host. As a result, spam goes directly to the mail server without passing through the HES/HES-Inbound Filtering servers. To avoid this, here are the best practices in preventing spam.

1.6.1 Securing your Mail Server

1. Lock down your firewall

Make sure that all unnecessary ports and IP addresses are closed and blocked. Only allow trusted IP addresses, such as the ones from HES.

You may find HES server IP addresses below: HES IP addresses

2. Install On-premise mail server Anti-Malware

Although most of the malware and spam are blocked by HES, there are a few instances when malware/spam gets through to your mail server. This may be caused by having unnecessary ports and IP addresses open on your network, or it may not have been detected by the anti-spam/anti-malware patterns of HES at that time. So it will be best to have an On-premise scanner to combat this.

3. Only use one MX record for your domain

This MX record should be pointing to HES. This makes sure that all inbound mail is forced to go through HES for filtering before it goes to your mail server.

See Repointing MX Records (Best Practice)

4. Disable all open mail relay on your network.

1.6.2 Securing your Users/Clients

1. Do NOT click unknown links

Any links in email or on the internet should not be clicked unless they are from a trusted site.

2. Do NOT subscribe to untrusted newsletters

Unless it’s absolutely necessary and you’re sure that the site can be trusted.

1.7 Common Threat preventions

1.7.1 Spoof Emails

Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from a legitimate source when it actually was sent from a malicious one. To stop receiving emails from spoofed senders, aside from Securing your Mail Server and Securing your Users/Clients, follow the instructions below:

1. Avoid putting managed email addresses and domains in the Sender Filter Approved Sender or EUQ Approved Sender lists, as this will bypass IP reputation checking and Spam/Phish Rule scanning.

Check if the spoofed sender is listed on the Approved Senders List on the HES/HES-Inbound Filtering console. If the spoofed sender is listed, remove the spoofed sender from the Approved Senders List.

If not, check if the end-user is registered to the HES/HES-Inbound Filtering Web EUQ. If the owner of the spoofed address is registered to HES Web EUQ, make sure that the address is also not listed in the Web-EUQ Approved Senders list. To do this, you can:

• Ask the owner of the spoofed email address.

• On the HES/HES-Inbound Filtering console, go to Administration > End-User password and then query the email address.

2. Make sure that the Incoming Spam/Phish Rule is enabled and properly configured.

See Configuring Spam Criteria

3. Increase the aggressiveness of the Dynamic IP Reputation Settings.

See Understanding IP Reputation.

4. Create a policy for filtering spoofed emails from the same domain as the recipient.

Warning: Make sure inter-domain emails are not routed to the internet.

a. On your browser, log in to the HES management console

b. Go to Policy > Click Add

c. On This rule will apply to > Select Incoming message

d. Click Recipients > Select addresses > My Domains > Select your domain

e. Click Add > Click Save

f. Click Sender > Select addresses > My Domains > Select your domain

g. Click Add > Click Save

h. Click Next

i. Select Advanced > Select Any Match

j. Select Specified header matches > Click keyword expressions

k. Click Save

Note: Normal spoof emails spoof the recipient domain, and best practice is that emails from the same domain should not be routed out to the internet. Create a policy to filter emails coming from your own domain.

l. Click Next

m. On Intercept > Select Quarantine

n. Click Next. On Rule Name: Spoofed Email Filtering

o. Select Enable

p. Click Save

5. Enable SPF checking.

SPF is an open standard to prevent sender address forgery. SPF protects the envelope sender address that is used for the delivery of messages. HES enables you to configure SPF to ensure the sender's authenticity. SPF requires the owner of a domain to specify and publish their email sending policy in an SPF record in the domain's DNS zone, for example, which email servers they use to send email from their domain. When an email server receives a message claiming to come from that domain, the receiving server verifies whether the message complies with the domain's stated policy or not. If, for example, the message comes from an unknown server, it can be considered as fake. For more information about SPF, refer to About Sender Policy Framework (SPF).

• Create an SPF TXT record for your domain. See http://esupport.trendmicro.com/solution/en-US/1113466.aspx if you are using HES outbound.

• Enable SPF checking in HES. See http://esupport.trendmicro.com/solution/en-US/1113466.aspx

• Create a policy to track emails tagged by HES SPF checking.

1. On your browser, log in to the HES management console

2. Go to Policy > Click Add

3. On This rule will apply to > Select Incoming message

4. Click Recipients > Select addresses > My Domains > Select your domain

5. Click Add > Click Save

6. Click Next

7. On criteria, select Advanced, then check Specified header matches.

8. Click Keyword expressions beside header match.

9. Check all the boxes and click Add.

10. Type a List name (ex. "SPF match") and under Match select Any specified. Click Add.

11. Add the keyword "X-TM-Received-SPF: SPF result", then save. Ex. X-TM-Received-SPF: Fail. See Enabling or Disabling Sender Policy Framework (SPF) for SPF results.

12. Click Save.

13. Select the created Keyword and click Add, then Save.

14. Click Next.

15. Select the chosen Actions and click Next.

16. Type a Rule Name and save.
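Steps 4 and 5 above come down to two header checks, shown here as an added example that is not part of the Trend Micro guide: a sender in one of your own domains on an inbound message, and the SPF result recorded in X-TM-Received-SPF. It assumes the result is the first word of the header value (as in the guide's "X-TM-Received-SPF: Fail"), that Return-Path holds the envelope sender, and that fail and softfail are the results worth tracking; the messages and domains are constructed.

```python
"""Triage inbound messages for same-domain senders and tracked SPF results."""
from email import message_from_string
from email.utils import parseaddr

MY_DOMAINS = {"example.com"}        # assumption: the domains managed in HES
SPF_TRACKED = {"fail", "softfail"}  # assumption: results the tracking policy matches


def _build(return_path, spf, header_from, to):
    """Build a constructed sample message with the headers the checks read."""
    headers = [
        "Return-Path: " + return_path,
        "X-TM-Received-SPF: " + spf,
        "From: " + header_from,
        "To: " + to,
        "Subject: constructed sample",
    ]
    return "\n".join(headers) + "\n\nbody\n"


# Envelope sender passes SPF for its own domain, but the visible From is ours.
MSG_SPOOFED_FROM = _build("<bounce@mailer.test>", "Pass",
                          '"IT Support" <it@example.com>', "alice@example.com")
# External sender whose sending server is not allowed by its SPF record.
MSG_SPF_FAIL = _build("<billing@partner.test>", "Fail",
                      "billing@partner.test", "alice@example.com")
# Ordinary external mail.
MSG_CLEAN = _build("<news@vendor.test>", "Pass",
                   "news@vendor.test", "alice@example.com")


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return the SPF result, sender domains and policy flags for one message."""
    msg = message_from_string(raw_message)
    tokens = (msg.get("X-TM-Received-SPF") or "").split()
    spf = tokens[0].strip("(;,").lower() if tokens else "missing"
    header_from = _domain(msg.get("From"))
    envelope_from = _domain(msg.get("Return-Path"))
    recipient = _domain(msg.get("To"))

    flags = []
    # Step 4: inbound mail to our domain that also claims to come from it.
    if recipient in MY_DOMAINS and (header_from in MY_DOMAINS
                                    or envelope_from in MY_DOMAINS):
        flags.append("same-domain-sender")
    # Step 5: SPF covers only the envelope sender, so it is checked separately.
    if spf in SPF_TRACKED:
        flags.append("spf-" + spf)
    return {"spf": spf, "from": header_from,
            "envelope": envelope_from, "flags": flags}


if __name__ == "__main__":
    for sample in (MSG_SPOOFED_FROM, MSG_SPF_FAIL, MSG_CLEAN):
        print(triage(sample))
```

The first sample shows why both policies are needed: SPF passes because it validates only the envelope sender, while the visible From address still uses the recipient's own domain.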

1.7.2 Backscatter (or "outscatter") spam and Directory Harvest Attacks (DHA) Emails

Hosted Email Security uses user directories to help prevent backscatter (or outscatter) spam and Directory Harvest Attacks (DHA). Importing user directories lets Hosted Email Security know legitimate email addresses and domains in your organization.

• Enable Directory management to prevent these types of malicious emails. See About Directory Management.

1.7.3 Zero day unknown Threats

• Enable Advance Threat Scan Engine and Perform advanced analysis to identify high risk objects.

Hosted Email Security (HES) now supports Deep Discovery Analyzer as a Service (DDAaas). It is a cloud-based web service that acts as an external analyzer. Enabling this feature will help to detect macro embedded files. It identifies suspicious files, sends them to the sandbox and then takes an action. To integrate HES with Deep Discovery Analyzer as a Service (DDAaas):

1. Log in to the HES management console.

2. Go to Policy and select Viruses or Malicious Code.

3. Under Specify advanced settings, tick the Enable Advance Threat Scan Engine and Perform advanced analysis to identify high risk objects options.

4. Click Save.

HES can perform advanced analysis on samples in a closed environment to identify suspicious objects that traditional scanning may not detect. When enabled, HES delays the delivery of the messages until the advanced analysis completes, which may take up to 30 minutes.

1.7.4 Ransomware/Macro Virus Emails

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to restore access to their systems, or to get their data back.

Ransomware can be downloaded by unwitting users who visit malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some ransomware is delivered as attachments to spammed email.

Increase protection from ransomware threats in HES by following the guide below. See Ransomware protection using Hosted Email Security.

Chapter 2

2 Product Description

Trend Micro™ Hosted Email Security is a no-maintenance solution that delivers continuously updated protection to stop spam, phishing, and malware before they reach your network.

Using Trend Micro Hosted Email Security, mail administrators can set up rules to remove detected viruses and other malware from incoming messages before they reach the corporate network. Administrators can quarantine detected spam and other inappropriate messages. Then, intended message recipients or mail administrators can choose to release or delete the quarantined messages.

2.1 Mail Flow

2.1.1 Inbound Scanning

1. The originating MTA performs a DNS lookup of the MX record for example.com to determine the location of the example.com domain.

The MX record for example.com points to the IP address of the Hosted Email Security MTA instead of the original example.com Inbound Server.

2. The originating MTA routes messages to Hosted Email Security.

3. The Hosted Email Security MTA accepts the connection from the originating mail server.

4. Hosted Email Security performs IP reputation-based filtering at the MTA connection level to decide on an action to take. Actions include the following:

• Hosted Email Security terminates the connection, rejecting the messages.

• Hosted Email Security accepts the messages and filters them using content-based policy filtering.

See IP Reputation-Based Filtering at the MTA Connection Level.

5. Hosted Email Security examines the message contents to determine whether the message contains malware such as a virus, or if it is spam, and so on.

See Content-Based Filtering at the Message Level.

6. Assuming that a message is slated for delivery according to the domain policy rules, the Hosted Email Security MTA routes the message to the original example.com Inbound Server.

2.1.1.1 IP Reputation-Based Filtering at the MTA Connection Level

When an originating or upstream MTA attempts to connect to a Hosted Email Security MTA, the Hosted Email Security MTA queries Trend Micro Email Reputation Services (ERS) to determine whether the IP address of the upstream MTA has a "trustworthy" reputation in the database. Based on the upstream MTA's reputation and the selections on the Hosted Email Security IP Reputation Settings screen, Hosted Email Security may terminate the connection, rejecting the messages. This is IP reputation-based filtering at the MTA connection level.

Hosted Email Security terminates upstream MTA connections in the following ways:

• If the sending IP address is a known source of spam, the IP address of the sending server is marked "untrustworthy" according to the reputation database. Hosted Email Security permanently rejects connection attempts from such IP addresses by responding with a 550 error (a rejection of the requested connection).

• If the sender's computer is part of a botnet or is a zombie PC, the IP address can be found in the Email Reputation Services (ERS) dynamic reputation database that identifies spam sources as they emerge and for as long as they are active. Hosted Email Security informs the sending server that Hosted Email Security is temporarily unavailable by responding with a 450 error (a temporary failure of the requested connection). If the sending server is legitimate, it will try again later.

Hosted Email Security performs this filtering prior to receiving the actual message; therefore the content of the message is not yet scanned.

To manually override IP reputation-based filtering at the MTA connection level, add IP addresses to the lists on the Approved and Blocked IP Addresses screen.

2.1.1.1.1 Content-Based Filtering at the Message Level

When an originating or upstream MTA attempts to connect to a Hosted Email Security MTA, the Hosted Email Security MTA queries Trend Micro Email Reputation Services (ERS) to determine whether the IP address of the upstream MTA has a "trustworthy" reputation in the database. Based on the upstream MTA's reputation and the selections on the Hosted Email Security IP Reputation Settings screen, Hosted Email Security may terminate the connection, rejecting the messages. This is IP reputation-based filtering at the MTA connection level.

Hosted Email Security terminates upstream MTA connections in the following ways:

• If the sending IP address is a known source of spam, the IP address of the sending server is marked "untrustworthy" according to the reputation database. Hosted Email Security permanently rejects connection attempts from such IP addresses by responding with a 550 error (a rejection of the requested connection).

• If the sender's computer is part of a botnet or is a zombie PC, the IP address can be found in the Email Reputation Services (ERS) dynamic reputation database that identifies spam sources as they emerge and for as long as they are active. Hosted Email Security informs the sending server that Hosted Email Security is temporarily unavailable by responding with a 450 error (a temporary failure of the requested connection). If the sending server is legitimate, it will try again later.

Hosted Email Security performs this filtering prior to receiving the actual message; therefore the content of the message is not yet scanned.

To manually override IP reputation-based filtering at the MTA connection level, add IP addresses to the lists on the Approved and Blocked IP Addresses screen.

2.1.1.2 General Order of Evaluation

1. Sender email addresses filtering:

Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

See Sender Filter Order of Evaluation.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.

2. IP reputation-based filtering at the MTA connection level:

Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.

See IP Reputation Order of Evaluation.

Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.

3. Domain-level policy filtering:

Messages will pass each one of the policies for filtering depending on the action on the first triggered policy. See Sender Filter Order of Evaluation.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.

Note: Hosted Email Security takes action on email messages that pass Email Reputation and custom approved list filtering using the policy rules configured for content-based filters. For example, Hosted Email Security may quarantine an infected email message from an address in the approved senders list if you have configured content-based filtering to quarantine malware threats.

Tip: Hosted Email Security default rules delete all detected viruses, malicious content, phish, and spam.

2.1.1.3 Sender Filter Order of Evaluation

Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.

Evaluation is done in the following order:

1. End User Quarantine website Approved Senders lists

2. Administrator console Approved Senders lists

3. End User Quarantine website Blocked Senders lists

4. Administrator console Blocked Senders lists

2.1.1.4 IP Reputation Order of Evaluation

Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.

Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.

The order of evaluation for IP addresses in the lists on the Approved and Blocked IP Addresses screen is based on which list contains the IP address or Classless Inter-Domain Routing (CIDR) block.

Evaluation is done in the following order:

1. The IP Addresses list

a) On the Approved screen

b) On the Blocked screen

2. The Country/Region list

a) On the Approved screen

b) On the Blocked screen

3. The selected standard IP reputation database lists on the IP Reputation Settings screen

4. The adjusted dynamic IP reputation database lists on the IP Reputation Settings screen

An IP address added to the IP Addresses list on the Approved screen will not be blocked even if that IP address is also in a CIDR block listed on the Blocked screen. Furthermore, that IP address will not be blocked even if it is also in the Known Spam Source standard IP reputation database list.

Important: IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level.
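The first-match order described above can be modelled in a few lines. The following is an added example, not Trend Micro code: the list contents are constructed from documentation address ranges, the country code is passed in as an assumption (the service resolves it itself), and no SMTP code is shown for the administrator lists because the guide does not state one.

```python
"""Model of the IP reputation order of evaluation: the first matching list wins."""
import ipaddress

# Constructed configuration using documentation address ranges.
CFG = {
    "approved_ips": ["203.0.113.7"],
    "blocked_ips": ["203.0.113.0/24"],
    "approved_countries": set(),
    "blocked_countries": {"ZZ"},                       # placeholder country code
    "standard_db": ["203.0.113.0/24", "192.0.2.0/25"],  # known spam sources
    "dynamic_db": ["192.0.2.128/25"],                   # botnet / zombie sources
}


def _listed(ip, cidrs):
    """True if ip falls inside any address or CIDR block in cidrs."""
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)


def evaluate_connection(ip_str, country, cfg):
    """Return the first list that matches the connecting IP and the outcome.

    Order follows section 2.1.1.4: IP Addresses list (Approved, then Blocked),
    Country/Region list (Approved, then Blocked), standard reputation
    database, dynamic reputation database.
    """
    ip = ipaddress.ip_address(ip_str)
    checks = [
        ("approved IP list", _listed(ip, cfg["approved_ips"]), "accept", None),
        ("blocked IP list", _listed(ip, cfg["blocked_ips"]), "block", None),
        ("approved country list", country in cfg["approved_countries"], "accept", None),
        ("blocked country list", country in cfg["blocked_countries"], "block", None),
        # Known spam source: permanent rejection with a 550 error.
        ("standard reputation database", _listed(ip, cfg["standard_db"]), "reject", 550),
        # Emerging spam source: temporary failure with a 450 error.
        ("dynamic reputation database", _listed(ip, cfg["dynamic_db"]), "tempfail", 450),
    ]
    for name, matched, verdict, smtp in checks:
        if matched:
            return {"matched": name, "verdict": verdict, "smtp": smtp}
    # No list matched: the connection is accepted and content filtering follows.
    return {"matched": None, "verdict": "accept", "smtp": None}


if __name__ == "__main__":
    for ip, cc in [("203.0.113.7", "ZZ"), ("203.0.113.8", "US"),
                   ("192.0.2.10", "US"), ("192.0.2.200", "US")]:
        print(ip, cc, evaluate_connection(ip, cc, CFG))
```

The first sample address is in the approved list, a blocked CIDR block, a blocked country and the standard database at once, and is still accepted, which is why entries on the Approved screen deserve the same review as firewall allow rules.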

2.1.1.5 Policy Order of Evaluation

Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.

See About Rule Actions.

Evaluation is done in the following order:

a. "Intercept" actions: Actions in this class intercept the message, preventing it from reaching the original recipient. Intercept actions include deleting the entire message and re-addressing the message.

i. Delete
ii. Deliver Now
iii. Change Recipient
iv. Quarantine

b. "Modify" actions: Actions in this class change the message or its attachments. Modify actions include cleaning cleanable viruses, deleting message attachments, inserting a stamp in the message body, or tagging the subject line.

i. Cleaning Cleanable Viruses
ii. Deleting Matching Attachments
iii. Tagging the Subject Line
iv. Inserting a Stamp
v. Rule Tokens/Variables

c. "Monitor" actions: Actions in this class allow administrators to monitor messaging. Monitor actions include sending a notification message to others or sending a BCC (blind carbon copy) of the message to others.

i. Send Notification Action
ii. Bcc Action

d. "Scan Limitation" actions: Actions in this class allow administrators to reject or bypass scanning messages that exceed Hosted Email Security capabilities.

i. Rejecting Messages
ii. Bypassing Messages

e. "Encrypt Email Message" actions: Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.

2.1.2 Outbound Scanning

1. Mail server of example.com will forward the outbound email to Hosted Email Security.

2. Hosted Email Security servers accept the message and perform message filtering and policy matching on your behalf.

3. Assuming that the message is slated for delivery according to its security policy or validity status, the email will be forwarded to outbound MTAs.

4. Outbound MTAs will then route this email to the mail server of the recipient.

2.2 Message Retention

The following table shows message retention information:

Note: Incoming Message queue is up to 10 days but outgoing queue will only be kept for 1 day.

Chapter 3

3 Preparation

3.1 Service Requirements

Hosted Email Security does not require hardware on your premises. All scanning is hosted off-site at secure Trend Micro network operations centers. To access your web-based Hosted Email Security administrator console, you need a computer with access to the Internet.

The following are required before Hosted Email Security can be activated:

• An existing mail gateway or workgroup SMTP connection

For example:
o A local MTA or mail server
o A cloud-based MTA solution

• Access to domain MX records (DNS mail exchanger host records) for repointing MX records to the Hosted Email Security MTA (Contact your service provider, if necessary, for more information or configuration help.)

3.2 Default Hosted Email Security Settings

To ensure high-quality continuous service and to protect your network from common SMTP attacks such as mail floods and Zip of Death, Hosted Email Security has default settings. You can find the default service system limitations at the link below:

http://esupport.trendmicro.com/solution/en-US/1056545.aspx

Chapter 4

4 Getting Started

4.1 Registration

1. Contact your Trend Micro sales representative for an Activation Code. An Activation Code uses 37 characters, including hyphens, in the following format: XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

2. Go to https://clp.trendmicro.com/FullRegistration?T=TM

The Create Account or Sign In screen for the Trend Micro Customer License Portal appears.

You are asked, "Do you already have an account?"

3. Select the appropriate option from the following:

• If you do not already have a Trend Micro Business account, select No, I am a first time user.

• If you already have a Trend Micro Business account, do the following:

a. Select Yes, I already have a Trend Micro Business account.

b. Click Continue.

The Customer License Portal Sign In appears.

c. Sign in to your Trend Micro Business account.

The Enter Your Key screen appears.

4. Type your Hosted Email Security Activation Code.

Trend Micro sends you an email message with your Customer License Portal sign in information, including your account user name, the console web address, and your Activation Code.

5. Start the Hosted Email Security activation process.

4.2 Starting the Activation Process

1. Log on the Hosted Email Security administrator console. See Accessing the Administrator Console.

If no domains are active when you log on the administrator console, you will go directly to the Service Activation screen. Use this screen to activate the domains you want to manage through Hosted Email Security. To manage domains in Hosted Email Security after activation, see the Administrator's Guide.

2. Type the information for your current MTAs or mail servers in the following fields:

• Domain name: Includes everything to the right of the at sign (@) in email addresses managed by the server(s) being activated

• Seat count: Seats correspond to the number of actual email users in the domain

• Inbound server(s)

Note: You can specify up to 30 inbound servers and 30 outbound servers. Use the add and the remove buttons to manage additional entries.

a. IP address or FQDN: Fully qualified domain name (FQDN) is a unique name, which includes both host name and domain name, and resolves to a single IP address.

i. For example: hostmaster1.example.com or mailhost.example.com
ii. Not valid: example.com

b. Port: Port is a number from 0-65535 that an inbound server listens on. These ports vary based on server configuration. Well-known ports for email servers include SMTP at 25, SMTPS at 465, and MSA at 587.

c. Preference: Preference, sometimes referred to as distance, is a value from 1 to 100.

Note: If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server.

• Optionally, select Enable outbound filtering and refer to the following table:

Warning: Enabling outbound filtering without specifying outbound servers will prevent the delivery of any outbound traffic routed through the service.

Steps to Configure Outbound Filtering

Email Solution | Steps
You currently use Office 365 | Select Use Office 365.
You currently use Google Apps | Select Use Google Apps.
You do not use Office 365 or Google Apps | Select Specify IP address(es). Type the IP address(es) of your outbound server(s).

• Send test message to: Optional email address used to confirm email delivery from Hosted Email Security. Manually send test messages from the Domain Management Details screen.

3. Click Add Domain.

If the domain is valid and an MX record for the domain exists, the domain appears in the Domains table at the bottom of the screen.

4. Click Submit.

Trend Micro sends a welcome message to the administrative email address on record confirming that your domain has been added successfully and stating: "This welcome message confirms your domain has been successfully added."

Warning: Do not repoint your MX record until you receive the message confirming that your domain has been added. The administrative email address on record should receive the welcome message, which is that confirmation. If you repoint your MX record before your domain has been successfully added, your email messages may be lost.

5. If you currently use Office 365, you can configure Office 365 connectors to allow email traffic to or from Hosted Email Security MTAs.

See Adding Office 365 Inbound Connectors.

See Adding Office 365 Outbound Connectors.

6. Finalize your activation.

4.2.1 Adding Office 365 Inbound Connectors

Before integrating your Microsoft Office 365 managed domain name with Hosted Email Security, perform all steps recommended by Microsoft to complete configuration of Office 365 email management for your domain.

To configure inbound connectors, ensure that you have the following:

• Office 365 administrator account
• Hosted Email Security administrator account
• Office 365 designation server address
• Hosted Email Security welcome email message for created domain
• Mail domain administrator account privileges

Some organizations use Microsoft Office 365 to remotely host their email architecture, allowing Microsoft to manage the day-to-day aspects of maintaining their email servers. Hosted Email Security integrates with Office 365 to provide additional security and benefits. Configure Office 365 connectors to allow email traffic to and from Hosted Email Security MTAs.

Important: Consult the Microsoft Office 365 help for information about adding connectors. Some Office 365 plans do not offer connectors. http://technet.microsoft.com/en-us/library/exchange-online-mail-flow.aspx

1. Log on your Microsoft Office 365 admin center account.

2. In the navigation on the left, go to Service Settings.

3. Under mail flow, click Custom mail rules.

4. In the navigation at the top, go to connectors.

5. Add an Inbound Connector to Office 365.

Configure Office 365 to accept mail filtered by Hosted Email Security for delivery to email accounts in your Office 365 managed domain.

a. Under Inbound Connectors, click the plus icon. A new connector configuration screen appears, displaying the general tab.

b. In the Name field, type a descriptive name for the connector. For example, type Trend Micro Hosted Email Security.

c. Select Enable inbound connector.

d. Under Connector Type, select Partner.

e. Click save.

f. In the navigation on the left, go to security.

g. Under Connection Security, select Opportunistic TLS.

h. Under Domain Restrictions, select None.

i. In the navigation on the left, go to scope.

j. In the Domains field, add your Office 365 managed domain name.

• For example: example.com
• Not valid: hostmaster1.example.com or mailhost.example.com

k. In the IP addresses field, add the following Hosted Email Security IP addresses:

HES IP addresses

l. Click save.

m. Confirm that Enabled is selected for the newly added connector.

4.2.2 Adding Office 365 Outbound Connectors

To configure outbound connectors, ensure that you have the following:

• Office 365 administrator account
• Hosted Email Security administrator account
• Hosted Email Security welcome email message for created domain

Some organizations use Microsoft Office 365 to remotely host their email architecture, allowing Microsoft to manage the day-to-day aspects of maintaining their email servers. Hosted Email Security integrates with Office 365 to provide additional security and benefits. Configure Office 365 connectors to allow email traffic to and from Hosted Email Security MTAs.

Add an Outbound Connector to Office 365.

Configure Office 365 to relay outbound mail to Hosted Email Security for filtering and delivery to recipients outside of your Office 365 managed domain.

a. Under Outbound Connectors, click the plus icon. A new connector configuration screen appears, displaying the general tab.

b. In the Name field, type a descriptive name for the connector.

For example, type Trend Micro Hosted Email Security.

c. Select Enable outbound connector.

d. Under Connector Type, select Partner.

e. Click save.

f. In the navigation on the left, go to security.

g. Under Connection Security, select Opportunistic TLS.

h. Under Outbound Delivery, select Route mail through smart hosts.

i. In the Domains field, add the FQDN for your Office 365 managed domain name.

• For example: hostmaster1.example.com or mailhost.example.com

• Not valid: example.com

j. Under Send domains, add the outbound domains that should be applied to this connector.

k. Click save.

l. Confirm that Enabled is selected for the newly added connector.

4.3 Finalizing Activation

To finalize your activation, point your MX record to the Hosted Email Security MTA for your region.

Trend Micro will not activate your domain until the MX record for your domain points to a Hosted Email Security MTA.

Warning: Do not repoint your MX record until you receive the message confirming that your domain has been added. The administrative email address on record should receive the welcome message, which is that confirmation. If you repoint your MX record before your domain has been successfully added, your email messages may be lost.

1. Point your managed domain MX records to the Hosted Email Security MTA for your region.

• For Europe, the Middle East, Africa: in.hes.trendmicro.eu
• For all other regions: in.hes.trendmicro.com

2. If you added Outbound Servers when you added your domain, configure those servers to relay mail through the following Hosted Email Security MTA for your region:

• For Europe, the Middle East, Africa: relay.hes.trendmicro.eu
• For all other regions: relay.hes.trendmicro.com

3. To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages only from the following Hosted Email Security IP address/CIDR blocks: HES IP addresses

Tip: Use an asterisk (*) to include all outbound domains.

Tip: If your company does not have standardized procedures for pointing MX records, or you would like additional guidance, Trend Micro recommends using the following procedure, which also includes all other steps on this page: See Repointing MX Records (Best Practice).

4.3.1 Repointing MX Records (Best Practice)

When activating a domain in Hosted Email Security, Trend Micro recommends making three step-wise changes to your MX record to reduce the chance of security vulnerability or an interruption of service while repointing your MX record.

Before starting the procedure below, optionally learn about MX records.

See: About MX Records and Hosted Email Security

1. Modify the MX record for your domain. Add a pointer to the Hosted Email Security MTA for your region. Set the preference number to the lowest priority/highest distance of all your MTAs.

Tip: Preference, sometimes referred to as distance, is a value from 1 to 100. If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server. The higher the preference number, the lower the priority of the MX record.

• For Europe, the Middle East, Africa: in.hes.trendmicro.eu

<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 100, mail exchanger = in.hes.trendmicro.eu

• For all other regions: in.hes.trendmicro.com

<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 100, mail exchanger = in.hes.trendmicro.com

2. Verify that the status of your domain displays as "Activated" in the administrator console.

Tip: DNS propagation can take up to 48 hours. The status of the domain you are adding does not change until DNS propagation is complete. During this time, do not turn off any on-premises security. You may receive some email messages directly for a short time until the transition completes.

While waiting for DNS propagation, you can use the administrator console to customize the domain settings for Policy, Approved Senders, IP Reputation, and Directory Management. See the Administrator's Guide for more information and procedures.

a. Log on the administrator console.

See Accessing the Administrator Console.

b. Go to Administration > Domain Management.

c. In the Domains list, verify that the Status for the domain displays as "Activated".

Tip: If the status of a domain displays as "Adding" for more than 48 hours, confirm the MX record for that domain is pointed to a Hosted Email Security MTA. Open a command prompt and type one of the following:

For Linux: dig mx <domain_name>
For Windows: nslookup -q=mx <domain_name>

When domain status displays as "Activated", the service will begin relaying email to your MTA.

3. Modify the MX record for your domain. Set the preference number for the pointer to the Hosted Email Security MTA for your region to the highest priority/lowest distance of all your MTAs.

Tip:

The lower the preference number, the higher the priority of the MX record.

• For Europe, the Middle East, Africa: in.hes.trendmicro.eu

<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.eu

• For all other regions: in.hes.trendmicro.com

<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.com

4. To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages from all the following Hosted Email Security IP address/CIDR blocks: HES IP addresses

5. Verify that messages are being delivered from Hosted Email Security. To send a test message using the service, do the following:

a. Log on to the administrator console.

b. Go to Administration > Domain Management.

c. In the Domains list, click the newly-added domain name. The Domain Information screen appears.

d. In the Send test message to field, type an email address to send a test message to using the service.

e. Click Send.

6. Optionally, customize the domain settings for Policy, Approved Senders, IP Reputation, and Directory Management in the administrator console. See the Administrator's Guide for more information and procedures.


7. If you added Outbound Servers when you added your domain, configure those servers to relay mail through the following Hosted Email Security MTA for your region:

• For Europe, the Middle East, Africa: relay.hes.trendmicro.eu

• For all other regions: relay.hes.trendmicro.com

8. Modify the MX record for your domain. Delete all entries in the MX record not related to Hosted Email Security. This reduces the chance of spam being sent directly to your mail server.

• For Europe, the Middle East, Africa: in.hes.trendmicro.eu

<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.eu

• For all other regions: in.hes.trendmicro.com

<your_domain> MX preference = 10, mail exchanger = in.hes.trendmicro.com
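The MX state expected after steps 1, 3 and 8 can be checked mechanically from `dig +short mx <domain_name>` output. The Python below is an added example, not part of the Trend Micro guide; the `example.com` records are constructed samples, and the stage names and function names are labels chosen here.

```python
"""Classify MX records against the staged repointing procedure (added example)."""
from dataclasses import dataclass

# Inbound Hosted Email Security MTA names for the two regions named in the guide.
HES_INBOUND = frozenset({"in.hes.trendmicro.eu", "in.hes.trendmicro.com"})


@dataclass(frozen=True)
class MX:
    preference: int
    exchanger: str

    @property
    def is_hes(self) -> bool:
        return self.exchanger in HES_INBOUND


def parse_dig_short(text: str) -> list:
    """Parse `dig +short mx <domain>` output: one '<preference> <exchanger>.' per line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blank lines and dig comments
            continue
        fields = line.split()
        if len(fields) != 2 or not fields[0].isdigit():
            raise ValueError(f"not an MX answer line: {raw!r}")
        # DNS names are case-insensitive and dig prints a trailing root dot.
        records.append(MX(int(fields[0]), fields[1].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.preference, r.exchanger))


def classify(records) -> str:
    """Name the stage of the procedure that this MX set corresponds to."""
    hes = [r for r in records if r.is_hes]
    own = [r for r in records if not r.is_hes]
    if not records:
        return "no-mx"
    if not hes:
        return "not-started"
    if not own:
        return "step-8-hes-only"
    if min(r.preference for r in hes) > max(r.preference for r in own):
        return "step-1-hes-lowest-priority"
    if max(r.preference for r in hes) < min(r.preference for r in own):
        return "step-3-hes-highest-priority"
    return "mixed-priority"


def direct_delivery_hosts(records) -> list:
    """Exchangers that senders can still reach without passing through the service."""
    return [r.exchanger for r in records if not r.is_hes]


def review(dig_output: str) -> dict:
    """Summarise the stage, the remaining direct-delivery hosts and any warnings."""
    records = parse_dig_short(dig_output)
    stage = classify(records)
    warnings = []
    if stage == "mixed-priority":
        warnings.append("HES and own MTAs share or interleave preference values, "
                        "so delivery is not consistently routed through the service")
    if stage == "step-3-hes-highest-priority":
        warnings.append("own MTA is still published; senders can deliver to it "
                        "directly until step 8 removes it")
    return {"stage": stage, "direct": direct_delivery_hosts(records), "warnings": warnings}


# Constructed sample outputs (example.com is a placeholder domain).
STEP_1 = "20 mail.example.com.\n100 in.hes.trendmicro.com.\n"
STEP_3 = "10 in.hes.trendmicro.com.\n20 mail.example.com.\n"
STEP_8 = "10 in.hes.trendmicro.com.\n"
BALANCED = "10 in.hes.trendmicro.eu.\n10 mail.example.com.\n"

if __name__ == "__main__":
    for name, sample in [("step 1", STEP_1), ("step 3", STEP_3),
                         ("step 8", STEP_8), ("balanced", BALANCED)]:
        print(name, review(sample))
```

A result of `mixed-priority` corresponds to the case in the preference tip where equal values balance delivery between servers, which means part of the inbound mail reaches your MTA unfiltered.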

4.3.2 About MX Records and Hosted Email Security

Tip: To reduce the chance of a security vulnerability or an interruption of service while repointing your MX record, Trend Micro recommends using the following procedure: Repointing MX Records (Best Practice)

Make sure the MX record is entered exactly as provided in the Hosted Email Security welcome email.

DNS propagation can take up to 48 hours. The status of the domain you are adding does not change until DNS propagation is complete. During this time, do not turn off any on-premise security. You may receive some email messages directly for a short time until the transition completes.

An MX record (DNS mail exchanger host record) determines the message routing for all messages sent to a domain. To route messages destined for your domain through the Hosted Email Security MTA, you must repoint your MX record to the fully qualified domain name (FQDN) provided in the welcome email that Trend Micro sent you after you registered.

To disable Hosted Email Security, point your MX record to route all inbound SMTP traffic to your own mail server.

If you are unsure how to configure the MX records for your domain, contact your Internet Service Provider or your DNS technician. The following external links to MX record configuration help pages are provided for your convenience:

• GoDaddy: http://support.godaddy.com/help/article/680/managing-dns-for-your-domain-names

• Network Solutions: http://www.networksolutions.com/support/mx-records-mail-servers-2/

• Enom: http://www.enom.com/help/hostinghelp.asp?displaymenu=ok&hosthelp=9


• DreamHost: http://wiki.dreamhost.com/MX_record

• Yahoo! Small Business: http://help.yahoo.com/kb/index?page=content&y=PROD_YSB_DOMAIN&locale=en_US&id=SLN17921

4.4 Accessing the Administrator Console

Access the Hosted Email Security administrator console based on your licensing agreement with Trend Micro. Use one of the following methods:

• Sign in to your Trend Micro Business account using the Customer License Portal (CLP), then access the Hosted Email Security administrator console using the link provided there.

See Using CLP to Access the Administrator Console.

• Log on directly to your administrator console at the following web address for your region:

    • For Europe, the Middle East, Africa: https://tm.hes.trendmicro.eu

    • For all other regions: https://tm.hes.trendmicro.com

• Use one of the following authorized Trend Micro reseller credentials to access the administrator console for your managed accounts:

    • For xSP resellers, go to the following web address for your region:

        • For Europe, the Middle East, Africa: https://ui.hes.trendmicro.eu

        • For all other regions: https://ui.hes.trendmicro.com

    • For LMP resellers, substitute your Tenant ID for <tenant-id> in the following web address for your region:

        • For Europe, the Middle East, Africa: https://<tenant-id>.hes.trendmicro.eu

        • For all other regions: https://<tenant-id>.hes.trendmicro.com

4.4.1 Using CLP to Access the Administrator Console

Tip: When you register, Trend Micro sends you an email message with your Customer License Portal sign in information, including your account user name, the console web address, and your Activation Code.

1. Go to https://clp.trendmicro.com/FullRegistration?T=TM. The Create Account or Sign In screen for the Trend Micro Customer License Portal appears.


2. Select Yes, I already have a Trend Micro Business account.

3. Click Continue. The Customer License Portal Sign In appears.

4. Sign in to your Trend Micro Business account. The Enter Your Key screen appears.


5. Click Cancel. The My Products/Services screen appears.

6. Click Open Console in the box for Hosted Email Security.

7. The Hosted Email Security administrator console appears in a new tab or window.

Tip: Bookmark the address of the administrator console. Use the bookmark to be taken directly to the Hosted Email Security administrator console after signing in to your Trend Micro Business account.

End users can access the Hosted Email Security End-User Quarantine website for self-management. Share the End User Quarantine User's Guide and the following web address for your region with end users:

• For Europe, the Middle East, Africa: https://euq.hes.trendmicro.eu

• For all other regions: https://euq.hes.trendmicro.com


5 Management Console

5.1 Working with the Dashboard

The Dashboard displays charts for email traffic relayed through Hosted Email Security.

The following are the navigation tabs on the Dashboard:

To navigate between the charts, click the tabs.

Note: Data collected within the last 2 hours may not be displayed. The time zone of the browser accessing Hosted Email Security is used.

Select the data shown in charts and their corresponding thumbnail charts on the Summary tab of the Dashboard using the following controls and settings:

Table 1. All Charts Control Settings

Domain and direction of traffic
Select a domain and mail traffic direction using the following controls:

Tip: To select all domains, select all my domains from the Managed domain drop-down list.

Time periods
Select a time period at the top of each chart. The following are the definitions of time periods:

• Date: The most recent eight (8) days. Days are split into hours from 0:00 to 23:59. Because days start at midnight, charts with a time period of the current day will never show a full 24 hours of data.
• Week: The most recent eight (8) weeks. Weeks are the days from Sunday to Saturday. Because weeks start on Sunday, charts with a time period of the current week will never show a full seven (7) days of data.
• Month: The most recent two (2) months. Months are days from the first to the last day of the calendar month. Because months start on the first, charts with a time period of the current month will never show the full month of data.
• Last 12 months: The data for the last twelve months plus all days of the current month. Always shows more than one year of data.

Note: The specified time period only affects the data shown on the current chart and its corresponding thumbnail chart on the Summary tab. Changing the selection on a chart does not affect other charts.

Important: Click Refresh after selecting a new domain under Managed domain, selecting a new direction in the Direction drop-down list, or making any changes to other selections, such as the time period.

Table 2. Specific Charts

Chart or Tab: Settings

Volume, Bandwidth, Threats Details, Advanced Analysis Details: Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period.

Threats: Select a time period by Date, Week, Month, or Last 12 months to show the total percentage of messages by value for the selected time period.

Top Spam, Top Virus, Top Analyzed Advanced Threats: Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period. Use the Top violators drop-down list to select the number of email addresses that display on the chart.


5.1.1 Summary Chart

The Summary tab of the Dashboard provides an overview of data displayed on all other charts in one location. Click on a thumbnail to go to that chart's corresponding tab.


5.1.2 Volume Chart

The Volume tab of the Dashboard displays the total number of accepted and blocked messages and the total percentage of blocked messages.

Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts. The traffic direction slightly changes the data displayed on charts. The following is the specific data displayed:

Table 1. Detected Values on Charts

Columns: Detected Values, For Incoming Mail, For Outgoing Mail

Blocked
For Incoming Mail: The number of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering. Note: This value does not include messages blocked by content-based filtering.
For Outgoing Mail: The number of messages blocked using Hosted Email Security relay mail service filtering. Possible reasons for blocking include:
• Recipient address is not resolvable (such as someone@???.com).
• Spammers forged the mail sender address so the message appears to be coming from the customer domain.
• The customer's MTA is compromised and is sending spam messages (for example, it is an open relay).

Accepted
For Incoming Mail: The number of email messages passed by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering
For Outgoing Mail: The number of messages passed by Hosted Email Security relay mail service filtering

Blocked %
For Incoming Mail: The percentage of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering
For Outgoing Mail: The percentage of messages blocked by Hosted Email Security relay mail service filtering

Total: The total number of email messages processed

5.1.3 Bandwidth Chart

The Bandwidth tab of the Dashboard displays the total size of email messages accepted in KB.

Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts. The traffic direction does not change the data displayed on charts. The following is the specific data displayed:


Table 1. Detected Values on Charts

Columns: Detected Values, For Incoming Mail, For Outgoing Mail

Not Quarantined: The total size of email messages that Hosted Email Security did not quarantine

Quarantined: The total size of email messages that Hosted Email Security quarantined. Note: By default, no messages are quarantined. To begin using the quarantine, select a quarantine action for one or more policy rules.

Total Size: The total size of email messages scanned by Hosted Email Security

5.1.4 Threats Chart

The Threats tab of the Dashboard displays the total percentage of messages detected as threats.

Select a time period by Date, Week, Month, or Last 12 months to show the total percentage of messages by value for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts. The traffic direction slightly changes the data displayed on charts. The following is the specific data displayed:


Table 1. Detected Values on Charts

Columns: Detected Values, For Incoming Mail, For Outgoing Mail

Blocked
For Incoming Mail: The number of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering. Note: This value does not include messages blocked by content-based filtering.
For Outgoing Mail: The number of messages blocked using Hosted Email Security relay mail service filtering. Possible reasons for blocking include:
• Recipient address is not resolvable (such as someone@???.com).
• Spammers forged the mail sender address so the message appears to be coming from the customer domain.
• The customer's MTA is compromised and is sending spam messages (for example, it is an open relay).

Virus
For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat
For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat

Analyzed Advanced Threats
For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection and detected as high-risk using advanced analysis
For Outgoing Mail: Not available

Probable Advanced Threats
For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis
For Outgoing Mail: Not available

Ransomware
For Incoming Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware
For Outgoing Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware

Phish
For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats
For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats

Spam
For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam. Note: Hosted Email Security includes messages detected as marketing messages in the "Spam" category.
For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam

Other
For Incoming Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)
For Outgoing Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)

Clean
For Incoming Mail: The number of email messages that passed IP reputation-based and content-based filtering
For Outgoing Mail: The number of mail messages that passed Hosted Email Security relay mail service filtering

Total: The total number of email messages processed

5.1.5 Threats Details Chart

The Threat Details tab of the Dashboard displays the number of messages detected as threats and the total percentage of blocked messages.

For a summary of the total number of email messages scanned by detected category, refer to the table at the bottom of the Threat Details tab. This table is not shown in the thumbnail view on the Summary screen.


Select a time period by Date, Week, Month, or Last 12 months to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts. The traffic direction slightly changes the data displayed on charts. The following is the specific data displayed:

Table 1. Detected Values on Charts

Columns: Detected Values, For Incoming Mail, For Outgoing Mail

Blocked
For Incoming Mail: The number of email messages blocked by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering. Note: This value does not include messages blocked by content-based filtering.
For Outgoing Mail: The number of messages blocked using Hosted Email Security relay mail service filtering. Possible reasons for blocking include:
• Recipient address is not resolvable (such as someone@???.com).
• Spammers forged the mail sender address so the message appears to be coming from the customer domain.
• The customer's MTA is compromised and is sending spam messages (for example, it is an open relay).

Virus
For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat
For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as containing a malware threat

Analyzed Advanced Threats
For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection and detected as high-risk using advanced analysis
For Outgoing Mail: Not available

Probable Advanced Threats
For Incoming Mail: The number of email messages containing suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis
For Outgoing Mail: Not available

Ransomware
For Incoming Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware
For Outgoing Mail: The number of email messages containing URLs of sites that directly or indirectly facilitate the distribution of ransomware

Phish
For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats
For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as phishing threats

Spam
For Incoming Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam
For Outgoing Mail: The number of email messages that Hosted Email Security content-based filtering detected as spam
Note: Hosted Email Security includes messages detected as marketing messages in the "Spam" category.

Other
For Incoming Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)
For Outgoing Mail: The number of email messages detected by content-based policy rules (for example, attachment true file type)

Clean
For Incoming Mail: The number of email messages that passed IP reputation-based and content-based filtering
For Outgoing Mail: The number of mail messages that passed Hosted Email Security relay mail service filtering

Total: The total number of email messages processed

5.1.6 Advanced Analysis Details Chart

The Advanced Analysis Details tab of the Dashboard displays the number and level of threats detected by the advanced analysis based on the selected mail traffic direction.

Note: The data on this tab is displayed for incoming mail traffic only.

For a summary of the total number of email messages scanned by detected category, refer to the table at the bottom of the Threat Details tab. This table is not shown in the thumbnail view on the Summary screen.


5.1.7 Top Spam Chart

The Top Spam tab of the Dashboard displays the email addresses that sent or received the most spam messages based on the selected mail traffic direction. Hover over a bar to see details.


Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts. Use the Top violators drop-down list to select the number of email addresses that display on the chart.

5.1.8 Top Virus Chart

The Top Virus tab of the Dashboard displays the email addresses that sent or received the most messages containing malware threats based on the selected mail traffic direction. Hover over a bar to see details.


Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts. Use the Top violators drop-down list to select the number of email addresses that display on the chart.

5.1.9 Top Analyzed Advanced Threats

The Top Analyzed Advanced Threats tab of the Dashboard displays the email addresses that received the most messages containing advanced threats based on the selected mail traffic direction.

Note: The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show hourly or daily data for the selected time period. The specified time period only affects the data shown on this chart and its corresponding thumbnail chart on the Summary tab. Changing these selections does not affect other charts. Use the Top violators drop-down list to select the number of email addresses that display on the chart.


5.2 Configuring a Policy

The Policy screen shows a list of the currently defined rules and their status. From this screen you can add a new rule and edit, copy, or delete existing rules. The rules are displayed in a table, sorted by the order in which the rules are applied during scanning by Hosted Email Security. You can filter the information by using the drop-down lists at the top.

Table 1. Policy Terminology

Column: Description

Rules: Name of the rule.

Action: Action taken if the rule's criteria are met.

Order: The sequence of the rules.

Modified: Timestamp when the rule was last modified.

Last Used: Timestamp of when the rule was last used. If the rule has not yet been triggered, the value in this column will be "Never".

Status: Rule is enabled. Rule is disabled.

5.2.1 Managing Policy Rules

Hosted Email Security offers content-based filtering at the message level. Rules are the means by which messaging policies are applied to message traffic in Hosted Email Security. At any time, an administrator can see the rules that apply to their organization, and can make changes to the rules that comprise their policy, rename those rules, and create new rules. Each rule can be disabled if desired without losing its definition, and re-enabled at a later time.

Table 1. Policy Rule Tasks

Tasks: Steps

Adding Policy Rules

Tip: Often a new rule will be very similar to one you already have. In that case, it is usually easier to copy the rule and edit it rather than create a new rule from scratch.

Click Add.

1. Select the user(s), domain(s) or group(s) that the rule applies to. See Selecting User Accounts for Rules.

2. Select and configure criteria. See About Rule Target Criteria.

3. Select and configure actions. See About Rule Actions.

4. Edit the remaining rule parameters (rule name, whether it is enabled or not, and administrative options). See Naming and Enabling a Rule.

Copying Policy Rules: In the Rules list, select the rule to copy. Click Copy.

Editing Policy Rules: In the Rules list, click the name of the rule you want to edit and follow the selection procedures in Adding Policy Rules.

Deleting Policy Rules: In the Rules list, select the rule or rules to delete. Click Delete.

5.2.2 Selecting User Accounts for Rules

Configuring sender, recipient, and exclusion lists with specific users and groups is done using this screen. Its appearance differs slightly depending on which direction the messages are routed and whether Sender or Recipient addresses are being selected.

1. (For outgoing messages for Recipients and incoming messages for Senders only) Choose one of the following:

• Anyone to select any email addresses at all.
• Selected addresses.

2. From the drop-down list, select a means of adding selected addresses.

• My domains populates a list box below with the available domains.
• My groups populates a list box below with the available groups.
• Type address or domain provides a text entry field.

3. (For My Domains or My groups option) Select any desired domains or groups from that display and click Add >. The selected items are copied to the selected list at the right.

4. (For Type address or domain option) Type a specific domain or wildcarded address in the field and click Add >.

5. Click Save when the selected list includes all the user groups, domains, and addresses that you want in it.

5.2.3 About Rule Target Criteria

Rule criteria allow you to specify the conditions that the rule applies to messages scanned by Hosted Email Security.

The available criteria are shown in a list in the center of the screen. Some of these criteria have links to screens where you specify the associated details.

Table 1. Basic Criteria

Criteria: Filter Based On

No criteria: All messages

Message contains "viruses or malicious code": Detected viruses, worms, and other threats.

Message detected as
    "Spam": Detected spam.
    "Phish": Detected phish.
    "Marketing message": Detected marketing message.
    "Social engineering attack": Detected social engineering attack.

Advanced
Note: Select Advanced to display the "Advanced" criteria.
    "All Match", "Any Match": Specific attribute and content targets. See Configuring Advanced Criteria.

5.2.3.1 Configuring Virus or Malicious Code Criteria

The Message contains "viruses or malicious code" criteria allow you to create rules that take actions on messages that contain viruses, worms, or other malicious code.

1. Select Message contains.

2. Click the viruses or malicious code link on the Rule > Criteria screen.

The Viruses or Malicious Code screen appears.

3. To perform scanning for less conventional threats, select Enable Advanced Threat Scan Engine. See About Advanced Threat Scan Engine.

• Select Perform advanced analysis to identify threats, and then select the threat level from the drop-down list, to perform further observation and analysis for threats detected by the Advanced Threat Scan Engine.

• Select Include macro scanning during advanced analysis to include macro threats during observation and analysis.

Note: If advanced analysis is enabled, Hosted Email Security performs observation and analysis on samples in a closed environment. Advanced analysis can delay the delivery of messages by 5 to 30 minutes.

Hosted Email Security logs advanced threats as follows:

• "Probable Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis

Tip: Some detected files may be safe. Trend Micro recommends selecting the Quarantine action for suspected threats detected by the Advanced Threat Scan Engine.

• "Analyzed Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection using advanced analysis

Note: The Advanced Threat Scan Engine or Social Engineering Attack Protection consider messages as suspected threats according to the security level configured for advanced analysis. That is:

• If the High security level is configured for advanced analysis, then the action will be applied on all messages that exhibit any suspicious behavior.

• If the Medium security level is configured for advanced analysis, then the action will be applied on messages that have moderate to high probability of being malicious.

• If the Low security level is configured for advanced analysis, then the action will be applied only on messages that have high probability of being malicious.

4. Specify at least one of the following detection types.

Option: Description

Cleanable viruses or malicious code: Apply the rule to messages or attachments that contain cleanable viruses. Cleanable viruses are those that can be safely removed from the contents of the infected file, resulting in an uninfected copy of the original message or attachment.

Warning: Selecting Cleanable viruses or malicious code as rule criteria, and then selecting a rule action other than Delete or Clean, can result in infected messages or attachments entering your messaging environment. By default, Hosted Email Security is configured with virus rules to appropriately handle threats when it is installed.

Uncleanables with mass-mailing behavior: Apply the rule to messages that contain uncleanable viruses, worms, or other threats that cannot be removed from messages or attachments, and that propagate by mass-mailing copies of themselves.

Uncleanables without mass-mailing behavior: Select the categories below as desired:
• Spyware
• Dialers
• Hacking tools
• Password cracking applications
• Adware
• Joke programs
• Remote access tools
• All others


5.2.3.1.1 About Advanced Threat Scan Engine

The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks. Major features include:

• Detection of zero-day threats

• Detection of embedded exploit code

• Detection rules for known vulnerabilities

• Enhanced parsers for handling file deformities

Important: Because ATSE identifies both known and unknown advanced threats, enabling ATSE may increase the possibility of legitimate files being flagged as malicious.

5.2.3.2 Configuring Spam Criteria

The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.

Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.

1. Select Message detected as.

2. Select "Spam".

3. Choose a baseline spam catch rate.

• Lowest (most conservative)
• Low
• Moderately low
• Moderately high
• High
• Highest (most aggressive)


5.2.3.3 Configuring Phish Criteria

The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.

Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.

1. Select Message detected as.

2. Select "Phish and other suspicious content".

5.2.3.4 Configuring Marketing Message Criteria

Marketing messages are email messages that have commercial or fund-raising content that the user may have requested, but that often do not include an opt-out option.

The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.

Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.

1. Select Message detected as.

2. Select "Marketing message".

3. To omit the IP addresses of specific mail servers from this rule, select Exception list.

The Marketing Message Exception List screen appears.

Note: The rule will not apply to marketing messages from IP addresses in this exception list. The list is specific just to the rule being edited.

5.2.3.5 Configuring Social Engineering Attack Criteria

Social Engineering Attack Protection detects suspicious behavior related to social engineering attacks in email messages. For more information about social engineering attack detections, see Social Engineering Attack Log Details.

The Spam, Phish, Marketing message, or Social engineering attack criteria allow you to create rules that take actions on these types of potentially unwanted messages.


Note: Hosted Email Security does not apply content-based heuristic spam, phish, marketing message, or social engineering attack rules to email messages received from email addresses and domains listed on the Approved Senders screen.

1. Select Message detected as.

2. Select Social engineering attack.

• Select Perform advanced analysis to identify threats, and then select the threat level from the drop-down list, to perform further observation and analysis for threats detected by Social Engineering Attack Protection.


Hosted Email Security logs advanced threats as follows:

• "Probable Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed using advanced analysis

  Tip: Some detected files may be safe. Trend Micro recommends selecting the Quarantine action for suspected threats detected by Social Engineering Attack Protection.

• "Analyzed Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection using advanced analysis

Note: The Advanced Threat Scan Engine or Social Engineering Attack Protection considers messages as suspected threats according to the security level configured for advanced analysis. That is:

• If the High security level is configured for advanced analysis, then the action will be applied on all messages that exhibit any suspicious behavior.
• If the Medium security level is configured for advanced analysis, then the action will be applied on messages that have moderate to high probability of being malicious.
• If the Low security level is configured for advanced analysis, then the action will be applied only on messages that have high probability of being malicious.


5.2.3.6 Configuring Advanced Criteria

On the Criteria screen, select Advanced to display the advanced criteria. Do one of the following:

• Select "All Match" to the right of Advanced to trigger the rule only when all selected "Advanced" criteria are matched.
• Select "Any Match" to the right of Advanced to do the following:
  § Trigger the rule when any selected "Advanced" criteria are matched
  § Display the Attachment is "password protected" and Recipient number criteria in the "Advanced" criteria list

The following tables all contain the same information sorted differently. Use the following sorted tables to find appropriate "Advanced" criteria to filter messages by your desired rule targets:

Table 1. Advanced Criteria Sorted by Display Order

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Sorted by display order | Attachment is "name or extension" | Attachment name or extension |
| Sorted by display order | Attachment is "MIME content-type" | Attachment MIME content-type |
| Sorted by display order | Attachment is "true file type" | Attachment true file type |
| Sorted by display order | Message size is >, <= <number> KB, MB | Size |
| Sorted by display order | Subject matches "keyword expressions" | Keywords in headers and content |
| Sorted by display order | Subject is "blank" | Keywords in headers and content |
| Sorted by display order | Body matches "keyword expressions" | Keywords in headers and content |
| Sorted by display order | Specified header matches "keyword expressions" | Keywords in headers and content |
| Sorted by display order | Attachment content matches "keyword expressions" | Keywords in headers and content |
| Sorted by display order | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| Sorted by display order | Attachment number is >, <= <number> | Number of attachments |
| Sorted by display order | Attachment is "password protected" (Note: Select "Any Match" to the right of Advanced to display these criteria.) | Zipped, signed, or password-protected attachment |
| Sorted by display order | Recipient number >, <= <number> (Note: Select "Any Match" to the right of Advanced to display these criteria.) | Number of recipients |

Table 2. Advanced Criteria Sorted by Attribute and Content Targets

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Name and type attributes | Attachment is "name or extension" | Attachment name or extension |
| Name and type attributes | Attachment is "MIME content-type" | Attachment MIME content-type |
| Name and type attributes | Attachment is "true file type" | Attachment true file type |
| Size attributes | Message size is >, <= <number> KB, MB | Size |
| Size attributes | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| Keyword content | Subject matches "keyword expressions" | Keywords in headers and content |
| Keyword content | Subject is "blank" | Keywords in headers and content |
| Keyword content | Body matches "keyword expressions" | Keywords in headers and content |
| Keyword content | Specified header matches "keyword expressions" | Keywords in headers and content |
| Keyword content | Attachment content matches "keyword expressions" | Keywords in headers and content |
| Quantity attributes | Attachment number is >, <= <number> | Number of attachments |
| Quantity attributes | Recipient number >, <= <number> (Note: Select "Any Match" to the right of Advanced to display these criteria.) | Number of recipients |
| Compressed, signed, or encrypted attributes | Attachment is "password protected" (Note: Select "Any Match" to the right of Advanced to display these criteria.) | Zipped, signed, or password-protected attachment |

Table 3. Advanced Criteria Sorted by Message-Only or Attachment-Only Targets

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Message-only | Message size is >, <= <number> KB, MB | Size |
| Message-only | Subject matches "keyword expressions" | Keywords in headers and content |
| Message-only | Subject is "blank" | Keywords in headers and content |
| Message-only | Body matches "keyword expressions" | Keywords in headers and content |
| Message-only | Specified header matches "keyword expressions" | Keywords in headers and content |
| Message-only | Recipient number >, <= <number> (Note: Select "Any Match" to the right of Advanced to display these criteria.) | Number of recipients |
| Attachment-only | Attachment is "name or extension" | Attachment name or extension |
| Attachment-only | Attachment is "MIME content-type" | Attachment MIME content-type |
| Attachment-only | Attachment is "true file type" | Attachment true file type |
| Attachment-only | Attachment content matches "keyword expressions" | Keywords in headers and content |
| Attachment-only | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| Attachment-only | Attachment number is >, <= <number> | Number of attachments |
| Attachment-only | Attachment is "password protected" (Note: Select "Any Match" to the right of Advanced to display these criteria.) | Zipped, signed, or password-protected attachment |

5.2.3.6.1 About Keyword Expressions

Keyword expressions can be:
• Groups of literal text characters
• Patterns, defined using symbols (regular expressions) that describe a range of possible groupings of text
• A mixture of literal text and symbolic patterns

For example, a keyword expression might be a single word, a phrase, or even a substring; or it might be a pattern that defines a more general grouping of text, such as an asterisk used as a wildcard to stand in for any text of one or more characters in length.

Regular expressions, often called regexes, are sets of symbols and syntactic elements used to match patterns of text. The symbols stand in for character patterns or define how the expression is to be evaluated. Using regular expressions is a sophisticated way to search for complex character patterns in large blocks of text. For example, suppose you want to search for the occurrence of an email address, any email address, in a block of text. You can build a regular expression that will match any pattern of text that has any valid name string, followed by an @ character, followed by any valid domain name string, followed by a period, followed by any valid domain suffix string.

Hosted Email Security uses a subset of POSIX regular expression syntax. For a few simple examples, see Regular Expression Examples.

Tip: If your expression includes the characters \ | ( ) { } [ ] . ^ $ * + or ?, you must escape them by using a \ immediately before the character. Otherwise, they will be assumed to be regular expression operators rather than literal characters.


This help system contains a brief summary of common regex elements, but a thorough guide to regular expression syntax is beyond the scope of this help system. However, there are many sources of reference information available on the Web or in books.

5.2.3.6.1.1 Using Keyword Expressions

You can select existing keyword expressions from the list of those available. New keyword expressions can be defined and saved, either from scratch or by copying and editing an existing expression.

1. Select an existing keyword expression from the Available field.

2. Click the move button (Add>) to move the selected keyword expression to the Selected field.

Note: You can also add, edit, copy, or delete keyword expressions.

3. Repeat until you have moved all the keyword expressions you want to apply.

5.2.3.6.1.2 Adding Keyword Expressions

New keyword expressions can be defined and saved, and then applied to a rule.

1. Click Add.

2. Type a name for the list.

3. Select Match criteria:

• Select Any specified to match keywords based on a logical OR.
• Select All specified to match keywords based on a logical AND.
• Select Not the specified to apply the rule to messages that do not contain the keywords.

4. Click on individual keyword expressions in the list below to edit them.

5. Repeat until you have added your keyword expressions to the list.

5.2.3.6.1.3 Editing Keyword Expressions

Existing keyword expressions can be modified, or can be copied with a new name.

1. Click Edit.

2. Edit the Match criteria if desired:

• Select Any specified to match keywords based on a logical OR.
• Select All specified to match keywords based on a logical AND.
• Select Not the specified to apply the rule to messages that do not contain the keywords.

3. Click on individual keyword expressions in the list below to edit them.
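The escaping Tip and the three Match criteria above can be tried offline before a keyword list is saved. The following is an added example, not part of the guide or the product: Python's re module stands in for the product's POSIX subset, the sample subjects are constructed, and reading "Not the specified" as "none of the expressions match" is an assumption.

```python
import re

# Characters the Tip lists; each needs a preceding backslash to be literal.
METACHARS = set("\\|(){}[].^$*+?")

# Simplified pattern for the address example in the text: name string, "@",
# domain name string, period, domain suffix string. Not a full address grammar.
EMAIL_EXPR = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]+"


def escape_literal(text):
    """Backslash-escape every character from the Tip's list."""
    return "".join("\\" + ch if ch in METACHARS else ch for ch in text)


def list_matches(expressions, mode, text):
    """Evaluate one keyword list against text.

    mode is "any" (logical OR), "all" (logical AND) or "not" (the rule applies
    to messages that do not contain the keywords). Treating "not" as "none of
    the expressions match" is an assumption of this sketch.
    """
    hits = [re.search(expr, text) is not None for expr in expressions]
    if mode == "any":
        return any(hits)
    if mode == "all":
        return all(hits)
    if mode == "not":
        return not any(hits)
    raise ValueError("mode must be 'any', 'all' or 'not'")


# Constructed sample subjects.
SUBJECTS = [
    "Wire $1,000,000 today",
    "Re: invoice.pdf (final)",
    "invoiceXpdf final draft",
    "Contact billing@example.com for details",
]


def compare(literal):
    """Return (subjects hit by the raw literal, subjects hit once escaped)."""
    raw = [s for s in SUBJECTS if list_matches([literal], "any", s)]
    escaped = [s for s in SUBJECTS
               if list_matches([escape_literal(literal)], "any", s)]
    return raw, escaped


if __name__ == "__main__":
    for literal in ("$1,000,000", "invoice.pdf (final)"):
        raw, escaped = compare(literal)
        print(f"{literal!r}\n  unescaped hits: {raw}\n  escaped hits:   {escaped}")
    print([s for s in SUBJECTS if list_matches([EMAIL_EXPR], "any", s)])
```

Unescaped, "$1,000,000" can never match because $ anchors the end of the text, and "invoice.pdf (final)" misses the literal subject while hitting an unrelated one; both are rules that silently fail to fire as intended.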


5.2.3.6.2 Using Attachment Name or Extension Criteria

The Attachment is "name or extension" criteria allows you to create rules that take actions on messages based on the name or the extension of attachments a message contains.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select the Attachment is "name or extension" criteria.

3. Click the "name or extension" link.

   The Attachment Names screen appears.

4. From the drop-down list, select either Selected attachment names or not the selected attachment names.

5. If you want to block attachment names by file extension:

   a. Select File extensions to block (recommended) and/or File extensions to block (commonly exchanged).

   Note: The "recommended" category contains those file types that commonly act as containers for malware and are not types that are normally exchanged via email in an organization. This list includes extensions such as COM, DLL, and EXE. The commonly exchanged category includes file types that are commonly sent between members of an organization. The latter list includes the DOC extension used by Microsoft Word documents. These files are often used to propagate VB macro viruses, but they are also commonly exchanged within organizations.

   b. Click the open arrow buttons to drop down the lists of standard file extensions.

   c. Select the file extensions for Hosted Email Security to trigger on for this rule.

   d. Click the close arrow button to collapse the list.

6. If you want to block attachments with your own specified names or extensions:

   a. Select Attachments named.

   b. Type an extension to block or use an asterisk (*) as a substitute for any part of a filename.

   Tip: The following examples are valid:
   • doc or *.doc
   • docx or *.docx
   • doc* or *.doc*
   • LOVE-LETTER-FOR-YOU.TXT.vbs
   • LOVE-LETTER*.vbs

   c. Click Add. The file name is added to the list just below.


Tip: If there are any names in the list that you want to delete, select them and click Delete.

5.2.3.6.3 Using Attachment MIME Content-type Criteria

The Attachment is "MIME content-type" criteria allow you to create rules that take actions on messages based on the MIME content-type of attachments a message contains.

Note: Where the Attachment is "MIME content-type" criteria makes decisions based on the MIME content-type indicated, the Attachment is "true file type" criteria scans the headers of the actual attached files themselves for the identifying signatures.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select the Attachment is "MIME content-type" criteria.

3. Click the "MIME content-type" link.

   The Attachment MIME screen appears.

4. From the drop-down list, select either Selected attachment names or Not the selected attachment names.

5. Select the MIME types for Hosted Email Security to match on.

6. If you want to block attachments by explicit MIME content-types:

   a. Select Other MIME content-type.

   b. Type the names of the MIME content-types to block.

   Tip: The following examples are valid:
   • 3dm or *.3dm
   • 3dmf or *.3dmf

   Tip: If there are any names in the list that you want to delete, select them and click Delete.

5.2.3.6.4 Using Attachment True File Type Criteria

The Attachment is "true file type" criteria allows you to create rules that take actions on messages based on the true file type of attachments a message contains.

Note: Where the Attachment is "name or extension" criteria makes decisions based on just file names and/or extensions, the Attachment is "true file type" criteria scans the headers of the files themselves for the identifying signatures.


1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select the Attachment is "true file type" criteria.

3. Click the "true file type" link.

   The Attachment True File Type screen appears.

4. From the drop-down list, select selected attachment types or Not the selected attachment types.

5. Select the true file types for Hosted Email Security to match on.

Note: The Compressed file type of other includes only the following file types: ar, arc, amg, lzw, cab, lha, pklite, diet, lzh, and lz.
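The three attachment criteria in sections 5.2.3.6.2 to 5.2.3.6.4 look at different evidence: the file name, the declared MIME content-type, and the file's own leading bytes. The following added example (not Trend Micro code) evaluates all three against a constructed message whose attachment carries an executable header behind a .doc name; the signature table, the block lists, and the reading of a bare "doc" entry as "*.doc" are assumptions.

```python
import re
from email.message import EmailMessage

# A few well-known leading signatures; a real scanner knows many more.
MAGIC = [
    (b"MZ", "exe"),                                  # DOS/PE executable
    (b"PK\x03\x04", "zip"),                          # ZIP container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy Office (DOC)
    (b"%PDF-", "pdf"),
]


def true_file_type(data):
    """Identify content from its leading bytes, ignoring name and MIME type."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def name_matches(filename, entry):
    """Match a file name against one list entry, with * as the only wildcard.

    Assumption: an entry without a period ("doc", "doc*") is an extension,
    since the Tip pairs "doc" with "*.doc".
    """
    entry = entry.lower()
    if "." not in entry:
        entry = "*." + entry
    pattern = re.escape(entry).replace(r"\*", ".*")
    return re.fullmatch(pattern, filename.lower()) is not None


def evaluate(msg, names, mime_types, true_types):
    """Return, per attachment, which of the three criteria would match."""
    results = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        declared = part.get_content_type()
        sniffed = true_file_type(part.get_payload(decode=True) or b"")
        results[filename] = {
            "declared_mime": declared,
            "sniffed": sniffed,
            "name_or_extension": any(name_matches(filename, n) for n in names),
            "mime_content_type": declared in mime_types,
            "true_file_type": sniffed in true_types,
        }
    return results


def build_sample():
    """Constructed message: executable header behind a .doc name and MIME type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg


# Constructed block lists for the three criteria.
NAMES = ["exe", "com", "dll", "LOVE-LETTER*.vbs"]
MIME_TYPES = {"application/x-msdownload"}
TRUE_TYPES = {"exe"}

if __name__ == "__main__":
    report = evaluate(build_sample(), NAMES, MIME_TYPES, TRUE_TYPES)
    for name, row in report.items():
        print(name, row)
```

Only the true file type check flags invoice.doc, which is why a rule built on name or MIME content-type alone does not cover renamed files.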

5.2.3.6.5 Using Message Size Criteria

1. On the Criteria page, select Advanced to display the advanced criteria.

2. Select Message size is in the criteria list.

3. Select > or <= from the comparison drop-down list.

• Select > to apply the rule to messages that are larger than the specified size.
• Select <= to apply the rule to messages that are smaller than or equal to the specified size.

For example, <= 10 MB applies the rule to all messages that are smaller than or equal to 10 megabytes.

4. Type a number for the size.

5. Select a unit of measurement from the following choices:

• KB: Kilobytes
• MB: Megabytes

Note: The Message size is criteria is applied to the total size of a message, including any attachments it might contain.

For example, if a message contained two attachments, one a 3 MB attachment and the other a 1 MB attachment, a rule that deletes messages over 2 MB would delete the entire message, including both attachments.

5.2.3.6.6 Using Subject Matches Criteria

Hosted Email Security can scan the message subject for keyword expressions.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select Subject matches "keyword expressions".

3. Click the "keyword expressions" link.

4. Configure keywords.


5.2.3.6.7 Using Subject is Blank Criteria

Hosted Email Security can scan the message for a blank subject line.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select Subject is "blank".

5.2.3.6.8 Using Body Matches Criteria

Hosted Email Security can scan the message body for keyword expressions.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select Body matches.

3. Click the "keyword expressions" link.

4. Configure keywords.

5.2.3.6.9 Using Specified Header Matches Criteria

Hosted Email Security can scan the message headers for keyword expressions.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select Specified header matches.

3. Click the "keyword expressions" link.

4. Configure keywords.

5.2.3.6.10 Using Attachment Content Matches Keyword Criteria

The Attachment content matches "keyword expressions" criteria allows you to create rules that take actions on messages based on keyword expressions contained in a message.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select the Attachment content matches "keyword expressions" criteria.

3. Click the "keyword expressions" link. The Attachment Content Keyword Expressions screen appears.

4. Configure the keywords.

5.2.3.6.11 Using Attachment Size Criteria

The Attachment size is criteria allows you to create rules that take actions on messages based on the size of any attachments to the message.

1. On the Criteria screen, select Advanced to display the advanced criteria.


2. Select the Attachment size is criteria.

3. Select > or <= from the comparison drop-down list.

• Select > to apply the rule to attachments that are larger than the specified size.
• Select <= to apply the rule to attachments that are smaller than or equal to the specified size.

For example, <= 10 MB applies the rule to all messages that are equal to or smaller than 10 megabytes.

4. Type a value for the size.

5. Select a unit of measurement from the following choices:

• B: Bytes
• KB: Kilobytes
• MB: Megabytes

Note: The Attachment size is criteria is applied to the total size of each attachment.

For example, if a message contained two attachments, one a 3 MB attachment and the other a 1 MB attachment, a rule that deletes attachments over 2 MB would delete only the 3 MB attachment. The other attachment would not be deleted.

5.2.3.6.12 Using Attachment Number Criteria

The Attachment number is criteria allow you to create rules that take actions on messages based on the number of attachments the message contains.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select the Attachment number is criteria.

3. Select > or <= from the comparison drop-down list.

• Select > to apply the rule to messages that are sent with more than the specified number of attachments.
• Select <= to apply the rule to messages that have the same number or fewer than the specified number of attachments.

For example:

> 10 applies the rule to all messages that have more than 10 attachments.

<= 10 applies the rule to all messages that have 10 or fewer attachments.

4. Type the number of attachments to evaluate.

5.2.3.6.13 Using Attachment is Password Protected Criteria

Hosted Email Security can scan the message for a zipped, signed, or password-protected attachment.

1. On the Criteria screen, select Advanced to display the advanced criteria.


2. Select "Any Match".

   The Attachment is "password protected" and Recipient number criteria become available.

3. Select Attachment is "password protected".

5.2.3.6.14 Using the Number of Recipients Criteria

The Recipient Number criteria allows you to create rules that take actions on messages based on the number of recipients the message is addressed to.

1. On the Criteria screen, select Advanced to display the advanced criteria.

2. Select "Any Match". The Attachment is "password protected" and Recipient number criteria become available.

3. Select Recipient number.

4. Select > or <= from the comparison drop-down list.

• Select > to apply the rule to messages that are sent to more than the specified number of recipients.
• Select <= to apply the rule to messages that have the same number or fewer than the specified number of recipients.

For example:

> 10 applies the rule to all messages that have more than 10 recipients.

<= 10 applies the rule to all messages that have 10 or fewer recipients.

5. Type a value for the number of recipients.

5.2.4 About Rule Actions

Rule actions allow you to specify what happens to messages that satisfy the conditions of the rule's criteria. Actions fall into these classes:

• "Intercept" actions: Actions in this class intercept the message, preventing it from reaching the original recipient. Intercept actions include deleting the entire message and re-addressing the message.
• "Modify" actions: Actions in this class change the message or its attachments. Modify actions include cleaning cleanable viruses, deleting message attachments, inserting a stamp in the message body, or tagging the subject line.
• "Monitor" actions: Actions in this class allow administrators to monitor messaging. Monitor actions include sending a notification message to others or sending a BCC (blind carbon copy) of the message to others.
• "Scan Limitation" actions: Actions in this class allow administrators to reject or bypass scanning messages that exceed Hosted Email Security capabilities.


• "Encrypt Email Message" actions: Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.

  Note: This action only applies to outbound rules.

Each rule can contain:
• One and only one intercept action, and
• Any combination of modify or monitor actions

5.2.4.1 Specifying Rule Actions

• To add actions to a rule definition, select the desired action.
• To specify details of an action (where required), select the drop-down list, text field, or link that provides more detail for the rule.

For example, if the quarantine action is desired, you need to select which quarantine to send messages to when they trigger this rule. You also might want to create a new quarantine based on an existing one. You can click Edit there to begin that process.

5.2.4.2 "Intercept" Actions

"Intercept" actions prevent a message from being delivered to the mailbox of the original recipient. Instead, the message is deleted, quarantined, or sent to a different recipient.

"Intercept" actions are "terminal" actions. Once a terminal action executes, processing of that rule stops and no further action takes place for that rule.

Terminal actions execute following a strict priority order:

1. Delete the entire message.

2. Deliver the message now.

   Warning: The Deliver now action is not recommended for use as the only action. If you choose Deliver now as the only action for Spam mail, for example, all of that mail will simply be delivered to your recipients, as if there were no spam filter in place. If you use Deliver now with a virus rule, ensure that you also have a Delete action for the virus rule. Only the Delete action takes higher priority than Deliver now and so would be processed before it (and then terminates the processing of that rule). If you chose Deliver now as the only action for a virus rule, mail containing viruses would leak through unblocked.

3. Quarantine the message.


4. Re-address to another email recipient.

5.2.4.2.1 Using the Delete Action

This action deletes the message and all attachments. The message is recorded as deleted in the Hosted Email Security logs, but once deleted, the message cannot be recovered. It is one of the "intercept" category of actions.

To configure a rule action to delete a message: Select the Delete entire message action from the "Intercept" section.

5.2.4.2.2 Using the Deliver Now Action

Use the Deliver Now action to deliver email immediately. When this action takes effect, Hosted Email Security delivers the email without executing any more rules for the affected email.

All rules are auto-ordered for security and execution efficiency. Administrators are relieved of determining the order of rule execution. The Deliver Now action bypasses the automatic order of execution so that Hosted Email Security can deliver the email immediately.

Warning: The Deliver now action is not recommended for use as the only action. If you choose Deliver now as the only action for Spam mail, for example, all of that mail will simply be delivered to your recipients, as if there were no spam filter in place. If you use Deliver now with a virus rule, ensure that you also have a Delete action for the virus rule. Only the Delete action takes higher priority than Deliver now and so would be processed before it (and then terminates the processing of that rule). If you chose Deliver now as the only action for a virus rule, mail containing viruses would leak through unblocked.

1. Select the Deliver Now action from the "Intercept" section.

2. Click Next if you are creating a new rule, or Save if you are editing an existing rule.

3. Click OK on the Deliver now warning message that appears. The message closes.

4. If creating a new rule, type a name for the rule in the Rule Name field.

5.2.4.2.3 Using the Change Recipient Action

The Change Recipient action intercepts messages and sends them to a new recipient. This means that the original message recipient will not receive a copy of the message. It is one of the "intercept" class of actions. You can only select a recipient address that is in your domain.

Note: The Change Recipient action changes the recipient address in the message header. The message will be routed to the new address and the original recipient will not receive the message. The new recipient, however, will see the original recipient's address in the message header. To have a copy of the message sent to a different address while allowing the original message to go to the original recipient, select the BCC action.


Warning: Redirected messages may contain viruses or malicious code. Trend Micro recommends against redirecting messages to external addresses unless you have configured an outbound virus policy.

1. From the "Intercept" section of the Action page, select the Change Recipient action.

2. Type the email address of the recipient in the field. If you have more than one email address, enter them in the field separated by commas or semicolons.

5.2.4.2.4 Using the Quarantine Action

Quarantined items are now stored in a directory structure created by Hosted Email Security. This structure allows for increased performance when the service is saving items into quarantines or when users view them through the End User Quarantine website. Quarantined messages are indexed in the Hosted Email Security database to provide you with queries and improved search tools.

1. In the "Intercept" section of the Rule Action screen, select the Quarantine action.

2. Select a quarantine area from the drop-down list, or click Edit to create a new quarantine area.

5.2.4.3 "Modify" Actions

"Modify" actions change the message or its attachments. The original sender will still receive the modified message, assuming that the message does not trigger other rules with "Intercept" actions.

5.2.4.3.1 Cleaning Cleanable Viruses

This action will clean cleanable viruses (or other configured threats) contained in message attachments. If the threat cannot be cleaned, the message attachment that contains it will be deleted. Clean cleanable Viruses is one of the "Modify" class of actions.

Important: The Clean cleanable viruses, delete those that cannot be cleaned action is only available in policies with the target criteria of Message contains "viruses or malicious code". If the Clean cleanable viruses, delete those that cannot be cleaned action is used in the rule, and a message contains an uncleanable virus, the attachment will be deleted. The Delete matching attachments and Clean cleanable viruses, delete those that cannot be cleaned actions cannot be used in the same rule.

To configure a rule action to clean virus-infected attachments: From the "Modify" section of the Action page, select the Clean cleanable viruses, delete those that cannot be cleaned action.

5.2.4.3.2 Deleting Matching Attachments

This action deletes any attachments that match the rule criteria. It is one of the "Modify" category of actions.

Important: The Delete matching attachments and Clean cleanable viruses, delete those that cannot be cleaned actions cannot be used in the same rule.


The Delete matching attachments action is invoked only when one or more of the following criteria trigger a rule:

• Message contains "viruses or malicious code"
• Attachment is "name or extension"
• Attachment is "MIME content-type"
• Attachment is "true file type"
• Attachment is "password protected"
• Attachment size is
• Attachment content matches "keyword expressions"

For example, a "spam" rule with an action of Delete matching attachments does not delete any attachments if the only target criteria is Message contains "Spam". Add criteria from the list above to use the Delete matching attachments action.

To configure a rule action to delete attachments that match a criteria: Select Delete matching attachments from the "Modify" section.
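The warnings and constraints on rule actions stated above (Deliver now as the only action, virus criteria without Delete or Clean, Clean combined with Delete matching attachments, Delete matching attachments without an attachment criterion, encryption on non-outbound rules) can be checked mechanically when reviewing a policy. The following added example is not product code: the dictionary layout, action names, and finding codes are hypothetical, and the sample rules are constructed.

```python
# Criteria that can invoke "Delete matching attachments", as listed in the guide.
VIRUS = "viruses or malicious code"
ATTACHMENT_CRITERIA = {
    VIRUS, "name or extension", "MIME content-type", "true file type",
    "password protected", "attachment size",
    "attachment content keyword expressions",
}
# Terminal ("Intercept") actions, highest priority first, per section 5.2.4.2.
TERMINAL_PRIORITY = ["delete", "deliver_now", "quarantine", "change_recipient"]


def winning_terminal(actions):
    """Return the terminal action that executes first, or None."""
    for action in TERMINAL_PRIORITY:
        if action in actions:
            return action
    return None


def lint_rule(rule):
    """Return finding codes for one rule (hypothetical representation)."""
    criteria, actions = set(rule["criteria"]), set(rule["actions"])
    findings = []
    if actions == {"deliver_now"}:
        # Mail is delivered as if no filter were in place.
        findings.append("DELIVER_NOW_ONLY")
    if VIRUS in criteria and not actions & {"delete", "clean"}:
        # An action other than Delete or Clean can let infected mail through.
        findings.append("VIRUS_WITHOUT_DELETE_OR_CLEAN")
    if {"clean", "delete_matching_attachments"} <= actions:
        findings.append("CLEAN_WITH_DELETE_MATCHING")
    if "clean" in actions and VIRUS not in criteria:
        findings.append("CLEAN_WITHOUT_VIRUS_CRITERIA")
    if "delete_matching_attachments" in actions and not criteria & ATTACHMENT_CRITERIA:
        # The action is never invoked, so nothing is removed.
        findings.append("DELETE_MATCHING_NEVER_INVOKED")
    if "encrypt" in actions and rule["direction"] != "outbound":
        findings.append("ENCRYPT_ON_INBOUND")
    return findings


# Constructed sample rules.
RULES = [
    {"name": "Spam passthrough", "direction": "inbound",
     "criteria": ["spam"], "actions": ["deliver_now"]},
    {"name": "Virus deliver", "direction": "inbound",
     "criteria": [VIRUS], "actions": ["deliver_now"]},
    {"name": "Virus clean and strip", "direction": "inbound",
     "criteria": [VIRUS], "actions": ["clean", "delete_matching_attachments"]},
    {"name": "Spam strip", "direction": "inbound",
     "criteria": ["spam"], "actions": ["delete_matching_attachments", "tag_subject"]},
    {"name": "Inbound encrypt", "direction": "inbound",
     "criteria": ["name or extension"], "actions": ["encrypt"]},
    {"name": "Virus delete", "direction": "inbound",
     "criteria": [VIRUS], "actions": ["delete", "notify"]},
]


def audit(rules):
    """Map each rule name to its list of findings."""
    return {rule["name"]: lint_rule(rule) for rule in rules}


if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(f"{name}: {findings or 'ok'}")
```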

5.2.4.3.3 Tagging the Subject Line

The Tag Subject action inserts configurable text into the message subject line. It is one of the "Modify" class of actions.

1. Select the Tag Subject action.

2. Click the tag link. The Tag Subject screen appears.

3. Type a tag in the Tag field.

4. Optionally select Do not tag digitally signed messages.

Note: Hosted Email Security recognizes messages signed using the S/MIME standard.

5.2.4.3.4 Inserting a Stamp

The Insert stamp in body action inserts a block of text into the message body. The stamps are maintained as named objects in the database and are selected from a list. The stamp definitions contain the text of the stamp (which can contain Hosted Email Security tokens/variables), whether they are to be inserted at the beginning or the end of the message body, and whether or not to avoid stamping TNEF and digitally signed messages to prevent breakage. Hosted Email Security recognizes messages signed using the S/MIME standard.


1. Select Insert stamp in body.

2. Select from the drop-down list of available stamps.

3. To configure stamps in the list, click Edit.

See Configuring Stamps.

5.2.4.3.4.4 Configuring Stamps

You can edit or add a new message stamp. Stamps are inserted into messages when they trigger the rule. Typically they contain some standard confidentiality statement or a similar block of text. Rule Tokens/Variables (for example, the name of an attached file) can also be included in the text.

To edit or add a new message stamp:

1. On the Actions page, select Insert stamp in body.

2. Click Edit. The Stamps screen appears, showing a list of available stamps.

3. Click Add or select a stamp from the list and click Edit. The Stamps screen appears, showing details for the stamp.

4. Type a name in the Name field, or edit the existing name if desired.

5. Select whether to insert the stamp at the end or the beginning of the message body.

6. Type the desired text into the text box. Optionally, use rule tokens/variables (such as an attachment name) as part of the text message. See Rule Tokens/Variables.

7. To exclude TNEF and digitally signed messages from stamping, select Do not stamp TNEF and digitally signed messages; prevent breakage.

Note: Hosted Email Security recognizes messages signed using the S/MIME standard. The Microsoft TNEF format is used when sending rich text email using the Outlook client. If Hosted Email Security tries to insert a stamp into a TNEF-formatted email, the message might become corrupted or unreadable. To prevent this, if your organization uses Outlook to send rich text formatted messages, Hosted Email Security enables you to exempt TNEF messages from those actions that might corrupt the message.

5.2.4.3.5 Rule Tokens/Variables

Use the following tokens to include variables in message tags and stamps:

Table 1. Tokens and Variables

| Token | Variable |
| --- | --- |
| %SENDER% | Message sender |
| %RCPTS% | Message recipients |
| %SUBJECT% | Message subject |
| %DATE&TIME% | Date and time of incident |
| %MAILID% | Mail ID |
| %RULENAME% | Name of the rule that contained the triggered filter |
| %RULETYPE% | The type of rule: Content Filter, Message Size Filter, and others |
| %DETECTED% | Current filter scan result in other task |
| %FILENAME% | Name(s) of file(s) that were affected by the rule |
| %DEF_CHARSET% | Default character set of the notification message |
| %MSG_SIZE% | Total size of the message and all attachments |
| %ATTACH_SIZE% | Total size of the attachment(s) that triggered the rule |
| %ATTACH_COUNT% | Number of attachments that triggered the rule |
| %TACTION% | Terminal action taken by Hosted Email Security |
| %ACTION% | All other (non-terminal) actions taken by Hosted Email Security |
| %VIRUSNAME% | Name of any virus detected. This token will be empty if the message did not trigger a virus action. |
| %VIRUSACTION% | Action taken on any viruses detected in the message. This token will be empty if the message did not trigger a virus action. |

5.2.4.4 "Monitor" Actions

"Monitor" actions do not change the original message or its attachments. The original sender will still receive the message, assuming that the message does not trigger other rules with intercept actions.

There are two "Monitor" actions:

• Send Notification action

• BCC action

You can combine the first action with any other kind of action. You can combine the BCC action with "modify" actions (and with the first "monitor" action). However, the BCC action cannot be combined with terminal "intercept" actions.

Tip: The notification email message sent to "monitor" actions can be customized using the variables shown in Rule Tokens/Variables.

5.2.4.4.1 About the Send Notification Action


Notifications are messages that are sent when the rule is triggered. They are one of the "Monitor" actions. You can only send notification messages from addresses within your own domain.

5.2.4.4.1.5 Configuring Send Notification Actions

1. Select a message from the list of those available on the left side of the screen.

2. Click the right arrow button (Add>). The selected message appears in the Selected list on the right side.

5.2.4.4.1.6 Deleting Notifications from Rule Actions

1. Select the message you want to delete from the Selected list on the right side.

2. Click Delete.

5.2.4.4.1.7 Deleting Notifications from Lists of Messages

To delete an existing notification message from the list of messages:

1. Select the message you want to delete from the list of those available on the left side of the screen.

2. Click Delete.

5.2.4.4.2 Using the Bcc Action

The BCC action sends a Bcc (blind carbon copy) to a recipient or recipients configured in the rule. It is one of the "monitor" class of actions. You can only configure a notification to be sent to an address in your own domain.

1. From the Monitor section of the Action page, select BCC.

2. Type the email address of the recipient in the field. If you have more than one email address, enter them in the field separated by commas or semicolons.

5.2.4.5 "Scan Limitations" Actions

"Scan limitations" actions can only be used with policies that protect against viruses or malware. They can be combined with any terminal or "Modify" actions.

These are the scan limitation triggers:

• Office 2007/2010 file contains more than 353 files.

• Compressed archive contains more than 353 files.

• Office 2007/2010 file contains a file with decompression ratio of more than 100.

• Compressed file contains a file with decompression ratio of more than 100.
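The following added example (not Trend Micro code) applies the file-count and decompression-ratio limits listed above to ZIP containers, which covers both compressed archives and Office 2007/2010 (OOXML) files. It assumes the ratio is uncompressed size divided by compressed size per member, as declared in the archive's central directory; the function names and sample archives are constructed for illustration.

```python
import io
import zipfile

# Limits taken from the scan limitation triggers listed above.
MAX_FILES = 353
MAX_RATIO = 100


def scan_limit_triggers(data: bytes) -> list[tuple[str, str]]:
    """Return (trigger, detail) pairs for a ZIP-based attachment.

    Assumption: "decompression ratio" means uncompressed size divided by
    compressed size for one member, read from the central directory.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("unreadable", "not a valid ZIP container")]

    triggers = []
    with archive:
        members = [m for m in archive.infolist() if not m.is_dir()]
        if len(members) > MAX_FILES:
            triggers.append(("file_count", f"{len(members)} files"))
        for member in members:
            if member.compress_size == 0:
                continue  # no compressed bytes recorded: ratio undefined
            ratio = member.file_size / member.compress_size
            if ratio > MAX_RATIO:
                triggers.append(("ratio", f"{member.filename}: {ratio:.0f}"))
    return triggers


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an ordinary archive, one with 354 members, and one
# holding a single highly compressible member.
ORDINARY = build_zip({"report.txt": b"Q2 figures attached.",
                      "notes.txt": b"Draft 3"})
MANY_FILES = build_zip({f"part{i:03}.txt": b"x" for i in range(354)})
HIGH_RATIO = build_zip({"padding.bin": b"\0" * 1_000_000})

if __name__ == "__main__":
    for label, blob in [("ordinary", ORDINARY),
                        ("many files", MANY_FILES),
                        ("high ratio", HIGH_RATIO)]:
        print(label, scan_limit_triggers(blob))
```

Running this over attachments from a quarantine export shows which messages would fall under a "Scan Limitations" action rather than a normal scan verdict.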


5.2.4.5.1 Rejecting Messages

The Reject the message action deletes the message and sends a Non-Delivery Report (NDR) to the sender. Hosted Email Security message logs record that the message was deleted. Once deleted, the message cannot be recovered.

Note: The Reject the message action is only available in policies with the target criteria of Message contains "viruses or malicious code".

Select the Reject the message action from the "Scan Limitations" section.

5.2.4.5.2 Bypassing Messages

Bypass this rule skips taking any action on the specified message but continues to check the message against the remaining rules in the policy.

Note: The Bypass this rule action is only available in policies with the target criteria of Message contains "viruses or malicious code".

Select the Bypass this rule action from the "Scan Limitations" section.

Warning: The delivered message may contain a security risk.

5.2.4.6 Encrypting Outbound Messages

The purpose of this rule action is to protect sensitive data in email messages sent by users in your organization.

Note: This action only applies to outbound rules.

Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.

In most cases, a rule to encrypt email will be based on one of the following:

• Specific senders or recipients of the message (for example, a rule that encrypts all email sent from Human Resources or the Legal department)

• Specific content in the message body

1. From the "Intercept" section of the Action page, select Do not intercept messages.

2. From the "Modify" section of the page, select the Encrypt email action.

5.2.5 Naming and Enabling a Rule

Once you have created a rule, the final step is to name and enable it. You can also add notes.

1. On the Rule tab:


a. Name the rule.

Note: Trend Micro recommends using a descriptive name that will allow administrators to easily identify this rule from the list in the Policy screen. For instance, if you are creating a spam rule that applies to the one.example.com domain, you might name it something like "One Example Spam Rule".

b. Click Enable to put the rule into effect.

c. Review the rule definition summarized in the box. If anything in any of the three sections needs changing, you can click on the links to return to that step of the rule definition and make the change.

2. On the Notes tab, enter any notes about this rule.

3. Click Save.

The Policy screen is displayed, with your rule in the appropriate order and highlighted in the list.

5.3 Configuring Sender Filter

Configure the Approved Senders and Blocked Senders lists to control which email messages Hosted Email Security scans. Specify the senders to allow or block using specific email addresses or entire domains. For example, *@example.com specifies all senders from the example.com domain.

Evaluation is done in the following order:

1. End User Quarantine website Approved Senders lists

2. Administrator console Approved Senders lists

3. End User Quarantine website Blocked Senders lists

4. Administrator console Blocked Senders lists

See Sender Filter Order of Evaluation.

Tip: IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level. See General Order of Evaluation.

Lists of approved or blocked senders are managed using the following screens:

• Approved Senders

Email messages from senders added to this list are not subject to IP reputation-based, spam, phish, or marketing message filtering. Hosted Email Security still performs malware and attachment scanning on all messages received and takes the action configured in policy rules after detecting a malware threat or an attachment policy violation.


Go to Sender Filter > Approved Senders to display this screen.

• Blocked Senders

Hosted Email Security automatically blocks messages sent from addresses or domains added to the blocked list without subjecting the messages to any scanning. Go to Sender Filter > Blocked Senders to display this screen.

The Approved Senders and Blocked Senders tables display the following information:

• Sender: The email address or domain that you approved or blocked for the specified Recipient Domain

• Recipient Domain: The managed domain for which you approved or blocked the specified sender

• Date Added: The date that you added the sender to the list

5.3.1 Adding Senders

Hosted Email Security only approves or blocks email messages from the specified sender for the specified domain. For example, after adding spammerbob@examplespamdomain.com to the blocked list for your managed domain mydomain.com, Hosted Email Security only blocks the email messages sent [email protected] in the mydomain.com domain. Hosted Email Security still scans and possibly passes email messages sent from [email protected] to your other managed domains.

To block or allow email messages from a specific sender to all domains, select all my domains from the Managed domain drop-down list.

1. Select a specific domain from the Managed domain drop-down list. To select all domains, select all my domains from the list.

2. In the Email address or domain field, type a sender. A sender can be a specific email address or all addresses from a specific domain or subdomain.

• Filter a specific email address by typing that email address.

• Filter all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will filter all email addresses in the example.com domain.

• Filter all addresses from a subdomain by using an asterisk (*) to the left of the at sign (@) and also using an asterisk (*) in place of the subdomain in the email address. For example, *@*.example.com will filter all email addresses in all subdomains of the example.com domain.

The following table displays format examples that are valid or not valid:

Table 1. Format Examples for Approved Senders and Blocked Senders


| Valid | Not Valid |
| --- | --- |
| [email protected] | name@*.example.com |
| *@example.com | *@*.com |
| *@server.example.com | *@* |
| *@*.example.com | |

3. Click Add to List. Hosted Email Security validates the sender address and adds it to the list.

Tip: Hosted Email Security validates the format of the sender address before adding the sender to the list. If you receive multiple formatting error messages and are sure that the address provided is accurate, your administrator console may have timed out. Reload the page and try again.
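The format rules in the table above and the evaluation order given under Configuring Sender Filter can be checked offline before entries are typed into the console. This is an added example, not Trend Micro code: the validation rules are inferred from the Valid / Not Valid table, first-match-wins evaluation and case-insensitive matching are assumptions, and all function names, list names and addresses are constructed.

```python
import re

# One DNS label, and a literal domain made of at least two labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
# Literal local part: common address characters, no wildcard.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9.!#$%&'+/=?^_`{|}~-]+$")


def is_valid_sender_entry(entry: str) -> bool:
    """Apply the format rules inferred from the Valid / Not Valid table."""
    if entry.count("@") != 1:
        return False
    local, domain = entry.split("@")
    if local != "*" and not _LOCAL_RE.match(local):
        return False
    if domain.startswith("*."):
        # A wildcard subdomain needs a wildcard local part (name@*.example.com
        # is not valid) and a full parent domain (*@*.com is not valid).
        return local == "*" and bool(_DOMAIN_RE.match(domain[2:]))
    return bool(_DOMAIN_RE.match(domain))  # rejects *@*


def entry_matches(entry: str, sender: str) -> bool:
    """True if a valid list entry covers the sender address."""
    e_local, e_domain = entry.lower().split("@")
    s_local, _, s_domain = sender.lower().rpartition("@")
    if e_local != "*" and e_local != s_local:
        return False
    if e_domain.startswith("*."):
        suffix = e_domain[1:]  # ".example.com": subdomains only
        return s_domain.endswith(suffix) and s_domain != suffix
    return s_domain == e_domain


# Order of evaluation as listed in the Configuring Sender Filter section.
EVALUATION_ORDER = [
    ("euq_approved", "approved"),
    ("admin_approved", "approved"),
    ("euq_blocked", "blocked"),
    ("admin_blocked", "blocked"),
]


def evaluate_sender(sender: str, lists: dict) -> tuple:
    """Return (verdict, list_name, entry) for the first list that matches."""
    for list_name, verdict in EVALUATION_ORDER:
        for entry in lists.get(list_name, []):
            if is_valid_sender_entry(entry) and entry_matches(entry, sender):
                return verdict, list_name, entry
    return "unlisted", None, None


# Constructed lists; "*@*" is deliberately malformed and is skipped.
SAMPLE_LISTS = {
    "euq_approved": ["newsletter@shop.example.com"],
    "admin_approved": ["*@partner.example.org"],
    "euq_blocked": ["*@*.example.com"],
    "admin_blocked": ["*@shop.example.com", "*@*"],
}

if __name__ == "__main__":
    for addr in ["newsletter@shop.example.com", "promo@shop.example.com",
                 "ceo@partner.example.org", "someone@other.test"]:
        print(addr, evaluate_sender(addr, SAMPLE_LISTS))
```

The first sample address shows the practical consequence of the order: an end-user approval is reached before either blocked list, so it is worth reviewing approved entries against the administrator's blocked entries.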

5.3.2 Editing Senders

1. Select a specific domain from the Managed domain drop-down list. To select all domains, select all my domains from the list.

2. Click the email address or domain of a sender. The email address or domain becomes editable, and buttons labeled OK or Cancel appear.

3. Make and confirm your changes or corrections.

• Filter a specific email address by typing that email address.

• Filter all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will filter all email addresses in the example.com domain.

• Filter all addresses from a subdomain by using an asterisk (*) to the left of the at sign (@) and also using an asterisk (*) in place of the subdomain in the email address. For example, *@*.example.com will filter all email addresses in all subdomains of the example.com domain.

The following table displays format examples that are valid or not valid:

Table 1. Format Examples for Approved Senders and Blocked Senders

| Valid | Not Valid |
| --- | --- |
| [email protected] | name@*.example.com |
| *@example.com | *@*.com |
| *@server.example.com | *@* |
| *@*.example.com | |


5.4 Understanding IP Reputation

Hosted Email Security offers two tiers of protection. IP reputation-based filtering at the MTA connection level, provided by Trend Micro Email Reputation Services (ERS), is the first tier. The second is content-based filtering at the message level.

Tip: IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level. See IP Reputation-Based Filtering at the MTA Connection Level. See General Order of Evaluation. See IP Reputation Order of Evaluation.

Hosted Email Security makes use of Trend Micro Email Reputation Services (ERS) Standard Service and Advanced Service. Email Reputation Services uses a standard IP reputation database and an advanced, dynamic IP reputation database (a database updated in real time). These databases have distinct entries, allowing Trend Micro to maintain a very efficient and effective system that can quickly respond to new sources of spam.

Configure the following settings on the IP Reputation Settings screen:

• Dynamic Reputation Settings control how Hosted Email Security uses the dynamic IP reputation database from Email Reputation Services Advanced Service.

• Standard IP Reputation Settings control how Hosted Email Security uses the standard IP reputation database from Email Reputation Services Standard Service.

The Approved and Blocked IP Addresses screen shows approved and blocked countries, Internet service providers, IP addresses, and CIDR blocks.

5.4.1 About Dynamic IP Reputation Settings

Hosted Email Security makes use of Trend Micro Email Reputation Services (ERS) Standard Service and Advanced Service.

Dynamic IP Reputation Settings use Trend Micro Email Reputation Services Advanced Service, a real-time anti-spam solution. The Trend Micro network of automated expert systems, along with Trend Micro spam experts, continuously monitor network and traffic patterns and immediately update the dynamic IP reputation database as new spam sources emerge, often within minutes. As evidence of spam activity increases or decreases, the dynamic IP reputation database is updated accordingly.

The dynamic IP reputation database includes the following blocking levels:

• Level 0: Off

Queries the dynamic reputation database but does not block any IP addresses.

• Level 1: Least aggressive

Hosted Email Security allows the same amount of spam from a sender with a good rating as in Level 2. The length of time that the IP address stays in the database is generally shorter than for more aggressive settings.


• Level 2: (the default setting)

Hosted Email Security allows a larger volume of spam from a sender with a good rating than more aggressive settings. However, if an increase in spam above the allowable threshold is detected, it adds the sender to the dynamic reputation database. The length of time that the IP address stays in the database is generally shorter than for more aggressive settings.

• Level 3:

Hosted Email Security allows a small volume of spam from senders with a good rating. However, if an increase in spam beyond the allowable threshold is detected, it adds the sender to the dynamic reputation database. The length of time that the IP address stays in the database depends on whether additional spam from the sender is detected.

• Level 4: Most aggressive

If even a single spam message from a sender IP address is detected, Email Reputation Services adds the sender to the dynamic reputation database and Hosted Email Security blocks all messages from the sender. The length of time that the IP address stays in the database depends on whether additional spam from the sender is detected.

If legitimate email is being blocked, select a less aggressive setting. If too much spam is reaching your network, select a more aggressive setting. However, this setting might increase false positives by blocking connections from legitimate email senders.

Note: To avoid false positives from a trusted partner company, go to IP Reputation > Approved/Blocked and add the IP address for their MTA to the Approved list. The IP addresses in the Approved lists bypass other IP reputation-based filtering. This list is useful for ensuring all messages from a partner company or other MTA are allowed, no matter their status with the standard IP reputation databases or with the Trend Micro Email Reputation Services (ERS) dynamic IP reputation database. When using the IP reputation approved lists, you may experience lower overall spam catch rates.

5.4.2 About Standard IP Reputation Settings

Hosted Email Security makes use of Trend Micro Email Reputation Services (ERS) Standard Service and Advanced Service. See IP Reputation-Based Filtering at the MTA Connection Level.

Standard IP Reputation Settings use Trend Micro Email Reputation Services Standard Service, which helps block spam by validating requested IP addresses against the Trend Micro standard IP reputation database, powered by the Trend Micro Threat Prevention Network. This ever-expanding database currently contains over a billion IP addresses with reputation ratings based on spamming activity. Trend Micro spam investigators continuously review and update these ratings to ensure accuracy.

Hosted Email Security makes a query to the standard IP reputation database server whenever it receives an email message from an unknown host. If the host is listed in the standard IP reputation database, that message is reported as spam.


You can choose which lists to enable from the standard IP reputation database. By default, all lists are enabled. The default setting is the most effective for reducing spam levels, and it meets the needs of most customers.

Note: If you disable some portions of the standard IP reputation database, you may see an increase in the amount of spam messages that reach your internal mail server for additional content filtering.

The standard IP reputation database includes the following lists:

• Known Spam Source: The Real-time Blackhole List (RBL) is a list of IP addresses of mail servers that are known to be sources of spam.

• Dynamically Assigned IP: The Dynamic User List (DUL) is a list of dynamically assigned IP addresses, or those with an acceptable use policy that prohibits public mail servers. Most entries are maintained in cooperation with the ISP owning the network space. IP addresses in this list should not be sending email directly but should be using the mail servers of their ISP.

Note: To avoid false positives from a trusted partner company, go to IP Reputation > Approved/Blocked and add the IP address for their MTA to the Approved list. The IP addresses in the Approved lists bypass other IP reputation-based filtering. This list is useful for ensuring all messages from a partner company or other MTA are allowed, no matter their status with the standard IP reputation databases or with the Trend Micro Email Reputation Services (ERS) dynamic IP reputation database. When using the IP reputation approved lists, you may experience lower overall spam catch rates.

5.4.3 About Approved and Blocked IP Addresses

Go to IP Reputation > Approved/Blocked to display this screen.

To manually override IP reputation-based filtering at the MTA connection level, add IP addresses to the lists on the Approved and Blocked IP Addresses screen. These lists override the Dynamic IP Reputation Settings and Standard IP Reputation Settings and allow for customization of which addresses are subjected to IP reputation-based filtering. There are lists of approved and blocked countries, IP addresses, and Classless Inter-Domain Routing (CIDR) blocks.

Tip: To add a CIDR block to the list, type the IPv4 address / CIDR block. The following is the only valid format: x.x.x.x/z

The IP addresses in the Approved lists bypass other IP reputation-based filtering. This list is useful for ensuring all messages from a partner company or other MTA are allowed, no matter their status with the standard IP reputation databases or with the Trend Micro Email Reputation Services (ERS) dynamic IP reputation database. When using the IP reputation approved lists, you may experience lower overall spam catch rates.

The IP addresses in the Blocked lists are not subject to other IP reputation-based filtering. Hosted Email Security permanently rejects connection attempts from such IP addresses by responding with a 550 error (a rejection of the requested connection).


Tip: IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level. See Configuring Sender Filter.

5.4.4 Troubleshooting Issues

If you encounter unexpected errors while trying to save your settings on the IP Reputation Settings screen, you may be able to resolve the issue on your own. Consult the following table for guidance on resolving the problem before contacting technical support.

Table 1. IP Reputation Settings: Issues and Solutions

| Issue | Possible Cause | Possible Solution |
| --- | --- | --- |
| The Save button is disabled. | You do not have a valid Activation Code. | Obtain a valid Activation Code from your vendor. |
| | You have applied for an Activation Code, but it has not yet been added to the Hosted Email Security system. | Try again later. |
| | A temporary network issue is preventing Hosted Email Security from validating the Activation Code. | Try again later. |
| I cannot save my IP Reputation settings. | There is a temporary network issue. | Try again later. Log off, log on, and try again. |
| | There is more than one browser window open to the Hosted Email Security administrator console, and the session in one of the other windows has expired. | Close the other windows and try again. Log off, log on, and try again. |

5.5 Understanding Advanced Protection

Hosted Email Security advanced protection allows you to better secure data and ensure communication privacy for email traffic in your Managed Domains.

5.5.1 About Transport Layer Security (TLS)

Transport Layer Security (TLS) is a protocol that helps to secure data and ensure communication privacy between endpoints. Hosted Email Security allows you to configure TLS encryption policies between Hosted Email Security and specified TLS peers. Hosted Email Security supports the following TLS protocols in descending order of priority: TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0.

The Transport Layer Security (TLS) screen uses the following important terms:


Term: TLS peer
Details: Hosted Email Security can apply your specified TLS configuration with this domain during network communications.

Term: Security level
Details:

Opportunistic:

• Communicates using encryption if the peer supports and elects to use TLS
• Communicates without encryption if the peer does not support TLS
• Communicates without encryption if the peer supports TLS but elects not to use TLS

Mandatory:

• Communicates using encryption if the peer supports and elects to use TLS
• Does not communicate if the peer does not support TLS
• Does not communicate if the peer supports TLS but elects not to use TLS

Important: Because of the risk of losing data, Trend Micro recommends confirming TLS encrypted message delivery between a Managed Domain and a peer before using the Mandatory security level. See Testing TLS.

To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages from the following Hosted Email Security IP address / CIDR blocks:

• 216.104.0.0/24
• 216.99.128.0/24
• 150.70.0.0/24 – All Regions
• 54.219.191.0/25 – North and South America, Asia, and Japan Regions
• 54.86.63.64/26 – North and South America, Asia, and Japan Regions
• 52.58.63.0/25 – Europe, Middle-east and Africa (EMEA) Regions
• 52.58.62.192/26 – Europe, Middle-east and Africa (EMEA) Regions
• 52.48.127.192/26 – Europe, Middle-east and Africa (EMEA) Regions

Term: Status
Details:

• Enabled: Hosted Email Security applies your specified TLS configuration to the peer
• Disabled: Hosted Email Security does not apply your specified TLS configuration to the peer. Instead, the "Default" TLS configuration applies.

Term: Default (TLS Peer)
Details: This configuration applies to all domains that meet any of the following criteria:

• Domain is not in the peer list
• Domain is in the peer list, but is not enabled

5.5.1.1 Testing TLS

Important: Because of the risk of losing data, Trend Micro strongly recommends doing the following before specifying a Security Level of Mandatory:

• Confirm TLS encrypted message delivery between Hosted Email Security and your Managed Domain.


• Confirm the TLS configuration for any peers on the Internet. Contact the managers of each peer yourself. Trend Micro is unable to assist you in this process.

Use the following procedure to test TLS between Hosted Email Security and the email server for your Managed Domain.

1. Go to Advanced Protection > Transport Layer Security (TLS).

2. Select a Managed Domain.

3. Select the Direction of Incoming. Test TLS appears at the top-right of the screen.

4. Click Test TLS.

5. Specify the Send test message to email address.

6. Click Send Test.

Hosted Email Security sends a message to the specified email address confirming TLS works for the Managed Domain.

Tip: If the message does not arrive within a short period of time, confirm that the email server for the Managed Domain is correctly configured to use TLS. After verifying the server configuration, send the test again.

5.5.1.2 Adding TLS Peers

1. Go to Advanced Protection > Transport Layer Security (TLS).

2. Select a Managed Domain.

3. Select the Direction of Incoming or Outgoing.

4. Specify the TLS Peer to add.

5. Set the Security level to one of the following:

• Opportunistic:

  ▪ Communicates using encryption if the peer supports and elects to use TLS
  ▪ Communicates without encryption if the peer does not support TLS
  ▪ Communicates without encryption if the peer supports TLS but elects not to use TLS

• Mandatory:

  ▪ Communicates using encryption if the peer supports and elects to use TLS
  ▪ Does not communicate if the peer does not support TLS
  ▪ Does not communicate if the peer supports TLS but elects not to use TLS


Important: Because of the risk of losing data, Trend Micro recommends confirming TLS encrypted message delivery between a Managed Domain and a peer before using the Mandatory security level. See Testing TLS.

To ensure messages can be received from the Hosted Email Security MTA, configure your firewall to accept email messages from the following Hosted Email Security IP address / CIDR blocks:

HES IP addresses

6. Select Enabled to have Hosted Email Security apply your specified TLS security level to the new peer.

7. Click Add.

5.5.1.3 Editing TLS Peers

1. Go to Advanced Protection > Transport Layer Security (TLS).

2. Select a Managed Domain.

3. Select the Direction of Incoming or Outgoing.

4. To the right of a peer in the list, click Edit.

5. Reconfigure the peer.

6. Click Save.

5.5.2 About Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an open standard to prevent sender address forgery. The SPF protects the envelope sender address, which is used for the delivery of messages. Hosted Email Security enables you to configure SPF to ensure sender's authenticity.

The SPF requires the owner of a domain to specify and publish their email sending policy in an SPF record in the domain's DNS zone. For example, which email servers they use to send email from their domain.

When an email server receives a message claiming to come from that domain, the receiving server verifies whether the message complies with the domain's stated policy or not. If, for example, the message comes from an unknown server, it can be considered as fake.

Evaluation of an SPF record can return any of the following results:

| Result | Explanation | Intended Action |
| --- | --- | --- |
| Pass | The SPF record designates the host to be allowed to send. | Accept |
| Fail | The SPF record has designated the host as NOT being allowed to send. | Reject |
| SoftFail | The SPF record has designated the host as NOT being allowed to send but is in transition. | Accept |
| Neutral | The SPF record specifies explicitly that nothing can be said about validity. | Accept |
| None | The domain does not have an SPF record or the SPF record does not evaluate to a result. | Accept |
| PermError | A permanent error has occurred (for example, badly formatted SPF record). | Accept |
| TempError | A transient error has occurred. | Accept |

5.5.2.1 Enabling or Disabling Sender Policy Framework (SPF)

You can enable Sender Policy Framework (SPF) to allow Hosted Email Security to evaluate the legitimacy of sender's email address, before delivering the email to the recipient.

1. Go to Advanced Protection > Sender Policy Framework (SPF).

2. Select Enable Sender Policy Framework to enable SPF in Hosted Email Security. Clear this check-box to disable SPF.

3. Click OK on the confirmation dialog box.

Note: The confirmation dialog box only appears if the domain selected in Managed Domain is all my domains.

4. If you also want to add the SPF check result into the email message's xheader, select Add SPF DNS check result into message's xheader, and then click OK on the confirmation dialog box. Clear this check-box to disable this setting. Hosted Email Security adds messages similar to the following in email message's xheader named X-TM-Received-SPF:

| Status | xheader |
| --- | --- |
| Pass | X-TM-Received-SPF: Pass (domain of [email protected] designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
| Fail | X-TM-Received-SPF: Fail (domain of [email protected] does not designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
| SoftFail | X-TM-Received-SPF: SoftFail (domain of transitioning [email protected] discourages use of 10.64.72.206 as permitted sender) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
| Neutral | X-TM-Received-SPF: Neutral (10.64.72.206 is neither permitted nor denied by domain of [email protected]) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
| None | X-TM-Received-SPF: None (domain of [email protected] does not designate permitted sender hosts) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
| PermError | X-TM-Received-SPF: PermError (domain of [email protected] uses mechanism not recognized by this client) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
| TempError | X-TM-Received-SPF: TempError (error in processing during lookup of [email protected]) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
| InternalError | X-TM-Received-SPF: InternalError (fail to lookup of or get meaning result of [email protected]) client-ip=10.64.72.206; [email protected]; helo=imsva-1382.com |
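The X-TM-Received-SPF values above can be parsed to review how delivered mail scored. This added example (not Trend Micro code) maps each status to the intended action from the SPF result table; the header lines and function names are constructed, one sample carries the page's redacted "[email protected]" token as a bare field, and InternalError has no intended action in that table, so it is reported as unlisted.

```python
import ipaddress
import re
from collections import Counter

# Intended actions as given in the SPF result table of the guide.
INTENDED_ACTION = {
    "pass": "Accept", "fail": "Reject", "softfail": "Accept",
    "neutral": "Accept", "none": "Accept",
    "permerror": "Accept", "temperror": "Accept",
}

_XHEADER_RE = re.compile(
    r"^(?:X-TM-Received-SPF:\s*)?(?P<status>[A-Za-z]+)\s*"
    r"\((?P<comment>.*)\)\s*(?P<params>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def parse_spf_xheader(line: str):
    """Parse one header into a dict, or return None if it does not match."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", line.strip())  # undo folding
    match = _XHEADER_RE.match(unfolded)
    if match is None:
        return None
    params, bare = {}, []
    for part in match.group("params").split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
        else:
            bare.append(part)  # field without key=value form, kept as-is
    client_ip = params.get("client-ip")
    try:
        ipaddress.ip_address(client_ip or "")
    except ValueError:
        client_ip = None  # missing or malformed address
    status = match.group("status")
    return {
        "status": status,
        "comment": match.group("comment"),
        "client_ip": client_ip,
        "helo": params.get("helo"),
        "bare_fields": bare,
        "intended_action": INTENDED_ACTION.get(status.lower(), "Unlisted"),
    }


def status_counts(lines) -> dict:
    """Count SPF statuses across all lines that parse."""
    parsed = filter(None, map(parse_spf_xheader, lines))
    return dict(Counter(p["status"] for p in parsed))


def delivered_without_pass(lines) -> list:
    """Headers whose intended action is Accept although SPF did not pass."""
    parsed = filter(None, map(parse_spf_xheader, lines))
    return [p for p in parsed
            if p["intended_action"] == "Accept" and p["status"].lower() != "pass"]


# Constructed header lines in the format shown in the table above.
SAMPLE_HEADERS = [
    "X-TM-Received-SPF: Pass (domain of user@example.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10; helo=mail.example.com",
    "X-TM-Received-SPF: Fail (domain of user@example.net does not designate 198.51.100.7 as permitted sender) client-ip=198.51.100.7; helo=relay.example.net",
    "X-TM-Received-SPF: SoftFail (domain of transitioning user@example.org discourages use of 203.0.113.5 as permitted sender)\r\n\tclient-ip=203.0.113.5; [email protected]; helo=mx.example.org",
    "X-TM-Received-SPF: None (domain of user@example.com does not designate permitted sender hosts) client-ip=192.0.2.44; helo=host.example.com",
    "X-TM-Received-SPF: InternalError (lookup failed) client-ip=not-an-ip; helo=x.example.com",
    "Subject: quarterly report",
]

if __name__ == "__main__":
    print(status_counts(SAMPLE_HEADERS))
    for item in delivered_without_pass(SAMPLE_HEADERS):
        print(item["status"], item["client_ip"], item["helo"])
```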

5.5.2.2 Adding an SPF Peer to the Ignored List

Hosted Email Security enables you to add SPF peers to the ignored list. If SPF is enabled, Hosted Email Security ignores the SPF peers that are included in this list, and does not perform verification for these peers.

1. Go to Advanced Protection > Sender Policy Framework (SPF).

2. In Ignored Peer field, type a sender domain name, IP address or IP/CIDR block that you want to ignore for verification.

3. Click Add to List.

5.5.2.3 Editing an SPF Peer in the Ignored List

1. Go to Advanced Protection > Sender Policy Framework (SPF).

2. From the list of SPF Peers, click Edit before the peer whose domain name, IP address or IP/CIDR block you want to modify.

3. Modify the information in the field displayed, and then click Save.

5.5.2.4 Deleting SPF Peers from Ignored List

1. Go to Advanced Protection > Sender Policy Framework (SPF).

2. From the list of SPF peers, select the peers that you want to delete, and then click Delete.

Page 94: TrendMicro™ Hosted Email Security · Chapter 1 1 Best Practice Configurations 1.1 Activating a domain When activating a domain in Hosted Email Security, Trend Micro recommends making

3. ClickOKontheconfirmationdialogbox.

5.6 Understanding Quarantine

Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.

Warning: Hosted Email Security automatically deletes messages from the quarantine after 30 days.

To manage messages for other members of a managed domain, the Query screen of the administrator console must be used. Quarantine management in the administrator console is divided into the following parts:

• Use the Quarantine > Query screen to view a list of quarantined messages for your managed domains. You can review messages, delete them, or release them for further filtering.

Queries include data for up to seven continuous days in one calendar month. Use more than one query to search across calendar months.

• Use the Digest Settings screen to configure the schedule and format for the Quarantine Digest. If the digest is enabled, all domain recipients receive their own customized copy of the digest. Intended message recipients can use the End User Quarantine website to manage messages in quarantine themselves.

Note: To allow intended recipients to use the End User Quarantine website to manage messages in quarantine themselves, do the following:

• Configure policy rules to quarantine messages: See Managing Policy Rules.

• Share the End User Quarantine User's Guide and the following web address for your region with end users:

§ For Europe, the Middle East, Africa: https://euq.hes.trendmicro.eu

§ For all other regions: https://euq.hes.trendmicro.com

5.6.1 Querying the Quarantine

Use the Quarantine > Query screen to view a list of quarantined messages for your managed domains. You can review messages, delete them, or release them for further filtering.

1. In the Dates fields, select a range of dates.

Note: Queries include data for up to seven continuous days in one calendar month. Use more than one query to search across calendar months.

2. In the Direction field, select a mail traffic direction.

3. Type your search criteria into one or more of the following fields:

• Recipient

• Sender

• Subject

A recipient or sender can be a specific email address or all addresses from a specific domain.

• Query a specific email address by typing that email address.

• Query all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will search for all email addresses in the example.com domain.

The following table displays format examples that are valid or not valid:

Table 1. Format Examples for Mail Tracking and Quarantine Query

Valid Not Valid

[email protected] name@*.example.com

*@example.com *@*.com

*@server.example.com *@*

*@*.example.com

4. Click Search.

5. Select the messages to manage.

6. Click one of the following buttons to manage selected messages:

• Delete: Cancel delivery and permanently delete the message

• Deliver (Not Spam): Release from quarantine

Note: Released messages are no longer marked as spam, but they will continue to be processed by Hosted Email Security. The following conditions apply to delivery:

• If a message triggers a content-based policy rule with an Intercept action of Quarantine, it will once again appear in the quarantined message list.

• If a message triggers a content-based policy rule with an Intercept action of Delete entire message or Change recipient, it will not arrive at its intended destination.

5.6.2 About the Quarantine Digest

The Quarantine Digest lists up to 100 of each end user's quarantined email messages, and provides a link for that account holder to access quarantined messages through the End User Quarantine website at the following web address for your region:

• For Europe, the Middle East, Africa: https://euq.hes.trendmicro.eu

• For all other regions: https://euq.hes.trendmicro.com

Use the Digest Settings screen to configure the schedule and format for the Quarantine Digest. If the digest is enabled, all domain recipients receive their own customized copy of the digest. Intended message recipients can use the End User Quarantine website to manage messages in quarantine themselves.

The Quarantine Digest email message features a template with customizable plain-text and HTML versions. Each version of the template can incorporate "tokens" to customize output for digest recipients.

If the Quarantine Digest Inline Action check box on the Digest Settings screen is selected, recipients can directly manage their quarantine from the digest email message. By enabling this function, you can relieve users of the necessity of logging on to the End User Quarantine website and manually approving quarantined messages or senders.

Warning: Anyone receiving this Quarantine Digest email message will be able to add any of these senders to the account holder's approved senders list. Therefore, administrators must warn digest recipients not to forward the Quarantine Digest email message.

The Quarantine Digest for managed accounts is sent to the primary account. For more information about managed accounts, see About End-User Managed Accounts.

The Quarantine Digest Inline Action feature supports only client computers running Microsoft Windows XP Service Pack 3 or later and using only one of the following email clients:

• Microsoft Outlook 2003 Service Pack 3 or later

• Microsoft Outlook Express 6.0 or later

5.6.2.1 Configuring the Quarantine Digest

1. Go to Quarantine > Digest Settings.

2. Enable sending Quarantine Digest email messages (disabled by default) using the button at the top-right of the screen.

Tip: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.

3. Select a specific domain from the Managed domain drop-down list.

4. In the Frequency drop-down list, select the frequency with which to send the digest:

• Daily: Specify to send the digest a maximum of three times daily.

Tip: The Quarantine Digest email message features a template with customizable plain-text and HTML versions. Each version of the template can incorporate "tokens" to customize output for digest recipients. Right-click any of the following fields to display a list of available and selectable tokens for the field.

• Weekly: Specify the days of the week and time of day to send the digest.

Warning: Hosted Email Security automatically deletes messages from the quarantine after 30 days.

5. Under Digest Mail Template for <managed_domain>, configure the following settings:

Tip: Use the add and the remove buttons to manage additional entries.

• From: Specify the email address that the digest displays in the From field.

Table 1. From Field Digest Tokens

Token Content in Sent Digest Email Message

%DIGEST_RCPT% Digest recipient's email address appears in the From field of the received digest email message

• Subject: Specify the subject line for the digest.

Table 2. Subject Field Digest Tokens

Token Content in Sent Digest Email Message

%DIGEST_RCPT% Digest recipient's email address appears in the subject line

%DIGEST_DATE% Digest date appears in the subject line

• HTML content:

§ Specify if Inline Action should be Enabled or Disabled using the toggle button above the HTML content field.

§ Specify the HTML content of the digest if the email client accepts HTML messages.

Table 3. HTML Content Field Digest Tokens

Token Content in Sent Digest Email Message

%DIGEST_RCPT% Digest recipient's email address appears in HTML body of message

%DIGEST_DATE% Digest date appears in HTML body of message

%DIGEST_BODY_HTML% Digest summary in HTML table format appears in HTML body of message

%DIGEST_PAGE_COUNT% Total number of quarantined messages in listed digest summary (up to 100 maximum) appears in HTML body of digest email message

%EUQ_HOST_SERVER% Address of Hosted Email Security End User Quarantine website appears in HTML body of digest email message

§ Plain text content: Specify the plain text content of the digest if the email client only accepts plain text messages.

Table 4. Plain Text Content Field Digest Tokens

Token Content in Sent Digest Email Message

%DIGEST_RCPT% Digest recipient's email address appears in text body of message

%DIGEST_DATE% Digest date appears in text body of message

%DIGEST_BODY_TEXT% Digest summary in plain text format appears in text body of message

%DIGEST_PAGE_COUNT% Total number of quarantined messages listed in the digest summary (up to 100 maximum) appears in plain text body of digest email message

%EUQ_HOST_SERVER% Address of Hosted Email Security End User Quarantine website appears in HTML body of digest email message

5.7 Understanding Mail Tracking

This screen is optimized for tracking "missing" messages. Trend Micro Hosted Email Security maintains up to 30 days of mail tracking information.

Queries include data for up to seven continuous days in one calendar month. Use more than one query to search across calendar months.

When you query the mail tracking information, Hosted Email Security provides a list of all messages that satisfy the criteria. You can click Search at any time to execute the query again. Use the various criteria fields to restrict your searches.

The Mail Tracking query results are displayed in tabs:

• Blocked Traffic: Attempts to send messages that were stopped by IP reputation-based filtering at the MTA connection level or by Hosted Email Security incoming security filtering

Note: Content-based filtering is not included in this category.

The display of Blocked Traffic has different meanings for incoming and outgoing traffic. Incoming traffic is filtered by Trend Micro Email Reputation Services and by Hosted Email Security incoming security filtering; outgoing traffic is not. If messages are blocked in outgoing traffic, the reason for blocking is unrelated to email reputation but may be related to Hosted Email Security relay mail service filtering.

• Accepted Traffic: Messages that were allowed in by Hosted Email Security for further processing.

• Unresolved Traffic: Messages that cannot be uniquely identified by their Sender Message ID because the ID is null.

The most efficient way to track messages is to provide both sender and recipient email addresses within a time range that you want to search. For an email message that has multiple recipients, the result will be organized as one recipient per entry.

If the message you are tracking cannot be located using this strategy, consider the following:

• Expand the result set by omitting the recipient.

• If the sender is actually blocked by IP reputation-based filtering, the Blocked Traffic results that do not match the intended recipient might indicate this. Provide only the sender and time range for a larger result set.

• Look for other intended recipients of the same message.

• If the sender IP address has a "bad" reputation, mail tracking information will only be kept for the first recipient in a list of recipients. Therefore, the remaining message recipient addresses will not be listed when querying this sender.

• Expand the result set by omitting the sender.

If the sender IP address has a "bad" reputation, omit the sender and provide only the recipient. If only the recipient email address is provided, all the messages that pertain to the recipient will be listed.

5.7.1 About the Blocked Traffic Tab

This tab displays a summary of matched sender MTA IPs that were either permanently or temporarily blocked by Trend Micro Email Reputation Services and Hosted Email Security incoming security filtering (for incoming messages) or by Hosted Email Security relay mail service filtering (for outgoing messages).

When data is available in the Blocked Traffic tab, it will be displayed by default. Also, an email message may be permanently rejected by Hosted Email Security due to its exceedingly large size, for example, if the size of a message exceeds 50 MB.

The following Blocked Traffic information is displayed:

• Timestamp: The time the message attempt was blocked. Click on the Timestamp value to view Mail Tracking Details for a given message.

• Sender: The sender email address on the message envelope, in other words, the sender address in the SMTP MAIL command.

• Recipient: The first recipient email address on the message envelope, in other words, the recipient in the first SMTP RCPT command.

• Blocked:

§ For incoming messages: The sender IP address was blocked by Email Reputation Services or Hosted Email Security content-based filtering at the message level.

Blocked status is either Temporary or Permanent.

If the message has an exceedingly large size, the status will display Size limit. In this case, the message is rejected and blocked permanently by Hosted Email Security content-based filtering due to its size. Hosted Email Security will respond to the sending MTA with a 552 error (a failure of the requested connection because the message exceeded storage allocation).

§ For outgoing messages: The message was blocked by Hosted Email Security relay mail service filtering. Outgoing messages are not filtered by Email Reputation Services (ERS). Outgoing messages can be blocked for the following reasons:

o The recipient address is not resolvable, for example someone@???.com.

o Spammers forged the message sender to be in the customer domain.

o Your MTA is compromised, for example it is an open relay, and it is sending spam messages.

• Sender IP: The IP address of the upstream MTA that delivered this message to Hosted Email Security.

5.7.2 About the Accepted Traffic Tab

This tab displays a summary of matching messages that were accepted by Trend Micro Hosted Email Security.

When you click on the Accepted Traffic tab, you will see a summary of the matching email message traffic that was accepted by Trend Micro Hosted Email Security. Once a message is accepted, it goes through various stages of processing by Hosted Email Security. See Content-Based Filtering at the Message Level.

This result summary is organized with recipient in mind, since mail tracking is mostly initiated by an end user. For a message that has multiple recipients, the result will be organized as one recipient per entry.

The following information is displayed for Accepted Traffic:

• Timestamp: The time the message was accepted by Hosted Email Security. Click on the Timestamp value to open the Mail Tracking Details window for a given message.

• Sender: The sender email address on the message envelope, in other words, the sender address in the SMTP MAIL command.

• Recipient: The first recipient email address on the message envelope, in other words, the recipient in the first SMTP RCPT command.

• Action: The last action taken on the message. For all the actions, see Actions below.

§ Delivered: The message has been delivered to the downstream MTA that is responsible for transporting the message to its destination.

§ Bounced: The message has been rejected by the downstream MTA. Hosted Email Security will attempt to notify the sender about the event.

§ Deleted: The message has been deleted by Hosted Email Security according to the policy established by the authorized mail administrator of this mail domain.

§ Redirected: The message has been redirected to a different recipient according to the Hosted Email Security policy established by the authorized mail administrator of this mail domain.

§ Expired: Hosted Email Security attempted delivery repeatedly over several days without success and decided that the message is undeliverable. Hosted Email Security will attempt to notify the sender about the event.

§ Queued for delivery: The message is ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. This is a transient state of this message; it should not remain in this state for an extended period of time.

§ Temporary delivery error: The message should be ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. However, something is preventing the message from posting. This is a transient state of this message; it should not remain in this state for an extended period of time.

§ Quarantined: Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.

§ Encryption in progress: The message is being encrypted by Hosted Email Security. After encryption is complete, Hosted Email Security will queue the message for delivery.

§ Others: All not listed above.

• Subject: The subject line (if available) of the message.

• Sender IP: The IP address of the upstream MTA that delivered this message to Hosted Email Security.

• Delivered to: The IP address of the downstream MTA that accepted delivery of this message. This is only available when the action is "Delivered".

• Size (KB): The size of the message. This information is not always available.

5.7.3 About the Unresolved Traffic Tab

The following information is displayed for Unresolved Traffic:

• Timestamp: The time the message was accepted by Hosted Email Security. Click on the Timestamp value to open the Mail Tracking Details window for a given message.

• Sender: The sender email address on the message envelope, in other words, the sender address in the SMTP MAIL command.

• Recipient: The first recipient email address on the message envelope, in other words, the recipient in the first SMTP RCPT command.

• Action: The last action taken on the message. For all the actions, see Actions below.

§ Delivered: The message has been delivered to the downstream MTA that is responsible for transporting the message to its destination.

§ Bounced: The message has been rejected by the downstream MTA. Hosted Email Security will attempt to notify the sender about the event.

§ Deleted: The message has been deleted by Hosted Email Security according to the policy established by the authorized mail administrator of this mail domain.

§ Redirected: The message has been redirected to a different recipient according to the Hosted Email Security policy established by the authorized mail administrator of this mail domain.

§ Expired: Hosted Email Security attempted delivery repeatedly over several days without success and decided that the message is undeliverable. Hosted Email Security will attempt to notify the sender about the event.

§ Queued for delivery: The message is ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. This is a transient state of this message; it should not remain in this state for an extended period of time.

§ Temporary delivery error: The message should be ready to be delivered to the downstream MTA that is responsible for transporting the message to its destination. However, something is preventing the message from posting. This is a transient state of this message; it should not remain in this state for an extended period of time.

§ Quarantined: Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.

§ Encryption in progress: The message is being encrypted by Hosted Email Security. After encryption is complete, Hosted Email Security will queue the message for delivery.

§ Others: All not listed above.

• Subject: The subject line (if available) of the message.

• Sender IP: The IP address of the upstream MTA that delivered this message to Hosted Email Security.

• Delivered to: The IP address of the downstream MTA that accepted delivery of this message. This is only available when the action is "Delivered".

• Size (KB): The size of the message. This information is not always available.

• Sender Message ID: A unique identifier for the message. This information is not always available.

5.7.4 Social Engineering Attack Log Details

Hosted Email Security provides detailed information for email messages detected as possible social engineering attacks. To view social engineering attack details, click the Details link beside Social engineering attack on the Mail Tracking Details screen.

The following table lists the possible reasons for social engineering attack detections.

Email Characteristics: Description

Inconsistent sender host names: Inconsistent host names between Message-ID (<domain>) and From (<domain>).

Broken mail routing path: Broken mail routing path from hop (<IP_address>) to hop (<IP_address>).

Mail routing path contains mail server with bad reputation: The mail routing path contains mail server with bad reputation (<IP_address>).

Significant time gap during email message transit: Significant time gap (<duration>) detected during email message transit between hops (<source> & <destination>) from time (<date_time>) to time (<date_time>).

Inconsistent recipient accounts: Envelope recipient (<email_address>) is inconsistent with header recipient (<email_address>).

Possibly forged sender account or unexpected relay/forward: Possibly forged sender account (<email_address>) is sending email messages via host/IP (<host_address>) of which ASNs (<ASN_list>) are inconsistent to sender ASNs (<ASN_list>); or unexpected server-side relay/forward.

Email message travels across multiple time zones: The email message travels across time zones (<time_zone_list>).

Possible social engineering attack characterized by suspicious charsets in email entities: Suspicious charsets (<character_set_list>) are identified in a single email message, implying the email message originated from a foreign region. This behavior is an indicator of a social engineering attack.

Violation of time headers: Multiple time headers (<date_time>, <date_time>) exist in one message, which violates RFC 5322 section 3.6.

Possibly forged sender (Yahoo): The email message claimed from Yahoo (<email_address>) lost required headers.

Executable files with tampered extension names in the attachment: Executable files in compressed attachment (<file_name>) intend to disguise as ordinary files with tampered extension names.

Anomalous relationship between sender/recipient(s) related email headers: Anomalous relationship between sender/recipient(s) related email headers (<email_address>).

Encrypted attachment intends to bypass antivirus scan engines: Encrypted attachment (<file_name>) with password (<password>) provided in email content possibly intends to bypass antivirus scan engines.

Email attachment could be exploitable: Email attachment (<file_name>) could be exploitable.

Email message might be sent from a self-written mail agent due to abnormal transfer encoding in email entities: Content-Transfer-Encoding (<encoding_type>) is abnormal in the email message. The email message might be sent from a self-written mail agent.

Few meaningful words in the email message: The email message is less meaningful with only few characters in its text/HTML body (<character_count>).

Possible email spoofing: The email message was claimed as a forwarded or replied message with subject-tagging (<email_subject>), but the email message does not contain corresponding email headers (RFC 5322).

Email message travels across multiple ASNs: The email message travels across multiple ASNs (<ASN_list>).

Email message travels across multiple countries: The email message travels across multiple countries (<country_code_list>).

Abnormal Content-type behavior in email message: Content-type in email content should not have attributes (<attribute_list>).

Executable files archived in the compressed attachment: Executable files archived in compressed attachment (<file_name>).

Exploitable file types detected in the compressed attachment: Exploitable file types detected in compressed attachment (<file_name>).
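Four of the characteristics in the table above can be checked from message headers and the envelope recipient alone. The following Python sketch is an added example that approximates those four checks on constructed messages; it is not Trend Micro's detection logic. The subdomain tolerance in the host name comparison and the use of In-Reply-To/References as the "corresponding headers" for a reply are assumptions of this example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def _domain(value):
    """Return the lower-cased part after the last '@', or '' if there is none."""
    if "@" not in value:
        return ""
    return value.rpartition("@")[2].strip("<> \t").lower()


def _related(a, b):
    """Assumption: equal domains, or one a subdomain of the other, are consistent."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_message(raw_message, envelope_rcpt):
    """Return the table's characteristic names that this message exhibits."""
    msg = message_from_string(raw_message)
    hits = []

    # Inconsistent sender host names: Message-ID domain versus From domain.
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    msgid_domain = _domain(msg.get("Message-ID", ""))
    if from_domain and msgid_domain and not _related(from_domain, msgid_domain):
        hits.append("Inconsistent sender host names")

    # Inconsistent recipient accounts: envelope recipient (SMTP RCPT) is not
    # among the header recipients. Legitimate Bcc delivery also looks like this.
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    header_rcpts = {addr.lower() for _, addr in getaddresses(header_values)}
    if envelope_rcpt.lower() not in header_rcpts:
        hits.append("Inconsistent recipient accounts")

    # Violation of time headers: RFC 5322 section 3.6 allows exactly one Date.
    if len(msg.get_all("Date", [])) > 1:
        hits.append("Violation of time headers")

    # Possible email spoofing: subject is tagged as a reply, but the headers
    # a reply normally carries are absent (assumed: In-Reply-To, References).
    subject = msg.get("Subject", "").strip().lower()
    if subject.startswith("re:") and not (
            msg.get("In-Reply-To") or msg.get("References")):
        hits.append("Possible email spoofing")

    return hits


# Constructed sample messages using documentation domains.
SUSPICIOUS = """\
From: Accounts <billing@example.com>
To: finance@example.org
Message-ID: <20160601.1234@bulk-sender.example.net>
Date: Wed, 01 Jun 2016 09:00:00 +0000
Date: Tue, 31 May 2016 22:00:00 -0700
Subject: RE: overdue invoice

Please see the attached file.
"""

CLEAN = """\
From: Alice <alice@example.com>
To: bob@example.org
Message-ID: <abc123@mail.example.com>
Date: Wed, 01 Jun 2016 09:00:00 +0000
In-Reply-To: <prev42@example.org>
Subject: Re: lunch

See you at noon.
"""

if __name__ == "__main__":
    print(check_message(SUSPICIOUS, "ceo@example.org"))
    print(check_message(CLEAN, "bob@example.org"))
```

Each check on its own produces false positives (mailing lists, Bcc delivery, third-party senders), which is why the product reports them as characteristics of a possible attack rather than as verdicts.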

5.8 Understanding Policy Events

This screen enables you to track the email messages that trigger the advanced threat policy. Trend Micro Hosted Email Security maintains up to 30 days' logs for policy events.

Queries include data for one day only. Use more than one query to search across calendar months.

The Policy Event Query screen provides the following search criteria:

• Type

• Advanced persistent threat: Query the messages that triggered the advanced threat policy

§ All: Query all messages

§ Analyzed Advanced Threats: Query the messages that are identified as threats according to advanced analysis and the policy configuration

§ Probable Advanced Threats: Query the messages that are treated as suspicious according to policy configuration or the messages that are not sent for advanced analysis due to exceptions that occurred during the analysis.

• Dates: The time range for your query.

• Direction: The direction of messages.

• Recipient: The recipient email address.

• Sender: The sender email address.

• Subject: The message subject.

• Message ID: The sender message ID.

When you query the email policy event, Hosted Email Security provides a list of all messages that satisfy the criteria. You can click Search at any time to execute the query again. Use the various criteria fields to restrict your searches.

The most efficient way to track policy events is to provide both sender and recipient email addresses, message subject and message ID within a time range that you want to search. Recipient and Sender cannot use the wild-card character at the same time.

The following policy event information is displayed:

• Timestamp: The time the policy event occurred. Click on the Timestamp value to view the event details for a given message.

• Sender: The sender of the message.

• Recipient: The recipient of the message.

• Message Size: The size of the message. This information is not always available.

• Rule Name: The name of the triggered policy rule that is used to analyze the message.

• Trigger Reason: The reason for the policy rule to trigger.

• Risk Rating: The risk rating of the message identified after advanced analysis.

• Action: The action taken on the message. For all the actions, see Actions below.

§ BCC: A blind carbon copy (BCC) was sent to the authorized recipients according to the Hosted Email Security policy.

§ Bypass: The message has been ignored and was not intercepted by Hosted Email Security.

§ Changed recipient: The recipient has been changed and the message has been redirected to a different recipient according to the Hosted Email Security policy established by the authorized mail administrator of this mail domain.

§ Clean: The message was cleaned for viruses by Hosted Email Security.

§ Delete Attachment: The attachment in the email message has been deleted by Hosted Email Security.

§ Deliver: The message has been delivered to the downstream MTA that is responsible for transporting the message to its destination.

§ Insert Stamp: A block of text was inserted into the email message body.

§ Message deleted: The message has been deleted by Hosted Email Security according to the policy established by the authorized mail administrator of this mail domain.

§ Notification: A notification was sent to the recipient when the policy rule was triggered.

§ Quarantined: Quarantined messages are blocked as detected spam or other inappropriate content before delivery to an email account. Messages held in quarantine can be reviewed and manually deleted or delivered.

§ Tag Subject: Inserted a text defined in policy rules into the message subject line.

§ Encryption in progress: The message is being encrypted by Hosted Email Security. After encryption is complete, Hosted Email Security will queue the message for delivery.

• Scanned File Report(s): The report for the attached files in the message. If the file is analyzed for advanced threats, the risk level for the file is displayed here. If the report exists, click View report to see the detailed report.

Note: If a file is detected as high-risk, Hosted Email Security will not send the file for advanced analysis, and therefore, a detailed report will not be available for such file. Reports could also be unavailable if an error occurs in generating the report.

If an email message contains multiple recipients, the result will be organized for each recipient separately.

5.9 Configuring Administration Settings

Do any of the following from the Administration screens:

• Manage administrator accounts for the Hosted Email Security server

See Managing Administrator Accounts.

• Reset end user passwords for the Hosted Email Security End User Quarantine website

See Changing End User Passwords.

• Upload user directories to Hosted Email Security for improved spam management

See About Directory Management.

• Manage domain statuses in Hosted Email Security

See About Domain Management.

• Co-brand and customize Hosted Email Security screens

See About Co-Branding.

• Automate directory management in Hosted Email Security using web service clients

See Installing Web Services.

• View the Hosted Email Security Service Level Agreement

See Viewing Your Service Level Agreement.

5.9.1 Managing Administrator Accounts

5.9.1.1 About Account Management

Use the Administration > Account Management screen to search for accounts under your control and to act on behalf of those accounts.

After clicking Assume Control beside an account in the list, you will assume control of that account. For example, you will see and be able to change their Approved Senders and Blocked Senders lists, their Mail Tracking logs, and their managed domains on the Domain Management screens. You will also see the accounts they can control from their Account Management screen.

To stop acting on behalf of an account, click Release in the title bar area.

5.9.1.2 Adding and Configuring an Administrator Account

1. Go to Administration > Account Management.

2. Click Add. The Add Subaccount screen appears.

3. Configure the following information on the screen:

• Subaccount Basic Information: add the user Account Name and Email Address.

• Select Permission Types: select predefined permissions from the Predefined Permission Types list, or configure permissions for each of the features manually.

• Select Domains: select domains that the account can use and update.

4. Click OK.

Hosted Email Security generates a password and sends it to the newly created account owner through an email message.

Note: If the account owner does not receive the notification message or deletes the notification message by mistake, you can resend the notification by clicking Send under the Send Email column on the Account Management screen. The Send button will be disabled after the account owner logs in successfully.

5.9.1.3 Editing Administrator Account Configuration

1. Go to Administration > Account Management.

2. Click on the account name that you want to edit. The Edit Subaccount screen appears.

3. Modify the following information on the screen as required:

• Subaccount Basic Information: modify the user Email Address.

Note: The user Account Name cannot be modified.

• Select Permission Types: select predefined permissions from the Predefined Permission Types list, or configure permissions for each of the features manually.

• Select Domains: select domains that the account can manage.

4. Click OK.

5.9.1.4 Deleting Administrator Accounts

1. Go to Administration > Account Management.

2. Select the accounts that you want to delete, and then click Delete.

3. Click OK on the confirmation dialog box.

5.9.1.5 Changing Administrator Passwords

Note: If you have a Business account on the Customer License Portal (CLP), sign in to your Customer License Portal account and follow the instructions provided there. Trend Micro recommends changing your password regularly. You cannot change the password for a disabled account.

1. Go to Administration > Account Management.

2. Select the accounts for which you want to change passwords, and then click Reset Password. Hosted Email Security generates new passwords for the accounts, and sends them to the account owners through an email message.

5.9.1.6 Enabling or Disabling an Administrator Account

1. Go to Administration > Account Management.

2. Click (enabled) or (disabled) to toggle the status of the account, and then click OK on the confirmation dialog box.

5.9.2 Changing End-User Passwords

If an end user loses their password, the system administrator can reset that password.

1. Go to Administration > End-User Passwords.

2. Type the managed email address of the end user.

3. Type and confirm the new password to be associated with the account.

Important: Passwords must contain 8 to 32 alphanumeric characters. Trend Micro recommends using a long password. Strong passwords contain a mix of letters, numbers, and special characters.


5.9.3 About End-User Managed Accounts

End-users can manage multiple Hosted Email Security End User Quarantine website accounts by using a single account to log on. After an end-user begins managing an account, they can view the quarantined messages and set the Approved Senders associated with that account.

End-users log on with their primary account, and then specify one of their managed accounts or All managed accounts at the top of the screen to view Quarantined messages and set Approved Senders for the specified account or accounts.

Figure 1. Example of the End-User Managed Account Selection Control

After an end-user begins managing an account, that managed account will be unable to log on to the End User Quarantine website. The managed account will be able to log on again only if the account management relationship is removed. To allow the account to log on again, the primary account can remove the managed account from the Managed Accounts screen of the End User Quarantine website.

Adding a managed account does not change the credentials for that account.

The Hosted Email Security administrator console allows you to enable or disable (enabled by default) the ability of users to add managed accounts. Disabling the feature does not change the account management relationship of accounts that end-users have already added.

Tip: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.

End-users can always remove accounts from their list of managed accounts. However, end-users can only add management of accounts under the following conditions:

• The Hosted Email Security administrator has enabled the feature.

• The account is a registered End User Quarantine website account.

• The account is not currently a managed account of another End User Quarantine website account.

• The end-user is able to open the confirmation email message sent to the account address.

• The end-user has the End User Quarantine website password for the account.


5.9.3.1 Removing End-User Managed Accounts

The primary account can remove the managed account from the Managed Accounts screen of the End User Quarantine website.

To remove an account management relationship using the Hosted Email Security administrator console, use the following procedure.

1. Go to the End-User Managed Accounts screen.

2. Select the primary account and managed account pair or pairs in the list.

3. Click Remove.

5.9.4 About Directory Management

You can import LDAP Data Interchange Format (LDIF) or comma-separated values (CSV) files into Hosted Email Security. This helps Hosted Email Security to better filter and process messages for valid email addresses. Messages to invalid email addresses will be rejected.

Hosted Email Security uses user directories to help prevent backscatter (or outscatter) spam and Directory Harvest Attacks (DHA). Importing user directories lets Hosted Email Security know legitimate email addresses and domains in your organization.

Hosted Email Security also provides a Synchronization Tool that enables you to synchronize your current groups and email accounts on the Active Directory server with the Hosted Email Security server.

The Directory Management screen includes the following tabs:

• Directory Import

  ◦ Import User Directory: Selections for importing a new user directory file

  ◦ Imported User Directories: The current user directory file(s) that Hosted Email Security is using

• Directory Synchronize

  ◦ Synchronization Summary: Displays the number of valid recipients and groups synchronized using the synchronization tool.

  ◦ Synchronization History: Displays the last seven (7) days' synchronization history.


5.9.4.1 Importing User Directories

You can import LDAP Data Interchange Format (LDIF) or comma-separated values (CSV) files into Hosted Email Security. This helps Hosted Email Security to better filter and process messages for valid email addresses. Messages to invalid email addresses will be rejected.

Important: Before you import an LDIF or CSV directory file, note the following:

• Hosted Email Security only recognizes ANSI-encoded LDIF (with the extension .ldf) and ANSI or UTF-8-encoded CSV (with the extension .csv) files. Do not include blank lines or other irrelevant data in the file that you import. Use caution when creating a file.

• When importing user directory files, Hosted Email Security replaces all records for a managed domain at once. If any email addresses for a managed domain are imported, all other email addresses for that domain are removed. Newly imported email addresses for that domain, and records for other managed domains, will be kept. If you import an updated user directory file that does not have any information for one of your domains, the entries for those domains remain the same and are not overwritten.

• Every time you import a directory file, it overwrites the old version. If you import an updated directory file that has information for one of your domains, all entries for those domains are overwritten. Use caution when importing a directory.

• You can only see the directories that are associated with your administrator account. If you are sharing your Hosted Email Security service with another administrator (for example, a value-added reseller) who logs on with his/her specific account information, Hosted Email Security will not show the directories for that account.

• Every time you add more users to your network, you must import your updated user directories; otherwise, Hosted Email Security will reject email from newly added users.

Warning: Trend Micro strongly suggests that you do not import more than 24 directories in a day. Doing so could overwhelm system resources.

1. Next to Format, select the format type:

• LDIF

• CSV


Important: If you create a CSV file, divide the records into fields for email_address and Firstname Lastname and separate them using a comma and optional quotation marks. Use of spaces or other delimiters is not supported. Use one record per line. For example:

[email protected],Bob Smith
[email protected],Sally Jones
"[email protected]","Bob Smith"
"[email protected]","Sally Jones"

Not Valid

[email protected],Bob Smith,[email protected],Sally Jones

Microsoft Excel will save a two column chart as a CSV using valid formatting.

2. Next to Name, type a descriptive name for the file.

3. Next to File location, type the file directory path and file name or click Choose File and select the .ldf or .csv file on your computer.

4. Click Verify File to read the file and show a summary of how many email addresses were found.

After the progress bar completes, a summary screen appears showing the following:

• Summary: A summary of the information above

• Domains and Number of Current Users to Replace Current Users: The domains that you specified when you subscribed to the Hosted Email Security service

• Invalid domains: Any domains that are included in your directory file, but are not officially registered with your Hosted Email Security service

5. Click Import. This will import and then enable the email address list.

Note: You can verify which email addresses were found by selecting your domain name and clicking the Export to CSV button. If you need to disable the feature, you can click the toggle. The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.
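A pre-import check for the CSV directory file, as an added example (not Trend Micro code): it applies the format rules stated above (two comma-separated fields, optional quotation marks, one record per line, no blank lines) and previews which managed domains an import would replace, which domains are not registered, and which managed domains would be left unchanged. The function name, the simple address pattern, the reading of "ANSI" as Windows-1252 and the sample rows are assumptions.

```python
import csv
import re
from collections import Counter

# Simple address shape check; the guide does not define one (assumption).
ADDRESS_RE = re.compile(r'^[^@\s,"]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$')

# Constructed sample file: rows 3, 4 and 5 break the format rules on purpose.
SAMPLE = (
    b'alice@example.com,Alice Adams\r\n'
    b'"bob@example.com","Bob Smith"\r\n'
    b'\r\n'
    b'carol@example.com,Carol Diaz,dave@example.com,Dave Eng\r\n'
    b'erin@example.com;Erin Fox\r\n'
    b'frank@other.example,Frank Gray\r\n'
)


def check_directory_csv(data, managed_domains):
    """Check a directory CSV against the import rules and preview its effect.

    Returns a dict with:
      errors    - list of (line_number, message) for rejected lines
      replaced  - {managed domain: address count} whose records would be replaced
      unmanaged - domains in the file that are not in managed_domains
      untouched - managed domains absent from the file (records stay as they are)
    """
    try:
        text = data.decode("utf-8-sig")          # UTF-8, with or without a BOM
    except UnicodeDecodeError:
        # "ANSI" is taken to mean Windows-1252 here (assumption).
        text = data.decode("cp1252", errors="replace")

    errors, counts = [], Counter()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            errors.append((lineno, "blank line"))
            continue
        try:
            fields = next(csv.reader([line], strict=True))
        except csv.Error as exc:
            errors.append((lineno, f"malformed quoting: {exc}"))
            continue
        if len(fields) != 2:
            errors.append((lineno, f"expected 2 fields, found {len(fields)}"))
            continue
        address, name = fields
        if address != address.strip() or name != name.strip():
            errors.append((lineno, "space next to the comma delimiter"))
            continue
        match = ADDRESS_RE.match(address)
        if match is None:
            errors.append((lineno, f"not an email address: {address!r}"))
            continue
        counts[match.group(1).lower()] += 1

    managed = {d.lower() for d in managed_domains}
    return {
        "errors": errors,
        "replaced": {d: n for d, n in sorted(counts.items()) if d in managed},
        "unmanaged": sorted(d for d in counts if d not in managed),
        "untouched": sorted(managed - set(counts)),
    }


if __name__ == "__main__":
    report = check_directory_csv(SAMPLE, ["example.com", "example.org"])
    for lineno, message in report["errors"]:
        print(f"line {lineno}: {message}")
    for domain, count in report["replaced"].items():
        print(f"{domain}: existing records replaced by {count} imported address(es)")
    print("unmanaged domains in file:", report["unmanaged"])
    print("managed domains left unchanged:", report["untouched"])
```

A low count under "replaced" is the case to look at before clicking Import, because every address for that domain that is missing from the file is removed.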


5.9.4.2 Synchronizing User Directory

The Directory Synchronize tab displays synchronization summary and history. The screen is divided into two sections:

• Synchronization Summary: This section displays the number of valid recipients and groups synchronized using the synchronization tool.

• Synchronization History: This section displays the last seven (7) days' synchronization history. It includes the following information:

  ◦ Synchronization time

  ◦ Type: whether the synchronized data includes valid recipients, groups or both

  ◦ The synchronization tool information including the machine's IP address or host name where the tool is installed

  ◦ Synchronization result: whether the synchronization is successful or unsuccessful, or whether any groups or policies were added or removed.

5.9.4.3 Verifying User Directories

If you are uncertain which domains in the user directories are going to be active for your service, you can temporarily disable the directories, import the file, export the directories to a CSV file, and view them without the directory being enabled. When you are confident that the user directory is correct, you can re-enable it.

Note: Hosted Email Security takes up to five minutes to enable or disable the directories.

Verifying User Directories for Valid Recipients

1. Disable the Valid recipient check.

Note: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.

2. Import directories or synchronize valid recipients.

3. Select the domains from the Valid recipient drop-down list that you want to verify.

4. Click Export to CSV for Valid recipient.

5. Save the directory file.

6. Open the directory file in an application that reads CSV files.

7. Verify that the recipient information is correct.

8. Re-enable the Valid recipient check.


Note: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.

Verifying User Directories for Directory Groups

Note: Perform this procedure after you have synchronized user groups using Synchronization Tool.

1. Select the groups from the Directory groups drop-down list that you want to verify.

2. Click Export to CSV for Directory groups.

3. Save the group file.

4. Open the group files in an application that reads CSV files.

5. Verify that the group information is correct.

5.9.5 About Domain Management

Use the Administration > Domain Management screen to add, modify, or deactivate domains.

Table 1. Activate a Domain Field Descriptions

Field | Description

Inbound Server(s)

IP address or FQDN: Fully qualified domain name (FQDN) is a unique name, which includes both host name and domain name, and resolves to a single IP address.

• For example: hostmaster1.example.com or mailhost.example.com

• Not valid: example.com

Port: Port is a number from 0-65535 that an inbound server listens on. These ports vary based on server configuration. Well-known ports for email servers include SMTP at 25, SMTPS at 465, and MSA at 587.

Preference: Preference, sometimes referred to as distance, is a value from 1 to 100.

Note: If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server.

Outbound Server(s)

If outbound filtering is enabled, this is the information for the MTA(s) that Hosted Email Security relays your outbound messages from. The following choices are available:

Use Office 365: Relays your outbound messages from your Office 365 solution


Use Google Apps: Relays your outbound messages from your Google Apps solution

Specify IP address(es): Relays your outbound messages from the specified IPv4 address(es) for your current MTA(s)

Seat count

This is the licensed seat count used by this domain. Seats correspond to the number of actual email users in the domain.

Send test message to

Optional email address used to confirm email delivery from Hosted Email Security. Manually send test messages to this address from the Domain Management screen.

Domain status is shown in the Domains table at the bottom of the screen. Domain status can be one of the following:

Table 2. Domain Status Descriptions

Domain Status | Description

Adding | Hosted Email Security is waiting for you to point your MX record to the Hosted Email Security MTA for your region

Activated | Domain is successfully delivering email messages

5.9.5.1 Adding a Domain

1. Type the information for your current MTAs or mail servers in the following fields:

• Domain name: Includes everything to the right of the at sign (@) in email addresses managed by the server(s) being activated

• Seat count: Seats correspond to the number of actual email users in the domain

• Inbound server(s)

  ◦ IP address or FQDN: Fully qualified domain name (FQDN) is a unique name, which includes both host name and domain name, and resolves to a single IP address.

  ◦ Port: Port is a number from 0-65535 that an inbound server listens on. These ports vary based on server configuration. Well-known ports for email servers include SMTP at 25, SMTPS at 465, and MSA at 587.

  ◦ Preference: Preference, sometimes referred to as distance, is a value from 1 to 100.

Note: If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server.

Note: You can specify up to 30 inbound servers and 30 outbound servers. Use the add and the remove buttons to manage additional entries.


• Optionally, select Enable outbound filtering and refer to the following table:

Warning: Enabling outbound filtering without specifying outbound servers will prevent the delivery of any outbound traffic routed through the service.

Steps to Configure Outbound Filtering

Email Solution | Steps

You currently use Office 365 | Select Use Office 365.

You currently use Google Apps | Select Use Google Apps.

You do not use Office 365 or Google Apps | Select Specify IP address(es). Type the IP address(es) of your outbound server(s).

• Send test message to: Optional email address used to confirm email delivery from Hosted Email Security. Manually send test messages from the Domain Management Details screen.

To display the Domain Management Details screen, follow the step to edit information for a domain at Managing Domains.

2. Click Activate Domain.

If the domain is valid and an MX record for the domain exists, the domain appears in the Domains table at the bottom of the screen.

Trend Micro sends a welcome message to the administrative email address on record confirming that your domain has been added successfully and stating: "This welcome message confirms your domain has been successfully added."

Warning: Do not repoint your MX record until you receive the message confirming that your domain has been added. The administrative email address on record should receive the welcome message, which is that confirmation. If you repoint your MX record before your domain has been successfully added, your email messages may be lost.

3. If you currently use Office 365, you can configure Office 365 connectors to allow email traffic to or from Hosted Email Security MTAs. See Adding Office 365 Inbound Connectors. See Adding Office 365 Outbound Connectors.

See Repointing MX Records (Best Practice)


5.9.5.2 Managing Domains

1. Select domains by doing one of the following:

• To select one or more domains, select the check boxes to the left of each entry.

• To select all domains, select the check box to the left of the Domain Name column title.

2. Manage selected domains by clicking one of the following buttons:

• Deactivate: Submit a deactivation request to Trend Micro for action

• Check MX Record: Verify the MX record points to the Hosted Email Security inbound MTA

3. To edit information for a domain, do the following:

a. Click the domain name in the Domains list at the bottom of the Domain Management screen. The Domain Management Details screen appears, displaying the title Domain Management > {your-domain-name} with fields pre-filled with the information on record for that domain.

b. Modify the fields as needed.

5.9.5.2.1 Enabling Outbound Filtering for a Domain

1. Follow the steps to open the Domain Management Details screen for your managed domain. To display the Domain Management Details screen, follow the step to edit information for a domain at Managing Domains.

2. Enable Outbound Filtering for your managed domain.

Select Enable outbound filtering and refer to the following table:

Warning: Enabling outbound filtering without specifying outbound servers will prevent the delivery of any outbound traffic routed through the service.

Table 1. Steps to Configure Outbound Filtering

Email Solution | Steps

You currently use Office 365

a. Select Use Office 365.

Tip: If you use Office 365, configure Office 365 connectors to allow email traffic from Hosted Email Security MTAs. See Adding Office 365 Outbound Connectors.

You currently use Google Apps

a. Select Use Google Apps.

You do not use Office 365 or Google Apps

a. Select Specify IP address(es).

b. Type the IP address(es) of your outbound server(s).


5.9.6 About Co-Branding

Hosted Email Security enables you to display a service banner, such as your company logo, on the top banner of the Hosted Email Security logon screen, administrator console, and End User Quarantine website. You can set different domains with the same or different service banners or can allow domain administrators to set the service banner to be displayed for their domain. You can also leave the feature disabled.

The following is an example of a customized service banner:

The service banner selected for a domain will display in the top banner of the Hosted Email Security logon screen, the Hosted Email Security End User Quarantine website, and the administrator console associated with that domain. The service banner selected for an account name will display only in the Hosted Email Security administrator console.

Resellers can set different service banners for different domains or allow system administrators of the domain to set the service banner for that domain.

Before attempting to establish co-branding, verify that your service banner image meets the following requirements:

Table 1. Service Banner Specifications

Image Attributes | Specifications

Height | Exactly 60 pixels (no taller or shorter)

Width | 800-1,680 pixels

File format | GIF, JPEG (with the extension .jpg), PNG

Note: Co-branding is disabled by default. The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.


5.9.6.1 Accessing the Co-Branded Administrator Console and End User Quarantine Website

As a reseller, you can supply your customers with a web address they can use to access their co-branded Hosted Email Security administrator console and End User Quarantine website.

Refer to the access locations for your region in the table below:

Table 1. Access Locations

Console or Website | Steps for Europe, the Middle East, Africa | Steps for All Other Regions

Administrator console for Customer Licensing Portal (CLP) Business accounts

Europe, the Middle East, Africa: Append /co-brand/ and the Hosted Email Security account name to the base URL. For example:

• Hosted Email Security administrator console: https://tm.hes.trendmicro.eu

• Co-branded administrator console for the account named "adminA": https://tm.hes.trendmicro.eu/co-brand/adminA

All other regions: Append /co-brand/ and the Hosted Email Security account name to the base URL. For example:

• Hosted Email Security administrator console: https://tm.hes.trendmicro.com

• Co-branded administrator console for the account named "adminA": https://tm.hes.trendmicro.com/co-brand/adminA

Administrator console for xSP and local accounts

Europe, the Middle East, Africa: Append /co-brand/ and the Hosted Email Security account name to the base URL. For example:

• Hosted Email Security administrator console: https://ui.hes.trendmicro.eu

• Co-branded administrator console for the account named "adminB": https://ui.hes.trendmicro.eu/co-brand/adminB

All other regions: Append /co-brand/ and the Hosted Email Security account name to the base URL. For example:

• Hosted Email Security administrator console: https://ui.hes.trendmicro.com

• Co-branded administrator console for the account named "adminB": https://ui.hes.trendmicro.com/co-brand/adminB

End User Quarantine website

Note: This applies to Customer Licensing Portal, xSP, and local accounts.

Europe, the Middle East, Africa: Append /euq-co-brand/ and the Hosted Email Security managed domain to the base URL. For example:

• Hosted Email Security End User Quarantine website: https://euq.hes.trendmicro.eu

• Co-branded administrator console for the managed domain "example.com": https://euq.hes.trendmicro.eu/euq-co-brand/example.com

All other regions: Append /euq-co-brand/ and the Hosted Email Security managed domain to the base URL. For example:

• Hosted Email Security End User Quarantine website: https://euq.hes.trendmicro.com

• Co-branded administrator console for the managed domain "example.com": https://euq.hes.trendmicro.com/euq-co-brand/example.com

Note: If an end user accesses a co-branded website without appending the account name or domain name, the website will still use co-branding for all screens except the logon screen.

5.9.7 Installing Web Services

Hosted Email Security Web Services automate some repetitive tasks. The Web Services Client and Active Directory Synchronization Tool automate the import of directory files of valid recipient email addresses. The Active Directory Synchronization Tool also enables you to import user groups. The Web Services Client and Active Directory Synchronization Tool functionality is similar to the Import User Directory feature on the Directory Management screen.

1. Go to Administration > Web Services.

2. If Current Key under Service Authentication Key is blank, click Generate New Key to generate a key. The Service Authentication Key is the global unique identifier for your Web Service Client to authenticate its access to Hosted Email Security Web Services.

3. Enable Applications using the button at the right of the screen (disabled by default).

Tip: The toggle button shows the current enabled or disabled state of the setting. Click the button to switch the state of the setting.

4. In the Downloads list, click download to download the desired items. Download the Web Services Guide for additional instructions on the use and configuration of Hosted Email Security Web Services.

• Active Directory Synchronization Tool: For synchronizing accounts and groups between local Active Directory and Hosted Email Security server

• Active Directory Synchronization Tool User Guide: For more information on using the synchronization tool

• Web Services Client: For most environments

• Web Services Guide: For more information on using the clients

Important: Current Key displays the Service Authentication Key that the Web Services Client should use. If you generate a new key, you must update Web Services Client to use the new key. The Service Authentication Key allows your Web Services Client to communicate with Hosted Email Security Web Services. Keep the Service Authentication Key private.

5. Save the client on a local drive.

6. Follow the client installation steps to install the client.

5.9.8 Viewing Your Service Level Agreement

Trend Micro provides a Service Level Agreement (SLA) for Hosted Email Security that is intended to help your organization receive secure, uninterrupted email service.

The Service Level Agreement covers availability, latency, spam blocking, false positives, antivirus, and support. Specific service-level guarantees are included in the most current version of the Hosted Email Security Service Level Agreement, which you can view or download from this screen.

To view the Service Level Agreement for your region:

1. Go to Administration > Service Level Agreement. The Hosted Email Security Service Level Agreement screen appears.

2. In the drop-down list, select your language/region.

Tip: Disable any pop-up blockers for your browser in order to download the Service Level Agreement.

Hosted Email Security displays an Adobe Reader (PDF) document of the Service Level Agreement for the language and region that you selected.

Important: Provisions of the Service Level Agreement may vary among regions, so be sure to select your region and language when using this screen. Trend Micro reserves the right to modify the service at any time without prior notice. The current version of the Hosted Email Security service level agreement is available for review by paid customers and by customers conducting a trial.

