Message Rules

To access Message Rules actions go to Products > Message Rules.

For more information on the Message Rules screen click here.

Creating a new message rule

To create a new rule follow the below steps:

  1. Click the Add Rule button at the upper right side of the screen.

  2. Enter a descriptive rule name and click the Add button. This will open the Rule Builder screen.

  3. Set the Active button on or off.

    Note

    • Newly created Rules are inactive by default.

    • Inactive rules will not be checked against any messages.

  4. (optional) Re-name the rule.

  5. (optional) Add a description to the rule - this is only visible from the Rule Builder screen and can be used to add a short explanation of what the rule is intended to do.

  6. Add the conditions. You can add one or more conditions to your rule. You can find a list of all available conditions here.

    Note

    • Be as specific as possible when creating conditions to avoid accidental triggering.

    • If more than one condition is added to the rule, all have to be passed for the action(s) assigned to the rule to be taken.

    • When creating a condition, you can set it to either Match or Does not Match when comparing against a specific value or data set.

    • Conditions can be system defaults or custom. Custom conditions can be accessed from the Custom Rule Data screen.

  7. Add the actions. You can add one or more actions, both regular actions and final actions. You can find a list of all available actions here and a list of all available final actions here. A list of rule examples can be found here.

    Note

    • Actions are taken only if every condition set to the rule has been passed.

    • Actions do not halt the processing of further Message Rules. So, it's possible that an email can trigger several different Rules. Processing will continue (in priority order) until the email triggers a Rule that has a Final Action.

    • Final Actions will stop the processing of further Message rules.

    • If a regular action is triggered, processing will continue by checking the message against other rules (in priority order) until a Final Action is taken or all rules have been processed.

  8. Click the Save button.

Re-ordering message rules

To change the order in which your message rules are processed, drag and drop a rule to a new position.

Note

You cannot re-order System Rules.

Editing a message rule

To edit a Rule, double-click the rule's title in the Message Rules screen or click on the Change Rule button. This will open the Rule Builder screen.

Once the modifications are complete, click the Save button.

Deleting a message rule

To delete a Rule:

  • Click the Delete button next to the rule you want to delete in the Message Rules screen.

    OR

  • Click the Delete button while editing a rule.

Message rule examples

All message rules are applied to each message in the order that they appear in the Message Rule page. This will go on until all message rules have been processed or a Final Action has been applied that interrupts the process.

One of the many applications of Message Rules is to identify and filter out spam messages. This is done by adding values to each message depending on multiple factors and then, based on the resulting score, deciding whether the email should be sent through, digested or quarantined.

By default, Email Security has two rules set up that filter out spam emails:

  • Confirmed Spam - sends messages with a spam score over 140 to the Company Quarantine. The messages will not be available to users.

  • Possible Spam - messages with a spam score between 100 and 140 will be quarantined but will be digested and available to users.

Note

By default, no action will be taken on messages with a spam score less than 100.

Avoiding false positives

If you find the default spam settings too aggressive, there are a few ways you can modify them to better suit your company's needs.

Use Safe Lists

If you have a specific sender, domain, or IP address you can trust, you can add it to your Company's Spam Safe List.

Warning

Having a large Spam Safe List can be a security risk. A faked email address that matches a domain on your Safe List will bypass any spam checks.

Increase the threshold for confirmed spam

  1. Go to Products > Email Security > Message Rules.

  2. Double click the Confirmed Spam rule to start editing it.

  3. Under the Selected Conditions column, edit the Spam Score condition by clicking on Configure.

  4. Change the Condition Value to a higher limit, such as 170.

  5. Click Save.

Disable the Confirmed Spam rule

Warning

This will significantly reduce Email Security's ability to detect and handle spam, and may result in an increase in the number of spam emails that reach your company's employees.

  1. Go to Products > Email Security > Message Rules.

  2. Click on the button under the Status column for the Confirmed Spam rule to turn it off.

This Rule detects phishing attacks that target high-profile employees such as the CEO or CFO and quarantines them.

You can activate executive tracking for specific email addresses from the Mailboxes screen. For Active Directory groups, go to the Group Management screen.

Note

These types of attacks are directed at employees in high-level positions, who tend to have access to sensitive data, and work by manipulating the victim into authorizing high-value wire transfers to the attacker.

Warning

In order for Executive Tracking to work properly, you need to be running the AD Connect tool, rather than AD export or LDAP export.

To set up this Rule:

  1. Go to Products > Email Security > Message rules.

  2. Click the Add Rule button.

  3. Add a rule name and click the Add button.

  4. Add a Direction condition and set it to Inbound.

  5. Add an Executive Tracking condition, and set it to Matches: Exact.

  6. Add a Quarantine - Company final action, and set it to Spam.

  7. Click the Save button.

  8. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.

Some Gmail accounts (either legitimate accounts that have been hacked or created specifically for spam) will send emails with little or no content. (e.g. an empty email with a subject line of "hi"). These emails have very little content to analyze and it is difficult to automatically determine if the email is legitimate or not.

Email Security can detect these types of attempts and block them. Here is how to set up a rule for that purpose:

  1. Go to Products > Email Security > Custom Rule Data

  2. Click the Add New button and select Rule Data. Give it a descriptive name (e.g. Gmail domains) and click Update.

  3. Click the Save button.

  4. In the value field, enter:

    gmail.com
    googlemail.com
  5. Click the Add New button and select Rule RegEx. Give it a descriptive name (e.g. Gmail spam) and click Update.

  6. Click the Save button.

  7. In the value field, enter $|Hi$

    Note

    You may need to update this RegEx with additional values if you're regularly receiving spam emails with different subject lines. You can test out your new RegEx value at https://regex101.com/.

  8. Go to Products > Email Security > Message rules.

  9. Click the Add Rule button.

  10. Add a rule name and click the Add button.

  11. Add a Direction condition and set it to Inbound.

  12. Add an Email Size condition and set it to Less Than: 4kb.

  13. Add a Sender condition and set it to Matches: Gmail domains (or the name you gave the Rule Data in step 2).

  14. Add a Subject condition. Set the logic to Matches: Gmail spam (or the name you gave the Rule RegEx in step 5).

  15. Add a Quarantine final action and set it to Spam.

  16. Click the Save button.

  17. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

  • Unless the Active button is set to On, the rule will not be processed.

  • If all detected emails are spam, you can change this Rule to use a Quarantine - Company final action instead.
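The Subject pattern from step 7 behaves very differently depending on how it is applied. The harness below is an added example, not product code; the page does not state whether Email Security matches the whole subject or searches within it, or whether matching is case sensitive, so both are modelled as switches, and the sample subjects are constructed.

```python
import re

SUBJECT_PATTERN = r"$|Hi$"  # value entered in step 7 on this page

# Constructed sample subjects, including the lower-case "hi" the page mentions.
SUBJECTS = ["", "Hi", "hi", "Oh Hi", "Quarterly report"]


def subject_hits(subjects, pattern=SUBJECT_PATTERN, whole=True, ignore_case=False):
    """Return the subjects the pattern flags under the chosen matching mode.

    whole=True  : the pattern must cover the entire subject (full match)
    whole=False : the pattern may match anywhere in the subject (search)
    """
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    test = rx.fullmatch if whole else rx.search
    return [s for s in subjects if test(s)]


def compare_modes(subjects=SUBJECTS, pattern=SUBJECT_PATTERN):
    """Summarise what each assumed matching mode would quarantine."""
    return {
        "whole, case-sensitive": subject_hits(subjects, pattern, True, False),
        "whole, ignore-case": subject_hits(subjects, pattern, True, True),
        "search, case-sensitive": subject_hits(subjects, pattern, False, False),
    }


if __name__ == "__main__":
    for mode, hits in compare_modes().items():
        print(f"{mode:24} -> {hits}")
```

Under search semantics the bare `$` alternative matches every subject, so the rule's other conditions (sender list and size) would be doing all the filtering; under case-sensitive matching the lower-case "hi" is not caught. Confirm the behaviour with a few test messages before relying on the rule.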

This rule can be adapted and used to prevent any user or group of users from receiving specific types of documents:

  1. Go to Products > Email Security > Custom Rule Data

  2. Click the Add New button and select Rule Data. Give it a descriptive name (e.g. no Word document users) and click Update.

  3. Add the email addresses for the users you want to include in the list, each on a separate line.

  4. Click the Save button.

  5. Click the Add New button and select Rule RegEx. Give it a descriptive name (e.g. Word documents) and click Update.

  6. Type in the following as the RegEx Data field:

    ^.+\.(?:(?:[dD][oO][cC][xX]?))$

  7. Click the Save button.

  8. Go to Products > Email Security > Product Configuration > Custom Quarantine.

  9. Click the Add button.

  10. Type in a descriptive domain name, check the Permit User Access box, and click on the Add button.

  11. Go to Products > Email Security > Message rules.

  12. Click the Add Rule button.

  13. Add a descriptive rule name and click the Add button.

  14. Add a Direction condition and set it to Inbound.

  15. Add a Recipient condition and set it to Matches: No Word Document Users (or the name you gave the Rule Data in step 2).

  16. Add an Attachment Name condition with the value set to Matches: Word documents (or the name you gave the Rule Regex in step 5).

  17. Add a Notify Sender action and type in the message you want to be sent to the sender.

  18. Add a Quarantine final action and set it to Matches: Word file emails (or the name you gave the domain in step 10).

  19. Click the Save button.

  20. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.

To set up a rule that detects possible credit card numbers, follow the below steps:

  1. Go to Products > Email Security > Custom Rule Data.

  2. Click the Add New button and select Rule RegEx. Give it a descriptive name (e.g. Credit Card numbers) and click Update.

  3. Type in the following as the RegEx Data field:

    \b4\d{3}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    Note

    The example given above will detect Visa cards. The following RegEx patterns can be used to detect other credit card types. You'll need to create a new Custom Rule Data for each one.

    Mastercard

    \b5[1-5]\d{2}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    Discover or Diners

    \b6(?:011|22(?:1(?=[\ \-]?(?:2[6-9]|[3-9]))|[2-8]|9(?=[\ \-]?(?:[01]|2[0-5])))|4[4-9]\d|5\d\d)([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    JCB (China)

    \b35(?:2[89]|[3-8]\d)([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    American Express

    \b(?<!\-|\.)3[47]\d\d([\ \-]?)(?<!\d\ \d{4}\ )(?!(\d)\2{5}|123456|234567|345678)\d{6}(?!\ \d{5}\ \d)\1(?!(\d)\3{4}|12345|56789)\d{5}(?!\-)(?!\.\d)\b(?!([^<]+)?>)
  4. Click the Save button.

  5. Go to Products > Email Security > Message rules.

  6. Click the Add Rule button.

  7. Add a descriptive rule name and click the Add button.

  8. Add a Body or Subject Condition, and set it to Matches: Credit Card numbers (or the name you gave the Rule RegEx at step 2).

  9. Add your desired Action or Final Action.

  10. Click the Save button.

  11. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.
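Before enabling a credit card rule it helps to see what the patterns match and what they skip. The following is an added example, not product code: it runs the Visa and Mastercard patterns from this page over constructed message bodies and adds a Luhn checksum test, which is an extra false-positive filter assumed here and not a feature the page describes.

```python
import re

# Patterns copied from the Rule RegEx values on this page.
VISA = re.compile(r"\b4\d{3}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)")
MASTERCARD = re.compile(r"\b5[1-5]\d{2}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate, ignoring separators."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(body: str) -> list:
    """Return (brand, matched text, passes Luhn) for every pattern hit."""
    hits = []
    for brand, pattern in (("visa", VISA), ("mastercard", MASTERCARD)):
        for m in pattern.finditer(body):
            hits.append((brand, m.group(0), luhn_ok(m.group(0))))
    return hits


# Constructed bodies; the numbers are well-known public test numbers.
PLAIN = "Please charge 4111 1111 1111 1111 today."
BAD_CHECKSUM = "Order reference 4111-1111-1111-1112"
MIXED_SEPARATORS = "4111-1111 1111 1111"  # \1 forces one separator throughout
IN_HTML_TAG = '<img src="cid:4111111111111111.png">'  # skipped by the lookahead
MC = "Card on file: 5555 5555 5555 4444."

if __name__ == "__main__":
    for body in (PLAIN, BAD_CHECKSUM, MIXED_SEPARATORS, IN_HTML_TAG, MC):
        print(repr(body), "->", find_cards(body))
```

The pattern alone flags the order reference as a Visa number; the checksum shows it is not a valid card number, which is the kind of hit to expect when the rule is first switched on.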

To disable spam filtering for specific mailboxes follow the steps below:

Note

The Rule is designed to work for Inbound emails only. You can redo steps 5-12 for Outbound emails as well, replacing Matches: Inbound with Matches: Outbound in step 9.

  1. Go to Products > Email Security > Custom Rule Data.

  2. Click the Add New button and select Rule Data. Give it a descriptive name (e.g. No Spam filtering) and click Update.

  3. Type in the email addresses you want to exclude from spam filtering, each on a separate line.

  4. Click the Save button.

  5. Go to Products > Email Security > Message rules.

  6. Click the Add Rule button.

  7. Add a descriptive rule name and click the Add button.

  8. Add a Recipient condition and set it to Matches: No Spam Filtering (or whatever you named the rule data in step 2).

  9. Add a Direction condition, with the logic set to Matches: Inbound.

  10. Add a Deliver final action.

  11. Click the Save button.

  12. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.

This rule is meant to catch spam emails that are designed to appear on casual inspection as if they originate from your domain.

It will trigger when domains in the header are very similar to (but not identical to) your configured domains, for example bytdefender.com and bitdefender.com.

To set it up follow the below steps:

  1. Go to Products > Email Security > Message rules.

  2. Click the Add Rule button.

  3. Add a descriptive rule name and click the Add button.

  4. Add a Direction condition and set it to Matches: Inbound.

  5. Add a Nearby Domains condition and set it to Less Than: 3.

    Note

    The rule can be configured between 1 and 10; however, we recommend 3 as a good starting point. You can then monitor the results and adjust as necessary.

  6. Add an Add to Spam Score action and type in 108. This will make sure the message will be identified as spam.

  7. Click the Save button.

  8. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.
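The processing order described on this page (all conditions must pass, regular actions let processing continue, final actions stop it) decides whether the 108 points added by this rule ever reach the default spam rules. The sketch below is an added example, not product code: the Rule class, the process function, the message fields and the nearby_distance value are assumptions used to model that behaviour.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    conditions: List[Callable[[dict], bool]]  # all must pass (logical AND)
    add_spam_score: int = 0                   # regular action, processing continues
    final_action: Optional[str] = None        # final action, processing stops
    active: bool = True                       # inactive rules are never checked


def process(message: dict, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Apply rules in priority order; return (outcome, names of rules that fired)."""
    msg = dict(message)  # work on a copy so the caller's sample is untouched
    fired = []
    for rule in rules:
        if not rule.active or not all(cond(msg) for cond in rule.conditions):
            continue
        fired.append(rule.name)
        msg["spam_score"] += rule.add_spam_score
        if rule.final_action:
            return rule.final_action, fired
    return "deliver", fired


def inbound(m: dict) -> bool:
    return m["direction"] == "inbound"


# Thresholds as stated on this page: over 140, and between 100 and 140.
CONFIRMED = Rule("Confirmed Spam", [lambda m: m["spam_score"] > 140],
                 final_action="quarantine-company")
POSSIBLE = Rule("Possible Spam", [lambda m: 100 <= m["spam_score"] <= 140],
                final_action="quarantine-digest")
# Hypothetical model of the rule above: Inbound + Nearby Domains Less Than 3.
LOOKALIKE = Rule("Lookalike domain",
                 [inbound, lambda m: 0 < m["nearby_distance"] < 3],
                 add_spam_score=108)

# Constructed sample: low content score, sender domain one edit away.
SAMPLE = {"direction": "inbound", "spam_score": 20, "nearby_distance": 1}

if __name__ == "__main__":
    print(process(SAMPLE, [LOOKALIKE, CONFIRMED, POSSIBLE]))
    print(process(SAMPLE, [CONFIRMED, POSSIBLE, LOOKALIKE]))
```

Placed above the default spam rules, the sample reaches 20 + 108 = 128 and is caught by Possible Spam; placed below them, the score is raised only after those rules have been checked and the message is delivered.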

This rule is meant to protect against attacks that involve sending an email with very little content and an HTML attachment containing malware or other malicious software.

Note

This rule will appear for all customers provisioned after September 2021 but it will be disabled by default.

To manually create the rule, follow these steps:

  1. Go to Products > Email Security > Message rules.

  2. Click the Add Rule button.

  3. Add a descriptive rule name and click the Add button.

  4. Add a Direction condition and set it to Matches: Inbound.

  5. Add an Attachment Name condition and set it to Matches: HTML attachments.

  6. Add a Sender in List condition and set it to Does Not Match: All Safe Lists.

  7. Add an Add to Virus Score action and type in 123. This will make sure the message will be identified as a potential threat.

  8. Click the Save button.

  9. Move or drag the rule above the Confirmed Spam and Possible Spam rules so that it triggers before them.

Note

You can further modify the rule to match your company's needs by adding additional conditions.

To create a rule to quarantine marketing messages to one or more users, follow the steps below:

Note

For more information on Email Security policies regarding marketing emails, refer to How marketing emails are flagged.

  1. Create a list of users you want the rule to apply to:

    1. Create a new Rule Data list.

      Note

      For more information on creating a new data list refer to Custom Rule Data.

    2. Add the email addresses of the users you want the rule to apply to.

    3. Click the Save button.

  2. Go to Products > Email Security > Message rules.

  3. Click the Add Rule button.

  4. Add a descriptive rule name and click the Add button.

  5. Add a Direction condition and set it to Matches: Inbound.

  6. Add a Core Service condition and set it to Matches: CoreService Commercial Medium Reputation.

    Note

    You can replace CoreService Commercial Medium Reputation with CoreService Commercial High Reputation; however, if you wish to quarantine both types of emails, you need two separate rules.

  7. Add a Recipient condition and set it to Matches: Marketing Exceptions (or whatever name you gave the rule data list in step 1).

  8. Add a Quarantine final action and set it to Matches: Spam.

  9. Click the Save button.

  10. Move the newly created rule above the already existing Medium Reputation Marketing rule.