Email Security - Policy

This page provides detailed information on the configuration of email security filter policies. Please refer to the introduction to email security page for a brief overview.

The following filter policies are configured and enabled:

  1. Sender Address Verification
  2. IP Reputation
  3. Approved Senders
  4. Sender Policy Framework (SPF)
  5. DomainKeys Identified Mail (DKIM)
  6. Domain-based Message Authentication, Reporting and Conformance (DMARC)
  7. Malware or Malicious Code Detection
  8. Phishing Detection
  9. Web Reputation
  10. Social Engineering Attack Protection
  11. Business Email Compromise

Furthermore, the email security tool provides additional passive checks:

  1. Spam Detection
  2. Greymail

This document also details scan exemptions.

Active Filter Policies

    Sender Address Verification

    The email gateway implements some of the Postfix smtpd_sender_restrictions. The solution implements the following aspects:

    • reject_unknown_sender_domain: Reject the request when the MAIL FROM domain has no DNS MX and no DNS A/AAAA record, or a malformed MX record such as a record with a zero-length MX hostname.

    Note: this is a global feature of the product and we are unable to disable this behaviour.

    The email gateway introduces additional information to the email header:

    • X-TM-AS-SMTP: the SMTP HELO and SMTP MAIL FROM information received by the gateway filter, Base64 encoded. For example, X-TM-AS-SMTP: 1.0 ZW1haWxzZXJ2ZXIub3guYWMudWsK b3hjZXJ0QGluZm9zZWMub3guYWMudWsK decodes to X-TM-AS-SMTP: 1.0 emailserver.ox.ac.uk oxcert@infosec.ox.ac.uk.
    • X-TM-Deliver-Signature: MD5 hash of the sender and message ID information.

    IP Reputation

    The email gateway checks the reputation of the email server sending a message to the University against a filter based on four lists:

    • Trend Micro Email Reputation Services (ERS)
    • Known Spam Source (RBL)
    • Dynamically Assigned IP (DUL)
    • Emerging Threat List (ETL)

    Email messages from IP addresses on any of the four lists will be rejected.

    We have whitelisted the following IPv4 address ranges:

    • 129.67.1.160/28 (IT Services email servers)
    • 163.1.2.160/28 (IT Services email servers)

    The results of the email server reputation scan are added into the email header as X-TM-AS-ERS.

    Approved Senders

    The email gateway operates a whitelist of approved senders, as configured on the OxMail servers as of 03/07/2018. Messages from approved sender addresses bypass further checks.

    Sender Policy Framework (SPF)

    SPF is an open standard to prevent sender address forgery. SPF protects the sender address used for the delivery of messages (the SMTP MAIL FROM address, shown as smtp.mailfrom in the header examples below).

    Whilst the email gateway verifies whether the message complies with the domain's stated policy or not, it does not actively filter based on the results of this check. The results of the SPF check are added into the email header as X-TM-Authentication-Results.

    Examples for SPF Verification Information in Email Headers

    • Failed SPF verification:
      X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com;
    • Successful SPF verification:
      X-TM-Authentication-Results: spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com;

    DomainKeys Identified Mail (DKIM)

    DKIM is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to have come from a specific domain was indeed authorised by the owner of that domain.

    Whilst the email gateway verifies DKIM signatures, it does not actively filter based on the results of this check. The results of the DKIM check are added into the email header as X-TM-Authentication-Results.

    Examples for DKIM Information in Email Headers

    • X-TM-Authentication-Results: dkim=pass; Contain verified signature, header.d=test.com, header.s=TM-DKIM_201603291435, header.i=sender@test.com
    • X-TM-Authentication-Results: dkim=pass; No signatures and verification is not enforced
    • X-TM-Authentication-Results: dkim=pass; No valid signatures and verification is not enforced
    • X-TM-Authentication-Results: dkim=fail; No processed signatures but verification is enforced

    Domain-based Message Authentication, Reporting and Conformance (DMARC)

    DMARC is built on top of the two aforementioned technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows domain owners to publish policies on how receivers should deal with authentication failures.

    Whilst the email gateway performs the DMARC check, it does not actively filter based on its result. The results of the DMARC check are added into the email header as X-TM-Authentication-Results.

    Examples for DMARC Information in Email Headers

    • X-TM-Authentication-Results: dmarc=fail action=none header.from=example.com; spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com;
    • X-TM-Authentication-Results: dmarc=pass action=none header.from=example.com; spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com;
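The SPF, DKIM and DMARC examples above share one shape: semicolon-separated clauses of method=result, an optional parenthesised comment and key=value properties. Because the gateway only records these results and does not act on them, anything that does act (a personal inbox rule, a mail-log or SIEM query) has to parse the header itself. The Python below is an added example written for this page, not code from IT Services or the gateway vendor. It parses an X-TM-Authentication-Results value into one entry per method, using the two DMARC sample values above as constructed input, extracts the connecting IP the SPF comment records, and flags messages where DMARC failed but action=none was recorded.

```python
import re
from typing import Dict, Optional

# Constructed sample values, taken from the DMARC examples in the policy text
# above (header name removed; only the header value is parsed here).
SAMPLE_FAIL = ("dmarc=fail action=none header.from=example.com; "
               "spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; "
               "dkim=pass (signatures verified) header.d=example.com;")
SAMPLE_PASS = ("dmarc=pass action=none header.from=example.com; "
               "spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; "
               "dkim=pass (signatures verified) header.d=example.com;")

# One clause looks like: method=result (optional comment) key=value key=value ...
_CLAUSE_RE = re.compile(
    r"^(?P<method>[a-z]+)=(?P<result>[a-z]+)\s*"
    r"(?:\((?P<comment>[^)]*)\))?\s*"
    r"(?P<props>.*)$"
)


def parse_tm_auth_results(value: str) -> Dict[str, dict]:
    """Split an X-TM-Authentication-Results value into one entry per method.

    Each entry carries the result token, the parenthesised comment (or None)
    and the key=value properties that follow it. Clauses that do not start
    with method=result (such as the free-text DKIM remarks on this page) are
    skipped rather than guessed at.
    """
    results: Dict[str, dict] = {}
    for clause in value.split(";"):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            continue
        props: Dict[str, str] = {}
        for token in m.group("props").split():
            key, _, val = token.partition("=")
            if val:
                props[key] = val
        results[m.group("method")] = {
            "result": m.group("result"),
            "comment": m.group("comment"),
            "props": props,
        }
    return results


def dmarc_failed_without_action(value: str) -> bool:
    """True when DMARC failed but the gateway recorded action=none.

    The gateway only annotates, so a downstream rule or query has to act.
    """
    dmarc = parse_tm_auth_results(value).get("dmarc")
    return (dmarc is not None
            and dmarc["result"] == "fail"
            and dmarc["props"].get("action") == "none")


def spf_sender_ip(value: str) -> Optional[str]:
    """Return the connecting IP recorded in the SPF comment, if present."""
    spf = parse_tm_auth_results(value).get("spf")
    if spf is None or not spf["comment"]:
        return None
    m = re.search(r"sender IP address:\s*([0-9A-Fa-f.:]+)", spf["comment"])
    return m.group(1) if m else None


if __name__ == "__main__":
    for sample in (SAMPLE_FAIL, SAMPLE_PASS):
        parsed = parse_tm_auth_results(sample)
        print({k: v["result"] for k, v in parsed.items()},
              "sender IP:", spf_sender_ip(sample),
              "needs review:", dmarc_failed_without_action(sample))
```

The DKIM-only variants listed earlier ("No signatures and verification is not enforced" and similar) put free text after dkim=pass rather than key=value properties; the parser keeps the dkim result and drops the remark, which is the safe choice when the remark's vocabulary is not documented.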

    Malware or Malicious Code Detection

    The email security solution takes action on messages that contain malware, worms, or other malicious code. This is a multi-level process that combines signature-based detection, machine learning techniques and virtual analysis.

    For external messages, depending on the type of malware, the email gateway cleans messages and attachments where the malicious content can be safely removed from the infected file, resulting in an uninfected copy of the original message or attachment. Cleaned messages can be identified using the email header X-OxES-GW: malware. Messages that contain uncleanable malware, worms, or other threats that cannot be removed from messages or attachments, and that propagate by mass-mailing copies of themselves, are stopped and deleted.

    For internal messages, the cloud security component cleans messages and attachments and replaces them with a text file warning that there was a virus. Messages that contain uncleanable malware, worms, or other threats that cannot be removed from messages or attachments are stopped or removed from mailboxes, and the original recipients receive a notification.

    Phishing Detection

    The email security solution attempts to identify phishing messages and stops their delivery or removes such messages from mailboxes. The original recipients receive a notification.

    Web Reputation

    The web reputation technology assigns websites a "reputation" based on an assessment of the trustworthiness of a URL, derived from an analysis of the domain. Both components of the email security solution stop the delivery of, or remove from mailboxes, messages containing disreputable high-risk URLs. The original recipients receive a notification.

    The reputation of URLs in external messages can be identified using the email header X-OxES-GW-WR, whose value is a run of up to six asterisks expressing the risk associated with the URLs in the message:

    • X-OxES-GW-WR: * lowest risk associated to URLs in message
    • X-OxES-GW-WR: ** low risk associated to URLs in message
    • X-OxES-GW-WR: *** moderately low risk associated to URLs in message
    • X-OxES-GW-WR: **** moderately high risk associated to URLs in message
    • X-OxES-GW-WR: ***** high risk associated to URLs in message
    • X-OxES-GW-WR: ****** highest risk associated to URLs in message

    The email gateway introduces additional information to the email header:

    • X-OxES-GW-WRU: used internally by the email security team for testing purposes.
    • X-TM-AS-URL: Trend Micro Anti Spam (TM-AS) URL web reputation scan (WRS) rating information in the format X-TM-AS-URL: <URL WRS Score> - <URL WRS category1> - <URL WRS category ...> - <URL WRS category n> - <URL Base64 encoded>
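Two of the gateway headers carry Base64-encoded fields: X-TM-AS-SMTP (the HELO and MAIL FROM values described under Sender Address Verification above) and X-TM-AS-URL (the rated URL, in the format just listed). The Python below is an added example, not code from IT Services or the gateway vendor. It decodes both headers strictly, rejecting malformed Base64 instead of silently skipping bad characters. The X-TM-AS-SMTP sample value is the one quoted on this page; the X-TM-AS-URL sample is constructed here with an invented score and category names, and the " - " separator is assumed from the format shown.

```python
import base64
import binascii
from typing import List, NamedTuple


class SmtpEnvelope(NamedTuple):
    version: str
    helo: str
    mail_from: str


class UrlRating(NamedTuple):
    score: str
    categories: List[str]
    url: str


def _b64_text(token: str) -> str:
    """Strictly decode one Base64 field to text.

    validate=True makes stray characters an error instead of being dropped,
    so a malformed header is rejected rather than decoded to something else.
    The gateway's encoded values end in a newline, which is stripped.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        return raw.decode("ascii").rstrip("\r\n")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"invalid Base64 header field: {token!r}") from exc


def parse_tm_as_smtp(value: str) -> SmtpEnvelope:
    """Decode 'X-TM-AS-SMTP: <version> <Base64 HELO> <Base64 MAIL FROM>'."""
    fields = value.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {value!r}")
    version, helo_b64, from_b64 = fields
    return SmtpEnvelope(version, _b64_text(helo_b64), _b64_text(from_b64))


def is_well_formed_smtp(value: str) -> bool:
    """True if the X-TM-AS-SMTP value parses; False on any structural error."""
    try:
        parse_tm_as_smtp(value)
        return True
    except ValueError:
        return False


def parse_tm_as_url(value: str) -> UrlRating:
    """Decode 'X-TM-AS-URL: <score> - <category> - ... - <Base64 URL>'.

    The ' - ' separator is assumed from the format shown on the page; the
    score is kept as a string because the page does not say it is numeric.
    """
    fields = [f.strip() for f in value.split(" - ")]
    if len(fields) < 2:
        raise ValueError(f"expected at least a score and a URL: {value!r}")
    score, *categories, url_b64 = fields
    return UrlRating(score, categories, _b64_text(url_b64))


# Sample X-TM-AS-SMTP value copied from the policy text above.
SAMPLE_SMTP = "1.0 ZW1haWxzZXJ2ZXIub3guYWMudWsK b3hjZXJ0QGluZm9zZWMub3guYWMudWsK"

# Constructed X-TM-AS-URL value: score and category names are invented for the
# example, and the URL is encoded here so the sample cannot be mistyped.
SAMPLE_URL = "47 - Example Category - Another Category - " + \
    base64.b64encode(b"https://www.example.com/\n").decode("ascii")


if __name__ == "__main__":
    print(parse_tm_as_smtp(SAMPLE_SMTP))
    print(parse_tm_as_url(SAMPLE_URL))
```

Decoding the HELO name and envelope sender out of X-TM-AS-SMTP is what makes the header useful when reading mail logs or investigating a report: the values are what the connecting server claimed, independent of the From: header the recipient sees.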

    Social Engineering Attack Protection

    Social Engineering Attack Protection detects suspicious behaviour related to social engineering attacks in email messages. Both components of the email security solution are configured conservatively and only stop or remove messages with a high confidence in suspicious behaviour from mailboxes. The original recipients receive a notification.

    External messages classified as social engineering can be identified using the email header X-OxES-GW-SocEng, whose value is a run of up to three asterisks expressing the email gateway's confidence in suspicious behaviour:

    • X-OxES-GW-SocEng: * low confidence in suspicious behaviour
    • X-OxES-GW-SocEng: ** medium confidence in suspicious behaviour
    • X-OxES-GW-SocEng: *** high confidence in suspicious behaviour

    The email gateway introduces additional information to the email header:

    • X-TMASE-SNAP-Result: Trend Micro Anti Spam Engine (TMASE) Social Engineering Attack Protection (SNAP) scan result in the format X-TMASE-SNAP-Result: <Version> - <Scan Result> - <Scan Aggressive Level> - <Traverse List>

    Business Email Compromise (BEC)

    The FBI defines Business Email Compromise (BEC) as "a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments." Formerly known as Man-in-the-Email scams, these schemes compromise official business email accounts to conduct unauthorised fund transfers.

    A BEC scam is a form of phishing attack where a fraudster impersonates a high profile executive, for example, the CEO or CFO, and attempts to trick an employee, a customer, or a vendor into transferring funds or sensitive information to the fraudster.

    External messages with suspect business email compromise can be identified using the email header X-OxES-GW-BEC: true. The cloud security tool moves such messages to the Junk folder of Nexus365 mailboxes.

    Passive Filter Policies

    In addition to the active policies above, the email gateway enriches messages with additional information in the email header. This information can be used to implement personal inbox rules that filter messages on these headers.

    Spam Detection

    External messages classified as spam by the email gateway can be identified using the email header X-OxES-GW-Spam, whose value is a run of up to six asterisks expressing the email security solution's confidence in the message being spam:

    • X-OxES-GW-Spam: * lowest confidence in message being spam
    • X-OxES-GW-Spam: ** low confidence in message being spam
    • X-OxES-GW-Spam: *** moderately low confidence in message being spam
    • X-OxES-GW-Spam: **** moderately high confidence in message being spam
    • X-OxES-GW-Spam: ***** high confidence in message being spam
    • X-OxES-GW-Spam: ****** highest confidence in message being spam
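X-OxES-GW-WR, X-OxES-GW-SocEng and X-OxES-GW-Spam all encode a level as a run of asterisks, and X-OxES-GW-BEC and X-OxES-GW-Grey are set to the literal true. Since Nexus365 does not filter on these headers, a user or administrator who wants to act on them needs something like the following, an added Python example that is not code from IT Services: it validates each asterisk run against the maximum for that header, maps it to the label given in the lists above, and shows one possible inbox rule whose thresholds are the example's own choice. The sample message is constructed.

```python
import email
from email.message import Message
from typing import Any, Dict, List

# Header name -> ordered labels, one per asterisk, as listed in the policy text.
ASTERISK_HEADERS: Dict[str, List[str]] = {
    "X-OxES-GW-WR": ["lowest", "low", "moderately low",
                     "moderately high", "high", "highest"],
    "X-OxES-GW-SocEng": ["low", "medium", "high"],
    "X-OxES-GW-Spam": ["lowest", "low", "moderately low",
                       "moderately high", "high", "highest"],
}

# Headers the gateway sets to the literal value "true".
FLAG_HEADERS = ("X-OxES-GW-BEC", "X-OxES-GW-Grey")


def asterisk_level(name: str, value: str) -> int:
    """Return the number of asterisks, or raise if the value is not a valid run."""
    labels = ASTERISK_HEADERS[name]
    stars = value.strip()
    if not stars or stars != "*" * len(stars):
        raise ValueError(f"{name}: expected only asterisks, got {value!r}")
    if len(stars) > len(labels):
        raise ValueError(f"{name}: {len(stars)} asterisks exceeds maximum {len(labels)}")
    return len(stars)


def valid_asterisks(name: str, value: str) -> bool:
    try:
        asterisk_level(name, value)
        return True
    except ValueError:
        return False


def parse_message(raw: str) -> Message:
    return email.message_from_string(raw)


def classify(msg: Message) -> Dict[str, Any]:
    """Collect the gateway's verdicts from a parsed message."""
    verdicts: Dict[str, Any] = {}
    for name, labels in ASTERISK_HEADERS.items():
        value = msg.get(name)
        if value is not None:
            level = asterisk_level(name, value)
            verdicts[name] = {"level": level, "label": labels[level - 1]}
    for name in FLAG_HEADERS:
        if (msg.get(name) or "").strip().lower() == "true":
            verdicts[name] = True
    return verdicts


def inbox_rule(msg: Message, spam_min: int = 4, wr_min: int = 4) -> str:
    """A personal inbox rule built on the passive headers: 'junk' or 'inbox'.

    The thresholds are the example's own choice, not the gateway's. A message
    carrying none of the headers is unclassified and stays in the inbox.
    """
    verdicts = classify(msg)
    if verdicts.get("X-OxES-GW-BEC"):
        return "junk"
    spam = verdicts.get("X-OxES-GW-Spam", {}).get("level", 0)
    wr = verdicts.get("X-OxES-GW-WR", {}).get("level", 0)
    return "junk" if spam >= spam_min or wr >= wr_min else "inbox"


# Constructed sample message; addresses and header values are made up.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.org
Subject: constructed sample
X-OxES-GW-Spam: *****
X-OxES-GW-WR: **
X-OxES-GW-Grey: true

Message body.
"""

if __name__ == "__main__":
    msg = parse_message(SAMPLE_MESSAGE)
    print(classify(msg))
    print(inbox_rule(msg))
```

Rejecting anything other than a pure asterisk run matters: an inbox rule that merely tests whether the header "contains *****" would also fire on a spoofed or garbled header, whereas this check only accepts the shapes the gateway is documented to produce.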

    Note: Nexus365 does not filter based on this additional information provided in the email header. The known Email Content Scanning Service (X-Oxmail-Spam-Level) continues to be available.

    The email gateway introduces additional information to the email header:

    • X-TMASE-Version: Trend Micro Anti Spam Engine (TMASE) version information in the format X-TMASE-Version: <Vendor Product Name> - <Product Version> - <Anti-Spam Engine Version> - <Spam Pattern Version>
    • X-TMASE-Result: Trend Micro Anti Spam Engine (TMASE) scan result in the format X-TMASE-Result: <Type> - <Trend Score> - <Detection Threshold> - <Scan Result> - <Scan Aggressive Level> - <Traverse List>
    • X-TMASE-MatchedRID: Trend Micro Anti Spam Engine (TMASE) vendor proprietary debug information, not readable by the customer

    Greymail

    Greymail refers to solicited bulk email messages that are not spam. The email security solution detects marketing messages and newsletters, social network notifications, and forum notifications as greymail messages.

    For suspect greymail messages, the email gateway adds the email header X-OxES-GW-Grey: true.

    Scan Exemptions

    An email message will be stopped from delivery if it matches any of the following criteria:

    • The number of files in a compressed file exceeds 353.
    • The decompression ratio of a compressed file exceeds 100.
    • The number of decompression layers in a compressed file exceeds 20.
    • An Office 2007/2010/2013/2016 file contains a subfile whose decompression ratio exceeds 100.
    • Malformed messages.

    If the Virtual Analyser scanner fails (raises an exception), the message bypasses this check.

    By nature, Office 2007/2010 (and later) files (such as .XLSX, .DOCX, .PPTX, and others) are zipped files. When scanning, the Email Security Gateway scan engine treats these files as ordinary zip files and applies the same scan settings as for compressed files. The number of files within such a document is not fixed, so these files may sometimes exceed the compressed file scanning limits above.

    Note also that in addition to the above size limits on compressed files, the email security solution will reject messages that are larger than 50MB in size. This is to prevent unintentional data loss (as legislation surrounding data leaks has become more onerous) and to try to encourage sharing of data in a better audited and controlled manner.
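The compressed-file criteria above (353 files, decompression ratio 100, 20 nesting layers) and the 50MB message limit can all be checked without extracting anything to disk, because a zip's central directory records each member's compressed and uncompressed size. The Python below is an added example written for this page, not the gateway's implementation or code from IT Services: it inspects an archive layer by layer, refuses to descend into a layer that already breaches the ratio limit (so nothing oversized is ever inflated), treats Office 2007+ documents like any other zip, and builds its own constructed test archives. Reading 50MB as decimal megabytes is the example's assumption.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Limits taken from the policy text above.
MAX_FILES = 353
MAX_RATIO = 100
MAX_LAYERS = 20
MAX_MESSAGE_BYTES = 50 * 1000 * 1000  # "50MB"; decimal megabytes is this example's assumption

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty zip


@dataclass
class Verdict:
    reject: bool
    reasons: List[str] = field(default_factory=list)


def check_archive(data: bytes, layer: int = 1,
                  reasons: Optional[List[str]] = None) -> List[str]:
    """Inspect one zip (Office 2007+ documents included) and recurse into any
    nested archive, appending every limit violation to `reasons`.

    Sizes come from the central directory, so the ratio check runs before any
    member is inflated; a layer that breaches the ratio is not descended into.
    """
    if reasons is None:
        reasons = []
    if layer > MAX_LAYERS:
        reasons.append(f"nesting depth {layer} exceeds {MAX_LAYERS} layers")
        return reasons
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        reasons.append(f"layer {layer}: malformed archive")
        return reasons
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_FILES:
            reasons.append(f"layer {layer}: {len(infos)} files exceeds {MAX_FILES}")
        compressed = sum(i.compress_size for i in infos)
        uncompressed = sum(i.file_size for i in infos)
        if compressed and uncompressed / compressed > MAX_RATIO:
            reasons.append(f"layer {layer}: ratio {uncompressed // compressed} exceeds {MAX_RATIO}")
            return reasons
        for info in infos:
            with zf.open(info) as member:      # peek at the magic only
                head = member.read(len(ZIP_MAGIC))
            if head == ZIP_MAGIC:
                check_archive(zf.read(info), layer + 1, reasons)
    return reasons


def scan_message(message_size: int, attachments: List[bytes]) -> Verdict:
    """Apply the message size limit and the compressed-file limits."""
    reasons: List[str] = []
    if message_size > MAX_MESSAGE_BYTES:
        reasons.append(f"message of {message_size} bytes exceeds {MAX_MESSAGE_BYTES}")
    for blob in attachments:
        if blob[:len(ZIP_MAGIC)] == ZIP_MAGIC:
            check_archive(blob, 1, reasons)
    return Verdict(bool(reasons), reasons)


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test data: an in-memory deflated archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_zip(layers: int) -> bytes:
    """Constructed test data: `layers` archives wrapped one inside the next."""
    data = build_zip({"leaf.txt": b"hello"})
    for depth in range(1, layers):
        data = build_zip({f"layer{depth}.zip": data})
    return data


if __name__ == "__main__":
    print(scan_message(1024, [build_zip({"zeros.bin": b"\0" * 1_000_000})]))
    print(scan_message(1024, [nested_zip(MAX_LAYERS + 1)]))
    print(scan_message(1024, [build_zip({f"f{i}.txt": b"x" for i in range(MAX_FILES + 1)})]))
```

The ratio check uses the totals the archive declares about itself, which is exactly the information an attacker controls; that is why the example stops at the first layer whose declared ratio is excessive rather than inflating it to find out what is inside, and why a malformed archive is a rejection rather than a pass.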

    Written by IT Services. Latest revision 20 February 2019