Summary of Contents for Symantec 10744983 - Mail Security 8320
Symantec Mail Security Administration Guide...
Terms and Conditions. Symantec, the Symantec Logo, Brightmail, LiveUpdate, and Norton AntiVirus are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes

Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ent/enterprise.html. Select your region or language under Global Support, and then select the Licensing and Registration page.
North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.
To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com. Select your country or language from the site index.
Symantec Software License Agreement – Symantec Mail Security for SMTP
1. License: You may: ... You may not: ...
2. Limited Warranty:
3. Disclaimer of Damages:
4. U.S. Government Restricted Rights:
5. Export Regulation:
6. General:
7. Additional Uses and Restrictions: ...
Contents
Technical Support
Chapter 1 About Symantec Mail Security
  Key features ... 15
  New features ... 16
  Functional overview ... 18
  Architecture ... 19
  Where to get more information ... 20
Chapter 2 Configuring system settings
  Configuring certificate settings ... 23
  Manage certificates ...
  Configuring Suspect Virus Quarantine port for incoming email ... 162
  Configuring the size for Suspect Virus Quarantine ... 163
Chapter 7 Testing Symantec Mail Security
  Verifying normal delivery ... 165
  Verifying spam filtering ... 165
  Testing antivirus filtering ... 166
  Verifying filtering to Spam Quarantine ...
Appendix A Integrating Symantec Mail Security with Symantec Security Information Manager
  About Symantec Security Information Manager ... 221
  Interpreting events in the Information Manager ... 222
  Configuring data sources ... 223
  Firewall events that are sent to the Information Manager ... 224
  Definition Update events that are sent to the Information Manager ...
Symantec Mail Security offers enterprises an easy-to-deploy, comprehensive gateway-based email security solution through the following features:
Antispam technology – Symantec's state-of-the-art spam filters assess and classify email as it enters your site.
Antivirus technology – Virus definitions and engines protect your users from email-borne viruses.
New features
The following table lists the features that have been added to this version of Symantec Mail Security:
Table 1-1 New features for Symantec Mail Security (all users)
Category | Features | Description
Threat ... | Improved email... |
Table 1-1 New features for Symantec Mail Security (all users) (continued)
Category | Features | Description
Flexible mail management | LDAP integration | Dynamic group population via any of several supported LDAP servers
Flexible mail management | Expanded variety of ... | More than two dozen actions that can be taken,...
Functional overview
You can deploy Symantec Mail Security in different configurations to best suit the size of your network and your email processing needs. Each Symantec Mail Security host can be deployed in the following ways:...
Architecture
Note: Symantec Mail Security does not filter messages that don't flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, their messages will not pass through the Symantec Mail Security filters.
Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information. You can visit the Symantec Web site for more information about your product. The following online resources are available:
www.symantec.com/enterprise/support – Provides access to the technical support Knowledge...
www.symantec.com/licensing/els/help/en/help.html – Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration
www.enterprisesecurity.symantec.com – Provides product news and updates
www.symantec.com/security_response – Provides access to the Virus Encyclopedia, which contains information about all known threats;...
Chapter 2 Configuring system settings
This chapter includes the following topics:
Configuring certificate settings
Configuring host (Scanner) settings
Testing Scanners
Configuring LDAP settings
Replicating data to Scanners
Configuring Control Center settings

Configuring certificate settings
Manage your certificates using the Certificate Settings page. The two types of certificates are as follows:
MTA TLS – This is the TLS certificate used by the MTAs in each Scanner.
Add a Certification Authority Signed certificate by submitting a certificate request to a Certification Authority. When you receive the certificate back from the Certification Authority, you then import the certificate into the Control Center.

Manage certificates
Follow these steps to add either self-signed or Certification Authority Signed certificates and to assign certificates.
On the Import Certificate page, type the full path and filename or click Browse and choose the file. Click Import.
To view or delete a certificate
In the Control Center, click Settings > Certificates. Check the box next to the certificate to be viewed or deleted.
Working with Services
You can stop or start the following services on a Scanner using the Services tab on the Edit Host Configuration page, under Settings > Hosts:
Conduit
LiveUpdate
Filter Engine
Note: If you stop the filter engine or the MTA service and wish to continue receiving alerts, specify an operating MTA IP address under Control Center Settings on the Settings >...
HTTP proxies The Conduit and Symantec LiveUpdate services run on each Scanner and receive filter updates from Symantec. If you need to add proxy and/or other security settings to your server definition, follow the steps below. To change or add proxy information In the Control Center, click Settings >...
Note: For incoming messages, you can conserve computing resources by blocking messages from undesirable domains and IP addresses using SMTP Scanner settings rather than by configuring content filtering policies from the Policies > Sender Groups page.
Inbound Mail Settings* – Provides settings for inbound messages. In this area, you can provide the following information:
Inbound mail IP address – Location at which inbound messages will be received. You can ping this address by pressing Test.
Outbound Mail Settings* – Provides settings for outbound mail characteristics. In this area, you can provide the following information:
Outbound mail IP address – Specifies the IP address on which outbound messages are sent. You can ping this address by pressing Test.
Configuring Default SMTP Settings
Additional SMTP settings are available from the SMTP Defaults page of the SMTP tab when you click the Advanced Settings button at the bottom of the Edit Host Configuration page. There are advanced SMTP settings for:
Inbound messages
Outbound messages
Delivering messages...
Table 2-2 SMTP Defaults page – outbound settings
Item | Description
Maximum number of connections | Sets the maximum number of permissible simultaneous outbound connections. Additional attempted connections are rejected. The default is 2,000 connections.
Maximum number of connections from a single ... | (Not available on Windows systems.) Sets the maximum number of permissible simultaneous outbound connections from a...
Table 2-3 SMTP Defaults page – delivery settings describes SMTP delivery configuration message settings for your site.
Table 2-3 SMTP Defaults page – delivery settings
Item | Description
Maximum number of external connections | Sets the maximum number of simultaneously allowed external connections.
Table 2-3 SMTP Defaults page – delivery settings (continued)
Item | Description
Enable TLS encryption (Unix/Linux) | For Unix/Linux installations, indicates if TLS encrypted information can be accepted. Check the box to accept encrypted information. When left unchecked, TLS encryption is not performed.
Require TLS encryption | ...
Configuring internal mail hosts
You can add or delete internal mail hosts at your site.
Configure internal mail hosts
Follow these procedures to add or delete internal mail hosts.
To add an internal mail host
From the Control Center, click Settings >...
Control Center for replication to Scanners but are not written back to the LDAP source. Symantec Mail Security supports the following LDAP directory types:
Windows 2000 Active Directory
Windows 2003 Active Directory
Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)
Configure LDAP settings
Follow these procedures to configure LDAP settings.
To add an LDAP server definition to the Control Center
In the Control Center, click Settings > LDAP. Click Add. Complete the necessary fields presented for defining a new LDAP Server. The values you complete will depend on your choices for LDAP Server Usage.
Table 2-4 Add LDAP Server page
Item | Description
LDAP Server | Description – Text describing the LDAP server being defined. Permissible characters are any alphanumeric character (1-9, a-z, and A-Z), a space ( ), hyphen (-), underline (_), and double-byte characters.
Table 2-4 Add LDAP Server page (continued)
Item | Description
Windows Domain Names | If you are using Active Directory, specify the Windows Domain names. When logging onto a Windows host, you see Windows domain names in the Log on to dropdown list. Use commas or semicolons to separate multiple domain names.
Table 2-4 Add LDAP Server page (continued)
Item | Description
Synchronization | Specify default synchronization options – This section only appears if Synchronization Configuration is checked for Usage. It allows for the following definitions governing synchronization behavior: Synchronize every –...
Make changes to the definition as appropriate. Not all of the original portions of this definition visible during the add process are available for editing. Click Save. See Table 2-5 on page 41 for a description of settings that can be changed after an LDAP server has been defined.
Table 2-5 Edit LDAP Server page (continued)
Item | Description
Authentication Query Details | Autofill – Places default values in the fields for you to modify as needed. Specify the queries to use – You have the following options when selecting what authentication queries to use: Query start (Auth base DN) –...
If you wish to synchronize only the LDAP data that has changed since the last synchronization, click Synchronize Changes. In most cases synchronizing only updated data is much faster than performing a full synchronization. If you have made substantial changes to your directory data or structure or you have recently restored your directory from a backup, click Full Synchronization.
Status – Information about synchronization activity. Status can indicate any of the following states:
Idle – Nothing is happening.
Starting – The status during a one-minute delay between saving an LDAP synchronization source and initiation of synchronization.
Rejected – The number of directory entries from the LDAP server rejected by the synchronization server. A number of LDAP transactions can be rejected when an attempt to add a group entry fails because one or more of the group members is not yet known to the LDAP synchronization service.
Click Cancel Replication.
Replication status information
When LDAP data is replicated from the Control Center to one or more Scanners, status information is generated and displayed via the Status interface in Symantec Mail Security.
To view replication status information
In the Control Center, click Status > Scanner Replication.
Item | Description
Ended | The time at which the most recent replication finished.
Size | The number of bytes of replicated data.
Troubleshooting replication
Replication will not complete until at least one LDAP synchronization source is available and synchronization has completed successfully.
If replication still stalls, restart the Control Center software and begin the entire cycle again with a full synchronization.
Configuring Control Center settings
Symantec Mail Security Control Center allows you to configure the following:
Control Center administration
Control Center certificate...
Control Center administration
You access the Control Center via a Web browser. By default anyone with the correct address and logon information has access from any host. You can choose to limit host access to the Control Center. Users attempting to log into the Control Center from unauthorized computers will see a 403 Forbidden page in their Web browser.
About specifying host names for Control Center access
When specifying host names for Control Center access, the Control Center allows clients to connect based on the Control Center's own DNS perspective. If the client's IP address resolves into a name that matches an allowed host name (a “reverse lookup”), then the Control Center permits access to the client.
See “Configuring LDAP settings” on page 36 for information on setting up LDAP services. The replication attributes on the Settings > Control Center page determine how replication operates in your installation. You can determine if replication is to take place and how often it occurs.
Reports
Spam Quarantined messages
You must supply the SMTP host IP address and port number where you want the Control Center to send information.
To specify where the Control Center should send alerts, reports, and quarantined messages
In the Control Center, click Settings >...
Configuring address masquerading Address masquerading is a method of concealing email addresses or domain names behind the mail gateway by assigning replacement values to them. Symantec Mail Security lets you implement address masquerading on inbound mail, outbound mail, or both. A typical use of address masquerading is to hide the names of internal mail hosts, so that outgoing mail appears to be coming from a different domain than that of the actual host.
Specify a mail flow direction to which this masqueraded name will apply: Inbound, Outbound, or Inbound and Outbound. Click Save.
To edit a masqueraded entry
In the Control Center, click Settings > Address Masquerading. Click the masqueraded address or domain or check a box, and then click Edit.
Original | Replacement | Direction
orig6@domain.com | new6.com | inbound/outbound
orig7.com | new7@domain.com | inbound
orig8.com | new8@domain.com | outbound
orig9.com | new9@domain.com | inbound/outbound
To import a list of masqueraded entries
In the Control Center, click Settings > Address Masquerading. Click Import. On the Import Masqueraded Entry page, enter or browse to the filename containing the list of masqueraded entries.
Alias transformation does not occur for messages passing through the Symantec MTA to the Internet. Alias transformation only applies to inbound or internal messages that pass through the Symantec MTA. The system's inbound MTA checks email addresses in the SMTP envelope to determine if any transformations are needed.
Commas or semicolons are not valid delimiters. In the import file, each line must contain an alias address followed by one or more destination addresses. Following is a sample import file:
  oak@example.com quercus@symantec-internetsecurity.com
  ops@example.com tla@example.com bmi@example.com
  bmi@example.com noadsorspam.com
To import aliases
In the Control Center, click Settings >...
On the Import Aliases page, enter or browse to the filename containing the list of aliases. Click Import. If entries in the import file are not specified correctly, do not match the required file format, or are duplicates, a message is displayed. You can click a link to download a file containing the unprocessed entries.
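The alias import format described above, as an added example that is not part of the manual or the product: a validator that applies the stated rules (one alias followed by one or more destinations per line, no commas or semicolons, duplicates rejected) and collects the unprocessed entries an administrator would download, plus the inbound envelope-recipient expansion the aliases are used for. Whitespace as the separator, bare domains as valid destinations, and single-level (non-chained) expansion are assumptions, not statements from the manual.

```python
"""Validate a Symantec Mail Security alias import file (added example).

Assumptions not taken from the manual: fields are separated by spaces or tabs,
a destination may be a full address or a bare domain (as in the manual's
sample), an entry is a duplicate when its alias address was already seen, and
expansion is applied once (aliases are not chained).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the manual's three lines followed by three deliberately
# malformed lines (comma delimiter, duplicate alias, missing destination).
SAMPLE_IMPORT = """\
oak@example.com quercus@symantec-internetsecurity.com
ops@example.com tla@example.com bmi@example.com
bmi@example.com noadsorspam.com
sales@example.com bob@example.com,carol@example.com
oak@example.com duplicate@example.com
lonely@example.com
"""

ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # local@domain.tld
DOMAIN_RE = re.compile(r"^[^@\s]+\.[^@\s]+$")           # domain.tld

Unprocessed = Tuple[int, str, str]  # (line number, raw line, reason)


def _valid_destination(token: str) -> bool:
    """A destination is either a full address or a bare domain (assumption)."""
    return bool(ADDRESS_RE.match(token) or DOMAIN_RE.match(token))


def parse_alias_import(text: str) -> Tuple[Dict[str, List[str]], List[Unprocessed]]:
    """Return (aliases, unprocessed).

    aliases maps each accepted alias address to its destinations in file order;
    unprocessed lists every rejected line with the reason, which is what the
    downloadable "unprocessed entries" file would contain.
    """
    aliases: Dict[str, List[str]] = {}
    unprocessed: List[Unprocessed] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        # The manual states commas and semicolons are not valid delimiters.
        if "," in line or ";" in line:
            unprocessed.append((lineno, raw, "commas or semicolons are not valid delimiters"))
            continue
        tokens = line.split()
        if len(tokens) < 2:
            unprocessed.append((lineno, raw, "alias must be followed by at least one destination"))
            continue
        alias, destinations = tokens[0], tokens[1:]
        if not ADDRESS_RE.match(alias):
            unprocessed.append((lineno, raw, "alias is not a valid email address"))
            continue
        bad = [d for d in destinations if not _valid_destination(d)]
        if bad:
            unprocessed.append((lineno, raw, "invalid destination(s): " + " ".join(bad)))
            continue
        if alias in aliases:
            unprocessed.append((lineno, raw, "duplicate alias"))
            continue
        aliases[alias] = destinations
    return aliases, unprocessed


def expand_envelope_recipients(recipients: List[str], aliases: Dict[str, List[str]]) -> List[str]:
    """Apply alias transformation to inbound SMTP envelope recipients.

    Matching is case-insensitive on the alias address; a recipient that is not
    an alias passes through unchanged.  Expansion is single-level (assumption).
    """
    table = {k.lower(): v for k, v in aliases.items()}
    expanded: List[str] = []
    for rcpt in recipients:
        expanded.extend(table.get(rcpt.lower(), [rcpt]))
    return expanded


if __name__ == "__main__":
    accepted, rejected = parse_alias_import(SAMPLE_IMPORT)
    for alias, dests in accepted.items():
        print(f"{alias} -> {' '.join(dests)}")
    for lineno, raw, reason in rejected:
        print(f"line {lineno} unprocessed ({reason}): {raw}")
    print(expand_envelope_recipients(["ops@example.com", "other@example.com"], accepted))
```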
In Domain or email address from which to accept inbound mail, enter a local domain, subdomain, or email address. The resulting behavior for each setting is as follows:
Setting | Syntax | Behavior
Domain name | company.com | The system accepts email for all recipients in the specified domain.
Click on the link to download a file containing the unprocessed entries.
Understanding spam settings
The following types of spam settings are available in Symantec Mail Security:
Configuring suspected spam
Choosing language identification type
Software acceleration...
80 through 89. If an incoming message receives a spam score of 83, Symantec Mail Security will consider this message to be suspected spam, and will apply the action you have in place for suspected spam messages, such as Modify the Message (tagging the subject line).
You can also type a value in the box. Under Do you want to enable Language Identification, click Yes or No: Click Yes if users will use the Symantec Outlook Spam Plug-in for language identification. Built-in language identification is disabled, and can't be accessed in the Edit Group page.
To receive Rapid Response updates
Click Settings > Virus. On the LiveUpdate tab click Enable Rapid Response updates. Symantec Mail Security checks every 10 minutes after this setting is saved. Click Save.
Working with LiveUpdate
Follow these procedures to view LiveUpdate status, start LiveUpdate, schedule LiveUpdate to run automatically, and establish a source for download of LiveUpdate virus definitions.
Configuring Bloodhound settings
The Bloodhound level determines the way in which the system uses heuristics to flag viruses. Symantec Mail Security uses Symantec Bloodhound™ heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments.
By default, when an email message arrives addressed to your domain, but is not addressed to a valid user, Symantec Mail Security passes the message to the internal mail server. The internal mail server may either accept the message and...
You can specify this size threshold and the maximum extraction level that Symantec Mail Security will process in memory, as well as a time limit for scanning containers. If the configured limits are reached, Symantec Mail Security will automatically perform the action designated for the “unscannable” category in...
Configuring content filtering settings
In addition to checking plain text files against words as defined in content-related policies, Symantec Mail Security can check attachments that are not plain-text files against dictionaries. While such checking maximizes the effect of content filtering, it can also impact the system load and slow down email filtering.
Content filtering and Email Firewall policies offer further methods of managing mail flow into and out of your organization. Symantec Mail Security provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct user groups.
Symantec virus filters.
Mass-mailing worm | Email is flagged because it contains a mass-mailing worm, based on current virus filters from Symantec.
Unscannable for viruses | Email is flagged because it exceeds the container limits configured on the Scanning Settings page, or...
Category | Verdict | Description
Spam | Spam | Email is flagged as spam, based on current spam filters from Symantec.
Spam | Suspected spam | Email from known spammers is flagged as suspected spam based on a configurable Suspected Spam Threshold.
Content | ... | Any part of a...
Table 4-1 Filtering verdicts by category (continued)
Category | Filtering Verdict | Description
Message Header | Email is flagged because it contains a particular header.
Message Size | Email is flagged because it is a particular size.
Body | Email is flagged based on the text in the body.
Deliver message to the recipient's Spam folder | Deliver the message to end-user Spam folder(s). Requires use of the Symantec Spam Folder Agent for Exchange or the Symantec Spam Folder Agent for Domino.
Forward the message...
Table 4-2 Filtering actions by verdict (continued)
Action | Description | Verdict (Directory harvest attack, Virus, Virus attack, Spam, Suspected Spam, Content Compliance)
Hold message in Suspect Virus Quarantine | Hold the message in the Suspect Virus Quarantine for a configured number of hours (default is...
Table 4-2 Filtering actions by verdict (continued)
Action | Description | Verdict (Directory harvest attack, Virus, Virus attack, Spam, Suspected Spam, Content Compliance)
Route the message | Route the message using the designated SMTP host.
Save to disk | Save the message to a standard location on the Scanner...
Table 4-2 Filtering actions by verdict (continued)
Action | Description | Verdict (Directory harvest attack, Virus, Virus attack, Spam, Suspected Spam, Content Compliance)
Strip and hold in Suspect Virus Quarantine | Remove all message attachments, hold the message with its attachments in Suspect Virus Quarantine and...
Table 4-2 Filtering actions by verdict (continued)
Action | Description | Verdict (Directory harvest attack, Virus, Virus attack, Spam, Suspected Spam, Content Compliance)
Treat as a mass-mailing worm | Process the message using the action(s) specified in the associated worm policy.
Treat as spam | Process the message using the action(s) specified in the associated spam policy.
An email message is received whose recipients include someone in the new Group Policy. Symantec Mail Security cleans the message, annotates it, then sends a notification to its intended recipients. Table 4-3 lists the limitations on combining actions within a filtering policy.
Table 4-3 Compatibility of filtering actions by verdict (continued)
Action | Compatibility with other actions | Can be added multiple times?
Clean the message | Any except Delete the message |
Defer SMTP connection | Can't be used with other actions |
Delete the message | Bounce Message... |
If the message is inbound, the group policy applied is based on the recipient.
Security risks
Symantec Mail Security can detect security risks. Security risks are programs that do any of the following:...
Table 4-4 lists the categories of security risks that Symantec Mail Security detects. Each of these risks can cause a verdict of spyware or adware.
Table 4-4 Security risk categories included in spyware or adware verdict...
Table 4-4 Security risk categories included in spyware or adware verdict (continued)
Category | Description
Spyware | Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and then relay the information back to a remote computer.
Also, lists that you create have precedence over lists created by Symantec. However, third party DNS blacklists do not have priority over all Symantec lists. In the event of a conflict between Open Proxy Senders and an entry from a DNS blacklist, Open Proxy Senders will “win.”...
Note: To edit a group member, such as to correct a typo, delete the member and add the member again. There is no edit button for group members.
To create a new Group Policy
In the Control Center, click Policies >...
domain.*
@domain.*
dom*.com
sub*.domain.com
Check the box next to one or more LDAP groups. The LDAP groups listed on this page are loaded from your LDAP server. See “Configuring LDAP settings” for information about configuring LDAP. Click Add members to add the new member(s).
To export Group Policy members to a file
In the Members tab of the Add Group page, click Export. Complete your operating system's save file dialog box as appropriate. LDAP groups cannot be imported or exported. If you export from a group that includes LDAP groups, the LDAP groups will be omitted from the export.
By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages.
Selecting spam policies for a group
Spam policies determine what to do with inbound and outbound messages that contain spam or suspected spam. See “Creating spam policies” on page 96. By default, inbound and outbound spam will be marked up with [Spam] at the beginning of subject lines, and inbound and outbound suspected spam will be marked with [Suspected Spam].
To log in, users access the same URL in their browser as Control Center administrators: https://<hostname>:41443/brightmail. The login and password for end users is the same as their LDAP login and password. For information about supported browsers, see the Symantec Mail Security Installation Guide.
The Specify language settings check box enables or disables user access to the language identification offered by Symantec Mail Security, not the Symantec Outlook Spam Plug-in. If the Symantec Outlook Spam Plug-in is installed and enabled, end users can set their language preferences using the Options dialog box accessible from the Symantec Outlook Spam Plug-in toolbar.
English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages. Note: If the Language tab in the Edit Group page is inaccessible, the Symantec Outlook Spam Plug-in has been enabled. To disable support for the Outlook Plug-in and enable support for built-in language identification, set Language Identification to No on the Spam Settings page.
Set Group Policy precedence, the order in which Group Policy membership is determined when policies are applied.
Edit Group Policy membership and actions.
Enable and disable Group Policies.
Delete Group Policies.
View Group Policy information for particular users.
“Creating groups and adding members”...
To view Group Policy information for a particular user or domain
On the Members tab of the Edit Group page, click Find User. Type an email address or domain name in the Email address box. Click Find User.
If a message contains a suspicious attachment | The message contains an attachment that, according to Symantec filters, may contain a virus or other threat.
If a message contains spyware or adware | The message contains spyware or adware.
Select the desired action. See Table 4-2 on page 72. For some actions you need to specify additional information in fields that appear below the action. When using the Save to disk action on Solaris, Linux, or Windows, you must specify a writeable directory.
In the Policy name box, type a name for the spam policy. This name appears on the Spam Policies page, and on the Spam tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique.
If desired, add more actions. See Table 4-3 on page 79. Click Save.
Creating compliance policies
Using the Content Compliance Policies page, you can add, edit, copy, delete, and enable or disable compliance policies. You can also change the precedence of compliance policies by changing their location in the list on this page.
When you are sure the compliance policies are working correctly, you can adjust the action. Sieve scripts cannot be imported, including those created in previous versions of Symantec or Brightmail software. There is no limit to the number of conditions per compliance policy. Conditions can't be nested.
Spammers usually "spoof" or forge some of the visible headers and the usually invisible envelope information. Sometimes they forge header information using actual email addresses or domains of innocent people or companies. Use care when creating filters against spam you've received.
Page 101
If you tested that a subject contains this string: inkjet cartridge. Then any message subject containing these strings would not match: i n k j e t c a r t r i d g e, inkjet cartridge...
Page 102
Table 4-7, Compliance conditions (continued). Condition: Envelope recipient. Test against: Recipient in message envelope. Examples: jane, example.com, jane@example.com. Condition: Envelope sender. Test against: Sender in message envelope. Examples: jane, example.com, jane@example.com. Condition: For all messages. Test against: All email not filtered by a higher precedence policy is... Examples: (Not applicable).
Page 102
Table 4-7, Compliance conditions (continued). Condition: To: address. Test against: To: message header. Examples: jane, example.com, jane@example.com. Condition: To:/Cc:/Bcc: address. Test against: To:, Cc:, and Bcc: message headers. Examples: jane, example.com, jane@example.com. The following table shows the additional fields available when you add a condition. Table 4-8, Additional fields for adding conditions. Condition...
Page 104
To use regular expressions that behave like Perl regular expressions, click “matches regular expression” or “does not match regular expression” for either of the condition options that offer you that choice. Symantec Mail Security wraps your regular expression in two forward slashes.
Page 105
Note: Symantec Mail Security uses two different types of analysis in scanning for messages that match your criteria. If you specify a condition using a regular expression, a regular expression analysis is performed. If you specify a condition using a keyword or dictionary, a text search is performed.
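The difference between the two analysis types matters for evasion such as the spaced-out subject shown earlier. The following Python example is added here and is not code from the guide or from Symantec: it models a keyword condition as a case-insensitive substring test, models a regular-expression condition with Python's Perl-like re module (accepting and stripping the surrounding forward slashes the product adds), and builds a regex that tolerates characters inserted between letters. The sample subjects and the helper names are constructed for illustration.

```python
import re


def keyword_condition(text: str, keyword: str) -> bool:
    """Text search: case-insensitive substring match, as used for keyword
    and dictionary conditions. Extra characters between letters defeat it."""
    return keyword.lower() in text.lower()


def regex_condition(text: str, pattern: str) -> bool:
    """Regular-expression analysis. Python's re syntax is Perl-like; the
    product stores the pattern wrapped in forward slashes, so strip them."""
    if len(pattern) >= 2 and pattern[0] == "/" and pattern[-1] == "/":
        pattern = pattern[1:-1]
    return re.search(pattern, text, re.IGNORECASE) is not None


def spaced_out_pattern(phrase: str) -> str:
    """Regex that matches `phrase` even when non-word characters (spaces,
    dots, dashes) are inserted between its letters. Whitespace inside the
    phrase is dropped, so 'inkjet cartridge' also matches 'inkjetcartridge'."""
    letters = [re.escape(ch) for ch in phrase if not ch.isspace()]
    return r"\W*".join(letters)


# Constructed sample subjects (not taken from real mail).
SUBJECTS = [
    "Cheap inkjet cartridge refills",
    "C h e a p   i n k j e t   c a r t r i d g e refills",
    "Ink-jet cart.ridge sale",
    "Quarterly report attached",
]


def evaluate(subjects, phrase):
    """For each subject return (subject, keyword_hit, regex_hit)."""
    wrapped = "/" + spaced_out_pattern(phrase) + "/"  # as the product would store it
    return [
        (s, keyword_condition(s, phrase), regex_condition(s, wrapped))
        for s in subjects
    ]


if __name__ == "__main__":
    for subject, kw_hit, rx_hit in evaluate(SUBJECTS, "inkjet cartridge"):
        print(f"keyword={kw_hit!s:5} regex={rx_hit!s:5}  {subject}")
```

The keyword test hits only the first subject; the regex also catches the spaced and punctuated variants and still ignores the unrelated subject. The price of `\W*` is a wider net: a pattern built from "a.b" also matches "a-b", so test such patterns against legitimate mail before attaching a blocking action, as the compliance-policy text advises.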
Page 106
In the Policy name box, type a name for the compliance policy. This name appears on the Content Compliance Policies page, and in the Compliance tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique.
Proxy Senders, Suspected Spammers, and Safe Senders lists maintained by Symantec. Sender authentication provides a way to block forged email. Configuring attack recognition Symantec Mail Security can detect the following types of attacks originating from a single SMTP server (IP address): Directory harvest...
Configuring email filtering Managing Email Firewall policies Virus attack: A specified quantity of infected messages has been received from a particular IP address. By default, connections received from violating senders are deferred. Enable, disable, and configure attack recognition: Set up attack recognition as described in the following sections. All attack recognition types are disabled by default and must be enabled to be activated.
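As an added illustration of the per-IP counting behind attack recognition (not code from the guide or the product), the following Python models a sliding-window counter per source IP for two of the attack types named above: directory harvest attacks, seen as a burst of deliveries to unknown recipients from one IP, and virus attacks, seen as infected messages from one IP. The thresholds, the one-minute window, the log line format and the addresses are constructed assumptions; the product's actual values are set in the Control Center. As in the product, no attack type counts until it is enabled.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> <source IP> <event>".
# Events: rcpt-ok, rcpt-unknown (delivery to a non-existent recipient), virus.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.9 rcpt-unknown
2024-05-01T10:00:02 203.0.113.9 rcpt-unknown
2024-05-01T10:00:03 203.0.113.9 rcpt-unknown
2024-05-01T10:00:04 203.0.113.9 rcpt-unknown
2024-05-01T10:00:05 203.0.113.9 rcpt-unknown
2024-05-01T10:00:06 198.51.100.4 rcpt-ok
2024-05-01T10:00:07 198.51.100.4 rcpt-unknown
2024-05-01T10:03:00 203.0.113.9 rcpt-unknown
2024-05-01T10:05:00 192.0.2.77 virus
2024-05-01T10:05:10 192.0.2.77 virus
2024-05-01T10:05:20 192.0.2.77 virus
"""

# Which log events feed which attack type.
EVENT_TO_ATTACK = {"rcpt-unknown": "directory_harvest", "virus": "virus_attack"}


class AttackRecognizer:
    """Sliding-window event counters keyed by (source IP, attack type)."""

    def __init__(self, window_seconds=60, thresholds=None):
        self.window = timedelta(seconds=window_seconds)
        # Hypothetical thresholds: events per window from one IP that count as an attack.
        self.thresholds = thresholds or {"directory_harvest": 5, "virus_attack": 3}
        # All attack types are disabled by default and must be enabled explicitly.
        self.enabled = {kind: False for kind in self.thresholds}
        self.events = defaultdict(deque)

    def enable(self, kind):
        self.enabled[kind] = True

    def record(self, ts, ip, kind):
        """Count one event; return 'defer' if ip is now over the threshold for kind."""
        q = self.events[(ip, kind)]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if self.enabled[kind] and len(q) >= self.thresholds[kind]:
            return "defer"
        return "accept"


def replay(log_text, recognizer):
    """Run the recognizer over log lines; return (timestamp, ip, verdict) per line."""
    verdicts = []
    for line in log_text.splitlines():
        ts_text, ip, event = line.split()
        kind = EVENT_TO_ATTACK.get(event)
        if kind is None:
            verdict = "accept"  # event feeds no attack type
        else:
            verdict = recognizer.record(datetime.fromisoformat(ts_text), ip, kind)
        verdicts.append((ts_text, ip, verdict))
    return verdicts


def deferred_ips(log_text, recognizer):
    """Source IPs that crossed a threshold at least once during the replay."""
    return {ip for _, ip, v in replay(log_text, recognizer) if v == "defer"}


if __name__ == "__main__":
    r = AttackRecognizer()
    r.enable("directory_harvest")
    r.enable("virus_attack")
    for ts, ip, verdict in replay(SAMPLE_LOG, r):
        print(ts, ip, verdict)
```

With both types enabled, 203.0.113.9 is deferred on its fifth unknown recipient within a minute but not on the lone one three minutes later, the single bad recipient from 198.51.100.4 is accepted, and 192.0.2.77 is deferred on its third infected message. The product defers the offending connection rather than marking individual events as this example does.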
Page 109
90. Alternatively, you can deploy the Symantec Outlook Spam Plug-in. With the Symantec Outlook Spam Plug-in, users can easily create personal lists of blocked and allowed senders from within their Outlook mail client. The Plug-in imports information from the Outlook address book to populate the personal Allowed Senders List.
Page 110
Symantec Mail Security to use a third-party sender list, Symantec Mail Security checks whether the sending mail server is on the list. If so, Symantec Mail Security performs a configured action, based on the policies in place. About Allowed and Blocked Senders Lists The following sections provide important information about the Allowed Senders Lists and Blocked Senders Lists.
Page 111
IP-based Blocked Senders List. How Symantec Mail Security identifies senders and connections The following sections provide details about the Allowed Senders Lists and Blocked Senders Lists. Supported Methods for Identifying Senders...
Page 112
Method: IP-based. Notes: Specify IP connections. Symantec Mail Security checks the IP address of the mail server initiating the connection to verify whether it is on your Allowed Senders Lists or Blocked Senders Lists. Wildcards are not supported. Although you can use network...
Page 113
Your network is based on the internal address ranges that you supply to Symantec Mail Security when setting up your Scanners. This is why it is important that you accurately identify all the internal mail hosts in your network.
Page 114
Click Add. In the Add Sender Group Members page, supply the information appropriate for the current Allowed Sender group. “How Symantec Mail Security identifies senders and connections” on page 111. Click Save. Modify the default action for messages originating from allowed senders (Deliver message normally) if desired.
Page 115
You may need to periodically disable and then re-enable senders from your list for troubleshooting or testing purposes or if your list is not up to date. Symantec Mail Security will treat mail from a sender that you've disabled just as it would any other message.
Page 116
The maximum number of sender lines per file when importing senders is 500,000. To add more (up to the limit noted below), divide senders into multiple files and import multiple times. The maximum number of total allowed and blocked senders that can be stored is 650,000.
Page 117
RS: spammer@example.com
BL: sbl.spamhaus.org
# Example notations for disabled and enabled entries follow
RS: rejectedspammer@example.com:-
RS: rejectedspammer2@example.com:+
The following table lists the attributes and the syntax for the values. Attribute: AC. Description: Allowed connection or network. Specify a numerical IP address, ... Examples: AC:76.86.37.45, AC:76.86.37.45/255.255.255.0...
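To show what a correctly formatted import file looks like once parsed, here is an added Python example; it is not the product's importer. It accepts the notation shown above (a two-letter attribute, a colon, the value, and an optional :- or :+ suffix marking an entry disabled or enabled, with # comment lines ignored), normalizes AC values to CIDR networks, enforces the 500,000-line per-file limit stated earlier, and answers whether a connecting IP is covered by an enabled AC entry. The sample file is constructed. Only AC (allowed connection or network) is defined on this page; the meanings assumed here for RS (rejected sender address) and BL (third-party block list) are assumptions. IPv6 values, which contain colons, are not handled.

```python
import ipaddress
import re
from dataclasses import dataclass

MAX_LINES_PER_FILE = 500_000  # per-file import limit stated in the guide

# "<ATTR>:<value>" with optional whitespace after the colon and an optional
# trailing ":-" (disabled) or ":+" (enabled). IPv6 values are not supported here.
LINE_RE = re.compile(r"^([A-Z]{2}):\s*(.+?)(?::([+-]))?$")


@dataclass
class SenderEntry:
    attribute: str  # e.g. "AC", "RS", "BL"
    value: str      # for AC: normalized CIDR network
    enabled: bool


def parse_sender_line(line: str):
    """Parse one line; return None for blank/comment lines, raise on bad syntax."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"malformed sender line: {line!r}")
    attr, value, flag = m.groups()
    if attr == "AC":
        # Accept "a.b.c.d" or "a.b.c.d/netmask" (dotted mask or prefix length);
        # strict=False lets host bits be set, as in the guide's /255.255.255.0 example.
        value = str(ipaddress.ip_network(value, strict=False))
    return SenderEntry(attr, value, flag != "-")


def parse_sender_file(text: str):
    """Parse a whole import file, rejecting files over the per-file line limit."""
    lines = text.splitlines()
    if len(lines) > MAX_LINES_PER_FILE:
        raise ValueError("split the file: more than 500,000 lines")
    entries = []
    for raw in lines:
        entry = parse_sender_line(raw)
        if entry is not None:
            entries.append(entry)
    return entries


def connection_allowed(ip: str, entries) -> bool:
    """True if ip falls inside any enabled AC network; disabled entries never match."""
    addr = ipaddress.ip_address(ip)
    return any(
        e.attribute == "AC" and e.enabled and addr in ipaddress.ip_network(e.value)
        for e in entries
    )


# Constructed sample import file using the notation shown above.
SAMPLE_FILE = """\
# constructed example, not a real list
RS: spammer@example.com
BL: sbl.spamhaus.org
RS: rejectedspammer@example.com:-
RS: rejectedspammer2@example.com:+
AC:76.86.37.45
AC:76.86.37.45/255.255.255.0
AC:10.0.0.0/255.0.0.0:-
"""

if __name__ == "__main__":
    for entry in parse_sender_file(SAMPLE_FILE):
        print(entry)
    print("76.86.37.200 allowed:", connection_allowed("76.86.37.200", SAMPLE_FILE and parse_sender_file(SAMPLE_FILE)))
```

Note that the /255.255.255.0 entry becomes 76.86.37.0/24, so any host on that network is treated as an allowed connection, not just 76.86.37.45; check the mask before importing, since an over-wide AC entry bypasses the blocked-sender checks for every host it covers.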
Page 118
Ensure that the sender information is formatted correctly. “How Symantec Mail Security identifies senders and connections” on page 111. Symantec Mail Security merges data from the imported list with the existing sender information. Click Save. To export sender information from your Blocked Senders Lists or Allowed Senders Lists In the Control Center, click Policies >...
Sender Policy Framework (SPF) or the Sender ID standard. This can reduce spam because spammers often attempt to forge the mail server name to evade discovery. Symantec Mail Security checks the sending IP address against the published DNS record for the named mail server. If the DNS record includes a hard outbound email policy (one that requires compliance, such as an SPF record ending in -all) and the sending IP address does not match it, the specified action is taken on the message.
Configuring email filtering Managing policy resources Under Authentication Types, check Sender Policy Framework (SPF), Sender ID, or both. To choose domains to authenticate, click Authenticate only the following domains, or to authenticate all domains, skip to step 6. Click Add, type a domain name, and click Save to add domains to the list. Optionally, you can click on a domain or check the domain and click Edit to edit the spelling of a domain you already added.
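How the hard-policy check plays out, as an added example that is not the product's code: a deliberately simplified SPF evaluator in Python that reads the sender domain's record from a constructed, in-memory table instead of DNS and understands only the ip4, ip6, include and all mechanisms with their qualifiers. The a, mx, ptr and exists mechanisms, redirect= and macros (all part of RFC 7208) are omitted, and Sender ID's choice of the PRA header is not modeled; the domain is simply the one passed in. Records and addresses are invented. Only an explicit hard fail (a record ending in -all) triggers the configured action, mirroring the behaviour described above.

```python
import ipaddress

# Constructed TXT records; in production these come from DNS lookups.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "softfail.example.org": "v=spf1 ip4:203.0.113.0/24 ~all",
    "nospf.example.org": "",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sending_ip, records=TXT_RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sending_ip against domain."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no policy published for this domain
    if depth > 10:
        return "permerror"  # include loop or excessive nesting
    addr = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            inner = check_spf(term[8:], sending_ip, records, depth + 1)
            if inner == "permerror":
                return "permerror"
            if inner == "pass":  # include matches only on an inner pass
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists and redirect= are not implemented in this example
    return "neutral"  # nothing matched and no 'all' term present


def spf_action(domain, sending_ip, records=TXT_RECORDS, action="reject"):
    """Apply the configured action only on a hard fail; everything else is delivered."""
    return action if check_spf(domain, sending_ip, records) == "fail" else "deliver"


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.7"), ("example.com", "203.0.113.5"),
                    ("softfail.example.org", "198.51.100.1"), ("nospf.example.org", "192.0.2.1")]:
        print(dom, ip, check_spf(dom, ip), "->", spf_action(dom, ip))
```

A softfail (~all) or a domain with no record yields "deliver" here, which is why a forged sender from a domain that has not published a hard policy is not caught by this check alone; the sender lists and attack recognition described earlier remain necessary.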
Page 121
Table 4-12, Inline annotation behavior. If these MIME parts are found: Text only. And annotations have been specified: Plain text only. Then: Plain text annotation is added to the message. If these MIME parts are found: Text only. And annotations have been specified: Plain text and HTML. Then: Plain text annotation is added to the message;...
the annotation to the end of the message body. If you prepend, you may want to end your annotation text with a blank line or a line of dashes, to provide a clear boundary before the beginning of the message body. To add a new annotation: In the Control Center, click Policies >...
Page 123
Specifying an archive tag adds an X-archive: header to archived messages followed by your text. The X-archive: header may be useful to sort archived messages when viewing them with an email client. However, Symantec Mail Security itself does not use the X-archive: header. If multiple policies result in archiving the same message, each unique X-archive: header is added to the message.
Example: X-archive: Docket 53745. To specify an archive tag: When configuring a virus, spam, or compliance policy, click Archive the message. In the Optional archive tag box, type the text that should follow the X-archive: header.
Page 125
Table 4-13, Attachment characteristics for attachment lists. Characteristic: True file type. Description: Specifies an attachment type based on direct inspection of the type of file. You can use this to match files whose extensions may not accurately reflect their true file types. Examples: Microsoft Word for Windows.
Configuring dictionaries A dictionary is a list of keywords, keyphrases, or both that emails are checked against. Symantec Mail Security evaluates matches to a dictionary using substring text analysis, not regular expression analysis. Symantec Mail Security includes the following predefined dictionaries, which can be edited.
Page 127
When adding words to a dictionary, keep in mind that some words can be considered both profane and legitimate, depending on the context. Symantec Mail Security does not search for dictionary matches in the HTML headers or tags of HTML messages or HTML attachments.
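To make the two statements above concrete, here is an added Python example that is not the product's code. It imports a newline-delimited dictionary as described in the import procedure, extracts only the visible text of an HTML message with the standard library's HTMLParser so that tag names, attribute values and the head section are never searched, and then applies substring text analysis rather than a regular expression. Comparing the result with a naive search over the raw HTML shows which matches the tag exclusion removes. The message and dictionary are constructed, and the exact parts the product excludes may differ from what this parser skips.

```python
from html.parser import HTMLParser


class VisibleText(HTMLParser):
    """Collect only the rendered text of an HTML part. Tag names, attribute
    values and the contents of <head>, <script> and <style> are skipped."""

    SKIP = ("head", "script", "style")

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html_body: str) -> str:
    """Return the text a mail client would display, without markup."""
    parser = VisibleText()
    parser.feed(html_body)
    parser.close()
    return " ".join(parser.parts)


def load_dictionary(text: str) -> list:
    """Newline-delimited import: one keyword or phrase per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def dictionary_matches(text: str, words) -> list:
    """Substring text analysis (not regex), case-insensitive; returns matched entries."""
    lowered = text.lower()
    return [w for w in words if w.lower() in lowered]


def scan_html_message(html_body: str, dictionary_text: str) -> list:
    """Match a dictionary against an HTML message as the guide describes:
    HTML headers and tags are not searched, only the visible text."""
    return dictionary_matches(visible_text(html_body), load_dictionary(dictionary_text))


# Constructed HTML message and dictionary file contents.
HTML_MESSAGE = """<html><head><title>confidential pricing</title></head>
<body><p>Hi Jane,</p><p>Attached is the <b>draft</b> contract.</p>
<img src="http://example.com/lottery.gif" alt="lottery winner"></body></html>"""

DICTIONARY_FILE = "confidential\nlottery\ncontract\n\n"

if __name__ == "__main__":
    print("visible text only:", scan_html_message(HTML_MESSAGE, DICTIONARY_FILE))
    print("raw HTML (naive):", dictionary_matches(HTML_MESSAGE, load_dictionary(DICTIONARY_FILE)))
```

Searching the visible text finds only "contract"; the naive search over the raw HTML also reports "confidential" (from the title element) and "lottery" (from an image attribute). The second behaviour is what a sender could exploit in reverse: a keyword hidden in markup is not evidence of what the recipient reads, and a keyword in the visible text can still be obfuscated with inserted characters, which substring analysis does not catch.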
Click Import. The dictionary keywords or phrases in the text file should be newline delimited: each keyword or phrase should be on a separate line. Click Save. Editing a dictionary: Edit an existing dictionary to add or delete keywords. To edit a dictionary: In the Control Center, click Policies >...
Page 129
Under Send to, check one or more of the following: Sender: check this box to send the notification to the sender listed in the message envelope (not the sender listed in the From: header). Recipients: check this box to send the notification to the recipients listed in the message envelope (not the recipients listed in the To: header). Because spammers usually forge the envelope sender as well as the visible headers, a notification sent to the sender of a message caught by a spam or virus policy may go to an innocent third party whose address was forged.
Cases in which you might use Spam Quarantine include: your company policy requires it; after initial installation of Symantec Mail Security; after lowering the Suspected Spam Threshold in Settings > Spam; when creating or changing a spam policy. If the number of false positives is acceptable, you can later change your spam policy to delete spam, suspected spam, or both rather than quarantine it.
Working with Spam Quarantine Delivering messages to Spam Quarantine If false positives are high, continue to quarantine spam messages as you tune your Suspected Spam Threshold and spam policies. Delivering messages to Spam Quarantine: To use Spam Quarantine, check that your system is configured as follows: One or more groups must have an associated filter policy that quarantines messages.
This action also removes the message from Spam Quarantine. Depending on how you configured Spam Quarantine, a copy of the message may also be sent to an administrator email address (such as yourself), Symantec, or both. This allows the email administrator or Symantec to monitor the effectiveness...
Page 134
Working with Spam Quarantine Working with messages in Spam Quarantine for administrators To delete individual messages Click on the check box to the left of each message to select a message for deletion. When you've selected all the messages on the current page that you want to delete, click Delete.
When you navigate to a different page of messages, the status of the check boxes in the original page is not preserved. For example, if you select three messages in the first page of messages and then move to the next page, when you return to the first page, all the message check boxes are cleared again.
Page 136
This also removes the message from Spam Quarantine. Depending on how you configured Spam Quarantine, a copy of the message may also be sent to an administrator email address (such as yourself), Symantec, or both. This allows the email administrator or Symantec to monitor the effectiveness of Symantec Mail Security.
To return to the message list, click Back To Messages. To display all headers available to Spam Quarantine, click Display Full Headers.
Page 138
To search the message envelope "To" recipient: Type in the To box to search the envelope recipient (RCPT TO:) of all messages for the text you typed. You can search for a display name, the user name portion of an email address, or any part of a display name or email user name.
Page 139
To search using a time range: Choose a time range from the Time Range list to show all messages received during that time range. Search details: The search function is optimized for searching a large number of messages. However, this can lead to unexpected search results.
Working with Spam Quarantine Configuring Spam Quarantine Differences between the administrator and user search pages: The pages displayed for administrators and other users on your network have the following differences: Quarantine administrators can search for recipients. In the Search Results page, users can only delete their own quarantined messages.
Click Add Action. Click Save. “Creating groups and adding members” on page 84. Configuring the Spam Quarantine port for incoming email: By default, Spam Quarantine accepts quarantined messages from the Scanner on port 41025. To specify a different port: In the Control Center, click Settings >...
By default, when users click on the Need help logging in? link on the Control Center login page, online help from Symantec is displayed in a new window. You can customize the login help by specifying a custom login help page. This change only affects the login help page, not the rest of the online help.
Unless you quarantine spam only, you should not check the Symantec Security Response box. Symantec Security Response will take no action on submissions of content compliance policy violations.
Page 144
In this text, distribution list is used to mean an email address that translates to two or more email addresses. Symantec Mail Security does not deliver a spam message sent to a distribution list in the intended recipients' Spam Quarantine mailboxes. Instead, the message is delivered to a special Spam Quarantine mailbox for that distribution list.
Page 145
Separate notification templates for standard and distribution list messages: By default, the notification templates for standard quarantined messages and quarantined distribution list messages are different. This allows you to customize the notification templates for each type of quarantined message. Changing the notification digest frequency: To change the frequency at which notification messages are sent to users, follow the steps below.
Page 146
Table 5-1 describes the variables that are replaced with the information described in the Description column. You can reposition each variable in the template or remove it. Table 5-1, Notification Message Variables. Variable: %NEW_MESSAGE_COUNT%. Description: Number of new messages in the user's Spam...
Page 147
In the Subject box, type the text that should appear in the Subject: header of notification digests, such as "Your Suspected Spam Summary." Don't put message variables in the Subject box; they won't be expanded. The Send from and Subject settings are the same for both the user notification template and the distribution list notification template.
Page 148
To choose a notification format: In the Control Center, click Settings > Quarantine. If needed, click the Spam tab. Under Notification Settings, click one of the following items in the Notification format list: Multipart (HTML ...): Send notification messages in MIME multipart format.
Configuring the Spam Quarantine Expunger: The Spam Quarantine Expunger runs periodically to delete messages. You can configure the amount of time spam messages are kept before being deleted, the frequency of deletion, and the deletion start time. Setting the retention period for messages: To change the amount of time spam messages are kept before being deleted, follow the steps below.
Specifying Spam Quarantine message and size thresholds: Table 5-2 describes options to limit the number of messages in Spam Quarantine or the size of Spam Quarantine, and configure Spam Quarantine threshold settings. Table 5-2, Spam Quarantine Thresholds. Columns: Threshold, Description...
Page 151
Message "The operation could not be performed" is displayed: Rarely, you or users at your organization may see the following message displayed at the top of the Spam Quarantine page while viewing email messages in Spam Quarantine: The operation could not be performed.
Page 152
If Spam Quarantine can't determine the proper recipient for a message received by Symantec Mail Security, it delivers the message to a postmaster mailbox accessible from Spam Quarantine. Alternatively you can specify Delete message sent to unresolved email addresses in Settings > Quarantine. Your network may also have a postmaster mailbox you access using a mail client that is separate from the Spam Quarantine postmaster mailbox.
Page 153
Specify additional filters as needed. Click Display Filtered. Error in log file due to running out of disk space: If you check the log file as described in "Checking the Control Center error log" and see lines similar to those listed below, make sure that you haven't run out of disk space where Spam Quarantine is installed.
Page 154
Check the check box for The Schema may be modified on this Domain Controller. If replication to the Global Catalog cannot be modified as described above, contact your Symantec representative for a work-around. Duplicate messages appear in Spam Quarantine You may notice multiple copies of the same message when logged into Spam Quarantine as an administrator.
Page 155
Copies of misidentified messages aren't delivered to administrator: If you typed an email address in the Administrator box under Misidentified Messages on the Quarantine Settings page but messages aren't delivered to the email address, make sure the email address is not an email alias. The administrator email address for misidentified messages must be a primary email address including the domain name, such as admin@example.com...
Page 156
Chapter Working with Suspect Virus Quarantine This chapter includes the following topics: About Suspect Virus Quarantine Routing messages to Suspect Virus Quarantine Accessing Suspect Virus Quarantine Configuring Suspect Virus Quarantine About Suspect Virus Quarantine Suspect Virus Quarantine provides short-term storage of messages that are suspected to contain virus-infected attachments.
Working with Suspect Virus Quarantine Accessing Suspect Virus Quarantine Strip and hold message in Suspect Virus Quarantine Apply the policy to one or more groups. For example, you can create a virus policy called potential_virus that delays messages containing suspicious attachments and set it as the inbound and outbound suspicious attachment message policy for the Default group.
Page 159
To sort messages: Click the To, From, Subject, or Date column heading to select the column by which to sort. A triangle appears in the selected column that indicates ascending or descending sort order.
To search messages: Type a search value in one or more of the fields. Click Display Filtered to search messages for a specific recipient, sender, subject, or date range. “Searching messages” on page 160.
Page 161
You can search for a display name, the user name portion of an email address, or any part of a display name or email user name. If you type a full email address in the To box, Symantec Mail Security searches only for the user name portion of the address.
Working with Suspect Virus Quarantine Configuring Suspect Virus Quarantine You can use * (asterisk) to perform wildcard searches. It also functions as a logical AND character. In addition, you can search on special characters such as & (ampersand), ! (exclamation point), $ (dollar sign), and # (pound sign). To search for exact phrases, enclose the phrase in "...
To disable the Quarantine port, type 0 in the Spam and Suspect Virus Quarantine Port box. Disabling the Spam and Suspect Virus Quarantine port is appropriate if your computer is not behind a firewall and you're concerned about security risks.
Page 164
Chapter Testing Symantec Mail Security This chapter includes the following topics: Verifying normal delivery Verifying spam filtering Testing antivirus filtering Verifying filtering to Spam Quarantine Verifying normal delivery You can verify whether the Windows SMTP Service or your installed MDA is working properly with the Scanner to deliver legitimate mail by sending an email to a user.
Testing Symantec Mail Security Testing antivirus filtering To test spam filtering with subject line modification Create a POP3 account on your Mail Delivery Agent (MDA). For the SMTP Server setting on this account, specify the IP address of an enabled Scanner.
Verifying filtering to Spam Quarantine: If you configure Symantec Mail Security to forward spam messages to Spam Quarantine as described below, you should see spam messages when you enter Spam Quarantine. There can be a slight delay until the first spam message arrives, depending on the amount of spam received at your organization.
Page 168
Testing Symantec Mail Security Verifying filtering to Spam Quarantine Send a message to the same account that is not spam and that does not contain any viruses. In the Control Center, click Quarantine > Spam Quarantine. Click Show Filters and type Test Spam Message in the Subject: box.
Chapter Configuring alerts and logs This chapter includes the following topics: About alerts; Viewing logs; About logs. About alerts: Alerts are automatic email notifications sent to inform system administrators of conditions that potentially require attention. You can choose the types of alerts sent, the From: header shown in alerts, and the order in which administrators...
Page 170
Antivirus license expired: Your antivirus license is approaching expiration. Another alert is sent when your license expires. Contact your Symantec sales representative for assistance. Antispam license expired: Your antispam license is approaching expiration. Another alert is sent when your license expires.
Configuring alerts and logs Viewing logs Alert settings (continued) Table 8-1 Alert setting Explanation Service start A service was started. Configuring alerts Follow these procedures to configure alerts. To specify which administrators receive alerts In the Control Center, click Administration. In the Administrators list, click the name of an administrator.
Table 8-2, View Logs page (continued). Item: Severity (drop-down). Description: Select a severity level from the list. This option is only available for Scanner logs. Item: Time range (drop-down). Description: Select a time range from the list or create a custom time range. If you have recently changed the time zone on the Control Center, the change is not reflected immediately; you must stop and restart Tomcat or reboot the system.
Display, wait a few minutes then click Display again. About logs You can configure log settings for Symantec Mail Security components on each Scanner in your system, and choose the severity of errors you want written to the...
Page 174
Configuring alerts and logs About logs Table 8-3, Log Settings page (continued). Item: Conduit. Description: Set the logging level for the Conduit. Item: Filter Engine. Description: Set the logging level for the Filter Engine. Item: LiveUpdate Scheduler. Description: Set the logging level for the LiveUpdate Scheduler. Item: Mail Transfer Agent. Description: Set the logging level for the Mail Transfer Agent.
Page 175
To trace the path of particular messages through the mail flow, under Message Tracking Logs click Enable message logs. To enable logging to the System Event Viewer running on Windows or to Syslog running on Unix or Linux, check Enable logging to Event Viewer/Syslog. Click Save to save your settings.
Page 176
Printing, saving, and emailing reports Scheduling reports to be emailed About reports Symantec Mail Security reporting capabilities provide you with information about filtering activity at your site, including the following features: Analyze consolidated filtering performance for all Scanners and investigate spam and virus attacks targeting your organization.
The third column in each table lists the reporting data that you must instruct Symantec Mail Security to track before you can generate the specified report. You can choose from a selection of reports, all of which can be customized to include specific date ranges, time-period grouping per row, and email delivery.
Page 179
Working with Reports Choosing a report Note: If any Scanners are accepting relayed messages from a gateway computer, the SMTP HELO name or IP connection address will be the name or connection of the gateway computer, rather than the external Internet address you might expect.
Page 180
Table 9-1, Available Message reports (continued). Report type: Specific Senders. Displays: Number of messages processed for a sender email address that you specify. For each grouping, the total processed and number of virus and spam messages are listed. Required data storage options: Senders, Sender domains.
Page 181
Table 9-2, Available Virus reports. Report type: Overview. Displays: A summary of total messages that matched filters for each virus type. For each grouping, the virus-to-total-processed percentage, total processed, and the number of viruses, suspected viruses, worms, unscannable messages, scan errors, malware (spyware/adware), encrypted attachment, and... Required data storage options: None.
Page 182
Table 9-2, Available Virus reports (continued). Report type: Top Recipient Domains. Displays: Recipient domains for which the most virus messages have been detected. For each recipient domain, the virus-to-total-processed percentage, total processed, and the number of viruses, worms, and unscannable messages are listed. Required data storage options: Recipient domains.
Page 183
Table 9-3, Available Spam reports (continued). Report type: Top Senders. Displays: Email addresses from which the most spam messages have been detected. For each email address, the spam-to-total-processed percentage, total processed, and the number of spam, suspected spam, blocked, and allowed messages are listed. Required data storage options: Senders, Sender domains.
Page 184
Table 9-3, Available Spam reports (continued). Report type: Top Recipients. Displays: Email addresses for which the most spam messages have been detected. For each email address, the spam-to-total-processed percentage, total processed, and the number of spam, suspected spam, blocked, and allowed messages are listed. Required data storage options: Recipients, Recipient domains.
Page 185
Table 9-4, Available Content Compliance reports (continued). Report type: Top Sender HELO Domains. Displays: SMTP HELO domain names from which the most compliance matches have been detected. For each HELO domain, the total messages processed and number and percentage of content-compliance... Required data storage options: Sender HELO domains.
Page 186
Table 9-5, Available Attack reports. Report type: Overview. Displays: Total messages processed and number and percentage of directory harvest, spam, and virus attacks. Required data storage options: None. Report type: Top Directory Harvest Attacks. Displays: IP addresses from which the most directory harvest attacks have been detected. Required data storage options: Sender IP.
Page 187
Table 9-6, Available Sender Authentication reports (continued). Report type: Top Succeeded Senders. Displays: Email addresses from which the most successful sender authentication attempts have been detected. For each email address, the total messages processed and number and percentage of successful sender authentication attempts are listed. Required data storage options: Senders.
20 items. Setting the retention period for report data You can specify the number of days or weeks that Symantec Mail Security should keep track of report data. Depending on your organization's size and message volume, the disk storage requirements for reports data could be quite large. You should monitor the storage required for reporting over time and adjust the retention period accordingly.
In the Control Center, click Settings > Reports. Under Report Expunger Settings, use the Time to store report data before deleting drop-down lists to choose how long Symantec Mail Security will keep your reporting data. Optionally, you can click Clear All to remove all report data stored to date.
Working with Reports Saving and editing Favorite Reports For reports that rank results, such as Spam: Top Senders, specify the maximum number of entries you want to display for each time range specified in the Group by drop-down list. For some reports, you can choose columns to include or exclude. Click Column Selection to display or hide the column names, then check the columns you want to include.
Troubleshooting report generation Check the following information if you're having trouble with reports. No data available for the report type specified Instead of displaying the expected reports, Symantec Mail Security might display the following message: No data is available for the report type and time range specified.
Scanner receives and marks a message as spam at 5:30pm local time on April 23, Friday (12:30am, April 24, Saturday GMT). When generating the report, Symantec Mail Security determines what day the email belongs to based on where the report is generated. If the Control Center is in Greenwich, the resulting report counts it in GMT (the local time zone) so it increases the spam count for April 24.
Working with Reports Printing, saving, and emailing reports this situation and list one of the 12 recipients, the processed count will include this message and, if the message matches the filters for spam, the spam count includes the message, too. Recipient count equals message count: For reports that list the number of recipients, each received message counts as one message, even if the same recipient receives more than one message.
Working with Reports Scheduling reports to be emailed Emailing Type an email address to which to send the report. To send a report to multiple email recipients, separate each email address with a comma, semi-colon, or space. Scheduled reports are also emailed. “Scheduling reports to be emailed”...
Page 195
To schedule a report: Ensure that you have configured Symantec Mail Security to track the appropriate data for the report (see “Selecting report data to track” on page 178). In the Control Center, click Reports > Scheduled Reports.
Page 196
To edit a scheduled report: In the Control Center, click Reports > Scheduled Reports. Check the box next to the scheduled report that you want to edit, and then click Edit. You can also click the underlined report name to jump directly to the edit page for the report.
Periodic system maintenance. Getting status information: Symantec Mail Security provides a comprehensive means of checking and displaying system, host, and message status. Status information is combined with options for changing what is displayed, as well as with actions you can take based on the information shown.
:59 minutes will be displayed in the Last 24 Hours graph. At midnight, data from the last day will be displayed in the Last 30 Days graph. Message status: The following sections provide information about messages that have been processed and assigned a verdict by Symantec Mail Security: Message details, Message queues, Message tracking...
Page 199
Administering the system: Getting status information. Verdict rows: Mass-Mailing Worm, Spam, Suspected Spam, Content Compliance. Columns list the numbers of messages for each of the following time periods: Past Hour, Past Day, Past Week, Past Month, Uptime (the period since the software was last started), Lifetime (the period since the software was installed). Note: The message tracking information shown on the Status >...
Page 200
Message tracking: Symantec Mail Security provides a message tracking component that allows you to search for messages and find out what has happened to them. When enabled, message tracking provides administrators with a trail of detailed information about every message that has been accepted and processed by the software.
Page 201
The Status > Message Tracking page enables you to specify either one or two criteria and related supplementary information as follows. Host: One or more Scanners running the Symantec Mail Security software. In order to find all details about a message, search on all attached Scanners.
Page 202
Message ID: Unique identifier typically generated by the email software that initiates the sending of the message and included as a message header. Because the Message ID is generated by the sending software rather than by Symantec Mail Security, its uniqueness cannot be guaranteed. At times, distributors of spam have used this header to mask the identity of a message originator.
To search information in the message audit log: In the Control Center, click Status > Message Tracking. Complete the desired search criteria (see “Searching for a message” on page 201). Click Display Filtered. Host details: On the Host Details page, you can view details about the status of components on selected hosts.
LDAP Synchronization: You can synchronize user, alias, group, and distribution list data from LDAP directories with the Control Center and view synchronization details. When an LDAP server is initially attached to the Control Center, a full synchronization is performed automatically.
Managing Scanners. https://prefix.yourcompany.com:port/brightmail/BrightmailVersion, where port is the port that Tomcat uses. You can view the following version information when logged on to the Control Center: Build tag, Control Center version, Java version, MySQL version. Scanner replication: Status information is available to show you your most recent replication activity. The replication process moves updated information from the Control Center to each attached and enabled Scanner host.
To edit a Scanner: In the Control Center, click Settings > Hosts. Check the host to edit. Click Edit. Make any changes to the host or its included components and services. From this page, you can: start and stop services; start and stop the flow of data to and from a Scanner.
To enable a Scanner: In the Control Center, click Settings > Hosts. A red x in the Enabled column indicates that the Scanner is disabled. A green check in the Enabled column indicates that the Scanner is enabled. To enable a Scanner that is currently disabled, check the box next to the Scanner and click Enable.
To delete a Scanner: In the Control Center, click Settings > Hosts. Check the box next to the Scanner you want to delete. Click Delete. Administering the system through the Control Center: The following administrative tasks can be performed through the Control Center: Managing system administrators, Managing software licenses...
Administering the Control Center. ...to manually stop and later start the Control Center, such as to investigate a problem. Start or stop the Control Center: To start or stop the Control Center, you must start or stop its processes. The main processes are Tomcat and MySQL.
Each problem results in a number of lines in the error log. For example, the following lines result when Spam Quarantine receives a message too large to handle:
com.mysql.jdbc.PacketTooBigException: Packet for query is too large (3595207 > 1048576)
at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)
at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1540)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1005)
Page 212
To increase the detail of logging messages saved into BrightmailLog.log: Open the following file in a text editor such as WordPad or vi. On Solaris or Linux: /opt/Symantec/SMSSMTP/tomcat/webapps/brightmail/WEB-INF/classes/log4j.properties. On Windows: C:\Program\WEB-INF\classes\log4j.properties. Find the following line: #log4j.rootLogger=WARN, file...
Starting and stopping UNIX and Windows services Although you should perform routine administration using the Control Center, you may occasionally need to start and stop Symantec Mail Security services outside of the Control Center. For example, the Control Center itself can't be stopped using the Control Center.
Page 214
Starting and stopping UNIX and Windows services. Table 10-3 Windows services (continued). Columns: Service display name; Service short name; Process in Task Manager; Description.
SMS Filter Hub; BMIFLTRHUBSVC; filter-hub.exe; Filters messages.
SMS IPlanet Notification Agent; SMSIPLANETCNASVC; iPlanet_CNA.exe; Tracks changes in iPlanet/Sun ONE for SyncService...
Starting and stopping UNIX services: Table 10-4 describes the UNIX services of Symantec Mail Security. Table 10-4 UNIX services. Columns: Service; Description.
(service name not captured); Serves Control Center pages via HTTP.
sms_ldapsync; Synchronizes user and group data from LDAP directories...
Or you can back up each database separately. If you have a large number of messages in Spam Quarantine, backing up may take some time. Backups can be done while the Symantec software is running, but MySQL must be running when you perform backups. For complete instructions on performing backups of MySQL data, see the MySQL documentation.
Page 217
Back up the directory containing suspect virus messages using your preferred backup software. UNIX: /opt/Symantec/SMSSMTP/tomcat/work/Catalina/localhost/brightmail/dzq/ Windows: C:\Program Files\Symantec\SMSSMTP\tomcat\work\Catalina\localhost\brightmail\dzq\ To restore Spam Quarantine and Suspect Virus Quarantine tables from backup: Type the following command: mysql --user=brightmailuser --password=PASSWORD --host=127.0.0.1 brightmail < quarantine.sql Then restore the directory containing suspect virus messages using your preferred backup software.
Page 218
To save Suspect Virus Quarantine tables: Type the following command: mysqldump --user=brightmailuser --password=PASSWORD --opt brightmail settings_quarantine day_zero_message --host=127.0.0.1 > virus_quarantine.sql Back up the directory containing suspect virus messages using your preferred backup software. UNIX: /opt/Symantec/SMSSMTP/tomcat/work/Catalina/localhost/brightmail/dzq/ Windows: C:\Program Files\Symantec\SMSSMTP\tomcat\work\Catalina\localhost\brightmail\dzq\...
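The guide's procedure dumps the Suspect Virus Quarantine tables and backs up the dzq directory as two separate steps, with nothing checking that the dump actually finished. As an added example (not from the Symantec guide), the script below does both steps in one run using the guide's host, user, database, table names and UNIX dzq path, and refuses to archive dzq when the dump is incomplete; BACKUP_DIR, MYSQL_CNF (an option file holding the password instead of --password=PASSWORD on the command line) and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the Symantec guide. Host, user, database, table names
# and the dzq path are the guide's; BACKUP_DIR, MYSQL_CNF and the function
# names are assumptions made here.
set -eu

DB_HOST=127.0.0.1
DB_USER=brightmailuser
DB_NAME=brightmail
VIRUS_TABLES="settings_quarantine day_zero_message"   # Suspect Virus Quarantine tables
DZQ_DIR=/opt/Symantec/SMSSMTP/tomcat/work/Catalina/localhost/brightmail/dzq/
BACKUP_DIR=${BACKUP_DIR:-/var/backups/smssmtp}          # assumption
# Option file with a [client] section holding the password, readable only by
# the backup user; keeps the password out of the process list and shell
# history, unlike --password=PASSWORD on the command line (assumption).
MYSQL_CNF=${MYSQL_CNF:-/etc/smssmtp-backup.cnf}

# check_dump_complete FILE TABLE...: return 0 if FILE has a CREATE TABLE for
# every TABLE and ends with mysqldump's "-- Dump completed" trailer. The trailer
# is missing when mysqldump was interrupted (disk full, killed, lost connection),
# and such a dump would restore silently incomplete.
check_dump_complete() {
    dump=$1
    shift
    [ -s "$dump" ] || return 1
    for t in "$@"; do
        grep -q "^CREATE TABLE \`$t\`" "$dump" || return 1
    done
    tail -n 1 "$dump" | grep -q '^-- Dump completed' || return 1
    return 0
}

# backup_quarantine: dump the tables as in the guide's mysqldump command,
# verify the dump, then archive the dzq directory holding the quarantined
# message files. The tables only reference those files, so both parts must
# come from the same run or the restore will not match.
backup_quarantine() {
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$BACKUP_DIR/virus_quarantine-$stamp.sql"
    mkdir -p "$BACKUP_DIR"
    # VIRUS_TABLES is intentionally word-split into separate table arguments.
    mysqldump --defaults-extra-file="$MYSQL_CNF" --user="$DB_USER" --opt \
        --host="$DB_HOST" "$DB_NAME" $VIRUS_TABLES > "$out"
    if ! check_dump_complete "$out" $VIRUS_TABLES; then
        echo "incomplete dump, not archiving dzq: $out" >&2
        return 1
    fi
    tar -czf "$BACKUP_DIR/dzq-$stamp.tar.gz" -C "$DZQ_DIR" .
    echo "$out"
}

if [ "${1:-}" = "--run" ]; then
    backup_quarantine
fi
```

Run it as `sh backup-quarantine.sh --run` from cron on the Control Center host; the restore is then the guide's mysql command against the verified .sql file plus extraction of the matching dzq archive.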
Maintaining adequate disk space: Use standard file system monitoring tools to verify that you have adequate disk space. Remember that the storage required by certain features, such as extended reporting data and Spam Quarantine, can become large.
Page 220
Interpreting events in the Information Manager. About Symantec Security Information Manager: In addition to using the Symantec Mail Security for SMTP logging features, you can also log events to the Symantec Security Information Manager appliance for event management and correlation. Symantec Security Information Manager (SSIM) integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization.
For more information about interpreting events in the Information Manager and on the event management capabilities of the Information Manager, see the Symantec Security Information Manager documentation. Symantec Mail Security for SMTP can send the following types of events to the Information Manager: Firewall events...
Configuring data sources You must configure the following data sources on the Information Manager to receive events from Symantec Mail Security for SMTP. You can add a new sensor for each data source. Once you have configured these sources, you must distribute the configuration to the Collector for it to take effect.
Dynamic Filename & Monitor in Real Time. Firewall events that are sent to the Information Manager: Table A-4 describes the definition update events that Symantec Mail Security for SMTP can send to the Information Manager. Firewall events that are sent to the Information Manager...
Permit definition update. Message events that are sent to the Information Manager: Table A-6 describes the message events that Symantec Mail Security for SMTP can send to the Information Manager. Table A-6 Message events that are sent to the Information Manager...
Integrating Symantec Mail Security with Symantec Security Information Manager: Interpreting events in the Information Manager. Administration events that are sent to the Information Manager: Table A-7 describes the administration events that Symantec Mail Security for SMTP can send to the Information Manager.
Page 227
Table A-7 Administration events that are sent to the Information Manager (continued). Columns: Event ID (SES_EVENT_<Unique ID>); Severity; Event class; Rule (Reason sent); Description.
SES_EVENT_CONFIGURATION_CHANGE; Informational...
Page 228
Page 229
Glossary. administrator: 1. A person who oversees the operation of a network. 2. A person who is responsible for installing programs on a network and configuring them for distribution to workstations. The administrator may also update security settings on workstations. adware: Programs that secretly gather personal information through the Internet and relay it back to another computer.
Page 230
clean: An action that consists of deleting unrepairable virus infections and repairing repairable virus infections. Conduit: A component that retrieves new and updated filters from Symantec Security Response through secure HTTPS file transfer. Once retrieved, the Conduit authenticates filters, and then alerts the Filter Hub that new filters are to be received and implemented.
Page 231
(targets for future spam campaigns). Symantec Mail Security allows you to identify and defuse directory harvest attacks. DMZ (de-militarized zone): A network added between a protected network and an external network to provide an additional layer of security.
Page 232
Filtering Hub: A component of a Symantec Mail Security Scanner that manages message filtering processes. filter policy: In Symantec Mail Security, a set of actions that apply to a category of messages. The actions specified in a filter policy are only applied to users who are members of a Group Policy that includes the filter policy.
Page 233
Internet. Group Policy: In Symantec Mail Security, a set of filter policies that apply to a specified group of users. Users can be specified by email address or domain. See also filter policy.
Page 234
Extensions). MTA (Mail Transfer Agent): A generic term for programs such as Sendmail, postfix, or qmail that send and receive mail between servers. Each Symantec Mail Security Scanner uses the following three separate MTAs: Delivery MTA: The component that sends inbound and outbound messages that have already been filtered to their required destinations.
Page 235
Glossary. notification: 1. In Symantec Mail Security, a separate email that can be automatically sent to the sender, recipients, or other email addresses when a specified condition is met. For example, if you have a policy that strips .exe attachments from incoming messages, you may want to also notify the sender that the attachment has been stripped.
Page 236
See also filter policy, Group Policy. policy resources: In Symantec Mail Security, sets of data that enable customization of email filtering and the actions taken on filtered email. You can employ policy resources when you create filter policies.
Page 237
router: A device that helps local area networks (LANs) and wide area networks (WANs) achieve interoperability and connectivity. Safe Senders: A list of IP addresses from which no outgoing email is spam, provided by Symantec based on data from the Probe Network. Part of the Sender Reputation Service, Safe Senders is a sender group in Symantec Mail Security.
Page 238
Glossary. Symantec Mail Security allows you to specify an action for messages that fail Sender ID authentication. Sender Reputation Service: A service that provides comprehensive reputation tracking, as part of Symantec Mail Security. Symantec manages the following three lists as part of the Sender Reputation Service: Open Proxy Senders, Safe Senders, and Suspected Spammers.
Page 239
SPF (Sender Policy Framework): ...participates in SPF, the recipient MTA can check for forged return addresses. Symantec Mail Security allows you to specify an action for messages that fail SPF authentication. Stand-alone programs that can secretly monitor system activity and detect...
Page 240
The Symantec Spam Folder Agent for Domino also allows users to submit missed spam and false positives to Symantec.
Page 241
unscannable: In Symantec Mail Security, a message can be unscannable for viruses for a variety of reasons.
Page 242
virus attack: A series of virus-infected emails from a specific domain. Symantec Mail Security allows you to choose an action to perform on these messages; by default, messages received from violating senders are deferred.
Page 243