Version 5.2. SurfControl Filter for SMTP Administrator's Guide


NOTICES
Copyright 2006 SurfControl plc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.
This product includes software developed by the Apache Software Foundation.
SurfControl is a registered trademark, and SurfControl and the SurfControl logo are trademarks of SurfControl plc. All other trademarks are property of their respective owners.
March 2006

COMMENTS ON THIS GUIDE?
You can view updated documentation and support information at
Was this guide helpful? E-mail us at documentation@surfcontrol.com to suggest changes or make a correction.

TECHNICAL SUPPORT
For the latest support information on SurfControl products, visit
You can find the following information on the Technical Support Web pages:
Read the Top Issues: This page has a quick list that covers the most common support issues encountered with SurfControl products.
Search our Knowledge Base: Our constantly updated Knowledge Base contains articles, FAQs and glossary items to answer your questions about all SurfControl products. If your question or problem cannot be answered by the Top Issues or is not in the Knowledge Base, complete an Online Support Request Form.
Telephone Support numbers: If you would like to speak with a Technical Support Representative, our excellent SurfControl Technical Support is just a phone call away.

SURFCONTROL SALES
For product and pricing information, or to place an order, contact SurfControl. To find your nearest SurfControl office, please visit our Website.

TABLE OF CONTENTS
Notices
  Comments on this Guide?
  Technical Support
  SurfControl Sales
INTRODUCTION
  In This Chapter
  About SurfControl Filter
  New Features in Version 5.2
FINDING YOUR WAY AROUND
  In This Chapter
  How Filter Works
  Filter Services
  Filter Core Components
  Filter Additional Components
  Launching Filter Components
  From the Start Menu
  System Tray Icon Right-Click Menu
  Launching Filter Components From Within Other Components
SETTING UP FILTER
  In This Chapter
  Connecting to a Different Filter Server
  Adding a Filter Server
  Editing Server Details
  Selecting a Server
  Disconnecting From a Filter Server
  Launching Server Configuration
  Configuration Workflow
  Configuring Connection Management
  Protected Domains
  Trusted IPs (Relay Sources)
  Blacklist
  Reverse DNS Lookup
  Realtime Blackhole List (RBL)
  Directory Harvest Detection
  Denial of Service (DoS) Detection
  Remote User Authentication
  SPF Check

  Configuring the Receive Service
  Receive Service - General Settings
  SMTP Properties
  Connections
  ESMTP Commands
  Configuring the Rules Service
  Rules Service - General Settings
  Rules Service Configuration
  Queue Management
  Configuring the Send Service
  Send Service - General Settings
  SMTP Properties
  Connections
  Routing
  Smart Host Routing
  Requeuing
  Configuring The Administration Service
  Administration Settings - General
  Configuring Administrators
  Certificate Management
  Configuration Complete
  Backing Up Your Server Configuration
THE MONITOR
  In This Chapter
  Launching the Monitor
  Parts of the Monitor Window
  Service Panels
  The Server Status Panels
  Queue Statistics and Status Bar
  QueueView
  Launching QueueView
  QueueView Window
  Re-Sending a Queued or Dead Message
  Deleting a Queued or Dead E-mail
THE RULES ADMINISTRATOR
  In This Chapter
  Launching the Rules Administrator
  Rules Administrator Window
  Rules Panel
  Rules Object Panel
  How Filter Uses Rules
  Rules Objects
  Building a Rule
  Connecting Rules Objects
  Enabling a Rule
  Deleting a Rule

  Positioning of Rules
  Moving Rules
  Pre-defined Rules
  Rule Groups
  Exporting Rules
  Importing Rules
  Configuring the Rules Administrator
  Configuring Dictionary Scanning
  Configuring Password Protected Archives
  Configuring Document Decomposition
  Configuring HTML Parsing
RULES OBJECTS
  In This Chapter
  Adding a Rule Object to a Rule
  Reverse Logic
  Who Objects
  From Users and Groups
  Configuring the From Users and Groups Object
  Configuring an LDAP Connection
  Testing the LDAP Connection
  Inbound/Outbound Mail Object
  Configuring the Inbound/Outbound Mail Object
  To Users and Groups
  Configuring the To Users and Groups Object
  What Objects
  Anti-Spam Agent Object
  Anti-Spam Agent Tools
  Configuring the Anti-Spam Agent Object
  Updating the Anti-Spam Agent Object
  Anti-Virus Agent
  Configuring the Anti-Virus Agent Object
  The Pre-configured Anti-Virus Agent Rule
  Updating the Anti-Virus Agent
  Anti-Virus Scanning Object
  Configuring the Anti-Virus Scanning Object
  Multiple Scans
  Avoiding Conflicts with Third-Party AV Products
  Dictionary Threshold Object
  Configuring the Dictionary Threshold Object
  External Program PlugIn Object
  File Attachment Object
  Configuring the File Attachment Object
  Illegal MIME Format
  Configuring the Illegal MIME Format Object
  LexiMatch Object
  Configuring the LexiMatch Object

  Loop Detection Object
  Configuring the Loop Detection Object
  Message Size Object
  Configuring the Message Size Object
  Number of Recipients Object
  Configuring the Number of Recipients Object
  Internet Threat Database Object
  Configuring the Internet Threat Database Object
  Virtual Image Agent Object
  Configuring the VIA Object
  The Virtual Learning Agent Object
  Configuring the VLA Object
  When Object
  Configuring the When Object
  Operations Objects
  Archive Message
  Configuring the Archive Message Object
  Compress Attachments Objects
  Configuring the Compress Attachments Object
  Footers and Banners Object
  Configuring the Footers and Banners Object
  Header Modification Object
  Configuring the Header Modification Object
  HTML Stripper
  Configuring the HTML Stripper Object
  Routing Object
  Configuring the Routing Object
  Strip Attachments Object
  Configuring the Strip Attachments Object
  Notify Objects
  Blind Copy Object
  Configuring the Blind Copy Object
  Notification Object
  Configuring the Notification Object
  Actions Objects
  Allow Object
  Configuring the Allow Object
  Delay Message Object
  Configuring the Delay Message Object
  Discard Message Object
  Configuring the Discard Message Object
  Isolate Message Object
  Configuring the Isolate Message Object
MESSAGE ADMINISTRATOR
  In This Chapter

  Launching the Message Administrator
  The Message Administrator Window
  Configuring Message Administrator
  Launching Message Administrator Options
  General Tab
  Messages Tab
  File Types Tab
  HTML Viewer Tab
  Columns Tab
  The Message Administrator Panels
  The Queues and Logs Panel
  The Message List Panel
  The Message Parts Panel
  The Message Contents Panel
  Working with Queues
  The Message Administrator Toolbar
  Viewing Properties
  Analyzing E-mails
  Forwarding a Copy of the Selected E-mail
  Replying to the Sender of an E-mail
  Submitting an E-mail to the Anti-Spam Agent Database
  Releasing E-mails
  Moving E-mails
  Saving Copies of E-mails
  Deleting E-mails
  Releasing All E-mails From a Queue
  Working with Queues on Multiple Servers
  Working with Logs
  Using Queues and Logs with Multiple Servers
DICTIONARY MANAGEMENT
  In This Chapter
  Launching Dictionary Management
  The Dictionary Management Window
  Adding a Dictionary
  Adding Words or Phrases to a Dictionary
  Editing Dictionary Words
  Deleting Words From A Dictionary
  Deleting a Dictionary
  Importing Dictionaries
  Importing a SurfControl Dictionary Pack
  Importing a Unicode Text File
  Exporting Dictionaries
  Exporting a Dictionary as a Dictionary Pack
  Exporting a Dictionary as a Unicode File

SCHEDULER
  In This Chapter
  Launching the Scheduler
  Scheduler Window
  Scheduled Events
  Scheduling Anti-Virus Agent Updates
  Scheduling Anti-Spam Agent Updates
  Scheduling Internet Threat Database Updates
  Scheduling Queue Synchronization
  Scheduling Database Management Tasks
  Purging the Database
  Archiving the Database
  Shrinking the Database
REPORTING
  In This Chapter
  Installing Report Central
  Managing Database Disk Space
  Logging On for the First Time
  Remote Access
  System Requirements for Remote Access
  Getting Started With Report Central
  Launching SurfControl Report Central
  Finding Your Way Around
  Configuration Options
  Setting Up Users
  Specifying Logon Details
  Specifying User Permissions
  Specifying Report Permissions
  Changing User Details
  Specifying a Mail Server
  Databases
  Connecting to a Different Database
  Resolving Database Memory Issues
  Increasing Memory to the Java Virtual Machine
  Increasing the TempDB Transaction File
  Archiving/Deleting Reports
  Enabling Report Archiving/Deletion
  Deleting Reports
  Archiving Reports
  Reporting
  Standard Reports
  Rules Reports

  Traffic Statistics Reports
  Setting Up Reports
  Selecting a Report
  Specifying Report Criteria
  Specifying Running Options
  Schedule Options
  Generating Reports
  Saving Reports
  Public Folder
  Private Folder
  Sub-folders
  Completed Reports
REMOTE ADMINISTRATION
  In This Chapter
  Administration Client
  Web Administrator
  Launching Web Administrator
  Message Administrator
  Sorting E-mails
  Moving, Releasing and Deleting E-mails
  Viewing the Properties of Individual E-mails
  Analyzing E-mails
  Dictionary Management
  Adding a Dictionary
  Adding Words or Phrases to a Dictionary
  Viewing Logs
PERFORMANCE MONITORING
  In This Chapter
  Windows Performance Monitoring
VIRTUAL LEARNING AGENT
  In This Chapter
  Workflow
  Before You Begin
  Launching the VLA Training Wizard
  VLA Tutorial
  Training File
  Keywords
  VLA Accuracy
  Counter Category
  Trivial Words
DATABASE TOOLS
  In This Chapter
  Launching Database Tools

  Configuration Database Management
  Backing Up the Configuration Database
  Restoring the Configuration Database
  Log Database Management
  Creating a New Log Database
  Archiving the Log Database
  Restoring an Archived Log Database
  Deleting a Log Database
  Truncating the Log Database Transaction Log
  SQL User Management
  Creating a New SQL User Account
  Changing the Password on a SQL User Account
  Deleting a SQL/MSDE Account
  Managing Database Authentication
APPENDIX A
  Anti-Spam Agent Categories and Criteria
  Core/Liability Categories
  Productivity Categories
APPENDIX B
  Supported File Types
  File Attachments Object
  Document Decomposition
APPENDIX C
  Anti-Virus Return Codes
APPENDIX D
  Editing Autoreply.txt
APPENDIX E
  Third-Party Reporting
  Database Schema
  SMTP Relationships
  System Log Relationships
  Message Relationships
INDEX

Chapter 1 Introduction
  In This Chapter
  About SurfControl Filter
  New Features in Version 5.2

IN THIS CHAPTER
This chapter introduces SurfControl Filter and its features.

ABOUT SURFCONTROL FILTER
SurfControl Filter is a server-based software solution that enables you to implement an Acceptable Use Policy (AUP) for e-mail within your organization by:
1. Scanning the content, sender, destination, attachments and size of all e-mails to and from the Internet.
2. Applying rules that you have established to support your AUP.
For further information about developing an AUP, visit

SurfControl Filter comprises the following core components:
Monitor: The Monitor shows the progress of e-mails through SurfControl Filter in real time, and also server status and the number of e-mails in each queue.
Rules Administrator: Use the Rules Administrator to set up rules to meet the needs of your AUP. Configuring rules requires careful planning initially, but is then easy to set up and apply. If an e-mail triggers a rule, Filter uses the actions specified in the rule to delay, discard or isolate the e-mail. Delayed or isolated e-mails are placed in dedicated queue folders. If an e-mail does not trigger a rule, it is placed in a folder for delivery to its destination.
Message Administrator: Use the Message Administrator to review, manage and analyze e-mails that have been placed in queue folders, and view logs of Filter activity.

Filter also contains additional components that enhance the capabilities of the Filter core components. For more information, see Filter Core Components on page 9.

NEW FEATURES IN VERSION 5.2
Table 1-1 describes the advancements in functionality that version 5.2 delivers.

Table 1-1 New Features in Version 5.2
(Feature: What it does)

Improved Security
  Transport Layer Security (TLS): Provides secure communications on the Internet by using cryptography. Authenticates the server, and prevents eavesdropping, tampering and message forgery between mail servers/message Transfer Applications (MTAs).

Spam Protection
  Sender Policy Framework (SPF): Targets spam. Fights return-path address forgeries and makes it easier to identify spoofs. Distinguishes authentic messages from forgeries before any message data is transmitted.

Default Compliance Rules and Dictionaries
  New compliance rules: There are now standard supplied rules to filter e-mails that contain credit card numbers, Social Security numbers and medical records.
  New compliance dictionaries: There are now standard supplied dictionaries that you can use to filter e-mails that contain credit card numbers, Social Security numbers and medical records.

Connection Management
  Connection Management: You can add an extra layer of protection against unwanted e-mails by setting up Connection Management. This means you can automatically drop connections from untrustworthy sources and control incoming e-mail before e-mails are filtered.

Web Threat Protection
  Internet Threat Database: Protects against inappropriate and fraudulent Web links in e-mails. Note: This has been re-branded from URL Category List.

General Maintenance
  Improved dictionaries: Russian and Korean dictionaries have been added. There are also enhancements to existing dictionaries.
  Remote installation: Filter can now be installed remotely by using a remote desktop or a Terminal Server.
  Server configuration features rebranded: The Pre-screening settings for server configuration in the Monitor have been renamed as Connection Management.
  esmtp commands: A new dialog has been added in the Server Configuration console in the Monitor so that you can enable and disable esmtp commands.
  VIA (Virtual Image Assistant) Licensing: VIA licensing now supports 1, 2 and 3 year licensing subscriptions.


Chapter 2 Finding Your Way Around
  In This Chapter
  How Filter Works
  Filter Services
  Filter Core Components
  Launching Filter Components

IN THIS CHAPTER
This chapter explains how SurfControl Filter works, and the basics of navigating around the product.

HOW FILTER WORKS
Figure 2-1 shows how an e-mail is processed by Filter:
Figure 2-1 The filtering process

FILTER SERVICES
SurfControl Filter's functionality is managed by four software services:
  Receive Service
  Rules Service
  Send Service
  Administration Service.
Figure 2-2 shows how the services fit together:
Figure 2-2 Flow of e-mail through Filter services.
You can stop or start any of the services; see System Tray Icon Right-Click Menu on page 11.

FILTER CORE COMPONENTS
There are three core components in Filter that you will use to manage e-mail:

Table 2-1 Filter core components
(Component: What it does. Find out more.)
  Monitor: The Monitor shows the progress of e-mails through SurfControl Filter in real time. See The Monitor on page 87.
  Rules Administrator: Use the Rules Administrator to set up rules to meet the needs of your Acceptable Use Policy. See The Rules Administrator on page 99 and Rules Objects on page 125.
  Message Administrator: Use Message Administrator to review, manage and analyze e-mails that have been placed in queues, and view logs of Filter activity. See Message Administrator on page

FILTER ADDITIONAL COMPONENTS
Filter also contains the following additional components, which enhance the capabilities of the Filter core components.

Table 2-2 Filter additional components
(Component: What it does. Find out more.)
  QueueView: QueueView displays information about e-mails currently held in queues. See QueueView on page 94.
  Dictionary Management: Dictionaries are used in rules to detect particular types of content. Use the Dictionary Management tool to configure Dictionaries to suit your needs. See Dictionary Management on page 247.
  Scheduler: Use the Scheduler to automate tasks such as Anti-Spam Agent, Internet Threat Database and Anti-Virus Agent updates; Database Maintenance; Queue Synchronization. See Scheduler on page 261.
  Web Administrator: Use the Web Administrator to manage isolated e-mails, view logs, and manage dictionaries from a remote location. See Web Administrator on page 325.
  Virtual Learning Agent (VLA): The VLA is a unique tool that you can train to understand and detect specific content. See Virtual Learning Agent on page 339.

LAUNCHING FILTER COMPONENTS
You can launch Filter components from:
  The Start menu
  The system tray right-click menu
  Within other open components.

FROM THE START MENU
To launch Filter from the Start menu, select Start > All Programs > SurfControl Filter > and then select the component.
Figure 2-3 Launching Filter

SYSTEM TRAY ICON RIGHT-CLICK MENU
When Filter is running, the following icon is displayed in the system tray:
Right-click the icon to display the following menu. You can use this menu to launch Filter components, configure the server, and stop and start the services:
Figure 2-4 Filter icon right-click menu

LAUNCHING FILTER COMPONENTS FROM WITHIN OTHER COMPONENTS
When you launch one Filter component, you can launch some other components from within that component. If you can launch another component, its icon is shown on the toolbar of the open component:

Table 2-3 Launching Filter Components
(Component and its toolbar icon)
  Dictionary Management
  Message Administrator
  Monitor
  Queue View
  Rules Administrator
  Scheduler
  Virtual Learning Agent (VLA)
  Web Administrator

Chapter 3 Setting Up Filter
  In This Chapter
  Connecting to a Different Filter Server
  Launching Server Configuration
  Configuration Workflow
  Configuring Connection Management
  Configuring the Receive Service
  Configuring the Rules Service
  Configuring the Send Service
  Configuring The Administration Service
  Configuration Complete

IN THIS CHAPTER
This chapter explains how to connect to SurfControl Filter, and how to configure Connection Management and the Receive, Rules, Send and Administration services so that e-mail is filtered correctly.

CONNECTING TO A DIFFERENT FILTER SERVER
If you have more than one server running Filter, you can select the server that the Monitor connects to. For example, you can view the activity taking place on server A using an installation of Filter on server B. Server B can be running either a full install or just the Filter Administration Client.
You can manage your Filter server connections from any of the following Filter components:
  Monitor
  Message Administrator
  Rules Administrator
  Dictionary Management.

ADDING A FILTER SERVER
To monitor activity taking place on another server, you need to add its connection details to the list of available servers. To add a new server to the list, follow Procedure 3-1.

Procedure 3-1: Adding a Server
1. From any of the Filter components, select File > Select Server > Add New. The Add a New Server dialog box is displayed.
2. In the Server Name: field, enter or browse to the name of the server whose traffic you want to monitor.
3. Enter the user name and password for accessing the server.
4. Enter the connection port for the mail server you want to add. This is the port used by the Administration Service.
5. Click OK to confirm your changes.
Filter will automatically try to monitor activity on the server you have added. If it fails to do this, check that you have entered the server details correctly.

EDITING SERVER DETAILS
You can change the details of a mail server that you have added to the list:

Procedure 3-2: Editing Server Details
1. From any of the Filter components, select File > Select Server > Edit. The Select Server dialog box is displayed.
2. Select the server to edit, and then click OK.

Procedure 3-2: Editing Server Details (Continued)
3. The Edit Server dialog box is displayed. Change the details as needed, and then click OK.
Note: You cannot change the server name.

SELECTING A SERVER
When you add a server, it is displayed on the Select Server menu so that you can select it:

Procedure 3-3: Selecting a Server
1. From any of the Filter components, select File > Select Server.
2. The available servers are displayed on the Select Server menu. The current server is marked.
3. Select the required server.
4. Filter will attempt to monitor activity on that server. If the connection fails, check that the server details are correct.

DISCONNECTING FROM A FILTER SERVER
To disconnect from the server you are currently connected to, select File > Disconnect from Server. Activity on that server will no longer be displayed in Filter.

LAUNCHING SERVER CONFIGURATION
To launch the Server Configuration console, launch the Monitor, and then select File > Server Configuration.
Alternative: On the Monitor toolbar, click.
Figure 3-1 shows a typical Server Configuration console. Each branch of the console tree controls a group of Server Configuration settings. When you select a branch, the settings display in the right-hand panel of the console.
Figure 3-1 Server Configuration console

CONFIGURATION WORKFLOW
To set up Filter correctly, you need to configure each of the services. Some of the services have more than one group of configuration settings in a series of dialog boxes. Table 3-1 shows how the Server Configuration console is structured, and where to find out more about each branch and sub-branch.

Table 3-1 Configuration tasks
(Service, then Branch: Find out more)

Connection Management
  Protected Domains: page 19
  Trusted IPs (Relay Sources): page 23
  Blacklist: page 27
  Reverse DNS Lookup: page 32
  Realtime Blackhole List (RBL): page 34
  Directory Harvest detection: page 37
  Denial of Service detection: page 40
  Remote User Authentication: page 41
  SPF Check: page 43
Receive service
  General settings: page 45
  SMTP Properties: page 46
  Connections: page 48
  ESMTP Commands: page 49
Rules service
  General settings: page 51
  Configuration: page 52
  Queue Management: page 54
Send service
  General settings: page 61
  SMTP Properties: page 62
  Connections: page 64
  Routing: page 66
  Smart Host Routing: page 72
  Requeuing scheme: page 75
Administration
  Properties: page 78
  Configuration: page 79
  Certificate Management: page 83

CONFIGURING CONNECTION MANAGEMENT
You can add an extra layer of protection against unwanted e-mails by setting up Connection Management. This means you can automatically drop connections from untrustworthy sources and control incoming e-mail before e-mails are filtered. Connection Management has these branches:
  Protected Domains
  Trusted IPs (Relay Sources)
  Blacklist
  Reverse DNS Lookup
  Realtime Blackhole List (RBL)
  Directory Harvest detection
  Denial of Service detection
  Remote user authentication
  SPF Check.

PROTECTED DOMAINS
Note: There must always be at least one domain in the Protected Domains list.
Use Protected Domains to identify the domains for which e-mail is to be filtered, and for which Filter will accept e-mail. When you installed Filter, you entered the primary domain name, but if your network has more than one domain, for example mycompany.co.uk and mycompany.com, you must enter the other domains so that they can send and receive e-mail.
Warning: Do not add the protected domain to the blacklist. SurfControl Filter does not check the Protected Domains list for duplicate entries on the Blacklist. If protected domains are added to the Blacklist, e-mails to the protected domain will be rejected.

Adding a Protected Domain
To add a protected domain, follow Procedure 3-4.

Procedure 3-4: Adding a Protected Domain
1. In the Server Configuration console, select the branch Connection Management > Protected Domains.
2. The Protected Domains dialog box is displayed. Click Add.
3. The Protected Domain Properties dialog box is displayed. In the Domain Name field, enter the name of the domain you want Filter to accept e-mail for, for example mycompany.co.uk. The Administrator Address field will fill in automatically as Postmaster@ the domain you specify: for example, Postmaster@mycompany.co.uk. You can edit this address; for example, you could change it to admin@mycompany.co.uk.
4. Click OK.

Editing a Protected Domain
To edit a protected domain, follow Procedure 3-5.

Procedure 3-5: Editing a protected domain
1. In the Protected Domains dialog box, select the domain to change. Click Edit.

Procedure 3-5: Editing a protected domain (Continued)
2. The Protected Domain Properties dialog box is displayed. Change the domain name and/or the administrator's address as needed.
3. Click OK.

Deleting a Protected Domain
You can also delete a domain from the protected domain list so that Filter will no longer accept e-mail for that domain. To delete a protected domain, follow Procedure 3-6.

Procedure 3-6: Deleting a protected domain
1. In the Protected Domains dialog box, select the domain to change.
2. Click Delete. You will be asked to confirm your choice.
3. Click OK. The domain is removed from the list and Filter does not accept e-mail for that domain.

Anti-Spoofing
Sometimes spammers use a technique called spoofing to fake their From: address so that their e-mails appear to be from a protected domain. By default SurfControl Filter will block these e-mails. Filter can examine and authenticate the IP address of all incoming mail, and reject e-mails that cannot be authenticated. If you do not enable this function, e-mails from the protected domain will be accepted, without examining the From: address.
If your organization includes users who send mail from the protected domain from an unlisted IP address, for example dial-up users, you should set up SurfControl Filter to authenticate addresses using Receive Service Remote User Authentication. This will allow legitimate mail from these users to get through, while still denying e-mails from fraudulent addresses. See Remote User Authentication on page 41 for information about how to set up remote users.
Warning: Disabling Anti-Spoofing makes it possible for spammers to send spoofed e-mails into your organization. By default, Anti-Spoofing is enabled. SurfControl recommends that you keep it enabled.

Anti-Relay Protection
Spammers may attempt to relay e-mails through your mail server using old-style routing techniques. These routing techniques are not commonly used any more but may still be recognized by your mail server. SurfControl Filter can detect various routing relay techniques and deny e-mails that have been forwarded or routed using one of the routing methods in the following table.

Table 3-2 Routing relay techniques
Relay Method
  Bang routing
  Quoted routing
  Source routing
  Percent hack routing
Example
  @domain.com

If you do not deny Source Routing, SurfControl Filter will strip any additional routing information from the incoming e-mail, so an e-mail from would be delivered as

To change the Anti-Spoof/Anti-Relay settings, follow Procedure 3-7:

Procedure 3-7: Changing the Anti-Spoof/Anti-Relay settings
1. In the Server Configuration console, select the branch Connection Management > Protected Domains. Click Advanced.

Procedure 3-7: Changing the Anti-Spoof/Anti-Relay settings (Continued)
2. The Anti-Spoof Settings dialog box is displayed.
3. By default, all anti-spoofing and anti-relay protection options are enabled. To disable an option, clear the check box. SurfControl recommends you keep all options selected to protect your system.
4. Click OK.

TRUSTED IPS (RELAY SOURCES)
Trusted IPs are IP addresses of mail servers that are allowed to send e-mail to and/or from the protected domain. You should include details of all the mail servers for which you want to filter e-mail. The purpose of the Trusted IP list is to identify:
  The IP addresses of the protected domains.
  The IP addresses of any other nodes that need to access the protected domains from outside the network.
When you add or edit a Trusted IP, you need to specify what can be relayed through that server by choosing a relay type, and also whether e-mail received from this IP address must be through an encrypted connection. You can select from the following options:

Table 3-3 Relay options
(Type: Description)
  Outbound: The mail server can send e-mail only to IP addresses outside the protected domain. Message sender: must be in the protected domain. Message recipient: must be outside the protected domain.
  Inbound: The mail server can send e-mail only to IP addresses inside the protected domain. Message sender: must be outside the protected domain. Message recipient: must be inside the protected domain.
  Outbound and inbound: The mail server is allowed to send e-mail to any IP addresses (other than blacklisted ones). Message sender: can be inside or outside the protected domain. Message recipient: can be inside or outside the protected domain. One of these, either the sender or the recipient, must be inside the protected domain.

Table 3-3 Relay options (Continued)
(Type: Description)
  Open relay: The mail server is allowed to send e-mail to any other domain (including blacklisted domains) without any relay restrictions. Filter will accept any e-mail from the supplied IP address regardless of the domain name. Use with caution.
  E-mail received from this IP address must be via an encrypted connection: Default = Cleared. If selected, the sending mail server from this trusted IP must send encrypted e-mails to the Receive service using STARTTLS. If the mail server does not support TLS, the connection is dropped. Note: If selected, this overrides the Enable STARTTLS option in the ESMTP Commands dialog box. See ESMTP Commands on page 49.

To specify that Filter will accept e-mail only from the Trusted IPs in the list, select the Deny connections from all IP addresses not listed below check box.

Adding a Trusted IP
To add a Trusted IP, follow Procedure 3-8:

Procedure 3-8: Adding a Trusted IP
1. In the Server Configuration console, select the branch Connection Management > Trusted IPs (Relay Sources).
2. Click Add to open the Edit Relay Source dialog box.

Procedure 3-8: Adding a Trusted IP (Continued)

3. Enter the IP address of the mail server for which you want e-mail to be filtered. You can also enter a name for the trusted IP address. This name is shown in the hostname field of the logging database (LogDB) and is very useful for identifying the mail server in reports.
4. Select a relay type and whether the e-mail should be through an encrypted connection. See Table 3-3 on page 23 for more information.
5. Click OK.

Note: You cannot enter the same IP address twice. If you enter an IP address that is already on the list you will see the following error message: Duplicate entry, please try again.

Editing a Trusted IP

To edit the details of a Trusted IP, follow Procedure 3-9:

Procedure 3-9: Editing a Trusted IP

1. In the Server Configuration console, select the branch Connection Management > Trusted IPs (Relay Source).
2. Select the IP address to edit.
3. Click Edit to open the Edit Relay Source dialog box.
4. Change the options needed.
5. Click OK.

Deleting a Trusted IP

To delete a Trusted IP, follow Procedure 3-10:

Procedure 3-10: Deleting a Trusted IP

1. In the Server Configuration console, select the branch Connection Management > Trusted IPs (Relay Source).
2. Select the IP address to delete.
3. Click Delete.
4. You will be asked to confirm your choice. Click Yes to delete the IP address.

When a mail client attempts to connect to Filter, a status message is displayed in the Receive panel of the Monitor. Table 3-4 shows some common status messages and examples:

Table 3-4 Receive service status messages

Message: The sender must be from a protected domain as its IP is in the Trusted Outbound list.
Example: The mail client's IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the sender is not in the protected domain.

Message: The recipient must not be to a protected domain as the sender's IP is in the Trusted Outbound list.
Example: The mail client's IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the recipient is inside the protected domain.

Message: The sender must not be from a protected domain as the sender's IP is in the Trusted Inbound list.
Example: The mail client's IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender is inside the protected domain, or is spoofed to appear to be from inside the protected domain.

Message: The recipient must be to a protected domain as the sender's IP is in the trusted Inbound list.
Example: The mail client's IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender has attempted to send an e-mail to an IP address outside the protected domain.

Message: Connection rejected deny connection for unknown [n.n.n.n] (sender in Deny Connection list).
Example: The IP address has been added to the Trusted IP list with a setting of Denied. The mail client is prohibited from making a connection to the Receive service.
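The relay rules of Table 3-3 and the rejection messages of Table 3-4 can be modelled as a small decision function, which is useful for checking what a Trusted IP entry will permit before you create it. This is an added example, not SurfControl code: the function names, the exact-match domain comparison, the sender-domain blacklist check and the two "constructed" reason strings are assumptions.

```python
from dataclasses import dataclass

# Status texts quoted from Table 3-4 of this guide.
MSG_OUT_SENDER = ("The sender must be from a protected domain as its IP is "
                  "in the Trusted Outbound list.")
MSG_OUT_RCPT = ("The recipient must not be to a protected domain as the "
                "sender's IP is in the Trusted Outbound list.")
MSG_IN_SENDER = ("The sender must not be from a protected domain as the "
                 "sender's IP is in the Trusted Inbound list.")
MSG_IN_RCPT = ("The recipient must be to a protected domain as the "
               "sender's IP is in the trusted Inbound list.")
# Constructed texts: the guide lists no status message for these cases.
MSG_NEITHER = "constructed: neither sender nor recipient is in a protected domain"
MSG_BLACKLISTED = "constructed: sender domain is on the Blacklist"

RELAY_TYPES = ("outbound", "inbound", "both", "open")


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def evaluate(relay_type, mail_from, rcpt_to, protected, blacklist=frozenset()):
    """Apply the Table 3-3 rule for one sender/recipient pair."""
    if relay_type not in RELAY_TYPES:
        raise ValueError(f"unknown relay type: {relay_type!r}")
    protected = {d.lower() for d in protected}
    sender_domain = domain_of(mail_from)
    sender_in = sender_domain in protected
    rcpt_in = domain_of(rcpt_to) in protected

    # Open relay: no relay restrictions, blacklisted domains included.
    if relay_type == "open":
        return Decision(True, "open relay: no relay restrictions applied")
    # Assumption: the Blacklist is checked before the relay rule.
    if sender_domain in {d.lower() for d in blacklist}:
        return Decision(False, MSG_BLACKLISTED)
    if relay_type == "outbound":
        if not sender_in:
            return Decision(False, MSG_OUT_SENDER)
        if rcpt_in:
            return Decision(False, MSG_OUT_RCPT)
    elif relay_type == "inbound":
        if sender_in:  # also catches a spoofed internal sender
            return Decision(False, MSG_IN_SENDER)
        if not rcpt_in:
            return Decision(False, MSG_IN_RCPT)
    elif not (sender_in or rcpt_in):  # "both": one side must be inside
        return Decision(False, MSG_NEITHER)
    return Decision(True, "accepted")


def acceptance_matrix(protected_domain="example.com", outside="partner.test"):
    """Map (relay type, sender inside?, recipient inside?) to accepted?"""
    grid = {}
    for relay_type in RELAY_TYPES:
        for sender_in in (True, False):
            for rcpt_in in (True, False):
                sender = f"a@{protected_domain if sender_in else outside}"
                rcpt = f"b@{protected_domain if rcpt_in else outside}"
                grid[(relay_type, sender_in, rcpt_in)] = evaluate(
                    relay_type, sender, rcpt, {protected_domain}).accepted
    return grid


if __name__ == "__main__":
    for key, accepted in acceptance_matrix().items():
        print(key, "accept" if accepted else "reject")
```

The matrix shows that Outbound and Inbound each accept one of the four sender/recipient combinations, Outbound and inbound accepts three, and Open relay accepts all four, which is why the guide marks it "Use with caution".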

BLACKLIST

If there are domains, addresses or IP addresses from which you do not want to receive e-mails, you can add them to the Blacklist. This is an important step in preventing unwanted content because:

- The Receive service will reject the e-mail before the content is transferred to your mail server.
- No hard disk space is wasted storing unwanted e-mails.
- Fewer e-mails have to be processed by the Rules service, which conserves system resources.

To add an item to the Blacklist, follow Procedure 3-11:

Procedure 3-11: Adding an item to the Blacklist

1. In the Server Configuration console, select the branch Connection Management > Blacklist.
2. Click Add.
3. The Add/Edit deny list entry dialog box is displayed.
   Note: The text boxes are limited to 255 characters.
   Enter the domain, address or IP address to be blacklisted. In the Comment field you can enter a brief description of the item, or an explanation of why it is blacklisted.
   You can blacklist an entire range of IP addresses by entering only the first three number sets in the IP address. For example: To blacklist all IPs from to , you could add to the Blacklist.
   Note: You cannot blacklist a partial range of numbers, for example IPs from

Procedure 3-11: Adding an item to the Blacklist (Continued)

4. Click OK. The blacklisted item is displayed in the list.

When an item has been added to the Blacklist, an Update Now pop-up is displayed in the Monitor. If you click Yes, a status message Receive service configuration reloaded is displayed in the Receive panel of the Monitor.

The Receive service will reject any mail client trying to send an e-mail from any of the set domains, addresses or IP addresses, unless the mail client's IP is added to the Trusted IP list with a setting of Open Relay.

Warning: Do not add the protected domain to the Blacklist, or e-mails to the protected domain will be rejected.

If you have added a domain to the Blacklist, but want Filter to accept e-mail from individuals within that domain, you can exclude individuals from the Blacklist. For example, if your organization was pursuing a grievance with another organization, you might want to block all e-mail from that organization except for their legal department.

Note: You can also Blacklist an IP address using the Trusted IPs (Relay Sources) list with a setting of Denied. See Trusted IPs (Relay Sources).

Excluding an Item from the Blacklist

To exclude an item from the Blacklist, follow Procedure 3-12:

Procedure 3-12: Excluding an item from the Blacklist

1. In the Server Configuration console, select the branch Connection Management > Blacklist.
2. Click Exclude.
3. The Exclusions from the Blacklist dialog box is displayed.
4. Click Add. The SMTP List Entry dialog box is displayed.
5. Enter the address to exclude from the Blacklist. You can specify that the address is for a Sender, Receiver, or Both.
   Note: The address must have fewer than 255 characters.
6. Click OK.

Editing an Item on the Exclude List

To edit an item on the Exclude list, follow Procedure 3-13:

Procedure 3-13: Editing an item on the Exclude list

1. In the Server Configuration console, select the branch Connection Management > Blacklist.
2. Click Exclude. The Exclusions from the Blacklist dialog box is displayed.
3. Select the item to edit, and then click Edit. The SMTP List Entry dialog box is displayed.
4. Make your changes to the item, and then click OK.

Deleting an Item from the Exclude List

To delete an item from the Exclude list, follow Procedure 3-14:

Procedure 3-14: Deleting an item from the Exclude list

1. In the Server Configuration console, select the branch Connection Management > Blacklist.
2. Click Exclude. The Exclusions from the Blacklist dialog box is displayed.
3. Click Delete. You will be asked to confirm your choice.
4. Click Yes to delete the item. Filter will no longer accept e-mail from this domain, address or IP address.

Importing a Blacklist

If there are a large number of domains, addresses or IP addresses that you want to blacklist or exclude, you can create a text file containing all the items, and import it into Filter. The text file can contain the items to blacklist, and the items to be excluded from the Blacklist.

To import a blacklist, follow Procedure 3-15:

Procedure 3-15: Importing a Blacklist

Creating the text file

1. Create a new .txt file using any text editor.
2. In the .txt file, enter the domains, addresses or IP addresses to be blacklisted. Each item on the list must follow this format:

       type;domain, address or IP address;comment

   Each item on the list must begin on a new line. If you do not want to add a comment, leave a blank after the final semicolon.
   type is a numerical code to identify whether the item is a domain, an address or an IP address:

       0 = domain
       1 = address
       2 = address to be excluded from the Blacklist
       3 = IP address

   Example blacklist entries are:

       0;yahoo.co.uk;internet mail
       1;mailinglist.org.uk; known spammer
       2;legitimat @mailinglist.org.uk; legitimate newsletter

3. When you have finished editing the file, save it to any location that is accessible to the server where Filter is installed. However, saving it within the SurfControl Filter folder will save time, as the import facility automatically looks there first.

Importing a blacklist file

4. In the Server Configuration console, select the branch Connection Management > Blacklist.
5. Select Import.
6. Select your saved blacklist file, and then click Open.
7. If the blacklist file has been imported successfully, a confirmation message is displayed, and the blacklisted domains, addresses and/or IP addresses are displayed in the list. If the file does not import successfully, check that each entry has the correct syntax.
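Because a failed import only tells you to "check that each entry has the correct syntax", it helps to lint the file before importing it. The checker below is an added example, not part of the product: the function names, the sample entries after the first two, the decision to apply the 255-character dialog limit and the three-octet range form to imported entries, and the treatment of blank lines and duplicates as problems are all assumptions.

```python
import ipaddress

TYPE_NAMES = {
    0: "domain",
    1: "address",
    2: "address to be excluded from the Blacklist",
    3: "IP address",
}
MAX_LEN = 255  # limit the guide states for the dialog text boxes

# Constructed sample file; the first two entries are the guide's examples.
SAMPLE = "\n".join([
    "0;yahoo.co.uk;internet mail",
    "1;mailinglist.org.uk; known spammer",
    "2;newsletter@mailinglist.example; legitimate newsletter",
    "3;192.0.2.15;",
    "3;198.51.100;whole range, three-octet form",
    "3;203.0.113.300;bad octet",
    "4;example.net;bad type code",
    "0;example.com;own domain",
    "1;no-comment-field",
    "0;yahoo.co.uk;duplicate",
])


def _valid_ip_item(item):
    """Accept a full IPv4 address or its first three number sets."""
    parts = item.split(".")
    if len(parts) == 3:
        parts = parts + ["0"]  # range form: pad so the octets can be checked
    if len(parts) != 4:
        return False
    try:
        ipaddress.IPv4Address(".".join(parts))
    except ValueError:
        return False
    return True


def lint_blacklist(text, protected_domains=()):
    """Return (entries, problems) for the text of a blacklist import file.

    entries  -> list of (type code, item, comment) for lines that pass
    problems -> list of (line number, description) for lines that do not
    """
    protected = {d.lower() for d in protected_domains}
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            problems.append((lineno, "blank line"))
            continue
        fields = raw.split(";", 2)
        if len(fields) != 3:
            problems.append((lineno, "expected type;item;comment"))
            continue
        code, item, comment = (f.strip() for f in fields)
        if code not in ("0", "1", "2", "3"):
            problems.append((lineno, f"type must be 0-3, got {code!r}"))
            continue
        kind = int(code)
        if not item:
            problems.append((lineno, f"missing {TYPE_NAMES[kind]}"))
        elif len(item) > MAX_LEN or len(comment) > MAX_LEN:
            problems.append((lineno, "field longer than 255 characters"))
        elif kind == 3 and not _valid_ip_item(item):
            problems.append((lineno, f"not an IPv4 address or range: {item}"))
        elif kind == 0 and item.lower() in protected:
            # The guide warns that this rejects mail to your own domain.
            problems.append((lineno, f"protected domain listed: {item}"))
        elif (kind, item.lower()) in seen:
            problems.append((lineno, f"duplicate entry: {item}"))
        else:
            seen.add((kind, item.lower()))
            entries.append((kind, item, comment))
    return entries, problems


if __name__ == "__main__":
    ok, bad = lint_blacklist(SAMPLE, protected_domains={"example.com"})
    print(f"{len(ok)} entries ready to import")
    for lineno, why in bad:
        print(f"line {lineno}: {why}")
```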

REVERSE DNS LOOKUP

The Receive service can check that an e-mail is from a legitimate source by verifying that the domain name specified by the sending mail client in the HELO/EHLO greeting matches the domain name in its DNS record:

1. When a mail client requests a connection to the Receive service, the Receive service performs a reverse DNS lookup on that client's IP address to receive its PTR record.
   Note: The default timeout is usually 3 seconds.
2. If the PTR record does not exist, or if the DNS record doesn't match the host name specified in the HELO/EHLO command, the Receive service will terminate the connection at the MAIL FROM command, unless the sending mail client authenticates itself.

If a mismatch is detected, there are three actions that Filter can take. Table 3-5 describes each action.

Table 3-5 Reverse DNS Lookup actions

Log Only: The mismatch of domain names is displayed in the Receive service panel of the Monitor, but the Receive service will accept the connection and continue to process the e-mail.

Deny if no DNS record found: If the Receive service cannot find a DNS record that corresponds to the IP address of the sending mail server, and the sending mail client fails to authenticate itself, the connection will be terminated at the MAIL FROM command.

Deny if DNS record fails to match HELO string: If the domain name in the DNS record does not match the one in the HELO/EHLO command the Receive service will terminate the connection at the MAIL FROM command, unless the sending mail client authenticates itself.
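Before switching from Log Only to one of the Deny actions, you can replay observed connections through the rules of Table 3-5 to see which senders would be cut off and which need an exclusion. This is an added example, not product code: the record layout, the function names, the sample connections and the reading that each Deny option denies only the condition it names (logging the other) are assumptions.

```python
from collections import Counter

# Which finding each Table 3-5 action denies (assumed to be exclusive options).
DENIES = {
    "log_only": set(),
    "deny_no_record": {"no_record"},
    "deny_mismatch": {"mismatch"},
}

# Constructed sample: one record per connection seen while in Log Only mode.
CONNECTIONS = [
    {"ip": "192.0.2.10", "helo": "mail.partner.test",
     "ptr": "MAIL.partner.test.", "authenticated": False},
    {"ip": "192.0.2.20", "helo": "localhost",
     "ptr": "mx1.supplier.test", "authenticated": False},
    {"ip": "198.51.100.7", "helo": "mail.bulk.test",
     "ptr": None, "authenticated": False},
    {"ip": "203.0.113.5", "helo": "laptop",
     "ptr": None, "authenticated": True},
    {"ip": "192.0.2.30", "helo": "[192.0.2.30]",
     "ptr": "out.newsletter.test", "authenticated": False},
]


def normalize(name):
    """Compare host names case-insensitively and without the root dot."""
    return name.strip().rstrip(".").lower()


def finding(helo_name, ptr_name):
    """Classify one connection as 'match', 'mismatch' or 'no_record'."""
    if not ptr_name:
        return "no_record"
    if normalize(helo_name) == normalize(ptr_name):
        return "match"
    return "mismatch"


def decide(conn, action, excluded_ips=frozenset()):
    """Return 'accept', 'log' or 'deny' (termination at MAIL FROM)."""
    if action not in DENIES:
        raise ValueError(f"unknown action: {action!r}")
    if conn["ip"] in excluded_ips:
        return "accept"  # excluded servers are not looked up at all
    result = finding(conn["helo"], conn["ptr"])
    if result == "match":
        return "accept"
    # A client that authenticates itself is not terminated.
    if result in DENIES[action] and not conn["authenticated"]:
        return "deny"
    return "log"


def dry_run(connections, excluded_ips=frozenset()):
    """Summarise, per action, the outcomes and the IPs that would be denied."""
    report = {}
    for action in DENIES:
        outcomes, denied = Counter(), set()
        for conn in connections:
            verdict = decide(conn, action, excluded_ips)
            outcomes[verdict] += 1
            if verdict == "deny":
                denied.add(conn["ip"])
        report[action] = {"outcomes": dict(outcomes),
                          "denied_ips": sorted(denied)}
    return report


if __name__ == "__main__":
    for action, summary in dry_run(CONNECTIONS).items():
        print(action, summary)
```

Any IP address in `denied_ips` that belongs to a known legitimate server is a candidate for the exclusion list before the Deny action is enabled.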

Enabling Reverse DNS Lookup

By default Reverse DNS Lookup is disabled. To enable it, follow Procedure 3-16:

Procedure 3-16: Enabling Reverse DNS Lookup

1. In the Server Configuration console, select the branch Connection Management > Reverse DNS Lookup.
2. Select Enable Client Name DNS lookup.
3. Select an option for the Filter action if the domain names in the HELO string and the DNS record do not match.

Excluding a Mail Server from Reverse DNS Lookup

It is an RFC recommendation, but not a requirement, that the HELO/EHLO command contains the fully-qualified domain name (FQDN) of the sending mail client. If you have chosen to deny the connection, you may find that legitimate e-mail is blocked because the sending mail client does not use the FQDN in its HELO/EHLO command. To avoid blocking legitimate e-mail you should either:

- Select only to log the mismatch.
- Exclude any known legitimate servers which may have a mismatched DNS/HELO string.

Procedure 3-17: Excluding a mail server from Reverse DNS Lookup

1. In the Server Configuration console, select the branch Connection Management > Reverse DNS Lookup.
2. Click Exclude.

Procedure 3-17: Excluding a mail server from Reverse DNS Lookup (Continued)

3. The Exclusion from Client DNS Lookup dialog box is displayed. Click Add...
4. The SMTP List Entry dialog box is displayed.
5. Enter the IP address you want to exclude from Reverse DNS Lookup.
6. Click OK.

REALTIME BLACKHOLE LIST (RBL)

Filter can check an e-mail sender's domain name against a list of known spammers held in a Realtime Blackhole List. To enable this, you need to know the domain name or IP address of the RBL you want to check e-mails against.

Enabling RBL Lookup

If the e-mail is from a sender on the RBL, Filter will reject it. To use an RBL, follow the steps in Procedure 3-18:

Procedure 3-18: Enabling Realtime Blackhole List Lookup

1. In the Server Configuration console, select the branch Connection Management > Realtime Blackhole List.
2. Select Check IP addresses against RBL.

Procedure 3-18: Enabling Realtime Blackhole List Lookup (Continued)

3. Click Add. The SMTP Lists dialog box is displayed.
4. Enter the IP address or domain name of the RBL Server to use.
5. Click OK. The RBL is displayed in the RBL Servers list.
6. Select how you want Filter to deal with a connection from a sender on the RBL:
   - Log Only: The information that the connection came from a sender on the RBL is recorded in the system log and displayed in the Monitor.
   - Deny connection: The connection is dropped and e-mail from that sender is rejected.

Excluding a Mail Server from RBL Lookups

A legitimate organization can sometimes be wrongly placed on an RBL, for example if its domain name has been used by a spammer to send spoofed e-mail. You can exclude an individual domain or IP address from RBL lookups so that Filter will accept e-mail from that source. If any e-mail you receive is mission-critical, you should make sure the sender's domain is excluded from RBL lookups.

Procedure 3-19: Excluding a mail server from RBL Lookups

1. In the Server Configuration console, select the branch Connection Management > Realtime Blackhole List.
2. Select Exclude. The Exclusions dialog box is displayed.
3. Click Add. The SMTP List Entry dialog box is displayed.
4. Enter the domain name or IP address to exclude from RBL lookups. Filter will then accept connections from this source.
5. Click OK.

DIRECTORY HARVEST DETECTION

Spammers use a variety of methods to mine your organization for valid addresses. If they succeed it can not only cause an increase in spam, but also slow down the delivery of legitimate e-mail. A common technique is to flood a mail server with a large number of e-mails using fabricated addresses. Those addresses that are not immediately rejected by your mail server are assumed to be valid addresses and are added to the spammer's database, knowing that e-mail to these addresses will be received.

Filter can detect when a server is trying to send large numbers of e-mails for the purposes of directory harvesting, by keeping a count of:

- the number of invalid addresses or domains per connection
- the number of invalid addresses or domains from each IP address per hour.

Note: If you restart the Receive service, these counts are reset to zero.

You can configure the Receive service to terminate a connection when these counts reach a maximum. Directory Harvest Detection uses LDAP to check the validity of addresses and domains.

Enabling Directory Harvest Detection

To enable Directory Harvest Detection, follow Procedure 3-20:

Procedure 3-20: Enabling Directory Harvest Detection

Enabling Directory Harvest detection

1. In the Server Configuration console, select the branch Connection Management > Directory Harvest Detection.
2. Select Enable Directory Harvest Detection.
3. Click LDAP to configure and manage your LDAP servers and connections. The LDAP Connections dialog box is displayed.

Procedure 3-20: Enabling Directory Harvest Detection (Continued)

Adding an LDAP connection

4. You can configure one or more LDAP connections. If there are no connections in the list, or if you want to add more connections, click Add.
5. The Add LDAP Connection dialog box is displayed.
6. Enter a name for the LDAP connection. Each LDAP connection must have a unique name.
7. In the Server Name: field, enter the name of the LDAP server that you want to connect to.
8. To make it compulsory that Filter uses a username and password to log on to the LDAP server, select I must log on to this server and enter the user name and password to be used by Filter.

Procedure 3-20: Enabling Directory Harvest Detection (Continued)

Configuring the connection to the LDAP Server - Advanced

9. To specify additional information about the LDAP server, click the Advanced tab.
10. In the LDAP Port number: field, enter the LDAP port number. Default =
11. To use a secure connection (SSL) to connect to the LDAP server, select Use Secure Connection.
12. Select search base details for users and/or groups. The information for LDAP users and groups is not stored on the SurfControl Filter server; it is requested from the LDAP server as necessary. Therefore specifying a Search Base makes the connection more efficient for locating specific users or groups.
13. In the Search timeout (seconds): text box, enter the amount of time that Filter will search for users and groups before timing out. Default = 120 seconds.
14. In the Maximum number of search results: text box, enter the maximum number of users and groups to be included.
15. Click OK.
16. To exclude one or more legitimate addresses or domains, click Exclude.
17. The Exclusion from LDAP Lookup dialog box is displayed. If the address or domain is not in the list, click Add.

Procedure 3-20: Enabling Directory Harvest Detection (Continued)

18. Enter the address or domain, and then click OK. The address or domain is added to the list in the Exclusion from LDAP Lookup dialog box.

DENIAL OF SERVICE (DOS) DETECTION

A Denial of Service (DoS) attack attempts to stop a network from functioning by flooding it with useless traffic or using up network resources. DoS attacks can take many forms: a well-known example is the Ping of Death, which attempts to disrupt network traffic by repeatedly sending packets of data that exceed the standard length.

Filter can detect when servers are trying to launch a DoS attack by monitoring the number of incomplete SMTP sessions per hour. If you restart the Receive service, this count is reset to zero.

Note: An incomplete SMTP session occurs when a connection is made but no e-mail is received.

To set up protection against DoS attacks, follow Procedure 3-21:

Procedure 3-21: Enabling Denial of Service Detection

1. In the Server Configuration console, select the branch Connection Management > Denial of Service Detection.
2. Select Enable Denial of Service detection.
3. Specify how many incomplete SMTP sessions Filter will accept per IP address per hour. Default = 30
4. Specify the action that Filter should take if a single IP address attempts more than the specified incomplete SMTP sessions per hour. You can:
   - Log only: Logs the DoS attack in the System Log and the Monitor.
   - Deny any further connections from that IP address for a specified number of hours. Default = 24 hours

REMOTE USER AUTHENTICATION

Use this to configure the access of users who need to connect to your mail server from outside the protected domain, for example, home workers using a dial-up connection.

To enable remote user authentication, follow Procedure 3-22:

Procedure 3-22: Enabling Remote User Authentication

1. In the Server Configuration console, select the branch Connection Management > Remote User Authentication.
2. Click Add.

Procedure 3-22: Enabling Remote User Authentication (Continued)

3. The User Authentication Information dialog box is displayed. Enter a user name and password for the remote user. The remote user will need to supply these details when they attempt to log on to Filter.
4. Click OK. The user name is displayed in the right-hand panel.

Importing a List of Remote Users

If you have large numbers of remote users to configure, you can create a list as a text file and import it into Filter. To import a text file, follow Procedure 3-23:

Procedure 3-23: Importing a list of remote users

Creating the text file

1. Create a new .txt file using any text editor.
2. In the text file, list the remote users. Each item on the list must follow the following syntax:

       SEFAUTH;user name;password;<cr><lf>

   For example:

       SEFAUTH;Rachel;abcd1234<CR><LF>
       SEFAUTH;Barney;xyz987<CR><LF>
       SEFAUTH;Homer;a1b2c3d4<CR><LF>
       SEFAUTH;Marge;z9y8x7<CR><LF>

3. Save the file to any location that is accessible to the server where Filter is installed. However, saving the file within the SurfControl Filter folder saves time, as the import facility automatically looks in this folder first.

Importing the text file

1. In the Server Configuration console, select the branch Connection Management > Remote User Authentication.
2. Click Import.
3. Select the file to import.

Procedure 3-23: Importing a list of remote users (Continued)

4. Select your saved list of users, and then click Open.
5. If your file is imported successfully, a confirmation message is displayed, and the remote users are displayed in the right-hand panel. If your file does not import successfully, check that all the items on the list have the correct syntax.

SPF CHECK

Sender Policy Framework (SPF) verifies a sender's address, targets spam, and fights return-path address forgery, which makes it easier to identify spoofs. An SPF check determines if a client or mail server is authorized to send e-mails with a given MAIL FROM identity.

To set up SPF checking, follow Procedure 3-24:

Procedure 3-24: Enabling SPF Checking

1. In the Server Configuration console, select the branch Connection Management > SPF Check.
2. Select Perform SPF checking against sender.
3. Select the conditions that are needed to reject e-mails from senders.
   Note: Some options might block legitimate mail servers. You should exclude these legitimate servers from the SPF check.
4. To exclude legitimate servers from the SPF check, click Exclude.
5. The Exclusion from SPF check dialog box is displayed. If the IP address of the legitimate server is not in the list, click Add.

Procedure 3-24: Enabling SPF Checking (Continued)

6. Enter the IP address of the server, and then click OK.

CONFIGURING THE RECEIVE SERVICE

The Receive service accepts SMTP traffic on port 25 and checks each e-mail against a series of Connection Management criteria. If the e-mail passes these checks, Filter accepts the e-mail and passes it to the Rules service for further processing. It is important to configure the Receive service correctly to keep your system running efficiently and securely, and to maintain the flow of legitimate e-mail.

The Receive service has general settings and these branches:

- SMTP Properties
- Connections
- ESMTP Commands.

RECEIVE SERVICE - GENERAL SETTINGS

In the Service Configuration dialog box navigation panel, select Receive Service. The Receive Service dialog box is displayed in the right-hand panel. Figure 3-2 shows a typical Receive Service dialog box.

Figure 3-2 Receive service general settings

Received Mail Drop-off Folder

When an e-mail has passed the Connection Management checks, Filter accepts the e-mail and deposits it in the Received mail drop-off folder (the \In folder). By default, the path of the Received mail drop-off folder is:

    C:\Program Files\SurfControl Filter\In

You can enter a different path, or click Browse... to select another location.

Logging

The Logging options control where details of e-mails handled by the Receive service are recorded. Select the check boxes to enable a logging option. Table 3-6 describes the logging options:

Table 3-6 Logging options

Real-time console: Details of incoming e-mails are displayed in the Receive panel of the Monitor. For more information about the Monitor consoles, see Service Panels on page 89.

System log: System events related to incoming mail, such as the sending of notification e-mails, are displayed in the System Log in Message Administrator. See Working with Logs on page 246.

Traffic log: Information about each incoming e-mail is displayed in the Traffic Log in Message Administrator. See Working with Logs on page 246.

SMTP PROPERTIES

The SMTP properties affect how Filter receives incoming e-mail for filtering. Figure 3-3 shows a typical SMTP Properties dialog box:

Figure 3-3 SMTP Properties dialog box

Table 3-7 shows the options for SMTP Properties.

Table 3-7 SMTP Properties settings

Receive Service SMTP Port: The port used by Filter to receive SMTP traffic. This is displayed in the Receive Service SMTP Port. You can change the port by entering a different port number here.

Enable Secure SMTP over SSL (SMTPS): Select this to secure the entire SMTP conversation, that is, from connection to receiving the e-mail, through secure connection over SSL (Secure Socket Layer). Default (recommended) port = 465. If this is selected and an SMTP port specified, the sending mail clients must send e-mails that are encrypted using SSL.

Computer Name: You can specify which computer name the Receive service uses in its greeting when it receives a connection:
- Windows Computer Name: The Receive service will use the fully-qualified primary domain name of the computer where Filter is installed.
- Specify Computer Name: The Receive service will use the computer name you specify. You can use any commonly accepted form of host name, for example the domain name or the IP address.
By default Filter will use the Windows Computer Name.

SMTP greeting text: The SMTP greeting is the greeting which is sent to a remote computer when it initiates a connection by sending a HELO or EHLO command. By default, the SMTP greeting is:

    220 [server name].[domain name]

If text is added, the SMTP greeting consists of the default text plus any additions. You can use the SMTP greeting text to communicate your organization's policy on how that mail server can be used. For example, if you do not allow the mail server to be used as a relay host you can warn mail clients not to try to relay mail through your server. To change the greeting, click Customize. The Customize Greeting Text dialog box is displayed.
Note: You cannot delete or edit the default greeting text.
When a HELO or an EHLO command is received, all the text visible in the box will be sent as a greeting.

CONNECTIONS

The Connections settings affect how many connections the Receive service can accept, and how much incoming e-mail it can process at any one time. It is important to set these limits at appropriate levels for your system's capacity; network performance can be reduced if too many connections are accepted. Figure 3-4 shows a typical Connections dialog box:

Figure 3-4 Connections dialog box

Table 3-8 shows the connections that you can limit. Select the check boxes of the limits you want to set. If a check box is cleared, Filter does not limit the number of connections.

Table 3-8 Connection options (columns: Option, Description, Default, Maximum)

Connection Settings

Maximum active inbound connections: The total number of incoming connections that Filter will accept at any one time.

Limit maximum connections for each trusted IP address: Limit the number of connections Filter will accept from the IP addresses on the Trusted IPs List. See Trusted IPs (Relay Sources) on page 23. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections.

Table 3-8 Connection options (Continued)

Limit maximum connections for each non-trusted IP address: Limit the number of connections from IP addresses not on the trusted IP addresses list. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections.

Idle connection timeout: The number of seconds the Receive service will wait to receive data before terminating the connection.

Data Size

Limit maximum message size: Limit the size (in MB) of inbound e-mails that Filter will accept.

Limit maximum data per connection: Limit the total amount (in MB) of data that Filter will accept in a single connection.

SMTP Options

Limit maximum messages per connection: Limit the total number of e-mails that Filter will accept in a single connection.

ESMTP COMMANDS

The ESMTP Commands options enable you to select the ESMTP commands to be used by the Receive service in the response to the SMTP EHLO command. Figure 3-5 shows a typical ESMTP Commands dialog box:

Figure 3-5 ESMTP Commands dialog box

Table 3-9 shows the ESMTP commands that are available. Select the check boxes of the commands to be used.

Table 3-9 ESMTP options

Authentication Options

Enable AUTH-LOGIN: To enable or disable the ESMTP AUTH-LOGIN function.

Enable AUTH-PLAIN: To enable or disable the ESMTP AUTH-PLAIN function.

Enable AUTH-CRAM-MD5: To enable or disable the ESMTP AUTH-CRAM-MD5 function.

Note: These functions are used by remote users. To add details of remote users, see Remote User Authentication on page 41.

Transmission Optimizations

Enable CHUNKING: The size of each SMTP data chunk is sent with the data. This means that the SMTP host does not have to scan continuously for the end of the data. This improves the speed of transmissions.

Enable PIPELINING: Provides the ability to send a stream of commands without having to wait for a response after each command. This improves the speed of transmissions.

Secure SMTP over TLS

Enable STARTTLS: To enable a secure SMTP connection over Transport Layer Security (TLS).

CONFIGURING THE RULES SERVICE

SurfControl Filter works by checking e-mails against the rules you specify, to enforce your Acceptable Use Policy (AUP). The Rules Service controls how e-mails are checked and processed.

The Rules Service has general settings and these branches:

- Configuration
- Queue Management.

RULES SERVICE - GENERAL SETTINGS

The Rules Service general settings affect the folders used by the Rules service to access, hold and act upon e-mails, and how the actions of the service are logged. Figure 3-6 shows a typical Rules Service dialog box:

Figure 3-6 Rules Service - General Settings dialog box

Rules Service Folders

There are three folders used by the Rules service to pick up, store and act upon e-mails.

Warning: The path of the rules mail pickup folder must be exactly the same as the received mail dropoff folder.

Table 3-10 Rules service folders

| Folder | Function | Default path |
| --- | --- | --- |
| Rules mail pick-up folder | The Rules service monitors this folder for incoming e-mail. It is also called the In folder. | C:\Program Files\SurfControl Filter\In |
| Work folder | E-mails are held in this folder while they are being checked against the rules. | C:\Program Files\SurfControl Filter\Work |
| Processed mail dropoff folder | If an e-mail has been checked against the rules and allowed to proceed, it is placed in the Processed mail dropoff folder. If it has been delayed or isolated it is placed in the folder specified by the rule it triggered. | C:\Program Files\SurfControl Filter\Out |

You can edit the path of these folders or browse to another location.

Logging Options

The Rules service logging options control how the actions of the Rules service are recorded and where they are displayed:

Table 3-11 Rules service logging options

| Logging option | When enabled |
| --- | --- |
| Real-time console | The actions of the Rules service are displayed in the real-time console. For more information about the Real-time console, see Service Panels on page 89. |
| System Log | The status of the Rules service is displayed in the System Log in Message Administrator. For example, if you add and activate a new rule, a message is displayed, indicating that the rules configuration has been reloaded. For more information about the System log, see Working with Logs on page 246. |

RULES SERVICE CONFIGURATION

Figure 3-7 shows a typical Rules Service - Configuration dialog box:

Figure 3-7 Rules Service - Configuration dialog box

Number of Rules Processing Threads

Specify the number of e-mails that the Rules service can process at any one time. For example, using the default setting of 4 means that the Rules service can check 4 e-mails at the same time. The default setting is 4, the maximum is 16.

Warning: If there are too many rules threads for your system to handle with its available memory, Filter will not function. Each extra thread you add requires approximately 16MB of memory above the minimum system requirement of 512MB RAM.

Corrupted E-mails

If an e-mail has been corrupted, the Rules service may not be able to check it against the enabled rules. You can specify how Filter acts in the event that an e-mail becomes corrupted:

Table 3-12 Handling Corrupted E-mails

| Action | What happens |
| --- | --- |
| Release corrupted messages | The corrupted e-mail will not be checked by the Rules service, and will be sent directly to its recipient. A copy of the e-mail will be left in the In folder. |
| Move corrupted messages to folder | The corrupted e-mail will be moved to the folder you specify. Enter the path of the folder, or browse to the destination you want. |
| Copy to folder and send corrupted message | Filter will take a copy of the corrupted e-mail and save it in the folder you specify, and then send the original e-mail to its recipient. Enter the path of the folder, or browse to the destination you want. |

QUEUE MANAGEMENT

If the Rules service detects that an e-mail has triggered a rule, there are four automatically managed actions that Filter can take:

- Discard the e-mail
- Release the e-mail
- Isolate the e-mail
- Delay the e-mail

E-mails that are isolated or delayed are held in dedicated queue folders until they are either discarded or released and sent to their recipient. Filter is installed with 11 pre-configured queues for easy management of e-mail, but you can set up others to suit your needs.

Use Queue Management to configure and manage queues. The list of queues is displayed in the Queue Management dialog box.

Figure 3-8 Queue Management dialog box

Adding a Queue

To add a queue, follow Procedure 3-25:

Procedure 3-25: Adding a queue

Creating the queue

1. In the Server Configuration console, select the branch Receive Service > Rules Service > Queue Management.
2. Click Add.
3. The Queue Configuration dialog box is displayed. In the Queue Name box enter the name of the queue you want to create, for example Gambling.
4. In the Queue Folder box, enter the path of the folder where you want the queue to be held. To find a folder, click Browse. To create a new folder click New Folder, and then enter the path and name of the new folder in the text box.
5. Either:
   - Click OK to accept the defaults, or
   - Configure the queue, see Procedure 3-28 to Procedure

Editing and Deleting Queues

When you have created a queue, you can change its details. To edit the details of a queue, follow Procedure 3-26:

Procedure 3-26: Editing a queue

1. In the Server Configuration console, select the branch Receive Service > Rules Service > Queue Management.
2. Select the queue to be changed, and then click Edit.
3. The Queue Configuration dialog box is displayed. You cannot change the name of the queue, but you can save it to a different folder by browsing to an existing folder, or creating a new folder.
4. Configure the rest of the queue settings as normal, see Procedure 3-28 to Procedure

To delete a queue, follow Procedure 3-27:

Procedure 3-27: Deleting a queue

1. In the Server Configuration console, select the branch Receive Service > Rules Service > Queue Management.
2. Select the queue to delete, and then click Delete.
3. A confirmation message is displayed.

Note: You cannot delete a queue if it contains e-mails or is being used by a rule.

Configuring Your Queue

When you have entered the queue name and set up the queue folder, you can configure the details. Table 3-13 details the options:

Table 3-13 Queue Management options

| Option | What it does |
| --- | --- |
| Queue Administration | If there are multiple administrators in your organization you can assign administrators to queues for the management of e-mail. |
| Automated Queue Management | Automated Queue Management allows you to automatically release, delete or move isolated e-mails at a set time. |

Table 3-13 Queue Management options (Continued)

| Option | What it does |
| --- | --- |
| Administrator Alerts | Filter can send an e-mail to the administrator of a queue when the number of e-mails in that queue reaches a set number. |

To specify who can manage e-mails held in a queue, follow Procedure 3-28:

Procedure 3-28: Configuring queue administration

1. In the Server Configuration console, select the branch Receive Service > Rules Service > Queue Management.
2. If you have already created your queue, select it and click Edit. To create a new queue follow Procedure 3-25.
3. The Queue Configuration dialog box is displayed. Select either:
   - All Users: All administrators will be able to view, release, delete and move e-mails held in this queue.
   - Selected Users: In the list that is displayed, select the check boxes of the administrators who should have access to this queue. If there are no administrators in the list, you need to configure administrator accounts. See Configuring Administrators on page 79.

Automatic Queue Management

You can automatically delete, release or move e-mails that have been isolated or delayed for a specified amount of time. To configure automated queue management, follow Procedure 3-29:

Procedure 3-29: Configuring Automated Queue Management

Enabling Automated Queue Management

1. In the Server Configuration console, select the branch Receive Service > Rules Service > Queue Management.
2. If you have already created your queue, select it and click Edit. To create a new queue follow Procedure 3-25.
3. The Queue Configuration dialog box is displayed. Select Enable Automated Queue Management.
4. Select the action to be applied to the e-mails in the queue:
   - Release: Release each e-mail from its current queue folder a set time after it is placed there.
   - Delete: Permanently delete each e-mail a set time after it was placed in its current queue folder.
   - Move to: Move each e-mail to the specified queue a set time after it was placed in its current queue. Each queue is listed and when you add a new queue it will be added to the list.
5. To specify the time when your chosen action will happen, select Configure...

Procedure 3-29: Configuring Automated Queue Management (Continued)

6. The Configure Automated Queue Management dialog box is displayed. To set the timing:
   - Take Action after time delay: Enter the amount of time in days, hours and minutes you want each e-mail to be held in the queue before an action is applied to it. When each e-mail arrives in its specified queue, it will be held there for that period of time. Minimum = 5 minutes.
   - Take action at Specified Times: Click Add.
7. Enter the time in the Time of Action dialog box. Click OK.
8. After you have selected the time using either method, click OK.
9. To keep a record of which e-mails have been deleted or released by automatic queue management, select Log to the system database.
   Note: This check box is unavailable if you have chosen to automatically move e-mails to another queue.
10. Click OK.

Administrator Alerts

Filter can notify the administrator of a queue when that queue reaches a specified size. To enable administrator alerts, follow Procedure 3-30:

Procedure 3-30: Enabling Administrator Alerts

1. In the Server Configuration console, select the branch Receive Service > Rules Service > Queue Management.
2. If you have already created your queue, select it and click Edit. To create a new queue follow Procedure 3-25.
3. The Queue Configuration dialog box is displayed. Select Enable Administrator Alerts.
4. Enter the number of e-mails that the queue must contain for an alert to be sent.

CONFIGURING THE SEND SERVICE

The Send service controls what happens to e-mails after they have been allowed to proceed through the system by the Rules service. It is important to configure the Send service correctly, otherwise e-mails that have passed through the system will not reach their intended recipients.

The Send service has general settings and these branches:

- SMTP Properties
- Connections
- Routing
- Smart Host Routing
- Requeuing scheme.

SEND SERVICE - GENERAL SETTINGS

Figure 3-9 shows a typical Send Service dialog box:

Figure 3-9 Send Service - general settings

Send Mail Pickup Folder

Warning: The Send Mail Pickup Folder must always be the same folder as the Rules Service Processed Mail Folder.

When an e-mail has been checked and allowed to proceed, it is placed in the Send Mail Pickup Folder (\Out folder), where the Send Service can pick it up for delivery. By default the path is:

C:\Program files\surfcontrol Filter\Out

You can change the path or browse to a different location.

Logging

When an e-mail is moved to the \Out folder for delivery, you can log the action in two places:

Table 3-14 Send Service logging options

| Option | What it does |
| --- | --- |
| Real-time console | Details of e-mails placed in the \Out folder are displayed in the Receive console of the Monitor. For more information about the Monitor consoles, see Service Panels on page 89. |
| System log | System events related to the Send Service are displayed in the System log in Message Administrator. See Working with Logs on page 246. |

SMTP PROPERTIES

The configurable SMTP properties are:

- SMTP EHLO/HELO command
- Transmission Optimizations.

Figure 3-10 shows a typical Send Service - SMTP Properties dialog box:

Figure 3-10 Send Service - SMTP Properties dialog box

SMTP EHLO/HELO Command

The SMTP EHLO/HELO command is the SMTP statement that will be used to make an SMTP connection with the receiving mail server to send the e-mail in the \Out folder. There are two ways that Filter can connect.

Table 3-15 SMTP EHLO/HELO Command settings

| Setting | What happens |
| --- | --- |
| Use the Windows computer name as the Domain name | When Filter initiates the outbound connection, the EHLO/HELO statement will use the host name of the machine where Filter is installed as a domain name, for example: HELO devserver |
| Specify the Domain name: | When Filter initiates the outbound connection, the EHLO/HELO statement will contain the domain name you specify, for example: HELO mycompany.com |

Transmission Optimizations

Filter can use one or more methods to optimize the Send service when sending e-mails.

Note: Some external servers do not support pipelining or chunking.

Table 3-16 Transmission Optimizations settings

| Setting | What happens |
| --- | --- |
| Enable CHUNKING | The size of each SMTP data chunk is sent with the data. This means that the SMTP host does not have to scan continuously for the end of the data. This improves the speed of transmissions. |
| Enable PIPELINING | Provides the ability to send a stream of commands without having to wait for a response after each command. This improves the speed of transmissions. |

CONNECTIONS

The Connections branch controls the type and number of connections that Filter can make when it is sending e-mails. The configurable connection settings are:

- Connection properties
- SMTP options.

Figure 3-11 shows a typical Send Service - Connections dialog box:

Figure 3-11 Send Service - Connections dialog box

Connection Properties

Table 3-17 shows the Connections settings.

Table 3-17 Send Service Connections

| Option | Description | Default | Maximum |
| --- | --- | --- | --- |
| Maximum active outbound connections | The maximum number of outbound connections that Filter can make at any one time. | | |
| Maximum connections per IP address | The maximum number of outbound connections that Filter can make to any single IP address. Note: This number must be less than or equal to the maximum active outbound connections. | | |
| Idle connection timeout | The number of seconds after which Filter will drop an attempted connection. | | |

SMTP Options

You can limit the number of e-mails that can be sent through a single connection:

Procedure 3-31: Limiting e-mails sent through a single connection

1. In the Server Configuration console, select the branch Send Service > Connections.
2. In the SMTP options area, select Limit maximum messages per connection.
3. Enter or scroll to the maximum number of e-mails that Filter can send for any one connection.

ROUTING

Use Routing to define routing tables for Filter. Figure 3-12 shows a typical Send Service - Routing dialog box:

Figure 3-12 Send Service - Routing dialog box (callouts: Routing table. You can move items up and down the list using the arrows.)

The routing table defines the location of your mail servers so that Filter can identify where to send e-mail within the protected domain.

Static Routes

By default, the protected domain you specified during installation is listed in the Static Routes list. If your organization has more than one protected domain, you need to add the other domains that you did not specify during installation. You can also add details of an external mail server, for example if your organization generates a lot of traffic with a particular company. To add a static route, follow Procedure 3-32:

Procedure 3-32: Adding a static route

1. In the Server Configuration console, select the branch Send Service > Routing.
2. Click Add.
3. The Domain Route properties dialog box is displayed. In the Domain Name for Static Route text box, enter the domain name.
4. In the Route Host for this Domain text box, enter the IP address of a server that you want to handle e-mail for this domain.
5. In the IP port to use for this SMTP host text box, enter the port number of the server you want to handle e-mail for this domain. Default = 25
6. If Filter will need to supply authentication details to connect to the server, select Server Requires Authentication and enter a valid user name and password.
7. You have the option to force the mail server to accept only encrypted e-mails using TLS (STARTTLS) or SSL (SMTPS). To do this, select Send message encrypted. Default = Cleared. See Table 3-18 for a description of the options.

Table 3-18 Options for encrypted e-mails

| Option | Description |
| --- | --- |
| Always use STARTTLS | E-mails are sent encrypted using TLS. If the mail server does not support TLS, or the STARTTLS operation fails, the Send service sends a warning message, which is also logged in the system log, and temporarily fails the e-mails and requeues them. |
| Use STARTTLS if available, otherwise send unencrypted | E-mails are sent encrypted using TLS. However, if the mail server does not support TLS, the e-mails are sent unencrypted. |
| Use SMTPS on port (Default (recommended) port = 465) | E-mails are sent encrypted using SSL. If the mail server does not support SSL, or the SMTPS operation fails, the Send service sends a warning message, which is also logged in the system log, and temporarily fails the e-mails and requeues them. |

When you have added static routes, you need to specify how Filter will route e-mail addressed to destinations outside the domains specified on the Static Routes list. You can:

- Use a default route that you specify: The Send service will pass any e-mails addressed to domains not on the Static Routes list to the server you specify as the default route. This server then handles the e-mail and performs the MX lookups to send the e-mail to its destination. The default route is initially the route you specified during installation, but you can change its details or add further servers. See Configuring a Default Route on page 69.
- Use MX records: Filter attempts to route the e-mail by performing the MX lookups itself. See Configuring MX Lookups.

Configuring a Default Route

To set the default route, follow Procedure 3-33:

Procedure 3-33: Configuring a Default Route

1. In the Server Configuration console, select the branch Send Service > Routing.
2. In the Undefined routes area, select Use default route.
3. Click Configure. The Default Routes Configuration dialog box is displayed. By default the default route is the server you specified during installation. You can either:
   - Select the default server, and then click Edit to change the details of the server, or
   - Click Add to add another server.

Procedure 3-33: Configuring a Default Route (Continued)

4. The Domain Route properties dialog box is displayed.
5. The name in the Domain Name for Static Route field is always Default.
6. In the Route Host for this Domain field, enter the IP address of the server you want to use as the default route.
7. In the IP Port to use for this SMTP Host field, enter the IP port that Filter will use to communicate with the server.
8. If the server requires authentication, enter a valid user name and password. Confirm the password.
9. You have the option to force the mail server to accept only encrypted e-mails using TLS (STARTTLS) or SSL (SMTPS). To do this, select Send message encrypted. Default = Cleared. See Table 3-19 for a description of the options.
10. Click OK. The dialog box closes, and the server details are listed in the Default Routes Configuration dialog box. Click OK to return to the Server Configuration console.

Table 3-19 Options for encrypted e-mails

| Option | Description |
| --- | --- |
| Always use STARTTLS | E-mails are sent encrypted using TLS. If the mail server does not support TLS, or the STARTTLS operation fails, the Send service sends a warning message, which is also logged in the system log, and temporarily fails the e-mails and requeues them. |
| Use STARTTLS if available, otherwise send unencrypted | E-mails are sent encrypted using TLS. However, if the mail server does not support TLS, the e-mails are sent unencrypted. |
| Use SMTPS on port (Default (recommended) port = 465) | E-mails are sent encrypted using SSL. If the mail server does not support SSL, or the SMTPS operation fails, the Send service sends a warning message, which is also logged in the system log, and temporarily fails the e-mails and requeues them. |

Configuring MX Lookups

To set Filter to perform MX Lookups, follow Procedure 3-34:

Procedure 3-34: Configuring MX Lookups

1. In the Server Configuration console, select the branch Send Service > Routing.
2. In the Undefined route area, select Use MX Lookups.
3. Click Configure.

Procedure 3-34: Configuring MX Lookups (Continued)

4. The MX Lookup Properties dialog box is displayed.
5. If a domain exists, but Filter cannot find an MX record for it, it can try to connect to the domain directly using port 25. Specify the action you want Filter to take if an MX Lookup fails:
   - Always try direct connections
   - Never try direct connections.
   The timeout value for direct connections is 60 seconds, so attempting direct connections can delay the delivery of mail.
6. If you want MX records to be cached, select Cache MX records and specify how long you want MX records to be cached for. Maximum = 24 hours
7. To cache non-existent MX records, select Cache non-existent domains and specify how long you want the non-existent records to be cached for. Maximum = 24 hours. If a non-existent MX record is cached, Filter will not attempt further MX lookups for that domain.
8. You can select to send the e-mail encrypted using TLS. However, if the mail server does not support TLS, the e-mails are sent unencrypted. Default = Cleared
9. Click OK to return to the Server Configuration console.

SMART HOST ROUTING

You can route e-mails to a specific mail server or MTA according to their content, for example:

- If your organization uses an encryption server, Filter can redirect e-mails that meet the criteria you specify for encryption. The encryption server encrypts the e-mails and sends them to their destination.
- If your organization has an archiving policy, the Filter can send a copy of e-mails that meet your archiving criteria to the archiving server, while processing the original e-mails as normal.

Enabling Smart Host Routing

Before you start to configure Smart Host Routing, make sure that the Smart Host server can accept all mail from the Filter Send service. Consult your Smart Host documentation for more information on how to do this.

When you have enabled the Smart Host to accept mail, you need to:

1. Configure Smart Host Routing in the Server Configuration console. Follow Procedure 3-35.
2. Set up a rule in the Rules Administrator which specifies which e-mails you want to be routed to the Smart Host. See Routing Object on page 209.

To configure Smart Host Routing, follow Procedure 3-35:

Procedure 3-35: Configuring Smart Host Routing

1. In the Server Configuration console, select the branch Send Service > Smart Host Routing.
2. Click Add.
3. The Smart Host Properties dialog box is displayed.
4. In the Smart Host Name text box, enter the name of the Smart Host server to which you want e-mails redirected.

Procedure 3-35: Configuring Smart Host Routing (Continued)

5. Click Add. The Relay Host properties dialog box is displayed.
6. Enter the DNS server name or IP address of the Smart Host to which you want e-mails redirected, for example, the encryption server.
7. Enter the IP port number that Filter will use to connect to the Smart Host. Default = 25
8. If Filter needs to be authenticated by the Smart Host, select the Server Requires Authentication box, and enter the username and password of an account that will be accepted by the Smart Host.
9. You have the option to force the mail server to accept only encrypted e-mails using TLS (STARTTLS) or SSL (SMTPS). To do this, select Send message encrypted. Default = Cleared. See Table 3-20 for a description of the options.
10. Click OK.
11. The details of your Smart Host server are displayed in the Smart Host Properties dialog box.
12. Click OK. Smart Host routing supports fail-over. If you configure more than one relay host, the Send service will first try to send mail to the first relay host on the list. If it cannot send to that relay host, it will try each one in order. If the Send Service cannot send the e-mail to any of the Relay Hosts, the e-mail will be requeued.
13. You have now configured a smart host. To route e-mails to this server when they trigger a rule, you need to set up a rule containing the Routing object. See Routing Object on page 209.

Table 3-20 Options for encrypted e-mails

| Option | Description |
| --- | --- |
| Always use STARTTLS | E-mails are sent encrypted using TLS. If the mail server does not support TLS, or the STARTTLS operation fails, the Send service sends a warning message, which is also logged in the system log, and temporarily fails the e-mails and requeues them. |
| Use STARTTLS if available, otherwise send unencrypted | E-mails are sent encrypted using TLS. However, if the mail server does not support TLS, the e-mails are sent unencrypted. |
| Use SMTPS on port (Default (recommended) port = 465) | E-mails are sent encrypted using SSL. If the mail server does not support SSL, or the SMTPS operation fails, the Send service sends a warning message, which is also logged in the system log, and temporarily fails the e-mails and requeues them. |

Deleting a Smart Host

To delete a Smart Host, follow Procedure 3-36. You cannot delete a Smart Host that is being used in a rule.

Procedure 3-36: Deleting a Smart Host

1. In the Server Configuration console, select the branch Send Service > Smart Host Routing.
2. Select the Smart Host you want to delete, and then click Delete.
3. You will be asked to confirm that you want to delete the selected Smart Host.

REQUEUING

If SurfControl Filter cannot send an e-mail, for example because it cannot connect to a remote mail host, it will store the e-mail in a queue and try to send it again at intervals. You can specify how often these attempts to resend e-mails take place. You can configure:

- How many times Filter will try to send the e-mail.
- The length of time between each attempt.

You can decrease the number of attempts and increase the time between each attempt over four stages.

Figure 3-13 shows a typical Requeuing Scheme dialog box:

Figure 3-13 Requeuing Scheme

Table 3-21 shows the default requeuing intervals:

Table 3-21 Requeuing intervals

| Stage | Retry attempts | Retry intervals | What happens |
| --- | --- | --- | --- |
| 1 | 12 | 15 min | Filter tries to send the e-mail once every 15 minutes for 12 attempts. |
| 2 | 21 | 60 min | Filter tries to send the e-mail once every 60 minutes for 21 attempts. |
| 3 | 8 | 360 min | Filter tries to send the e-mail once every 360 minutes for 8 attempts. |
| 4 | 0 | 1440 min | Filter tries to send the e-mail once every 1440 minutes for 0 attempts. |

You can change any of the retry attempts and retry intervals to suit your needs. However, SurfControl recommends that you leave the default settings unchanged.

Procedure 3-37: Changing the requeuing intervals

1. In the Server Configuration console, select the branch Send Service > Requeuing Scheme.
2. Change the number of attempts, or the number of minutes between each attempt, by entering new amounts in the boxes.

The requeuing intervals are added up to make the total retry time. If the Filter cannot send the e-mail once the total retry time has elapsed, the e-mail is designated a dead message.

Dead Messages

Dead messages have the file extension .msg.d and are stored in the Out folder. When you configure the requeuing schedule, you can choose to automatically delete dead messages as soon as the total retry time is up.

Procedure 3-38: Automatically deleting dead messages

1. In the Server Configuration console, select the branch Send Service > Requeuing Scheme.
2. Select Delete dead messages.
3. When the total retry time expires, the e-mail is deleted.

Note: Deleted e-mails cannot be retrieved.

Warning: If dead messages are allowed to build up in the \Out folder, this can impair the performance of the Send service and delay the delivery of e-mail.

If you do not discard dead messages automatically, they remain in the Out folder until you delete them manually. While they are held in the \Out folder you can attempt to re-send them using QueueView. See QueueView Window on page 95.
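How the encryption options of Tables 3-18 to 3-20 interact with the default requeuing scheme of Table 3-21, as an added Python model (not SurfControl code). It assumes that a requeue caused by a TLS failure follows the same scheme as any other send failure, that each retry falls at the end of its interval, and that a failed handshake under "Use STARTTLS if available" is requeued; the guide does not state these.

```python
"""Model: send-encryption option versus the requeuing scheme."""
from dataclasses import dataclass
from itertools import accumulate

# Option names as printed in Tables 3-18 to 3-20.
ALWAYS_STARTTLS = "Always use STARTTLS"
IF_AVAILABLE = "Use STARTTLS if available, otherwise send unencrypted"
SMTPS = "Use SMTPS on port"
CLEARED = "Send message encrypted: cleared"  # the documented default

# Table 3-21 defaults as (retry attempts, retry interval in minutes).
DEFAULT_SCHEME = [(12, 15), (21, 60), (8, 360), (0, 1440)]


@dataclass(frozen=True)
class Server:
    """What the receiving mail server does at one point in time."""
    offers_tls: bool            # advertises STARTTLS / accepts SSL on the SMTPS port
    handshake_ok: bool = True   # the TLS or SSL negotiation completes


def attempt(policy, server):
    """Outcome of one send attempt: sent-encrypted, sent-unencrypted or requeued."""
    tls_works = server.offers_tls and server.handshake_ok
    if policy == CLEARED:
        return "sent-unencrypted"
    if policy in (ALWAYS_STARTTLS, SMTPS):
        # The tables: warning message, temporary failure, requeue.
        return "sent-encrypted" if tls_works else "requeued"
    if policy == IF_AVAILABLE:
        if not server.offers_tls:
            return "sent-unencrypted"   # the documented fallback
        # Assumption: offered-but-failed handshake is requeued.
        return "sent-encrypted" if server.handshake_ok else "requeued"
    raise ValueError(f"unknown policy: {policy!r}")


def retry_offsets(scheme=DEFAULT_SCHEME):
    """Minutes after the first failure at which each retry is made."""
    gaps = [interval for attempts, interval in scheme for _ in range(attempts)]
    return list(accumulate(gaps))


def total_retry_minutes(scheme=DEFAULT_SCHEME):
    """The requeuing intervals added up, as the guide describes."""
    return sum(attempts * interval for attempts, interval in scheme)


def deliver(policy, server_at, scheme=DEFAULT_SCHEME):
    """Follow one e-mail until it is sent or becomes a dead message.

    server_at(minute) returns the Server state seen at that minute.
    Returns (outcome, minute); outcome "dead" means a .msg.d file in \\Out.
    """
    for minute in [0] + retry_offsets(scheme):
        outcome = attempt(policy, server_at(minute))
        if outcome != "requeued":
            return outcome, minute
    return "dead", total_retry_minutes(scheme)


if __name__ == "__main__":
    never_tls = lambda minute: Server(offers_tls=False)
    for policy in (CLEARED, IF_AVAILABLE, ALWAYS_STARTTLS, SMTPS):
        print(f"{policy:55} -> {deliver(policy, never_tls)}")
```

With the defaults, an e-mail for a server that never offers TLS leaves immediately in clear under the "if available" option, and sits in the queue for 4320 minutes (72 hours) before becoming a dead message under the two enforcing options.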

CONFIGURING THE ADMINISTRATION SERVICE

The Administration service controls general system settings and also has these branches:

- Configuration: to configure remote administration access to Filter.
- Certificate Management: to manage the certificate used for the Send and Receive services' TLS and SMTPS security features.

ADMINISTRATION SETTINGS - GENERAL

Figure 3-14 shows a typical Administration Settings - General screen:

Figure 3-14 Administration Settings - General

Administrator's Address

When you set up a protected domain you are asked to specify the address of the system administrator for that domain. If Filter needs to send a notification (for example an NDR), it examines each recipient of the e-mail and checks each domain against the Protected Domains list. When it finds a recipient in a protected domain, Filter sends the notification from the administrator of that domain. If none of the recipients are in any of the protected domains, Filter sends the notification from the address specified in the Administration Settings.

You cannot enter more than one address. However, if you create a group in Exchange that contains all the Filter administrators, you can enter the group address, for example, SEF_administrators@mycompany.com.

Print Configuration

You can print a record of your system configuration by clicking Print Configuration. A text file is displayed, which shows all the Server Configuration settings:

Figure 3-15 Configuration printout

By default the name of this file is STEFCFG_date_time (for example STEFCFG_09_Jul_2005), but you can save it under any name in any location.

CONFIGURING ADMINISTRATORS

Use the Configuration branch to configure access to remote administration of Filter. There are two methods of remote access:

- Web Administrator: The SurfControl Filter Web Administrator is a Web-based application that gives remote access to selected Filter functions from any computer through a Web browser.
- Administration Client: You can install the Filter Administration Client on a remote computer and use it to access the Filter user interface. For details of how to install the client, see the SurfControl Filter Installation Guide.

Remote Administration Permissions

Table 3-22 shows the remote administration permissions you can set, and which method of remote access you can use for each permission setting.

Table 3-22 Remote administration permissions

Permission setting and access:

- All Permissions: All of the permissions on the list below.
- Message Administration: View and work with isolated emails using Message Administrator functions. See Message Administrator on page 225 for more information about Message Administrator.
- Rules Administration: Create and manage rules to enforce your organization's AUP using Rules Administrator functions. See The Rules Administrator on page 99 for more information about Rules Administrator.
- Systems Administration: View the progress of emails through Filter in real time. See The Monitor on page 87. Configure SurfControl Filter using the Server Configuration console. See Setting Up Filter on page 13.
- Dictionary Management: Manage Dictionaries and their content. See Dictionary Management on page 247 for more information.
- View Logs: View the Traffic, Rules and System logs from a remote computer.
- User Management: Set administrative access to Filter.

Access method:

- Web Administrator: Yes, No, No, Yes, Yes, No
- Administration Client: Yes, Yes, Yes, Yes, Yes, Yes

Adding a Remote Administrator Account

To use Remote Administration you need to add administrator accounts and set their permissions. If there are no administrator accounts, Remote Administration is unavailable.

To add a remote administrator account, follow Procedure 3-39:

Procedure 3-39: Adding a remote administrator account

1. In the Server Configuration console, select the branch Administration > Configuration.
2. Click Add.
3. The User Profile dialog box is displayed.
4. Enter a user name, password and address for the administrator. The password must have at least six characters.
5. Select the permissions for the administrator. See Table 3-22, Remote administration permissions, on page 80 for a list of permissions. The Queues list displays the queues that are available to the administrator. Use Queue Management to change these settings. See Queue Management on page
6. Click OK.

Editing a Remote Administrator Account

To edit a remote administrator account, follow Procedure 3-40:

Procedure 3-40: Editing a Remote Administrator Account

1. In the Server Configuration console, select the branch Administration > Configuration.
2. Select an administrator from the list, and then click Edit...
3. The User Profile dialog box is displayed.
4. Change the user details or the permissions as needed.
5. Click OK.

Deleting a Remote Administrator Account

To delete a Remote Administrator account, follow Procedure 3-41:

Procedure 3-41: Deleting a Remote Administrator Account

1. In the Server Configuration console, select the branch Administration > Configuration.
2. Select an administrator from the list, and then click Delete...
3. To delete the profile, click Yes in the confirmation pop-up.

CERTIFICATE MANAGEMENT

You need to use a certificate for the TLS and SMTPS security features in the Send and Receive services. SurfControl supports two types of certificate:

- Self-signed: Self-signed certificates are useful to secure internal traffic between mail servers because verification/authentication is not an issue; all servers are owned by the company, and therefore trusted.
- CA (Certification Authority) signed: You can buy a certificate from a CA, such as Thawte or Verisign. To obtain a certificate, you need to submit a CSR (certificate signing request) to the CA. These CAs will only issue a certificate if they are satisfied that you own the domain that the certificate is being issued for.

Figure 3-16 shows a typical Certificate Management dialog box if there is no certificate installed and there is no pending certificate signing request (CSR).

Figure 3-16 Administration - Certificate Management

If there is a certificate installed, or a certificate is installed with a pending CSR, or there is a pending CSR and no certificate installed, the relevant details are displayed.

Using the Certificate Wizard

When you click Certificate Manager, the Certificate Wizard opens. Figure 3-17 shows the first page of the Certificate Wizard.

Figure 3-17 Administration Certificate Management - Certificate Wizard

The options available depend on the status of your certification. Using the Certificate Wizard, you can:

- Create a CSR.
- Create a self-signed certificate and install it.
- Assign an existing certificate, if you have one saved.
- Process a pending CSR and install the certificate.
- Delete a pending CSR.
- Remove the current certificate.

Warning: If you do not have a certificate installed, your server will not be able to send or receive securely.

Creating a Self-signed Certificate or CSR

To create a self-signed certificate or CSR, you need to enter the following information in the Certificate Wizard:

- A common name for the server. If your server is on the Internet, use a valid DNS name. If your server is on an Intranet, you might want to use the computer's NetBIOS name.
- An easily-remembered, friendly name for the certificate.
- The number of bits to be used to generate the certificate. The certificate is more secure if you select a higher number. Default = 1024
  Note: A higher strength security key might decrease performance.
- The name of your organization and your organizational unit (division or department).
- Your geographical information.
- CSR only. If you are creating a CSR, you also need to enter a file name (format *.txt) for the request file. Either accept the default file name, or enter or browse to the location of an existing file. When you have saved the file, you can send it (for example, by email) to your CA.

Assigning an Existing Certificate

If you have an existing certificate, you can select the file from a list of available certificates in the Certificate Wizard.

Processing a Pending CSR

If you select to process a pending CSR using the Certificate Wizard, you will enter or browse to the location of the .cer file that you received from the CA.

Deleting a Pending CSR

If you select to delete a pending CSR using the Certificate Wizard, any data from the pending CSR is removed, and you will not be able to process any future responses.

Note: You might want to notify your CA that your CSR has been deleted.

Removing a Current Certificate

If you select to remove a current certificate using the Certificate Wizard, the current certificate is removed from the server.

Warning: If you do not have a certificate installed, your server will not be able to send or receive securely.

CONFIGURATION COMPLETE

When you have completed all your server configuration changes, click OK to confirm your changes. The following message is displayed:

Figure 3-18 Configuration update message

Filter will then stop and restart any services that have changed in their configuration. You are now ready to begin filtering and monitoring email.

BACKING UP YOUR SERVER CONFIGURATION

You can back up the configuration settings you have chosen so that you can replicate them on other servers, or restore them if for any reason you have to reinstall Filter. Please see the Database Management Guide for details of how to use the database management utilities.

Chapter 4 The Monitor

- In This Chapter: page 88
- Launching the Monitor: page 88
- Parts of the Monitor Window: page 88
- QueueView: page 94

IN THIS CHAPTER

This chapter explains how to use the Monitor to view the progress of emails as they pass through Filter.

LAUNCHING THE MONITOR

To launch the Monitor, select Start > SurfControl Filter > Monitor. The Monitor window is displayed.

PARTS OF THE MONITOR WINDOW

The Monitor window is divided into panels, each showing information about a different part of the filtering process. Figure 4-1 shows the default layout of the panels:

- Service Panels
- Server status panel: shows how long each Filter service has been running for, and keeps count of all the actions applied to each email.
- Receive panel: shows the activity of the Receive service.
- Rules panel: shows the activity of the Rules service.
- Queue statistics panel: shows how many emails are held in each queue.
- Send panel: shows the activity of the Send service.
- Status bar: shows the status of the Receive, Rules and Send services.

Figure 4-1 The Monitor

You can drag the Server Status and Queue Statistics panels anywhere on the desktop. To hide or show the Server Status and Queue Statistics panels, click.

Table 4-1 to Table 4-5, starting on page 89, explain the parts of the Monitor window in more detail.

SERVICE PANELS

There are three service panels, which show the progress of emails through Filter:

Table 4-1 The service panels

- Receive panel: Shows activity by the Receive Service. When a mail server or firewall requests a connection with SurfControl Filter, a log entry is displayed in this panel.
- Rules panel: Shows activity by the Rules Service. When Filter checks an email against enabled rules, a log entry is displayed in this panel. When an email triggers an action (Isolate, Delay, Delete or Allow), the log entry is in red text. A log entry is also displayed in this panel when you update the Anti-Spam Agent.
- Send panel: Shows activity by the Send Service. When Filter delivers an email (including those released from isolate or delay queues), a log entry is displayed in this panel.

Clearing the Service Panels

To clear the service panels of all information, follow Procedure 4-1:

Procedure 4-1: Clearing the service panels

1. Right-click the service panel to clear of information. A shortcut menu is displayed.
2. Select Clear Console.
3. The information is cleared from the selected panel. When there is a new event, for example, the service is restarted or the service handles an email, log entries are again displayed in the service panel.
4. To clear all three service panels simultaneously, select View > Clear Status Windows.

Copying Service Panel Information to the Clipboard

You can copy the information displayed in each service panel to the clipboard to paste into another application, for example Notepad.

Procedure 4-2: Copying service panel information to the clipboard

1. Right-click in the service panel to copy. A shortcut menu is displayed.
2. Select Copy to Clipboard.
3. Paste the information into an application of your choosing, for example Notepad.

Changing the Information Displayed in the Service Panels

You can specify how much detail you want to be displayed in each service panel by changing the logging level. There are four levels:

Note: SurfControl recommends you keep the logging level set to 0 or 1, unless necessary for support purposes.

Level 0

Level 0 is the lowest logging level. At level 0 you will see only basic information about the status of email processing, for example:

- Blue text to show when the receive service has accepted an email.
- If the email has triggered a rule
- Blue text to show when the send service has sent an email.

Level 1

With the logging level set to 1 you will see more detailed information about service activity, for example:

- The SMTP conversation between the receive service and the connecting mail client.
- The status of the rule checking process.
- The SMTP conversation between the send service and the mail server it is connecting to.

Levels 2 and 3

Levels 2 and 3 display very detailed technical information sometimes used for diagnostic purposes. If you are discussing an issue with SurfControl Customer Support, you may be asked to increase your logging level to 2 or 3.

To change the logging level, follow Procedure 4-3:

Procedure 4-3: Changing the information in the service panels

1. Right-click the service panel to change. A shortcut menu is displayed.
2. Select Console Logging Level, then select the logging level (0 = least detail, 3 = most detail).
3. If you do not want information messages to be displayed, for example notification of configuration reloads, select Hide Info Messages.

THE SERVER STATUS PANELS

Note: To stop, start and pause services from the Server Status panel, right-click the service, and then select an action.

The Server Status panels show information about the running of the services and the connections they are making.

Information Displayed in the Server Status Panels

Table 4-2 shows the information displayed in the Receive service panel.

Table 4-2 Server Status panels - Receive service

- Uptime: Time since the Receive service was last started.
- Total messages: Number of emails handled by the Receive service during Uptime.
- Total MB: Amount of data in MB handled by the Receive service during Uptime.
- Connections:
  - Total: Total number of connections accepted during Uptime.
  - Active: Number of connections currently active.
  - Denied: Number of connections denied during Uptime.

Table 4-3 shows the information displayed in the Rules service panel.

Table 4-3 Server Status panels - Rules service

- Uptime: Time since the Rules service was last started.
- Enabled Rules: Number of rules currently enabled.
- Messages Pending: Number of emails in the \In folder awaiting checking against enabled rules.
- Statistics (Total):
  - Messages: Number of emails checked by the Rules service during Uptime.
  - Isolated: Number of emails moved to an Isolate folder during Uptime.
  - Delayed: Number of emails moved to the Delay folder during Uptime.
  - Discarded: Number of emails discarded during Uptime.
- Statistics (Last Hour):
  - Messages: Number of emails checked by the Rules service in the last hour.
  - Isolated: Number of emails moved to an Isolate folder in the last hour.
  - Delayed: Number of emails moved to the Delay folder in the last hour.
  - Discarded: Number of emails discarded in the last hour.

Table 4-4 shows the information in the Send Service panel:

Table 4-4 Server Status panels - Send service

- Uptime: Time since the Send service was last started.
- Total Messages: Total number of emails delivered by the Send service during Uptime.
- Total MB: Total amount of data in MB handled by the Send service during Uptime.
- Active Connections: Number of connections currently being made by the Send service.
- Messages Pending: Number of emails in the Out folder awaiting delivery.
- Failed Requeued: Number of emails that have been requeued because of a temporary failure to connect to the intended mail server.
- Dead Messages: Number of emails that could not be delivered and have been designated dead messages.

Clearing the Statistics

If you start the Rules service, the Statistics (Total) and the Statistics (Last hour) displays will reset to 0. To reset these statistics, right-click Rules Service and select Clear Statistics.

QUEUE STATISTICS AND STATUS BAR

The Queue Statistics panel shows information about queue folders and the emails held in them. The Status bar shows activity by the Receive, Rules and Send services.

Table 4-5 Queue Statistics and Status bar

- Queue Statistics: Shows all the queues currently set up, and the number of emails held in each queue. Double-click on a queue to view the contents in Message Administrator.
- Status bar: Each box on the status bar shows the status of a Filter service. From left to right the boxes show the status of the Receive, Rules and Send services respectively:
  - The left field (Receive service) shows the number of current connections to the Receive Service.
  - The middle field (Rules service) shows the number of currently active Rules processing threads. This number is equal to the number of emails currently being processed by the Rules service.
  - The right field (Send service) shows the number of connections being made by the Send service.

  If a service stops, an X is displayed in its status field; if the service is running but a connection cannot be made, a question mark is displayed. If a service is paused, a P is displayed in its status field.

QUEUEVIEW

If an email cannot be delivered immediately it is held in a queue while Filter attempts to deliver it. You can view the status of queued emails in the QueueView window.

LAUNCHING QUEUEVIEW

You can launch the QueueView window from the Start Menu, or from within the Monitor.

From the Start Menu

To launch QueueView from the Start menu, select All Programs > SurfControl Filter > QueueView.

From the Monitor

To launch QueueView from the Monitor, Click on the Toolbar.

Figure 4-2 shows a typical QueueView window:

Figure 4-2 QueueView window

QUEUEVIEW WINDOW

You can view information for three types of message file:

- Queued message files: If Filter cannot send an email immediately, it is requeued (see Requeuing on page 75) while Filter makes further attempts to send it.
- Pending message files: Pending messages are emails that are waiting for Filter to make an initial connection with a mail server so that they can be sent. If Filter attempts to make a connection but is unsuccessful, the email will then be queued.
- Dead message files: If Filter cannot send an email and the total requeuing period has passed, it is designated a dead message. The file is given a file extension of .d and held in the \Out folder until you act upon it.

To select a type of message file to view, follow Procedure 4-4.

Procedure 4-4: Selecting which emails to view

1. Launch QueueView.
2. Viewing Queued Messages: Select View > Queued files. The Queued Message Files view is displayed.
3. Viewing Pending Messages: Select View > Pending files. The Pending Message Files view is displayed.
4. Viewing Dead Messages: Select View > Dead files. The Dead Message Files view is displayed.

Each view is divided into columns showing the following information:

Table 4-6 QueueView Columns

- File Name: The file name of the email. The email is stored under this name in the Out folder.
- Date: The date that the email was placed in the Out folder.
- Time: The time that the email was placed in the Out folder.
- Recipient: The recipient in the email's To: field.
- Sender: The sender in the email's From: field.
- Subject: The subject in the email's Subject: field.
- Attempts: The number of attempts that Filter has made to send the email.
- Reason for failure: The reason Filter was unable to deliver the email, for example if the recipient's address is invalid.

You can drag the QueueView columns to rearrange the order.

RE-SENDING A QUEUED OR DEAD MESSAGE

You can re-send dead or requeued emails. This means that SurfControl Filter will make a further attempt to deliver the email.

Procedure 4-5: Re-sending a Queued or Dead Email

1. Launch QueueView and select the view; either Queued Message Files or Dead Message Files.
2. Select the email you want to re-send. Use Shift or Ctrl to select more than one email.

Procedure 4-5: Re-sending a Queued or Dead Email (Continued)

3. Right-click the selected email. A shortcut menu is displayed.
4. Select Resend Message.
   Note: When an email is designated a dead message, a failure report is sent to the sender. If you re-send the email and it still cannot be sent, further failure reports will be sent. You should therefore avoid re-sending dead messages unless you are sure that they will be delivered successfully.
5. You will be asked to confirm that you want to resend the selected email.

DELETING A QUEUED OR DEAD EMAIL

You can delete queued or dead emails. This means that the email will be irreversibly deleted, and will not be sent.

Procedure 4-6: Deleting a Queued or Dead Email

1. Launch QueueView and select the view you want to work with, either Queued Message Files or Dead Message Files.
2. Select the email you want to delete.
3. Right-click the selected email. A shortcut menu is displayed.
4. Select Delete Message.
5. You will be asked to confirm that you want to delete the selected email.

You can automatically delete dead messages immediately after the requeuing period has passed. See Dead Messages on page

Chapter 5 The Rules Administrator

- In This Chapter: page 100
- Launching the Rules Administrator: page 100
- How Filter Uses Rules: page 102
- Rules Objects: page 103
- Building a Rule: page 103
- Positioning of Rules: page 108
- Pre-defined Rules: page 110
- Rule Groups: page 112
- Exporting Rules: page 114
- Importing Rules: page 115
- Configuring the Rules Administrator: page 116

IN THIS CHAPTER

You use the Rules Administrator to define, create and manage the rules that support your Acceptable Use Policy. This chapter explains how Filter uses the rules you specify to check email. In this chapter you will also learn how to:

- Configure the Rules Administrator to suit your needs.
- Use SurfControl Filter's preconfigured rule set.
- Create your own custom rules using the Rule objects.
- Manage and organize rules for optimum performance.

The chapter Rules Objects on page 125 gives a detailed breakdown of each Rule object and how to include it in a rule.

LAUNCHING THE RULES ADMINISTRATOR

To launch the Rules Administrator, select Start > All Programs > SurfControl Filter > Rules Administrator.

Figure 5-1 Launching Rules Administrator from the Start menu

RULES ADMINISTRATOR WINDOW

Figure 5-2 shows a typical Rules Administrator window:

- Toolbar: icons to manage rules and launch other Filter components.
- Tabs: divide the Rules objects into logical groups.
- Rules panel: displays all available rules and their status.
- Rules objects panel: displays all available Rules objects.
- Rules palette: drag and drop the Rules objects here to build or modify a rule.

Figure 5-2 The Rules Administrator window

RULES PANEL

The upper part of the window displays all the available rules:

- The rules are grouped into a logical order. You can create and delete groups, and move rules from one group to another.
- Rule description: when you create a Rule you can give it a summary description.

Figure 5-3 Rules panel

Figure 5-4 shows details of the information shown for rules:

- If this box is selected, all the rules in the group are enabled.
- The group that the rule belongs to.
- The number of enabled rules in the group.
- If this box is selected, the rule is enabled.
- The name of the rule.
- What the rule does.

Figure 5-4 Rule information

RULES OBJECT PANEL

The lower part of the window shows:

- The list of Rules objects you can use to build a rule.
- The Rules palette, where you build and modify rules.

Callouts in Figure 5-5:

- There are five types of Rules object. When you select a type of Rules object, the objects belonging to that type are displayed here.
- When you select a Rule from the list, the objects used to create the rule are displayed here.

Figure 5-5 Rules objects and Rules palette

HOW FILTER USES RULES

The Rules service checks the email against the list of enabled rules, starting at the top of the window and working through the enabled rules in order until the email triggers a rule. If an email triggers a rule, Filter uses the action specified in the rule.

The four Actions objects (Allow, Delay, Discard, Isolate) are terminating actions. When Filter performs a terminating action on an email, no further processing takes place. If an email passes all the rules checks without being isolated, delayed or discarded, it is placed in the \Out folder for delivery to its destination.

RULES OBJECTS

Rules objects are the basic logical units that you use to create a rule. There are five types of Rules object. Starting with the Who object, Table 5-1 describes the rules and shows the logical order in which they should be added to a rule.

Table 5-1 Types of Rules object

- Who: A Who object in a rule affects who the rule applies to, for example an individual, a department, senders or recipients of email. If you don't include a Who object in a rule it will apply to everybody sending and receiving email in and out of your protected domain. Find out more: Who Objects on page 128.
- What: A What object in a rule checks the characteristics of the email against the criteria you specify, for example size, content, type of attachments. Find out more: What Objects on page 145.
- Operations: An Operations object in a rule will modify the email in some way, for example by adding a footer. Find out more: Operations Objects on page 198.
- Notify: A Notify object in a rule will send an email to the user you specify to notify them that a rule has been triggered. Find out more: Notify Objects on page 213.
- Actions: An Actions object in a rule will perform an action on the email, for example isolating it. When an action has been carried out, no further processing takes place on the email. Find out more: Actions Objects on page 218.

BUILDING A RULE

To build an effective rule, SurfControl have the following guidelines:

- Begin with a Who object.
- Work through the object types in the order they are shown on the Rules object panel: Who > What > Operations > Notify > Actions
- You do not have to include every object type in every rule, but without a Who or What object, every email will trigger the rule.
- Finish with an Action object.

CONNECTING RULES OBJECTS

You can connect Rules objects together in different ways, depending on how you want the rule to work. Rules objects connected together form logic blocks, and you can connect these logic blocks to form a complete rule. There are four logical connections you can use:

Table 5-2 Rule connectors

- IF: The opening statement of a rule.
- AND: Adds extra conditions to the logic block.
- OTHERWISE IF: Creates a new logic block that will trigger if the conditions of its preceding logic block are not met.
- THEN: Connects the conditions to an event which will take place if the conditions are met: a Notify, Operations or Action object.

For example, this rule has two logic blocks and uses all four connectors:

Procedure 5-1 shows how to create a rule. As an example, this procedure creates a rule that will isolate emails containing links to inappropriate Web sites.

Procedure 5-1: Creating a Rule

1. Right-click any rule in the Rules description area. A shortcut menu is displayed.
2. Select New Rule...

Procedure 5-1: Creating a Rule (Continued)

3. The New Rule dialog box is displayed.
4. Enter the name of the rule in the Rule name: text box. In the Rule description: text box, enter a brief description of what the rule will do.
5. If you want the rule to be enabled as soon as you create it, select the Enabled check box.
   Note: The rule will not be applied to emails until you save your changes.
6. Click OK.
7. The Rules palette is cleared. You can now add Rules objects.
8. To select a Who object: Select the Who tab. Available Who objects are listed.

Procedure 5-1: Creating a Rule (Continued)

9. Select a Who object and drag it into the Rule palette. The dialog box for the object is displayed, where you can specify the exact conditions of the object. To learn more about Rules objects and how to configure them, see Rules Objects on page 125.
   Note: You do not have to use a Who object in all the rules you create. If you want a rule to apply to everybody sending email to or from your organization, do not use the Who object.
10. When you have configured the Who object, click OK. A Continue Processing object is automatically added to the end of the logic block, and will remain there until you select an Action object to specify how Filter deals with emails that trigger the rule.
11. To select a What object to specify what criteria to apply to emails: Select the What tab. The available What objects are listed.
12. Drag the What object into the Rules palette and place it under the Who object. A dialog box is displayed that enables you to configure the object. Configure the object as needed, and then click OK. For a full description of each object, see Rules Objects on page 125.

Procedure 5-1: Creating a Rule (Continued)

13. The What object is displayed under the Who object.
14. Add further objects to develop your rule as needed.
15. Click to save your changes.

Note: Your rule will not be available until you save your changes and enable the rule. To enable the rule, see Procedure 5-2 on page 107.

ENABLING A RULE

To enable a rule, follow Procedure 5-2:

Procedure 5-2: Enabling a Rule

1. Select the check box next to the rule that you want to enable.
2. Click to save your changes.

Note: You must save your changes for the rule to be applied to emails.

DELETING A RULE

To delete a rule, follow Procedure 5-3:

Procedure 5-3: Deleting a Rule

1. Select the rule to delete.
2. Click.
3. You will be asked to confirm if you want to delete the selected rule.
4. Click to save your changes.

Note: If you do not save your changes, the rule will continue to apply to emails.

POSITIONING OF RULES

When Filter processes an email, it checks the email against each of the rules in order, from the top of the screen, until it reaches a terminating action (Allow, Delay, Discard or Isolate) or until the email has been checked against all the rules and allowed to continue. Changing the order of rules can therefore change which emails trigger rules and which are allowed to reach their destination.

Rules are always processed from the top of the screen to the end, regardless of the Rule Group they are in:

Figure 5-6 Rules are processed from top to bottom. When an email triggers a rule with an Action object (Allow, Delay, Discard or Isolate) it is not checked against any subsequent rules.

In the example below, the user has placed a rule allowing all email from the systems administrator above a rule to detect virus-infected email. This means that if the administrator were to send a virus-infected email, it would be checked by the first rule and allowed to continue without any further processing. The email would not be checked against the Anti-Virus Agent rule because it had already encountered a terminating action (the Allow object in the first rule).

MOVING RULES

Use the arrow buttons and to move a selected rule up or down the order. Alternatively, use the mouse to drag the rule into position. A red line indicates where the rule will be placed.

Figure 5-7 Moving a rule
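The ordering pitfall described above (an Allow rule for the administrator placed above the Anti-Virus Agent rule) can be modelled in a few lines. This is an added Python sketch, not SurfControl code: the Rule class, the security_check flag, the message dictionaries, the "infected" scanner verdict and the "Allow administrator" and "Add footer" rules are assumptions made for illustration, while the rule and group names "Anti-Virus Agent", "Executables" and "Virus Protection Rules" come from the guide.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The four terminating actions named in the guide.
TERMINATING = {"Allow", "Delay", "Discard", "Isolate"}


@dataclass
class Rule:
    name: str
    group: str                           # display grouping only; never affects order
    condition: Callable[[dict], bool]    # stands in for the Who/What objects
    action: str = "Continue Processing"  # placeholder until an Action object is added
    enabled: bool = True
    security_check: bool = False         # assumption: marks rules that should always run


def evaluate(rules: List[Rule], message: dict) -> Tuple[str, Optional[str], List[str]]:
    """Walk enabled rules top to bottom; stop at the first terminating action.

    Returns (outcome, name of the deciding rule, names of the rules checked).
    """
    checked = []
    for rule in rules:
        if not rule.enabled:
            continue
        checked.append(rule.name)
        if rule.condition(message) and rule.action in TERMINATING:
            return rule.action, rule.name, checked
    # No terminating action fired: the message is queued for delivery.
    return "Deliver", None, checked


def shadowed_checks(rules: List[Rule]) -> List[Tuple[str, List[str]]]:
    """Report each enabled Allow rule together with the security rules below it.

    Any message matching such an Allow rule never reaches the rules listed.
    """
    findings = []
    for index, rule in enumerate(rules):
        if rule.enabled and rule.action == "Allow":
            below = [r.name for r in rules[index + 1:]
                     if r.enabled and r.security_check]
            if below:
                findings.append((rule.name, below))
    return findings


# Constructed sample data -------------------------------------------------
ADMIN = "sysadmin@example.com"  # constructed address


def from_admin(msg: dict) -> bool:
    return msg["sender"] == ADMIN


def has_infected_attachment(msg: dict) -> bool:
    # "infected" stands in for the verdict of a virus scanner.
    return any(a["infected"] for a in msg["attachments"])


def has_executable(msg: dict) -> bool:
    return any(a["name"].lower().endswith(".exe") for a in msg["attachments"])


allow_admin = Rule("Allow administrator", "Spam Rules", from_admin, "Allow")
add_footer = Rule("Add footer", "Network Resources Rules", lambda m: True)
anti_virus = Rule("Anti-Virus Agent", "Virus Protection Rules",
                  has_infected_attachment, "Isolate", security_check=True)
executables = Rule("Executables", "Virus Protection Rules",
                   has_executable, "Isolate", security_check=True)

RISKY_ORDER = [allow_admin, add_footer, anti_virus, executables]
SAFER_ORDER = [anti_virus, executables, allow_admin, add_footer]

INFECTED_FROM_ADMIN = {
    "sender": ADMIN,
    "attachments": [{"name": "report.doc", "infected": True}],
}
CLEAN_FROM_USER = {"sender": "user@example.com", "attachments": []}

if __name__ == "__main__":
    print(evaluate(RISKY_ORDER, INFECTED_FROM_ADMIN))
    print(evaluate(SAFER_ORDER, INFECTED_FROM_ADMIN))
    print(shadowed_checks(RISKY_ORDER))
```

Running shadowed_checks over an exported rule order before saving it gives a quick review list of Allow rules that bypass scanning.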

PRE-DEFINED RULES

SurfControl Filter is supplied with a comprehensive series of preconfigured rules, so that you can start filtering immediately. Although the preconfigured rules are a quick and easy way to begin filtering e-mail, you will still need to enter some details to make the rules work correctly in your organization. For example, you will need to enter your domain name in the Footers & Banners Rule, and specify the location of your anti-virus scanning software for the Virus Rule.

Procedure 5-4: Using the Rule Configuration wizard

1. To enable a rule, select its check box.
2. If the rule needs to be configured, the Rule Configuration wizard is displayed. Click Next.
3. Follow the instructions in the wizard to configure the rule.

If you enable a rule but don't fill in the Configuration wizard, the rule may not filter e-mail correctly.

Editing Pre-defined Rules

Clicking on each rule will reveal its objects in the Rules palette. You can edit these pre-defined rules to suit your organization in the same way as if you were creating a new rule. See Building a Rule on page 103 to find out more about how to create rules, or the chapter Rules Objects on page 125 for a full list of Rules objects.

Table 5-3 lists the pre-defined rules.

Table 5-3 Pre-defined Rules (Rule Group, then Rule: What it does)

Network Security Rules
- Loop Detection: Isolates e-mails that loop more than 5 times.
- Illegal MIME format: Isolates non-standard or malformed e-mails.
- Encrypted: Detects if staff are transmitting S/MIME or PGP files.
- Compressed: Isolates mail that fails automatic decompression.

Virus Protection Rules
- VBS Scripts: Strips VBS attachments from e-mails.
- Anti-Virus Agent: Isolates e-mails that contain a virus that cannot be cleaned.
- Third-party Virus Scanning: Isolates e-mails that contain virus-infected or suspect attachments.
- Executables: Isolates e-mails that contain executable attachments.

Spam Rules
- Whitelist: Allows e-mails from designated parties.
- Anti-Spam Agent - DFP: Isolates e-mails that trigger the Anti-Spam Agent Digital Fingerprinting component.
- Anti-Spam Agent: Isolates e-mails that trigger the Anti-Spam Agent Heuristics or LexiRules components.
- Internet Threat Database - Spam: Isolates e-mails from the database that contain spam-, phishing-, fraud- or spyware-related URLs.
- HTML Stripper: Strips active HTML components from e-mails.

Inappropriate Material Rules
- Virtual Image Agent: Isolates e-mails that contain explicit adult images.
- Graphics Sound Video: Isolates e-mails containing graphics, sound or video files.
- Adult Dictionary: Isolates e-mails with an Adult dictionary score > 100.
- Gambling Dictionary: Isolates e-mails with a Gambling dictionary score > 100.
- Offensive or Derogatory: Isolates e-mails with Hate or Violence Dictionary.
- Internet Threat Database - Inappropriate: Isolates e-mails from the database that contain inappropriate URLs.

Network Resources Rules
- Files > 5MB: Automatically compresses e-mails larger than 5 MB.
- Files > 2MB: Delays e-mails larger than 2 MB.
- More than 10 recipients: Blind copies the administrator if the e-mail has more than 10 recipients.

Compliance Rules
- Credit Cards: Isolates e-mails that contain credit card numbers.
- Social Security Numbers: Isolates e-mails that contain Social Security numbers.
- Medical Records: Isolates e-mails that contain medical records.

(Sheet 1 of 2)

Table 5-3 Pre-defined Rules (Continued)

Confidential Information Rules
- Competitors: Isolates e-mail transmission to competitors.
- Computer Security: Isolates outbound e-mails containing the word username or the word password.
- Confidential Information: Isolates outbound e-mails containing intellectual property or confidential data.

Other
- Footers: Attaches an outbound or inbound footer.

(Sheet 2 of 2)

RULE GROUPS

You can organize your rules by moving them into groups. Rule groups make it easier to manage and apply your rules, so that you can:

- Keep similar rules together.
- Enable all similar rules (for example all the anti-spam rules) with a single mouse click.
- Delete a rule set you no longer need quickly and easily.

Filter's pre-configured rules are already organized into five groups (see Table 5-3 on page 111).

Creating a Rule Group

To create a rule group, follow Procedure 5-5:

Procedure 5-5: Creating a Rule Group

1. Select Rule > New Group. Alternative: click. The New Group dialog box is displayed.
2. Enter a name for the group.
3. To create a new rule within the new group, select Create a New Rule.

(Sheet 1 of 2)

Procedure 5-5: Creating a Rule Group (Continued)

4. Click OK. The new group is displayed in the Rules pane. If you selected Create a New Rule, the New Rule dialog box is displayed automatically. The new rule you create is automatically placed inside the group that you have created.

(Sheet 2 of 2)

Moving a Rule into a Group

To move a rule into a group, click the rule you want to move and drag it onto the group. When the mouse pointer is positioned correctly over a rule, you will see a red arrow. This means that if you release the mouse button, the rule will become part of that group:

Figure 5-8 Moving a rule into a group

Working with Groups of Rules

Note: You must save your selected rules to activate them.

You can enable all the rules in a group by selecting the check box of the group. All the rules in the group are selected automatically:

Figure 5-9 Enabling a group of rules

Clear the check box next to the group to disable all the rules in the group:

Figure 5-10 Disabling a group of rules

If you do not select all of the rules in a group, the group check box is shown grayed to indicate that the group is partially selected:

Figure 5-11 A partially enabled group

EXPORTING RULES

You can export rules into a separate .rul file, which you can then use to restore your saved rule set. This is useful if you are deploying Filter on multiple servers, if you are undertaking server maintenance and want to keep your current rule configuration in place, or if you want to make a backup of your rules.

To export your rules to a .rul file, follow Procedure 5-6:

Procedure 5-6: Exporting Rules

1. In the Rules panel, select the rules to export. You can select any number of rules or groups, or the entire rule set.
   Note: When you export a rule group, all the rules within that group are exported.
2. Select File > Export Rules.
3. The Save As dialog box is displayed. Save your .rul file in the required location.
4. Click. A confirmation message is displayed when Filter has successfully exported the rules.

IMPORTING RULES

You can import a .rul file containing Filter Rules.

Note: If a rule you are importing already exists in the Rule panel, Filter will add an additional copy. Importing a rule does not overwrite any of your current rules.

You can:

- Import a rule set that you have previously exported.
- Import the same rule set onto each server running Filter in your organization.
- Restore the default rule set that is included in the Filter install.

To import a .rul file into Filter, follow Procedure 5-7:

Procedure 5-7: Importing Rules

1. From the File menu, select Import Rules. The Open dialog box is displayed.
2. Select the .rul file you want to import.
3. Click Open. The Import Rules dialog box is displayed, which shows a list of rules that the .rul file contains.
4. Select the rules to import. If you select a rule group, all the rules in that group are imported.
5. Specify where you want the selected rules to be placed in the Rules panel:
   - Insert after the selected rule: the imported rules will be placed after whichever rule is currently highlighted in the Rules panel.
   - Insert after the last rule: the imported rule will be placed at the end of the list of rules.
6. Click Import. The imported rules are displayed in the Rules panel.

CONFIGURING THE RULES ADMINISTRATOR

There are four configuration settings you can apply to the Rules Administrator. These settings affect the way e-mails are checked against the Rules, and can affect the speed with which e-mails proceed through the rules checking process. Table 5-4 lists the configuration settings:

Table 5-4 Rules Administrator Configuration (Setting: What it does)

- Dictionary Scanning: Specifies which files are scanned against the dictionaries for content that could trigger a rule. Specify how much of each file is scanned.
- Password Protected Archives: Sets up decompression of encrypted and password protected files.
- Document Decomposition: Set up the extraction of data from compound document files, so that Filter can check them against the rules. See Document Decomposition on page 390.
- HTML Parser: Set up the parsing of HTML e-mails to combat HTML spam.

CONFIGURING DICTIONARY SCANNING

Many rules check the contents of an e-mail and its attachments against the SurfControl Dictionaries. However, some file types are more suitable for dictionary scanning than others. To save processing time, you can select not to scan certain file types, for example, image or audio files, or to only scan a specified amount of each e-mail.

To configure Dictionary Scanning, follow Procedure 5-8:

Procedure 5-8: Configuring Dictionary Scanning

1. Launch the Rules Administrator.
2. From the Tools menu, select Options. The System Options dialog box is displayed.
3. Select the Dictionary Scanner tab.
4. Specify how much of each e-mail is to be scanned against the dictionaries: Default = 10KB, Maximum = 10,000KB. The more of each file is scanned, the longer it takes to check each e-mail against the rules.
5. Select which file types are to be exempt from dictionary scanning. You can select groups of file types, for example audio files, or specific file types, for example, MP3s.
6. To add a file type to the list, click Add extension.
7. Enter the file type in the text box.
   Note: Do not include the period (.) character. For example, enter txt, not .txt
8. To remove a file type that you have added, select it, and then click Remove extension.
   Note: You cannot delete the preset file extensions.
9. Click OK.

CONFIGURING PASSWORD PROTECTED ARCHIVES

You can prevent unauthorized users from sending password protected archive files, for example, a zip file with a password, by entering recipient/password pairs on the Password Protected Archives tab. You can specify which users are allowed to send password protected archive files, and the password that they will use to create these files. SurfControl Filter will use the password to decompress the file and scan the contents.

If a user that has not specified a password attempts to send an e-mail with a password-protected archive file, or uses a different password, the e-mail will trigger the preconfigured rule, if enabled.

To add a recipient/password pair, follow Procedure 5-9:

Procedure 5-9: Adding a recipient/password pair for decompression

1. Launch the Rules Administrator.
2. Select Tools > Options. The System Options dialog box is displayed.
3. Select the Password Protected Archives tab.
4. Click Add. The Enter Recipient/Password Pair dialog box is displayed.
5. In the Recipient: text box, enter the name of the recipient to add. To find a recipient, click Browse.

(Sheet 1 of 2)

Procedure 5-9: Adding a recipient/password pair for decompression (Continued)

Browsing for Recipients

6. The Select Users dialog box is displayed. You can select to retrieve the following users:
   - Monitored External users
   - Monitored Internal users
   - Imported users/groups database
   - Windows address book
   - Outlook address book
   Select which user you want to retrieve from the Select users from: drop-down menu.
7. Click Add.

Retrieving recipients using LDAP

8. You can also retrieve a list of recipients using an LDAP connection. If you have already configured a connection to the LDAP server, the connection will be listed in the Select users from: drop-down menu. To configure a connection to the LDAP server, click LDAP and follow Procedure 6-4 on page 132.
9. The recipients retrieved are displayed in the user list. To add a user, select it and click Add.
10. When you have selected the user, click OK. The user name or e-mail address will then display in the Recipient box.

(Sheet 2 of 2)

CONFIGURING DOCUMENT DECOMPOSITION

Filter can extract data from supported files, and apply the current filtering rules to that data. You can decompose documents and then:

- Scan extracted text with the Dictionary Scanner object.
- Examine extracted pictures with the Virtual Image Agent object.
- Detect executables that are embedded in a file.
- Scan extracted files with the Anti-Virus Agent.

By default, decomposition of all documents is enabled. Filter can decompose nested and combined containers with up to 25 levels of depth. For example, a Word document inside a Zip container that is inside an Excel workbook.

To enable document decomposition, follow Procedure 5-10:

Procedure 5-10: Enabling document decomposition

1. Launch Rules Administrator.
2. Select Tools > Options. The System Options dialog box is displayed.
3. Select the Document Decomposition tab.
4. Select Enable document decomposition.
5. Click OK.

Choosing Which Files are Decomposed

You can specify which document types and data you want to be decomposed.

Table 5-5 Advanced document decomposition options (Option: Data extracted)

- Microsoft Word Documents: Text and Pictures included in Word document files (*.doc, *.dot).
- Microsoft Excel Workbooks: Text and Pictures included in Excel workbook files (*.xls, *.xlt).
- Microsoft PowerPoint Presentations: Text and Pictures included in PowerPoint presentations (*.pps, *.ppt).
- OLE Embedded Files: Embedded files (OLE objects) from any of the Microsoft Office document types listed above.
- Web Archives: Files in MIME format.
- Microsoft Mail Data: Files in TNEF format.
- Rich Text Documents: .rtf files.
- Adobe PDF Documents: PDF documents created using Adobe Acrobat.

For a full list of the Microsoft Office programs and versions that Document Decomposition supports, see Supported File Types on page 386.

To select the file types that are to be decomposed, follow Procedure 5-11:

Procedure 5-11: Selecting the file types to decompose

1. Launch Rules Administrator.
2. Select Tools > Options. The System Options dialog box is displayed.
3. Select the Document Decomposition tab.
4. Click Advanced. The Advanced Properties dialog box is displayed.
5. Select the document types you want document decomposition to extract data from.
6. Click OK.

CONFIGURING HTML PARSING

A common spamming technique is to use HTML tags to break up the flow of text to defeat anti-spam filters. The HTML Parser extracts the user-visible text from the HTML document so that it can be scanned by the Dictionary Scanner. User-visible text is text which is visible to the user, as opposed to white-on-white text, text in hidden HTML tags or text outside the valid parts of an HTML document.

Note: As well as extracting visible text, the HTML parser will also extract any URLs from the body of the e-mail into a text file called SC_URL.txt. You can examine this file in Message Administrator.

There are two types of HTML parsing that you can enable:

- HTML extraction from e-mail body: this extracts the user-visible text from the e-mail body so that the text can be scanned.
- Text extraction from HTML attachments: this extracts text from HTML attachments so that the text can be scanned.

For example, here is the body of an HTML spam e-mail:

Figure 5-12 HTML spam e-mail

Here is a section of source code from the same e-mail:

<B>Re<!KQ>tail or online, big or small, we provide businesses o<!nj>f all <!KQ>t<!HOM>ypes an oppor<!kq>tuni <!KQ> t<!hom>y <!KQ> to have <!KQ> theirown no hassle Credi<!KQ>t Card Merchan<!KQ>t Accoun<!KQ>t.

The spammer has inserted HTML tags into the middle of words to avoid detection. When the HTML Parser is enabled, the HTML tags are removed so that the remaining text can be scanned by the dictionary scanner.
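The visible-text extraction described above, sketched as an added Python example (it is not SurfControl's HTML Parser). It goes slightly beyond the sample by also dropping white-on-white text and hidden elements and by collecting URLs, as the section describes; the SAMPLE message, the dictionary phrases and all function names are constructed for illustration.

```python
"""Visible-text extraction from HTML mail (constructed example)."""
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}


def norm_color(value):
    """Normalise a few colour spellings so 'white', '#FFF' and '#ffffff' compare equal."""
    v = value.strip().lower()
    v = {"white": "#ffffff", "black": "#000000"}.get(v, v)
    if len(v) == 4 and v.startswith("#"):
        v = "#" + "".join(ch * 2 for ch in v[1:])
    return v


def inline_style(attrs):
    """Parse a style="a:b; c:d" attribute into a dict."""
    pairs = (d.split(":", 1) for d in (attrs.get("style") or "").split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.urls = [], []
        self.stack = []              # (tag, hides_content) for each open element
        self.background = "#ffffff"  # assumed default page background

    def hides(self, tag, attrs):
        style = inline_style(attrs)
        if tag in ("script", "style"):
            return True
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            return True
        color = attrs.get("color") or style.get("color")
        return bool(color) and norm_color(color) == self.background

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body" and attrs.get("bgcolor"):
            self.background = norm_color(attrs["bgcolor"])
        for name in ("href", "src"):
            if (attrs.get(name) or "").lower().startswith(("http://", "https://")):
                self.urls.append(attrs[name])
        if tag not in VOID:
            self.stack.append((tag, self.hides(tag, attrs)))

    def handle_endtag(self, tag):
        # Tolerate bad nesting: close back to the nearest matching open tag.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if not any(hidden for _, hidden in self.stack):
            self.parts.append(data)
    # Comments, including bogus ones such as <!KQ>, go to handle_comment(),
    # left as the default no-op, so the two halves of a split word rejoin.


def extract(html):
    """Return (user-visible text with collapsed whitespace, list of URLs)."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.parts).split()), parser.urls


def dictionary_hits(text, phrases):
    """Case-insensitive whole-phrase matches, standing in for a dictionary scan."""
    low = text.lower()
    return [p for p in phrases if re.search(r"\b" + re.escape(p.lower()) + r"\b", low)]


# Constructed message modelled on the fragment quoted in the guide.
SAMPLE = (
    '<html><body bgcolor="#FFFFFF">'
    '<b>Re<!KQ>tail or online, we provide a no hassle '
    'Cre<!nj>di<!KQ>t Ca<!HOM>rd Merchan<!KQ>t Accoun<!KQ>t.</b> '
    '<font color="white">quarterly meeting agenda minutes</font> '
    '<span style="display:none">budget review</span> '
    '<a href="http://example.test/offer">Apply</a>'
    '</body></html>'
)
PHRASES = ["credit card", "merchant account"]  # constructed dictionary entries

if __name__ == "__main__":
    visible, urls = extract(SAMPLE)
    print(dictionary_hits(SAMPLE, PHRASES), dictionary_hits(visible, PHRASES), urls)
```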

To enable HTML parsing, follow Procedure 5-12:

Procedure 5-12: Enabling HTML Parsing

1. Launch the Rules Administrator.
2. Select Tools > Options. The System Options dialog box is displayed.
3. Select the HTML Parser tab.
4. Select which types of HTML parsing you want to use with e-mails. By default, both are enabled.
5. Click OK.

For a full description of each rule object, see Rules Objects on page 125.

Chapter 6 Rules Objects

In This Chapter 126
Adding a Rule Object to a Rule 126
Who Objects 128
What Objects 145
Operations Objects 198
Notify Objects 213
Actions Objects 218

IN THIS CHAPTER

This chapter gives a detailed description of each rule object, and an explanation of how to include it in a rule.

ADDING A RULE OBJECT TO A RULE

The process of adding any rule object to a rule is the same:

Procedure 6-1: Adding a Rule object to a rule

1. Launch the Rules Administrator.
2. Select the rule object you want to include in your rule.
3. Drag the Rule object into position in the Rules palette.
4. The dialog box for the object is displayed. Enter the criteria that Filter will use to check e-mails. You can find out how to configure each rules object later in this chapter.
5. Click OK.

(Sheet 1 of 2)

Procedure 6-1: Adding a Rule object to a rule (Continued)

6. You will see your criteria displayed in the Rules palette. You can move the object into different positions to change the logic of the rule.

(Sheet 2 of 2)

REVERSE LOGIC

The logic of rule objects can be reversed by applying a reverse logic condition. This means that if the criteria in the rule object are not met, the rule will trigger. For example, this rule isolates any e-mail sent from mycompany.com:

Figure 6-1 Rule without reverse logic

If you applied reverse logic to the From Users and Groups object, the rule would change to:

Figure 6-2 Rule with reverse logic

If reverse logic is available for a rule object, there is a Reverse Logic check box on its dialog box. Each rule object is explained fully in this chapter, including an explanation of how reverse logic can be applied.

WHO OBJECTS

A Who object checks the sender and the recipients of each e-mail against the criteria you specify. If you do not include a Who object in a rule, it will apply to every e-mail sent to and from your protected domain. There are three Who objects:

- From Users and Groups
- Inbound/Outbound mail
- To Users and Groups

FROM USERS AND GROUPS

The From Users and Groups object checks the contents of an e-mail's From: field against the criteria you specify. Filter can check whether or not the e-mail comes from a specified address, group or domain.

CONFIGURING THE FROM USERS AND GROUPS OBJECT

To specify which sending users and groups the rule will look for, follow Procedure 6-2:

Procedure 6-2: Specifying a sending user or group

1. Drag the From Users and Groups object into position on the Rules palette.

(Sheet 1 of 2)

Procedure 6-2: Specifying a sending user or group (Continued)

2. The From Users and Groups dialog box is displayed.
3. Click Add. The Add Senders dialog box is displayed.
4. Enter one or more e-mail addresses or domains to detect. Separate multiple entries with a semicolon.
5. Click OK. The senders are displayed in the Message senders: list, where icons distinguish an individual e-mail address from a domain.
6. Click OK. The users and groups that you added are displayed in the Rules palette in the From Users and Groups object.

(Sheet 2 of 2)

Retrieving User Information From a Data Source

As well as entering user details manually, you can also retrieve a list of users and groups from your system that you can use in a rule. The advantages of this are:

- You can add many users, domains or groups at one time.
- You do not have to remember user details.
- You do not have to risk misspelling user details by typing them in.

There are six ways to automatically retrieve user information.

Table 6-1 User lists (Data Source: Details)

- Monitored external users: Every time an e-mail from outside the protected domain triggers a rule, Filter collects the details in the logging database. You can retrieve a list of these addresses to use in Who rules.
- Monitored internal users: Every time an e-mail from inside the protected domain triggers a rule, Filter collects the details in the logging database. You can retrieve a list of these addresses to use in Who rules.
- Imported Users/Groups database: If you created a users/groups database using the Scout Exchange Import utility, you can retrieve the user details from there.
- Windows address book: Retrieve user details from the Windows address book.
- Outlook address book: Retrieve user details from the Outlook address book.
- LDAP: Retrieve user details from the LDAP server. To retrieve user details using LDAP, you must first configure a connection to the LDAP server, see Configuring an LDAP Connection on page 132.

To retrieve a list of users, follow Procedure 6-3:

Procedure 6-3: Retrieving User information from a data source

1. Drag the From Users and Groups object into position in the Rules palette.
2. The From Users and Groups dialog box is displayed.
3. Click Browse. The Select Users dialog box is displayed.
4. Select the data source from which you want to retrieve user details:
   - Monitored external users
   - Monitored internal users
   - Imported Users/Groups database
   - Windows address book
   - Outlook address book
   - LDAP connection
   Note: To retrieve user details from the LDAP server, you first need to configure a connection to the LDAP server. See Configuring an LDAP Connection on page 132.

(Sheet 1 of 2)

Procedure 6-3: Retrieving User information from a data source (Continued)

5. Filter will retrieve the user details from the data source you specify and display them on the left hand pane of the dialog box.
6. Select the users and groups you want to include in your Who rule and click Add. The users/groups that you add will move to the right hand pane of the dialog box. To remove a user or group, select it and click Remove.
7. When you have chosen the users/groups to include in your Who rule, click OK.

(Sheet 2 of 2)

CONFIGURING AN LDAP CONNECTION

To use LDAP to retrieve user details, you need to set up a connection to the LDAP server. Follow Procedure 6-4:

Procedure 6-4: Configuring an LDAP Connection

1. Drag the From Users and Groups object into position in the Rules palette.

(Sheet 1 of 5)

Procedure 6-4: Configuring an LDAP Connection (Continued)

2. The From Users and Groups dialog box is displayed.
3. Click Browse. The Select Users dialog box is displayed.
4. Click LDAP. The LDAP Connections dialog box is displayed.
5. Click Add. The Add LDAP Connection dialog box is displayed.
6. Select the General tab.

(Sheet 2 of 5)

Procedure 6-4: Configuring an LDAP Connection (Continued)

7. Give this LDAP connection a name. This is the name that is displayed in the Select Users From dialog box when you browse for users and groups to include in a Who object.
8. In the Server name field, enter the name of the LDAP server from which you want to retrieve user information.
9. To make it compulsory that Filter uses a username and password to log on to the LDAP server, select Log on to this server, and then enter the username and password. If you want Filter to connect to the LDAP server anonymously, clear the Log on to this server check box.
10. If you want Filter to connect to the LDAP server using secure authentication, select Log on using Secure Authentication.

(Sheet 3 of 5)

Procedure 6-4: Configuring an LDAP Connection (Continued)

Advanced Settings

11. Select the Advanced tab.
12. Enter the LDAP port number of the LDAP server. By default this is 389. If you want to connect to the LDAP server using a secure connection (Secure Sockets Layer), select Use a secure connection (SSL). If you enable SSL, the default port number will change.
13. Specify a search base for the LDAP query. The search base is the starting point for the query. LDAP users and groups information is not stored on the SurfControl Filter server; it is requested from the LDAP server whenever necessary, so specifying a search base makes the connection more efficient at locating specific users or groups. To automatically enter the default search base, click Get Default.
14. Click Specify Group Object. The LDAP Server Options dialog box is displayed.
15. By default, Filter uses the default group object, GroupofNames. To specify a different Group object, enter the name in the text box.
16. Click OK. If you have successfully configured the LDAP connection, it is listed in the Select users from: drop-down list prefixed by LDAP.

(Sheet 4 of 5)

Procedure 6-4: Configuring an LDAP Connection (Continued)

17. When you select the LDAP connection, you will see the users and groups retrieved from the LDAP server displayed in the left hand pane of the dialog box. You can then include these users and groups in any Who rule.
18. If the users and groups do not display successfully, you can test the LDAP connection. See Testing the LDAP Connection on page 136.

(Sheet 5 of 5)

TESTING THE LDAP CONNECTION

You can test that Filter is able to make a successful connection to the LDAP Server. The testing process comprises three separate tests, carried out in this order:

1. Test Basic LDAP connection
2. Test LDAP Authentication
3. Test Search for Groups and Users

Filter will carry out each test in order, until either the connection has passed all the tests, or until it fails one.

Test Basic LDAP Connection

The Basic LDAP Connection test will fail if SurfControl Filter cannot make a TCP/IP connection with the server. If the test fails, you will see a dialog box with the details:

Make sure you have specified the server name or IP address and LDAP Port number correctly. Remember that the server may not be using the default port number of 389. If the server and port number are correct, other possible causes of a connection failure are:

- The server is not running.
- The server is running but its LDAP service is not.
- SurfControl Filter cannot access the server, possibly because of firewall or DNS factors.

Test LDAP Authentication

The LDAP Authentication test will fail if the LDAP server cannot authenticate your user details (user name, password and domain names). If the test fails, you will see a dialog box with the details:

Make sure that the user name, password and domain name you supplied are correct. If the I must log on to this server check box is selected, SurfControl Filter uses simple authentication, that is, the password is passed in clear text. If you also check the Log on using Secure Authentication check box, the program uses secure authentication. So, if you experience an invalid credentials error and are using simple authentication, try switching to secure authentication, and vice versa.

Test Search for Groups and Users

The Search for Groups and Users test will fail if:

- you have not specified a search base.
- you have specified a search base incorrectly.

If the test fails, you will see a dialog box with the details:

If you have not specified a search base, go to the Advanced tab in the Add LDAP Connection dialog box. Click Get Default to get the default search base.

Note: If you connect to the server through an anonymous connection, the test may be successful without finding any Groups. This is because the client has not been authenticated by the server and so does not have permission to retrieve Groups.

If you have entered a search base and the test still fails, check the search base for errors and check with the LDAP server Administrator that you have specified a valid search base for this server.

When all three tests have been successful, a dialog box is displayed confirming that all the tests have been passed:

Reverse Logic

Select the Reverse logic check box to reverse the logic of the From Users and Groups object:

Table 6-2 Reverse logic From Users and Groups (Reverse Logic: Result)

- Disabled: The rule will trigger if the e-mail is from the user or group specified in the rule.
- Enabled: The rule will trigger if the e-mail is not from the user or group specified in the rule.

INBOUND/OUTBOUND MAIL OBJECT

Warning: If you enable a rule that contains the Inbound/Outbound Mail object, you must have anti-spoofing enabled somewhere in your system, either in the receive service (see Anti-Spoofing on page 21) or with an upstream MTA. Without anti-spoofing there is a risk that spoofed inbound mail will be treated as internal.

The Inbound/Outbound Mail object specifies whether a rule applies to e-mail coming into, going out of or coming from within the protected domain. This avoids unnecessary processing; for example, you can apply anti-spam filtering only to e-mails coming into your organization.

The Inbound/Outbound object checks the domain of the sender and the domain of the recipient against the criteria you specify. There are four criteria you can set:

Table 6-3 Inbound/Outbound options (Option: What it does)

- Inbound: The rule will apply only to e-mails sent from outside a protected domain to a recipient inside a protected domain.
- Outbound: The rule will apply only to e-mails sent from inside a protected domain to a recipient outside a protected domain.
- Internal: The rule will apply only to e-mails sent from inside a protected domain to a recipient inside a protected domain.
- External Relay: The rule will apply only to e-mails sent from outside a protected domain to a recipient outside a protected domain.

CONFIGURING THE INBOUND/OUTBOUND MAIL OBJECT

To include the Inbound/Outbound Mail object in a rule, follow Procedure 6-5:

Procedure 6-5: Adding the Inbound/Outbound Mail object to a rule

1. Drag the Inbound/Outbound Mail object into position on the Rules palette.

(Sheet 1 of 2)

Procedure 6-5: Adding the Inbound/Outbound Mail object to a rule (Continued)
2. The Properties for Inbound/Outbound Mail dialog box is displayed.
3. Select the types of email that the rule should apply to: Inbound, Outbound, Internal, External Relay.
4. Select the protected domains to include in the rule. By default the rule will check against all protected domains. To use only specific domains, click Selected, and then select one or more of the protected domains on the list.
5. If you want to reverse the logic of the Inbound/Outbound Mail object, select Reverse logic. See Reverse Logic: Inbound/Outbound Mail Object on page 141 for an explanation of how this will affect the logic of the rule.
6. Click OK.

Reverse Logic: Inbound/Outbound Mail Object

Table 6-4 explains how reverse logic affects the Inbound/Outbound Mail object, using the example protected domain mycompany.com.

Table 6-4 Reverse Logic Inbound/Outbound Mail object

Inbound
- Reverse Logic disabled: If the email is sent from outside mycompany.com to a recipient inside mycompany.com, the rule will trigger.
- Reverse Logic enabled: If the email is sent from inside mycompany.com to any recipient, or from outside mycompany.com to a recipient outside mycompany.com, the rule will trigger.

Outbound
- Reverse Logic disabled: If the email is sent from inside mycompany.com to a recipient outside mycompany.com, the rule will trigger.
- Reverse Logic enabled: If the email is sent from outside mycompany.com to any recipient, or from inside mycompany.com to a recipient inside mycompany.com, the rule will trigger.

Table 6-4 Reverse Logic Inbound/Outbound Mail object (Continued)

Internal
- Reverse Logic disabled: If the email is sent from inside mycompany.com to a recipient inside mycompany.com, the rule will trigger.
- Reverse Logic enabled: If the email is sent from outside mycompany.com to any recipient, or from inside mycompany.com to a recipient outside mycompany.com, the rule will trigger.

External Relay
- Reverse Logic disabled: If the email is sent from outside mycompany.com to a recipient outside mycompany.com, the rule will trigger.
- Reverse Logic enabled: If the email is sent from outside mycompany.com to a recipient inside mycompany.com, from inside mycompany.com to a recipient outside mycompany.com, or from inside mycompany.com to a recipient inside mycompany.com, the rule will trigger.

TO USERS AND GROUPS

The To Users and Groups object checks the contents of an email's To: field against the criteria you specify. Filter can check whether or not the email is addressed to a specified address, group or domain.

CONFIGURING THE TO USERS AND GROUPS OBJECT

To specify which recipient users or groups the rule will look for, follow Procedure 6-6:

Procedure 6-6: Specifying a Recipient User or Group
1. Drag the To Users and Groups object into position on the Rules palette.

Procedure 6-6: Specifying a Recipient User or Group (Continued)
2. The Properties for To Users and Groups dialog box is displayed.
3. Click Add. The Add Recipients dialog box is displayed.
4. Enter one or more addresses or domains you want to detect. Separate multiple entries by a semicolon.
5. Click OK. The recipients are displayed in the Message Recipients: list. Icons in the list identify individual addresses and domains.
6. Click OK. The users and groups that you added are displayed in the Rules palette in the To Users and Groups object.

Retrieving Recipient Information From a Data Source

As well as entering user details manually, you can also retrieve a list of recipient users and groups from your system that you can use in a rule. The advantages of this are:
- You can add many users, domains or groups at one time.
- You do not have to remember user details.
- You do not have to risk misspelling user details by typing them in.

The process for retrieving user information automatically is the same as for the From Users and Groups object; see Retrieving User Information From a Data Source on page 130.

Reverse Logic

Select the Reverse logic check box to reverse the logic of the To Users and Groups object.

Table 6-5 Reverse logic From Users and Groups
- Reverse Logic disabled: The rule will trigger if the email is addressed to the specified user or group.
- Reverse Logic enabled: The rule will trigger if the email is not addressed to the specified user or group.
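Returning to the Inbound/Outbound Mail object: the sketch below is an added example, not SurfControl code, that models the four message types of Table 6-3, the reverse logic of Table 6-4 and the spoofing risk named in the warning. The exact-match domain comparison, the internal network range and the client-IP form of the anti-spoofing check are assumptions made for illustration.

```python
import ipaddress
from enum import Enum

PROTECTED = {"mycompany.com"}                          # the guide's example protected domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: where internal mail hosts live


class MailType(Enum):
    INBOUND = "Inbound"
    OUTBOUND = "Outbound"
    INTERNAL = "Internal"
    EXTERNAL_RELAY = "External Relay"


def domain_of(address):
    """Lower-cased domain of an address; empty string if there is no '@'."""
    _local, at, domain = address.strip().strip("<>").rpartition("@")
    return domain.lower() if at else ""


def classify(sender, recipient, protected=PROTECTED):
    """Table 6-3: compare sender and recipient domains with the protected domains."""
    from_inside = domain_of(sender) in protected
    to_inside = domain_of(recipient) in protected
    if from_inside and to_inside:
        return MailType.INTERNAL
    if from_inside:
        return MailType.OUTBOUND
    if to_inside:
        return MailType.INBOUND
    return MailType.EXTERNAL_RELAY


def object_triggers(sender, recipient, selected, reverse_logic=False, protected=PROTECTED):
    """Table 6-4: reverse logic triggers on every type that was NOT selected."""
    matched = classify(sender, recipient, protected) in selected
    return matched != reverse_logic


def looks_spoofed(sender, client_ip, protected=PROTECTED, internal_nets=INTERNAL_NETS):
    """Assumed anti-spoofing pre-check: a protected sender domain that arrives
    from a host outside the internal networks."""
    if domain_of(sender) not in protected:
        return False
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in internal_nets)


# Constructed sample traffic: (envelope sender, recipient, connecting client IP)
SAMPLES = [
    ("alice@partner.example", "bob@mycompany.com", "203.0.113.7"),
    ("bob@mycompany.com", "alice@partner.example", "10.1.2.3"),
    ("bob@mycompany.com", "carol@mycompany.com", "10.1.2.3"),
    # Sender domain alone says "Internal", but the message came from outside.
    ("ceo@mycompany.com", "carol@mycompany.com", "203.0.113.7"),
]


def report(samples=SAMPLES):
    """Return (message type, spoof flag) for each sample."""
    return [(classify(s, r).value, looks_spoofed(s, ip)) for s, r, ip in samples]


if __name__ == "__main__":
    for (sender, recipient, ip), row in zip(SAMPLES, report()):
        print(sender, "->", recipient, "from", ip, row)
```

The last sample is the case the warning describes: a rule limited to Inbound mail would skip it unless a spoofing check runs first.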

WHAT OBJECTS

What objects check emails to identify them against characteristics you specify. There are 15 What objects:

Table 6-6 What objects
- Anti-Spam Agent, which comprises four tools:
  - Digital Fingerprinting Tool: Checks emails against the known spam and junk mail in SurfControl's Anti-Spam database. SurfControl's Global Content Team is constantly updating the Anti-Spam database with the electronic signatures of known spam circulating on the Internet. (page 146)
  - Heuristics: The ASA analyzes the email and assesses its characteristics in relation to known spam. (page 147)
  - LexiRules: The ASA uses LexiRules to check the email for word combinations and patterns commonly seen in spam. (page 147)
  - Neural Networks: The Anti-Spam Agent uses artificial intelligence to assess the likelihood of the email being spam. (page 147)
- Anti-Virus Agent: Performs a virus scan on emails using McAfee mcscan32.dll. (page 151)
- Anti-Virus Scanning object: Integrates with your own anti-virus software to detect viruses in emails and attachments. (page 158)
- Dictionary Threshold: Scans the email for words in one or more of the SurfControl dictionaries, or from a dictionary you have created. (page 167)
- External Program Plugin object: Integrates SurfControl Filter with an external executable or batch file. (page 169)
- File Attachment: Identifies the file type of an attachment. (page 172)
- Illegal MIME Format: Detects whether the email or its attachments contain non-standard or malformed MIME content. (page 176)
- LexiMatch: Inspects the email for specified word combinations from the filter dictionaries. (page 178)
- Loop Detection: Detects looping of emails between mail servers, for example loops due to auto-forwarding rules on servers and auto-replies to delivery failure emails. (page 182)
- Message Size: Sets the maximum size for an email or individual attachments. (page 188)
- Number of Recipients: Checks whether an email is being sent to more recipients than you have allowed in a rule. (page 190)
- Internet Threat Database: Detects when an email contains a URL, and checks that URL against the SurfControl Internet Threat Database. (page 191)

Table 6-6 What objects (Continued)
- Virtual Image Agent: Checks whether an image contains explicit adult graphics. (page 193)
- Virtual Learning Agent: Scans emails for patterns of words and phrases. (page 194)
- When: Controls the day and time that a rule is enabled. (page 196)

ANTI-SPAM AGENT OBJECT

The Anti-Spam Agent (ASA) object is a powerful tool that:
- Checks email against a database of known spam.
- Analyzes email content to detect spam characteristics.

The ASA object is an add-on component that requires an activation key. However, if you are running an evaluation copy of SurfControl Filter you can use the Anti-Spam Agent during your 30-day evaluation period without entering the activation key.

ANTI-SPAM AGENT TOOLS

The Anti-Spam Agent comprises four separate tools. You can enable or disable any combination of tools for use in a rule:

Table 6-7 Anti-Spam Agent tools
- Digital Fingerprinting: The ASA compares the digital fingerprint of the email against its database of known spam and junk mail.
- Heuristics: The ASA analyzes the email and assesses its characteristics in relation to known spam.
- LexiRules: The ASA uses LexiRules to check the email for word combinations and patterns commonly seen in spam.
- Neural Networks: The Anti-Spam Agent uses artificial intelligence to assess the likelihood of the email being spam.

Digital Fingerprinting

The Digital Fingerprinting tool checks the digital fingerprint of an email against SurfControl's Anti-Spam database. The Anti-Spam database classifies spam into one of 17 categories, so that you can decide which kinds of content you want to allow, and which you want to block. The categories are as follows:
- Adult
- Chain letters
- Computing and Internet
- Dating and personals
- Entertainment
- Finance and home business
- Gambling
- Games and interactive
- Health and medicine
- Humor
- Illegal material
- Novelty software
- Offensive
- Other
- Phishing and Fraud
- Products and services
- Special events

You can read a full description of each category in Appendix A on page 379.

Heuristics

The Heuristics tool analyzes the entire email, performing a series of tests that determine how closely an email resembles spam. You can specify how sensitive the Heuristics tool is in evaluating emails. The higher the sensitivity, the fewer spam-like traits an email needs in order to trigger the rule.

By default, the Heuristics tool will scan the entire email. In high-volume environments, however, it is quicker to scan only the header.

LexiRules

The LexiRules tool performs the same tests as the Heuristics tool, but it will trigger the rule if the email has any spam-like traits.

Neural Networks

The Neural Networks tool is a pre-trained artificial intelligence tool which examines the contents of the email and compares it with known spam.

CONFIGURING THE ANTI-SPAM AGENT OBJECT

To include the Anti-Spam Agent object in a rule, follow Procedure 6-7:

Procedure 6-7: Configuring the Anti-Spam Agent object
1. Drag the Anti-Spam Agent object into position in the Rules palette.
2. The Properties for Anti-Spam Agent dialog box is displayed.

Enabling the Digital Fingerprinting tool
3. Select the Digital Fingerprinting tab.
4. Select Enable Digital Fingerprinting.
5. Select the categories of spam to detect.

Procedure 6-7: Configuring the Anti-Spam Agent object (Continued)

Enabling the Heuristics tool
6. Select the Heuristics tab.
7. Select Enable Heuristics.
8. Use the slider to set a sensitivity level. See Heuristics on page 147 for more information.
9. Select to scan the whole email or just the header.

Enabling the LexiRules tool
10. Select the LexiRules tab.
11. Select Enable LexiRules.

Procedure 6-7: Configuring the Anti-Spam Agent object (Continued)

Enabling the Neural Networks tool
12. Select the Neural Networks tab.
13. Select Enable Neural Networks.
14. When you have enabled the tools you want, click OK.

Reverse Logic

If you reverse the logic of the Anti-Spam Agent object, you reverse the logic of all its enabled tools:

Table 6-8 Reverse Logic Anti-Spam Agent object
- Reverse Logic disabled: The rule will trigger if ANY of the enabled ASA tools detect spam content in the email.
- Reverse Logic enabled: The rule will trigger if NONE of the enabled ASA tools detect spam content in the email.

Anti-Spam Agent Best Practice

The Anti-Spam Agent attacks spam in two ways:
- The Digital Fingerprinting tool detects email that is known to be spam because it has been seen and categorized by SurfControl in the ASA database.
- The Heuristics, LexiRules and Neural Network tools detect email that has the characteristics of spam.

The Digital Fingerprinting tool is extremely accurate at detecting known spam and will return virtually no false positives.

The Heuristics, LexiRules and Neural Network tools are highly effective in detecting new, unclassified spam, but because they assess the likelihood that an email is spam, there is a chance that legitimate email will trigger the rule. For example, a marketing newsletter could share some characteristics with a spam email (such as its use of HTML) and therefore trigger the rule.

Because of this difference, there are two default rules that use the ASA object:
1. The first ASA rule enables only digital fingerprinting. If an email has the digital signature of known spam, it is isolated in the Anti-Spam Agent DFP folder.
2. The second ASA rule enables the Heuristics, LexiRules and Neural Network tools. If any of these tools detect a likely spam email, it is isolated in the Anti-Spam Agent folder.

Separating these functions into two rules means that:
- Known spam is detected and isolated: you can be confident that email isolated by the Digital Fingerprint tool into the Anti-Spam Agent DFP folder is spam, and manage it accordingly.
- Emails isolated by the Heuristics, LexiRules and Neural Network tools are kept in a separate folder, so that you can monitor which emails are isolated and assess whether you need to change the sensitivity of the Heuristics tool.

UPDATING THE ANTI-SPAM AGENT OBJECT

SurfControl's content team constantly updates the Anti-Spam Agent object. SurfControl recommends that you schedule regular updates to the ASA using the scheduler. See Scheduling Anti-Spam Agent Updates on page 266.

ANTI-VIRUS AGENT

The Anti-Virus Agent helps protect your system by deleting viruses and cleaning infected files when they occur. It uses the industry-leading McAfee Olympus Anti-Virus engine to detect files that could damage your system.

To use the Anti-Virus Agent you need an activation key. If you are running an evaluation copy of SurfControl Filter, you can use the Anti-Virus Agent without an activation key for the 30-day evaluation period.

CONFIGURING THE ANTI-VIRUS AGENT OBJECT

When you include the AVA object in a rule, you need to specify:
- What kind of virus threats the AVA will scan for.
- What action the AVA will take if it finds a virus.
- Which files are exempt from AVA scanning.
- The message that users receive if a virus has been removed or cleaned from their email.

Scan Options

You can specify what kind of virus threats the AVA will detect. Select any or all of the following:

Table 6-9 AVA Scan options
- Treat Errors as Infected: If the anti-virus software reports an error (for example, scan failed), the Anti-Virus Agent will treat the file as if it was infected with a virus.
- Treat Encrypted Files as Infected: If the file uses encryption that the anti-virus software cannot decrypt, the Anti-Virus Agent will treat the file as if it was infected with a virus. Any encrypted files (including password-protected archive or document files) will be treated as virus-infected.
- Treat Macros as Infected: If a macro is found in a scanned file, the file will be treated as if it was infected with a virus.
- Heuristic Analysis: Heuristic Analysis means anti-virus software can recognize a virus without ever having seen that virus before. If the anti-virus software detects virus-like traits in a file, the Anti-Virus Agent will treat that file as if it was infected with a virus.
- Macro Analysis: All macros found will be dissected and scanned for the presence of viruses. If the analysis of a macro within any scanned file reveals it to be infected, it is reported to the Anti-Virus Agent.
- Scan All Files for Macros: By default, the Anti-Virus Agent submits only files from the Document Files group to the anti-virus scanner for analysis. With this option selected, all files are scanned for macros, regardless of their file type, and if a macro is found, it is reported to the Anti-Virus Agent.
- Malicious Applications: Malicious applications include any software that has effects unintended by or prejudicial to the user, usually where these effects are hidden. If the anti-virus software detects a malicious application, it will report it to the Anti-Virus Agent.
- Joke/Hoax Viruses: Joke or Hoax viruses do not destroy or interfere with the working of the computer system. They do, however, act as a nuisance to the user and can place an overload on your server. With this option selected, the anti-virus software will scan files for the presence of joke/hoax viruses, and if one is detected, a positive virus return code is reported back to the Agent.

AVA Actions

You can specify what action the AVA will take if it finds a virus. Select one of the following:

Table 6-10 AVA actions
- Take No Action: The AVA will take no action, but the rule will trigger.
- Delete the virus: The AVA will attempt to delete the virus. If it cannot delete it, the rule will trigger.
- Attempt to Clean the infected file: The AVA will attempt to clean the virus. If it cannot clean it, the rule will trigger.

Excluded Files

You can add filenames to the excluded file list. The AVA will not scan these files.

Notification Footer

If the AVA deletes or cleans a virus from an email, you can add a footer to tell the recipient that this has happened. As well as free text, you can insert the following variable codes into the footer:

Table 6-11 Virus notification footer variables
- $A: the name of the infected file
- $B: the subject
- $D: the date that the email was processed
- $F: the filename
- $N: the name of the triggered rule
- $R: the recipient's name
- $S: the sender's name
- $T: the time of processing
- $V: the name of the virus detected by McAfee DLL anti-virus
- $Z: the size

So, for example, you could type the text:

Virus $V was detected in $A, by SurfControl Anti-Virus Agent. The infected file contents have been removed.

This would add the following text to the infected email:

Virus (The name of the virus) was detected in (The name of the file) by SurfControl Anti-Virus Agent. The infected file contents have been removed.

To include the Anti-Virus Agent in a rule, follow Procedure 6-8:

Procedure 6-8: Configuring the Anti-Virus Agent object
1. Drag the Anti-Virus Agent object into position in the Rules palette.
2. The Anti-Virus Agent dialog box is displayed.

Specify Scan Options
3. Click Scan Options. The Scan Options dialog box is displayed.
4. Select which virus threats you want the AVA to scan for. See Table 6-9 on page 152 for an explanation of the options.
5. Click OK. The Scan Options dialog closes.

Procedure 6-8: Configuring the Anti-Virus Agent object (Continued)

Specify AVA Actions
6. Select what action you want the AVA to take if it finds a virus: No action, Delete virus, or Clean virus.

Specify which files will not be scanned
7. Select Exclude File List.
8. The Exclude File List dialog box is displayed.
9. Click Add. The Add Filename dialog box is displayed.
10. Enter the filename of the file you want to exclude from scanning.
11. Click OK. The file is listed on the Exclude File List dialog. The AVA will not scan any of the files listed.

Procedure 6-8: Configuring the Anti-Virus Agent object (Continued)

Adding a notification footer
12. From the Action menu, select either Delete virus or Clean virus. The Message for Place-holder file: text box becomes available.
13. Enter the text that is to be added when the AVA has successfully cleaned or deleted the virus from an infected email. You can use the variables listed in Table 6-11.
14. Click OK.

Reverse Logic

If you reverse the logic of the Anti-Virus Agent object, it will behave as follows:

Table 6-12 Reverse Logic Anti-Virus Agent

No action
- Reverse Logic disabled: If the AVA detects a virus, the rule will trigger.
- Reverse Logic enabled: If the AVA does NOT detect a virus, the rule will trigger.

Delete virus
- Reverse Logic disabled: If the AVA detects a virus and cannot delete it, the rule will trigger.
- Reverse Logic enabled: If the AVA detects a virus and deletes it, the rule will trigger.

Clean virus
- Reverse Logic disabled: If the AVA detects a virus and cannot clean it, the rule will trigger.
- Reverse Logic enabled: If the AVA detects a virus and cleans it, the rule will trigger.

THE PRE-CONFIGURED ANTI-VIRUS AGENT RULE

SurfControl Filter is installed with a pre-configured Anti-Virus Agent rule, enabled by default, which isolates virus-infected emails that the AVA cannot clean. The logic of the rule is as follows:

Figure 6-3 The preconfigured Anti-Virus Agent rule

Scan 1: The first scan checks for the presence of a virus. If the AVA finds a virus, the rule progresses to scan 2.

Scan 2: The second scan has virus cleaning enabled. If the AVA cannot clean the virus, the email is isolated in the Virus folder. If the AVA can clean the email, it cleans it, adds a notification footer to all users, sends a notification to the sender and continues checking the email against the remaining rules.

UPDATING THE ANTI-VIRUS AGENT

You can automatically download updates to the Anti-Virus Agent using the SurfControl Filter Scheduler. To keep your system safe against new viruses, you should download updates weekly. If you are an evaluating user, you can download updates for the duration of the 30-day evaluation period.

For more on live updates, see Scheduling Anti-Virus Agent Updates on page 264.

ANTI-VIRUS SCANNING OBJECT

The Anti-Virus Scanning object uses your third-party virus software to detect viruses in emails and attachments. If you have more than one type of anti-virus scanner, SurfControl Filter can use all of them to give a comprehensive scan of suspect files.

SurfControl Filter breaks up an email into its component parts and passes them to the virus scanners for analysis. The virus scanners report the results of the scan using the standardized set of codes listed in Appendix C. Filter then deals with the email as specified in your rule set.

The Anti-Virus Scanning object works independently of the Anti-Virus Agent object. You do not need an email-specific version of your anti-virus software, but you must disable any automatic file-level or directory-level scanning that your anti-virus software performs, at least on the SurfControl Filter subdirectories.

CONFIGURING THE ANTI-VIRUS SCANNING OBJECT

You can scan with three different kinds of anti-virus scanner:
- DLL-based
- Command line based
- ICAP based

For sites with high volumes of traffic, SurfControl recommends using DLL-based scanners rather than command line scanners. DLL scanners are usually faster because they are memory-resident.

Filter is integrated with the AV scanners listed in Table 6-13. Alternatively, you can configure the Anti-Virus Scanning object to use any other command line based AV product.

Table 6-13 Fully integrated AV scanners
- DLL-based: Norman Defense Systems, Sophos SAVI, Trend InterScan VirusWall, IKARUS Software (see page 159)
- Command Line: McAfee/Network Associates NetShield Executable (scan.exe) (see page 160)
- ICAP: Symantec Anti-Virus Scanning Engine (SASE)

To scan with a DLL-based scanner:

Procedure 6-9: Scanning with a DLL-based scanner
1. Drag the Anti-Virus Scanning object into position in the Rules palette.
2. The Properties for Anti-Virus Scanning dialog box is displayed.
3. Click Add.
4. The Select Virus Scanner dialog box is displayed.
5. Select the DLL-based scanner to use; these are marked DLL.
6. Click OK.
7. The scanner is displayed in the Selected Anti-Virus Scanners: list.

Procedure 6-9: Scanning with a DLL-based scanner (Continued)
8. Select the virus code you want to trigger the rule. If your anti-virus scanner returns a value equal to or higher than this code, the Anti-Virus Scanning object triggers the rule. For example, if you set the Scan Evaluation Code to 001, and the virus scanning software reports with code 010, this means that either:
   - A virus has been found.
   - There was an error scanning the file.
9. Click OK.

To scan with a Command Line based scanner:

Procedure 6-10: Scanning with a Command Line based scanner
1. Drag the Anti-Virus Scanning object into position in the Rules palette.

Procedure 6-10: Scanning with a Command Line based scanner (Continued)
2. The Properties for Anti-Virus Scanning dialog box is displayed.
3. Click Add.
4. The Select a Virus Scanner dialog box is displayed.
5. Select the command line scanner to use. If your scanner is not on the list, select Other.

Procedure 6-10: Scanning with a Command Line based scanner (Continued)
6. Click OK. The Anti-Virus Product Configuration dialog box is displayed.
7. In the AntiVirus Executable text box, enter or browse to the location of the .exe file for your scanner. If you selected a fully integrated scanner from the list in Table 6-13 on page 158, the default location is displayed automatically.
8. The Default Parameters text box contains instructions for your anti-virus scanner. Any product listed in Table 6-13 on page 158 is displayed automatically. If you are using an anti-virus scanner that is not on the list, you need to enter codes in the Default Parameters text box. These codes will be listed in the documentation that was supplied with your virus scanning software.
9. Enter a value in the Timeout Period text box. This value indicates how long SurfControl Filter will wait for the scanner to complete its scan. If the virus software does not respond within this time, Filter moves on to the next processing step in the rule.
10. Click OK. The scanner is displayed in the Selected Anti-Virus Scanners: list.
11. Select the virus code that will trigger the rule. If your anti-virus scanner returns a value equal to or higher than this code, the Anti-Virus Scanning object triggers the rule. For example, if you set the Scan Evaluation Code to 001, and the virus scanning software reports with code 010, this means that either:
    - A virus has been found.
    - There was an error scanning the file.
12. Click OK.

Scanning with Symantec SASE

Procedure 6-11: Scanning with Symantec SASE
1. Drag the Anti-Virus Scanning object into position in the Rules palette.
2. The Properties for Anti-Virus Scanning dialog box is displayed.
3. Click Add.
4. The Select a Virus Scanner dialog box is displayed.
5. Select Symantec Anti-Virus Scan Engine (SASE).
6. Click OK.
7. The Anti-Virus Product Configuration dialog box is displayed.

Procedure 6-11: Scanning with Symantec SASE (Continued)
8. Select Add. The SASE Server Configuration dialog box is displayed.
9. In the SASE Server IP box, enter the IP address of the SASE Server. If SASE is installed on the same machine as Filter, enter
10. Click Test. If the connection is successful, a message shows the virus definition date. If Filter cannot connect to the SASE server, an error message is displayed; check that the IP address is correct.
11. In the SASE Server Port Number text box, enter the port that Filter will use to communicate with the SASE server.
12. In the Fail Retry Time text box, enter the length of time in seconds Filter will wait before retrying the connection if it is unsuccessful the first time.
13. In the Scan Timeout text box, enter the amount of time Filter will wait for SASE to complete its scan. If SASE doesn't complete the scan in this time, Filter proceeds to the next processing step.
14. Click OK. The Symantec SASE scanner is listed in the Anti-Virus Product Configuration dialog box.
15. Click OK.

Procedure 6-11: Scanning with Symantec SASE (Continued)
16. The Symantec SASE scanner is listed on the Properties for Anti-Virus Scanning dialog box.
17. Select the virus code that will trigger the rule. If your anti-virus scanner returns a value equal to or higher than this code, the Anti-Virus Scanning object triggers the rule. For example, if you set the Scan Evaluation Code to 001, and the virus scanning software reports with code 010, this means that either:
    - A virus has been found.
    - There was an error scanning the file.
18. Click OK.

Reverse Logic

You can reverse the logic of the Anti-Virus Scanning object so that the rule will trigger if the virus scanner returns a code less than the scan evaluation code you specify:

Table 6-14 Reverse Logic Anti-Virus Scanning object
- Reverse Logic disabled: The rule will trigger if the anti-virus scanner returns a scan evaluation code greater than or equal to the scan evaluation code you specified in the dialog box.
- Reverse Logic enabled: The rule will trigger if the anti-virus scanner returns a scan evaluation code less than the scan evaluation code you specified in the dialog box.

MULTIPLE SCANS

You can allow multiple virus scans of the same file to take place when:
- You have enabled more than one rule that uses the Anti-Virus Scanning object.
- You have configured the Anti-Virus Scanning object to use more than one anti-virus product.

By default, once an email has been scanned, the results of the scan will be carried over and applied when there is a further instance of the Anti-Virus Scanning object. To re-scan the email each time, select the Force Scan check box on the Anti-Virus Scanning object dialog box.

AVOIDING CONFLICTS WITH THIRD-PARTY AV PRODUCTS

Occasionally, there can be a conflict when third-party anti-virus software is installed on the SurfControl server, and the Filter Rules service and the anti-virus service try to access the In folder simultaneously. This can occur whether or not the Anti-Virus Agent or SurfControl Anti-Virus Scanning objects are part of a rule. To prevent this conflict:
- Exclude the SurfControl root directory from real-time scanning.
- Do not use your anti-virus software to scan inbound files. You can continue the real-time scanning of outbound emails.
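The decision the Anti-Virus Scanning object makes around a command line scanner (Scan Evaluation Code, reverse logic, Timeout Period, carried-over results and Force Scan) can be modelled as below; this is an added sketch, not SurfControl code. The stand-in scanner, the reading of codes 001 and 010 as the integers 1 and 10, and the per-email cache dictionary are assumptions.

```python
import subprocess
import sys

TRIGGER, NO_TRIGGER, UNSCANNED = "trigger", "no-trigger", "timed-out-unscanned"


def stand_in_scanner(exit_code, delay_s=0.0):
    """argv for a constructed stand-in scanner: waits, then exits with exit_code."""
    script = f"import sys, time; time.sleep({delay_s}); sys.exit({exit_code})"
    return [sys.executable, "-c", script]


class AvScanningObject:
    """Model of one Anti-Virus Scanning object in a rule (hypothetical class)."""

    def __init__(self, scanner_argv, scan_evaluation_code, timeout_s,
                 reverse_logic=False, force_scan=False):
        self.scanner_argv = scanner_argv
        self.scan_evaluation_code = scan_evaluation_code
        self.timeout_s = timeout_s
        self.reverse_logic = reverse_logic
        self.force_scan = force_scan
        self.runs = 0  # how many times this object really ran the scanner

    def _scan(self, path, cache):
        # Default behaviour: an earlier result for this part is carried over.
        if not self.force_scan and path in cache:
            return cache[path]
        self.runs += 1
        try:
            done = subprocess.run(self.scanner_argv + [path], timeout=self.timeout_s,
                                  stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        except subprocess.TimeoutExpired:
            return None  # no verdict; nothing is cached
        cache[path] = done.returncode
        return done.returncode

    def evaluate(self, path, cache):
        """Return TRIGGER, NO_TRIGGER or UNSCANNED for one message part."""
        code = self._scan(path, cache)
        if code is None:
            # The guide: on timeout Filter moves on to the next processing step,
            # so the part continues without a scan verdict. Surface it explicitly.
            return UNSCANNED
        if self.reverse_logic:
            hit = code < self.scan_evaluation_code    # Table 6-14, enabled
        else:
            hit = code >= self.scan_evaluation_code   # Table 6-14, disabled
        return TRIGGER if hit else NO_TRIGGER


if __name__ == "__main__":
    cache = {}  # results shared by every Anti-Virus Scanning object for one email
    rule_a = AvScanningObject(stand_in_scanner(10), 1, timeout_s=30)
    rule_b = AvScanningObject(stand_in_scanner(0), 1, timeout_s=30)
    slow = AvScanningObject(stand_in_scanner(10, delay_s=5), 1, timeout_s=0.5)
    print(rule_a.evaluate("part1.bin", cache))  # scanner runs and returns 10
    print(rule_b.evaluate("part1.bin", cache), "runs:", rule_b.runs)  # carried over
    print(slow.evaluate("part2.bin", cache))    # timeout path
```

Counting the UNSCANNED outcomes separately shows how much mail passes this step without a verdict when the timeout is set too low for the scanner.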

DICTIONARY THRESHOLD OBJECT

The Dictionary Threshold object uses a library of dictionaries to detect content that your organization may want to avoid. These dictionaries contain words associated with different aspects of unwanted content, for example adult material, hate speech and gambling. Filter is pre-configured with the following dictionaries:
- Adult
- Alcohol/Tobacco/Drugs
- Arts/Entertainment
- Computing/Internet/hacking
- Compliance - Credit Cards
- Compliance - Medical Records
- Compliance - Social Security Numbers
- Confidential
- Finance
- Gambling
- Hate speech/offensive
- Job search
- Medical/Healthcare
- Shopping
- Spam
- Spam Misspellings
- Sports
- Travel
- Violence/Weapons

You can edit these dictionaries by adding or deleting words, or by changing the scores. You can also create new dictionaries; see Dictionary Management on page 247.

CONFIGURING THE DICTIONARY THRESHOLD OBJECT

To configure the Dictionary Threshold object you need to specify:
- What kind of content you want the rule to detect.
- Which parts of the email you want to scan for dictionary content.
- The dictionary score required to trigger the rule.

How the Dictionary Threshold Object Works

The Dictionary Threshold object assigns a numeric value to each word. If words in an email match the dictionary entries, the values are added to produce a total. If this total is equal to, or greater than, the value specified in the Dictionary Threshold object, the rule is triggered.

Example:
1. You set a rule to trigger the Dictionary Threshold object for the Gambling dictionary at
2. The SurfControl server receives an email that contains the words baccarat, blackjack and slot machine.

3. Each of these words has a value of 50. Therefore 50 + 50 + 50 = 150, which exceeds your threshold.
4. The rule is triggered.

To include the Dictionary Threshold object in a rule, follow Procedure 6-12.

Procedure 6-12: Configuring the Dictionary Threshold object

1. Drag the Dictionary Threshold object into position in the Rules palette.
2. The Properties for Dictionary Threshold dialog box is displayed.
3. Select the categories of content you want to detect, or select All Categories.
4. Select which parts of the email you want to scan for dictionary content:
   - Entire Message
   - Header
   - Body
   - Attachments
5. Select the threshold that will trigger the rule. Default = 100
   Note: If you have selected more than one dictionary, the threshold is cumulative across all of the selected dictionaries.
6. Click OK.

Reverse Logic

Table 6-15 shows how the Dictionary Threshold behaves when you reverse the logic, where N is the threshold score.

Table 6-15 Reverse Logic - Dictionary Threshold object

| Reverse Logic | Result |
|---|---|
| Disabled | If the selected part of the email has a score of N or higher, the rule will trigger. |
| Enabled | If the selected part of the email has a score of N or lower, the rule will trigger. |

EXTERNAL PROGRAM PLUGIN OBJECT

The External Program PlugIn object integrates SurfControl Filter with an external executable or batch file. You can use an external program to run a third-party command line executable that does not require user input, either to check emails for a condition or to perform an action when an email meets a condition. The command must return a standard return code if an external command is to check for a condition.

Command Line Parameters

You can enter parameters for the executable or batch file. A list of these parameters should be available in the documentation supplied with the program.

Message Part Operators

You can also automatically add text from the email to form part of the external program trigger by inserting operators in the Command Line Parameters field. Different operators refer to different parts of the email. Table 6-16 shows the message part operators:

Table 6-16 Message part operators

| Operator | What it means |
|---|---|
| $F | The filename |
| $S | The sender's name |
| $R | The recipient's name |
| $D | The date that the email was processed |
| $T | The time that the email was processed |
| $B | The subject |
| $Z | The size |
| $N | The name of the triggered rule |
| $W | Current working directory |

Table 6-16 Message part operators (continued)

| Operator | What it means |
|---|---|
| $V | The name of the virus detected by the Anti-Virus Agent |

Return Values

The return value is the value returned by the external program. You can specify what value will trigger the rule. You can also specify the following logical conditions for the return value. Table 6-17 shows the options, using the return value N.

Table 6-17 Return Values and logical conditions

| Logical condition | Result |
|---|---|
| Always | If the value returned is N, the rule will trigger. |
| Never | If the value returned is not N, the rule will trigger. |
| Less than | If the value returned is less than N, the rule will trigger. |
| Less than or equal to | If the value returned is less than or equal to N, the rule will trigger. |
| Greater than | If the value returned is greater than N, the rule will trigger. |
| Greater than or equal to | If the value returned is greater than or equal to N, the rule will trigger. |

To include the External Program PlugIn object in a rule, follow Procedure 6-13:

Procedure 6-13: Configuring the External Program PlugIn object

1. Drag the External Program PlugIn object into position on the Rules palette.

2. The External Program PlugIn dialog box is displayed.
3. Click Browse to find the file location of the external program.
4. In the Command Line Parameters: text box, enter the command line parameters and/or the message part operators. For command line parameters, see the external program's documentation. For message part operators, see Message Part Operators.
5. Select an option from the Will Return TRUE dropdown list.
6. Enter the return value that will trigger the rule if it meets the logical condition specified.
7. Enter the Timeout Period. This is the time that Filter will allow for the external program to complete its function. If the external program takes longer than the period specified, Filter moves on to the next processing step.
8. Click OK.
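The following Python model of the plug-in flow (operator expansion, timeout, return-value comparison) is an added example, not SurfControl code. The function names, the one-token-one-argument expansion and the stand-in checker programs are assumptions; the point it shows is that values such as $S and $B originate in the message and should reach the external program as inert arguments.

```python
import operator
import re
import subprocess
import sys

# "Will Return TRUE" options and the comparison each applies to
# (return value, N), following Table 6-17 as printed.
CONDITIONS = {
    "Always": operator.eq,
    "Never": operator.ne,
    "Less than": operator.lt,
    "Less than or equal to": operator.le,
    "Greater than": operator.gt,
    "Greater than or equal to": operator.ge,
}

OPERATOR_RE = re.compile(r"\$[FSRDTBZNWV]")  # message part operators


def expand_parameters(template, message):
    """Expand message part operators into an argument list.

    Assumption: each whitespace-separated token of the Command Line
    Parameters field becomes exactly one argument. Sender ($S) and
    subject ($B) text comes from the message, so it is substituted in a
    single pass and is never split or expanded a second time.
    """
    def substitute(token):
        return OPERATOR_RE.sub(lambda m: str(message.get(m.group(0), "")), token)
    return [substitute(token) for token in template.split()]


def run_plugin(program, template, message, condition, n, timeout_s, reverse=False):
    """Run the external program and decide whether the rule triggers.

    Returns True or False, or None when the timeout period expires and
    processing simply moves on to the next step.
    """
    argv = list(program) + expand_parameters(template, message)
    try:
        done = subprocess.run(argv, shell=False, timeout=timeout_s,
                              stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return None
    triggered = CONDITIONS[condition](done.returncode, n)
    # Reverse Logic negates the outcome of the selected condition.
    return (not triggered) if reverse else triggered


# Constructed stand-ins for a third-party checker: the first exits with
# code 2 when the subject (second argument) mentions "invoice", else 0;
# the second never finishes within the timeout.
CHECKER = [sys.executable, "-c",
           "import sys; sys.exit(2 if 'invoice' in sys.argv[2].lower() else 0)"]
SLOW_CHECKER = [sys.executable, "-c", "import time; time.sleep(30)"]

# Constructed message values, including shell metacharacters in the subject.
SAMPLE = {"$S": "billing@example.test", "$B": 'Invoice "overdue" & more'}

if __name__ == "__main__":
    print(expand_parameters("$S $B", SAMPLE))
    print(run_plugin(CHECKER, "$S $B", SAMPLE, "Always", 2, 30))
    print(run_plugin(SLOW_CHECKER, "$S $B", SAMPLE, "Always", 2, 0.5))
```

If the external program is a batch file or shell wrapper, the same message-derived values need quoting inside that wrapper as well.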

Reverse Logic

Table 6-18 Reverse Logic - External Program PlugIn object

| Logical condition | Reverse Logic | Result |
|---|---|---|
| Always | Disabled | If the value returned is N, the rule will trigger. |
| Always | Enabled | If the value returned is not N, the rule will trigger. |
| Never | Disabled | If the value returned is not N, the rule will trigger. |
| Never | Enabled | If the value returned is N, the rule will trigger. |
| Less than | Disabled | If the value returned is less than N, the rule will trigger. |
| Less than | Enabled | If the value returned is greater than or equal to N, the rule will trigger. |
| Less than or equal to | Disabled | If the value returned is less than or equal to N, the rule will trigger. |
| Less than or equal to | Enabled | If the value returned is greater than N, the rule will trigger. |
| Greater than | Disabled | If the value returned is greater than N, the rule will trigger. |
| Greater than | Enabled | If the value is less than or equal to N, the rule will trigger. |
| Greater than or equal to | Disabled | If the value returned is greater than or equal to N, the rule will trigger. |
| Greater than or equal to | Enabled | If the value returned is less than N, the rule will trigger. |

FILE ATTACHMENT OBJECT

The File Attachment object triggers a rule when it detects a specified file type as an attachment to an email. SurfControl Filter examines the contents of a file and detects its native format, so even if a .bmp file was renamed as a .doc file, SurfControl Filter would still recognize it as a bitmap file. However, for unsupported file types, the filter only analyzes the attachment according to its extension.

If you configure a File Attachment object to scan for archive files, SurfControl Filter attempts to decompress these archives into their component files. If successful, it will break up the archive into its component files and act on these files, discarding the archive wrapper.

If it fails to decompress the archive, for example in the case of a protected archive where the password is not supplied, Filter will apply an If Message contains any archive files rule condition to the file.

You can also add your own file types to the list.

Warning: If you configure the File Attachment object to trigger the rule when it detects document files, the rule will also trigger if it detects Web archive files (.mht).

You can view a complete list of file types supported by SurfControl Filter in Appendix B.

CONFIGURING THE FILE ATTACHMENT OBJECT

Supported File Types

See Supported File Types on page 386 for a full list of the file types that Filter can process.

Advanced Settings

If you specify that the File Attachment object detects archive files, you can select what Filter does if it detects this type of file:

Table 6-19 Advanced Settings - Archive Files

| Setting | What it does |
|---|---|
| Trigger Archive file types only on archive files that cannot be decompressed. | If Filter detects an archive file and cannot decompress it, it will trigger the rule. If Filter detects an archive file that it can decompress, it will scan the component files and apply the enabled rule set to them. |
| Trigger Archive file types on any archive file. | If Filter detects any archive file, it will trigger the rule. |

You can also specify that the rule triggers only if all the files attached to an email are of the same type.

Including the File Attachment Object in a Rule

To include the File Attachment object in a rule, follow Procedure 6-14:

Procedure 6-14: Configuring the File Attachment object

1. Drag the File Attachment object into position on the Rules palette.

2. The File Attachment dialog box is displayed.
3. Select the file types you want to trigger the rule. You can select a group of file types, such as image files, or an individual file type, such as .jpg. You can also add file types to the list. See Adding File Types.
4. If you want the rule to trigger if there is an attachment of any type, select Any Attachment.
5. Click OK.

Adding File Types

Note: Ensure that the file type that you add is supported; Filter cannot detect unsupported file types if they have been renamed.

To add a file type to the list, follow Procedure 6-15:

Procedure 6-15: Adding a file type to the list

1. Drag the File Attachment object into position in the Rules palette.

2. The Properties for File Attachment dialog box is displayed.
3. Click Add.
4. The Add File Extension dialog box is displayed.
5. Enter the file type to add.
   Note: Do not include the period (.) character in the extension.
6. Click OK. The Add File Extension dialog box closes, and the new file type is displayed in the list under the File Extensions category. By default, the file type is not selected. Select the check box to include it in the rule.
7. Click OK.
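The content-based detection and the two archive settings of Table 6-19 can be sketched in Python as follows. This is an added example, not Filter's implementation: the signature table is a small illustrative subset, the function names and size cap are assumptions, and the "protected" archive is a constructed sample whose encryption flag is set by hand.

```python
import io
import zipfile

# Leading bytes ("magic numbers") of a few formats; an illustrative
# subset, not Filter's supported file types list.
MAGIC = [
    (b"BM", "bmp"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF8", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 container
]
MAX_UNPACKED = 50 * 1024 * 1024  # assumed cap on total decompressed size


def detect_type(name, data):
    """Type from content when recognised, otherwise from the extension."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def unpack(data):
    """Return [(name, bytes)] or None if the archive cannot be decompressed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
            if sum(i.file_size for i in infos) > MAX_UNPACKED:
                return None
            return [(i.filename, zf.read(i)) for i in infos]
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, password required (RuntimeError) or unsupported method.
        return None


def triggering_files(name, data, wanted, archive_mode="undecompressable"):
    """Names that trigger the rule for one attachment.

    archive_mode "undecompressable": trigger on the archive only when it
    cannot be opened, otherwise act on its component files.
    archive_mode "any": trigger on any archive file.
    """
    kind = detect_type(name, data)
    if kind == "zip" and "zip" in wanted:
        members = None if archive_mode == "any" else unpack(data)
        if members is None:
            return [name]
        hits = []
        for member_name, member_data in members:
            hits += triggering_files(name + "/" + member_name, member_data,
                                     wanted, archive_mode)
        return hits
    return [name] if kind in wanted else []


def make_zip(members, protected=False):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member_name, member_data in members:
            zf.writestr(member_name, member_data)
    raw = bytearray(buf.getvalue())
    if protected:
        # Set the "encrypted" flag bit in the first central directory
        # entry so that a reader asks for a password.
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


BMP = b"BM" + bytes(52)  # constructed bitmap header stub
BUNDLE = make_zip([("pic.doc", BMP), ("readme.txt", b"hello")])
LOCKED = make_zip([("pic.doc", BMP)], protected=True)

if __name__ == "__main__":
    print(detect_type("notes.doc", BMP))
    print(triggering_files("bundle.zip", BUNDLE, {"zip", "bmp"}))
    print(triggering_files("locked.zip", LOCKED, {"zip", "bmp"}))
```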

Reverse Logic

You can reverse the logic of the File Attachment object. This means that the rule will trigger if Filter does not find attachments of the type you specify:

Table 6-20 Reverse Logic - File Attachments

| Trigger only if attachments are all of selected type | Reverse Logic | Result |
|---|---|---|
| Disabled | Disabled | If the File Attachment object finds files of the type specified, the rule will trigger. |
| Disabled | Enabled | If the File Attachment object does not find any files of the type specified, the rule will trigger. |
| Enabled | Disabled | If the File Attachment object finds files of the type specified, and all the attachments are of the same file type, the rule will trigger. |
| Enabled | Enabled | If the File Attachment object does not find any attachments, the rule will trigger. If the File Attachment object finds more than one attachment and the attachments are not of the same file type, the rule will trigger. |

ILLEGAL MIME FORMAT

MIME stands for Multipurpose Internet Mail Extensions, an Internet standard that specifies the format of emails so that they can be exchanged between different email systems. MIME is a flexible format, so that many types of file or document can be included in an email. MIME emails can contain text, images, audio, video, or other application-specific data.

An email and its attachments must be translated (demimed) by a mail client so that a user can read it. Most mail clients are built to be tolerant of loose interpretations of MIME to allow the sending of emails that contain flawed MIME coding. This flexibility makes it easier for communication to flow between different systems, but it also poses security risks, because virus writers can create malicious hand-coded MIME sequences. The Illegal MIME Format object detects emails and attachments that do not pass Filter's rigorous process.

CONFIGURING THE ILLEGAL MIME FORMAT OBJECT

Emails can fail the object for the following reasons:

- A mail client produces a non-standard email.
- An attachment is invalid.
- The email contains malicious code.

SurfControl recommends that you implement the Illegal MIME Format object in a rule at the top of the rules list, and place any emails that trigger the DeMIME Failure object into a dedicated Isolate folder for analysis.

Warning: Be aware that some of these emails may contain viruses.

There are two kinds of scans Filter can perform:

- Detect non-standard email: Filter will scan the email body.
- Detect invalid attachment: Filter will scan any files attached to the email.

When you include the Illegal MIME Format object in a rule you can specify that Filter performs either or both of these scans.

To include the Illegal MIME Format object in a rule, follow Procedure 6-16:

Procedure 6-16: Configuring the Illegal MIME Format object

1. Drag the Illegal MIME Format object into position in the Rules palette.
2. The Properties for Illegal MIME Format dialog box is displayed.
3. Select either or both of the check boxes:
   - Detect non-standard message: Scans for emails that do not comply with RFC standards.
   - Detect invalid attachments: Scans for attachments that have an invalid format and have failed to demime correctly.
4. Click OK.
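A strict-parsing check of this kind can be illustrated with Python's standard email parser, which records a defect for each piece of flawed MIME it tolerates. This is an added example, not Filter's demime process; the mapping of defects onto the two check boxes and the sample messages are constructed assumptions.

```python
from email import policy
from email.parser import BytesParser


def mime_findings(raw):
    """Parse one message and sort the parser's defects into two buckets."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"non_standard_message": [], "invalid_attachment": []}
    for part in msg.walk():
        if not part.is_multipart():
            # Decoding the transfer encoding is what surfaces base64 defects.
            part.get_payload(decode=True)
        names = [type(d).__name__ for d in part.defects]
        for header in part.values():
            names += [type(d).__name__ for d in getattr(header, "defects", ())]
        # Assumption: defects on a part that carries a filename count as an
        # invalid attachment, everything else as a non-standard message.
        bucket = "invalid_attachment" if part.get_filename() else "non_standard_message"
        findings[bucket] += names
    return findings


def build(*lines):
    return "\r\n".join(lines).encode("ascii")


# Constructed sample messages.
HEADERS = ["From: sender@example.test", "To: rcpt@example.test",
           "Subject: quarterly report", "MIME-Version: 1.0"]
BODY_PART = ["--b1", 'Content-Type: text/plain; charset="us-ascii"', "",
             "See attachment."]
ATTACHMENT_HEAD = ["--b1", "Content-Type: application/octet-stream",
                   "Content-Transfer-Encoding: base64",
                   'Content-Disposition: attachment; filename="report.bin"', ""]

WELL_FORMED = build(*HEADERS, 'Content-Type: multipart/mixed; boundary="b1"', "",
                    *BODY_PART, *ATTACHMENT_HEAD, "SGVsbG8=", "--b1--", "")

# Same message, but the base64 padding is missing and the closing
# boundary was never written.
MALFORMED = build(*HEADERS, 'Content-Type: multipart/mixed; boundary="b1"', "",
                  *BODY_PART, *ATTACHMENT_HEAD, "SGVsbG8", "")

# Claims to be multipart but declares no boundary at all.
NO_BOUNDARY = build(*HEADERS, "Content-Type: multipart/mixed", "",
                    "body text", "")

if __name__ == "__main__":
    for label, raw in (("well-formed", WELL_FORMED), ("malformed", MALFORMED),
                       ("no boundary", NO_BOUNDARY)):
        print(label, mime_findings(raw))
```

A tolerant mail client would display all three samples; only the defect list distinguishes them, which is why quarantining on defects is useful at the top of a rule list.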

LEXIMATCH OBJECT

The LexiMatch object uses advanced Boolean searches to check for specific words or combinations of words. This means that you can trigger a rule when words are used in one context, for example breast enlargement, but allow the same word to be used in a different context, for example breast cancer.

CONFIGURING THE LEXIMATCH OBJECT

To configure the LexiMatch object you need to:

- Select which parts of the email you want to scan for LexiMatch content.
- Select words from the dictionaries and specify the relationship between them to create word patterns.

Connecting Words

There are three operators that you can use to join words from the dictionary. Table 6-21 describes the operators using the example words Red and Blue.

Table 6-21 Word Operators

| Operator | Example word pattern | What it does |
|---|---|---|
| AND | Red AND Blue | If the scanned part of the email contains the word Red and the word Blue, the rule will trigger. The words can occur any distance apart and in any order. |
| OR | Red OR Blue | If the scanned part of the email contains either the word Red or the word Blue, the rule will trigger. |
| NEAR | Red NEAR Blue | If the scanned part of the email contains both Red and Blue within the number of characters specified in the NEAR distance, the rule will trigger. If the two words are further apart than the specified NEAR distance, the rule will not trigger. |

Near Distance

When you create a word pattern using the NEAR operator, Filter evaluates whether:

1. The email contains the words in the word pattern.
2. The words are less than the specified number of characters (the NEAR distance) apart.

The NEAR distance applies only to this rule. You can set different NEAR distances for each rule you create that uses the LexiMatch object.

Joining Word Patterns Together

As well as joining single words together you can join word patterns together to form more sophisticated combinations by using JOIN commands. Table 6-22 describes the JOIN commands, using examples Phrase A and Phrase B.

Table 6-22 JOIN commands

| JOIN command | Example | What it does |
|---|---|---|
| AND | Phrase A AND Phrase B | If the scanned part of the email contains Phrase A AND Phrase B, the rule will trigger. |
| AND NOT | Phrase A AND NOT Phrase B | If the scanned part of the email contains Phrase A but NOT Phrase B, the rule will trigger. |
| OR | Phrase A OR Phrase B | If the scanned part of the email contains EITHER Phrase A OR Phrase B, the rule will trigger. |
| OR NOT | Phrase A OR NOT Phrase B | If the scanned part of the email contains Phrase A, the rule will trigger. If the scanned part of the email does NOT contain Phrase A but also does NOT contain Phrase B, the rule will trigger. |

Including the LexiMatch Object in a Rule

To include the LexiMatch object in a rule, follow Procedure 6-17:

Procedure 6-17: Configuring the LexiMatch object

1. Drag the LexiMatch object into position in the Rules palette.

2. The Properties for LexiMatch dialog box is displayed.
3. Select the part of the email you want to scan for LexiMatch content:
   - Entire Message
   - Header
   - Body
   - Attachments

Create a word pattern

4. Select the dictionary, for example, Finance.
   Note: You can select a different dictionary for each word in your word pattern.
5. Select the first word in your word pattern, for example, Stocks.
6. Select the second word in your word pattern, for example, Shares.
7. Select the Operator to define the relationship between the two words, for example, Stocks AND Shares.
8. If your word pattern uses the NEAR operator, you can change the NEAR distance. This is the number of characters between the two words.

Joining word patterns together

9. Create your word patterns using the steps under Create a word pattern.
10. Join the two word patterns together using the JOIN command.
11. Click OK.

Reverse Logic

Reversing the logic of the LexiMatch object causes the rule to trigger if the email does not contain the specified words or phrases:

Table 6-23 Reverse Logic - LexiMatch object

| Reverse Logic | Result |
|---|---|
| Disabled | If the email contains the specified words or word patterns and meets the specified conditions, for example, NEAR distance, the rule will trigger. |
| Enabled | If the email does not contain the specified words or word patterns, or the word patterns do not meet the specified conditions, for example, NEAR distance, the rule will trigger. |

Reversing the logic of a LexiMatch object is useful if you combine the LexiMatch object with a Dictionary Threshold object. For example, you can create a rule that triggers if it detects words from the Adult dictionary, but which would not trigger if the same words were used in, for example, a medical context.

Figure 6-4 Using a Reverse Logic LexiMatch object with a Dictionary Threshold
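The scoring described under How the Dictionary Threshold Object Works and the LexiMatch operators, JOIN commands and reverse-logic combination described above can be modelled together in Python. This is an added example, not Filter's code: the dictionary fragments, the way NEAR distance is measured, and the assumption that both objects must trigger for the combined rule are illustrative.

```python
import re

# Constructed dictionary fragments (word -> value). The Gambling values
# follow the guide's example; the Adult entries and values are assumptions.
GAMBLING = {"baccarat": 50, "blackjack": 50, "slot machine": 50}
ADULT = {"breast": 100, "enlargement": 50}


def spans(text, word):
    """(start, end) of every whole-word, case-insensitive occurrence."""
    pattern = r"\b" + re.escape(word) + r"\b"
    return [m.span() for m in re.finditer(pattern, text, re.IGNORECASE)]


def dictionary_score(text, *dictionaries):
    """Add up entry values, cumulative across all selected dictionaries.

    Assumption: every occurrence of an entry adds its value.
    """
    return sum(value * len(spans(text, word))
               for d in dictionaries for word, value in d.items())


def dictionary_threshold(text, dictionaries, n=100, reverse=False):
    score = dictionary_score(text, *dictionaries)
    # Table 6-15: "N or higher" normally, "N or lower" when reversed, so
    # a score of exactly N triggers in both modes.
    return score <= n if reverse else score >= n


def word_pattern(text, left, op, right, near=10):
    """Evaluate one word pattern with the operators of Table 6-21."""
    a, b = spans(text, left), spans(text, right)
    if op == "AND":
        return bool(a) and bool(b)
    if op == "OR":
        return bool(a) or bool(b)
    if op == "NEAR":
        # Assumption: distance is the number of characters between the
        # two words, whichever comes first.
        return any(max(b_start - a_end, a_start - b_end) <= near
                   for a_start, a_end in a for b_start, b_end in b)
    raise ValueError(op)


def join(a, command, b):
    """JOIN commands of Table 6-22 applied to two evaluated word patterns."""
    return {"AND": a and b, "AND NOT": a and not b,
            "OR": a or b, "OR NOT": a or not b}[command]


def adult_rule(text):
    """Dictionary Threshold (Adult) plus a reverse-logic LexiMatch.

    Assumption: both objects must trigger for the rule to trigger.
    """
    medical_context = word_pattern(text, "breast", "NEAR", "cancer", near=10)
    return dictionary_threshold(text, [ADULT], n=100) and not medical_context


# Constructed sample texts.
GAMBLING_MAIL = "Tonight: baccarat, blackjack and a new slot machine."
SPAM_MAIL = "Special offer: breast enlargement pills, order today"
MEDICAL_MAIL = "Reminder: your breast cancer screening is on Monday"

if __name__ == "__main__":
    print(dictionary_score(GAMBLING_MAIL, GAMBLING))
    print(adult_rule(SPAM_MAIL), adult_rule(MEDICAL_MAIL))
```

Both sample emails reach the Adult threshold on their own; only the reversed NEAR pattern keeps the medical one from triggering the rule.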

LOOP DETECTION OBJECT

The Loop Detection object detects looping emails between two or more servers. It can detect four different kinds of looping emails:

- Single looping.
- Looping emails due to Auto-Forwarding rules on servers.
- Outgoing reply to Delivery-failure looping emails.
- Looping of Delivery-failure emails to and from the same user.

The Loop Detection object marks each email passing through it with a unique domain ID. If the mark is already there, the Loop Detection object recognizes that it has been processed before and checks it for looping. The best way to deal with looping emails is to isolate them into a dedicated folder.

CONFIGURING THE LOOP DETECTION OBJECT

To include the Loop Detection object in a rule you need to specify:

- How many occurrences of an email will trigger the rule.
- The condition that will identify the email as looping:
  - Greater than or equals: if the occurrences of one email reach the number specified in Message Occurrences, or higher, the Loop Detection object will trigger.
  - Equals: if the occurrences of one email reach exactly the number specified in Message Occurrences, the Loop Detection object will trigger.

The Loop Detection object also checks the header of emails to detect delivery failure notices. Because looping is commonly caused by delivery failure notices, you can set the Loop Detection object to trigger the rule when it encounters the header of a delivery failure notice. By default, the Loop Detection object will trigger the rule if the header contains any of the following:

- <>
- could not be sent
- delivery failure
- postmaster
- report-type=delivery status

You can edit this list; see Configuring Delivery Failure Loop Detection.

To include the Loop Detection object in a rule, follow Procedure 6-18:

Procedure 6-18: Configuring the Loop Detection object

1. Drag the Loop Detection object into position in the Rules palette.
2. The Properties for Loop Detection dialog box is displayed.
3. Enter the number of occurrences of the same email that will trigger the rule. Default = 5
4. Enter the condition that will trigger the rule:
   - Greater than or equals: If the number of times that the email passes through Filter is greater than or equal to the number you specified in step 3, the rule will trigger.
   - Equals: If the number of times that the email passes through Filter is exactly equal to the number you specified in step 3, the rule will trigger.
5. Click OK.

Configuring Delivery Failure Loop Detection

To set up the Loop Detection object to detect Delivery Failure notices, follow Procedure 6-19:

Procedure 6-19: Configuring Delivery Failure Loop Detection

1. Drag the Loop Detection object into position in the Rules palette.
2. The Properties for Loop Detection dialog box is displayed. In the Delivery Failure loop detection area, click Configure.
3. The Delivery Failure Configuration dialog box is displayed. Click Add.

4. The Add message header text dialog box is displayed.
5. Enter the text to be used to identify delivery failure messages, for example Failure Notice. The Loop Detection object will check the message header to see if it contains this text string.
6. Click OK.
7. The text string is displayed in the Delivery Failure Configuration dialog box.

Advanced Settings

The Loop Detection object has the following advanced settings:

Unique Identifier. The Loop Detection object uses a unique identifier to track emails as they pass through SurfControl Filter. The default number that is generated during installation is displayed in the box, but you can edit this number. If you are running Filter on more than one server, you should edit the number to ensure that all servers in your domain share the same Unique Identifier.

Procedure 6-20: Editing the Unique Identifier

1. Drag the Loop Detection object into position in the Rules palette.

2. The Properties for Loop Detection dialog box is displayed. Click Advanced.
3. The Advanced dialog box is displayed.
4. In the Unique Identifier text box, enter the code to be used as a unique identifier for emails. You can use up to 36 characters.
5. Click OK.

Forwarded Messages. Looping is sometimes caused by auto-forwarding emails as attachments. You can specify the number of levels of nesting that are allowed in forwarded emails before triggering the Loop Detection object. The default is 3. The maximum level of nesting you can allow is 25.

Procedure 6-21: Specifying Nesting Levels

1. Drag the Loop Detection object into position in the Rules palette.
2. The Properties for Loop Detection dialog box is displayed. Click Advanced.
3. The Advanced dialog box is displayed. Enter the number of levels of nesting to allow in forwarded emails: Default = 3, Maximum = 25
4. Click OK.
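The marking, occurrence counting, delivery-failure header check and nesting limit described for the Loop Detection object can be modelled in Python as below. This is an added example, not Filter's implementation: the header name X-Loop-Mark, the identifier value, the sample messages and the reading of "levels allowed" as a strict upper limit are assumptions.

```python
from email.message import EmailMessage

MARK_HEADER = "X-Loop-Mark"            # hypothetical header name
UNIQUE_ID = "0f5e2a9c-constructed-id"  # constructed; up to 36 characters
# Default header strings as listed in the guide.
FAILURE_TEXT = ["<>", "could not be sent", "delivery failure",
                "postmaster", "report-type=delivery status"]


def pass_through(msg, unique_id=UNIQUE_ID):
    """Mark the message and return how many times it has now passed."""
    msg[MARK_HEADER] = unique_id  # appends one more mark on every pass
    return sum(1 for value in msg.get_all(MARK_HEADER, [])
               if str(value) == unique_id)


def is_looping(count, occurrences=5, condition="Greater than or equals"):
    if condition == "Greater than or equals":
        return count >= occurrences
    if condition == "Equals":
        return count == occurrences
    raise ValueError(condition)


def is_delivery_failure(msg, failure_text=FAILURE_TEXT):
    """True if any configured string appears in the header block."""
    block = "\n".join(f"{name}: {value}" for name, value in msg.items()).lower()
    return any(text.lower() in block for text in failure_text)


def nesting_depth(msg):
    """Levels of messages forwarded as attachments (message/rfc822)."""
    if not msg.is_multipart():
        return 0
    step = 1 if msg.get_content_type() == "message/rfc822" else 0
    return step + max((nesting_depth(p) for p in msg.get_payload()), default=0)


def exceeds_nesting(msg, allowed=3):
    # Assumption: the object triggers once depth goes beyond the allowed levels.
    return nesting_depth(msg) > allowed


def new_message(subject):
    """Constructed sample message."""
    msg = EmailMessage()
    msg["From"] = "user@example.test"
    msg["To"] = "list@example.test"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    return msg


def forward_as_attachment(inner):
    outer = new_message("Fwd: " + str(inner["Subject"]))
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer


if __name__ == "__main__":
    mail = new_message("status report")
    for _ in range(5):
        count = pass_through(mail)
        print(count, is_looping(count))
    chain = new_message("status report")
    for _ in range(4):
        chain = forward_as_attachment(chain)
    print(nesting_depth(chain), exceeds_nesting(chain))
```

Counting only marks that equal the local identifier is why servers in one domain need to share the same Unique Identifier: a mark written by a server with a different value would not be counted.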

Reverse Logic

Table 6-24 shows the behavior of reverse logic, where N is the number of occurrences of an email.

Table 6-24 Reverse Logic - Loop Detection object

| Condition | Reverse Logic | Result |
|---|---|---|
| Greater than or Equals | Disabled | If the email passes through Filter N times or more, the rule will trigger. |
| Greater than or Equals | Enabled | If the email passes through Filter less than N times, the rule will trigger. |
| Equals | Disabled | If the email passes through Filter exactly N times, the rule will trigger. |
| Equals | Enabled | If the email does not pass through Filter exactly N times, the rule will trigger. |

MESSAGE SIZE OBJECT

The Message Size object enables you to restrict the size of emails or of files sent as attachments. You enter a value for the maximum size allowed. Alternatively, you can restrict the size of the largest single file attachment in an email.

CONFIGURING THE MESSAGE SIZE OBJECT

To include the Message Size object in a rule, follow Procedure 6-22:

Procedure 6-22: Configuring the Message Size object

1. Drag the Message Size object into position in the Rules palette.

2. The Message Size dialog box is displayed.
3. Select what the Message Size object is to check:
   - The total message size
   - The size of the largest attachment
4. In the Maximum size: field, specify the largest file size (in KB) to allow.
5. Click OK.

Reverse Logic

Table 6-25 shows the behavior of the Message Size object if you reverse the logic:

Table 6-25 Reverse Logic - Message Size object

| Reverse Logic | Result |
|---|---|
| Disabled | If an email is larger than the maximum size you specified, the rule will trigger. |
| Enabled | If an email is smaller than the maximum size you specified, the rule will trigger. |

NUMBER OF RECIPIENTS OBJECT

The Number of Recipients object limits the number of users that can receive any one email. This is particularly useful if you are trying to manage your corporate bandwidth.

CONFIGURING THE NUMBER OF RECIPIENTS OBJECT

To include the Number of Recipients object in a rule, follow Procedure 6-23:

Procedure 6-23: Configuring the Number of Recipients object

1. Drag the Number of Recipients object into position in the Rules palette.
2. The Properties for Number of Recipients dialog box is displayed.
3. In the Number of Recipients: field, enter the maximum number of users for any one email. If an email has more than the specified number of recipients, the rule triggers.
4. Click OK.

Reverse Logic

Table 6-26 shows the behavior of the Number of Recipients object if you reverse the logic:

Table 6-26 Reverse Logic - Number of Recipients object

| Reverse Logic | Result |
|---|---|
| Disabled | If an email is sent to more than the maximum number of recipients you specified, the rule will trigger. |
| Enabled | If an email is sent to fewer than the maximum number of recipients you specified, the rule will trigger. |

INTERNET THREAT DATABASE OBJECT

You can prevent the sending and receiving of inappropriate web links by email by using the Internet Threat Database object. This object detects when an email contains a URL, and checks that URL against the Internet Threat Database. This database classifies billions of Web sites into the following categories:

- Adult/Sexually Explicit
- Criminal Skills
- Drugs, Alcohol and Tobacco
- Gambling
- Hacking/Spyware
- Intolerance/Hate
- Violence/Tasteless
- Weapons

You can therefore prevent the sending and receiving of emails that contain links to Web sites of this nature.

The Internet Threat Database object is an optional component that needs a separate license. If you are an evaluating customer, you can use the Internet Threat Database object for the duration of your 30-day evaluation period. To buy a license, please contact SurfControl Sales.

CONFIGURING THE INTERNET THREAT DATABASE OBJECT

To configure the Internet Threat Database, you need to specify which categories you want to detect. To include the Internet Threat Database object in a rule, follow Procedure 6-24:

Procedure 6-24: Configuring the Internet Threat Database object

1. Drag the Internet Threat Database object into position on the Rules palette.
2. Select the categories of URL you want to detect in emails, or select All Categories.
3. Click OK.

Reverse Logic

Table 6-27 shows the behavior of the Internet Threat Database object if you reverse the logic:

Table 6-27 Reverse Logic - Internet Threat Database object

| Reverse Logic | What it does |
|---|---|
| Disabled | If the email contains a URL that matches one of the selected categories, the rule will trigger. |
| Enabled | If the email contains a URL that does not match any of the selected categories, the rule will trigger. |

VIRTUAL IMAGE AGENT OBJECT

The Virtual Image Agent (VIA) is a powerful image recognition tool that scans graphics files for explicit adult content.

The VIA is an optional component that needs a separate license. If you are an evaluating customer, you can use the VIA object for the duration of your 30-day evaluation period. To buy a license, contact SurfControl Sales.

The VIA uses intelligent scanning technology to analyze images. You decide the sensitivity of the image analysis. A high sensitivity setting will result in more explicit adult images being detected but also more false positives. Setting the slider to Low will result in fewer false positives, but also in fewer explicit adult images being detected.

CONFIGURING THE VIA OBJECT

To include the VIA object in a rule, follow Procedure 6-25:

Procedure 6-25: Configuring the VIA object

1. Drag the Virtual Image Agent object into position in the Rules palette.
2. The Properties for Virtual Image Agent dialog box is displayed.
3. Set the sensitivity, and then click OK.

Reverse Logic

Table 6-28 shows the behavior of the VIA object if you reverse the logic:

Table 6-28 Reverse Logic - VIA object

| Reverse Logic | Result |
|---|---|
| Disabled | If the email contains any images that are caught by the VIA on your chosen setting, the rule will trigger. |
| Enabled | If the email contains any images, and none of them are caught by the VIA on your chosen setting, the rule will trigger. |

THE VIRTUAL LEARNING AGENT OBJECT

The Virtual Learning Agent (VLA) is a unique content development tool that you can train to understand and recognize business-confidential content. Deploying the VLA with SurfControl Filter provides the most comprehensive filtering tool to protect your corporate confidential documents and business-critical information from the security risks arising from confidential data leakage.

The VLA object uses the adaptive reasoning technology of the VLA to identify words and phrases in documents you select as representative of your organization's confidential material. You can use the VLA object to determine if an email contains confidential data.

CONFIGURING THE VLA OBJECT

Before you can use the VLA object in a rule, you must train the VLA to recognize the business-confidential content you want to detect. To train the VLA, see Virtual Learning Agent on page 339.

When you have trained the VLA, you can use the VLA object to identify business-confidential content. To use the VLA object in a rule, follow Procedure 6-26:

Procedure 6-26: Configuring the VLA object

1. Drag the VLA object into position in the Rules palette.

2. The VLA object dialog box is displayed.
3. Select the VLA category for the VLA object to detect.
4. Click OK.

Reverse Logic

Table 6-29 shows the behavior of the VLA object if you reverse the logic:

Table 6-29 Reverse Logic - VLA object

| Reverse Logic | Result |
|---|---|
| Disabled | If the email contains content that the VLA object recognizes as belonging to a trained VLA category, the rule will trigger. |
| Enabled | If the email doesn't contain any content that the VLA object recognizes as belonging to a trained VLA category, the rule will trigger. |

WHEN OBJECT

The When object controls the day and time that a rule is active. For example, you can combine a When object with a Message Size object so that large files are sent over your network outside of working hours, when demand for bandwidth is lower.

CONFIGURING THE WHEN OBJECT

To set the time when a rule is active you can specify:
- The time of day that the rule will start and finish.
- The days of the week that the rule is active.
- A calendar period when the rule is active.

To include a When object in a rule, follow Procedure 6-27:

Procedure 6-27: Configuring the When object
1. Drag the When object into position in the Rules palette.

Procedure 6-27: Configuring the When object (Continued)
2. The Properties for When dialog box is displayed.
3. In the Start and Finish boxes, enter the times you want the rule to start and finish. For example:
   Start 09:00:00
   Finish 17:00:00
   Note: The When object uses the 24-hour clock. This means that AM times are and PM times are
4. Enter either:
   - The days of the week you want the rule to be active, such as Monday - Friday.
   - The calendar day you want the rule to start and/or finish. For example:
     - Trigger after 19 August
     - Trigger before 25 August 2004
     This means the rule will be active between August 19 and 25,
5. Click OK.

Reverse Logic

Table 6-30 shows the behavior of the When object when you reverse the logic:

Table 6-30 Reverse Logic When object
Reverse Logic | Result
Enabled | If the time is between the start and finish times and dates you specify, the rule will trigger.
Disabled | If the time is outside the start and finish times/dates you specify, the rule will trigger.

OPERATIONS OBJECTS

Operations objects make changes to either an email or parts of an email (such as the header). Table 6-31 details the Operations objects:

Table 6-31 Operations objects
Operations object | What it does | Find out more
Archive Message | Stores a copy of the email in a specified location. | page 198
Compress Attachments | Compresses attachments into a single archive, reducing the email's size. | page 199
Footers & Banners | Adds a footer or a banner to the email. | page 202
Header Modification | Edits, removes or appends header fields. | page 204
HTML Stripper | Removes active HTML content from the email. | page 207
Routing | Redirects emails to the mail server or MTA you specify. | page 209
Strip Attachments | Removes attachments from an email before sending to the recipient. | page 211

ARCHIVE MESSAGE

The Archive Message object saves a copy of an email to the folder you specify, so that you can keep a record of email sent or received.

CONFIGURING THE ARCHIVE MESSAGE OBJECT

When you install Filter, the setup program creates a folder at a default location that you can use to archive emails. You can specify a different location when you configure the object to use in a rule.

You also need to specify how emails are archived. You can:
- Archive the original message: Filter will archive the email exactly as it was when it was placed in the In folder. For example, if the email has had its HTML content stripped by a previous rule, the email will be saved with its HTML content still present.
- Archive the current message state: Filter will save a copy of the email in the condition it is in at the current stage of processing. For example, if the email has had its HTML content stripped by a preceding rule, the email will be saved without its HTML content.

To include the Archive Message object in a rule, follow Procedure 6-28:

Procedure 6-28: Configuring the Archive Message object
1. Drag the Archive Message object into position in the Rules palette.
2. The Properties for Archive Message dialog box is displayed.
3. Enter or browse to the folder where you want to archive emails. The default Archive folder is in the SurfControl Filter directory.
4. Select how you want emails to be archived:
   - Archive the original message
   - Archive the current message state.
5. Click OK.

COMPRESS ATTACHMENTS OBJECTS

The Compress Attachments object compresses file attachments, which reduces file size and conserves network bandwidth.

CONFIGURING THE COMPRESS ATTACHMENTS OBJECT

When you include the Compress Attachments object in a rule, you can specify the types of file to compress. You can:
- Compress all attachments
- Compress attachments of the type you specify
- Compress attachments NOT of the type you specify.

You can also specify:
- Whether Filter will create a log entry in the system database to record that it has compressed an attachment.
- What filename will be given to the file containing the compressed attachments.

To include the Compress Attachments object in a rule, follow Procedure 6-29:

Procedure 6-29: Configuring the Compress Attachments object
1. Drag the Compress Attachments object into position on the Rules palette.
2. The Properties for Compress Attachments dialog box is displayed.
3. Select which file types you want Filter to compress:
   - All attachments
   - Attachments of the type selected. Go to step 5.
   - Attachments of the type not selected. Go to step 6.
   If you do not see the file type you want, you can add it. See Adding File Types on page
4. If you select All attachments, the file selection area is unavailable.
5. If you selected Attachments of the type selected, select the file types to compress. You can select groups of file types, such as audio files, or individual file types, such as .mp3 files.
6. If you selected Attachments of the type not selected, select those file types that you do NOT want to compress.
7. Click OK.

Procedure 6-29: Configuring the Compress Attachments object (Continued)
Advanced Settings
8. Click Advanced properties. The Advanced Properties dialog box is displayed.
9. To record that an attachment has been compressed, select Log this operation to the database.
10. If needed, enter the name of the zip file that will contain the compressed attachments. Default = attachments.zip
11. Click OK.

Adding File Types

If you have added a file type when configuring the File Attachment object (see File Attachment Object on page 172), the file type will already be included in the Compress Attachments list. To add a file type to the list, follow Procedure 6-30:

Procedure 6-30: Adding a file type to the list
1. In the Properties for Compress Attachments dialog box, click Add Extension.

Procedure 6-30: Adding a file type to the list (Continued)
2. The Add File Extension dialog box is displayed.
3. Enter the file type to add to the list.
   Note: Do not include the period (.) in the extension.
4. Click OK. The new file type is displayed in the list. By default, the file type is not selected. To include the file type in the rule, select its check box.
5. Click OK.

FOOTERS AND BANNERS OBJECT

You can add footers and banners to an email, for example to act as a disclaimer. A footer is attached at the end of an email, a banner at the beginning.

CONFIGURING THE FOOTERS AND BANNERS OBJECT

When you use the Footers and Banners object in a rule, you need to decide:
- Whether to add a footer or a banner.
- Whether the footer or banner is to be included in all emails, or only for selected users or groups.
- The text of the footer or banner.
- Whether the footer or banner will override the previous one.

Footer and Banner Variables

You can enter the following variables into the footer and banner text:
$B | the subject
$C | the dictionary score
$D | the date that the email was processed
$F | the filename
$N | the name of the triggered rule

$R | the recipient's name
$S | the sender's name
$T | the time of processing
$V | the name of the virus detected by the Anti-Virus Agent
$Z | the size

To include the Footers and Banners object in a rule, follow Procedure 6-31:

Procedure 6-31: Configuring the Footers and Banners object
1. Drag the Footers and Banners object into position in the Rules palette.
2. The Properties for Footers and Banners dialog box is displayed.
3. Specify the users that the footer and/or banner will apply to. This can be:
   - a domain, for example mycompany.com
   - an individual user, for example username@mycompany.com
   Leave the box blank to apply the footer to all users.
4. Type your text in the Text area or import text from a text file (see step 7).
5. By default, a footer is added. To add banner text, select Add text as Banner.
6. If you have several footer objects in your rules, but only want one to be displayed on any individual email, select the Override previous footer or banner check box. This adds only the last footer of your rules logic to an email.

Procedure 6-31: Configuring the Footers and Banners object (Continued)
Importing Footer/Banner text from a text file
7. Click Import. The Import Footer dialog box is displayed.
8. Find and select your text file. There is example text for footers and/or banners in \SurfControl Filter\SampleFooter.txt
9. Select the file. The text is displayed in the Text area.
10. Click OK.

HEADER MODIFICATION OBJECT

The Header Modification object can change header field values, such as the Subject, Return Path or To: fields, in the way you specify. For example, if you have a generic account for some incoming email, such as customerservices@mycompany.com, you can use the Header Modification object to modify the To: field of the email and replace it with the address of an individual in your organization. This means that customers can send an email to the generic address, but the email will always reach an individual who can respond to it.
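The generic-address rewrite described above, together with the Find/Replace, Remove, Add/Overwrite, Add/Append and Add/Prepend actions this guide lists for the object, can be modelled with Python's standard email package. This is an added example, not SurfControl code: the function name, the action keywords and the sample message are assumptions, and rejecting line breaks in the replacement text is an added safeguard rather than documented product behaviour.

```python
from email import message_from_string

# Constructed sample message, for illustration only.
SAMPLE = (
    "Received: from mx.example.net by filter.mycompany.com\n"
    "Message-ID: <constructed-1@example.net>\n"
    "From: customer@example.net\n"
    "To: customerservices@mycompany.com\n"
    "Subject: Hello\n"
    "\n"
    "Body text.\n"
)

# The guide names these as path fields on which Remove is not available.
PATH_FIELDS = {"x-envelope-to", "to", "cc", "from", "return-path"}
ACTIONS = {"find_replace", "remove", "overwrite", "append", "prepend"}


def modify_header(msg, action, field, text="", find=""):
    """Apply one action to every occurrence of `field`, keeping header order."""
    name = field.lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if action == "remove" and name in PATH_FIELDS:
        raise ValueError(f"Remove is not available for {field}")
    if action == "find_replace" and not find:
        raise ValueError("Find/Replace needs text to find")
    if "\r" in text or "\n" in text:
        # Added safeguard (assumption): a line break would start a new header.
        raise ValueError("replacement text must not contain line breaks")

    def change(value):
        if action == "find_replace":
            return value.replace(find, text)
        if action == "overwrite":
            return text
        if action == "append":
            return value + text
        if action == "prepend":
            return text + value
        # Remove: Subject keeps the field with empty contents,
        # any other removable field disappears entirely.
        return "" if name == "subject" else None

    original = msg.items()
    rebuilt, seen = [], False
    for key, value in original:
        if key.lower() != name:
            rebuilt.append((key, value))
            continue
        seen = True
        new_value = change(value)
        if new_value is not None:
            rebuilt.append((key, new_value))
    if not seen and action in {"overwrite", "append", "prepend"}:
        # Assumption: the Add/... actions create the field when it is missing.
        rebuilt.append((field, text))

    # Rebuild the header block so the untouched fields keep their positions.
    for key in {k for k, _ in original}:
        del msg[key]
    for key, value in rebuilt:
        msg[key] = value
    return msg


if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    modify_header(m, "find_replace", "To",
                  find="customerservices@mycompany.com",
                  text="andy@mycompany.com; maewong@mycompany.com")
    modify_header(m, "remove", "Subject")
    modify_header(m, "remove", "Received")
    print(m.as_string())
```
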

CONFIGURING THE HEADER MODIFICATION OBJECT

To include the Header Modification object in a rule you need to decide:
- Which field of the email you want Filter to change.
- What changes you want to make to that field.
- Whether there are any exceptions or whether Filter will always change the field.

You can change the following fields of an email:

Table: Email fields you can modify
Field | Description
X-Envelope-To | The delivery information of the email.
To/cc: | The addresses on the To: or cc: list.
From | The sender's identity.
Return path | The address that replies to the email will be sent to.
Reply-To | The originator of the email.
Subject | The text in the Subject line of an email.
Received | The date and time the email was received.
Message ID | The email identifier.

Table 6-33 shows the actions you can perform on header fields. Not all actions are available for every header field. For example, you cannot perform a remove operation on path fields (X-Envelope-To, To/CC, From or Return Path).

Table 6-33 Header Modification Actions
Action | What it does
Find/Replace | Finds specific content in the header field and replaces it with the text you specify.
Remove | Removes the field. Note: If you remove the Subject field, only the subject description is removed and not the field itself. For example, an email with Subject: Hello would read Subject: whereas if you remove the Received and Message ID fields, both the fields and the contents are removed.
Add/Overwrite | Overwrites all the contents of the field with the text you specify.

Table 6-33 Header Modification Actions (Continued)
Action | What it does
Add/Append | Adds the text you specify after the contents of the field.
Add/Prepend | Adds the text you specify before the contents of the field.

To include the Header Modification object in a rule, follow Procedure 6-32:

Procedure 6-32: Configuring the Header Modification object
1. Drag the Header Modification object into position in the Rules palette.
2. The Properties for Header Modification dialog box is displayed. Click Add...

Procedure 6-32: Configuring the Header Modification object (Continued)
3. The Edit Header Field Modification dialog box is displayed.
4. From the Action drop-down list, select how to change the header field:
   - Find/Replace
   - Remove
   - Add/Overwrite
   - Add/Append
5. Select the header field to change.
6. Enter the Field Parameters. The fields that are available depend on the action that you selected.
7. A summary of your selected action is displayed. For example:
   Find customerservice@mycompany.com in the To:/cc field and replace with andy@mycompany.com; maewong@mycompany.com
8. Click OK.

HTML STRIPPER

The HTML Stripper object can remove active HTML content from the body of emails. Active content is code that can execute on a client PC (such as JavaScript, VBScript, Java Applets or ActiveX objects), often without the user's permission. Active content can also include malicious actions executed by the mail client when the user is viewing the email.
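The two removal modes the guide describes for this object (removing active HTML components, or delivering only the plain-text part of a multipart/alternative email) are shown here with Python's standard library. This is an added example, not SurfControl's implementation: the tag list, the reading of "active links" as javascript: and vbscript: URLs, the function names and the sample message are assumptions.

```python
import re
from email import message_from_string, policy
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
VOID_ACTIVE = {"embed"}                      # has no closing tag
URL_ATTRS = {"href", "src", "action"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

# Constructed sample message, for illustration only.
SAMPLE = """\
From: sender@example.net
To: user@mycompany.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello in plain text.
--b1
Content-Type: text/html; charset="utf-8"

<p onclick="track()">Hello <a href="javascript:run()">link</a><script>run()</script></p>
--b1--
"""


def _is_script_url(value):
    # Mail clients ignore whitespace and control characters inside the scheme.
    compact = re.sub(r"[\x00-\x20]+", "", value or "").lower()
    return compact.startswith(SCRIPT_SCHEMES)


class _Stripper(HTMLParser):
    """Re-emits HTML without active elements, event handlers or script URLs.
    Comments and processing instructions are dropped as well."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.skip = [], 0          # skip > 0 inside a removed element

    def _emit_start(self, tag, attrs):
        if self.skip:
            return
        kept = [(n, v) for n, v in attrs
                if not n.startswith("on")
                and not (n in URL_ATTRS and _is_script_url(v))]
        rendered = "".join(f" {n}" if v is None else f' {n}="{escape(v)}"'
                           for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip += tag not in VOID_ACTIVE
        else:
            self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            self._emit_start(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip = max(0, self.skip - (tag not in VOID_ACTIVE))
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

    def handle_decl(self, decl):
        self.handle_data(f"<!{decl}>")


def strip_active_html(html_text):
    parser = _Stripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


def remove_active_components(msg):
    """Mode 1: clean every text/html part, leave the rest of the email alone."""
    for part in list(msg.walk()):
        if part.get_content_type() == "text/html":
            part.set_content(strip_active_html(part.get_content()), subtype="html")
    return msg


def deliver_text_only(msg):
    """Mode 2: drop the HTML alternative; a bare HTML email ends up with no body."""
    if msg.get_content_type() == "text/html":
        msg.clear_content()
        return msg
    for part in list(msg.walk()):
        if part.get_content_type() == "multipart/alternative":
            part.set_payload([p for p in part.iter_parts()
                              if p.get_content_type() != "text/html"])
    return msg
```

An unclosed script or iframe element causes everything after it to be dropped, so malformed input fails towards less content rather than more.
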

CONFIGURING THE HTML STRIPPER OBJECT

There are two ways to remove active HTML content from emails:

- Remove active HTML components. The HTML Stripper object can remove the following types of active HTML content:
  - Scripts: JavaScript, VBScript, and so on
  - IFrame: independent HTML frames
  - Active links
  - ActiveX and software objects
  - Java applets
- Remove the HTML from multi-part emails and deliver the text-only body. Multipart/alternative emails contain both a plain text and an HTML part. Which part is shown to the recipient is determined by their email client, and (in some cases) by their choice. The HTML Stripper object can remove the HTML from this kind of email so that the recipient can only view the email in its plain text form. HTML emails that are not multipart/alternative will be delivered with no body.

The HTML Stripper either:
- Removes all active HTML components, or
- Removes the HTML content entirely. This could mean that the email is empty.

To include the HTML Stripper in a rule, follow Procedure 6-33:

Procedure 6-33: Configuring the HTML Stripper object
1. Drag the HTML Stripper object into position in the Rules palette.

Procedure 6-33: Configuring the HTML Stripper object (Continued)
2. The Properties for HTML Stripper dialog box is displayed.
3. Specify how Filter will remove HTML content if the rule is triggered. See Configuring the HTML Stripper Object on page 208 for a description of each option.
4. Click OK.

ROUTING OBJECT

The Routing object can redirect emails that trigger rules to the mail server or MTA of your choice. For example, if your organization has an email archiving policy, Filter can send a copy of emails that meet your archiving criteria to the archiving server, while processing the original emails as normal.

Before you can use the Routing object in rules, you need to configure Smart Host Routing in the Server Configuration console. See Smart Host Routing on page 72.

CONFIGURING THE ROUTING OBJECT

To include the Routing object in a rule, follow Procedure 6-34:

Procedure 6-34: Configuring the Routing object
1. Drag the Routing object into position in the Rules palette.

Procedure 6-34: Configuring the Routing object (Continued)
2. The Properties for Routing dialog box is displayed.
3. Select whether you want to redirect:
   - This message: each email that triggers the rule. Filter will continue processing the email, then redirect the email to the server you specify (unless further rules are triggered that lead to the email being isolated or discarded).
   - A copy of this message: a copy of each email that triggers the rule. Filter will immediately send a copy of the email to the server you specify, without processing it any further. The original email will be processed as normal.
4. If you redirect a copy of each email that triggers the rule, you now need to select the state of the email:
   - In current state: Filter redirects a copy of the email in the condition it is in at the current stage of processing. For example, if the email has had its HTML content stripped by a preceding rule, the email will be redirected without its HTML content.
   - In original state: Filter redirects the email exactly as it was when it was placed in the In folder. For example, if the email has had its HTML content stripped by a previous rule, the email will be delivered with its HTML content still present.
5. Select the server that you want Filter to redirect emails to. The Smart Host list displays any Smart Hosts that you have configured. To configure a Smart Host see Smart Host Routing on page
6. Click OK.

STRIP ATTACHMENTS OBJECT

Note: If an archive file (for example, a .zip file) contains a file type that triggers the Strip Attachments object, the archive file is stripped from the email.

The Strip Attachments object removes attachments from emails before allowing them to proceed to their destination. You can remove all attachments or just certain formats.

CONFIGURING THE STRIP ATTACHMENTS OBJECT

To include the Strip Attachments object in a rule, follow Procedure 6-35:

Procedure 6-35: Configuring the Strip Attachments object
1. Drag the Strip Attachments object into position in the Rules palette.
2. The Properties for Strip Attachments dialog box is displayed.
3. Select the file types that Filter should remove. You can select groups of file types, such as audio files, or individual file types, such as .mp3 files. To remove all attachments, select Remove all message attachments. To add file types to the list, see Adding File Types on page 212.

Adding File Types

If you have added a file type when configuring the File Attachment object (see File Attachment Object on page 172), the file type will already be included in the Compress Attachments list. To add a file type to the list, follow Procedure 6-36:

Procedure 6-36: Adding a file type to the list
1. In the Properties for Strip Attachments dialog box, click Add.
2. The Add File Extension dialog box is displayed.
3. Enter the file type to add to the list.
   Note: Do not include the period (.) character in the extension.
4. Click OK. The Add File Extension dialog box closes, and the file type is displayed in the list under the File Extensions category. By default, the file type is not selected. Select the check box to include it in the rule.
5. Click OK.

NOTIFY OBJECTS

The Notify objects enable you to send an email notification to a user when a rule has been triggered. There are two kinds of Notify object:

Table 6-34 Notify objects
Notify object | What it does | Find out more
Blind Copy | Copies an email that has triggered a rule to an interested third party, such as the systems administrator. | page 213
Notification | Notifies an interested party that a rule has been triggered, with the details of the rule. | page 215

BLIND COPY OBJECT

The Blind Copy object sends a blind copy of the email that has triggered a rule to the user you specify.

CONFIGURING THE BLIND COPY OBJECT

When you include the Blind Copy object in a rule you need to decide:

- Who you want to blind copy the email to. For example, you might want to blind copy the email to your organization's HR manager.
- Whether you want to replace the subject text. You can replace the subject text of the email so that the user knows that they are receiving a blind copy notification before they open the email. For example, if you were notifying the HR department that a rule had been triggered you could change the subject line to "this breaches the AUP". You can also use variables in the subject line:

Table 6-35 Subject Line Variables
Variable | Description
$B | The subject
$C | The dictionary score
$D | The date that the email was processed
$F | The filename
$N | The name of the triggered rule

Table 6-35 Subject Line Variables (Continued)
Variable | Description
$R | The recipient's name
$S | The sender's name
$T | The time of processing
$V | The name of the virus detected by the Anti-Virus Agent
$Z | The size

For example, the text:
This has triggered $N and was sent by $S
would show the triggered rule and the sender in the subject line.

- Whether you want the blind copy recipient to be able to reply directly to the sender, or to the systems administrator.

To include the Blind Copy object in a rule, follow Procedure 6-37:

Procedure 6-37: Configuring the Blind Copy object
1. Drag the Blind Copy object into position in the Rules palette.

Procedure 6-37: Configuring the Blind Copy object (Continued)
2. The Properties for Blind Copy dialog box is displayed.
3. To blind copy the email to the domain administrator, select the Domain Administrator check box.
4. To blind copy another user, enter their email address in the Add new bcc recipient field, and then click Add.
5. You will see the address displayed in the address area. To remove an address, select it from the list, and then click Remove.
6. To replace the subject text, select Replace Subject Text, and then enter the new text in the field.
7. If you want replies to the blind copy to be delivered to the Domain Administrator, select Return Path to Domain Administrator.
8. Click OK.

NOTIFICATION OBJECT

You can use the Filter Notification object to inform users that a rule has been triggered. For example, you can notify the sender and the recipient of an email, the system administrator and an HR representative.

CONFIGURING THE NOTIFICATION OBJECT

To include the Notification object in a rule, you need to decide:
- Who will be notified, for example, the sender and their line manager.
- The content of the notification email.

As well as free text, you can use the following variables in the subject line and body of the notification email:

Table: Notification object Variables
Variable | Description
$B | The subject
$C | The dictionary score
$D | The date that the email was processed
$F | The filename
$N | The name of the triggered rule
$R | The recipient's name
$S | The sender's name
$T | The time of processing
$V | The name of the virus detected by the Anti-Virus Agent
$Y | Inserts the first 10k of the body of the email.
$Z | The size

- Whether you want to include the email that triggered the rule in the notification email. There are two ways you can do this:
  - Attach the original message.
  - Attach the current message state.

To include the Notification object in a rule, follow Procedure 6-38:

Procedure 6-38: Configuring the Notification object
1. Drag the Notification object into position in the Rules palette.

Procedure 6-38: Configuring the Notification object (Continued)
2. The Properties for Notification dialog box is displayed.
3. Specify who to send the notification to. You can:
   - Enter one or more recipients in the To: text box. Separate multiple addresses by semicolons, and/or
   - Select one or more of the standard options:
     - The message sender
     - The message recipients
     - The domain administrator.
4. Enter the subject of the email. By default the subject is: Autonotify $B. To edit the subject line using text or variables, see Table 6-36 on page
5. To attach the email that triggered the rule, select Include Message as Attachment, and then select either:
   - Attach original message, or
   - Attach current message state.
   Note: Do not attach an email that you suspect is infected with a virus.
6. Click OK.

ACTIONS OBJECTS

The Actions objects determine what action to take if an email meets the conditions of the rule. Without Actions objects, emails pass through Filter to their destination, even if they trigger a rule. There are four Actions objects:

Table 6-37 Actions objects
Actions object | What it does | Find out more
Allow Message | Places the email in the Out folder for delivery. | page 218
Delay Message | Delays the delivery of the email until the time you specify. | page 219
Discard Message | Irrevocably deletes the email. | page 220
Isolate Message | Places the email in the folder you specify so that you can review and analyze it. | page 221

The Rules service works through each of the enabled rules in order. If an email triggers a rule that contains an Action object, no more processing of the rules will take place.

ALLOW OBJECT

If an email triggers a rule that contains an Allow object, no further rules checking takes place on it and the email is moved to the \Out folder ready for delivery into the recipient's mailbox.

The presence of an Allow object within a rule enables you to define the criteria for mail delivery. This can make it easier to implement your Acceptable Use policy by using positive filtering. For example, you could allow all emails from your CEO to pass through SurfControl Filter with the minimum of rules checking, but subject emails from other members of your organization to closer scrutiny.

CONFIGURING THE ALLOW OBJECT

To include the Allow object in a rule, follow Procedure 6-39:

Procedure 6-39: Configuring the Allow object
1. Drag the Allow object into position in the Rules palette.
2. The Properties for Allow Message dialog box is displayed.
3. To create an entry in the logging database when an email is allowed, select Log this Action to Rules Database.
4. Click OK.

DELAY MESSAGE OBJECT

The Delay Message object enables you to delay sending or receiving emails that are likely to place undue load on your network. For example, you could delay the sending of files over a certain size until after work hours.

When you use a Delay Message object in a rule, emails that trigger the rule will be held in the Delay folder until the time you specify. To specify the time that delayed emails will be released, you need to configure the Delay Queue in the Server Configuration dialog. See Queue Management on page 54.

CONFIGURING THE DELAY MESSAGE OBJECT

To include a Delay Message object in a rule, follow Procedure 6-40:

Procedure 6-40: Configuring the Delay Message object
1. Drag the Delay object into position in the Rules palette.
2. The Properties for Delay Message dialog box is displayed.
3. Click OK.

DISCARD MESSAGE OBJECT

The Discard Message object deletes emails. If an email triggers a rule that contains a Discard Message object, it will be irrevocably deleted and no further rules will be applied to it. The Discard Message object is useful for destroying emails and attachments that are found to be virus infected.

If needed, you can log Discard Message activity to the SurfControl Filter database. If your 30-day evaluation period expires, activity logging stops.

CONFIGURING THE DISCARD MESSAGE OBJECT

To include the Discard Message object in a rule, follow Procedure 6-41:

Procedure 6-41: Configuring the Discard Message object
1. Drag the Discard Message object into position in the Rules palette.
2. The Properties for Discard Message dialog box is displayed.
3. If you want to create an entry in the logging database when an email is discarded, select Log this Action to Rules Database.
4. Click OK.

ISOLATE MESSAGE OBJECT

The Isolate Message object places emails that have triggered a rule in a separate folder, so you can review and analyze them. When an email has been isolated, no further rules are applied to it.

CONFIGURING THE ISOLATE MESSAGE OBJECT

Note: If you are upgrading Filter from a previous version, the new queues will not be created.

When you install Filter, the following queues are created by default:
- Anti-Spam Agent - DFP
- Anti-Spam Agent
- Confidential
- Delay
- Dictionaries - Spam
- File Formats
- Isolate
- Network Security
- URL List - Offensive
- URL List - Spam
- Virtual Image Agent
- Virus
- VLA-Spam

You can create other queues to suit your needs. See Adding a Queue on page 55.

When you include the Isolate Message object in a rule, you specify which of the available queues will store emails that trigger that rule. To include the Isolate Message object in a rule, follow Procedure 6-42:

Procedure 6-42: Configuring the Isolate Message object
1. Drag the Isolate Message object into position in the Rules palette.

Procedure 6-42: Configuring the Isolate Message object (Continued)
2. The Properties for Isolate Message dialog box is displayed.
3. Select the Isolate folder you want to use to isolate email that triggers the rule. To add a queue, see Adding a Queue on page
4. Click OK.


Chapter 7
Message Administrator

- In This Chapter
- Launching the Message Administrator
- Configuring Message Administrator
- The Message Administrator Panels
- Working with Queues
- Working with Logs
- Using Queues and Logs with Multiple Servers

IN THIS CHAPTER

You can use the Message Administrator to review, manage and analyze emails that have been placed in queues, and view a record of Filter activity. This chapter explains how to:
- Configure the Message Administrator
- Manage emails
- Analyze emails.

LAUNCHING THE MESSAGE ADMINISTRATOR

To launch the Message Administrator, select Start > All Programs > SurfControl Filter > Message Administrator. The Message Administrator window is displayed.

THE MESSAGE ADMINISTRATOR WINDOW

Figure 7-1 shows a typical Message Administrator window:
- Queues and Logs panel: select which queue or log to view.
- Message List panel: displays the emails or log entries in the queue or log you select from the Queues and Logs panel.
- Message Parts panel: select the email components you want to view.
- Message Contents panel: view the contents of the selected email component.

Figure 7-1 The Message Administrator Window

CONFIGURING MESSAGE ADMINISTRATOR

You can configure the Message Administrator by using the Options dialog box.

LAUNCHING MESSAGE ADMINISTRATOR OPTIONS

To launch the Message Administrator options, select Tools > Options. The Options dialog box is displayed.

GENERAL TAB

Use the General tab to:
- Specify which file SurfControl Filter uses to automatically reply to emails. For example, to tell an email sender that their email has not been delivered.
- Specify whether files are automatically saved and their location.

Figure 7-2 Message Administrator Options General Tab

The General tab contains the following options:
- Auto-Reply File: The location of the auto-reply text file used to generate responses to specific types of emails; the default is the AutoReply.txt file in your SurfControl Filter root directory. You can edit this file or create a new one by using a text editor, for example, Notepad. See Appendix A for more information.
- Automatically save files when selected: Check this box to automatically save files to the identified directory when you press the Save button. If this box is not selected, SurfControl Filter will always prompt you to confirm the save operation.
- Folder to save files: Select the directory where you want to automatically save files.

MESSAGES TAB

The Messages tab controls:
- The number of e-mails displayed at one time in the Message List panel.
- The number of log items displayed at one time in the Message List panel.
- How SurfControl Filter behaves when you perform an action on an e-mail.

Figure 7-3 Message Administrator Options Messages Tab

The Messages tab contains the following options:
- Number of messages to display: Specify how many e-mails are shown in the Message List panel at one time. The Message Administrator limits the maximum number of e-mails displayed to make remote administration over slow modem connections easier. If SurfControl Filter is running on the same machine as the Message Administrator, or you have a fast connection, you can increase this number to 100 or more. For slower connections, set a lower number.
- Number of log records to display: Enter the number of log records to show in the Message List panel when viewing the Rules, SMTP or System logs.
- Confirm when deleting messages: Select this to be prompted to confirm deletion of the selected e-mail.
- Confirm when releasing all messages: Select this to be prompted to confirm release of e-mails from the selected queue when you click either the Release or Release All buttons.
- Notify when new messages arrive: Select this to display a notification pop-up when a new e-mail arrives at the Message Administrator.

FILE TYPES TAB

The File Types tab controls which file types you can open through the Message Administrator:

Figure 7-4 Message Administrator Options File Types Tab

You can view only HTML files within the Message Administrator. To view any other type of file, you need an external viewer installed on your computer. You will be prompted to open non-HTML files using an external viewer. Click Always Open or Never Open to avoid being prompted.

Note: Message Administrator does not control which viewer is used to view files. The viewer is determined by your Windows File Associations.

For each file type, you can select one of the following options:
- Always Prompt: Select this option for the Message Administrator to display a prompt that asks if you want to display the file content for each instance of the file type.
- Always Open: Select this option for the Message Administrator to automatically display the file contents of the file type in the associated viewer.
- Never Open: Select this option for the Message Administrator to never open files of the selected type.

HTML VIEWER TAB

The HTML Viewer tab gives you the option of viewing the active HTML content of e-mails while you are reviewing them in the Message Contents panel. This can represent a security risk, as active HTML content can contain malicious code. SurfControl recommends that all the check boxes are cleared, and that you avoid viewing active HTML content if possible.

Figure 7-5 Message Administrator Options HTML Viewer Tab

COLUMNS TAB

Use the Columns tab to specify which columns are visible when you are viewing queues and logs. Figure 7-6 shows a typical Columns tab:

Figure 7-6 Message Administrator Options Columns Tab

From the Change the columns for: drop-down, select which set of columns is to be changed. The visible columns are shown in the Visible Columns list.

Moving Columns

To move a column, follow Procedure 7-1:

Procedure 7-1: Moving a column
1. Select the column in the Visible Columns list.
2. Click the arrows to move the column up or down in the list.

Inserting Columns

To insert a column, follow Procedure 7-2:

Procedure 7-2: Inserting a column
1. Click Insert to open the Choose a Column... dialog box.
2. Select the column to insert, and then click OK.

Hiding Columns

To hide a column, follow Procedure 7-3:

Procedure 7-3: Hiding a column
1. Select the column in the Visible Columns list.
2. Click Hide.

When you have made your changes, click Apply, and then click OK. The Options dialog box closes and you return to the Message Administrator.

THE MESSAGE ADMINISTRATOR PANELS

This section describes the four panels in the Message Administrator:
- Queues and Logs
- Message List
- Message Parts
- Message Contents.

THE QUEUES AND LOGS PANEL

This panel shows:
- The Delay and Isolate queues.
- Any other queues that you have configured using Server Configuration, and the three logs.

Figure 7-7 Queues and Logs Panel

To the right of each queue is the number of records that it currently contains. Click a queue or log to display its contents in the Message List panel.

THE MESSAGE LIST PANEL

The Message List panel shows all e-mails in a selected queue or log. Figure 7-8 shows a typical example of e-mails in the Isolate queue:

Figure 7-8 Message List Panel Isolate Queue

Figure 7-9 shows a typical example of e-mails in the Rules Log:

Figure 7-9 Message List Panel Rules Log

Arranging Columns

You can show, hide, move or resize columns to show only the information that you need.
- Showing or Hiding Columns. To hide a column, right-click the column heading, and then select Hide. The column is removed from the Message List panel. To show the column, right-click any column heading, select Insert, and then select the column from the list.
- Moving Columns. To move a column, click the column heading and drag the column into position. A blue line indicates where the column will be dropped when you release the mouse button.
- Resizing Columns. To change the width of a column, drag the line between columns.
- Sorting. You can sort your list of e-mails on any of the column headings displayed. Click the column heading once to sort in ascending order; click the column again to sort in descending order.

Figure 7-10 and Figure 7-11 show examples of a list that has been sorted by subject in ascending and then descending order:

Figure 7-10 E-mails sorted by subject in ascending order

Figure 7-11 E-mails sorted by subject in descending order

Sorting a column generates a new search and adds it to the query list. You can then save the query by selecting Save Query from the View menu. The next time you open the queue, you can select the query from the list and the results will be sorted again.

You can combine sorting with queries to give a powerful searching tool. For example, this query shows e-mails isolated on the same day, ordered alphabetically by subject:

Figure 7-12 Sorting a query

Listing isolated e-mails by subject is a good way to keep track of spam, because spammers change their address regularly. To find out more about searching, see Procedure 7-5 on page 235.

Quick Search Using the Shortcut Menu

You can use the shortcut menu to search quickly for e-mails with the same criteria, such as a specific date, rule name, subject, and so on. The text in the shortcut menu corresponds to the heading in the table.

Example: If you select the Rule Name column for an e-mail, the first option in the shortcut list is Show other entries for this rule name.

Example: If you select the Sender column for an e-mail, the first option in the shortcut list is Show other entries for this sender.

Procedure 7-4: Using the Shortcut Menu
1. Right-click the column for an e-mail. The example graphic uses the Loop Detection rule. Select the first option, Show other entries for this rule name.
2. The table is sorted to display only entries that have triggered the Loop Detection rule.
3. You can further search this sorted list using other criteria, such as recipients, subject, date, and so on. Example: Search for e-mails that triggered the Adult rule, and then search these e-mails for a specific sender's address.

Searching for E-mails

To search for e-mails, follow Procedure 7-5:

Procedure 7-5: Searching for e-mails
1. To search queues and logs for an e-mail or e-mails, select View > Find. The Find dialog box is displayed.
2. From the Search field: drop-down list, select the field to be searched. You can search any of the fields within the Message Administrator.
3. In the Find what: text box, enter the words to search for.
4. Select the Match whole word only check box to list only the results that exactly match the text you have entered. Otherwise, the search will find text strings that contain the word you have entered; for example, a search for hotmail.com will match on gareth@hotmail.com, Susie@hotmail.com, dave@hotmail.com, and so on.
5. Click Find to start your search.
6. To save your search criteria, select View > Save Query. Enter a name for the query in the Query name: field in the Search dialog box. If you do not name the query, Filter automatically assigns a name.
7. You cannot re-use a search. When you exit Message Administrator, unsaved search criteria are cleared.
8. To use your search again, select it from the drop-down list. Saved queries are displayed in blue text in the query list; unsaved queries in black. Unsaved queries are lost if you select a different queue or log, or if you close the Message Administrator.
9. To return to the previous query, click.

THE MESSAGE PARTS PANEL

Note: The Message Parts panel is only displayed if you are viewing e-mails stored in a queue. If you are viewing a log, the Message Parts panel is not available.

The Message Parts panel shows the following parts of the e-mail:
- The header
- The body
- Attachments.

Click the part of the e-mail to be displayed:

Figure 7-13 Message Parts Panel

The contents of the selected part of the e-mail are displayed in the Message Contents panel. However, if the Message Administrator cannot display the selected component in the Message Contents panel, you are given the option to view the contents in an external viewer for that file type.

Viewing Decomposed E-mails

When the Document Decomposition object is fully enabled, text, graphics and OLE embedded objects are also shown as parts of the e-mail. Figure 7-14 shows a typical decomposed display:

Figure 7-14 Decomposed E-mail

THE MESSAGE CONTENTS PANEL

Note: If Document Decomposition is enabled, HTML in the body of an e-mail or in an attachment is decomposed into two files: sc_text.txt containing the visible text, and sc_urls.txt containing any URLs. See Configuring Document Decomposition on page 120.

The Message Contents panel displays the contents of the part of the e-mail that you have selected in the Message Parts panel. If available, you can also display attachments. Figure 7-15 and Figure 7-16 show typical displays:

Figure 7-15 Message Contents Panel - Typical Header Display

Figure 7-16 Message Contents Panel - Typical Attachments Display

WORKING WITH QUEUES

When you are viewing a queue in the Message List panel, you can:
- View the details of an e-mail: see Viewing Properties on page 239
- Forward a copy of an e-mail: see Forwarding a Copy of the Selected E-mail on page 241
- Reply to the sender of an e-mail: see Replying to the Sender of an E-mail on page 242
- Submit an e-mail to the Anti-Spam Agent database: see Submitting an E-mail to the Anti-Spam Agent Database on page 243
- Analyze an e-mail to understand why it triggered dictionary rules: see Analyzing E-mails on page 240
- Release individual or multiple e-mails: see Releasing E-mails on page 243
- Move e-mails to a different queue: see Moving E-mails on page 244
- Save a copy of e-mails: see Saving Copies of E-mails on page 244
- Delete e-mails: see Deleting E-mails on page 244
- Release all e-mails from a queue: see Releasing All E-mails From a Queue on page 245
- Work with queues on multiple servers: see Working with Queues on Multiple Servers on page 245

THE MESSAGE ADMINISTRATOR TOOLBAR

The Message Administrator toolbar is only available when viewing the contents of single or multiple e-mails in the Message List panel. Some buttons are available for single selections only.

Figure 7-17 The Message Toolbar

Table 7-1 describes the toolbar buttons:

Table 7-1 Message Toolbar Buttons
- Show information about the selected e-mail, including details of recipients and file size. Single selections only.
- Analyze the contents of the selected e-mail using one or more of the SurfControl dictionaries. Single selections only.
- Forward a copy of the selected e-mail to any address. This does not delete the e-mail. Single selections only.
- Reply to the sender. Single selections only.

Table 7-1 Message Toolbar Buttons (Continued)
- Submit the selected e-mail to SurfControl for inclusion in the Anti-Spam Agent database. Single selections only.
- Release the selected e-mail(s) for delivery.
- Move the selected e-mail(s) from the current folder to an alternative folder. For example, move one or more e-mails from the Delay queue to the Isolate queue.
- Save the selected e-mail(s).
- Delete the selected e-mail(s).
- Release all e-mails from the selected queue to their destination.
- Delete all e-mails from the selected queue.

VIEWING PROPERTIES

You can display detailed information about an e-mail, including the name of the rule triggered by the e-mail, the time and date that the SurfControl Filter engine processed the rule, and the Dictionary score for the e-mail if it triggered a Dictionary Threshold rule.

Procedure 7-6: Viewing e-mail details
1. Select the e-mail from the list.
2. Click. Detailed information about the e-mail is displayed in the Properties dialog box.
3. To perform a detailed dictionary analysis on the e-mail, click Analyze. See Analyzing E-mails on page 240 for details.
4. Click OK.

ANALYZING E-MAILS

When you analyze an e-mail, you can view each word that has triggered the dictionary rule, how often it occurs and its score:

Procedure 7-7: Viewing Analyze Results
1. Select the e-mail from the list.
2. Click. The Analyze File dialog box is displayed. You can filter the results further by selecting from the drop-down lists:
   - Dictionary
   - Message Part
   - Scoring.
3. Select the dictionary that you want to use to analyze the e-mail. The list displays statistics for:
   - The words from the e-mail that appear in the selected dictionary.
   - The part of the e-mail in which the words occur.
   - The value assigned to each word.
   - The number of these words found.
   - The individual word scores.
   - The total word score.
4. From the Message Part drop-down list, you can select which parts of the e-mail to scan:
   - The entire e-mail
   - The header
   - The body
   - The attachments.
5. From the Scanning drop-down list, select either:
   - Threshold Total: Displays the dictionary scoring words from only the highest scoring part of a multi-part alternative e-mail with more than one Message Body. Whichever part of the e-mail scores highest for the selected dictionary determines the part from which the words are displayed.
   - Grand Total: Displays the dictionary scoring words from all selected parts of an e-mail. In the case of a multi-part alternative e-mail with more than one Message Body, identical dictionary scoring words from alternative parts will have a cumulative effect on the final score for the selected dictionary.
6. Click OK to return to the Message Administrator.

FORWARDING A COPY OF THE SELECTED E-MAIL

You can forward an e-mail from a queue. For example, you might want to forward a copy of the e-mail that has been isolated for inappropriate content to the sender's manager or the HR department. The e-mail is forwarded as an attachment.

To forward a copy of an e-mail, follow Procedure 7-8:

Procedure 7-8: Forwarding e-mails
1. Select the e-mail in the list.
2. Click. The Forward dialog box is displayed.
3. In the To: field, enter the addresses that you want the e-mail forwarded to.
4. Specify who you want to receive copies of the e-mail. Select any or all of the following:
   - Message Sender
   - Message Recipients
   - Systems Administrator
5. By default, the subject of the forwarded e-mail is displayed in the Subject: text field, but you can change it.
6. You can type a message in the Body: text field. For example, This e-mail has been isolated because it contains material that could be deemed inappropriate.
7. Click Send.

The e-mail is sent with annotation that identifies it as being from your Mail Administrator's mailbox. The original e-mail remains in its current queue.

REPLYING TO THE SENDER OF AN E-MAIL

To reply to the sender of an e-mail, follow Procedure 7-9:

Procedure 7-9: Replying to the sender of an e-mail
1. Select the e-mail in the list.
2. Click. The Reply to Sender dialog box is displayed.
3. To send a copy of the reply to another person, enter their address in the BCC field.
4. To send a copy of the reply to the Systems Administrator, select the BCC Admin check box.
5. For the e-mail, you can either:
   - Select from a range of standard auto-reply messages in the Auto-Reply message format: drop-down list.
   - Select Clear from the Auto-Reply message format: drop-down list, and then enter your own message in the text box.
6. Click Send.

The e-mail is sent with annotation that identifies it as being from your Mail Administrator's mailbox. The original e-mail remains in its current queue.

SUBMITTING AN E-MAIL TO THE ANTI-SPAM AGENT DATABASE

To submit an e-mail to the Anti-Spam Agent database, follow Procedure 7-10:

Procedure 7-10: Submitting an e-mail to the Anti-Spam Agent database
1. Select the e-mail in the list.
2. Click. The Submit to Anti-Spam Agent dialog box is displayed.
3. The address and subject are entered automatically by Filter. You can change the Subject: field.
4. Click OK.

The e-mail is sent to SurfControl, who will assess it for addition to the Anti-Spam Agent categories. The original e-mail remains in its current queue.

RELEASING E-MAILS

To release one or more e-mails, follow Procedure 7-11:

Procedure 7-11: Releasing e-mails
1. Select one or more e-mails in the list.
2. Click.
3. The e-mail is moved to the Send queue. If you have selected the option Confirm when releasing all messages in the Message Administrator options, a confirmation pop-up is displayed.

MOVING E-MAILS

To move one or more e-mails, follow Procedure 7-12:

Procedure 7-12: Moving e-mails to a different queue
1. Select one or more e-mails in the list.
2. Click. The Move to Queue... dialog box is displayed.
3. Select the queue to move the e-mail into.

You can also drag an e-mail into a queue in the Queues and Logs panel.

SAVING COPIES OF E-MAILS

To save a copy of one or more e-mails, follow Procedure 7-13:

Procedure 7-13: Saving a copy of an e-mail
1. Select either the e-mail in the list, or the individual part in the Message Parts panel.
2. Click to open the Save As dialog box.
3. Select the file name and location for the e-mail, and then click Save.

DELETING E-MAILS

To delete one or more e-mails, follow Procedure 7-14:

Procedure 7-14: Deleting an e-mail
1. Select the e-mail in the list.
2. Click.
3. If you have selected the option Confirm when deleting messages in the Message Administrator options, a confirmation message is displayed.

RELEASING ALL E-MAILS FROM A QUEUE

To release all e-mails from a queue, follow Procedure 7-15:

Procedure 7-15: Releasing all e-mails from a queue
1. Select the queue in the Queues and Logs panel.
2. Click.
3. If you have selected the option Confirm when releasing all messages in the Message Administrator options, a confirmation message is displayed.

All e-mails from the selected queue are passed to the Send service for delivery.

WORKING WITH QUEUES ON MULTIPLE SERVERS

If you have SurfControl Filter installed on more than one server, but sharing an SQL database, the features of Message Administrator are available from any server. For example, an e-mail in the Isolate folder on Server A could be released using Message Administrator on Server B. However, you cannot use Message Administrator to move e-mails from one server to another.

To use Message Administrator on multiple servers, Filter must be configured as follows:
- All Filter servers must share the same domain.
- The Administration Server services on each machine must be logged on using a domain account with network privileges. An account on the local machine, or within a workgroup, is not sufficient.
- If the server is logging to a remote SQL Server using Windows Authentication, then all the services need to be logged on using this Domain account, and the account must have sufficient database access privileges as well. (You can use SQL Authentication for this.)

For more information about configuration options, see the SurfControl Filter Installation Guide.

WORKING WITH LOGS

You can view the following logs:
- The Rules Log: Contains details of all e-mails that have triggered rules, the rule triggered, the location of the e-mail, the sender and recipients, and the time and date that the e-mail was received by SurfControl Filter.
- The Traffic Log: Contains details of every e-mail received by Filter, the sender host IP and HostName, and the time and date that the e-mail was received by SurfControl Filter.
- The System Log: Contains status information for SurfControl Filter services.

To display the properties of an individual log record, double-click the record in the Message List panel.

USING QUEUES AND LOGS WITH MULTIPLE SERVERS

If you are using more than one Receive service, for example, in a large organization with more than one mail server, it is possible that two different .msg files could be given the same name. To distinguish between servers, you can display the server name for each e-mail.

Procedure 7-16: Displaying the Server Name in the Queue or Log
1. Click any log.
2. In the Message List panel, right-click any column heading.
3. Select Insert to display the Choose a Column dialog.
4. Select Server Name, and then click OK.

An extra column is displayed on the list panel. This shows the server that each e-mail belongs to.

Chapter 8 Dictionary Management

- In This Chapter
- Launching Dictionary Management
- The Dictionary Management Window
- Adding a Dictionary
- Adding Words or Phrases to a Dictionary
- Editing Dictionary Words
- Deleting Words From A Dictionary
- Deleting a Dictionary
- Importing Dictionaries
- Exporting Dictionaries

IN THIS CHAPTER

This chapter explains how to configure the dictionaries used by such tools as the Dictionary Threshold object and the LexiMatch object. By adding dictionaries and words, and by amending the score of words in the pre-configured dictionaries, you can optimize filtering results.

LAUNCHING DICTIONARY MANAGEMENT

To launch Dictionary Management, select Start > All Programs > SurfControl Filter > Utilities > Dictionary Management. The Dictionary Management window is displayed.

THE DICTIONARY MANAGEMENT WINDOW

Figure 8-1 shows a typical Dictionary Management window:
- Navigation Panel: The SurfControl preconfigured dictionaries are listed here. If you add a dictionary, it is displayed under Custom Dictionaries. Click a dictionary to display the words it contains and their scores.
- Display Panel: Initially, the number of words in the dictionaries is displayed. When you click a dictionary in the left-hand panel, the words that it contains and their scores are displayed in the right-hand panel.

Figure 8-1 The Dictionary Management Window

ADDING A DICTIONARY

To add a dictionary, follow Procedure 8-1:

Procedure 8-1: Adding a Dictionary
1. Click. The Add/Edit Dictionary dialog box is displayed.
2. Enter a name and a description for the dictionary.
3. If needed, you can add a warning message that is displayed when the dictionary is opened. For example, This dictionary contains bad jokes. Select Display this message when dictionary launches.
4. Click OK. The new dictionary is displayed under Custom Dictionaries. You can now also select the dictionary when using the dictionary-based rules objects, for example, the LexiMatch object.
5. Click to save your changes.

ADDING WORDS OR PHRASES TO A DICTIONARY

Note: To use the Confidential dictionary in rules, you need to add the words and phrases that signify confidential content in your organization.

You can add words or phrases to a dictionary and give them a score. You can also use number pattern recognition, wildcards and/or binary sequences to make dictionary scanning tools more powerful.

Using Number Pattern Recognition

You can add any pattern of numbers to a dictionary by using the # character to signify a single number. For example #### #### #### #### would find the credit card number , but not the string abcd 1234 defg

Using number pattern recognition can prevent users from transmitting potentially sensitive data, such as credit card details, account numbers or patient file numbers.

Using Wildcards

You can use wildcards to make the SurfControl Filter dictionary scanner more extensive. With no wildcards, a word is assumed complete and separated by white space or punctuation marks. With wildcards, you can scan parts of words. You can use the following wildcard characters:

Note: You cannot place one wildcard character immediately next to another.

Table 8-1 Wildcards

Wildcard   Description and example
*          One or more characters at the beginning or end of a word or phrase. Example: sex* finds sexy or sexily, but not Essex.
?          A single character in a word or phrase. Example: jo?n would match john and joan, but not johann.
^          One or more white-space characters.
!          A single white-space or punctuation character.
\          An escape character.

Using Binary Sequences

You can also search for binary sequences. Use this ability to identify specific binary file sequences expressed as hexadecimal sequences. To enter a binary sequence, enter `~ followed by an even number of hexadecimal characters that represent the search sequence. For example `~ is the Binary representation of abcd

A rule to detect this binary sequence would trigger if an e-mail contained the following strings: abcd abcdxxxabcdxxx

The phrase ABCD would not trigger the rule because the binary code distinguishes between upper and lower case letters.
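The following added example (not SurfControl code) approximates the entry syntax described above so that candidate dictionary entries can be tried against sample text before they are added. It assumes that text entries match case-insensitively, that * and ? stand for word characters, and that `~61626364 (the ASCII codes of abcd) is a valid binary entry; all function names and sample strings are constructed for illustration.

```python
import re
import string

# "!" in Table 8-1: a single white-space or punctuation character.
_PUNCT_OR_SPACE = r"[\s" + re.escape(string.punctuation) + "]"

# Wildcards from Table 8-1 mapped to regex fragments (assumed semantics).
_WILDCARDS = {
    "*": r"\w+",            # one or more characters
    "?": r"\w",             # a single character
    "^": r"\s+",            # one or more white-space characters
    "!": _PUNCT_OR_SPACE,
}


def compile_text_entry(entry):
    """Translate a word/phrase entry into a compiled regex.

    Raises ValueError for two adjacent wildcards or a trailing escape.
    """
    parts = []
    prev_wild = False
    i = 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\":                      # escape: next character is literal
            if i + 1 == len(entry):
                raise ValueError("escape character at end of entry")
            parts.append(re.escape(entry[i + 1]))
            prev_wild = False
            i += 2
            continue
        if ch in _WILDCARDS:
            if prev_wild:
                raise ValueError("wildcards may not be adjacent")
            parts.append(_WILDCARDS[ch])
            prev_wild = True
        elif ch == "#":                     # number pattern: one digit
            parts.append(r"\d")
            prev_wild = False
        else:
            parts.append(re.escape(ch))
            prev_wild = False
        i += 1
    # Without wildcards a word is "complete": bounded by non-word characters.
    body = "".join(parts)
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)


def compile_binary_entry(entry):
    """Translate a `~<hex> entry into the byte sequence it searches for."""
    if not entry.startswith("`~"):
        raise ValueError("binary entries start with `~")
    hex_part = entry[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_part) or len(hex_part) % 2:
        raise ValueError("need an even number of hexadecimal characters")
    return bytes.fromhex(hex_part)


def entry_matches(entry, message):
    """Return True if the dictionary entry would hit the message bytes."""
    if entry.startswith("`~"):
        # Binary search is byte-exact, so it is case-sensitive.
        return compile_binary_entry(entry) in message
    text = message.decode("utf-8", errors="replace")
    return compile_text_entry(entry).search(text) is not None


if __name__ == "__main__":
    # Constructed samples; 4111 1111 1111 1111 is a made-up card-like number.
    samples = [
        ("#### #### #### ####", b"card 4111 1111 1111 1111 exp 01/30"),
        ("#### #### #### ####", b"abcd 1234 defg 5678"),
        ("sex*", b"Essex county"),
        ("jo?n", b"from joan"),
        ("`~61626364", b"xxxabcdxxx"),
        ("`~61626364", b"ABCD"),
    ]
    for entry, msg in samples:
        print(f"{entry!r:24} {msg!r:40} -> {entry_matches(entry, msg)}")
```
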

To add words or phrases to a dictionary, follow Procedure 8-2:

Procedure 8-2: Adding Words or Phrases to a Dictionary
1. Click the dictionary in the left-hand panel. The list of existing words and scores in the dictionary is displayed in the right-hand panel.
2. Click. The Add/Edit Phrase dialog box is displayed.
3. Enter the word or phrase to be included in the dictionary.
4. Enter a value between 0 and 100 for the word or phrase. The higher the score, the fewer instances of the word or phrase need to appear in an e-mail to trigger a Dictionary Threshold rule.
5. Click OK. The word or phrase is added to the list of words in the dictionary.
6. Click to save your changes.

EDITING DICTIONARY WORDS

To change a dictionary word or its score, follow Procedure 8-3:

Procedure 8-3: Editing Dictionary Words
1. Click the dictionary in the left-hand panel. The list of words in the dictionary and their scores is displayed in the right-hand panel.
2. Double-click a word or score, and then change the details.
3. Click to save your changes.

DELETING WORDS FROM A DICTIONARY

To delete words from a dictionary, follow Procedure 8-4. If you delete words used by objects in an enabled rule, the rule will be ineffective and the e-mail will ignore it and move on to the next processing step.

Procedure 8-4: Deleting Words from a Dictionary
1. Click the dictionary in the left-hand panel. The list of words in the dictionary and their scores is displayed in the right-hand panel.
2. Select one or more words to delete. You can select multiple words by using Shift or Ctrl.
3. Click.
4. The selected words are removed from the dictionary.
5. Click to save your changes.

DELETING A DICTIONARY

You can delete any of the dictionaries. If you delete a dictionary, rules that use threshold scores from that dictionary or LexiMatch object will not be effective. If you delete a dictionary by mistake, you can restore it by importing the SurfControl dictionary pack. See Importing a SurfControl Dictionary Pack on page 255.

Procedure 8-5: Deleting a Dictionary
1. Click the dictionary in the left-hand panel. The list of words in the dictionary and their scores is displayed in the right-hand panel.
2. Click.
3. A confirmation message is displayed. Click Yes to delete the dictionary.
4. Click to save your changes.

IMPORTING DICTIONARIES

There are two ways to import dictionaries into Filter:
- Import a SurfControl dictionary pack.
- Import a Unicode text file.

Note: You can import a Unicode text file to create a new dictionary or overwrite the contents of an existing dictionary.

IMPORTING A SURFCONTROL DICTIONARY PACK

By default, the product installs the English language dictionaries. You can add other language dictionaries using the Import-Export utility. SurfControl Filter 5.1 provides language dictionaries for the following languages:
- Dutch
- French
- German
- Italian
- Japanese
- Korean
- Portuguese
- Russian
- Spanish
- Traditional Chinese
- Simplified Chinese.

To import a SurfControl dictionary pack, follow Procedure 8-6:

Procedure 8-6: Importing a SurfControl Dictionary Pack
1. From the Dictionary Management window, select File > Import/Export dictionary pack. The Import/Export Utility wizard opens. Click Next.

2. The Select Source and Target dialog box is displayed.
3. Select Import from file. Enter or browse to the location of the dictionary file to import. By default, the SurfControl dictionaries are in the folder SurfControl Filter\Language Packs
4. The file is displayed in the File name: text box.
5. Click Next.
6. The Select Dictionaries dialog box is displayed. Select the dictionaries to be imported, or click Select All. By default, the Import/Export wizard will import only those dictionary words which you have not changed. To import the entire dictionary and overwrite your changes, select Import all words and overwrite any modifications.
7. Click Next.
8. A summary screen is displayed, which lists your selections. Click Finish to import the dictionaries, or Back to change your settings.

IMPORTING A UNICODE TEXT FILE

Importing a Unicode text file is an easy way to add a large number of words or phrases to an existing custom dictionary, or create a new one.

Note: To create a new custom dictionary, see Adding a Dictionary on page 249.

To import a Unicode text file, follow Procedure 8-7:

Procedure 8-7: Importing a Unicode Text File
1. Open a text editor, such as Notepad.
2. Enter the words and scores in a list. The format must be:
   Word or Phrase[tab space]score
   Examples:
   Football 30
   Baseball 40
3. Save the file as file type Unicode. Note: If the file is not saved as Unicode, the dictionary cannot be imported.
4. Launch the Dictionary Management window.
   - Overwriting an existing dictionary: make sure that you have selected the correct dictionary in the left-hand panel.
   - Creating a new dictionary: select either SurfControl Dictionaries or Custom Dictionaries in the left-hand panel.
   Select File > Import Unicode TXT file.
5. Select the file to import.

Procedure 8-7: Importing a Unicode Text File (Continued)

6. The Import Dictionary dialog box is displayed.
   - New: Creates a new dictionary under Custom Dictionaries in the left-hand panel.
   - Overwrite: Overwrites the contents of the existing dictionary that you have selected in the left-hand panel.
7. To import the Unicode file as a new dictionary, click New. You will be asked to give your new dictionary a name and description. Click OK. Your new dictionary is displayed in the Dictionary Management window.
8. To overwrite the dictionary that is currently selected, click Overwrite. The selected dictionary is replaced by the new dictionary.
9. If your file cannot be imported successfully, an error message is displayed. Check the format of the entries in the file (see step 2), and check that the file is saved as Unicode.

EXPORTING DICTIONARIES

Exporting dictionaries is useful if you have multiple installations of Filter: you can edit one or more dictionaries and export them from one installation, and then import them into the other installations, so you only have to edit once.

There are two ways of exporting dictionaries:
- As a SurfControl dictionary pack (an XML file)
- As a Unicode file. You can only export one dictionary at a time to a Unicode file.

EXPORTING A DICTIONARY AS A DICTIONARY PACK

To export a dictionary as a dictionary pack, follow Procedure 8-8:

Procedure 8-8: Exporting a SurfControl Dictionary Pack

1. From the Dictionary Management window, select File > Import/Export dictionary pack. The Import/Export Utility wizard opens. Click Next.
2. The Select Source and Target dialog box is displayed.
3. Select Export to file. Enter or browse to the location of the dictionary file to export into. By default, the SurfControl dictionaries are in the folder SurfControl Filter\Language Packs
4. The file is displayed in the File name: text box.
5. Click Next.
6. The Select Dictionaries dialog box is displayed. Select the dictionaries to be exported, or click Select All.
7. Click Next.

Procedure 8-8: Exporting a SurfControl Dictionary Pack (Continued)

8. A summary screen is displayed, which lists your selections. Click Finish to export the dictionaries, or Back to change your settings.

EXPORTING A DICTIONARY AS A UNICODE FILE

To export a dictionary as a Unicode file, follow Procedure 8-9:

Procedure 8-9: Exporting a Dictionary as a Unicode File

1. Launch the Dictionary Management window. Select a dictionary in the left-hand panel, and then select File > Export Unicode TXT file
2. Save the file as a Unicode file type. Either use the default file name, or enter a different file name.
3. A confirmation message is displayed telling you that the file has been exported successfully.
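A pre-import check for the word list that Procedure 8-7 describes (phrase, tab, score, saved as Unicode), added here as an example; it is not part of the SurfControl product or of the original guide. It assumes that "Unicode" means what Notepad writes under that name (UTF-16 little-endian with a byte-order mark) and that scores are whole numbers; the function names are hypothetical.

```python
import codecs
import os
import re
import tempfile

# Assumption: a score is a whole number (the guide shows only 30 and 40).
SCORE_RE = re.compile(r"-?[0-9]+")


def write_dictionary_file(entries, path):
    """Write (phrase, score) pairs as phrase<TAB>score lines, UTF-16 LE with BOM."""
    lines = []
    for phrase, score in entries:
        if re.search(r"[\t\r\n]", phrase):
            raise ValueError("phrase contains a tab or line break: %r" % phrase)
        lines.append("%s\t%d\r\n" % (phrase, score))
    with open(path, "wb") as fh:
        fh.write(codecs.BOM_UTF16_LE + "".join(lines).encode("utf-16-le"))


def _decode(raw):
    """Return (text, problem); text is None when the encoding is unusable."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        try:
            return raw[2:].decode("utf-16-le"), None
        except UnicodeDecodeError as exc:
            return None, "invalid UTF-16 data: %s" % exc
    if raw.startswith(codecs.BOM_UTF16_BE):
        return None, "big-endian UTF-16: re-save as Unicode (little-endian)"
    if raw.startswith(codecs.BOM_UTF8):
        return None, "file is UTF-8, not saved as Unicode"
    return None, "no UTF-16 byte-order mark: file was not saved as Unicode"


def validate_dictionary_file(path):
    """Return (entries, problems) for a word list intended for import.

    entries  -- list of (phrase, score) tuples that passed every check
    problems -- list of human-readable messages, one per rejected line
    """
    with open(path, "rb") as fh:
        text, problem = _decode(fh.read())
    if text is None:
        return [], [problem]

    entries, problems, seen = [], [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no entry
        fields = line.split("\t")
        if len(fields) != 2:
            # Most common mistake: the score was separated with spaces.
            spaced = len(fields) == 1 and re.search(r"\s-?[0-9]+\s*$", line)
            hint = " (spaces used instead of a tab?)" if spaced else ""
            problems.append("line %d: expected phrase<TAB>score%s" % (number, hint))
            continue
        phrase, score = fields[0].strip(), fields[1].strip()
        if not phrase:
            problems.append("line %d: empty word or phrase" % number)
            continue
        if not SCORE_RE.fullmatch(score):
            problems.append("line %d: score %r is not a whole number" % (number, score))
            continue
        key = phrase.casefold()
        if key in seen:
            # Flagged for review: the same phrase listed twice, possibly
            # with conflicting scores.
            problems.append("line %d: %r repeats line %d" % (number, phrase, seen[key]))
            continue
        seen[key] = number
        entries.append((phrase, int(score)))
    return entries, problems


if __name__ == "__main__":
    # Constructed sample input: one good line, one space-separated line,
    # one non-numeric score.
    sample = "Football\t30\r\nBaseball 40\r\nHockey\tten\r\n"
    path = os.path.join(tempfile.mkdtemp(), "sample.txt")
    with open(path, "wb") as fh:
        fh.write(codecs.BOM_UTF16_LE + sample.encode("utf-16-le"))
    good, bad = validate_dictionary_file(path)
    print("importable entries:", good)
    for message in bad:
        print("problem:", message)
```

Running the check on a list before import, for example one exported with Procedure 8-9 and then edited by hand, points at the offending line instead of leaving only the import error message described in step 9.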

Chapter 9 Scheduler

In This Chapter
Launching the Scheduler
Scheduler Window
Scheduled Events
Scheduling Anti-Virus Agent Updates
Scheduling Anti-Spam Agent Updates
Scheduling Internet Threat Database Updates
Scheduling Queue Synchronization
Scheduling Database Management Tasks
Purging the Database
Archiving the Database
Shrinking the Database

IN THIS CHAPTER

This chapter explains how to use the Scheduler for easy and effective management of SurfControl Filter. You can use the Scheduler to:
- Update tools that use SurfControl Content, such as the Anti-Virus Agent, ensuring that Filter is armed with the most up-to-date information about new kinds of spam and other threats.
- Automatically manage queues to avoid congestion and keep your system running efficiently.
- Manage the logging and configuration database.

LAUNCHING THE SCHEDULER

To launch the Scheduler, select Start > All Programs > SurfControl Filter > Scheduler. The Scheduler window is displayed.

SCHEDULER WINDOW

Figure 9-1 shows a typical Scheduler window:

[Figure 9-1 The Scheduler Window. Callouts: Use the buttons to create and configure scheduled tasks. The list displays scheduled tasks.]

SCHEDULED EVENTS

You can use the Scheduler to schedule the following events:

Table 9-1 Scheduled Events
Event | What it does | Find out more
Anti-Virus Agent Update | Download the latest Anti-Virus Agent files. | page 264
Anti-Spam Agent Update | Download the latest Anti-Spam Agent files. | page 266
Internet Threat Database Update | Download the latest Internet Threat Database files. | page 270
Queue Synchronization | Synchronizes the database with the actual status of the server. | page 272
Database Management | Purge, archive or shrink the logging database. | page 276

During installation, SurfControl Filter automatically sets up the following scheduled events:

Table 9-2 Default Scheduled Events
Default Event | Time
Anti-Virus Agent update | Daily every hour, seven days a week.
Anti-Spam Agent update | Daily every two hours, seven days a week.
Internet Threat Database update | Daily every 12 hours, seven days a week.
Queue synchronization | Weekly on Monday at 02:00.
Purge database | Weekly on Monday at 07:00. Purge data older than 30 days.
Shrink database | Weekly on Monday, one hour after purge.

SCHEDULING ANTI-VIRUS AGENT UPDATES

SurfControl constantly updates the Anti-Virus Agent files to ensure that you have access to the latest protection against viruses. You should regularly update your Anti-Virus Agent to keep your system up-to-date with the latest protection.

Procedure 9-1: Scheduling Anti-Virus Agent Updates

1. In the Scheduler window, click Add Item...
2. The Scheduler Item Configuration dialog box is displayed.
3. Select Anti-Virus Agent Update from the drop-down list.

Procedure 9-1: Scheduling Anti-Virus Agent Updates (Continued)

4. Select the frequency of the update:
   Daily: You can set either:
   - A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or
   - A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes.
   Weekly: You can set a specific day, and the hour and minute on that day.
   Monthly: You can set either:
   - A specific date in every month and the hour and minute on that date, or
   - Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute.
   Yearly: You can set either:
   - A specific date in a specific month and the hour and minute on that date, or
   - Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute.
5. Enter a description in the Description field. This helps you to recognize this event in the Scheduler window.
6. Click Configure.

Procedure 9-1: Scheduling Anti-Virus Agent Updates (Continued)

7. The Product Registration dialog box is displayed. You must register for Anti-Virus Agent updates. The fields are populated if you filled in the registration details when you installed Filter. However, you can change your details if needed. If the fields are blank, enter your details. Click OK to return to the Scheduler Item Configuration dialog box.
8. Click OK. The update event is listed in the Scheduler window.

SCHEDULING ANTI-SPAM AGENT UPDATES

SurfControl constantly updates the Anti-Spam Agent files to ensure that you have access to the latest protection against spam. You should regularly update your Anti-Spam Agent to keep your system up-to-date with the latest protection.

Procedure 9-2: Scheduling Anti-Spam Agent Updates

1. In the Scheduler window, click Add Item...

Procedure 9-2: Scheduling Anti-Spam Agent Updates (Continued)

2. The Scheduler Item Configuration dialog box is displayed.
3. Select Anti-Spam Agent Update from the drop-down list.

Procedure 9-2: Scheduling Anti-Spam Agent Updates (Continued)

4. Select the frequency of the update:
   Daily: You can set either:
   - A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or
   - A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes.
   Weekly: You can set a specific day, and the hour and minute on that day.
   Monthly: You can set either:
   - A specific date in every month and the hour and minute on that date, or
   - Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute.
   Yearly: You can set either:
   - A specific date in a specific month and the hour and minute on that date, or
   - Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute.
5. Enter a description in the Description field. This helps you to recognize this event in the Scheduler window.
6. Click Configure.

Procedure 9-2: Scheduling Anti-Spam Agent Updates (Continued)

7. The Product Registration dialog box is displayed. You must register for Anti-Spam Agent updates. The fields are populated if you filled in the registration details when you installed Filter. However, you can change your details if needed. If the fields are blank, enter your details. Click OK to return to the Scheduler Item Configuration dialog box.
8. Click OK. The update event is listed in the Scheduler window.

SCHEDULING INTERNET THREAT DATABASE UPDATES

SurfControl constantly updates the Internet Threat Database files to ensure that you have access to the latest protection against Internet threats, such as e-mails that contain links for inappropriate Web sites. You should regularly update your Internet Threat Database to keep your system up-to-date with the latest protection.

Procedure 9-3: Scheduling Internet Threat Database Updates

1. In the Scheduler window, click Add Item.
2. The Scheduler Item Configuration dialog box is displayed.
3. Select Internet Threat Database Update from the drop-down list.

Procedure 9-3: Scheduling Internet Threat Database Updates

4. Select the frequency of the update:
   Daily: You can set either:
   - A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or
   - A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes.
   Weekly: You can set a specific day, and the hour and minute on that day.
   Monthly: You can set either:
   - A specific date in every month and the hour and minute on that date, or
   - Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute.
   Yearly: You can set either:
   - A specific date in a specific month and the hour and minute on that date, or
   - Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute.
5. Enter a description in the Description field. This helps you to recognize this event in the Scheduler window.
6. Click Configure.

Procedure 9-3: Scheduling Internet Threat Database Updates

7. The Product Registration dialog box is displayed.
8. You must register for Internet Threat Database updates. The fields are populated if you filled in the registration details when you installed Filter. However, you can change your details if needed. If the fields are blank, enter your details.
9. Click OK to return to the Scheduler Item Configuration dialog box.
10. Click OK. The update event is listed in the Scheduler window.

SCHEDULING QUEUE SYNCHRONIZATION

Note: You should schedule this event at a time when there is little or no traffic on the network.

The contents of the queues can sometimes be different from the e-mails listed in the STEMLog database, for example if you delete e-mails directly from the Queue folders. The Queue Synchronization event synchronizes the two. This improves the performance of the Message Administrator and supports the use of multiple servers. It also maintains the integrity between database and e-mail files so that they are unlikely to be lost. However, queue synchronization can also retrieve lost e-mails.

Manage your queued e-mails to avoid large numbers of delayed or isolated e-mails; this reduces the time taken for queue synchronization to complete.

To schedule a Queue Synchronization event, follow Procedure 9-4:

Procedure 9-4: Scheduling a Queue Synchronization Event

1. In the Scheduler window, click Add Item.
2. The Scheduler Item Configuration dialog box is displayed.
3. Select Queue Synchronization from the drop-down list.

Procedure 9-4: Scheduling a Queue Synchronization Event (Continued)

4. Select the frequency of the synchronization:
   Daily: You can set either:
   - A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or
   - A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes.
   Weekly: You can set a specific day, and the hour and minute on that day.
   Monthly: You can set either:
   - A specific date in every month and the hour and minute on that date, or
   - Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute.
   Yearly: You can set either:
   - A specific date in a specific month and the hour and minute on that date, or
   - Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute.
5. Enter a description in the Description field. This helps you to recognize this event in the Scheduler window.
6. Click Configure...
7. The Queue Synchronization dialog box is displayed. By default, all queues are synchronized. To exclude one or more queues from the synchronization, click Add.

Procedure 9-4: Scheduling a Queue Synchronization Event (Continued)

8. The Add Queue dialog box is displayed.
9. Select the queue you do not want to be synchronized, and then click OK.
   Note: You can only select one queue at a time.
10. Repeat steps 7, 8 and 9 for all the queues that you do not want to synchronize.
11. The excluded queues are shown in the Exclude selected queues: list.
12. Set the maximum number of e-mails to be synchronized. Default =
13. Click OK to return to the Scheduler Item Configuration dialog box.
14. Click OK. The Queue Synchronization event is listed in the Scheduler window.

SCHEDULING DATABASE MANAGEMENT TASKS

Note: SurfControl Filter services stop when database management tasks are running. Therefore, you should schedule these tasks at times of low traffic so that they have minimal impact on your system.

SurfControl Filter continually records a log of all traffic in your system and stores the data in a database. As the size of this database increases very quickly, you should schedule the Database Management event to perform regular management tasks. There are three database management tasks that you can automate using the Scheduler:

Table 9-3 Database Management Tasks
Task | Description
Purge Database | Deletes selected data from the database.
Archive Database | Copies or moves selected data from the database to a specified file.
Shrink | Reduces the size of the database by removing redundant space, but does not delete any data from the database.

PURGING THE DATABASE

The data that you delete from the database will not be available for reports. To delete data from the logging database, follow Procedure 9-5:

Procedure 9-5: Purging the Database

1. In the Scheduler window, click Add Item.

Procedure 9-5: Purging the Database (Continued)

2. The Scheduler Item Configuration dialog box is displayed.
3. Select Database Management from the drop-down list.
4. Select the frequency of the task:
   Daily: You can set either:
   - A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or
   - A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes.
   Weekly: You can set a specific day, and the hour and minute on that day.
   Monthly: You can set either:
   - A specific date in every month and the hour and minute on that date, or
   - Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute.
   Yearly: You can set either:
   - A specific date in a specific month and the hour and minute on that date, or
   - Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute.
5. Enter a description in the Description field. This helps you to recognize this event in the Scheduler window.
6. Click Configure...

Procedure 9-5: Purging the Database (Continued)

7. Click Purge Database...
8. The Purge dialog box is displayed.
9. Select one option for the data to delete:
   - Purge All: Deletes all database entries.
   - Purge data older than 24 hours.
   - Purge data older than n days: Deletes data older than the number of days that you set.
   - Purge data older than date: Deletes data older than the date that you set.
   - Purge Range: Deletes data between the two dates that you set.
10. To remove all address data that is not currently being used by the database, select Purge unused address data.
    Example: You might use this after your system has been subject to a large spam attack, which has filled the database.
11. Click OK to return to the Scheduler Item Configuration dialog box.
12. Click OK. The Purge Database event is listed in the Scheduler window.

ARCHIVING THE DATABASE

You can copy or move all or specific data from the database into a specific file. To archive the database, follow Procedure 9-6:

Procedure 9-6: Archiving the Database

1. In the Scheduler window, click Add Item.
2. The Scheduler Item Configuration dialog box is displayed.
3. Select Database Management from the drop-down list.

Procedure 9-6: Archiving the Database

4. Select the frequency of the task:
   Daily: You can set either:
   - A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or
   - A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes.
   Weekly: You can set a specific day, and the hour and minute on that day.
   Monthly: You can set either:
   - A specific date in every month and the hour and minute on that date, or
   - Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute.
   Yearly: You can set either:
   - A specific date in a specific month and the hour and minute on that date, or
   - Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute.
5. Enter a description in the Description field. This helps you to recognize this event in the Scheduler window.
6. Click Configure...
7. Click Archive Database...

Procedure 9-6: Archiving the Database

8. The Archive dialog box is displayed.
9. Select one option for the data to archive:
   - Archive All: Archives all database entries.
   - Archive data older than 24 hours.
   - Archive data older than n days: Archives data older than the number of days that you set.
   - Archive data older than date: Archives data older than the date that you set.
   - Archive Range: Archives data between the two dates that you set.
10. Enter or browse to the location of the archive file. The default archive folder is C:\Program files\surfcontrol Filter\Archive
    To automatically base the archive file name on the date that the archive is performed, select Unique date-based filename.
    To delete the original data from the logging database, select Purge Archived Data.
11. Click OK to return to the Scheduler Item Configuration dialog box.
12. Click OK. The Archive Database event is listed in the Scheduler window.

SHRINKING THE DATABASE

Shrinking reduces the file size of the database by eliminating redundant space but without removing any useful data. To shrink the database, follow Procedure 9-7:

Procedure 9-7: Shrinking the Database

1. In the Scheduler window, click Add Item.
2. The Scheduler Item Configuration dialog box is displayed.
3. Select Database Management from the drop-down list.

Procedure 9-7: Shrinking the Database (Continued)

4. Select the frequency of the task:
   Daily: You can set either:
   - A specific time on one or more days, by selecting the day(s) and then setting the hour and minute, or
   - A specific interval, by selecting the Every HH:MM check box, and then setting the interval in hours and/or minutes.
   Weekly: You can set a specific day, and the hour and minute on that day.
   Monthly: You can set either:
   - A specific date in every month and the hour and minute on that date, or
   - Automatically at the end of the month, by selecting the End of Month check box, and then setting the hour and minute.
   Yearly: You can set either:
   - A specific date in a specific month and the hour and minute on that date, or
   - Automatically at the end of a specific month, by selecting the End of Month check box, and then setting the hour and minute.
5. Enter a description in the Description field. This helps you to recognize this event in the Scheduler window.
6. Click Configure...
7. Click Shrink...

Procedure 9-7: Shrinking the Database (Continued)

8. The Shrink/Compact Database dialog box is displayed.
9. Specify by how much you want to shrink the database (between 1% and 99%). Default = 10%
10. Click OK to return to the Scheduler Item Configuration dialog box.
11. Click OK. The Shrink Database event is listed in the Scheduler window.

Chapter 10 Reporting

In This Chapter
Installing Report Central
Managing Database Disk Space
Logging On for the First Time
Remote Access
Getting Started With Report Central
Configuration Options
Setting Up Users
Changing User Details
Specifying a Mail Server
Databases
Resolving Database Memory Issues
Archiving/Deleting Reports
Reporting
Rules Reports
Traffic Statistics Reports
Generating Reports
Saving Reports

IN THIS CHAPTER

This chapter explains how to use SurfControl Report Central alongside Filter to create reports that give you an in-depth view of how e-mail is being used in your organization.

INSTALLING REPORT CENTRAL

See the SurfControl Filter Installation Guide or the SurfControl Report Central Installation Guide for instructions on how to install Report Central.

MANAGING DATABASE DISK SPACE

When generating reports, SQL Server can fail to execute SRC queries if the SQL Server TempDB transaction log does not have enough disk space allocated to it. To allocate more disk space, follow Procedure 10-1:

Procedure 10-1: Allocating disk space to the tempdb transaction log file

1. Launch SQL Server Enterprise Manager.
2. Select TempDB from the database list.
3. Right-click on TempDB and select Properties from the shortcut menu. The TempDB dialog box is displayed.
4. Select the Transaction Log tab.
5. Under Space Allocated (MB), enter a value of 15 or above.
6. Click OK.

LOGGING ON FOR THE FIRST TIME

When you log on to SurfControl Report Central for the first time, use the Admin account details you set up during installation. This will give access to all the configuration options.

The first time you run Report Central, you will be asked to install the Java Runtime Environment v if this is not already installed on your machine. Follow the steps in the Setup program, accepting the defaults on each screen.

REMOTE ACCESS

Users who do not have SurfControl Report Central installed can generate reports using remote access, without installing any software on their computers. You can give users remote access to SurfControl Report Central by distributing the hyperlink as shown on the next page.

SYSTEM REQUIREMENTS FOR REMOTE ACCESS

If a user wants to access Report Central remotely, their computer must meet the following system requirements.

Table 10-1 Remote access system requirements
Operating System:
- Windows XP
- Windows 2000 Server SP3
- Windows 2000 Advanced Server SP3
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition
Applications:
- Internet Explorer 5.0 or later.
- Adobe Reader 6.0 or later to read reports in PDF format.

To distribute the remote access shortcut, follow Procedure 10-2:

Procedure 10-2: Distributing the remote access shortcut

1. In your Windows operating system, select Start > All Programs > SurfControl Report Central
2. Right-click Filter 5.2 Client Shortcut, and then select Send To from the menu.
3. Select Mail Recipient.
4. Your e-mail program (for example, Microsoft Outlook) will open a new e-mail. The body of the e-mail will contain a link to Report Central.

Procedure 10-2: Distributing the remote access shortcut (Continued)

5. Enter the e-mail addresses of the users you want to receive the link, and send the e-mail.
6. To use Report Central, users must have the Java Runtime Environment installed on their computer. If users do not have this component, they will be prompted to install it the first time they try to log on to Report Central. They should accept any requests to download and install files, and select the Typical install option.
7. Although you can send the remote access shortcut to many users at once, it is better to send it to one user at a time, along with their user name and password. See the SurfControl Report Central Administrator s Guide for details.

Warning: Internet Explorer users: if you want to use SurfControl Filter Web Reports as well as Report Central, make sure that Sun Java is enabled. Select Internet Explorer > Tools > Options, and then select Enable Java 2 SDK

You will need to re-send the remote access shortcut if you edit any of the following settings on the computer where Report Central is installed:
- IP address of host computer.
- Tomcat Web Server Port Number.

GETTING STARTED WITH REPORT CENTRAL

LAUNCHING SURFCONTROL REPORT CENTRAL

From the Start menu, select: All Programs > SurfControl Report Central > Filter 5.2 Reports

Warning: To log on to Report Central you must have ActiveX controls and Plug-ins enabled in Internet Explorer. Check the settings in Internet Explorer > Tools > Internet Options > Security > Custom Level.

You will be asked to log on. When you log on for the first time, use the authentication details that you set up when you were installing Report Central.

FINDING YOUR WAY AROUND

Figure 10-1 shows a typical Report Central screen in a browser window:

[Figure 10-1 Report Central browser window. Callouts: Click Configuration to set up and administer Report Central. The left-hand panel shows the reports. When you launch Report Central these are rolled up into folders. Click a folder to expand the list. Specify report criteria in the right-hand panel.]

Figure 10-2 shows a typical Report Central screen showing report criteria:

[Figure 10-2 Report Central report criteria. Callout: Use these settings to customize your report.]

CONFIGURATION OPTIONS

To configure SurfControl Report Central, select Configuration > Options. The Configuration Options dialog box is displayed.

[Figure 10-3 Report Central Configuration Options dialog box]

There are four tabs in the dialog:
- Users: add, edit and delete users. See Setting Up Users on page 291.
- Database Connection: change the database that Report Central connects to.
- Mail Settings: set up a connection to your mail server to enable reports to be sent by e-mail. See Specifying a Mail Server on page 295.
- Archive/Delete: manage the reports you have generated. See Archiving/Deleting Reports on page 298.

SETTING UP USERS

The first thing you need to do after installing Report Central is set up user accounts. There are three stages to this process:
1. Specify logon details
2. Specify user permissions
3. Specify report permissions

These stages are described in detail on the following pages.

SPECIFYING LOGON DETAILS

To create logon details for a new user account, follow Procedure 10-3:

Procedure 10-3: Specifying logon details

1. Log on using the Admin account.
2. Select Configuration > Options to display the Configuration Options dialog.
3. On the Users tab, click New.

Procedure 10-3: Specifying logon details (Continued)

4. The User Configuration dialog box is displayed. Select the General tab.
5. Enter the following information:
   - User Name
   - Password
   - Confirm Password

SPECIFYING USER PERMISSIONS

When you are creating user accounts, you can set the following user permissions:

Table 10-2 User permissions
Permission Setting | Permitted Actions
Act as global administrator | The user can create and edit users.
Able to change database used for reports | The user can run reports from any database on the list. They can also edit and delete database connections.
Able to create reports in a private view | The user can create reports and folders that only they can access.
Able to create and share reports in a public view | The user can create reports that all users can access.
Restricted User | The user can run reports but cannot change any report criteria. Use this option if you want a user to run only specific reports that have been set up by a global administrator and saved in the Public folder.

To set user permissions, follow Procedure 10-4:

Procedure 10-4: Specifying user permissions

1. On the User Configuration dialog, select the General tab.
2. Select the level of access you want the user to have by selecting the check boxes.

SPECIFYING REPORT PERMISSIONS

There are two kinds of report: standard and custom.

Standard Reports

Standard reports are the pre-set reports that are installed with Report Central. They are divided into two groups:

- Rules Reports
- Traffic Statistics Reports

You can specify whether or not a user has access to a group of reports, or you can specify which individual reports in each group you want users to be able to access. This means that nobody in your organization can view sensitive user information unless they are qualified or authorized to do so. For a detailed description of each group and report, see the SurfControl Report Central Administrator's Guide.

Custom Reports

Custom reports are defined by the user. You can allow users to specify their own reports, or you can restrict them to using only the standard ones.

To specify report permissions, follow these steps:

Procedure 10-5: Specifying report permissions

1. Select the Reports tab.
2. Select check boxes of the reports to which users should have access:
   - Check Select All to give the user access to all reports.
   - Check a category to give the user access to all reports in that group.
   - Click on the group to expand it, and check an individual report to give the user access to only that report.

CHANGING USER DETAILS

Users with Global Administrator status can edit user details or delete user accounts.

To edit user details, follow Procedure 10-6:

Procedure 10-6: Editing User Details

1. From the Configuration Options Users tab, highlight the user in the Existing Users panel.
2. Click Edit. The User Configuration dialog box is displayed showing the user's existing details.
3. You can change all existing General and Report settings for the user, except for the User Name.
4. Click OK.

To delete users, follow Procedure 10-7:

Procedure 10-7: Deleting a User

1. From the Configuration Options Users tab, click the user in the Existing Users panel.
2. Click Delete. A Confirm Delete warning is displayed.
3. Click Yes to confirm the deletion, or No to cancel.

SPECIFYING A MAIL SERVER

To be able to send reports attached to an email, you need to specify a mail server. To specify a mail server, follow Procedure 10-8:

Procedure 10-8: Specifying a Mail Server

1. On the Configuration Options dialog, select the Mail Settings tab.
2. In the Hostname field, enter the server name of the mail server you want to use to distribute reports, for example myserver.mycompany.com
3. In the Port field, enter the number of the port you want to use to send outbound email. This is usually port
4. In the Senders Address field, enter the address you want to send reports from, for example reporting@reportcentral.com
5. Click OK to confirm your changes.

DATABASES

The Database Connection tab shows the following information:

- The current database being used for reporting.
- The authentication details of the current database.
- A list of databases that can be used for reporting.

From this tab you can select a different database to connect to.

CONNECTING TO A DIFFERENT DATABASE

To report on a new database, you must first add the database connection details to the list. You can only add a database connection if you are either:

- A global administrator, or
- A user with the Able to change database used for reports privilege.

Details of the current database are shown in the Current Database box. To connect to a different database, follow Procedure 10-9:

Procedure 10-9: Connecting to a different database

1. Select Configuration > Options. The Configuration Options dialog box is displayed.
2. Select the Database Connections.
3. In the Server box, enter the name of the server where the database is running.
4. Enter the Hostname. This is either the IP address or name of the SQL Server that Report Central will connect to.
5. In the Authentication area, select the authentication method for connecting to the server. If you select SQL Authentication, enter a user name and password.
6. The available databases are displayed in the Database menu. Select the database you want to connect to and click Select.
7. Click OK.

RESOLVING DATABASE MEMORY ISSUES

INCREASING MEMORY TO THE JAVA VIRTUAL MACHINE

If your database is very large, the following message might be displayed when you try to generate a report with a large list of criteria, for example over 500,000 senders:

    To display the criteria list you need to increase the amount of Java Virtual Memory.

To increase the amount of memory available to the Java Virtual Machine, follow Procedure 10-10:

Procedure 10-10: Increasing the Java Virtual Memory

1. From the Start Menu, select Settings > Control Panel > Java Plug-in. The Java Plug-in Control Panel will open.
2. Select the Advanced tab.
3. In the Java Runtime Parameters field, enter the following:

    -Xms256m -Xmx512m

   This will set the amount of memory available to the Java Virtual Machine to a minimum of 256MB and allow it to expand to 512MB. You can allocate more memory by changing 512 to a higher value, but make sure there is enough system memory available before you do this.

INCREASING THE TEMPDB TRANSACTION FILE

The following reports can generate high volumes of data.

Table 10-3 High-volume reports

Report type | Report name
Rules reports | Rules by date; Rules by sender summary; Rules by sender detail; Rules by sender showing recipient
Traffic statistics reports | Messages by size

If your database does not have enough memory, it will be unable to generate the report. To increase the amount of memory, follow Procedure 10-1 on page 286.

ARCHIVING/DELETING REPORTS

You can specify how SurfControl Report Central deals with reports that are no longer current. When you have enabled archiving or deletion (Procedure 10-11), use the Archive/Delete options to specify:

- Which reports are deleted or archived.
- When deletion or archiving takes place.

ENABLING REPORT ARCHIVING/DELETION

Note: Reports are archived individually, in their originally created format.

To delete or archive reports, you must first enable the Archive/Delete feature:

Procedure 10-11: Enabling Report Archiving/Deletion

1. On the Configuration Options dialog, select the Archive/Delete tab.
2. Select Enable Automatic Report Cleanup. The Delete and Archive options become available.
3. Select to Delete or Archive reports. The settings for the selected option become available.

Note: By default, Automatic Report Cleanup is unavailable. When you enable it, the Archive Reports option is selected by default.

Set the archive/delete options by following the procedures on the following pages.

DELETING REPORTS

When you have chosen to delete reports, use the Delete Options tab to specify which reports are deleted, and when.

Procedure 10-12: Deleting reports

Specifying which reports are deleted

1. On the Configuration Options dialog, select the Archive/Delete tab.
2. Make sure the Enable Automatic Report Cleanup and Delete Reports options are selected.
3. Select the Delete Options tab.
4. To select which reports are deleted, select one of the following:
   - All (the default setting)
   - Before today
   - Older than last 7 days
   - Older than last full month

Specifying the date and time you want reports to be deleted

5. Select the Date/Time tab.
6. In the Time of Day area, specify a time of day (using the 24hr clock) to delete your reports.
7. If you want the selected reports to be deleted on a certain day or days of the week, select Daily/Weekly, and use the check box to specify the days you want. If you want the reports to be deleted every day, select all the check boxes.
8. If you want the selected reports to be deleted on a certain day in the month, select Monthly and use the Day field to specify which day of the month you want. Alternatively, if you want the reports to be deleted on the last day of each month, select End of Month.
9. Click OK.

ARCHIVING REPORTS

When you have chosen to archive reports, use the Archive Options tab to specify which reports are archived, and when.

Procedure 10-13: Choosing which reports are archived

1. On the Configuration Options dialog, select the Archive/Delete tab.
2. Make sure the Enable Automatic Report Cleanup and Archive Reports options are selected.
3. Select the Archive Options tab.
4. To select which reports are archived, select one of the following:
   - All (the default setting)
   - Before today
   - Older than last 7 days
   - Older than last full month
5. In the Archive Location field, specify a folder where you want archived reports to be stored.
6. Select the Date/Time tab.
7. In the Time of Day area, specify a time of day (using the 24hr clock) to archive your reports.
8. If you want the selected reports to be archived on a certain day or days of the week, select Daily/Weekly, and use the check box to specify the days you want. If you want the reports to be archived every day, select all the check boxes.
9. If you want the selected reports to be archived on a certain day in the month, select Monthly and use the Day field to specify which day of the month you want. Alternatively, if you want the reports to be archived on the last day of each month, select End of Month.
10. Click OK.

REPORTING

There are two kinds of report:

- Standard: reports generated using pre-set criteria.
- Custom: reports generated using criteria you have previously entered and saved. This means you can generate the same report many times without having to re-enter the criteria.

The reports are displayed in the left pane of the work area:

Report Central has the same range of reports as Web Reports for SurfControl Filter, but the reports have been improved and given more descriptive names. The report listings for rules and traffic statistics (Rules Reports on page 301 and Traffic Statistics Reports on page 303) show the new name for each report and also the previous name as used in Web Reports. If there is a Web report you use regularly, check the Formerly known as column to find out whether the name has changed.

STANDARD REPORTS

Standard Reports are split into two categories:

- Rules Reports
- Traffic Statistics Reports

RULES REPORTS

Rules reports give information about rules: which rules are being broken, how often and by whom. Table 1 lists the Rules Reports.

Table 10-4 Rules Reports

Report name | Type | Formerly known as | Data | Ordered by
Rules by Date | Table | Detailed messages by broken rules | Rule name, Date, Sender, Recipient, Subject | Rule name
Rules by Sender Summary | Table | Full report summary | Sender, Rule name, Number of messages, Total size | Sender

Table 10-4 Rules Reports (Continued)

Report name | Type | Formerly known as | Data | Ordered by
Rules by Sender Detail | Table | Full report detail | Sender, Rule name, Date, Time, Action, Recipient | Sender
Rules by Sender Showing Recipient | Table | Detail for specific rules | Sender, Rule name, Date, Recipient, Size | Sender
Top N Incoming IPs by Rule | Table | Top N incoming host IPs by rules triggered. | IP address, Host name, Rule name, Number of times rule triggered | IP address
Top 15 Rules | Bar chart | Top 20 broken rules | 15 rules most often triggered by all messages | Number of rule-breaking messages
Top N Rules | Table | Top N rules | N rules most often triggered, by incoming/outgoing messages. Time the rule was triggered. | Time triggered
Top N Rules by Incoming IP | Table | Top N triggered rules showing incoming host IPs | Rule name, IP address, Host name, Number of times rule triggered | Rule name
Top 10 Rules by Percent | Bar chart | Percentage of messages by top 10 rules | Top 10 most frequently triggered rules and the percentage of messages triggering them. | N/A
Top 15 Senders by Rules Triggered | Bar chart | Top 20 senders by message | Top 15 senders broken down by the percentage of messages triggering each rule. | Number of messages sent.

TRAFFIC STATISTICS REPORTS

Traffic Statistics Reports give information on the volume of traffic passing through your system. Table 2 lists the Traffic Statistics Reports.

Table 10-5 Traffic Statistics Reports

Report name | Type | Formerly known as | Data | Ordered by
Bandwidth by Date | Bar chart | bandwidth by date | Total number of messages per day. | Date
Bandwidth by Hour | Bar chart | bandwidth by hour | Total number of messages per hour | Time
Messages by Weekday | Bar chart | Number of messages by weekday | Total number of messages per day of the week | Day
Messages by Size | Table | Message size by sender | Message size, Sender, Message date, Message time | Message size
Top N Incoming IPs | Table | Top N incoming host IPs | IP address, Host name, Number of messages sent, Volume of messages sent | Number of messages sent
Top 15 Recipients by Total Messages | Bar chart | Volume by recipient summary | Top 15 recipients by number of messages received. | Number of messages received.
Top 15 Recipients by Total Size | Bar chart | Volume by recipient detail | Top 15 recipients by volume of messages in bytes. | Volume of messages received.
Top 15 Senders by Percent | Bar chart | Percentage of messages by sender. | Top 15 message senders and the percentage of messages sent by them. | N/A
Top 15 Senders by Total Messages | Bar chart | Top 20 senders by number of messages | Top 15 senders | Total number of messages sent.
Top 15 Senders by Total Size | Bar chart | Top 20 senders by volume of messages | Top 15 senders and the volume of email sent by them in bytes. | Volume of email sent.

SETTING UP REPORTS

There are four stages to setting up a report:

1. Select the report you want to run
2. Specify report criteria
3. Specify running options
4. Specify scheduling options

SELECTING A REPORT

To select a report, click on it. The criteria for that report are displayed in the right-hand panel.

Warning: The date on the computer where Report Central is installed must be the same as on the SQL server, otherwise the time and date may not be reported accurately.

When you select a report, SurfControl Report Central retrieves the Time and Date information from the database. If you receive the following error message:

    Date and Time information cannot be retrieved from the database

there is a problem with your database connection. You should check the following:

- Report Central is connecting to a valid database (Configuration Options dialog).
- The server is running correctly (SQL Service Manager).

SPECIFYING REPORT CRITERIA

You can specify the following report criteria, depending on the type of report you are generating, and your access privileges:

- Date/Time
- Senders
- Sender Domains
- Rules
- Weekday
- Recipients
- Recipient Domains
- Options
- Database (Custom Reports Only)

Date/Time

Table 3 shows the Date/Time criteria.

Table 10-6 Date/Time criteria

All Available | Report on all available emails stored on the database.
Today | Report on all emails logged to the database today.
Yesterday | Report on all emails logged to the database yesterday (between 00hrs and 24hrs).
Last 7 Days | Report on all emails logged to the database in the last seven days (the default setting).
Last full month | Report on all emails logged to the database in the last full month.
Custom | Report on all emails logged to the database in the time period you specify. See Procedure on page 305.

Specifying a Custom Time Period for Reports

You can report on any time period by using the Custom option.

Procedure 10-14: Specifying a custom time period for reports

1. Select a Start Date by clicking the calendar button.
2. Select an End Date by clicking the calendar button.
3. Specify a Start Time (in 24 hr clock).
4. Specify an End Time (in 24 hr clock).
5. If you want the report to take data from the same time period each day, select Use same start and end times each day. See Table 10-7 on page 306 for an explanation of this feature.
6. If you want the report to take data from outside the time period you specify, select Exclude Time Range. See Table 10-8 on page 306 for an explanation of this feature.
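The effect of the two check boxes in steps 5 and 6 (explained in Tables 10-7 and 10-8) is easiest to see on sample data. The following Python sketch is an added illustration, not Report Central code: the function names, the inclusive boundaries and the reading of Exclude Time Range as an inversion inside the selected dates are assumptions, and the message log is constructed.

```python
from datetime import datetime


def in_custom_period(ts, start, end,
                     same_times_each_day=False, exclude_time_range=False):
    """Decide whether a message logged at `ts` is reported for a Custom period.

    `start` combines Start Date + Start Time, `end` combines End Date + End Time.
    Boundaries are treated as inclusive (assumption).
    """
    if end < start:
        raise ValueError("End Date/Time is earlier than Start Date/Time")
    if same_times_each_day and end.time() < start.time():
        raise ValueError("a daily window needs Start Time <= End Time")

    # Assumption: messages outside the selected dates are never reported,
    # even with Exclude Time Range selected (matches the Table 10-8 example,
    # which stays within day 1).
    if not (start.date() <= ts.date() <= end.date()):
        return False

    if same_times_each_day:
        # Selected: the same clock window applies on every day in the range.
        inside = start.time() <= ts.time() <= end.time()
    else:
        # Cleared: one continuous span from start time on the start date
        # to end time on the end date.
        inside = start <= ts <= end

    # Exclude Time Range reports the data the window would otherwise leave out.
    return not inside if exclude_time_range else inside


def select_senders(messages, start, end, **flags):
    """Return the senders of the messages that fall into the report."""
    return [sender for ts, sender in messages
            if in_custom_period(ts, start, end, **flags)]


# Constructed sample log: (time logged, sender label).
MESSAGES = [
    (datetime(2006, 3, 1, 8, 30), "a"),   # day 1, before 9am
    (datetime(2006, 3, 1, 12, 0), "b"),   # day 1, working hours
    (datetime(2006, 3, 1, 20, 0), "c"),   # day 1, evening
    (datetime(2006, 3, 2, 3, 0), "d"),    # day 2, night
    (datetime(2006, 3, 2, 10, 0), "e"),   # day 2, working hours
    (datetime(2006, 3, 3, 16, 59), "f"),  # day 3, just before 5pm
    (datetime(2006, 3, 3, 18, 0), "g"),   # day 3, after 5pm
    (datetime(2006, 3, 4, 10, 0), "h"),   # outside the date range
]
START = datetime(2006, 3, 1, 9, 0)   # 9am on day 1
END = datetime(2006, 3, 3, 17, 0)    # 5pm on day 3

if __name__ == "__main__":
    for same in (False, True):
        for exclude in (False, True):
            picked = select_senders(MESSAGES, START, END,
                                    same_times_each_day=same,
                                    exclude_time_range=exclude)
            print(f"same times={same!s:5} exclude={exclude!s:5} -> {picked}")
```

With both boxes cleared, the overnight messages on days 1 and 2 are part of the report; selecting Use same start and end times each day drops them, which matters when a report is meant to cover working hours only.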

Use Same Start and End Times Per Day

You can specify that the report uses data from the same time frame each day.

Table 10-7 Use same start and end times per day check box

Check box | What happens | Example
Cleared | SurfControl Report Central will use report data from the entire date range you specify, beginning at the start time on the start date and ending at the end time on the end date. | Between 9am on day 1 and 5pm on day 3.
Selected | SurfControl Report Central will use report data from the time period you specify, for each day between the start and end date. | Between 9am and 5pm on day 1, 9am and 5pm on day 2, and so on.

Exclude Time Range

You can use the Exclude Time Range check box independently of the Use same start and end times per day check box.

Table 10-8 Exclude Time Range check box

Check box | What happens | Example
Cleared | The report will use data from the time period you specify. | Between 9am and 5pm on day 1.
Selected | The report will use any data excluded by the Use same start and end times per day options. | Midnight until 9am and 5pm till 11:59pm on day 1.

Senders

By default, all senders monitored by SurfControl Filter are included in reports and all new senders are automatically included, but you can also:

- Include only the senders you specify in the report.
- Exclude the senders you specify from the report.

Figure 10-4 Senders tab

Specifying Senders in a Report

Procedure 10-15: Specifying senders in a report

1. Select the Senders tab.
2. By default, all senders are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Procedure 10-15: Specifying senders in a report (Continued)

Including Selected Items

3. Select Include selected items. The Choose Criteria: Senders is displayed.
   Note: Restricted users cannot change Sender criteria.
4. In the Search area, enter text to search for, and the number of results that are shown. Retrieve N criteria (number of results): Default = 50, Maximum =
5. Click Search.
6. The available senders are displayed in the Available Criteria box. Select the senders you want to include in the report, and then click Add.
7. The senders you selected are displayed in the Selected Criteria box.
8. Click OK. Only the senders you selected will be included in the report.

Procedure 10-15: Specifying senders in a report (Continued)

Excluding Selected Items

9. Select Exclude selected items. The Choose Criteria: Senders is displayed.
10. Select which senders you want to exclude by following steps
11. Click OK. The report will include all senders except the ones you specified.

Sender Domains

By default, all sender domains are included in the report, but you can also:

- Include only the sender domains you specify in the report.
- Exclude the sender domains you specify from the report.

Procedure 10-16: Specifying sender domains in a report

1. Select the Sender Domains tab.
2. By default, all sender domains are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Procedure 10-16: Specifying sender domains in a report (Continued)

Including Selected Items

3. Select Include selected items. The Choose Criteria: Sender Domains dialog box is displayed.
4. In the Search area, enter text to search for, and the number of results that are shown. Retrieve N criteria (number of results): Default = 50, Maximum =
5. Click Search.
6. The available sender domains are displayed in the Available Criteria box. Select the sender domains to include in the report, and then click Add.
7. The sender domains you selected are displayed in the Selected Criteria box.
8. Click OK. Only the sender domains that you selected are included in the report.

Excluding Selected Items

9. Select Exclude selected items. The Choose Criteria: Sender Domains dialog box is displayed.
10. Select which sender domains to exclude (see steps 4-6).
11. Click OK. The report will include all sender domains except the ones you specified.

Rules

By default, all rules that have been triggered are included in reports, but you can also:

- Include only the triggered rules you specify in the report.
- Exclude the triggered rules you specify from the report.

Procedure 10-17: Specifying rules criteria in a report

1. Select the Rules tab.
2. By default, all triggered rules are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Including Selected Items

3. Select Include selected items. The Choose Criteria: Rules dialog box is displayed.
4. In the Search area, enter text to search for, and the number of results that are shown. Retrieve N criteria (number of results): Default = 50, Maximum =
5. Click Search.
6. The triggered rules available for selection are displayed in the Available Criteria box. Select the triggered rules to include in the report, and then click Add.
7. The triggered rules you selected are displayed in the Selected Criteria box.
8. Click OK. Only the triggered rules you specify will be included in the report.

Procedure 10-17: Specifying rules criteria in a report (Continued)

Excluding Selected Items

9. Select Exclude selected items. The Choose Criteria: Rules dialog box is displayed.
10. Select which triggered rules to exclude (see steps 4-6).
11. Click OK. The report will include all triggered rules except the ones you specified.

Weekday

By default all available days of the week are included in the report, but you can:

- Include only the weekdays you specify in the report.
- Exclude the weekdays you specify from the report.

Procedure 10-18: Specifying days of the week in a report

1. Select the Weekday tab.
2. By default, all weekdays are included in the report, but you can also:
   - Include selected items.
   - Exclude selected items.

Including Selected Items

3. Select Include selected items. The Choose Criteria: Weekday dialog box is displayed.
4. The days of the week available for selection are displayed in the Available Criteria box. Select the days to include in the report, and then click Add.
5. The days you selected are displayed in the Selected Criteria list box.
6. Click OK. Only the specified days are included in the report.

Procedure 10-18: Specifying days of the week in a report (Continued)

Excluding Selected Items

7. Select Exclude selected items. The Choose Criteria: Weekday dialog box is displayed.
8. Select which days to exclude (steps 4-6).
9. Click OK. The report will include all weekdays except the ones that you specified.

Recipients

By default all recipients are included in a report, but you can also:

- Include only the recipients you specify in the report.
- Exclude the recipients you specify from the report.

Procedure 10-19: Specifying recipients in a report

1. Select the Recipients tab.
2. By default, all recipients are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Procedure 10-19: Specifying recipients in a report (Continued)

Including Selected Items

3. Select Include selected items. The Choose Criteria: Recipients is displayed.
4. In the Search area, enter text to search for, and the number of results that are shown. Retrieve N criteria (number of results): Default = 50, Maximum =
5. Click Search.
6. The available recipients are displayed in the Available Criteria box. Select the recipients to include in the report, and then click Add.
7. The recipients you selected are displayed in the Selected Criteria box.
8. Click OK. Only the recipients you selected are included in the report.

Excluding Selected Items

9. Select Exclude selected items. The Choose Criteria: Recipients is displayed.
10. Select which recipients to exclude (see steps 4-6).
11. Click OK. The report will include all recipients except the ones you specified.

Recipient Domains

By default, all recipient domains are included in the report, but you can also:

- Include only the recipient domains you specify in the report.
- Exclude the recipient domains you specify from the report.

Procedure 10-20: Specifying recipient domains in a report

1. Select the Recipient Domains tab.
2. By default, all recipient domains are included in the report. You can also:
   - Include selected items.
   - Exclude selected items.

Including Selected Items

3. Select Include selected items. The Choose Criteria: Recipient Domains dialog box is displayed.
4. In the Search area, enter text to search for, and the number of results that are shown. Retrieve N criteria (number of results): Default = 50, Maximum =
5. Click Search.
6. The available recipient domains are displayed in the Available Criteria box. Select the recipient domains to include in the report, and then click Add.
7. The recipient domains you selected are displayed in the Selected Criteria box.
8. Click OK. Only the recipient domains you selected will be included in the report.

Procedure 10-20: Specifying recipient domains in a report (Continued)

Excluding Selected Items

9. Select Exclude selected items. The Choose Criteria: Recipient Domains dialog box is displayed.
10. Select which recipient domains to exclude (see steps 4-6).
11. Click OK. The report will include all recipient domains except the ones you specified.

Options

The Options tab shows options for the report you are generating. There are two possible options you may see here:

- Exclude Postmaster: use this field to exclude emails to and from the Postmaster account. Enter the address of the Postmaster, for example, postmaster@mycompany.com.
- Top N Rules: enter how many of the most frequently triggered rules you want to include in the report; for example, enter 10 to include the top 10.

Most reports have one option or the other; some have both. Some reports do not have any options, in which case the tab will not be visible.

Database (Custom Reports Only)

When you have saved custom report criteria in the public or private folder, the Database tab will become available. The Database tab shows you which database is being used for reports. SurfControl recommends that you do not attempt to change databases if reports are potentially being generated from the current one.

Procedure 10-21: Changing the database used for reports

1. Select the Database tab.
2. Click Change Database. If you have set up any report criteria, these will be lost. You will be asked to confirm that you want to change databases.
3. The Choose Database dialog is displayed. Select the database you want to use for reports. If the database is not listed, use the configuration options to add the database. See the SurfControl Report Central Administrator's Guide for details.

SPECIFYING RUNNING OPTIONS

The Running Options tab controls how your report is produced and where it is saved.

Display Selected Criteria

Note: If you use the default setting of including all criteria, the selected criteria will not be shown, even if you select Display Selected Criteria.

You can select whether the criteria you have chosen for the report are to be displayed on the first page. If you choose to do this, the criteria you have excluded will be printed. For example, if you choose to generate a report on senders 1, 2 and 3, the criteria displayed on your report will show:

    Excluded senders: sender 4, sender 5, sender 6

Format

You can generate reports in the following formats:

Table 10-9 Report formats

Format | Details
.csv | Stands for Comma Separated Value, a text format that can be used by spreadsheet and database programs such as Microsoft Excel and Access.
.html | You can view the report in HTML format using a web browser.
.pdf | Portable Document Format is the default format. You need a reader such as Adobe Acrobat Reader (available as a free download from to view PDF documents.
.rtf | Rich Text Format is a format that can be viewed in word processors such as MS Word.

Destination Type

Warning: Some programs may not display bar chart reports in html format correctly. To display the report, save all the emailed files to the same folder and open them from there. It is better to email bar charts as PDFs.

You can specify how you want a report to display. If you choose to email a report, note that reports are emailed in their native format and will not be compressed. If you are unsure about the size of a report to email, save the report to your machine using the Schedule options. You can then check the size of the report before you send it.

Table Destination type options

Option | Details
Show in Browser (default) | Reports in html and pdf format will open automatically in a browser window. The csv and rtf formats will ask whether you want to open the file or save it on your computer.
Send by email | The report will be sent as an attachment to the address you specify.

To specify running options, follow Procedure 10-22:

Procedure 10-22: Specifying Running Options

1. Select the Running Options tab.
2. If you want to display the report criteria, select Display Selected Criteria.
3. Select a report format from the list.
4. From the Destination Type menu, select how you want the report to be displayed.
5. If you have chosen to send the report as an email, enter an address in the Receiver's Address field.
   Note: If you send a table report of more than two pages by email, the navigation buttons will work only if the recipient saves the report to a folder on their local machine.
6. Click Run to run the report.

SCHEDULE OPTIONS

You can set up reports to run automatically at the time or date you select. The Schedule Options tab is used to schedule reports.

Enabling Report Scheduling

To enable report scheduling, select the Schedule Report check box. When you enable report scheduling, two tabs will become available:

- Date/Time
- Save Options

Date/Time

On this tab you can specify the following:

- Time of Day: specify the hour and minute you want to run a report (using the 24 hr clock).
- Daily/Weekly: specify which days of the week you want to run a report. You can run reports every day, once a week or on selected days.
- Monthly: specify a day of the month to run a report, or run a report on the last day of the month. If you select the monthly check box, the Daily/Weekly options are unavailable.

Save Options

When the report you have scheduled is generated, you can automatically save it to your hard drive by specifying save options.

Table Save Options

Option | Details
Format | You can save the report in the following formats: .csv, .html, .pdf, .rtf. See Format on page 317 for information about each format.
Destination type | Save on Hard drive: the report will be saved to your computer's hard drive. This is useful if you want to check the size of the file before sending it by email. Sent by email: the report will be sent as an attachment to the address you specify.

GENERATING REPORTS

When you have set up your criteria, you are ready to generate the report.

Note: You can check the size of a report by printing it to file; see Save Options on page 319. You can then view the report without having to print it out, or print only selected pages.

Managing Large Reports

Some reports will generate extremely large volumes of data, especially in large organizations with heavy e-mail traffic. Reports that run to many thousands of pages can slow down Report Central, and are also difficult to print and view. The following table shows the reports that are likely to generate high volumes of data.

Table: High-volume reports
Report type: Report name
Rules reports: Rules by date; Rules by sender summary; Rules by sender detail; Rules by sender showing recipient
Traffic statistics reports: Messages by size

If the report contains more than 20,000 records you will see the following message at the top of your report:

This report shows only the first 20,000 records from a total of x records. Limiting the report criteria will show more records.

where x is the total number of records available.

To show more records, limit the report criteria, for example, reduce the number of senders.

When you have set up your report, click Run. Alternatively, if you want to return all the report options to their default settings, click Revert to Default.

SAVING REPORTS

When you have set up your report, you can save a copy to your hard drive. There are two ways to save a report:
- Save the report to a Public folder.
- Save the report to a Private folder.

See the SurfControl Report Central Administrator's Guide for more information about folders and permissions. The procedure below details how to save a report.

PUBLIC FOLDER

Any user can view report criteria saved in the Public folder. Users with the necessary permissions can also change the report criteria.

Note: If you change a report from the Public folder, save it with a different name to make sure that you do not overwrite another user's report.

PRIVATE FOLDER

A report saved to the Private folder can be viewed only by the user who created it.

To save a report:

Procedure 10-23: Saving a Report
1. Set up the report using your required criteria and options.
2. Click Save As. The Save Report dialog box opens.
3. Select the folder in which to save the report.
4. In the Report Name field, enter a name for your report.
5. Click Save. The Completed Reports tab is displayed in the dialog box.

SUB-FOLDERS

You can organize reports in the public or private folders by creating sub-folders.

Procedure 10-24: Creating sub-folders
1. Click Public or Private reports, as appropriate. The New Folder button becomes available.
2. Click New Folder. Enter the name of the new folder in the dialog that is displayed. The name of the folder must not be longer than 50 characters.
   Note: The total number of characters used in the filename of a sub-folder and any folders beneath it cannot exceed 110 characters. For example:
   File abc123 = 6 characters
   File abcd1234 = 8 characters
   File abcde12345 = 10 characters
   Total = 24 characters
3. Click OK to confirm. The new folder is added in the left hand pane of the work area.

To delete a folder, highlight it and click Delete. You cannot delete the top level Public or Private folders.

COMPLETED REPORTS

Note: Only reports that have been saved into the Public or Private folders are displayed in the Completed Reports tab. Reports sent as e-mail are not displayed.

When you have saved a report to the Public or Private folders, a new tab, Completed Reports, is added to the dialog. This tab shows which reports have been generated.

Chapter 11 Remote Administration

In This Chapter, page 324
Administration Client, page 324
Web Administrator, page 325
Message Administrator, page 327
Dictionary Management, page 331
Viewing Logs, page 334

IN THIS CHAPTER

This chapter describes how to administrate SurfControl Filter from a remote computer using:
- Administration Client
- Web Administrator.

ADMINISTRATION CLIENT

Note: When you install the Administration Client on the remote computer(s), you can select the components that you need to administrate. See the SurfControl Filter Installation Guide for instructions.

Depending on the Filter components that you selected, using the Administration Client, you have remote access to the following functions:
- Message Administrator: see the chapter Message Administrator on page 225.
- Rules Administrator: see the chapter The Rules Administrator on page 99.
- Monitor (including Server Configuration): see the chapter The Monitor on page 87.
- Dictionary Management: see the chapter Dictionary Management on page 247.

You can also configure administrators. To set up remote users and specify their access permissions, see Configuring Administrators.

WEB ADMINISTRATOR

The Web Administrator enables you to access the following Filter functions from a remote computer:
- Message Administrator
- Dictionary Management
- View logs.

For more detailed information of these functions, see Message Administrator on page 225.

LAUNCHING WEB ADMINISTRATOR

You can launch Web Administrator from either:
- The Filter server, or
- A remote computer.

For both methods, the Web Administrator Start screen is displayed in your Web browser, see Web Administrator Start screen on page 326.

Launching Web Administrator From the Filter Server

To launch Web Administrator from the Filter server, select Start > All Programs > SurfControl Filter > SurfControl Web Administrator.

Launching Web Administrator From a Remote Computer

Before you can use Web Administrator remotely, you need to set up Administrators in the Server Configuration console. The Administrator's permission settings must include Message Administration. See Configuring Administrators on page 79.

Enter the following address into your internet browser:

<address of your SurfControl Filter server>:<standard port number>/index.htm

For example, to access an installation on a server with an IP address of and a standard port of 82 specified during installation, the URL would be:

The log on screen is displayed:

Figure 11-1 Web Administrator log on screen

Enter your username and password. When you have logged on, the Web Administrator Start screen is displayed in your browser window:

Figure 11-2 Web Administrator Start screen

Note: You can access all of these features through any screen in the Web Administrator.

MESSAGE ADMINISTRATOR

Use the Message Administrator functions to manage e-mails within queues. Figure 11-3 shows a typical Message Administrator browser screen:

Figure 11-3 Remote Message Administrator functions (callouts: select the actions to apply to e-mails; use the links to work with queues, view logs and manage dictionaries; the Message List, logs or dictionaries are displayed in the main area)

For more details of working with queues, see Working with Queues on page 238.

SORTING E-MAILS

To sort the list, click a column heading. For example, if you click the Subject heading once, the whole list is sorted by subject in descending order; click the column heading again to reverse the sort order.

MOVING, RELEASING AND DELETING E-MAILS

You can move, release or delete any or all of the e-mails in the list:

Procedure 11-1: Moving, releasing or deleting e-mails
1. Select the check box of each e-mail that you need. Alternatively, select all the e-mails on the list by selecting the Select all displayed messages check box.

2. In the Action: drop-down, select what you want to do with the selected e-mails:
   - Release: Moves the e-mails into the Send queue, which enables them to be sent to their destination.
   - Delete: Deletes the e-mails. Note: You cannot retrieve deleted e-mails.
   - Move: Moves the e-mails to another queue. Each queue is listed separately.
3. To complete the action, click the button next to the Action: drop-down list.

VIEWING THE PROPERTIES OF INDIVIDUAL E-MAILS

Click an e-mail to view its properties:
- Actions: A list of the actions you can perform on the e-mail.
- File area: Displays the filename, the address it was sent from, and the date it was received.
- Message Contents: If Document Decomposition is enabled, you can view the component parts of the e-mail here.
- Rule log information: Brief information from the rule log, such as the name of the rule triggered and the action taken.
- Message Header

Figure: E-mail Properties

For details of how to enable document decomposition, see Configuring Document Decomposition.

The actions that you can perform on an e-mail are listed in the Actions: panel. These actions are the same as the actions in Message Administrator.

Table: E-mail actions
Action: Description
Properties...: Shows information about the selected e-mail, including details of recipients and file size.
Release: Place the e-mail in the Send queue so that it can proceed to its destination.
Send reply: Send a reply to the sender of the e-mail. An e-mail form will open for you to type your text. You can either enter the text manually, or use pre-set text.
Forward copy: Forward a copy of the e-mail to another user. You can enter an e-mail address in the To: field as well as using the check boxes to send the e-mail to the message sender, the message recipient, or the systems administrator.
Submit...: Report the e-mail to SurfControl as Spam. SurfControl will analyze the e-mail and any attachments for inclusion in the Anti-Spam Agent signature file.
Delete: Delete the e-mail. You will be asked to confirm your choice before the e-mail is deleted.
Delay: Move the e-mail into the delay queue. You will be asked to confirm your choice before the e-mail is delayed.
Analyze: Shows each word in the e-mail that has triggered the dictionary rule, how often it occurs and its score.
Return to message list: Clears the details screens and returns to the e-mail list display.

ANALYZING E-MAILS

When you analyze an e-mail, you can view each word that has triggered the dictionary rule, how often it occurs and its score. You can analyze any e-mail; it does not need to have triggered a rule:

Procedure 11-2: Analyzing e-mails with Web Administrator
1. Click Analyze. The Analyze page is displayed.
2. Select the dictionary to be used to analyze the e-mail.
3. The screen displays an analysis of the e-mail:
   - The words from the e-mail that appear in the selected dictionary
   - The message part in which the words occur
   - The value assigned to each word
   - The number of these words found
   - The individual word scores
   - The total word score.
4. From the Message part: drop-down list, select which parts of the e-mail to scan:
   - Entire Message
   - Header
   - Body
   - Attachments.

5. From the Scoring: drop-down list, select either:
   - Threshold total: If the e-mail is in a multipart alternative format, you can display only the words from the part that scored highest.
   - Grand total: Display the dictionary scoring words from all selected parts of an e-mail. In the case of multi-part alternative e-mails, identical dictionary scoring words from alternative parts will have a cumulative effect on the final score for the selected dictionary.
6. Click OK to return to the e-mail list.

DICTIONARY MANAGEMENT

Use the Dictionary Management functions to create and edit dictionaries. Figure 11-5 shows a typical Dictionary Management browser screen:

Figure 11-5 Dictionary Management screen

For more details of how to manage dictionaries, see Dictionary Management on page 247.

ADDING A DICTIONARY

To add a dictionary, follow Procedure 11-3:

Procedure 11-3: Adding a Dictionary
1. Click Add new dictionary. The Add dictionary screen is displayed.
2. Enter a name and a description for the dictionary.
3. If needed, you can add a warning message that is displayed when the dictionary is opened. For example, "This dictionary contains bad jokes". If you added a warning, select Show warning:.
4. Click OK.
5. To be able to use the dictionary, click Commit Dictionary Changes.

The new dictionary is added to the list. You can now add words, phrases and scores to the dictionary.

ADDING WORDS OR PHRASES TO A DICTIONARY

Note: To use the Confidential dictionary in rules, you need to add the words and phrases that signify confidential content in your organization.

You can add words or phrases to a dictionary and give them a score. You can also use number pattern recognition, wildcards and/or binary sequences to make dictionary scanning tools more powerful.

Using Number Pattern Recognition

You can add any pattern of numbers to a dictionary by using the # character to signify a single number. For example #### #### #### #### would find the credit card number , but not the string abcd 1234 defg

Using number pattern recognition can prevent users from transmitting potentially sensitive data, such as credit card details, account numbers or patient file numbers.

Using Wildcards

You can use wildcards to make the SurfControl Filter dictionary scanner more extensive. With no wildcards, a word is assumed complete and separated by white space or punctuation marks. With wildcards, you can scan parts of words. You can use the following wildcard characters:

Note: You cannot place one wildcard character immediately next to another.

Table 11-2 Wildcards
Wildcard: Description
*: One or more characters at the beginning or end of a word or phrase. Example: sex* finds sexy or sexily, but not Essex.
?: A single character in a word or phrase. Example: jo?n would match john and joan, but not johann.
^: One or more white-space characters.
!: A single white-space or punctuation character.
\: An escape character.

Using Binary Sequences

You can also search for binary sequences. Use this ability to identify specific binary file sequences expressed as hexadecimal sequences. To enter a binary sequence, enter `~ followed by an even number of hexadecimal characters that represent the search sequence. For example `~ is the binary representation of abcd

A rule to detect this binary sequence would trigger if an e-mail contained the following strings:
abcd
abcdxxxabcdxxx

The phrase ABCD would not trigger the rule because the binary code distinguishes between upper and lower case letters.

To add words or phrases to a dictionary, follow Procedure 11-4:

Procedure 11-4: Adding Words or Phrases to a Dictionary
1. Click the dictionary in the list. A screen shows the existing words and scores in the dictionary.
2. Click Add Word. The Add phrase screen is displayed.
3. Enter a word or phrase.
4. Enter a value between 0 and 100 for the word or phrase. The higher the score, the fewer instances of the word or phrase need to appear in an e-mail to trigger a Dictionary Threshold rule.
5. Click OK. The word and its value are displayed in the dictionary.
6. To be able to use the word, click Commit Dictionary Changes.

VIEWING LOGS

You can view the following logs:
- The Rules Log: Contains details of all e-mails that have triggered rules, the rule triggered, the location of the e-mail, the sender and recipients, and the time and date that the e-mail was received by SurfControl Filter.
- The Traffic Log: Contains details of every e-mail received by Filter, the sender host IP and HostName, and the time and date that the e-mail was received by SurfControl Filter.
- The System Log: Contains status information for SurfControl Filter services.

Click a link to display the properties of an individual log.
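The dictionary entry syntax described under Adding Words or Phrases to a Dictionary (number patterns, wildcards, binary sequences) and the 0 to 100 word values from Procedure 11-4 can be modelled as below. This is an added example, not SurfControl's code: the regex equivalents, case-insensitive word matching, scoring as value times hits, the threshold and the sample data are all assumptions.

```python
import re

BINARY_PREFIX = "`~"  # prefix the guide gives for binary (hex) entries

# Wildcards from Table 11-2 with an assumed regex equivalent for each.
WILDCARD_REGEX = {
    "*": r"\w+",    # one or more characters at the start or end of a word
    "?": r"\w",     # a single character in a word
    "^": r"\s+",    # one or more white-space characters
    "!": r"[\W_]",  # a single white-space or punctuation character
}


def compile_entry(entry):
    """Return ("binary" | "text", compiled pattern) for one dictionary entry."""
    if entry.startswith(BINARY_PREFIX):
        hex_part = entry[len(BINARY_PREFIX):]
        if not hex_part or len(hex_part) % 2:
            raise ValueError("binary entry needs an even number of hex characters")
        # Bytes are compared exactly, so upper and lower case differ.
        return "binary", re.compile(re.escape(bytes.fromhex(hex_part)))

    parts = []  # (regex fragment, fragment matches a separator?)
    prev_wildcard = False
    chars = iter(entry)
    for ch in chars:
        if ch == "\\":  # escape: the next character is taken literally
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("escape character at end of entry")
            parts.append((re.escape(nxt), False))
            prev_wildcard = False
        elif ch in WILDCARD_REGEX:
            if prev_wildcard:
                raise ValueError("wildcards cannot be placed next to each other")
            parts.append((WILDCARD_REGEX[ch], ch in "^!"))
            prev_wildcard = True
        else:
            # '#' stands for a single digit; everything else is literal.
            parts.append((r"\d" if ch == "#" else re.escape(ch), False))
            prev_wildcard = False
    if not parts:
        raise ValueError("empty entry")
    body = "".join(fragment for fragment, _ in parts)
    # A word must be complete: bounded by white space, punctuation or the
    # start/end of the text, unless the entry itself starts or ends with a
    # separator wildcard.
    head = "" if parts[0][1] else r"(?<!\w)"
    tail = "" if parts[-1][1] else r"(?!\w)"
    return "text", re.compile(head + body + tail, re.IGNORECASE)


def analyze(dictionary, text, raw=None):
    """Per-entry rows (entry, value, hits, score) and the total score.

    Assumption: an entry's score is its value multiplied by its hit count.
    """
    raw = text.encode("utf-8") if raw is None else raw
    rows, total = [], 0
    for entry, value in dictionary.items():
        if not 0 <= value <= 100:
            raise ValueError("value must be between 0 and 100")
        kind, pattern = compile_entry(entry)
        hits = len(pattern.findall(raw if kind == "binary" else text))
        if hits:
            rows.append((entry, value, hits, value * hits))
            total += value * hits
    return rows, total


# Constructed sample data, not taken from the guide.
DICTIONARY = {
    "#### #### #### ####": 60,
    "sex*": 20,
    "jo?n": 5,
    "confidential": 40,
    "`~61626364": 50,  # hex for the ASCII bytes "abcd"
}
SAMPLE_TEXT = "John, the confidential fare list: card 1234 5678 9012 3456. abcd"
THRESHOLD = 100  # hypothetical Dictionary Threshold value

if __name__ == "__main__":
    rows, total = analyze(DICTIONARY, SAMPLE_TEXT)
    for entry, value, hits, score in rows:
        print(f"{entry!r:24} value={value:3} hits={hits} score={score}")
    print("total", total, "-> triggers" if total >= THRESHOLD else "-> no trigger")
```

Running candidate entries through a model like this against known-good mail before committing them helps estimate how often a broad wildcard or a short number pattern would fire on legitimate traffic.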

Chapter 12 Performance Monitoring

In This Chapter, page 336
Windows Performance Monitoring, page 336

IN THIS CHAPTER

This chapter explains how to use the Microsoft Windows Performance tool to display statistics on the performance of your system and the volume of mail being processed. To find out more about Performance, consult Windows Help and documentation.

WINDOWS PERFORMANCE MONITORING

You can use the Windows Performance tool to show the performance of your system, and display statistics on the volume of mail being processed.

Procedure 12-1: Using the Windows Performance Tool
1. In your operating system screen, select Start > Settings > Control Panel > Administrative Tools > Performance. The Performance console is displayed.
2. In the navigation panel, select System Monitor. The system activity is displayed in the right-hand panel.
3. Right-click anywhere in the right-hand panel. A shortcut menu is displayed.
4. In the shortcut menu, select Add Counters.
5. The Add Counters dialog box is displayed.
6. To count the number of e-mails processed, select the computer where SurfControl Filter is installed.
7. Select SurfControl Filter from the Performance object: drop-down list.
8. Select the type(s) of counter to be used to monitor your system. If you need a description of a counter, select the counter in the list, and then click Explain.
9. Click Add to add the counters to the Performance tool.

10. The counters are displayed in the lower right-hand panel of the Performance console.


Chapter 13 Virtual Learning Agent

In This Chapter, page 340
Workflow, page 340
Before You Begin, page 341
VLA Tutorial, page 342
Counter Category, page 351
Trivial Words, page 351

IN THIS CHAPTER

The VLA is a powerful tool that you can train to recognize specific types of content you want to filter, for example, confidential documents specific to your organization. This chapter explains how to set up the VLA so you can use the VLA object in rules.

The example used throughout this chapter is the creation of a category called Confidential Travel. All the material you need to create this category is supplied in the SurfControl Filter\Resources\VLA Examples folder.

WORKFLOW

Before you can use the VLA object to construct rules, you need to set up the VLA so that it recognizes the kind of content you want to detect. The VLA wizard automatically works through the setup process using the information and materials you supply. The VLA wizard works through the following steps:
- Add a category name and description.
- Add documents to the category.
- Add documents to the counter category.
- Train the VLA.
- Test the VLA using additional documents.

BEFORE YOU BEGIN

Before you start creating a VLA category, you should gather the following materials:

Training Documents

The VLA uses training documents to learn about the content in your category. You will need:
- E-mails or documents that contain content that describes the category you want to create
- E-mails or documents that contain content that does not describe the new category. These will be added to the counter category.

Testing Documents

When you have trained the VLA, you need to test it to check that it can identify content from your category accurately enough to be used in rules. You will need:
- additional category documents or e-mails that can be used to test the VLA to check that it can correctly identify content belonging to the category
- additional counter category documents or e-mails.

If you are following the VLA tutorial to create the sample category Confidential Travel, all the files you need are supplied with the product.

LAUNCHING THE VLA TRAINING WIZARD

To launch the VLA training wizard, select Start > All Programs > SurfControl Filter > Virtual Learning Agent. The VLA Welcome screen is displayed.

VLA TUTORIAL

To help you learn to use the wizard, SurfControl provides documents that you can use to create a sample category called Confidential Travel. When you installed Filter these files were placed in the following folder:

SurfControl Filter\Resources\VLA Examples

Procedure 13-1: VLA Tutorial
1. In the Welcome screen, click Next.
2. The Configure VLA Categories screen is displayed. Click Add to start the New Category wizard.

Define the Category Name and Description
3. Enter the following information:
   Category Name: = Confidential Travel
   Description: = Sample SurfControl VLA Category
4. Click Next.

Add Category Training Files
5. In the Add Training Files screen, you select positive documents or e-mails that define the content of the Confidential Travel category. Click Add.
6. Change the Files of type: to All Files (*.*), and then select all the files in the folder SurfControl Filter\Resources\VLA Examples\Confidential Travel Training
7. The files are displayed in the Add Training Files screen. Click Next.

Choose Keywords
8. The Choose Keywords screen is displayed. Select words that will help to identify content that belongs to the new category.
9. Select the keywords from the left-hand panel, and then click Add. To select multiple keywords, use Shift or Ctrl. The selected words are marked in the left-hand panel and displayed in the right-hand panel. For a list of keywords for this tutorial, see the list in Table 13-1 on page 349. For details of trivial words, see Trivial Words.
10. Click Next.

Add Testing Files
11. In the Add Testing Files screen, you add the files that the VLA will use to test itself. These test files are different from the training files but should contain similar content. Click Add.
12. Change the Files of type: to All Files (*.*), and then select all the files in the folder SurfControl Filter\Resources\VLA Examples\Confidential Travel Test
13. The files are displayed in the Add Testing Files screen. Click Next.
14. In the final wizard screen, click Finish.
15. The Confidential Travel category is listed in the Configure VLA Categories screen.
16. Click Next to add counter examples.

Define Counter Examples
17. In the Define Counter-Examples screen, you define content that is not a match for the new category. Click Configure... to start the VLA Counter Category wizard.
18. Click Next.
19. In the Add Counter-Category Training Files screen, you select documents or e-mails that are opposite to the content of the Confidential Travel category. Click Add.
20. Change the Files of type: to All Files (*.*), and then select all the files in the folder SurfControl Filter\Resources\VLA Examples\Non-Travel Training
21. The files are displayed in the Add Counter Category Training Files screen. Click Next.

22. The Choose Keywords screen is displayed. Select words that do not belong to the new category.
23. Select the keywords from the left-hand panel, and then click Add. To select multiple keywords, use Shift or Ctrl. The selected words are marked in the left-hand panel and displayed in the right-hand panel. For a list of keywords for this tutorial, see the list in Table 13-2 on page 350. For details of trivial words, see Trivial Words.
24. Click Next.

Add Counter Category Testing Files
25. In the Add Counter Category Testing Files screen, you add the files that the VLA will use to test itself. These test files are different from the training files but should contain similar content. Click Add.
26. Change the Files of type: to All Files (*.*), and then select all the files in the folder SurfControl Filter\Resources\VLA Examples\Non-Travel Test
27. The files are displayed in the Add Counter Category Testing Files screen. Click Next.
28. In the final wizard screen, click Finish.
29. The Confidential Travel category is listed in the Configure VLA Categories screen. Click Next.
30. The details of the counter-examples are displayed in the Define Counter-Examples screen. Click Next. Click OK in the confirmation message to start to train the VLA.

31. The Training VLA screen shows a progress bar for training files processed.
32. When the training is complete, a message box is displayed. Click OK.
33. Click Next to start testing the VLA. This test is to ensure that the category is accurate enough to use in the rules.
34. The Testing screen will show the progress of the testing process. When the progress bar shows 100%, click Next.
35. The Testing Files Results screen shows how many testing files the VLA has categorized as correctly belonging to the new category.
    Correctly categorized files = green tick
    Incorrectly categorized files = red exclamation mark.
    Click Next.
36. The VLA Training Completed screen displays the accuracy score of the category and the counter category. See Table 13-3 on page 350 for an explanation of the accuracy score. Click Finish.

37. Launch the Rules Administrator and use the Virtual Learning Agent object. The Confidential Travel category is available in the Properties dialog box.

TRAINING FILE KEYWORDS

If you are creating the sample category, Confidential Travel, you should select the keywords listed below for the category and the counter category.

Table 13-1 Sample category keywords
accommodation, carriage, fares, seat, stansted
air, conditions, flight, passenger, terminal
airfare, confirmation, flights, passengers, ticket
airline, connect, hotel, photo, tickets
airlines, deals, hotels, receipt, transfer
airport, departure, international, refund, travel
baggage, destinations, london, reservation
banners, domestic, miles, reservations, travelad ge
board, europe, navigant, room, vacation
boarding, expedia, nights, ryanair, valid
boeing, fare, open, seattle, world
trip

Table 13-2 Sample Counter Category Keywords
account, individual, phone, terms
agent, investment, plain, training
apply, job, plugin, unknown
checked, letters, product, users
columbia, manager, products, virtual
connect, manutd, resources, terms
cost, news, rules, virus
customer, newsletter, salary, checked
database, number, security, ware
days, original, server, work
filtering, path, software, writer
following, permanent, technology, years

VLA ACCURACY

The VLA trains itself by categorizing the testing files and measuring how many of the files it categorized correctly as belonging to the new category. The VLA then displays a percentage score that you can use to determine whether the VLA has been trained enough to be incorporated into rules. Table 13-3 explains how you should interpret the VLA accuracy score.

Table 13-3 VLA Accuracy
Score: What it means
85% or higher: You can confidently use this VLA category to build rules.
65% to 85%: This is acceptable, but you could increase accuracy by:
- Selecting additional training documents
- Reviewing all keywords.
Less than 65%: This VLA category is not accurate enough to be used in rules. You should retrain the VLA until you get a higher rating for the category. To increase the accuracy:
- Review your training files to make sure they accurately represent the category.
- Review the counter-category training files to make sure they do not represent the category.
- Review the keywords for the categories and counter-categories.

COUNTER CATEGORY

The VLA only uses one counter category, which must not contain any material that is representative of any VLA category. Therefore, when you create a new category, it is important that you review the details of the counter category.

TRIVIAL WORDS

Trivial words are words that can be found in documents of all types and categories. Therefore, trivial words cannot be used by the VLA to evaluate whether an e-mail belongs to a category. The VLA has a pre-defined list of common trivial words such as and, but, because, and so on. You can add more trivial words to this list when you are selecting keywords.

To add trivial words, follow Procedure 13-2:

Procedure 13-2: Adding Trivial Words to the VLA
1. In either of the Choose Keyword screens, click Trivial Words.
2. Select the words that should not be available in the word lists.
3. Click Exclude. The words are removed from all word lists, including the current list displayed.


Chapter 14 Database Tools

In This Chapter, page 354
Launching Database Tools, page 354
Configuration Database Management, page 355
Log Database Management, page 358
SQL User Management, page 367

IN THIS CHAPTER

This chapter describes the contents of the Filter databases and explains how to use the Database Tools to manage the Filter databases. There are three database tools:

Configuration Database Management. This tool enables you to:
- Back up the configuration database
- Restore a previously backed up configuration database.

Log Database Management. This tool enables you to:
- Create a new log database
- Back up the log database
- Restore a log database backup file
- Delete a log database
- Truncate the log database transaction log.

SQL User Management. This tool enables you to set up and manage SQL user accounts, which are used to access the configuration and log databases.

LAUNCHING DATABASE TOOLS

To launch Database Tools, select: Start Menu > All Programs > SurfControl Filter > Database Tools.

Figure 14-1 Launching Database Tools

Select the database tool that you need; each tool has a wizard.

CONFIGURATION DATABASE MANAGEMENT

The Configuration database stores the details of Filter server setup and configuration options. You can use the Configuration Database Management tool to:
- Back up the configuration database.
- Restore a previously backed up database.

BACKING UP THE CONFIGURATION DATABASE

It is useful to make a backup of your Filter system configuration to enable you to:
- Replicate the same configuration on each Filter server in your organization.
- Restore your configuration if you need to reinstall Filter.

To back up the Configuration database, follow Procedure 14-1:

Procedure 14-1: Backing up the Configuration Database
1. From the Start menu, select All Programs > SurfControl Filter > Database Tools > Configuration Database Management. The Configuration Database wizard opens.
2. Select Backup database to a file.
3. The SQL/MSDE Server details screen is displayed. Specify the location of the server that contains the database to be backed up:
   - To connect to the server through a trusted connection, select the Use trusted connection check box.
   - To connect to the server using the username and password you specify, clear the Use trusted connection check box and enter the username and password.
4. Click Next.

Procedure 14-1: Backing up the Configuration Database (Continued)
5. The Configuration Database Backup Details dialog box is displayed. Select the database from the drop-down list. Default = STEMConfig
6. Enter or browse to the location of the file where the database is to be saved. Default = Program files\surfcontrol Filter\Database\STEMConfig.bak
7. Click Next.
8. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
9. The progress is displayed.
10. A confirmation screen is displayed when the backup is complete. Click Finish.

RESTORING THE CONFIGURATION DATABASE

You can restore a previous backup file to the configuration database. If you do this, your current configuration settings will be replaced by the ones specified in the backup file.

To restore the Configuration database, follow Procedure 14-2:

Procedure 14-2: Restoring the Configuration Database
1. From the Start menu, select All Programs > SurfControl Filter > Database Tools > Configuration Database Management. The Configuration Database wizard opens.
2. Select Restore Database from a File.
3. Click Next.
4. The Restore Details screen is displayed. Select the backup file to restore. By default, this is the most recent backup file you created.
5. Select the database to restore. Default = STEMConfig.
6. Click Next.
7. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.

Procedure 14-2: Restoring the Configuration Database (Continued)
8. When the database has been restored, you need to stop and re-start the Filter services.
   - To re-start the Filter services immediately after the database has been restored, select Restart Filter Services Now.
   - If you want to re-start the Filter services manually later on, select Restart Filter Services Later.

LOG DATABASE MANAGEMENT

The log database records details of e-mails passing through Filter, and how Filter handles e-mails that trigger rules. You can use the Log Database Management tool to:
- Create a new log database
- Back up the log database
- Restore a log database backup file
- Delete a log database
- Truncate the log database transaction log.

CREATING A NEW LOG DATABASE

To create a new log database, follow Procedure 14-3:

Procedure 14-3: Creating a new log database
1. From the Start menu, select All Programs > SurfControl Filter > Database Tools > Log Database. The Database wizard opens.
1. Select Create a new log database, and then click Next.
2. In the MSDE/SQL Server Details screen: From the Server: drop-down list, select the server that contains the database. You can connect to the server using:
   - A trusted connection, or
   - A username and password that you supply.
3. Click Next.
4. Enter a name and a DSN name for your new database. These must be different from the name and DSN name of your existing database.
   - To use the default file location, select the Use default file location check box, and then click Next. Go to step 5.
   - To specify file locations, clear the Use default file location check box, and then click Next. Go to step 6.

Procedure 14-3: Creating a new log database (Continued)
5. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
6. Enter the file name and location for:
   - The database file
   - The transaction log file.
7. A confirmation screen is displayed when the new log database has been created. Click Finish.

ARCHIVING THE LOG DATABASE

To archive the log database to a file, follow Procedure 14-4:

Procedure 14-4: Archiving the Log Database
1. From the Start menu, select All Programs > SurfControl Filter > Database Tools > Log Database. The Database wizard opens.
2. Select Archive the log database to a file.
3. Click Next.
4. The MSDE/SQL Server Details screen is displayed. From the Server: drop-down list, select the server that contains the log database.
5. Connect to the server using either:
   - A trusted connection, or
   - A username and password you supply.
6. Click Next.
7. Select the log database to archive.
8. Browse to the location where you want the archive file to be stored.
9. Click Next.

Procedure 14-4: Archiving the Log Database (Continued)
10. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
11. A confirmation screen is displayed when the log database has been successfully archived. Click Finish.

RESTORING AN ARCHIVED LOG DATABASE

To restore a database you have previously backed up, follow Procedure 14-5:

Procedure 14-5: Restoring an Archived Log Database
1. From the Start menu, select All Programs > SurfControl Filter > Database Tools > Log Database. The Database wizard opens.
2. Select Restore Archived Log Data to a Database.
3. Click Next.

Procedure 14-5: Restoring an Archived Log Database (Continued)
4. In the MSDE/SQL Server Details screen: From the Server: drop-down list, select the server that contains the log database.
5. Connect to the server using either:
   - A trusted connection, or
   - A username and password you supply.
6. Click Next.
7. Select the SQL database in which to restore the archived data.
8. Enter or browse to the log file to be restored, and select the database in which to restore it.
   - To restore the archived file to the file location specified in the archive file, select the Use original file location check box, and then click Next. Go to step 9.
   - To specify the file location that the archived file will be restored to, clear the Use original file location check box, and then click Next. Go to step 10.
9. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.

Procedure 14-5: Restoring an Archived Log Database (Continued)
10. Enter:
    - The file location that the archived file will be restored to.
    - The file location of the transaction log.
    Note: If you are restoring a large database, make sure you specify a location that has enough disk space to hold the restored database.
11. Click Next.
12. A confirmation screen is displayed when the archived data has been successfully restored to the database. You then need to stop and re-start the Filter services:
    - To re-start the Filter services immediately after the database has been restored, select Restart Filter Services Now.
    - To re-start the Filter services manually later, select Restart Filter Services Later.
13. Click Finish.

DELETING A LOG DATABASE

To delete a log database, follow Procedure 14-6:

Procedure 14-6: Deleting a Log Database
1. From the Start menu, select All Programs > SurfControl Filter > Database Tools > Log Database. The Database wizard opens.
2. Select Delete an Existing Log Database.
3. Click Next.

Procedure 14-6: Deleting a Log Database (Continued)
4. Select the database to be deleted, and then click Next.
5. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
6. A confirmation screen is displayed when the database has been deleted. Click Finish.

TRUNCATING THE LOG DATABASE TRANSACTION LOG

The Log Database's transaction log can grow very quickly, which can affect performance. To prevent this happening, you can truncate it.

To truncate the Log Database transaction log, follow Procedure 14-7:

Procedure 14-7: Truncating the Log Database Transaction Log
1. From the Start menu, select All Programs > SurfControl Filter > Database Tools > Log Database. The Database wizard opens.
2. Select Truncate the log database transaction log. Click Next.
3. Select the database that contains the transaction log. Default = STEMLog. Click Next.
4. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
5. The progress is displayed.

Procedure 14-7: Truncating the Log Database Transaction Log (Continued)
6. A confirmation message is displayed when the transaction log has been truncated successfully. Click Finish.

SQL USER MANAGEMENT

Filter must be able to read and write to the logging and configuration databases. To access these databases it uses SQL User Accounts. The SQL User Management Tool enables you to set up and manage these accounts.

To manage the SQL/MSDE User account used by Filter, you can:
- Create a new SQL user account
- Change the password on a SQL user account
- Delete a SQL user account.

CREATING A NEW SQL USER ACCOUNT

To create a new account, follow Procedure 14-8:

Procedure 14-8: Creating a New SQL User Account
7. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management welcome screen is displayed. Select Manage an MSDE/SQL Server User Account. Click Next.
8. Select Create a SQL User account.
9. Click Next.
10. The MSDE/SQL Server Details screen is displayed. Select the server that contains the database. Connect to the server using either:
    - A trusted connection, or
    - A username and password you supply.

Procedure 14-8: Creating a New SQL User Account (Continued)
11. The Create a SQL User Account screen is displayed. Enter the user name, the password and a confirmation of the password.
12. Click Next.
13. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
14. The progress is displayed.
15. A confirmation message is displayed when the Database wizard has created the new account. Click Finish.

CHANGING THE PASSWORD ON A SQL USER ACCOUNT

To change the password of any of the user accounts that you have set up, follow Procedure 14-9:

Procedure 14-9: Changing the Password on a SQL User Account
1. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management.
2. The SQL User Management welcome screen is displayed. Select Manage an MSDE/SQL Server User Account.
3. Click Next.
4. Select Change Password for a SQL User Account.
5. Click Next.
6. The MSDE/SQL Server Details screen is displayed. Select the server that contains the database. Connect to the server using either:
   - A trusted connection, or
   - A username and password you supply.
7. Click Next.

Procedure 14-9: Changing the Password on a SQL User Account (Continued)
8. The Change password for a SQL User Account screen is displayed. Enter the user name, the password and a confirmation of the password. Click Next.
9. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
10. The progress is displayed.
11. A confirmation message is displayed when the Database wizard has changed the password. Click Next.

DELETING A SQL/MSDE ACCOUNT

To delete a SQL/MSDE user account, follow Procedure 14-10:

Procedure 14-10: Deleting a SQL/MSDE Account
1. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management welcome screen is displayed. Select Manage an MSDE/SQL Server User Account. Click Next.
2. From the options that display, select Delete a SQL user account. Click Next.
3. The MSDE/SQL Server Details screen is displayed. Select the server that contains the database. Connect to the server using either:
   - A trusted connection, or
   - A username and password you supply.
4. Click Next.

Procedure 14-10: Deleting a SQL/MSDE Account (Continued)
5. Enter the username and password of the account to delete. Click Next.
6. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
7. The progress is displayed.
8. A confirmation screen is displayed when the account has been deleted successfully. Click Finish.

MANAGING DATABASE AUTHENTICATION

Warning: You cannot set up SQL or NT authentication from a remote computer.

The Database Authentication settings control how Filter connects to the database. Filter can connect to the database using:
- SQL Authentication
- NT Authentication

To use SQL Authentication, follow Procedure 14-11:

Procedure 14-11: Setting up SQL Authentication
1. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management.
2. The SQL User Management welcome screen is displayed. Select Manage Database Authentication.
3. Click Next.
4. Select SQL Authentication.
5. Click Next.

Procedure 14-11: Setting up SQL Authentication (Continued)
6. Enter the username and password of the account that Filter will use to connect to the database. Click Next.
7. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.
8. A confirmation message is displayed when Filter has updated the authentication method. Click Finish.

To use NT Authentication, follow Procedure 14-12:

Procedure 14-12: Setting up NT Authentication
1. From the Start menu, select SurfControl Filter > Database Tools > SQL User Management. The SQL User Management Welcome screen is displayed.
2. Select Manage Database Authentication.
3. Click Next.
4. Select NT Authentication.
5. Click Next.
6. A summary of your options is displayed. If the options are correct, click Next. If you need to change any details, click Back.

Procedure 14-12: Setting up NT Authentication (Continued)
7. A confirmation screen is displayed when the Database wizard has updated the authentication method. Click Finish.


Appendix A: Anti-Spam Agent Categories and Criteria

ANTI-SPAM AGENT CATEGORIES AND CRITERIA

Table A-1 shows a summary of the Anti-Spam Agent categories.

Table A-1 Summary of Anti-Spam Agent categories

Overall category: Core/Liability categories
Contains these categories: Adult, Gambling, Illegal material, Offensive.

Overall category: Productivity categories
Contains these categories: Chain letters, Games/interactive, Novelty software, Computing/Internet, Health/medicine, Personal/dating, Entertainment, Phishing/fraud, Products/services, Finance/home business, Humor, Special events, Other.

For a detailed description of each category, see Table A-2 and Table A-3.

CORE/LIABILITY CATEGORIES

Table A-2 describes the Core/Liability categories.

Table A-2 Core/Liability categories

Category: Adult
Media Type: Executable, Graphics, Movies, Sound, Text
Definition:
- Adult humor, erotic stories, cartoons and animation or erotic chat.
- Adult products including sex toys, CD-ROMs and videos.
- Child pornography.
- Depictions or images of sexual acts, including sadism, bestiality or any form of fetish.
- Sexually exploitative or sexually violent text or graphics.
- Sexually oriented or erotic full or partial nudity.

Category: Gambling
Media Type: Executables, Text
Definition:
- Online gambling or lottery sites that invite the use of real or virtual money.
- Virtual casinos.
- Fantasy sports leagues, sports picks and betting pools.
- Information or advice for placing wagers, participating in lotteries, or gambling, or running numbers.

Category: Illegal Material
Media Type: Executables, Graphics, Movies, Text
Definition:
- Advice on performing illegal acts or obtaining illegal objects.
- Advocating, instructing, or giving advice on performing illegal acts such as phone, service theft, evading law enforcement, lock-picking, fraud, plagiarism/cheating, and burglary techniques.
- Displaying, selling, or detailing the use of guns, weapons, ammunition or poisonous substances.
- Displaying, selling, or detailing use of drug paraphernalia.
- Hacking.

Category: Offensive
Media Type: Executables, Graphics, Movie, Sound, Text
Definition:
- Promoting a political or social agenda that is supremacist in nature and exclusionary of others based on their race, religion, nationality, gender, age, disability, or sexual orientation. For example, bigotry and racism.
- Grotesque depictions.
- Offensive jokes and humor.

PRODUCTIVITY CATEGORIES

Table A-3 describes the Productivity categories.

Table A-3 Productivity categories

Category: Chain Letters
Media Type: Executables, Text
Description:
- Mass e-mailed chain letters.

Category: Computing/Internet
Media Type: Executables, Graphics, Movies, Sound, Text
Description:
- Spy software (spyware).
- Hardware and software advertisements.
- Web hosting and Web design services.
- Questionnaires.

Category: Entertainment
Media Type: Graphic, Text
Description:
- Entertainment and celebrity news.
- Promotions.
- Horoscopes, psychic readings and Chinese astrology.
- Hobbies and recreation.

Category: Finance/Home Business
Media Type: Executables, Graphics, Movies, Text
Description:
- Get-rich-quick schemes and multi-level marketing (MLM).
- Debt consolidations and refinance schemes.
- Mortgage and loans promotional services.
- Stock quotes, stock tickers, and fund rates.
- Term life Insurance.
- Work-at-home business reports & promotions.

Category: Games/Interactive
Media Type: Graphics, Text
Description:
- Online games and puzzles.
- Interactive quizzes, movies and programs.

Category: Health/Medicine
Media Type: Graphics, Text
Description:
- Prescription medicines promotions (for example, Viagra).
- Weight loss, health supplements.
- Medical product promotions.
- Medical, dental and health Insurance.
- Body modification and sexual enhancements.

Category: Phishing/fraud
Media Type: Graphics, Movies, Sound, Text
Description:
- Virus hoaxes.
- Phishing scams.
- Deceptive or fraudulent information.
- Urban legends (for example, 419 scam and International Lottery scam).

Category: Humor
Media Type: Executables, Graphics, Movies
Description:
- Jokes and pranks (non-sexually explicit).
- Humorous and satirical awards.
- Cartoons and humorous pictures.

Category: Novelty Software
Media Type: Text
Description:
- Cursor-changing software.
- Other software and gadgets intended for entertainment value rather than system performance.

Category: Personal/Dating
Media Type: Text
Description:
- Singles listings, matchmaking and dating services.
- Personal chat lines.

Category: Products/Services
Media Type: Executables, Graphics, Movies, Text
Description:
- General product & service sales and advertisements.
- Promotions and commercials.

Category: Special Events
Media Type: Graphics, Movies, Sound, Text
Description:
- Festive and seasonal e-mails, files, promotions.
- E-mails relating to a current event that may be objectionable, based on content, bandwidth, or negative impact on productivity such as a major sports event.

Table A-3 Productivity categories (Continued)

Category: Other
Media Type: Text
Description: Items that do not fit into the other categories:
- Job search.
- E-greeting cards and wishes.
- Questionnaires, polls and surveys.
- Stories, quotes, riddles, quizzes.


Appendix B: Supported File Types

SUPPORTED FILE TYPES

FILE ATTACHMENTS OBJECT

Table B-1 shows the file types that Filter can analyze and detect. The File Attachments object can analyze a file in its native format even if its extension has been renamed. If a file type you want to detect is not listed here, you can add it to the file attachments object manually.

Table B-1 File Types Supported by the File Attachments object

File Group: Audio Files
File Type                             Extensions
AIFF Audio file                       .aif, .aiff
CD Audio file                         .cda
MIDI Music file                       .mid/.rmi/.midi
MPEG Audio file                       .mp3, .mp2, .mp1
Ogg Vorbis Audio file                 .ogg
Sun/Next Audio file                   .au
Waveform audio file                   .wav
Windows Media file                    .wma
Windows MIDI file                     .mid

File Group: Archive Files
File Type                             Extensions
ARC compressed file archive           .arc, .pak
BZIP compressed file                  .bz, .bz2
LHZ archive compressed file archive   .lha, .lzh
Microsoft compressed archive          .cab
RAR compressed file archive           .rar
Tape archive file                     .tar
UUE archive                           .uue
ZOO compressed file archive           .zoo

File Group: Compressed Files
File Type                             Extensions
ARJ compressed file                   .arj
InstallShield compressed file         .cab
GZIP compressed file                  .gzip, .gz
LU compressed file                    .lbr
ZIP file                              .zip, .jar

Table B-1 File Types Supported by the File Attachments object (Continued)

File Group: Executable Files
File Type                             Extensions
Batch file                            .bat, .cmd
Executable file                       .exe, .dll, .vxd, .sys, .cpl, .scr, .ocx, .oca, .com, .drv, .msi, .fon
HTML Application                      .htm, .html
Java class file                       .class
JScript File                          .js, .jse
Netware loadable module               .nlm
OLE object                            .ole
SHS scrap object                      .shs, .shb
VB Script file                        .vbs, .vbe
Windows script file                   .wsf, .wsh

File Group: Image Files
File Type                             Extensions
Adobe PhotoShop                       .psd, .pdd
Adobe PostScript                      .ps, .eps
Bitmap                                .bmp, .dib
Cursor file                           .ani, .cur
GIF                                   .gif
Icon file                             .ico
JPEG                                  .jpg, .jpe, .jpg
Paint Shop Pro                        .psp
PC Paintbrush Bitmap Graphic          .pcx
Portable Network Graphic              .png
Targa version 2                       .tga, .vda, .icb, .vst
TIFF                                  .tif, .tiff
Windows Metafile                      .wmf
3DstudioMAX file                      .max

File Group: Web Files
File Type                             Extensions
Cascading style sheet                 .css
ColdFusion file                       .cfm
HTML file                             .htm, .html, .shtml, .asp, .php, .url
Single file web page                  .mht, .mhtml
HTML application                      .hta

Table B-1 File Types Supported by the File Attachments object (Continued)

File Group: Document Files
File Type                                    Extensions
Adobe PDF document                           .pdf
Compiled HTML Help file                      .chm
Microsoft Access database                    .mdb
Microsoft Excel spreadsheet                  .xls
Microsoft Excel spreadsheet with password    .xls
Microsoft Excel spreadsheet with VBA         .xlv
Microsoft PowerPoint presentation            .ppt
Microsoft Project document                   .mpp
Microsoft Word document                      .doc
Microsoft Word document with password        .doc
Microsoft Word document with VBA             .doc
Outlook message file                         .msg
Rich-text format document                    .rtf
SurfControl Filter message file              .msg
Text file                                    .txt
Windows Help file                            .hlp
Windows Write document                       .wri
WordPad document                             .rtf, .txt
WordPerfect document                         .wpf
XML document                                 .xml

Table B-1 File Types Supported by the File Attachments object (Continued)

File Group: Data Files
File Type                                    Extensions
Data file                                    .dat
Information/setup file                       .inf
Program Information file                     .pif
Font file                                    .fnt, .ttf
Windows ASF file                             .asf
Windows initialization file                  .ini
Windows registry file                        .reg
Windows shortcut                             .lnk

File Group: Video Files
File Type                                    Extensions
Audio Video Interleave/Video for Windows     .avi
DVM movie                                    .dvm
MPEG                                         .mpe, .mpeg, .mpg
QuickTime                                    .qt, .mov
RealMedia                                    .rm
ShockWave file                               .swf
Windows Media ASX file                       .asx

File Group: Source Code Files
File Type                                    Extensions
C/C++                                        .c, .cpp, .h, .hpp, .mak, .def, .idl, .rc, .rc2, .dsp, .dsw, .mdp
Java                                         .java
Perl                                         .pl
Visual Basic                                 .vb, .bas, .frm, .frx, .vbp, .vbz

File Group: Drawing Files
File Type                                    Extensions
AutoCAD                                      .dwg, .dxf
Corel Draw                                   .cdr, .cdt
Visio                                        .vsd, .vst, .vsw

File Group: Fax Files
File Type                                    Extensions
DCX                                          .dcx
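The File Attachments object is described above as recognising a file by its native format even when its extension has been renamed. The Python example below is added here to illustrate that kind of check and is not SurfControl's implementation: the signature list is a constructed subset of well-known magic numbers, the extension sets follow Table B-1, and the function names and sample attachments are hypothetical.

```python
import os

# (leading "magic" bytes, file type name, extensions that type normally carries).
# Type names and extensions follow Table B-1 where the table has an entry;
# the signature bytes are well-known values, chosen for this example.
SIGNATURES = [
    (b"MZ", "Executable file",
     {".exe", ".dll", ".vxd", ".sys", ".cpl", ".scr", ".ocx", ".com", ".drv"}),
    (b"PK\x03\x04", "ZIP file", {".zip", ".jar"}),
    (b"Rar!\x1a\x07", "RAR compressed file archive", {".rar"}),
    (b"\x1f\x8b", "GZIP compressed file", {".gzip", ".gz"}),
    (b"BZh", "BZIP compressed file", {".bz", ".bz2"}),
    (b"MSCF", "Microsoft compressed archive", {".cab"}),
    (b"%PDF-", "Adobe PDF document", {".pdf"}),
    (b"{\\rtf", "Rich-text format document", {".rtf"}),
    (b"GIF87a", "GIF", {".gif"}),
    (b"GIF89a", "GIF", {".gif"}),
    (b"\x89PNG\r\n\x1a\n", "Portable Network Graphic", {".png"}),
    # .jpeg is added here; Table B-1 itself lists .jpg and .jpe.
    (b"\xff\xd8\xff", "JPEG", {".jpg", ".jpe", ".jpeg"}),
    # OLE2 compound file: the container behind the legacy Office formats.
    # "OLE compound document" is this example's label, not a Table B-1 name.
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document",
     {".doc", ".xls", ".ppt", ".mpp", ".msg", ".msi"}),
]


def sniff(data):
    """Return (type_name, expected_extensions) for the content, or None."""
    for magic, name, extensions in SIGNATURES:
        if data.startswith(magic):
            return name, extensions
    return None


def classify(filename, data):
    """Compare what the content is with what the file name claims.

    Returns (verdict, detected_type) where verdict is:
      'match'   - content type agrees with the extension
      'renamed' - content type is known but the extension belongs elsewhere
      'unknown' - no signature in this example's list matched
    """
    extension = os.path.splitext(filename.lower())[1]
    hit = sniff(data)
    if hit is None:
        return "unknown", None
    name, extensions = hit
    return ("match" if extension in extensions else "renamed"), name


# Constructed sample attachments: (file name, first bytes of the content).
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),      # executable named .pdf
    ("report.pdf", b"%PDF-1.4\n"),                        # genuine PDF
    ("holiday.jpg", b"PK\x03\x04\x14\x00\x00\x00"),      # archive named .jpg
    ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy Office file
    ("setup.pdf.exe", b"MZ\x90\x00"),                     # double extension
    ("notes.txt", b"plain text, no signature"),
]


def scan(samples):
    """Classify every sample and return {file name: (verdict, detected_type)}."""
    return {name: classify(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, (verdict, detected) in scan(SAMPLES).items():
        print(f"{name:15} {verdict:8} {detected}")
```

A rule built on this kind of check should act on the detected type rather than the extension; 'unknown' only means that none of the listed signatures matched.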

DOCUMENT DECOMPOSITION

Microsoft Office Documents

Table B-2 to Table B-4 show the Microsoft Office Files that SurfControl Filter can decompress using document decomposition.

Table B-2 shows the PowerPoint versions that Document Decomposition supports:

Table B-2 Document Decomposition: Supported PowerPoint Files

PowerPoint   Document Data      OLE objects*
Version      Text   Pictures    Excel   Word   PowerPoint   .exe/.zip   Pictures
2K/XP        Y      Y           Y       Y      Y            Y           Y
97           N      N           Y       Y      Y            Y           Y
95           N      N           Y       Y      Y            Y           Y
4            N      N           Y       Y      Y            Y           Y

Table B-3 shows the Word versions that Document Decomposition supports:

Table B-3 Document Decomposition: Supported Word Files

Word         Document Data      OLE objects
Version      Text   Pictures    Excel   Word   PowerPoint   .exe/zip    Pictures
97/2K/XP     Y      Y           Y       Y      Y            Y           Y
6/95         Y      N           Y       Y      Y            Y           Y
2            Y      N           N       N      N            N           N

Table B-4 shows the Excel versions that Document Decomposition supports.

Table B-4 Document Decomposition: Supported Excel Files

Excel        Document Data      OLE objects
Version      Text   Pictures    Excel   Word   PowerPoint   .exe/zip    Pictures
2K-XP        Y      Y           Y       Y      Y            Y           Y
97           Y      Y           Y       Y      Y            Y           Y
95           N      N           Y       Y      Y            Y           Y
4            N      N           N       N      N            N           N
3            N      N           N       N      N            N           N
2.1          N      N           N       N      N            N           N

* When Document Decomposition is ON, Filter will scan and decompose PowerPoint files that contain OLE objects. When Document Decomposition is OFF, PowerPoint files that contain OLE objects will be checked against enabled rules, but the OLE files will not be scanned because of the way they are compressed.

Microsoft Mail Message Data
Filter can decompose e-mails in TNEF format, supporting Exchange servers 5.5, 2000 and

PDF Documents
Filter can decompose PDFs created using PDF protocol

Rich Text Format Files
Filter can decompose all .rtf files from version 1.0 onwards.

Web Archives
Filter can decompose web archive files formatted using MIME 1.0 onwards.


Appendix C: Anti-Virus Return Codes

ANTI-VIRUS RETURN CODES

Table C-1 lists the evaluation codes that the Anti-Virus Scanning object can return. When you include the Anti-Virus Scanning object in a rule, use these codes to specify what conditions will trigger the rule.

Table C-1 Anti-Virus return codes

Return Code   Definition
0             No virus found

Virus found
1             Virus found
3             Damaged file
5             Dangerous virus
6             Uncertified macros
7             Encrypted file
10            Virus found and repaired
11            Uncertified macros repaired
12            Auto-cured
15            Dangerous virus found and repaired
18            Boot virus found
19            Memory virus found

Anti-Virus 30-day evaluation period expired
              day evaluation period has expired

Virus Scanning Error
21            Outdated virus data
22            Scan failed
23            Scan aborted
24            No DLL found
25            File not scanned
26            File not found (file/disk access error)
27            No signatures
28            No interface
29            Incompatible version
30            Wrong thread
31            The queried interface is not supported
32            Initialization failure
33            Not initialized
34            The main body of virus data is missing

Table C-1 Anti-Virus return codes (Continued)

Return Code   Definition
35            The virus data was corrupt
36            Some encryption error occurred. Probably a mismatch between NSE_xxx.LIB and NSE.DLL
37            Bad DLL format
38            I/O error during scan
39            Invalid parameter
40            Invalid structure
41            File is directory
42            File is protected
43            Access denied
44            Unexpected error
45            STRUCT.usSze not as expected by NSE
46            Error reading MCAFEE.MSG
47            Upgrade failed
48            Already initialized
49            Memory low
50            Cure failed
51            Cannot repair
52            Error during repair
53            McAfee: /FREQUENCY prevents scanner from proceeding
54            Cannot move virus pattern file


Appendix D: Editing Autoreply.txt

EDITING AUTOREPLY.TXT

Autoreply.txt is a plain text file that contains messages for use with Rules Administrator objects and in the Message Administrator. Autoreply.txt contains messages that you can use in notification and forwarded e-mails in a range of circumstances. It is stored in the installation directory of SurfControl Filter and you can edit it with a text editor, for example, Notepad. You can also remove these preset messages and replace them with new ones so long as the heading format remains the same.

[GENERAL]
<Your Company> filters all e-mail automatically. This e-mail contained non business related attachments or content and has been deleted. Do Not resend.
[END]

[VIRUS]
<Your Company> filters all e-mail automatically. This e-mail contained non-business related attachments or content that are suspected of having virus content. The event has been logged and e-mail has been deleted. Please do NOT resend.
[END]

[GRTR4MB]
This is an automatic message. The files sent have been delayed until 9pm Sydney time due to the size > 4MB. Contact postmaster@<your Company>.com to send message immediately. Please ensure that any attachments are as small as possible prior to transmission. Files > 10MB will be deleted.
[END]

[OFFENSIVE]
This e-mail contains material which could be deemed inappropriate and is isolated. It will be reviewed and deleted if found to be inappropriate.
[END]

[JOKES]
This e-mail contains material which could be deemed inappropriate and is isolated. It will be reviewed and deleted if found to be inappropriate.
[END]

[DEROGATORY]
This e-mail contains material which could be deemed inappropriate and is isolated. It will be reviewed and deleted if found to be inappropriate.
[END]

[GRAPHICS]
This e-mail contains material which could be deemed inappropriate and is isolated. It will be reviewed and deleted if found to be inappropriate.
[END]

[BLKMSITE]
This is an unsolicited e-mail. Please remove the intended recipient from your list.
[END]
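Because replacement messages only work if the heading format is preserved, it is worth checking an edited Autoreply.txt before it goes back into the installation directory. The Python example below is added here and is not part of the SurfControl product; it assumes each [HEADING] and [END] marker sits on its own line, and the function names and the two sample files are constructed for illustration.

```python
import re

# A marker line such as [VIRUS], [GRTR4MB] or [END]; the upper-case
# alphanumeric pattern is inferred from the preset headings in this appendix.
HEADING = re.compile(r"^\[([A-Z0-9]+)\]$")
# The preset messages ship with a <Your Company> placeholder to be replaced.
PLACEHOLDER = re.compile(r"<your company>", re.IGNORECASE)


class AutoreplyError(ValueError):
    """Raised when the [HEADING] ... [END] structure is broken."""


def parse_autoreply(text):
    """Parse Autoreply.txt content into {heading: message text}."""
    sections, current, body = {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = HEADING.match(line)
        tag = match.group(1) if match else None
        if tag == "END":
            if current is None:
                raise AutoreplyError(f"line {lineno}: [END] with no open heading")
            sections[current] = "\n".join(body).strip()
            current, body = None, []
        elif tag is not None:
            if current is not None:
                raise AutoreplyError(
                    f"line {lineno}: [{current}] not closed before [{tag}]")
            if tag in sections:
                raise AutoreplyError(f"line {lineno}: duplicate heading [{tag}]")
            current = tag
        elif current is not None:
            body.append(line)
        elif line:
            raise AutoreplyError(f"line {lineno}: text outside any section")
    if current is not None:
        raise AutoreplyError(f"[{current}] has no closing [END]")
    return sections


def lint(sections):
    """Return warnings for messages that would go out unfinished."""
    warnings = []
    for name, message in sections.items():
        if not message:
            warnings.append(f"[{name}] is empty")
        elif PLACEHOLDER.search(message):
            warnings.append(f"[{name}] still contains the <Your Company> placeholder")
    return warnings


# Constructed sample: well-formed, but [GENERAL] was never customised.
GOOD_SAMPLE = """\
[GENERAL]
<Your Company> filters all e-mail automatically.
Do Not resend.
[END]

[VIRUS]
Example Corp filters all e-mail automatically. The event has been logged.
[END]
"""

# Constructed sample: the [END] after the first message was deleted by mistake.
BROKEN_SAMPLE = """\
[OFFENSIVE]
This e-mail is isolated and will be reviewed.
[JOKES]
This e-mail is isolated and will be reviewed.
[END]
"""

if __name__ == "__main__":
    print(lint(parse_autoreply(GOOD_SAMPLE)))
    try:
        parse_autoreply(BROKEN_SAMPLE)
    except AutoreplyError as err:
        print("rejected:", err)
```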

Appendix E: Third-Party Reporting
- Third-Party Reporting
- Database Schema
- SMTP Relationships
- System Log Relationships
- Message Relationships

THIRD-PARTY REPORTING

You can use a third party database reporting tool such as Crystal Reports to create custom reports from the Filter STEMLog database. The diagrams on the pages that follow show the structure of the database.

DATABASE SCHEMA

Figure E-1 shows the structure of the database.

Figure E-1 Database Structure

SMTP RELATIONSHIPS

Figure E-2 shows tables related to the SMTP table.

Figure E-2 SMTP Relationships

SYSTEM LOG RELATIONSHIPS

Figure E-3 shows tables related to the System Log table.

Figure E-3 System Log Relationships
