In this article, you will learn everything you need to know about the Email Security module. The Email Security engines scan for the most intrusive method cybercriminals use to introduce malware and viruses into corporate systems. Lightweight, easy to deploy, and highly responsive, our Email Security anti-malware and anti-spam filter can be scaled to any number of endpoints within your organization. Its MX record-based analysis vectors keep all malicious emails out of your inbox, automatically removing malware-laced attachments, and filtering emails coming from malicious IPs or domains, or those containing malicious URLs.
1. Description
2. How does Email Security work?
3. Email Security setup guide
4. Email Security view
5. Email Security personal/individual console
6. Email Security settings
DESCRIPTION
Our Email Security uses market-leading spam detection and filtering engines that go beyond simple spam definitions. It proactively prevents even the most sophisticated email exploits that seek to harm your organization by bypassing regular spam filters and antivirus solutions. The Email Security features include anti-spam protection, botnet protection, Advanced Malware Filtering, Protection against DNS hijacking, Phishing protection, threat tracing & full audit log, social security number leakage detection (US, UK, DK, DE), personal quarantine report, 90-day email retention, deep attachment scanner, deep content inspection.
The Email Security infrastructure is hosted on Microsoft's Azure cloud platform (West Europe - Amsterdam, North Europe - Ireland, South India, East US - Virginia). As a security provider, HEIMDAL understands the importance of complying with security standards, which is why Email Security comes with DNSSEC and DANE/TLSA support for inbound SMTP services.
HOW DOES EMAIL SECURITY WORK?
Email Security protects both Inbound and Outbound mail flows by acting as a man-in-the-middle between the Internet and your organization's email server (in the case of the Inbound Mail Flow) or vice versa (in the case of the Outbound Mail Flow). Below is the diagram of the Email Security module:
On the Inbound flow, emails that come from the Internet reach the organization's domain (example.com) and are forwarded to the HEIMDAL Security MX Records found on the domain's DNS (example: eu-esec-01.heimdalsecurity.com or eu-esec-02.heimdalsecurity.com for the Europe region). Once they reach the HEIMDAL servers, Email Security goes through the following flow:
- Allowlist & Blocklist check (the Allowlist has priority over everything: anything in the Allowlist skips the Blocklist check);
- Greylist check;
- IP Reputation check (only if Spam scanning is enabled);
- SPF/DMARC scanning;
- Non-TLS check;
- Virus scanning;
- Spam scanning;
- Attachment scanning;
- Newsletter scanning;
- Advanced Threat Protection.
If emails pass these checks, they are delivered to the organization's inbound Mail Server (configured in the HEIMDAL Dashboard - Network settings) and reach the recipient's inbox; if they fail the checks, they can be tagged, quarantined, or rejected (depending on the settings configured in the HEIMDAL Dashboard - Network settings) before reaching the recipient's inbox. In the case of quarantined emails, the HEIMDAL Dashboard Admin can allow users to release the quarantined emails they have received, or can release them directly.
IMPORTANT
In the interest of timely email delivery, emails that include an attachment larger than 0.7 MB are scanned by only one of our Antispam engines. All other emails are scanned by both Antispam engines.
On the Outbound flow, emails are sent from the organization's Outbound server using a forwarding rule/connector to reach the HEIMDAL Security smarthost (eu-esec-outbound.heimdalsecurity.com), where the Email Security engines perform the following operations:
- Spam scanning;
- Virus scanning;
- Attachment scanning;
- Advanced Threat Protection;
If emails pass these checks, they are delivered by the Email Security servers to the recipients, but if the emails fail the checks, they will be rejected or undelivered.
EMAIL SECURITY setup guide
To set up Email Security without disrupting the email flow in your organization, you need to follow the steps below for each of the flows you are configuring.
Setting up the Inbound Mail Flow
A. Adding your domain to the HEIMDAL Dashboard
1. Log in to the HEIMDAL Dashboard and navigate to the Network Settings.
2. Click the Email Protection tab and make sure the Email Security module is enabled.
3. To add a new domain to be filtered by the Email Security engines, click Add Domain.
4. Insert your Domain Name, and your Inbound Mail Server (Domain or Public IP Address), and Save Changes.
5. Additionally, you can configure the rest of the settings or leave them for a later time.
6. After having all the settings configured, press the Update Network Settings button.
B. Adding the Email Security MX Records to your domain's DNS Settings
1. Log in to the portal where you manage your domain's DNS Settings (your registrar's portal or your hosting company's portal | example: GoDaddy, HostGator, or others) and go to the DNS Settings. If your domain's DNS hosting provider is Microsoft, note that Microsoft 365 prefers Exchange Online Protection as the primary Mail Server service; on the MX Records configuration page, Microsoft expects the Office 365 MX Record (example-com.mail.protection.outlook.com) and does not validate the MX Records of a 3rd-party spam filter as primary MX Records. Although the Email Security MX Records do not pass this validation, the email flow will work just fine with them set at priority 0 and 1.
2. Change your MX Records to point to the Email Security MX Records (make sure you use the MX Records corresponding to the region in which your customer account is stored):
- eu-esec-01.heimdalsecurity.com (for customers stored in the Europe region);
- eu-esec-02.heimdalsecurity.com (for customers stored in the Europe region);
- us-esec-01.heimdalsecurity.com (for customers stored in the United States region);
- us-esec-02.heimdalsecurity.com (for customers stored in the United States region);
- uk-esec-01.heimdalsecurity.com (for customers stored in the United Kingdom region);
- uk-esec-02.heimdalsecurity.com (for customers stored in the United Kingdom region);
Once the configuration of the MX Records has been completed and the settings propagated, emails should be displayed and filtered by the Email Security module in the HEIMDAL Dashboard, under the Email Security view (Inbound view).
IMPORTANT
In case you are setting up Email Security to work with Office 365, make sure you go through the steps described in this article to prevent the bypass of Email Security and also to configure the bypass of the EOP spam filtering: https://support.heimdalsecurity.com/hc/en-us/articles/22421112073501-Email-Security-and-Exchange-Online-Office-365-setup-of-the-inbound-flow
Setting up the Outbound Mail Flow
A. Adding your Outbound Mail Server(s) in the HEIMDAL Dashboard
1. Log in to the HEIMDAL Dashboard and navigate to the Network Settings.
2. Click the Email Protection tab and make sure the Email Security module is enabled.
3. Click the Edit button (the pencil icon) to edit the domain you have created.
4. Add your Outbound Mail Server (Domain or Public IP Address) by clicking the Add button, and Save Changes.
5. After having all the settings configured, press the Update Network Settings button.
B. Adding the Email Security SPF, DMARC, DKIM records to your domain's DNS Settings
1. Log in to the portal where you manage your domain's DNS Settings (your registrar's portal or your hosting company's portal | example: GoDaddy, HostGator, Office 365, or others) and go to the DNS Settings.
2. Edit your SPF Records to include the Email Security SPF Records:
- include:spf-esec.heimdalsecurity.com (for customers stored in the Europe region);
- include:spf-esec-us.heimdalsecurity.com (for customers stored in the United States region);
- include:spf-esec-uk.heimdalsecurity.com (for customers stored in the United Kingdom region).
Example: v=spf1 include:spf.protection.outlook.com include:spf-esec.heimdalsecurity.com -all
Make sure you don't remove any 3rd Party SPF Records that are already set up on your SPF Records. After adding the Email Security SPF Records, do an SPF Record Lookup to make sure the SPF Records are validating correctly (you can use mxtoolbox.com or any other online tool to check).
3. Add a DMARC Record:
- Type: TXT
- Host: _dmarc
- Value: v=DMARC1; p=quarantine; rua=mailto:gcafy1yi@ag.dmarcian-eu.com, mailto:test1@example.com; ruf=mailto:gcafy1yi@fr.dmarcian-eu.com, mailto:test1@example.com;
- TTL: 1/2 Hour
4. Additionally, you can add a DKIM Signature to make sure the emails you send are DKIM-signed.
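The MX, SPF and DMARC records from steps B of both flows are the part of this setup that is easiest to get subtly wrong (a leftover MX host that lets mail around the filter, a second v=spf1 record, a DMARC record without a policy). The script below is an added example, not Heimdal's code: it runs the checks a practitioner would do after the DNS change, against constructed DNS answers embedded inline. Only the MX host names and the SPF include terms come from this guide; the record layouts, the sample answers and the mailto addresses in the DMARC sample are constructed for the example.

```python
"""Added example (not Heimdal's code): offline checks for the DNS records this
setup guide asks for, run against constructed DNS answers.

Only the host names and SPF includes come from the guide; the record layouts
and the sample answers below are constructed for the example.
"""
import re

# Expected inbound MX hosts per region (from the setup guide).
EXPECTED_MX = {
    "eu": {"eu-esec-01.heimdalsecurity.com", "eu-esec-02.heimdalsecurity.com"},
    "us": {"us-esec-01.heimdalsecurity.com", "us-esec-02.heimdalsecurity.com"},
    "uk": {"uk-esec-01.heimdalsecurity.com", "uk-esec-02.heimdalsecurity.com"},
}
# Expected SPF include term per region (from the setup guide).
EXPECTED_SPF_INCLUDE = {
    "eu": "include:spf-esec.heimdalsecurity.com",
    "us": "include:spf-esec-us.heimdalsecurity.com",
    "uk": "include:spf-esec-uk.heimdalsecurity.com",
}
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?::|/|$)|mx(?::|/|$)|ptr|exists:)|^redirect=")
_ALL_TERM = re.compile(r"^[+\-~?]?all$")


def check_mx(mx_records, region):
    """mx_records: list of (priority, host) as returned by a resolver.
    Returns a list of problems; an empty list means the MX setup matches the guide."""
    problems = []
    hosts = {host.rstrip(".").lower() for _, host in mx_records}
    expected = EXPECTED_MX[region]
    missing = expected - hosts
    if missing:
        problems.append("missing Email Security MX host(s): " + ", ".join(sorted(missing)))
    extra = hosts - expected
    if extra:
        # Any other MX host is a path around the filter: senders can deliver to it directly.
        problems.append("other MX host(s) present, mail can bypass the filter: " + ", ".join(sorted(extra)))
    return problems


def check_spf(txt_records, region):
    """txt_records: TXT strings at the domain apex. Returns a list of problems."""
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    problems = []
    terms = spf[0].split()
    if EXPECTED_SPF_INCLUDE[region] not in terms:
        problems.append(f"SPF record lacks {EXPECTED_SPF_INCLUDE[region]}")
    all_terms = [t for t in terms if _ALL_TERM.match(t)]
    if len(all_terms) != 1 or terms[-1] != all_terms[0]:
        problems.append("SPF record should end with exactly one 'all' mechanism")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"SPF record needs {lookups} DNS lookups; RFC 7208 allows 10")
    return problems


def check_dmarc(txt_records):
    """txt_records: TXT strings at _dmarc.<domain>. Returns a list of problems."""
    dmarc = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(dmarc)}"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        problems.append("DMARC record needs a p= policy of none, quarantine or reject")
    if "rua" not in tags:
        problems.append("DMARC record has no rua= aggregate report address")
    return problems


def audit(region, mx_records, apex_txt, dmarc_txt):
    """Run all three checks; returns {check_name: [problems]}."""
    return {
        "mx": check_mx(mx_records, region),
        "spf": check_spf(apex_txt, region),
        "dmarc": check_dmarc(dmarc_txt),
    }


# Constructed DNS answers for a domain set up per the guide (EU region).
SAMPLE_MX = [(0, "eu-esec-01.heimdalsecurity.com."), (1, "eu-esec-02.heimdalsecurity.com.")]
SAMPLE_APEX_TXT = [
    "v=spf1 include:spf.protection.outlook.com include:spf-esec.heimdalsecurity.com -all",  # the guide's example
    "some-site-verification=abc123",  # unrelated TXT records are ignored
]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com;"]

if __name__ == "__main__":
    for name, problems in audit("eu", SAMPLE_MX, SAMPLE_APEX_TXT, SAMPLE_DMARC_TXT).items():
        print(name, "OK" if not problems else problems)
```

To run it against a live domain, feed `audit()` the answers from `dig MX example.com`, `dig TXT example.com` and `dig TXT _dmarc.example.com`; the extra-MX warning is the one to take seriously, because a mail server still listed as an MX host receives mail that never passes through the filter.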
C. Adding a rule/connector on your Mail Server to relay emails to the Email Security smarthost
1. Go to your Outbound Mail Server settings and create a rule/connector to relay all the outbound emails through the Email Security smarthost:
- eu-esec-outbound.heimdalsecurity.com with ports 25, 587, 2525 (for customers stored in the Europe region);
- us-esec-outbound.heimdalsecurity.com with ports 25, 587, 2525 (for customers stored in the United States region);
- uk-esec-outbound.heimdalsecurity.com with ports 25, 587, 2525 (for customers stored in the United Kingdom region).
Once the configuration of the smarthost has been completed, emails should be displayed and filtered by the Email Security module in the HEIMDAL Dashboard, under the Email Security view (Outbound view).
IMPORTANT
In order for Email Security to work, you need to make sure that the Email Security IP Addresses are not blocklisted/greylisted by your environment or by your hosting company. Verify your firewall settings and allow SMTP from these IP Addresses.
- 20.50.183.144 (eu-esec-01.heimdalsecurity.com)
- 20.50.183.146 (eu-esec-01.heimdalsecurity.com)
- 20.50.183.145 (eu-esec-02.heimdalsecurity.com)
- 20.50.183.147 (eu-esec-02.heimdalsecurity.com)
- 20.50.183.148 (eu-esec-outbound.heimdalsecurity.com)
- 20.50.183.149 (eu-esec-outbound.heimdalsecurity.com)
- 20.50.183.150 (eu-esec-backup.heimdalsecurity.com)
- 20.50.183.151 (eu-esec-backup.heimdalsecurity.com)
- 20.88.177.217 (us-esec-01.heimdalsecurity.com / us-esec-02.heimdalsecurity.com)
- 20.88.177.218 (us-esec-01.heimdalsecurity.com / us-esec-02.heimdalsecurity.com)
- 20.88.177.208 (us-esec-outbound.heimdalsecurity.com)
- 20.88.177.209 (us-esec-outbound.heimdalsecurity.com)
- 172.166.114.48 (uk-esec-01.heimdalsecurity.com / uk-esec-02.heimdalsecurity.com)
- 172.166.114.49 (uk-esec-01.heimdalsecurity.com / uk-esec-02.heimdalsecurity.com)
- 172.166.114.50 (uk-esec-outbound.heimdalsecurity.com)
- 172.166.114.51 (uk-esec-outbound.heimdalsecurity.com)
In case your firewall includes special rules for inbound & outbound traffic, make sure you whitelist the following:
- 20.50.183.133/29 (port 25 for Inbound traffic)
- 20.88.177.217, 20.88.177.218, 172.166.114.48, 172.166.114.49
- 20.50.183.144/29 (all ports for Outbound traffic)
- 20.88.177.208, 20.88.177.209, 172.166.114.50, 172.166.114.51
EMAIL SECURITY view
The Email Security page displays 2 views: the Homepage (that showcases relevant data from the Email Security product) and the Details (for in-depth data analysis).
Homepage
The Homepage displays several stats and graphs that provide a streamlined understanding of the usage and activity of the email addresses and domains:
- Summary Report - brief info about the total number of malicious, inbound, and outbound emails over the last 90 days. These are further broken down by Status and expressed as percentages;
- User Anomalies - shows, sorted in descending order, the top 8 email addresses on which outliers have been detected (SPAM, Virus, and ATP); each entry (email address) will have 3 bars, displaying the number of emails from this category, over the last month, 2 and 3 months ago (from the current date). For more details regarding a certain email address, the dashboard user can click on the bar chart section and a detailed linear graph is displayed below;
- Domain status - lists all the email domains, with their corresponding TAC risk score and their MX, SPF, and DMARC authentication methods’ statuses;
- The bottom row tiles display a month-to-month comparison of Quarantined, Rejected, Spam, Virus, and ATP emails. The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/decrease in the number of emails (both as a number and as a percentage) and a chart presenting the activity for each interval.
After clicking on the hovered point in the chart tile, the timeframe interval of the redirected Details page is automatically set to the hovered data point. Moreover, this action also sets, in the Advanced filter, the Type or Status field to the Type or Status of the graph from which the selected data point was clicked. Depending on the graph tile clicked, the following actions occur: clicking on the Rejected and Quarantined tiles automatically sets the Status of the Advanced filter, while clicking on the Spam, Virus, and ATP graph tiles automatically sets the Type field of the Advanced filter. If there is no recorded data when hovering over the chart data points and attempting to click on them, a toast notification will be shown to the dashboard user with the message "No data for the specific timeframe."
Details
The Details view shows all the information regarding the Inbound Mail Flow and the Outbound Mail Flow in your organization. The collected information refers to emails that are DELIVERED, QUARANTINED, QUEUED, UNDELIVERED, or REJECTED.
On the top, you see a statistic regarding the number of Scanned Emails, the number of Spam Emails, the number of Virus detections, and the number of detected Advanced Threats.
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines, while the Domain Status view displays the status of the MX, SPF, and DMARC Records that are set up on your domain(s).
The Advanced Filter allows you to filter your searches by Domain, To, From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.
The Type submenu has the following types:
- All
- Normal
- Botnet
- Spam
- Virus
- Encrypted
- ATP
- SPF Block
- DMARC
- Blocklisted
- Allowed
- Attachment Block
- Released to ATP
- Newsletter
- EFP
The EFP Rule category submenu has the following categories:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment.
In the Inbound view, you can see a list of all inbound emails: the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Inbound view refreshes in real time). Selecting one or more emails brings up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe;
- Resend - this action will resend the selected email (this action works only for delivered emails);
- Report - this action will automatically mark the selected email as Spam and an email notification will be sent to the Heimdal Security Team;
- Deny email release - this action will block the regular end users' ability to release quarantined emails from their QER report.
In the Outbound view, you can see a list of all outbound emails: the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Outbound view refreshes in real time). Selecting one or more emails brings up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe;
- Resend - this action will resend the selected email (this action works only for delivered emails);
- Report - this action will automatically mark the selected email as Spam and an email notification will be sent to the Heimdal Security Team.
The Details button will display a popup with various email details (Main, Advanced, Header, and Body). In the Main tab, you can use the Choose a domain dropdown field to take actions for the specified domains.
- Add Sender to Blocklist - adds the sender (the one who sends the email) to the blocklist of the selected domain(s);
- Add Sender to Allowlist - adds the sender (the one who sends the email) to the allowlist of the selected domain(s);
- Add Domain to Blocklist - adds the sender's domain (the one who sends the email) to the blocklist of the selected domain(s);
- Add Domain to Allowlist - adds the sender's domain (the one who sends the email) to the allowlist of the selected domain(s);
- Add Email based on subject to Allowlist - adds the sender's email to the allowlist of the selected subject(s). Unchecking the SPF/DMARC scanning will still perform an SPF/DMARC check to increase security;
- Add Email based on subject to Blocklist - adds the sender's email to the blocklist of the selected subject(s).
Dashboard users have the option to create Allowlist/Blocklist rules either at a personal or global (domain) level.
If the dashboard user selects the “Personal” option, a new End User Console rule will be created (and also displayed in the End Users Allowlist & Blocklist table which can be found in the Blocklist, Allowlist & Greylist section in Network Settings - Email Protection).
In the Advanced Status tab, you can use the Choose a domain dropdown field to take more actions for the specified domains.
- Add Source IP to Blocklist - adds the Source IP Address (the source IP Address of the sending server) to the blocklist of the selected domain;
- Add Destination IP to Blocklist - adds the Destination IP Address (the destination IP Address where the email is sent to) to the blocklist of the selected domain;
- Add Source IP to Allowlist - adds the Source IP Address (the source IP Address of the sending server) to the allowlist of the selected domain;
- Add Destination IP to Allowlist - adds the Destination IP Address (the destination IP Address where the email is sent to) to the allowlist of the selected domain.
In the Header tab, you see information about the Envelope-From and the Header-From.
The Body and the Attachments tabs preview the body and the files that are attached to the email whether the email has been quarantined, delivered, undelivered, or rejected. These options are available only if the domain has enabled the Email Archiving options feature in the Additional Domain Settings tab. To preview the Body and the Attachments tab, the HEIMDAL Dashboard user needs appropriate Access Control (View Email Security Data and View Email Security Sensitive claims enabled).
Note 1: The email's body and attachments must not exceed 25MB. If the total size exceeds this limit, the Body tab section will be disabled and appear grayed out.
Note 2: Just the size of the body should not exceed 1MB. If that happens, that Body tab will be grayed out.
EMAIL SECURITY personal/individual console
The Email Security personal/individual console is available to end users if the End user console option (within the Network Settings -> Email Security -> Quarantine Settings) is enabled. This portal is accessible through the following URL: https://rc-dashboard.heimdalsecurity.com/emailspamfilterlogs/index, through an authentication token (valid for 24 hours from the moment it was generated) that is sent by email (if the email address is valid).
The Email Security personal/individual console can be accessed from the Quarantine Report link at the bottom of the report.
Once authenticated in the Email Security personal/individual console, the end user can see all the details related to the email flows concerning his email address: the Inbound Mail Flow, the Outbound Mail Flow, the Blocklist, and the Allowlist. The collected information refers to emails that are DELIVERED, QUARANTINED, QUEUED, UNDELIVERED, or REJECTED.
On top of that, you will see statistics regarding the number of scanned emails, spam emails, virus detections, and advanced threats.
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines, while the Blocklist and the Allowlist display the entries specific to each list. The Advanced Filter allows you to filter your searches by From/To, Header From, Type, Status, Spam Classification, Minimum Spam Score, and Maximum Spam Score.
Quarantined emails can be released from the Email Security personal/individual console by selecting the email and choosing the Release action from the top dropdown menu or from the Details modal.
IT admins can block the end users' ability to release quarantined emails using the Deny email release action.
The emails that have been denied will have a warning icon in the Status field and hovering the mouse over the status will display the message "Email is denied for release for end users. IT admins can still release the email from the dashboard".
After applying this action to an email, the Release button will be disabled for the end users, and placing the mouse over the button will display the message: "This action is not allowed by your IT admin".
The Details modal allows the end user to add items to the Allowlist and/or Blocklist. The blocklisted items are added with the default action from the HEIMDAL Dashboard -> Reject and the end user cannot select a different action (due to security reasons). Once the items are added to the end user's Allowlist/Blocklist, they are displayed in the corresponding view (Allowlist/Blocklist).
- Add Sender to Blocklist - adds the sender's email address (FROM) to the Blocklist;
- Add Sender to Allowlist - adds the sender's email address (FROM) to the Allowlist;
- Add Domain to Blocklist - adds the sender's domain to the Blocklist;
- Add Domain to Allowlist - adds the sender's domain to the Allowlist;
- Add Header Sender to Allowlist - adds the sender's HEADER FROM email address to the Allowlist;
- Add Header Domain to Allowlist - adds the sender's HEADER FROM domain to the Allowlist;
- Add Email based on subject to Blocklist - adds the subject to the Blocklist;
- Add Email based on subject to Allowlist - adds the subject to the Allowlist;
- Release - releases the quarantined email.
When using the Show details button from the ESEC Inbound and Outbound views, users will be able to visualize details related to EFP detected emails, in a dedicated new tab called EFP.
Note: The EFP tab is available (not faded) only if the Advanced Filter selection on Type is made for EFP type emails.
The only action the end user can perform in the Allowlist/Blocklist views is the Delete action (deleting the entry/ entries from the table).
IMPORTANT
The settings are applied only for the mailbox of the end user and have priority over the general domain settings set up in the HEIMDAL Dashboard.
Example: if test@domain.com is blocklisted in the domain settings but added to the end user's personal Allowlist (in the Email Security personal/individual console), the end user will receive emails from that allowlisted email address, while all the other users will not (unless they performed allowlist actions on the same address in their own Email Security personal/individual console), as the email will be blocklisted by the HEIMDAL Dashboard domain settings.
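The two precedence rules the article states (the Allowlist wins over the Blocklist in the inbound flow, and an end user's personal lists win over the domain lists for that mailbox only) are easy to misjudge when troubleshooting why one recipient gets a message and another does not. The resolver below is an added example, not Heimdal's code; it encodes exactly those rules and replays the test@domain.com scenario above on constructed lists. The `Lists` structure, the `continue` outcome and all sample entries are assumptions made for the example; which action a domain-level block entry triggers is whatever the dashboard configures, so the resolver only reports that the entry matched.

```python
"""Added example (not Heimdal's code): the allowlist/blocklist precedence rules
this article states, written as a small resolver and run on constructed lists.

Rules taken from the article:
  * the allowlist has priority over the blocklist (an allowlisted sender skips
    the blocklist check);
  * an end user's personal lists apply only to that mailbox and take priority
    over the domain-level lists in the dashboard.
The data structures, the 'continue' outcome and the sample entries are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Lists:
    """One allowlist/blocklist pair. Entries are sender addresses or sender domains."""
    allow: set = field(default_factory=set)
    block: set = field(default_factory=set)


def _matches(entries, sender):
    """True if the sender address itself or its domain is in the list (case-insensitive)."""
    entries = {e.lower() for e in entries}
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    return sender in entries or domain in entries


def resolve(sender, recipient, domain_lists, personal_lists):
    """Decide the list stage for one message.

    Returns ("allow", reason):    allowlisted; the blocklist check is skipped and the
                                  message continues to the scanning engines
            ("block", reason):    blocklisted; the configured block action applies
                                  (end-user entries always carry Reject)
            ("continue", reason): no list entry matched; proceed to the greylist check
    """
    personal = personal_lists.get(recipient.lower())
    if personal is not None:  # the end user's own lists win over the domain lists
        if _matches(personal.allow, sender):
            return "allow", "personal allowlist"
        if _matches(personal.block, sender):
            return "block", "personal blocklist"
    if _matches(domain_lists.allow, sender):
        return "allow", "domain allowlist"
    if _matches(domain_lists.block, sender):
        return "block", "domain blocklist"
    return "continue", "no list entry matched"


# Constructed lists reproducing the article's example: test@domain.com is blocklisted
# for the whole domain, but alice has allowlisted it personally. carol personally
# blocks a domain the dashboard allowlists, to show that personal entries win either way.
DOMAIN_LISTS = Lists(allow={"newsletter.example"}, block={"test@domain.com", "spam-source.example"})
PERSONAL_LISTS = {
    "alice@example.com": Lists(allow={"test@domain.com"}),
    "carol@example.com": Lists(block={"newsletter.example"}),
}

if __name__ == "__main__":
    for recipient in ("alice@example.com", "bob@example.com"):
        print(recipient, resolve("test@domain.com", recipient, DOMAIN_LISTS, PERSONAL_LISTS))
    for recipient in ("carol@example.com", "bob@example.com"):
        print(recipient, resolve("news@newsletter.example", recipient, DOMAIN_LISTS, PERSONAL_LISTS))
```

When investigating a "why did this get through" ticket, the `reason` string is the item to check first: a personal allowlist entry on one mailbox explains a delivery that the domain-level settings alone would never permit, and it is visible in the End Users Allowlist & Blocklist table mentioned above.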
EMAIL SECURITY settings
To set up Email Protection - Email Security in the HEIMDAL Dashboard, you have to log in and access the Network Settings section:
Email Security - enables the Email Security module;
Grant consent - allows you to connect the Heimdal Email Security to O365 / Azure tenant by installing the Heimdal Security ESEC enterprise application in Azure AD to allow the HEIMDAL Dashboard to get mailbox count from the Microsoft Graph/Office 365 API.
Configuration
Add Domain - allows you to add the domain that will be filtered by the Email Security engine;
Domain name - allows you to add a domain name (e.g. heimdalsecurity.com);
Inbound Host - allows you to set your Inbound Mail Server Domain/Public IP, your Port and to choose a TLS option (eg. heimdalsecurity-com.mail.protection.outlook.com:25);
Outbound IP/Provider - allows you to set the Outbound SMTP Server by selecting one from the dropdown or adding the Public IP Address of the SMTP Server in the Public IP field;
Additional Domain Settings
Email archiving options - allows you to select the desired email archiving period and implicitly the timeframe corresponding to the resent option. You can choose between None, 30 days, 90 days, or 1 year. Those that have selected 1 year cannot switch back to 30 or 90 days;
Put inbound delivery on pause - allows you to pause the inbound email delivery (the system will check every 15 minutes for any changes);
Recipient verification - this option allows the Email Security servers to verify that a recipient's email address exists before sending them an email. If a user does not exist, Email Security will block the email before it reaches the mail server. Recipient verification helps improve the spam block rate by using resources more efficiently. Enabling it tells Email Security to do recipient verification on port 2525 (just like Exchange does for recipient validation) instead of the port configured on the domain (port 25); when it is disabled, recipient verification is done on the configured port (25 or any other port). (This feature is visible and can be configured only by the Support Team);
Block outbound Danish CPR number if no TLS transmission - this option will block outbound emails when a Danish CPR number is detected, even if the Force TLS (encrypted) transmission is enabled for any domains;
Always block outbound Danish CPR Number - scans the email for any Danish CPR number and blocks it if it includes any Danish CPR Number;
DMARC - checks if the incoming email comes from a sender that is authorized to send emails on behalf of the sending domain and that the email has not been modified in the delivery process;
SPF - checks if the incoming email comes from a host that is authorized by the domain's administrators to send on behalf of the domain;
SPF SoftFail - performs an additional verification on emails that have the SPF SoftFail status result;
Sender Rewriting Scheme (SRS) - allows the Email Security engine to rewrite the Envelope From address for all Inbound emails. The Header From field remains unchanged. This feature removes the need to allow the HEIMDAL Email Security IP Addresses on your organization's Mail Server, and is recommended only if you are unable to allowlist the HEIMDAL Email Security IP Addresses;
Block emails without TLS - allows you to tag, quarantine, or reject emails that are not transmitted through TLS. The quarantine stores the emails for 90 days, while reject does not store them in any way;
Forced TLS settings - opens the Forced TLS settings menu:
- Force TLS transmission to any domain - encrypts the email message from Heimdal Security to the next-hop email server;
- Add TLS Exceptions - exclude domains from TLS transmission (available only if the Force TLS transmission to any domain option is enabled);
DKIM Signing - allows you to generate and configure a DKIM Signature that will be included in the outbound email header; after generating it, the DKIM Signature needs to be validated through the Check DNS button against the DKIM Record specified in the domain DNS Settings; after validation, the configured selector can be enabled;
SEPO In - allows you to use the SEPO encryption service and delivers the email to the SEPO Inbound Scan Server;
SEPO Out - allows you to use the SEPO encryption service and checks CPR, Abnormal and Forced TLS delivery;
Block emails without TLS - allows you to intercept emails without TLS and choose whether to tag/block/quarantine them;
Email Fraud Prevention
Email Fraud Prevention - enables or disables the Email Fraud Prevention filtering engine on the selected domain;
Action on detection - allows you to choose an action for every type of classification (None, Quarantine, Tag Subject, Reject).
- Reject will reject the email without storing it on the HEIMDAL Servers;
- Quarantine will quarantine the emails and will store them for 90 days on the HEIMDAL Servers;
- Tag Subject will add a tag to the email’s existing subject: # Warning: Possible Spam or Fraud! #;
- None will make the emails pass unaltered through the Email Fraud Prevention engine.
Anti-Spam Settings
The Antispam Settings allow you to change the aggressiveness of the spam filter and to choose what actions to take on emails based on five different classification levels and scores between -0.1 and 100.
Anti-Spam Settings - enables or disables the antispam filtering engine on the selected domain;
CLASSIFICATION - each email that is being filtered by the HEIMDAL Email Security module gets a classification from one of the anti-spam engines. The emails can be classified as Confirmed Spam, High Possible Spam, Possible Spam, Suspected Spam, All other Emails;
SCORE LEVEL - allows you to set a value between 0 and 100 that serves as the threshold for the action taken on each email; a lower score level makes the Anti-Spam engine act on emails that are less likely to be spam, while a higher score level makes it act only on emails that are more likely to be spam;
PREVIEW - redirects you to the Email Security view and applies the search filters according to the Classification, Score Level, and configured domain.
ACTION - allows you to choose an action for every type of classification (Reject, Quarantine, Tag Subject, None).
- Reject will reject the email without storing it on the HEIMDAL Servers;
- Quarantine will quarantine the emails and will store them for 90 days on the HEIMDAL Servers;
- Tag will add a tag to the email’s existing subject: # Warning: Possible Spam or Fraud! #;
- None will make the emails pass unaltered through the Email Security engine.
Examples:
- if the Score level is set to >= 3, emails that get a score level of 2 will not be flagged (they will be DELIVERED), while emails that get a score level of 3 or higher will be flagged as SPAM (they will be Tagged, Quarantined, Rejected or No Action, depending on the set Action);
- if the classification for Possible SPAMs has a set Score Level of 2 and an action of Quarantine, all emails that are tagged as "Possible SPAM" and have a Score Level equal to or higher than 2 will be quarantined and flagged as SPAM in the Email Security view (within the HEIMDAL Dashboard).
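The two examples above are instances of one rule: per classification, an email is flagged as SPAM when its score reaches the configured Score Level, and the configured Action then decides what the recipient sees. The code below is an added example, not Heimdal's code, that implements that rule and replays both examples on constructed settings. The classification names, the 0-100 score range, the four actions and the tag text come from this section; the sample score levels are not Heimdal's presets, and the tag being prepended to the subject is an assumption.

```python
"""Added example (not Heimdal's code): the Anti-Spam decision this section
describes, per classification, score level and action, run on constructed settings.

The classification names, the 0-100 score range, the four actions and the tag text
come from the article; the sample score levels and the place the tag is inserted
(as a subject prefix) are assumptions.
"""
CLASSIFICATIONS = ("Confirmed Spam", "High Possible Spam", "Possible Spam", "Suspected Spam", "All other Emails")
ACTIONS = ("Reject", "Quarantine", "Tag Subject", "None")
SPAM_TAG = "# Warning: Possible Spam or Fraud! #"


def validate_settings(settings):
    """settings: {classification: (score_level, action)}; raises ValueError if unusable."""
    for classification in CLASSIFICATIONS:
        if classification not in settings:
            raise ValueError(f"no setting for {classification!r}")
        level, action = settings[classification]
        if not 0 <= level <= 100:
            raise ValueError(f"score level for {classification!r} must be between 0 and 100")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} for {classification!r}")
    return settings


def decide(classification, score, subject, settings):
    """Apply the configured score level and action to one email.

    Returns a dict with:
      flagged  - True if the score reached the level, so the email shows as SPAM in the view
      status   - DELIVERED, QUARANTINED or REJECTED
      subject  - the subject as the recipient would see it (tagged for the Tag Subject action)
    """
    if classification not in settings:
        raise ValueError(f"unknown classification {classification!r}")
    level, action = settings[classification]
    if score < level:
        # Below the threshold: not flagged, delivered untouched.
        return {"flagged": False, "status": "DELIVERED", "subject": subject}
    if action == "Reject":
        return {"flagged": True, "status": "REJECTED", "subject": subject}
    if action == "Quarantine":
        return {"flagged": True, "status": "QUARANTINED", "subject": subject}
    if action == "Tag Subject":
        return {"flagged": True, "status": "DELIVERED", "subject": f"{SPAM_TAG} {subject}"}
    # Action None: still flagged as SPAM in the view, but delivered unaltered.
    return {"flagged": True, "status": "DELIVERED", "subject": subject}


# Constructed settings; the score levels are not Heimdal's presets.
SAMPLE_SETTINGS = validate_settings({
    "Confirmed Spam": (1, "Reject"),
    "High Possible Spam": (2, "Quarantine"),
    "Possible Spam": (2, "Quarantine"),
    "Suspected Spam": (3, "Tag Subject"),
    "All other Emails": (100, "None"),
})

if __name__ == "__main__":
    for cls, score in (("Suspected Spam", 2), ("Suspected Spam", 3), ("Possible Spam", 2), ("Confirmed Spam", 50)):
        print(cls, score, decide(cls, score, "Invoice attached", SAMPLE_SETTINGS))
```

The first two calls in the usage block are the article's first example (score 2 below a level of 3 is delivered unflagged; score 3 is flagged and, with Tag Subject, delivered with the tag), and the third is its second example (Possible Spam at level 2 with Quarantine is quarantined).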
Presets - allow you to use the recommended presets for Anti-Spam settings: Moderate (relaxed settings), Default (regular settings), Aggressive (restrictive settings);
Newsletter scanning - will scan for emails that are newsletters or look like newsletters;
Security Settings
In the Security Settings section, you can change the different Security Settings for Email Security.
Antivirus & Anti-Malware - allows you to activate or deactivate the malware & virus detection engines. This can be used to diagnose false positives, in the event that Email Security detects legitimate emails and/or attachments as harmful or as containing malware;
Advanced Threat Protection (this feature is included in the Email Security Advanced licensing option) - allows you to activate or deactivate the detection systems against advanced threats. This can be used to diagnose false positives, in the event that legitimate emails and/or attachments are detected as harmful or as containing advanced threats.
Email Security Advanced Threat Protection - enable/disable Advanced Threat Protection, which detects new threats through Machine Learning and Dynamically developed detection mechanisms. The ATP has been integrated with the DarkLayer Guard filter, which increases the detection capabilities;
Email Security Macro Analyzer - allows you to execute macros and scripts within emails in a sandboxed environment for analysis & detection;
Email Security SHA256 Analyzer - this feature quickly checks the email blocked by Email Security Advanced Threat Protection against the online malware analysis services VirusTotal and Payload Security. This can be of use in gaining more information on a specific malware sample. Email Security generates a SHA256 hash checksum for each file detected as suspicious/bad/harmful/malicious. You can run the search or even download email parts through the Messaging Logs interface. To search & locate any email blocked by Email Security Advanced Threat Protection in Messaging Logs, you have to left-click the email and select Attachments. Here you will have the option to check the attachment's checksum directly at VirusTotal or Hybrid Sandbox. You can download the full attachment for further investigation and analysis, but please be aware that downloading the full attachment can be a security risk (this will also be communicated via a dialog box before the download);
Email Security PDF Analyzer - executes PDF files and other container files within emails in a sandboxed environment for analysis & detection;
Email Security Phishing Protection - enable or disable the detection systems against phishing emails. This can be used to diagnose false positives, if Email Security detects legitimate emails as phishing emails;
Force ATP scanning if released - allows the email to be scanned by the ATP Email Security engines after being released from quarantine (due to previously having been detected by the Antivirus, Anti-Malware, and Anti-Spam engines). An email that is not confirmed malicious by the Advanced Threat Protection will be delivered, but it will be flagged as Released to ATP. If Advanced Threat Protection confirms that the email is malicious, the email will be quarantined and the type will be changed from Released to ATP into ATP;
Action on Detection - allows you to configure the actions that will be taken by Email Security on emails containing threats, categorized by malware, ATP, and Phishing (None, Quarantine, Tag Subject, Reject);
Blocklist, Allowlist & Greylist
These functionalities will allow you to add email addresses, domains, IP Addresses, or Email Subjects to the Blocklist or the Allowlist, thus regulating specific email senders your organization needs to always block or allow.
Blocklist - allows you to blocklist an email address, a domain, or a sender IP Address that is sending emails to your domain or to blocklist an email based on the email subject and take action against them (Quarantined, Reject, Delete). If you want to edit an existing blocklisting rule, you can click the Pencil button:
In the Blocklist editor, you can edit the action that will be performed on the email matching the blocklist rule and you can leave a note for any HEIMDAL Dashboard Administrator that will go through these settings.
The Allowlist takes precedence over the Blocklist, so, if you allowlist the sender's email address (test@example.com) and blocklist the sender's domain (example.com), the email should be received by the recipient.
The Import CSV functionality allows you to import a blocklist from a CSV file (you can download a sample by hovering over the Blocklist info bubble).
Allowlist - allows you to allowlist an email address, a domain, or a sender IP Address that is sending emails to your domain, or to allowlist an email based on the email subject, and can be customized to bypass different scanning methods. Under normal circumstances, it is not advisable to allowlist sender IP Addresses, as this can provide open access for threats and spam in the event the sender's network or endpoints are compromised. If you want to edit an existing allowlisting rule, you can click the Pencil button:
In the Allowlist editor, you can edit the allowlisting settings performed on the email matching the allowlist rule and you can leave a note for any HEIMDAL Dashboard Administrator that will go through these settings.
- SPF/DMARC scanning - while unticked, the specified email address/domain/IP Address will be whitelisted for SPF/DMARC scanning;
- Spam scanning - while unticked, the specified email address/domain/IP Address will be whitelisted for Spam scanning;
- Virus scanning - while unticked, the specified email address/domain/IP Address will be whitelisted for Virus scanning;
- Attachment detection - while unticked, the specified email address/domain/IP Address will be whitelisted for attachment scanning;
- Advanced Threat Protection - while unticked, the specified email address/domain/IP Address will be whitelisted for Advanced Threat Protection scanning;
- Non-TLS block - while unticked, the specified email address/domain/IP Address will allow emails that are not sent with TLS;
- Check Header - while enabled, the header sender information will be checked. The SPF/DMARC scanning engine will not be whitelisted for security reasons.
The Allowlist takes precedence over the Blocklist, so, if you allowlist the sender's email address (test@example.com) and blocklist the sender's domain (example.com), the email should be received by the recipient. Allowlisting an email based on the subject will NOT bypass the SPF/DMARC check even if it's disabled in the allowlist.
The Import CSV functionality allows you to import an allowlist from a CSV file (you can download a sample by hovering over the Allowlist info bubble).
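The precedence rules described above (an Allowlist match wins over a Blocklist match, a subject-based Allowlist entry never skips the SPF/DMARC check, and the Allowlist may match on the Header From instead of the Envelope From) as an added worked example. This is illustrative code written for this article, not Heimdal's implementation; the Rule model, the scan names and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

# Scan stages an allowlist entry may bypass (names constructed for this example).
SCANS = ("spf_dmarc", "spam", "virus", "attachment", "atp", "non_tls")

@dataclass
class Rule:
    kind: str                  # "address" | "domain" | "ip" | "subject"
    value: str
    action: str = "Reject"     # blocklist only: Quarantine | Reject | Delete
    bypass: set = field(default_factory=set)  # allowlist only: scans to skip

def _matches(rule, envelope_from, header_from, ip, subject, use_header_from):
    # "Allowlist based on Header from" switches which sender address is compared.
    sender = (header_from if use_header_from else envelope_from).lower()
    v = rule.value.lower()
    if rule.kind == "address":
        return sender == v
    if rule.kind == "domain":
        return sender.rsplit("@", 1)[-1] == v
    if rule.kind == "ip":
        return ip == v
    if rule.kind == "subject":
        return v in subject.lower()
    return False

def evaluate(allowlist, blocklist, envelope_from, header_from, ip, subject,
             use_header_from=False):
    """Return (verdict, scans_still_to_run).

    Allowlist takes precedence over Blocklist: test@example.com allowlisted
    plus example.com blocklisted still delivers the mail. A subject rule
    never bypasses SPF/DMARC, even if that box was unticked on the entry.
    """
    args = (envelope_from, header_from, ip, subject, use_header_from)
    scans = set(SCANS)
    allow_hits = [r for r in allowlist if _matches(r, *args)]
    if allow_hits:
        for r in allow_hits:
            bypass = set(r.bypass)
            if r.kind == "subject":
                bypass.discard("spf_dmarc")
            scans -= bypass
        return "Allowed", scans
    for r in blocklist:
        if _matches(r, *args):
            return r.action, set()
    return "Scan", scans
```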
End Users Allowlist & Blocklist - allows admins to manage all user-level (personal) rules found in the End User Console. It displays both the Allowlist and Blocklist rules. Users having access to the Network Settings will be able to edit or delete rules from this grid. When it comes to editing, the only allowed action is switching a rule's type between Allowlist and Blocklist. When a rule is deleted, it will also be removed from the End User Console of that specific account.
The grid is visible only if the "User Quarantine Report by Email" and "End User Console" checkboxes are ticked, under the Quarantine Settings tab, when editing an existing domain.
Domain greylist threshold - allows you to enable and set the domain greylisting interval from 1 to 90 days. Domain Greylisting will collect and store data on sending domain names for the number of days set on the threshold slider. This feature works in conjunction with Tag greylisted emails, which adds a tag (# Unknown domain: Possible spam/phishing mail #) in the Subject field of each email that is coming from a sender's domain name that has not been sending emails to your organization in the last 1 to 90 days (according to the value set on the Domain greylist threshold). We recommend having the Domain greylist threshold activated for at least 30 days prior to enabling the Tag greylisted emails option for better data collection. Also, know that the data collection on sending domain names will only be done if all of the following conditions are met:
- recipient's domain is not the same as the sender's domain;
- sender's domain is not in the list of common domains;
- sender's domain was not whitelisted.
Tag greylisted emails - adds a tag (# Unknown domain: Possible spam/phishing mail #) in the Subject field of each email that is coming from a sender's domain name that has not been sending emails to your organization in the last 1 to 90 days (according to the value set on the Domain greylist threshold). Each email will be scanned in the background.
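The greylisting behaviour described above as an added worked example: sending domains are recorded only when the three collection conditions hold, tagging is a separate switch that can be enabled after a collection period, and a domain counts as unknown when it has not sent mail within the threshold. This is illustrative code written for this article, not Heimdal's implementation; the list of common domains is a constructed sample.

```python
from datetime import date, timedelta

COMMON_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed sample
GREYLIST_TAG = "# Unknown domain: Possible spam/phishing mail #"

class DomainGreylist:
    """Tracks when each sending domain was last seen and tags mail from
    domains not seen within the threshold (simplified model)."""

    def __init__(self, threshold_days, tag_enabled=False, allowlisted=()):
        if not 1 <= threshold_days <= 90:
            raise ValueError("Domain greylist threshold must be 1..90 days")
        self.threshold = timedelta(days=threshold_days)
        self.tag_enabled = tag_enabled          # "Tag greylisted emails"
        self.allowlisted = {d.lower() for d in allowlisted}
        self.last_seen = {}                     # sender domain -> last date seen

    def _collects(self, sender_domain, recipient_domain):
        # The three conditions under which sending-domain data is collected.
        return (sender_domain != recipient_domain
                and sender_domain not in COMMON_DOMAINS
                and sender_domain not in self.allowlisted)

    def process(self, sender, recipient, subject, today):
        """Return the subject, with the greylist tag prepended when the
        sender's domain is unknown and tagging is enabled."""
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        recipient_domain = recipient.rsplit("@", 1)[-1].lower()
        if not self._collects(sender_domain, recipient_domain):
            return subject
        seen = self.last_seen.get(sender_domain)
        known = seen is not None and (today - seen) <= self.threshold
        self.last_seen[sender_domain] = today   # data collection happens regardless
        if self.tag_enabled and not known:
            return f"{GREYLIST_TAG} {subject}"
        return subject
```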
Attachment Settings
This feature will allow you to change the different settings for an email with attachments. The attachment filters can be enabled for specific file extensions. As an increasing number of threats are trying to bypass email filters by filename and/or file parser manipulation, Email Security also provides an advanced attachment filter, based on inspection and analysis of each attached file. The advanced attachment filter will also safeguard against users renaming or manipulating their files to bypass policies your organization has set up for allowable file types for email transmission. You also have the option to select specific actions on detection, for different file extensions.
- Executables - allows you to intercept and take action on emails with attached executable files (EXE files);
- Dangerous files - allows you to intercept and take action on emails with attached files with the following file extensions: .ac .air .apk .app .applescript .awk .bas .bat .cgi .chm .cmd .com .cpl .crt .csh .dld .dll .drv .elf .exe ._exe .fxp .hlp .hta .inf .ins .inx .isu .iqy .jar .js .jse .jsp .kix .ksh .lib .lnk .mcr .mem .mht .mpkg .mrc .ms .msc .msi .msp .mst .ocx .pas .pcd .pif .pkg .pl .prc .prg .py .pyc .pyo .reg .scpt .scr .sct .seed .sh .shb .shs .spr .sys .thm .tlb .udf .url .uue .vb .vbe .vbs .vdo .wcm .ws .wsc .wsf .wsh .xap .zlq .wmf;
- Password Protected Files - allows you to intercept and take action on emails with attached files that are password protected (usually archives);
- Multiple file extensions - all the emails having attachments made of more than one extension will be handled based on the selected Action on Detection;
- Filtering by Extension - allows you to define your own file extensions to be filtered by the Email Security engine. Please note that threats in attachments are masked by false file extensions that do not match the real content of the attachment. This feature works only for the Inbound mail flow and will block emails including external attachments;
- Add Extension - allows you to add a file extension (E.g. exe, without the dot [.] in front of the file extension);
- Action on Detection - allows you to add a specific action for the specified extension. The actions are None (do nothing with the email and allow it to go through), Quarantine (quarantine it), TagSubject (add a prefix in front of the subject) or Reject.
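The attachment filters above as an added worked example, including the point that the filename alone cannot be trusted: the executable check also looks at the file content, so a renamed EXE is still caught, and password-protected ZIP archives are recognized from the archive's encryption flag. This is illustrative code written for this article, not Heimdal's advanced attachment filter; the dangerous-extension set is a subset of the page's list and the magic-byte table is an assumption.

```python
# Subset of the page's "Dangerous files" extension list (constructed for brevity).
DANGEROUS_EXTENSIONS = {"exe", "bat", "cmd", "js", "jse", "vbs", "scr", "msi",
                        "hta", "lnk", "jar", "ps1" if False else "pif"}
EXECUTABLE_EXTENSIONS = {"exe"}
# Minimal magic-byte table for content inspection (assumed, not Heimdal's method).
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}

def extensions_of(filename):
    """All extensions after the base name: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def content_type(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def zip_is_encrypted(data):
    # ZIP local file header: bit 0 of the general purpose flag (offset 6) = encrypted.
    return len(data) >= 8 and bool(data[6] & 0x01)

def classify(filename, data, custom_extensions=()):
    """Return the attachment filter category that fires, or None."""
    exts = extensions_of(filename)
    last = exts[-1] if exts else ""
    real = content_type(data)
    if real == "exe" or last in EXECUTABLE_EXTENSIONS:
        return "Executables"            # content check defeats renaming
    if real == "zip" and zip_is_encrypted(data):
        return "Password Protected Files"
    if last in DANGEROUS_EXTENSIONS:
        return "Dangerous files"
    if len(exts) > 1:
        return "Multiple file extensions"
    if last in {e.lower().lstrip(".") for e in custom_extensions}:
        return "Filtering by Extension"
    return None

def apply_policy(filename, data, actions, custom_extensions=()):
    """actions maps category -> None | Quarantine | TagSubject | Reject."""
    category = classify(filename, data, custom_extensions)
    return category, (actions.get(category) if category else None)
```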
Quarantine Settings
This feature allows you to change the notification settings for emails that have been sent to quarantine by Email Security. Depending on the configuration, Email Security sends email notifications to the users that receive emails that get quarantined, but also allows Administrators to receive email notifications about the emails that are quarantined in your organization. You can select what types of quarantined emails to add to the report, and also define if it’s possible to preview and release the emails directly from the Quarantine Report.
General Quarantine Report Settings - allows you to set a sending schedule for the Quarantine Report. It can be configured for daily sending, weekly sending, or hourly sending;
End user Custom Quarantine Report - allows the user to generate a custom Quarantine Report for the number of days selected on the slider. It can be generated by pressing the Get Report button or from the regular Quarantine Report email;
Allowlist based on Header from - the Allowlist entries will take into consideration the Header From address instead of the Envelope From address.
View & Edit Quarantine Report - allows you to set the limits of the classification to be included in the Quarantine Report;
- View & Edit Template - allows you to customize the way the Quarantine Report header and footer look;
- Spam limits - allows you to define the Score Level interval for each Spam Classification to be included in the Quarantine Report;
- Test report - this feature allows you to send a test Quarantine Report to an email address that you specify;
- Get Report - manually sends a Quarantine Report to the specified email address;
Admin Quarantine Report by Email - allows you to enable the Quarantine Report for Administrators only. This report includes all quarantined emails from within your organization in one complete Quarantine Report. You can add one or more recipients using the Receivers field (comma-separated list). To avoid spam-releasing conflicts, enabling this feature will disable the User Quarantine Report;
User Quarantine Report by Email - allows you to enable the User Quarantine Report to be sent to recipients of quarantined emails. The users who do not receive any quarantined emails will not receive a User Quarantine Report. To avoid spam-releasing conflicts, enabling this feature will disable the Admin Quarantine Report;
End user console - allows end users to access their personal/individual dedicated Email Security portal that allows them to view the emails received on their email address, release quarantined emails, and add new entries in the Allowlist/Blocklist. The personal/individual dedicated Email Security portal can be accessed through the following URL: https://rc-dashboard.heimdalsecurity.com/emailspamfilterlogs/index, where the user needs to input their email address (it needs to be a valid email address) to get access through a temporary token that is valid for 24 hours (from the moment it was generated). This option is available only if User Quarantine Report by Email is enabled;
Advanced Threat Protection - allows you to define what type of quarantined emails should be included in the Quarantine Report (Spam, Malware, ATP, Attachment, SPF, Non-TLS, Newsletter, EFP) and to enable whether to Preview, Release, or Allow the Sender of a quarantined email right from the Quarantine Report notification.
If the Allow Sender Personal option is enabled, it will authorize end users to add the sender to their personal Allowlist from the email Quarantine Report and the End User Console. The new option will work only when the User Quarantine Report By Email and End User Console checkboxes are enabled. This option will also act as a restriction for a user logged to their End User Console, for a particular email type (for example, if the Newsletter type is not ticked/ enabled in the GP area), in regard to the Add Sender to Allowlist option, as showcased below.
If the Release option (from the Quarantine Settings tab), for a particular email type, is not ticked/ enabled, it will restrict the end user from releasing emails of that particular type, in the End User Console.
If Allow Sender Personal is checked for a particular email type, a new option will be displayed, on the end user side, after clicking the Allow Sender button, from the Quarantine report, and the option is called Add Sender to Personal Allowlist.
If Allow Sender Global is checked for a particular email type, a new option will be displayed, on the end user side, after clicking the Allow Sender button, from the Quarantine report, and the option is called Add Sender to Global Allowlist.
Activating any of the Allow Sender Global or Allow Sender Personal checkboxes, or both, will activate the Allow Sender option within the email Quarantine Report. Clicking on the Allow Sender button opens a page similar to the Preview one that displays at the bottom the buttons to Add Sender to Global Allowlist, Add Sender to Personal Allowlist, or both.
Activating the checkboxes for the Allow Sender Personal row will activate the Allow options within the Details modal window, in the End user console.
Unchecking these tickboxes or one of the following options: Preview or Include in Report, will also make the Add X to Allowlist buttons inactive. While inactive, hovering on each button will display the reason for inactivity.
While inactive, the Add Header Sender to Allowlist and Add Header Domain to Allowlist buttons will not be displayed.
Limits
This feature allows you to set a limit for the outbound mail flow in terms of minute rate and daily rate:
Outbound minute rate - allows you to set an outbound minute rate of 10 to 200 minutes;
Outbound daily rate - allows you to set an outbound daily rate of 500 to 10,000 emails per day. All emails that exceed the limit will be rejected.
SMTP AUTH USERS
This feature allows you to add an SMTP Authenticated User for a Printer or a Copy-Machine to send emails through Email Security. To use this feature you need to specify a username, a password, and an IP Address:
- Username: smtp (or any other username)
- Password: <your-password>
- Confirm Password: <confirm-your-password>
- IP Address: <your-IP-Address>
Press Add, then Save changes and Update Network Settings.
To test the SMTP Auth feature, you can use the following command line in a PowerShell window or the script below:
Send-MailMessage -From 'smtp@yourdomain.com' -To 'recipient@otherdomain.com' -Subject 'Test Email' -Body 'Testing the SMTP Relay Service' -SmtpServer 'eu-esec-outbound.heimdalsecurity.com' -UseSsl -Port 587 -Credential (Get-Credential)
You will be prompted to insert the credentials (smtp@yourdomain.com and password) you added in the HEIMDAL Dashboard. Although in the HEIMDAL Dashboard the username does not include the domain, in the authentication popup you are required to specify the domain.
# Force TLS 1.2 for the SMTP session
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# SMTP AUTH user from the HEIMDAL Dashboard; the username must include the domain here
$username = 'test@yourdomain.com'
$password = 'mypassword1234'
$securepassword = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($username, $securepassword)
# Send a test message through the outbound relay of your region (see the list below)
Send-MailMessage -From 'test@yourdomain.com' -To 'test@internet.com' -Subject 'Test Email' -Body 'Testing the SMTP Relay Service' -SmtpServer 'eu-esec-outbound.heimdalsecurity.com' -UseSsl -Port 587 -Credential $mycreds
Make sure you use the Email Security outbound server corresponding to your region:
- eu-esec-outbound.heimdalsecurity.com with ports 25, 587, 2525 (for customers stored in the Europe region);
- us-esec-outbound.heimdalsecurity.com with ports 25, 587, 2525 (for customers stored in the United States region);
- uk-esec-outbound.heimdalsecurity.com with ports 25, 587, 2525 (for customers stored in the United Kingdom region).
Copy settings
This feature consists of a pop-up modal that will allow you to copy the settings from the domain that is being edited to another domain (or multiple domains) configured in the Email Security module. It is important to know that the domain that is being edited will include the changes you have already applied on each tab.