Symantec Mail Security
Administration Guide

Summary of Contents for 10744983 - Mail Security 8320

Page 1: ...Symantec Mail Security Administration Guide...

Page 2: ...ing its use copying distribution and decompilation reverse engineering No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation a...

Page 3: ...c software upgrade protection Global support that is available 24 hours a day 7 days a week worldwide Support is provided in a variety of languages for those customers that are enrolled in the Platinu...

Page 4: ...e following URL www symantec com techsupp ent enterprise html Select your region or language under Global Support and then select the Licensing and Registration page Customer service Customer service...

Page 5: ...y Enterprise services that are available include the following These solutions provide early warning of cyber attacks comprehensive threat analysis and countermeasures to prevent attacks before they o...

Page 6: ...To access more information about Enterprise services please visit our Web site at the following URL www symantec com Select your country or language from the site index...

Page 7: ...cense Agreement Symantec Mail Security or SMTP 1 License You may You may not 2 Limited Warranty 3 Disclaimer of Damages 4 U S Government Restricted Rights 5 Export Regulation 6 General 7 Additional Us...

Page 9: ...r settings 27 Configuring Default SMTP Settings 31 Configuring internal mail hosts 35 Testing Scanners 35 Configuring LDAP settings 36 Configure LDAP settings 37 Synchronization status information 43...

Page 10: ...anning settings 66 Configuring container settings 66 Configuring content filtering settings 67 Chapter 4 Configuring email filtering About email filtering 69 Notes on filtering actions 78 Multiple act...

Page 11: ...figuring Spam Quarantine 140 Delivering messages to Spam Quarantine from the Scanner 140 Configuring Spam Quarantine port for incoming email 141 Configuring Spam Quarantine for administrator only acce...

Page 12: ...out charts and tables 188 Setting the retention period for report data 188 Running reports 189 Saving and editing Favorite Reports 190 Running and deleting favorite reports 190 Troubleshooting report...

Page 13: ...the amount of information in BrightmailLog log 211 Starting and stopping UNIX and Windows services 213 Starting and stopping Windows services 213 Starting and stopping UNIX services 215 Periodic syste...

Page 14: ...Glossary Index Contents 14...

Page 15: ...Antispam technology Symantec s state of the art spam filters assess and classify email as it enters your site Antivirus technology Virus definitions and engines protect your users from email borne vi...

Page 16: ...d virus definitions if available This feature can be effective in defeating virus attacks before conventional signatures are available View a list of available virus definition updates Improved virus...

Page 17: ...More than 50 graphical reports that you can generate ad hoc or on a scheduled basis Reports can be exported for offline analysis and emailed Extensive set of pre built reports scheduled reporting and...

Page 18: ...he status of all Symantec Mail Security hosts in your system including system logs and extensive customizable reports Use the Control Center to configure both system wide and host specific details The...

Page 19: ...the Symantec Mail Security filters Architecture Figure 1 1 shows how a Symantec Mail Security installation processes an email message assuming the sample message passes through the Filtering Engine t...

Page 20: ...ssage is spam At this point the message may also be checked against end user defined Language settings The Transformation Engine performs actions per recipient based on filtering results and configura...

Page 21: ...tact Symantec License Administration www enterprisesecurity symantec com Provides product news and updates www symantec com security_response Provides access to the Virus Encyclopedia which contains i...

Page 22: ...About Symantec Mail Security Where to get more information 22...

Page 23: ...ssages outbound messages and message delivery Assign this certificate from the Inbound Mail Settings and Outbound Mail Settings portions of the SMTP tab on the Settings Hosts Edit Host Configuration p...

Page 24: ...y or use a domain name to be sure 5 Click Create To add a Certification Authority Signed certificate to the list 1 In the Control Center click Settings Certificates 2 Click Add 3 In the Certificate ty...

Page 25: ...ryption as appropriate 5 Choose the TLS certificate from the Certificate drop down list for the inbound or outbound MTA 6 Click Save To assign a user interface HTTPS certificate 1 In the Control Cente...

Page 26: ...the following procedures from the Services tab to manage individual Scanner services replication and stop the flow of messages through a Scanner Replication synchronizes Scanner directory data with L...

Page 27: ...and receive filter updates from Symantec If you need to add proxy and or other security settings to your server definition follow the steps below To change or add proxy information 1 In the Control C...

Page 28: ...ompliance policies resulting in fewer messages filtered through Content Compliance policies To modify SMTP settings for a Scanner 1 In the Control Center click Settings Hosts 2 Check the Scanner to ed...

Page 29: ...ains box are accepted Click Add to add an entry or Remove to delete one If you specify one or more IP addresses you must include the IP address of the Control Center so that Spam Quarantine and Suspec...

Page 30: ...must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages After you add the first entry the IP address of the Control Center is added...

Page 31: ...lable on Windows systems Sets the maximum number of simultaneous inbound connections allowed from a single IP address Additional connections for the same IP address will be rejected The default is 20...

Page 32: ...t domain for sender addresses with no domain Places a RECEIVED header in the message during outbound SMTP processing when checked When unchecked no RECEIVED header is inserted during outbound SMTP pro...

Page 33: ...er of connections per single internal mail server Sets the smallest interval the SMTP server waits before trying to deliver a message again The default is 15 minutes Minimum retry interval Sets the ti...

Page 34: ...ins from which you may require encryption Check the names of those domains from which information must currently be encrypted Leave unchecked to currently except listed domains from this requirement P...

Page 35: ...lick Save to store the information To delete an internal mail host 1 From the Control Center click Settings Hosts 2 Check the Scanner you want to configure 3 Click Edit 4 Click the Internal Mail Hosts...

Page 36: ...er authenticates users by checking their user name and password data directly against the LDAP source Authentication LDAP user and group data is used to apply group policies recognize directory harves...

Page 37: ...lly as shown on the LDAP Synchronization page and the number of rejected entries is 0 or stays constant after successive synchronization changes If synchronization has not completed successfully a sta...

Page 38: ...s server definition Authentication Synchronization Authentication and Synchronization LDAP Server Anonymous bind Allows you to login to an LDAP server without providing specific user ID and password i...

Page 39: ...the fields for you to modify as needed You can have only one authentication server defined in the Control Center Specify the queries to use You have the following options when selecting what authentic...

Page 40: ...the point in the directory from which to start searching for entries with email addresses aliases or groups To use this field begin by clicking Auto Fill for the naming contexts of the directory Reduc...

Page 41: ...nd guarantee full authentication by the LDAP server For an Active Directory server the full DN or logon name with User Principal Name suffix may be required Password Password information that allows y...

Page 42: ...ization is checked for Usage It allows for the following definitions governing synchronization behavior Synchronize every Specifies how often scheduled synchronization occurs You can specify a number...

Page 43: ...the Control Center you wish to cancel To delete an LDAP server 1 In the Control Center click Status Synchronization Check to be sure that no synchronization is processing You cannot delete a synchron...

Page 44: ...on server and the process is under way Success The synchronization has completed successfully Failed The synchronization has failed Consult your logs to identify possible causes Status The time at whi...

Page 45: ...ile error log X where X is a number Rejected Replicating data to Scanners After an LDAP server has been defined to the Control Center and after the synchronization of LDAP data between the LDAP server...

Page 46: ...tion status information In the Control Center click Status Scanner Replication The following information is displayed Description Item Status can indicate any of the following states Idle Nothing is h...

Page 47: ...s occurred 2 If a successful synchronization has occurred check your replication status and take one or more of the actions described below To verify that synchronization has completed successfully 1...

Page 48: ...om the Control Center database to a Scanner database 3 If you see the message No scanners configured for replication make sure you have successfully added an LDAP synchronization server that the initi...

Page 49: ...ify Control Center access or to regain access to the Control Center To specify Control Center access 1 In the Control Center click Settings Control Center 2 Check All hosts to allow any host access to...

Page 50: ...ation happens more frequently on private networks than on the public Internet Control Center certificate Through the Control Center you can designate a user interface HTTPS certificate This enhances t...

Page 51: ...12 hours setting the LDAP synchronization schedule to 53 minutes will help prevent one from starting while the other is in progress 4 Click Replicate Now to have LDAP data replicated to all attached a...

Page 52: ...address or fully qualified domain name of a computer that has a working MTA on it Change this information from the default if the Control Center doesn t have a working Scanner Specify the port to use...

Page 53: ...e mail gateway by assigning replacement values to them Symantec Mail Security lets you implement address masquerading on inbound mail outbound mail or both A typical use of address masquerading is to...

Page 54: ...s or a combination of spaces and tabs Commas or semicolons are not valid delimiters Note You cannot import a file with extended ASCII or non ASCII characters you can only import files encoded in US AS...

Page 55: ...il address that translates to one or more other email addresses Windows users may understand this concept as a distribution list You can add an alias as a convenient shortcut for typing a long list of...

Page 56: ...message To and Cc headers are ignored and not changed Inbound address masquerading has precedence over aliases If the same original email address or domain exists in both the address masquerading lis...

Page 57: ...s page modify the text in the Alias domain or email address box as desired 4 Modify the text in the Domain or email addresses for this alias box as desired 5 Click Save Importing aliases Aliases can be imported...

Page 58: ...Configuring local domains On the Local Domains page you can view add edit and delete local domains and email addresses for which inbound messages are accepted When adding or editing a local domain yo...

Page 59: ...l as enable MX lookup If you do not specify a destination host here the domain or email address is routed to the Inbound Relay you configure on the SMTP Settings page See SMTP Scanner settings 4 Click...

Page 60: ...com smtp 192 168 248 105 local6 com smtp 192 168 248 106 60 To import a list of local domains 1 In the Control Center click Settings Local Domains 2 Click Import 3 On the Import Local Domains page en...

Page 61: ...will consider this message to be suspected spam and will apply the action you have in place for suspected spam messages such as Modify the Message tagging the subject line Messages that score 90 or a...

Page 62: ...ngs for suspected spam language identification and software acceleration To configure spam settings 1 In the Control Center click Settings Spam 2 Under Do you want messages to be flagged as suspected...

Page 63: ...On the LiveUpdate tab click Enable Rapid Response updates Symantec Mail Security checks every 10 minutes after this setting is saved 3 Click Save Working with LiveUpdate Follow these procedures to vie...

Page 64: ...ch as Sound File Format 6 If you choose to exclude specific file classes you can also select the types of files in that class to be excluded in the File Type list 7 Click the Add File Classes or Add F...

Page 65: ...ymantec Mail Security generates a bounce message for the recipient Upon receiving the bounce message the sender can resend the original message with the correct address However messages with invalid r...

Page 66: ...Symantec Mail Security processes certain zip files and other types of compressed files these files can expand to the point where they deplete system memory Such container files are often referred to a...

Page 67: ...file size when opened box and click KB MB or GB A container is unscannable for viruses if any individual component of the container when unpacked exceeds the size specified 5 Specify a number in the Maxi...

Page 68: ...Configuring email settings Configuring scanning settings 68...

Page 69: ...d viruses to suit your requirements Content filtering and Email Firewall policies offer further methods of managing mail flow into and out of your organization Symantec Mail Security provides a wide v...

Page 70: ...d because it contains a virus based on current Symantec virus filters Virus Virus Email is flagged because it contains a mass mailing worm based on current virus filters from Symantec Mass mailing wor...

Page 71: ...hments Attachment content Email is flagged based on the text in the Subject line Subject Email is flagged based on the text in the From address From Address Email is flagged based on the text in the T...

Page 72: ...escribes the filtering actions available for each verdict Table 4 2 Filtering actions by verdict Verdict Description Action Content Compliance Spam Suspected Spam Virus Virus attack Directory harvest...

Page 73: ...message Delete the message x x x x x Deliver the message Viruses and mass mailing worms are neither cleaned nor deleted Deliver the message normally x x x x x Deliver the message to end user Spam fol...

Page 74: ...us attachment verdict Hold message in Suspect Virus Quarantine x x x x x Add a tag to the message s Subject line Modify the Subject line x x Using a 5xx SMTP response code notify the sending MTA that...

Page 75: ...n the Scanner computer On Solaris or Linux you must specify a writable directory Save to disk x x x x x Return the message to its From address with a custom response and deliver it to the recipient Op...

Page 76: ...t is six hours Message is released and then rescanned after configured number of hours Only available for the suspicious attachment verdict Strip and hold in Suspect Virus Quarantine x x x Remove all...

Page 77: ...message direction Treat as a mass mailing worm x Process the message using the action s specified in the domain based Allowed Senders List Applies even if the domain based Allowed Senders List is disa...

Page 78: ...y if the suspected spam policy is disabled or does not apply because of message direction Treat as suspected spam Notes on filtering actions When using Table 4 2 consider the following limitations All...

Page 79: ...multiple actions for a particular verdict An example follows 1 Defining a virus policy the administrator selects the Virus verdict and then assigns the actions Clean Add annotation and Send notificat...

Page 80: ...s Spam folder Yes Any except Delete the message Forward the message No Any except Hold message in Suspect Virus Quarantine Deliver the message normally Delete the message Strip and delay If used with...

Page 81: ...ns Treat as a mass mailing worm No Can t be used with other actions Treat as an allowed sender No Can t be used with other actions Treat as a virus No Can t be used with other actions Treat as spam No...

Page 82: ...rdict Description Category Stand alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user s knowledge Adware might monit...

Page 83: ...ject the one of those verdicts that appears first in the precedence list see below takes precedence If no matching verdict calls for an action of defer or reject then the matching verdict that appears...

Page 84: ...ble end user preferences Also lists that you create have precedence over lists created by Symantec However third party DNS blacklists do not have priority over all Symantec lists In the event of a con...

Page 85: ...p Policy you want to edit 3 Ensure that the Members tab is displayed and click Add 4 Specify members using one or both of the following methods Type email addresses domain names or both in the box To...

Page 86: ...rom a file 1 On the Members tab of the Add Group page click Import 2 Enter the appropriate path and filename or click Browse to locate the file on your hard disk and then click Import Separate each do...

Page 87: ...d compliance filter policies on page 94 Selecting virus policies for a group Virus policies determine what to do with inbound and outbound messages that contain any of six categories of threats Table...

Page 88: ...nbound virus policy Inbound mass mailing worm policy Inbound unscannable message policy Inbound encrypted message policy Inbound suspicious attachment message policy Inbound spyware adware message pol...

Page 89: ...ncoming email 5 Select the desired policy from each of the following drop down lists Inbound spam policy Inbound suspected spam policy 6 If desired check Enable outbound spam scanning for this group t...

Page 90: ...dit Group page Although you can add existing policies to the lists on this page you cannot add new compliance policies from this page See Creating compliance policies on page 98 Enabling and disabling...

Page 91: ...s Lists and block or allow email in specified languages At least one LDAP SyncService server must be configured and enabled In Settings LDAP settings an LDAP source configured for Authentication or Au...

Page 92: ...uage identification set Language Identification to No on the Spam Settings page That will make the Language tab accessible See Choosing language identification type on page 61 To allow or block email...

Page 93: ...cy is always the last Group Policy in the list You cannot change the precedence of the Default Group Policy To edit an existing Group Policy On the Group Policy page click the policy name or check the...

Page 94: ...r Policies Filter Policies contains a table that indicates the status of defined virus spam or compliance policies Table 4 6 describes the options available on the Policy status page Table 4 6 Policy...

Page 95: ...onditions select one of the following six conditions The message contains a virus If a message contains a virus The message contains a mass mailing worm a worm that propagates itself to other systems...

Page 96: ...s until a later time when updated virus definitions may be available This provides enhanced protection against new and emerging virus threats By default these messages are held in the Suspect Virus Qu...

Page 97: ...ups check one or more groups to which this policy should apply You can also add a spam policy to a group on the Spam tab of the Edit Group page 6 Under Conditions select one of the following three con...

Page 98: ...n keywords that match regular expressions in their headers bodies or attachments Actions specified for custom filter matches will not override actions resulting from matches in your Blocked Senders Li...

Page 99: ...ant to set your policies so that messages that are matched by compliance policies are quarantined or modified instead of deleted When you are sure the compliance policies are working correctly you can...

Page 100: ...If you tested that the subject contains this string inkjet Inkjet INKJET Then any message subject containing these strings would be matched INKJET If you tested that a subject contains this string ink...

Page 101: ...ind all attachments that contain the word discount more than three times Text within an attachment file Attachment content script vbs application octet stream An attachment list file name or MIME typ...

Page 102: ...ditions For all messages jane example com jane example com From message header From address jane example com jane example com From To Cc and Bcc message headers From To Cc Bcc address Reply To reply to...

Page 103: ...s or does not match and type a regular expression Attachment content Bcc address Body Cc address Envelope HELO Envelope recipient Envelope sender From address From To Cc Bcc address Subject To address...

Page 104: ...nt to text wildcard test using matches exactly Starts with does not start with Equivalent to text wildcard test using matches exactly Ends with does not end with Exact match for the supplied text Matc...

Page 105: ...period b b Match an asterisk 18 18 Match a plus character 18 18 Match a forward slash 123 45 6789 0 9 3 0 9 2 0 9 4 Match any numeral n times for example match a social security number 0 9 n Note Syma...

Page 106: ...additional information in fields that appear below the condition 7 Click Add Condition and add additional conditions if desired 8 Under Perform the following action click an action For some actions yo...

Page 107: ...be checked against Open Proxy Senders Suspected Spammers and Safe Senders lists maintained by Symantec Sender authentication provides a way to block forged email Configuring attack recognition Symant...

Page 108: ...ect all attack types 3 Click Enable to enable the checked attack types or click Disable to disable the checked attack types To configure directory harvest spam and virus attack recognition 1 In the Co...

Page 109: ...es sent from trusted senders will be treated as spam or filtered in any way Define allowed senders Symantec Mail Security supports a number of actions for mail from a sender or connection in a Blocked...

Page 110: ...ist that now contains it then add it to the other list Similar entries If you have two entries such as a b com and b com in the two different lists the list with higher precedence wins See About prece...

Page 111: ...dividual is sending unwanted mail to people in your organization 218 187 0 0 255 255 0 0 After analyzing the received headers to determine the sender s network and IP address add the IP address and ne...

Page 112: ...t example org Third party services Specify sender addresses or domain names Symantec Mail Security checks the following characteristics of incoming mail against those in your lists MAIL FROM address i...

Page 113: ...d your network Your network is based on the internal address ranges that you supply to Symantec Mail Security when setting up your Scanners This is why it is important that you accurately identify all...

Page 114: ...ssage normally if desired 7 Click Save on the Edit Sender Group page Deleting senders from lists Follow the steps below to delete senders To delete senders from your Blocked Senders Lists or Allowed S...

Page 115: ...2 Click one of the Blocked or Allowed Sender groups depending on the list that you want to work with A red x in the Enabled column indicates that the entry is currently disabled A green check in the...

Page 116: ...lation Do not change the first three uncommented lines dn cn mailwall uninvitedads com ou bmi objectclass top objectclass uiaBlackWhiteList After the header each line contains exactly one attribute al...

Page 117: ...connection or network Specify a numerical IP address numerical IP address and network mask or CIDR IP address RC AS example com AS spammer example org AS john example com Allowed sender Specify an em...

Page 118: ...m your Blocked Senders Lists or Allowed Senders Lists 1 In the Control Center click Policies Sender Groups 2 Click any of the Blocked Senders or Allowed Senders Lists The entries for all Blocked Sende...

Page 119: ...udes a hard outbound email policy one that requires compliance and it does not match the sending IP address the specified action is taken on the message If the IP address matches or the domain publish...

Page 120: ...e Managing policy resources The settings under Policy Resources are used in the conditions or actions for policies Annotating messages Annotations are phrases or paragraphs that are placed at the begi...

Page 121: ...art annotation For messages containing both text and HTML MIME parts the configuration of each recipient s email client e g Microsoft Outlook may determine which part is displayed Annotation guideline...

Page 122: ...ion text in the HTML box You can use HTML formatting tags if desired See How plain text and HTML text is added to messages on page 120 7 Choose a character encoding for the HTML annotation if you ve s...

Page 123: ...he archive server host in the Archive server port box Port 25 the usual port for SMTP messages is the default 5 Check or uncheck Enable MX Lookup to enable or disable MX lookup for the archive server...

Page 124: ...pecific types of email attachments For example you could create an attachment list that matches messages containing exe files By adding that attachment list to a policy you could strip attachments fro...

Page 125: ...ly three letters at the end of a file that by convention indicates the type of the file Extension text plain image gif application msword application octet stream The MIME type of the attachment in th...

Page 126: ...f the page 6 Repeat steps 4 and 5 to add more conditions as desired If needed you can click on a condition in the list and click Delete to delete that condition 7 Click Save Configuring dictionaries A...

Page 127: ...Policies Dictionaries 2 Click Add 3 In the Dictionary name field type a name for the dictionary This is the name that appears on the Dictionaries page and in the drop down list for the Any part of the...

Page 128: ...ts Alerts are sent automatically when certain system problems occur such as low disk space Note that the original message is delivered to the original recipients unless you specify an additional actio...

Page 129: ...rs 6 Choose a character encoding for the Subject ISO 8859 1 and UTF 8 are appropriate for European languages Windows 31j EUC JP and ISO 2022 JP are appropriate for Japanese 7 In the Subject box type t...

Page 130: ...Configuring email filtering Managing policy resources 130...

Page 131: ...ontrol Center You can route spam suspected spam or both to Spam Quarantine so that administrators and users at your site can check for false positives meaning messages that have been marked as spam th...

Page 132: ...al fashion See Notification for distribution lists aliases on page 144 Working with messages in Spam Quarantine for administrators This section describes how Spam Quarantine works for administrators O...

Page 133: ...From Subject or Date column heading to select the column by which to sort A triangle appears in the selected column that indicates ascending or descending sort order Click on the selected column head...

Page 134: ...ed messages To search messages Type in one of the search boxes or specify a date range to search messages for a specific recipient sender subject message ID or date range See Searching messages on pag...

Page 135: ...ox When a Quarantine administrator clicks Release the message is delivered to the inbox of each of the intended recipients The administrator message list page includes a To column containing the inten...

Page 136: ...message to the intended recipient This also removes the message from Spam Quarantine Depending on how you configured Spam Quarantine a copy of the message may also be sent to an administrator email ad...

Page 137: ...only have access to Spam Quarantine not the rest of the Control Center Searching messages Type in one or more boxes or choose a time range to display matching messages in the administrator Spam Quaran...

Page 138: ...sually forged The visible message From header may contain different information than the message envelope To search subject headers Type in the Subject box to search the Subject header in all messages...

Page 139: ...ntics Searching for a subject with the search target in will match Lowest rate in 45 years RE re Sublime Bulletin verification Up to 85 off Ink Cartridges no shipping and Re finance at todays super lo...

Page 140: ...isidentified messages However an SMTP mail server must be available to receive notifications and misidentified messages sent by Spam Quarantine Set this SMTP server on the Control Center Settings page...

Page 141: ...ise quarantined messages back up in the delivery MTA queue until the expiration time elapses and then bounced back to the original sender Configuring Spam Quarantine for administrator only access If y...

Page 142: ...in a new window You can customize the login help by specifying a custom login help page This change only affects the login help page not the rest of the online help This method requires knowledge of H...

Page 143: ...To send copies of misidentified messages to a local administrator under Misidentified Messages click Administrator and type the appropriate email address These messages should be sent to someone who...

Page 144: ...n digest can view all the quarantined distribution list messages If the Include Release link box is selected recipients of the notification digest can release quarantined distribution list messages If...

Page 145: ...art time drop down lists 5 Click Save Changing the notification digest templates The notification digest templates determine the appearance of notification messages sent to users as well as the messag...

Page 146: ...umber of days messages in Spam Quarantine will be kept After that period messages will be purged QUARANTINE_DAYS URL that the user clicks on to display the Spam Quarantine login page QUARANTINE_URL Us...

Page 147: ...changes to the notification template and close the template editing window Cancel 8 Click Save on the Quarantine Settings page Enabling notification for distribution lists You can configure Spam Quar...

Page 148: ...summary When a user clicks on the View link in a notification digest message the selected message is displayed in Spam Quarantine in the default browser This check box is only available if you choose...

Page 149: ...t 10 000 messages can be deleted Increase the Expunger frequency if your organization receives a very large volume of spam messages To set the Spam Quarantine message retention period 1 In the Control...

Page 150: ...When a new message arrives after the threshold has been reached a group of the oldest messages are deleted and the new message is kept Maximum number of messages Maximum number of quarantine messages...

Page 151: ...sages If you check the log file as described in Checking the Control Center error log and see lines similar to those listed below the messages forwarded from the Scanner to Spam Quarantine are larger...

Page 152: ...istribution lists aliases on page 144 Undeliverable quarantined messages go to Spam Quarantine postmaster If Spam Quarantine can t determine the proper recipient for a message received by Symantec Mai...

Page 153: ...spam messages but others get a message saying that there are no messages to display after logging in to Spam Quarantine there may be a problem with the Active Directory LDAP configuration If the user...

Page 154: ...messages appear in Spam Quarantine You may notice multiple copies of the same message when logged into Spam Quarantine as an administrator When you read one of the messages all of them are marked as r...

Page 155: ...e email address make sure the email address is not an email alias The administrator email address for misidentified messages must be a primary email address including the domain name such as admin exa...

Page 156: ...Working with Spam Quarantine Configuring Spam Quarantine 156...

Page 157: ...examination in the Suspect Virus Quarantine for up to 24 hours Suspect Virus Quarantine functions are governed in part by specific settings and in part by defined virus filter policies associated wit...

Page 158: ...not make changes to those settings and they cannot release or delete messages Checking for new Suspect Virus Quarantine messages New messages that have arrived since logging in and checking quarantine...

Page 159: ...nded recipient This also removes the message from Suspect Virus Quarantine Note Releasing messages requires access to the IP address of the Control Center If you are limiting inbound or outbound SMTP...

Page 160: ...Suspect Virus Quarantine behavior When you navigate to a different page of messages the status of the check boxes in the original page is not preserved For example if you select three messages in the...

Page 161: ...ail Security searches only for the user name portion of user_name example com The search is limited to the envelope To which may contain different information than the header To displayed on the messa...

Page 162: ...he amount of time required for the search is dependent on how many search boxes you filled in and the number of messages in the current mailbox Searching in the administrator mailbox will take longer...

Page 163: ...Otherwise quarantined messages back up in the delivery MTA queue until the expiration time elapses and then bounce back to the original sender Configuring the size for Suspect Virus Quarantine You can...

Page 164: ...Working with Suspect Virus Quarantine Configuring Suspect Virus Quarantine 164...

Page 165: ...TP Service or your installed MDA is working properly with the Scanner to deliver legitimate mail by sending an email to a user To test delivery of legitimate mail 1 Send an email with the subject line...

Page 166: ...account used in step 5 8 In the Control Center click Status Overview after several minutes have passed The Spam counter on the Overview page increases by one if filtering is working Testing antivirus...

Page 167: ...y newly arrived messages are added to the message list and displayed in accordance with the sorting order Symantec Mail Security must be configured to forward spam messages to Spam Quarantine If the d...

Page 168: ...that does not contain any viruses 6 In the Control Center click Quarantine Spam Quarantine 7 Click Show Filters and type Test Spam Message in the Subject box 8 Click Display Filtered Testing Symantec...

Page 169: ...Table 8 1 describes the available alert settings Table 8 1 Alert settings Explanation Alert setting The email address that appears in the notification's From header Send from The number of virus outbr...

Page 170: ...n errors have been logged These errors are caused by problems in the replication of LDAP data from the Control Center to attached and enabled Scanners Only messages that log at the error level cause a...

Page 171: ...cations 1 In the Control Center click Settings Alerts 2 Under Notification Sender enter an email address in the Send from field To specify alert conditions 1 Under Alert Conditions check the alert con...

Page 172: ...the Control Center the database and LDAP Quarantine Release logs indicate which mail messages were released from the Quarantine and when Log type drop down Select the type of actions to log system eve...

Page 173: ...mation is displayed when you click Display wait a few minutes then click Display again About logs You can configure log settings for Symantec Mail Security components on each Scanner in your system an...

Page 174: ...slog Unix Linux Enable logging to Event Viewer Syslog To configure log settings for host 1 In the Control Center click Settings Logs 2 Under System Logging choose a host from the Host drop down list 3...

Page 175: ...e logging to System Event Viewer running on Windows or to Syslog running on Unix or Linux check Enable logging to Event Viewer Syslog 10 Click Save to save your settings Warning Because logging data f...

Page 176: ...Configuring alerts and logs About logs 176...

Page 177: ...nting saving and emailing reports Scheduling reports to be emailed About reports Symantec Mail Security reporting capabilities provide you with information about filtering activity at your site includ...

Page 178: ...store report data In particular the sender statistics usually consume a large amount of disk space See Setting the retention period for report data on page 188 To enable data tracking for reports 1 In...

Page 179: ...nd content compliance policy Overview None The average size of messages in KB Average Message Size None Total size in KB of all messages in the report and total size of each grouping Total Message Siz...

Page 180: ...maximum number of IP addresses to list for the specified time range Top Sender IP Connections Recipient domains Recipient domains for which the most messages have been processed For each recipient do...

Page 181: ...and unscannable messages are listed Specify the maximum number of email addresses to list for the specified time range Top Senders Senders Sender domains Number of virus messages detected from a send...

Page 182: ...ages detected for a recipient email address that you specify For each grouping the virus to total processed percentage total processed and the number of viruses worms and unscannable messages are list...

Page 183: ...each HELO domain the spam to total processed percentage total processed and the number of spam suspected spam blocked and allowed messages are listed Specify the maximum number of HELO domains to list...

Page 184: ...iance reports Table 9 4 Available Content Compliance reports Required Data Storage Options Displays Report Type None Total messages processed and number and percentage of content compliance policies t...

Page 185: ...cipient domain the total messages processed and number and percentage of content compliance policies triggered are listed Specify the maximum number of recipient domains to list for the specified time...

Page 186: ...he total messages processed and number and percentage of spam attacks are listed Top Spam Attacks Table 9 6 describes the available Sender Authentication reports Table 9 6 Available Sender Authenticat...

Page 187: ...thentication attempts are listed Top Failed Senders Table 9 7 describes the available SMTP connection reports Table 9 7 Available SMTP connection reports Required Data Storage Options Displays Report...

Page 188: ...ums and averages for the entire time period listed in the overview table Chart overview Displays bar graph s for each item in the report type chosen A maximum of 20 items can be displayed in a bar gra...

Page 189: ...ew Reports 3 Click a report in the Report drop down list See tables Table 9 1 through Table 9 8 for a description of each report 4 For reports that filter on specific recipients such as Spam Specific...

Page 190: ...later and also edit saved reports Follow these steps to save or edit Favorite Reports To save a Favorite Report 1 Follow steps 1 through 10 in Running reports 2 Click Add to Favorites The fields unde...

Page 191: ...ts even if you are not currently tracking data This will happen if you were collecting data in the past and then turned off data tracking The data collected are available for report generation until t...

Page 192: ...on where the report is generated If the Control Center is in Greenwich the resulting report counts it in GMT the local time zone so it increases the spam count for April 24 If the Control Center is i...

Page 193: ...t counted as received If 100 messages are deferred or rejected the recipient count for those messages is 0 Reports limited to 1 000 rows The maximum size for any report including a scheduled report is...

Page 194: ...To save a report 1 After creating and running a report as described in Running reports click the desired save button 2 Choose the appropriate options on the Save dialog box To email reports 1 After cr...

Page 195: ...nder Report Format click one of the following to specify the format HTML formats the report in HTML format Check Chart Table or both See About charts and tables on page 188 CSV formats the report in c...

Page 196: ...so click the underlined report name to jump directly to the edit page for the report 3 Make any changes to the settings 4 Click Save To delete a scheduled report 1 In the Control Center click Reports...

Page 197: ...e means of checking and displaying system host and message status Status information is combined with options for changing what is displayed as well as with actions you can take based on the informati...

Page 198: ...ast 24 hours not including the current hour The Last 30 Days graph displays data for the past 30 days not including today At the next hour data from 00 to 59 minutes will be displayed in the Last 24 H...

Page 199: ...d messages such as alerts emailed reports and messages forwarded to the Spam Quarantine To view totals information In the Control Center click Status Message Details Message queues You can view messag...

Page 200: ...from standard scanner logging is that logged information is specifically associated with a message Note Log entries for messages are created after all policy actions applicable to a message have take...

Page 201: ...that message searches not exceed one week Time range See Table 10 1 Mandatory filter See Table 10 2 Optional filter Table 10 1 describes the items you can choose from for your single required filter T...

Page 202: ...he message Group policy Name of the filter policy applied to the message Filter policy Name of the virus attached to the message Virus Name of a file attached to the message Attachment Whether the mes...

Page 203: ...le hosts 1 In the Control Center click Status Host Details 2 Choose a host to examine To view additional component information Click the plus sign where available next to any component to view additio...

Page 204: ...he Synchronize Changes button is not available to Domino users Use Full Synchronization instead To synchronize more than 1 000 directory entries before the next update On the LDAP Synchronization page...

Page 205: ...ication page The following steps describe how to perform some common tasks on the Scanner Replication page To view the status of replication for a host In the Control Center click Status Scanner Repli...

Page 206: ...the Control Center click Status Host Details 2 Select a host from the drop down list 3 Click Configure Host 4 Make any changes to the host or its included components and services See To edit a Scanne...

Page 207: ...indicates that the Scanner is enabled 2 To disable a Scanner that is currently enabled check the box next to the Scanner and click Edit 3 Click Do not accept incoming messages 4 Click Save 5 Allow mes...

Page 208: ...he Control Center click Administration Administrators 2 Click Add 3 Type the user name and password and confirm the password 4 Enter the email address of the administrator 5 If this administrator is t...

Page 209: ...ensed entry a status of Licensed is shown For an unlicensed product ask your Symantec representative about getting a license file through which to register the product License files must be placed on...

Page 210: ...r use sudo to run the following command etc init d smssmtp_mysql start To stop Control Center processes 1 To stop Tomcat and related processes such as the Expunger and Notifier on Windows use the Cont...

Page 211: ...Source at com brightmail dl jdbc impl DatabaseSQLManager handleUpdate Unknown Source at com brightmail dl jdbc impl DatabaseSQLTransaction create Unknown Source at com brightmail bl bo impl SpamManag...

Page 212: ...10 7 Change the number after MaxBackupIndex to the desired number such as 40 This setting determines the number of saved BrightmailLog log files For example if you specify 2 BrightmailLog log contains...

Page 213: ...f can t be stopped using the Control Center Starting and stopping Windows services Table 10 3 describes the Windows services of Symantec Mail Security Table 10 3 Windows services Description Process i...

Page 214: ...Server Provides unified view of LDAP data to SyncService Enquire exe SMSENQUIRESVC SMS Virtual Directory Server Start or stop Windows services You can start and stop Windows services from the Service...

Page 215: ...and antispam filters smssmtpconnector Mail transfer agent that routes email smssmtpmta Start or stop UNIX services Follow these procedures to start or stop UNIX services To start UNIX services Log in...

Page 216: ...he Symantec software is running MySQL must be running when you perform backups For complete instructions on performing backups of MySQL data see MySQL documentation The following MySQL commands are su...

Page 217: ...TP tomcat work Catalina localhost brightmail dzq Windows C Program Files Symantec SMSSMTP tomcat work Catalina localhost brightmail dzq To restore Spam Quarantine and Suspect Virus Quarantine tables f...

Page 218: ...sword PASSWORD host 127 0 0 1 brightmail spam_quarantine sql To save Suspect Virus Quarantine tables 1 Type the following command mysqldump user brightmailuser password PASSWORD opt brightmail setting...

Page 219: ...tware UNIX opt Symantec SMSSMTP tomcat work Catalina localhost brightmail dzq Windows C Program Files Symantec SMSSMTP tomcat work Catalina localhost brightmail dzq Maintaining adequate disk space Use...

Page 220: ...Administering the system Periodic system maintenance 220...

Page 221: ...products to provide a central point of control of security within an organization It provides a common management framework for Information Manager enabled security products such as Symantec Mail Secu...

Page 222: ...is purchased and installed separately The appliance must be installed and working properly before you can configure Symantec Mail Security to log events to the SSIM For more information see the Symant...

Page 223: ...sage statistics Table A 1 Settings for Message statistics Value Setting Message stats Type opt Symantec SMSSMTP scanner stats Path for Linux Solaris c Program Files Symantec SMSSMTP scanner stats Path...

Page 224: ...ty Event ID SES_EVENT_ Unique ID Connection Permitted symc_firewall_network Informational SES_EVENT_CONNECTION_ACCEPTED 512000 Connection Rejected symc_firewall_network Informational SES_DETAIL_CONNEC...

Page 225: ...events that Symantec Mail Security for SMTP can send to the Information Manager Table A 6 Message events that are sent to the Information Manager Rule Description Reason sent Event class Severity Eve...

Page 226: ...SES_EVENT_HOST_INTRUSION 1032000 User login failed symc_host_intrusion Warning SES_EVENT_HOST_INTRUSION 1032000 Enable add host symc_config_update Informational SES_EVENT_CONFIGURATION_CHANGE 92008 D...

Page 227: ...ers imported symc_config_update Informational SES_EVENT_CONFIGURATION_CHANGE 92008 Group policy members imported symc_config_update Informational SES_EVENT_CONFIGURATION_CHANGE 92008 Component is not...

Page 228: ...Integrating Symantec Mail Security with Symantec Security Information Manager Interpreting events in the Information Manager 228...

Page 229: ...omputer viruses API application programming interface The specific methodology by which a programmer writing an application program can make requests of the operating system or another application arc...

Page 230: ...tificate A file that is used by cryptographic systems as proof of identity It contains a user s name and public key Certificate Authority signed SSL A type of Secure Sockets Layer SSL that provides au...

Page 231: ...rk and an external network to provide an additional layer of security Sometimes called a perimeter network DNS Domain Name Server proxy An intermediary between a workstation user and the Internet that...

Page 232: ...n A suffix consisting of a period followed by several letters at the end of a file that by convention indicates the type of the file false positive A piece of legitimate email that is mistaken for spa...

Page 233: ...for exchanging files text graphic images sound video and other multimedia files on the World Wide Web Similar to the TCP IP suite of protocols the basis for information exchange on the Internet HTTP i...

Page 234: ...etwork where mail servers are located All other mail servers are downstream from the mail servers located at the messaging gateway MIME Multipurpose Internet Mail Extensions A protocol used for transm...

Page 235: ...ender group packet A unit of data that is formed when a protocol breaks down messages that are sent along the Internet or other networks Messages are broken down into standard sized packets to avoid o...

Page 236: ...s Probe Network Partners Used by Symantec Security Response for the detection of spam the Probe Network has a statistical reach of over 300 million email addresses and includes over 2 million probe ac...

Page 237: ...based on data from the Probe Network Part of the Sender Reputation Service Safe Senders is a sender group in Symantec Mail Security You can specify actions to take on messages from each sender group...

Page 238: ...butes and descriptive text This is more precisely referred to as signature data site A collection of one or more computers hosting Symantec Mail Security in which exactly one computer hosts a Control...

Page 239: ...y identifying the network of the local host The subnet mask is a required configuration parameter for an IP host A local bit mask set of flags that specifies which bits of the IP address specify a par...

Page 240: ...ng the next generation of threats using its worldwide intelligence network and unmatched insight The team delivers the bi annual Internet Security Threat Report that identifies critical trends statist...

Page 241: ...n specific keys and message integrity checks TLS provides some improvements over SSL in security reliability interoperability and extensibility See also SSL toolbar The various rows below the menu bar...

Page 242: ...other programs like a traditional virus but creates copies of itself which create even more copies WWW WorldWideWeb An application on the Internet that allows for the exchange of documents formatted...

Page 243: ...creating antispam policies 96 language based 92 sender authentication 119 Spam Quarantine 131 verify filtering 165 verify filtering to Spam Quarantine 167 antivirus filters create antivirus policies...

Page 244: ...o Blocked Senders Lists 113 import local domains 59 specify routing for local domains 58 double byte character sets configure the Control Center for 52 duplicate messages in Spam Quarantine 154 E emai...

Page 245: ...43 LDAP continued configure settings 36 delete LDAP server 43 edit LDAP server 40 initiate an LDAP synchronization cycle 42 license add manage view 209 lists Allowed Senders Lists 110 attachment list...

Page 246: ...fication Spam Quarantine change frequency of 145 choose format 148 configuring digests 143 edit template subject address 146 for distribution lists aliases 144 notifications 128 O Open Proxy Senders e...

Page 247: ...t data retention period 189 configure Spam Quarantine message retention period 149 retention continued data retention for report information default 192 routing specify for local domains 58 S Safe Sen...

Page 248: ...og check 210 Expunger 149 login help page customize 142 maximum number of messages 154 message details page 136 message list page 133 message navigation 134 136 Spam Quarantine continued message redel...

Page 249: ...hird party lists add to Allowed Senders List 114 add to Blocked Senders List 113 thresholds set Spam Quarantine message and size 150 time search Spam Quarantine using Time Range 139 search Suspect Vir...
