Messaging Gateway

  • 1.  How to combine actions between SPAM and Malware Policies?

    Posted May 16, 2016 02:58 PM

    Hi,

    I've enabled the Malware Policy Contains attachment(s) supported by Disarm with two actions:

    1. Hold message in Spam Quarantine

    2. Send notification "Notify Users"

     

    Also I have enabled the SPAM Policy If message is spam with the action:

    1. Append subject line with " [SPAM]"

     

    The problem comes when an e-mail is spam and also contains an MS Office (w/ malware) file, because the user receives the notification and some of them try to release the mail from quarantine.

    Is there any way to "exclude" notification (action 2) if the e-mail has been detected as spam?

    How to exclude policies between Reputation, Spam and Malware policies? (I don't have problems with Content)

    Thanks!



  • 2.  RE: How to combine actions between SPAM and Malware Policies?

    Broadcom Employee
    Posted May 17, 2016 04:20 PM

    No, as long as the actions do not conflict, they will be combined.

    I recommend putting the DISARM detected files into content quarantine instead of spam quarantine.



  • 3.  RE: How to combine actions between SPAM and Malware Policies?

    Posted May 18, 2016 01:27 AM

    Hi,

    Spam and malware scanning of a mail run in parallel and cannot interfere with each other.

    The only possibility would be not to use the disarm in that way.

    We use a content rule to just delete not allowed attachments. In case of spam and unallowed attachments there's an action for spam to bypass content filter rules, as we just delete spam.

    In addition to TSE-JDavis's thoughts, I would suggest NOT to keep any disarmed attachments in a quarantine. Users click on any link they can find ...

    Thomas



  • 4.  RE: How to combine actions between SPAM and Malware Policies?

    Posted May 19, 2016 10:56 AM

    Hi TSE-JDavis,

    How do I put the emails in Content Quarantine? I don't see the option on the Disarm attachments Policy.

    policy.png

    Thanks!



  • 5.  RE: How to combine actions between SPAM and Malware Policies?

    Broadcom Employee
    Posted May 19, 2016 11:05 AM

    You are right, I did not look to verify that that was an option.

    Suspect virus quarantine is a good option though, we will hold on to the file for 6 hours (by default) and rescan it before releasing it to the end user.



  • 6.  RE: How to combine actions between SPAM and Malware Policies?

    Posted May 19, 2016 11:40 AM

    Hi TomVie

    The intention of this rule is to "control" MS Office Documents. So, I can't deny all or permit all because we are receiving a lot of ransomware in doc or xml files.

    We receive "good" Office documents with some macros and/or external links that aren't necessarily "malicious" but that the SMG considers "Risky". In cases like this we want users to have the possibility to release the mails from quarantine with a previous alert.

    And yes, you're right: Users click on any link they can find :(

    Thanks!



  • 7.  RE: How to combine actions between SPAM and Malware Policies?

    Posted May 19, 2016 12:17 PM

    Hi to all

    I'm going to explain what we want to do with the policy:

    - If the message IS SPAM and has an MS Office file
        Action: Delete or send it to Quarantine.
    - If the message IS NOT SPAM and has an MS Office file
        Action: Disarm the file
            If the file is "Risky"
                Action: Send it to Quarantine and send a notification to the user
            Else
                Action:  Deliver message normally

     

    But this is what is happening:

    results.png

    1. The SMG detects the message as System denied email address or domain. In this case I've configured Local Bad Sender Domains to Delete message and Bypass all content filtering policies. If the sender or IP address is in my black list, why doesn't it apply only the action in this rule? Is there any possibility to also bypass Email and SPAM policies?
    2. Is SPAM: For this rule I've configured the actions: Append subject line with " (...)" and Bypass all content filtering policies. The same: is there any possibility to bypass Malware policies?
    3. It disarms the file: The actions are: Hold message in Spam Quarantine and Send notification
    4. Actions taken: Sends the notification and deletes the message

     

    Thanks

     



  • 8.  RE: How to combine actions between SPAM and Malware Policies?

    Posted May 20, 2016 07:03 AM

    .



  • 9.  RE: How to combine actions between SPAM and Malware Policies?

    Posted May 20, 2016 09:55 AM

    Hi,

    Spam and malware scanning is done in parallel, therefore they can't "talk" to each other.

    Think of it that way:

    If a mail is spam -> delete. No matter if there is an attachment or not. Don't care about it. That's done with the spam settings.

    If a mail is not spam it won't get deleted there, but if there is an attachment which can be disarmed it will.

    And that's what your rules have been doing.

    A mail can have multiple verdicts (SPF failure, spam, virus, etc.) and if one of the actions on these verdicts is delete, the message won't get delivered.

    Or didn't I get the point?

    Thomas
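
The combination behaviour discussed in this thread, as an added example that is not part of any post and is not Symantec Messaging Gateway code: a simplified Python model that contrasts the parallel evaluation the replies describe with the sequential logic the original poster wanted. The verdict names, action names and the rule that "delete" suppresses other delivery actions but not the notification are assumptions taken from the configuration and result listed in post 7.

```python
# Constructed model of the thread's description; names are hypothetical, not SMG identifiers.
# Verdict -> configured actions, as listed in post 7.
POLICIES = {
    "bad_sender": ["delete", "bypass_content_filtering"],
    "spam": ["append_subject", "bypass_content_filtering"],
    "disarm": ["hold_in_spam_quarantine", "notify_user"],
}


def parallel_actions(verdicts):
    """Every verdict contributes its actions independently; they are then combined."""
    combined = []
    for verdict in verdicts:
        for action in POLICIES[verdict]:
            if action not in combined:
                combined.append(action)
    if "delete" in combined:
        # Assumption from post 7's observed result: a deleted message is not
        # delivered or held, but the notification still goes out.
        combined = [a for a in combined if a in ("delete", "notify_user")]
    return combined


def desired_actions(verdicts):
    """Sequential logic the poster asked for: an earlier verdict short-circuits Disarm."""
    if "bad_sender" in verdicts or "spam" in verdicts:
        return ["delete"]
    if "disarm" in verdicts:
        return ["hold_in_spam_quarantine", "notify_user"]
    return ["deliver"]


if __name__ == "__main__":
    for case in (["bad_sender", "spam", "disarm"], ["spam", "disarm"], ["disarm"]):
        print(case, "parallel:", parallel_actions(case), "desired:", desired_actions(case))
```

The gap between the two functions is the stray notification: in the parallel model the Disarm policy has no view of the spam or bad-sender verdict, so the only way to stop the notice is to change what the Disarm policy itself does.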