Skip to main content

Default Rules

System Rules

Rule name

Description

(Default) Signature Verification

Adds an Authentification header (Authentication-Result) to the message with pass or fail DMARC parameters.

(Default) Invalid Sending Domain

Verifies if a connection can be created with the sender domain, and checks it for the presence of a valid MX record and host. It also checks if the remote server responses to a Helo or ehlo command, within 10 seconds. Adds 110 to spam score if triggered.

(Default) FROM Address Check

Checks if the address in the header exists in any deny lists. If triggered, adds 144 to the spam score.

(Default) CoreService Spam

Uses a combination of core anti-spam services to check for specific patterns, characteristics and attributes that would appear in a spam message. If triggered, it adds 180 to the spam score.

(Default) CoreService Malware

Uses a core service to check attachments for Malware using heuristic analysis. If triggered, it adds values to the Virus score.

(Default) CoreService Phishing

Checks and classifies the email as a known Phishing attempt. These are Messages detected as phishing either by heuristic analysis or through a fraudulent link found in it. if triggered it adds 699 to the spam score.

(Default) CoreService2 Spam

Checks if messages have the characteristics of a known spam outbreak from confirmed spam sources. If triggered, it adds 181 to the spam score.

(Default) CoreService2 Suspect

Checks if messages have the characteristics of a mass distribution outbreak from sources that are not confirmed spammers, but are considered as spam. If triggered, it adds 111 to the spam score.

(Default) Password Protected Attachment

Looks for password protected zip and PDF files, and adds a message header if such a file is found.

(Default) System Malware Detection

Runs the email and attachments through commercial anti-virus engines and checks it against known malware and threats. If triggered, it adds 108 to the virus score.

(Default) Bitdefender AV

Runs the email and attachments through commercial anti-virus engines for known malware and threats. If triggered, it adds 110 to the virus score.

(Default) SWL Safe List

Checks the IP of the sender against the commercial Safe White List. If listed, it subtracts 100 from the spam score.

(Default) System Malware Detection

Runs the email and attachments through commercial anti-virus engines for known malware and threats. If triggered, it adds 108 to the virus score.

(Default) Bitdefender AV

Runs the email and attachments through commercial anti-virus engines for known malware and threats. If triggered, it adds 110 to the virus score.

(Default) Blog Spam

Looks for known blog spam entries in the message body and subject. If triggered, it adds 110 to spam score if it finds any.

(Default) URL Scanner

Verifies the URLs in the email and checks their reputation using a subset of the LinkScan rule method.

(Default) Automatically add outbound recipients to Personal Safe List

Automatically add all recipient email address to the personal safe list for outbound emails.

Note

This rule is disabled by default.

(Default) Email Banner

Adds your customized branding to all emails.

Note

This rule is disabled by default.

(Default) Apply DKIM signing

Applies a DKIM entry to outbound emails.

(Default) Domain Name Detection

Detects external spoof emails that use your company domain within the Display Name (generated by the FROM header) to trick users into believing it is an internal or legitimate message. If triggered, it adds to the spam score.

Note

This rule is disabled by default.

Standard Rules

Rule name

Description

Opportunistic TLS

Marks the email for delivery by TLS if the remote server supports it. If not supported, non-TLS/Plain SMTP will be used.

Macro and VBA Detection

Scans Macro ,VBA, and office documents for malware. This includes .RTF files. If triggered, it adds 100 to the virus score.

Note

This rule is disabled by default.

HTML attachments

Checks emails from senders not in safe lists for any attachment with a HTML variant attachment name. If triggered, it adds 123 to the virus score.

Note

Used if the Sandbox feature is not licensed.

Virus

Send the message to the company quarantine if the virus score is greater than 30.

Advanced Email Sandbox

Sends all attachments in the email to a sandbox environment where they will be scanned for any possible threats. The email will not be sent to the recipient until the attachments have been scanned. You can configure the rule to remove attachments and replace them with a report if a threat is found.

Note

This rule only applies if the add-on is licensed. New EMS companies have the feature activated by default. Users of existing companies will be prompted to activate the feature when logging in to the Email Security console.

Important

The Send Attachments to Sandbox sandbox rule should always be placed below the Virus rule.

DMARC Fail

Checks the Authentification header added by the (Default) Signature Verification rule. If the value is failed and the sender domain has reject/quarantine in their published DMARC policy the email will be quarantined.

Spoofed Messages

Checks the Authentification header added by the (Default) Signature Verification rule. If the value is failed and the domain of the sender is configured as a domain for your account the rule will add 140 to the spam score.

Executive Tracking

For more information on this rule refer to this kb article.

Nearby Domain

For more information on this rule refer to this kb article.

CoreService Suspect

Uses a core service to check if the email may cause financial or other damage. It checks for references to money transfers or requests for personal information. If triggered, it will add 105 to the spam score.

Script and Executable Files

Looks for any of the following file types, and adds 178 to the spam score if such a file is detected:

  • Binary Format Extensions: .msi, .bin.

    Note

    If you wish to completely block Executable files then you can create a rule using the File Type condition with value Executable. The File Type condition will also unpack archives to find matching File Types.

  • Scripts: .js, .jse, .vb, .vbe, .vbs, .wsc, .wsf, .ws, .hta, .cmd, .bat, .acc, .asp, .ccs, .php, .php3, .sbs, .sct, .shd, .vba, .ps1, .ps1xml, .ps2, .msh, .pcd, .wsh, .htx, .je, .shb, .wst, .ps2xml, .psc1, .psc2, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .pl, .pm, .psm1, .psd1, .py, .sh, .command.

LinkScan

For more information on this rule refer to this kb article.

High Reputation Marketing

This rule identifies emails received from professional and know routing platforms that follow standard rules for email advertising (they provide unsubscribe lists, list cleaning, etc.). If triggered, it adds the [Marketing High] prefix to the email subject line.

Medium Reputation Marketing

This rule identifies emails which were not which was not sent through well-known routing platforms, but still that follow standard rules for email advertising. If triggered, it adds the [Marketing Medium] prefix to the email subject line.

Low Reputation Marketing

This rule identifies emails which were not which was not sent through well-known routing platforms and do not follow standard rules for email advertising. If triggered, it adds 109 to the spam score.

SPF Fail

Checks the SPF status of the sender's domain. If the status is SPF Fail the message will be placed in company quarantine.

Confirmed Phishing

Places all messages from senders not in a safe list with a spam score over 699 in the company quarantine.

Confirmed Spam

Places all messages from senders not in a safe list with a spam score over 140 in the company quarantine.

Possible Spam

Places all messages from senders not in a safe list with a spam score over 100 in quarantine.

Deliver Inbound

Routes email to DomainRoute, no NDR is sent back outbound if the customer's email server rejects the message. The message will remain in the queue for 144 hours before the message expires. For more information refer to this kb article.

Note

This rule is locked and cannot be changed or disabled.

Disclaimer

For this Rule to be triggered, the email has run through all the other Rules, and been considered safe. If you have a company-wide disclaimer that must be appended to the email, this Rule will add it. The Disclaimer rule is only created if a disclaimer has been added.

Deliver Outbound

Routes to MX records. An NDR will be sent to local sender if delivery fails, with an expiry of 4 hours. For more information refer to this kb article.

Note

This rule is locked and cannot be changed or disabled.