Weloud Email Security Administrator's Guidewiki.cloudservices.no/lib/exe/fetch.php/no:... · Date:...

WeCloud Email Security

Administrator's Guide

Postal Adress Visit Adress Phone Fax Bank Account Organisation no. Adelgatan 11 Adelgatan 11 Nat 010-6900650 Nat 073-5276702 618-1119 556804-5628 21122 Malmö 21122 Malmö Int +46 10 6900650 Int +46 73 5276702 Email Web [email protected] www.wecloud.com

WeCloud Email Security – Administrator's Guide

WeCloud Email Security provides a variety of useful features within a user-friendly web console to manage the functions including whitelisting of sender domains, releasing an email from quarantine and forensic search capability of email logs.

This document provides a detailed description of all features and settings enabling you to quickly and easily take advantage of WeCloud Email Security.

Please note that all screenshots in this guide are from WeCloud’s development environment so there could be minor differences from the public clouds.

If you feel that we missed out on something you expected to find in this guide, please tell our support.

WeCloud Operating Status:

Operating status: http://status.wecloud.se

Administration:

Scandinavian Cloud: https://admin.mx-wecloud.net

International Cloud: https://intadmin.mx-wecloud.net

Partner Administration:

Scandinavian Cloud: https://partner.mx-wecloud.net

International Cloud: https://intpart.mx-wecloud.net

Contact Information:

Support: [email protected]

Order: [email protected]

Renewal: [email protected]

Date: 2017-05-18

Version: 17.05

http://status.wecloud.se/

https://admin.mx-wecloud.net/

https://intadmin.mx-wecloud.net/

https://partner.mx-wecloud.net/

https://intpart.mx-wecloud.net/

mailto:[email protected]




New features in version 17.05

Below are the release notes for version 17.05 including a brief description of the new features introduced in this release.

New Statistics

A brand new statistics module is being introduced. The new module offers an updated graphical design, as well as additional data and details such as top-malware, per-user-stats, top-senders and archive usage. 2-Factor authentication

To improve security and privacy we introduce the option to require SMS-verification passcodes in addition to username/password for administrator access to the Email Security Portal. IP-adress restricted access

To improve security and privacy we introduce the option to restrict access to the customers Email Security Portal from selected IP-numbers or IP-ranges. Filter by custom header

Option to quarantine emails based on custom headers or header values. Emails triggering the custom header rules can either be stored in the regular spam quarantine (and thus available to end-users) or in the admin quarantine (and thus only available to admins). VBA Macro Detection

Emails containing attached Microsoft Office files with active content (VBS Macros) may now be detected and blocked. The setting may be applied to a company profile, domain or a specific user. Brute force protection

Extended brute-force protection to improve security and privacy. Automatic lock-out if brute force attempts are detected. Option to disable spam feedback

The WeCloud Email Security system is continuously sending feedback containing spam, IP, sender, FP's and more from the live email flow to improve the hitrate and quality of filter. New option introduced with this release allows for disabling of spam feedback on a per-customer-level. Please contact WeCloud support if you want to disable spam feedback. Domain specific QMS customisation

QMS-report may now be customised on a per-domain-level. Optimised whitelabeling for partners

Whitelabeling for partners has been optimized and now includes option to whitelabel QMS and notifications. Bugfixes

Counter for bypassed emails now added to overview. File type on outbound file type blocks now displayed in logs. Additional reasons displayed for BMA filtering. Whitelist from overview fixed. Other minor backend bugs fixed.


The Overview

1. Domain selector - All logs and settings are domain specific so make sure that you have the correct domain selected

2. Administration tabs

2.1. Overview - Quarantine and logs

2.2. Archive - Archived emails (licensed separately)

2.3. Settings - Configuration options

2.4. Statistics – Historical statistics

2.5. Logout

3. Quarantine

3.1. Inbound quarantine – Inbound emails quarantined by the spam filter (Note: these are the emails that are reported to the end-users if QMS is enabled)

3.2. Outbound quarantine – Outbound emails quarantined by either spam filter or policies

3.3. Admin Quarantine – This quarantine contains inbound emails that are quarantined for other reasons than spam

4. Mail Filters

4.1. Delivered – This allows for log searches for delivered emails

4.2. Blocked – This allows for log searches for blocked emails

4.3. Failed – This allows for log searches of failed deliveries (where the recipient server refuses to accept the email from WeCloud’s servers)


5. Tools

5.1. Advanced Filter - This allows for advanced log searches across all types of emails

5.2. Hold Queue - This contains all emails that are queued for retry

5.3. Pending - This contains emails that has been processed by the filter but hasn't been written to the log database yet

5.4. Release Selected - This tool allows you to select multiple emails in the Quarantine and release them all at once (this is only available when the Quarantine is selected)

5.5. Export to csv - This allows you to export your current search result to a csv file (this will open a new tab for the download in your browser)


Log Searches

1. Search options - This field allows you to define your search, the options available depends on what tool is selected in the left-hand menu. All options can be combined for granular searches.

1.1. Wildcard search – by checking this box Sender/Recipient/Subject can be searched using partial addresses/subjects (Note: large wildcard searches can take longer to complete)

1.2. Sender – The sending address

1.3. Recipient – The recipient address

1.4. Subject – The subject of the email

1.5. Time ranges - Quick functions for defining a time frame for the search

1.6. Date from - Define the start date of the search

1.7. Date to - Define the end date of the search

1.8. Type - Define what type of email you're searching for (this is only available in Advanced Filter)

2. Search controls

2.1. Reset all search terms

2.2. Perform a search using the selected criteria

3. Search result – Click any email to get more detailed information (see details further on). Search results are shown using infinity scroll, so whenever the bottom of the result list is reached the service will collect more logs (20 at a time).

3.1. The search result will be split up into days

3.2. Shows the status of the email and also the country of origin of the sending server

3.3. Shows the time of the email reaching WeCloud's servers


3.4. Shows the recipient address of the email

3.5. Shows the sending address of the email (note: This is the envelope-sender)

3.6. Shows the subject of the email


Inbound Quarantine email details

1. Content selector

1.1. Shows the details and body of the email

1.2. Shows the headers of the email (Note: Due to privacy settings for your account this option might not be available)

1.3. Shows the audit logs for the email

2. Status bar –-This will show the status of the email (note: the released status is only visible until your email server has accepted the released email, then the email is moved from the quarantine to the delivered logs)

3. Message details

3.1. Subject of the email

3.2. Recipient of the email

3.3. Sender of the email (Note: this is the envelope-sender), click the drop-down to get a quick- access to whitelist or blacklist the sender or the sending domain

3.4. The time the email arrived in the filter

3.5. Size of the email

3.6. IP of the server sending the email, click the drop-down to get a quick-access to whitelist or blacklist the sender


3.7. Country of origin of the server sending the email, click the drop-down to get a quick-access to set actions based on the country of origin

3.8. WeCloud ID of the email

3.9. TLS info for the email (Note: this is only visible if the email was sent using TLS)

3.10. Reason for quarantining the email

4. Content of the email – This will show the content of the email in a safe text-only format (Note: Due to privacy settings for your account this option may not be available)

5. Release functions

5.1. Enter the email address to release the email to (this will default to the original recipient)

5.2. Release the email to the address specified in 5.1, this will automatically report the email to WeCloud as a false positive


Outbound Quarantine email details

1. Content selector




2. Status bar –-This will show why the status of the email (note: the released status is only visible until your email server has accepted the released email, then the email is moved from the quarantine to the delivered logs)

3. Message details



3.3. Sender of the email (Note: this is the envelope-sender)



3.6. IP of the server sending the email

3.7. Country of origin of the server sending the email







5.1. This field lists all recipients of the email

5.2. Release the email to the recipient(s) specified in 5.1, this will automatically report the email to WeCloud as a false positive in the case of a suspect spam block


Admin Quarantine email details

1. Content selector




2. Status bar –-This will show the status of the email (note: the released status is only visible until your email server has accepted the released email, then the email is moved from the quarantine to the delivered logs)

3. Message details



3.3. Sender of the email (Note: this is the envelope-sender), click the drop-down to get a quick- access to whitelist or blacklist the sender or the sending domain




3.7. Country of origin of the server sending the email, click the drop-down to get a quick-access


to set actions based on the country of origin






5.1. Enter the email address to release the email to (this will default to the original recipient)

5.2. Release the email to the address specified in 5.1


Delivered email details

1. Content selector

1.1. Shows the details of the email

1.2. Shows the delivery logs for the email


2. Status bar - This will show that the email has been delivered

3. Message details



3.3. Sender of the email (Note: This is the envelope-sender), click the drop-down to get a quick-access to whitelist or blacklist the sender






3.9. TLS info for the email (Note: This is only visible if the email was delivered using TLS)

3.10. This shows the IP of the server that the email has been delivered to

3.11. This shows the response from the server the email was delivered to


Blocked email details

Content selector



2. Status bar - This will show why the email was blocked

3. Message details

3.1. Subject of the email (Note: This will be empty if the email was blocked before the data of the email was received)


3.3. Sender of the email (Note: this is the envelope-sender), click the drop-down to get a quick- access to whitelist or blacklist the sender


3.5. Size of the email (Note: This will be shown as 0.0 kb if the email was blocked before the data of the email was received)






Failed email details

Content selector


1.2. Shows the delivery logs for the email


2. Status bar - This will show that the email delivery failed

3. Message details



3.3. Sender of the email (Note: this is the envelope-sender), click the drop-down to get a quick- access to whitelist or blacklist the sender







3.10. This shows the IP of the server that the delivery attempt was made to

3.11. This shows the response from the server the email was delivered to


Archive

1. Domain selector - All archived emails are indexed on the domain so make sure that you have the

correct domain selected

2. Archive tools

2.1. Restore Selected - This allows you to restore the selected emails to the original recipients

2.2. Export to csv - This allows you to export your current log search to a csv file (this will open a new tab for the download in your browser)

3. Search options

3.1. Sender - Define parts of or a full sender address (any term entered will automatically start and end with wildcards)

3.2. Recipient - Define parts of or a full recipient address (any term entered will automatically start and end with wildcards)

3.3. Time ranges - Quick functions for defining a time frame for the search

3.4. Date from - Define the start date of the search

3.5. Date to - Define the end date of the search

4. Search controls

4.1. Reset all search terms

4.2. Perform a search with the selected criteria

5. Search result - Any email can be clicked to get more detailed information (see details further on). Search results are shown using infinity scroll, so whenever the bottom of the result list is reached the service will collect more logs (20 at a time).

5.1. The search result will be split up into days

5.2. Shows the status of the email and also the country of origin of the sending server

5.3. Shows the time of the email reaching WeCloud's servers


5.4. Shows the recipient address of the email

5.5. Shows the sending address of the email (note: This is the envelope-sender)

5.6. Shows the subject of the email

5.7. Shows the size of the email


Archived email details

1. Content selector

1.1 Shows the details of the email

1.2 Shows the headers of the email (Note: Due to privacy settings for your account this option might not be available)

1.3 Shows the audit logs for the email

1.4 Advanced tools

1.4.1 Report the email as a missed spam

1.4.2 Open the original email (Note: Due to privacy settings for your account this option might not be available)

1.4.3 Download the original .eml file (Note: Due to privacy settings for your account this option might not be available))

2. Message details

2.1 Subject of the email

2.2 Recipient of the email

2.3 Sender of the email (Note: this is the envelope-sender)

2.4 The time the email arrived in the filter

2.5 Size of the email

2.6 IP of the server sending the email


2.7 Country of origin of the server sending the email

2.8 WeCloud Archive ID of the email

2.9 A list of the attached files in the email (Note: This is only visible if there are attached files in the email)

3. Content - This shows the content of the email in a safe text-only format (Note: Due to privacy settings for your account this option might not be available)

4. Restore functions

4.1 Address part of the email address to restore the email to (this will default to the original recipient)

4.2 Domain part of the email address to restore the email to (this will be locked to the original domain)

4.3 Restore options


Settings menu

1. Overview of the functions activated

2. Antispam settings

3. QMS settings (Spam digest)

4. Antivirus settings

5. Inbound settings

6. Outbound settings

7. Archive options (these are read-only)

8. Custom lists for blocking and allowing emails

9. Diagnostic tool for troubleshooting mailflow

10. Creating and editing Administrators

11. True Users is to define what email addresses exists for the domain

12. Admin access to users’ quarantine zones and personal black/whitelists

13. Interface settings

14. Define what domains should be controlled by a company profile

15. Change password for the current admin account


Overview Settings

1. Settings overview

1.1. AntiSpam status

1.2. QMS status

1.3. AntiVirus status

1.4. Archive status

1.5. True Users status

2. Entries overview

2.1. Number of administrators registered for the domain

2.2. Number of True Users addresses registered for the domain

2.3. Number of addresses/domains whitelisted for the domain


2.4. Number of addresses/domains blacklisted for the domain

2.5. Number of originating countries with a default action defined for the domain

2.6. Number of file extensions blocked for the domain

2.7. Number of IP addresses whitelisted for the domain

2.8. Number of IP addresses blacklisted for the domain

2.9. Number of addresses/domains bypassing the antivirus for the domain

2.10. Number of addresses/domains bypassing BMA for the domain

2.11. Number of addresses/domains bypassing the file extension rules for the domain


Antispam Settings

1. Save your changes - The changes takes effect immediately

2. Audit logs

3. First layer defense

3.1. HeloCheck - This will block emails where the sending server does not give a proper FQDN in the initial server greeting

3.2. SPF engine - This will block any email where the sending domain has a hardfail in their SPF and the sending server/IP is not included in the SPF record (Note: This needs to be enabled for the other SPF options to be functional, it is also required for the Domain Protection function)

3.3. Quarantine SPF softfail - This will quarantine any email where the sending domain has a softfail in their SPF and the sending server/IP is not included in the SPF record

3.4. SPF Block Temperror – This will block any emails where the lookup of the sender’s SPF Record causes temporary error

3.5. SPF Block permerror – This will block any emails where the resolve of the sender’s SPF Record causes a permanent error

3.6. Enable IP Reputation (RBL) - This checks if the sending IP is blacklisted and blocks emails from blacklisted IPs

3.7. Block Mailer-demons - This will block mailer-daemon delivery reports


3.8. Quarantine Newsletters – This will quarantine newsletters based on the presence of unsubscribe links the headers

3.9. Sender domain check - This checks if the sending domain is valid and otherwise blocks the email

4. Content scanner options

4.1. Content scanner On/Off

4.2. Threshold for detecting spam based on content, the higher the threshold the "softer" the filter is, WeCloud do not recommend setting a higher score than 5 or lower than 3

4.3. Action for emails detected by the content engine. The options are: Quarantine - Quarantine the email Tag Subject - Allow the email but tag the subject (Note: An additional field appears below this option to allow for the tag to be defined) Tag Header - Allow the email but tag it with an X-Header


QMS Settings


2. Audit logs

3. QMS Options

3.1. QMS On/Off – If On a spam digest will be sent out regularly according to the QMS settings

3.2. QMS Type – This defines the format of the QMS report, the options are: Email notification – This is a notification containing the number of new emails in quarantine and a link to the online quarantine Email overview – This is a notification containing a full list of the new emails in quarantine (please see the separate QMS guide for an example)


3.3. QMS Interval – This defines the interval of the QMS report, the options are: 1 day – This schedules a daily QMS report 1 week – This schedules a weekly QMS report

3.4. QMS Recipient – If this field contains an email address on your domain the QMS report for the domain will be sent to this address instead of personal QMS reports being sent to the end-users

3.5. QMS black/whitelist – This defines if the end-users should be allowed to create personal black/whitelists within their quarantine portal (please see the separate QMS guide for more information)

4. QMS Customization

4.1. QMS Subject – This will override the default subject for the QMS report

4.2. QMS header – Any text entered here will be inserted at the top of the mail body of the QMS report

4.3. QMS footer – Any text entered here will be inserted at the bottom of the mail body of the QMS report

4.4. QMS sender – This will override the default sender of the QMS report (Note: This will only change the From: header of the email and not the envelope-sender)


Antivirus Settings

1. Save your changes - The changes take effect immediately

2. Audit logs

3. Antivirus On/Off

4. Block nested zips On/Off – If this is set to on the filter will block any emails containing nested zips (a zip file within a zip file)

5. Block encrypted zip files On/Off – If this is set to on the filter will block any emails containing password protected zip files

6. Block files with VBA macros On/Off – If this is set to on the filter will block any email containing office files with macros

7. BMA On/Off – Please see the section on BMA – Enhanced Malware Analyzer for more information

8. Ignored BMA rules – Tick the box for any rule in the current BMA set that you want to ignore for your email flow


Inbound Delivery settings

This is where you configure the server and port to use for the delivery of clean inbound emails to your server.

1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect emails in the hold queue as well)

2. Audit logs

3. Delivery settings

3.1. Delivery server - The hostname or IP address that we should deliver your emails to (Note: we recommend always using a hostname if possible)

3.2. Delivery port - The port which we should deliver emails over, 25 is the default for SMTP but we can do delivery over any port you specify

3.3. This will allow you to test the connectivity with your server


Inbound Routing settings

This allows for third party integration with other services (for example, but not limited to, encryption services). The details of this is covered in a separate chapter of this guide.

1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect emails in the hold que as well)

2. Delete settings - This will clear all routing configuration, this can take up to 20 minutes to take full effect (Note: changes here will affect emails in the hold que as well)

3. Audit logs

4. Routing settings

4.1. Routing server - The hostname or IP address that we should reroute the emails to (Note: we recommend always using a hostname if possible)

4.2. Delivery port - The port which we should route the emails over

4.3. Enable relay On/Off - This defines if the routing rule is enabled or not

4.4. Relay smime only - If set to On only emails encrypted with smime will be sent over the relay route

4.5. Enable archive - If set to On an additional copy of the email will be stored after it is sent back to us from the external party (Note: this requires the domain to have archiving enabled)


Inbound Force TLS settings

This allows you to set the default TLS behavior for your inbound traffic, and to add exceptions to that behavior

1. Add exceptions - This allows you to add sender and/or recipient exceptions (more info below)


3. Delete settings - This will remove all exceptions that are marked in section 6 (Note: Delete is only visible if you have one or more exception selected)

4. Audit logs

5. Default setting - This is the default setting for the domain, if set to Off (Note: this is the recommended setting) all inbound emails will use Opportunistic TLS except for the exceptions defined which will use Force TLS. If set to On all inbound emails will have Force TLS except for the exceptions which will use Opportunistic TLS.

6. Exceptions

6.1. Senders - This will list exceptions based on the sending address/domain

6.2. Recipients - This will list exceptions based on the recipient address/domain

6.3. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Senders - select Senders exceptions only


Recipients - select Recipients exceptions only

6.4. Each exception will have a selection box to allow for deletion

6.5. This will list the exceptions


Inbound Force TLS settings – Add exceptions

1. Sender exceptions - Enter any sending domains and/or addresses that should be an exception to the default TLS setting (Note: separate multiple entries with comma, tab, newline or semi-colon)

2. Recipient exceptions - Enter any recipient addresses that should be an exception to the default TLS setting (Note: separate multiple entries with comma, tab, newline or semi-colon)

3. Close without saving

4. Add the exceptions to your TLS configuration


Inbound Rewrite settings

This will allow you to rewrite the recipient for specific inbound emails

1. Add a new rule - More info below

2. Delete - This will delete the rules that are marked in section 4 (Note: Delete is only visible if you have one or more rules selected)

3. Audit logs

4. Rules - This will list the rules that you have configured

4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection

4.2. Each rule will have a selection box to allow for deletion

4.3. This will list the sender value for the rule 4.4. This will list the recipient value of the rule 4.5. This will list the rewritten recipient value 4.6. This will state if the original is discarded (i.e. If the email is rerouted to the new recipient or if a copy is made)

4.7. This will list the priority of the rule (rules with lower priority has precedence over rules with higher priority)

4.8. This allows you to edit a rule


Inbound Rewrite settings – Add rule

This will allow you to have the scanning service to insert custom headers on inbound emails

1. Sender(s) – Add one or more senders (addresses and/or domains) that the rule should be active for

2. Recipient(s) - Add one or more recipient addresses that the rule should be active for (Note: Leave this empty if you want the rule to be valid for the whole domain)

3. New recipient(s) - Add one or more recipient addresses and/or domains that the email should be rerouted to (Note: The recipients need to be on one of the domains on your account). If domains are entered here the address part of the recipient will stay the same and only the domain part will be rewritten

4. Discard original email – Checking this box will create a reroute rule (the original recipient will not receive the email) and leaving this box unchecked will create copies of the email to the new recipient(s) but still deliver the email to the original recipient

5. Close the window without saving changes

6. Add the rule to your rewrite configuration


Inbound Header settings


1. Add a new header – More info below

2. Delete – This will delete the header inserts that are marked in section 4 (Note: Delete is only visible if you have one or more header insert selected)

3. Audit logs

4. Header inserts – This will list the Headers inserts that you have configured


4.2. This will list the Header key to be inserted 4.3. This will list the value to be inserted for the Header key 4.4. Each Header insert will have a selection box to allow for deletion

1. Key – Enter the key to be added to the header

2. Value – Enter the value to be added for the specified key


4. Save the setting


Inbound Header filters


1. Add a new header filter – More info below

2. Delete – This will delete the header inserts that are marked in section 4 (Note: Delete is only visible if you have one or more header filter selected)

3. Audit logs

4. Header filters – This will list the Headers filters that you have configured


4.2. This will list the Header key to be filtered 4.3. This will list the value to be filtered for the Header key 4.4. This will list the action of the filter 4.5. Each Header insert will have a selection box to allow for deletion


Inbound Header filters – Add filter

1. Action – Select the action the filter should take if an email matches the criteria, the options are:

Spam Quarantine – This classifies the email as spam and allows the end user to release it Admin Quarantine – This puts the email in the admin quarantine and only allows admins to release it

2. Key – Enter the key to be filtered

3. Value – Enter the value required for the header field to trigger the filter, if this is left empty any email that contains the specified header will trigger the filter


5. Save the setting


Inbound Notification settings

Here you can configure in which cases the user on your end should be notified when the filter blocks an email addressed to the user.


2. Audit logs

3. Quarantined by BMA – This will generate a notification whenever an email is put into quarantine by BMA

4. Blocked by BMA – This will generate a notification whenever an email is blocked by BMA

5. Blocked by File extension - This will generate a notification whenever an email is blocked due to containing files listed under Lists → File extensions

6. Blocked by Nested Zip - This will generate a notification whenever an email is blocked due to nested zips being blocked under Antivirus settings

7. Blocked by Encrypted Zip Files - This will generate a notification whenever an email is blocked due to encrypted zip files being blocked under Antivirus settings

8. Blocked by Containing macro - This will generate a notification whenever an email is blocked due to VBA macros being blocked under Antivirus settings

9. Blocked by Header filter – This will generate a notification whenever an email is quarantined due to inbound header filters

10. Blocked by RBL - This will send a notification whenever an email is blocked because the sending IP is blacklisted

11. Blocked by Country - This will generate a notification whenever an email is blocked because the sending country has been blacklisted under Lists → Countries

12. Blocked by IP - This will generate a notification whenever an email is blocked because the sending IP has been blocked under Lists → IP

13. Blocked Antivirus - This will generate a notification whenever an email is blocked by the antivirus scanning


Outbound User settings

SMTP authentication is one of the options to authenticate your outbound traffic through the WeCloud scanning (this is suitable if you want the end-users to send emails through WeCloud directly from their email clients or if you for example have a dynamic IP and still want to be able to send your emails out via the service. Please note that this feature requires the communication to be protected by TLS and to use port 587.

1. Add user – More info below

2. Delete – This will delete the users that are marked in section 4 (Note: Delete is only visible if you have one or more users selected)

3. Audit logs

4. Users


4.2. This will list the users, domain users will be marked with a * (Note: A domain user is a user/password combination that can authenticate email traffic for the whole domain)

4.3. This will allow you to send a new password to a user

4.4. Each user will have a selection box to allow for deletion


Outbound User settings – Add user

1. User entries – Enter the user(s) that should be created, separate multiple entries by using comma, tab, newline or semi-colon (Note: all users must be in the form of an email address and the domain part needs to match the currently selected domain)

2. Notify user – If this is checked an email will be sent to the created user(s) with their password, if this is unchecked the password will instead be showed on screen when the user is created

3. Domain user – If this is checked the user(s) will be allowed to authorize emails for the whole domain (this is used when the authentication is setup on server level, if this is unchecked the user(s) created will only be allowed to authorize emails sent from their own address (this is used when the authentication is setup on the end-user level


5. Save the settings


Outbound IP settings

IP authentication is the preferred option to authenticate your outbound traffic in the WeCloud scanning. Please note that this authentication method should only be used if you have a static IP

1. Add IP – More info below

2. Delete – This will delete the IPs that are marked in section 4 (Note: Delete is only visible if you have one or more IPs selected)

3. Audit logs

4. IPs


4.2. This will list the IPs

4.3. Each IP will have a selection box to allow for deletion


Outbound IP settings – Add IP

1. Entries – Enter the IPs to be added, multiple entries should be separated by comma, tab, newline or semi-colon


3. Add my IP – Add the IP that you are currently accessing the interface from to the Entries

4. Save the settings


Outbound Routing settings

This allows for third party integration with other services (for example, but not limited to, encryption services). The details of this is covered in a separate chapter of this guide.

1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect emails in the hold que as well)

2. Delete settings - This will clear all routing configuration, this can take up to 20 minutes to take full effect (Note: changes here will affect emails in the hold que as well)

3. Audit logs

4. Routing settings

4.1. Routing server - The hostname or IP address that we should reroute the emails to (Note: we recommend always using a hostname if possible)

4.2. Delivery port - The port which we should route the emails over

4.3. Enable relay On/Off - This defines if the routing rule is enabled or not

4.4. Enable archive - If set to On an additional copy of the email will be stored after it is sent back to us from the external party (Note: this requires the domain to have archiving enabled)


Outbound Header settings

This will allow you to have the scanning service to insert custom headers on outbound emails

1. Add a new header – More info below

2. Delete – This will delete the header inserts that are marked in section 4 (Note: Delete is only visible if you have one or more header insert selected)

3. Audit logs

4. Header inserts – This will list the Headers inserts that you have configured


4.2. This will list the Header key to be inserted 4.3. This will list the value to be inserted for the Header key 4.4. Each Header insert will have a selection box to allow for deletion

1. Key – Enter the key to be added to the header

2. Value – Enter the value to be added for the specified key


4. Save the setting


Outbound Notification settings

Here you can configure in which cases the system should notify either an end user or an auditor when an email is blocked in the outbound scanning (Please see the Outbound Notification Appendix for a sample of the notification email)


2. Audit logs

3. Blocked by Antispam – This defines the notification setting if the outbound spam filter detects a suspected spam

4. Blocked by Antivirus – This defines the notification setting if the outbound antivirus filter detects a virus

5. Blocked by File extension – This defines the notification setting if an outbound email contains a prohibited filetype (as listed under Outbound -> File extensions)

6. Blocked by Recipient block – This defines the notification if an outbound email is sent to a blocked recipient (as listed under Outbound -> Block recipient)

7. Auditor email – An address listed here will receive notifications for blocked emails where the action is set to Auditor

8. Action - This is where you can set the notification action for blocked outbound emails, the options are: User – This will notify the sender of the blocked outbound email Auditor – This will notify the auditor when an outbound email is blocked Off – This will turn off the notifications when an outbound email is blocked (Note: No NDR will be sent to the sender if an outbound email is blocked)


Outbound File extension settings

Here you can configure what filetypes are not allowed in your outbound email flow

1. Add – More info below

2. Delete – This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected)

3. Audit logs

4. Total amount of entries

5. Entries


5.2. This lists the file extensions that will cause a block

5.3. Each entry will have a selection box to allow for deletion


Outbound File extension settings - Add

1. Add file block – This dropdown will give you access to different default groupings of file extensions, the options are: Programs – This is a collection of executable files Scripts – This is a collection of script files Shortcuts – This is a collection of shortcut files Others – This is a collection of other files you might wish to block Microsoft Office – This is a collection of office files All – This includes all the predefined file sets above

2. Entries – This is where you can add entries to block, multiple entries should be separated by comma, tab, newline or semi-colon


4. Save the entries


Outbound Block recipient settings

Outbound emails where one or more of the recipient addresses or domains are listed here will be blocked by the outbound scanning



3. Search box – Use this to search for entries, the search result will show while you type (Note: You do not have to write complete addresses or domains when searching)

4. Audit logs


6. Entries

6.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Domains - selects all domains Emails - selects all email addresses

6.2. This lists the addresses and/or domains in your whitelist



Archiving Settings This will show the settings configured by WeCloud for your archive. These settings require an additional license and can only be changed by WeCloud.


Lists Settings – Whitelist Any sending addresses or domains listed here will bypass the antispam engines but not any other policies or filters (Please see the section on Bypasses and Whitelists for more info). Please note that the system looks at the Envelope sender and that this might not be the same as the sender shown to the recipient in some cases

1. Add – Use this to add entries to the whitelist



4. Audit logs


6. Entries


6.2. This lists the addresses and/or domains in your whitelist

6.3. This shows the date and time that the entry was created



Lists Settings – Blacklist

Any sending addresses or domains listed here will be blocked by the system. Please note that the system looks at the Envelope sender and that this might not be the same as the sender shown to the recipient in some cases

1. Add – Use this to add entries to the blacklist



4. Audit logs


6. Entries


6.2. This lists the addresses and/or domains in your blacklist

6.3. This shows the date and time that the entry was created



Lists Settings - Countries

This will allow you to set default actions based on the Geo-IP mapping done for all sending IPs for inbound emails.



3. Audit logs


5. Entries

5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Whitelisted - selects all whitelist entries Quarantined - selects all quarantine entries Blacklisted – selects all blacklist entries

5.2. This lists the countries you have set default actions for

5.3. This shows the action for the listed countries

5.4. This allows you to edit the default action for the listed countries



Lists Settings – Countries – Add entry

1. Country – Use the dropdown to select the country that you want to create a default action for

2. Action – Use the dropdown to select the action for emails from servers in the selected country, the options are: Whitelist – Don't spam scan emails from the selected country Blacklist – Block all emails from the selected country Quarantine – Quarantine all emails from the selected country


4. Save the entry


Lists Settings – File extensions

This will allow you to block emails containing specific files



3. Audit logs


5. Entries


5.2. This lists the file extensions that will cause a block



Lists Settings – File extensions - Add

5. Add file block – This dropdown will give you access to different default groupings of file extensions, the options are: Programs – This is a collection of executable files Scripts – This is a collection of script files Shortcuts – This is a collection of shortcut files Others – This is a collection of other files you might wish to block Office – This is a collection of office files All – This will include all the predefined file sets above

6. Entries – This is where you can add entries to block, multiple entries should be separated by comma, tab, newline or semi-colon


8. Save the entries


Lists Settings - IP

This will allow you to blacklist or whitelist IP addresses or ranges



3. Audit logs


5. Entries

5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Whitelisted – selects all whitelist entries Blacklisted – selects all blacklist entries

5.2. This lists the IPs

5.3. This will show if the IP is whitelisted or blacklisted



Lists Settings – IP - Add

1. Action – Use the dropdown to select if the IPs should be blacklisted or whitelisted

2. Entries – Enter the IP addresses and/or IP ranges to add to the list, multiple entries should be separated by comma, tab, newline or semi-colon. (Note: ranges can be entered with either CIDR or by entering start-end IPs)


4. Save the entries


Lists Settings – Bypass

This will allow you to allow senders to bypass selected engines (please see the section on Bypasses and Whitelists for more info)

1. Add – Use this to add entries to the bypass list (more info below)


3. Audit logs


5. Entries

5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Antivirus – selects all antivirus bypasses BMA – selects all BMA bypasses File Extension – selects all file extension bypasses Domains – selects all listed domains Emails – selects all listed email addresses

5.2. This lists the addresses and/or domains

5.3. This lists the type of bypass



Lists Settings – Bypass - Add

1. Action – Use the dropdown to select the engine to bypass

2. Entries – Enter the addresses and/or domains to add to the list, multiple entries should be separated by comma, tab, newline or semi-colon.


4. Save the entries


Lists Settings – Domain Protection

This will allow you add Domain Protection to specific domains (see separate chapter on Domain Protection for more details)

1. Add – Use this to add entries to the domain protection list


3. Audit logs


5. Entries


5.2. This lists the domains



Diagnostics

This will allow you to run a simple diagnostics of your email configuration

1. Run – This will initiate the test

2. MX Record Check – This will check the MX Records you have configured for the domain

2.1. Result of the test

2.2. This will show your configured MX Records

3. Delivery check – This will test the connectivity to your server

3.1. Result of the test

3.2. This will list the server and port you have configured under your inbound settings

3.3. This will show a transcript of the communication test with your server


User Settings

This will allow you to manage the administrators and user profiles for your account

1. User control

1.1. Add new user – More info below

1.2. This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected)

1.3. This will remove the disable status on any entries that are marked in section 5 (Note: Enable is only visible if you have one or more entries selected)

1.4. This will disable the entries that are marked in section 5 (Note: Disable is only visible if you have one or more entries selected)

2. Search box – Use this to search for entries, the search result will show while you type

3. Audit logs


5. Entries (Note: any disabled user will be marked with a strike through)


5.2. This will list the name of the users

5.3. This will list the type of the user (Note: If the type is marked with a * the user also has a User Profile enabled)

5.4. This will list the email address of the user (Note: The email address is also the user name)

5.5. This will list the time and date of creation for the user

5.6. This will allow you to edit the settings for the user

5.7. Each entry will have a selection box to allow for deletion and enable/disable


User Settings – Add User

1. Firstname

2. Lastname

3. Email address – This will also be the username

4. Read-only – Setting this to On will render the user unable to change anything in the interface, the user will also be unable to access other users quarantine zones via the Token Manager (Note: This needs to be combined with one or more of the user rights in sections 5-7)

5. User profile – Setting this to On will allow the user to have their settings separated from the domain settings (Note: This also means that the user will not get any changes to the settings made on domain level)

6. Domain admin – Setting this to On will allow you to select one or more of your domains that this user will get access to (Note: This type of user will not automatically get access to new domains that you add to the account)

7. Company admin – Setting this to On will give the user access to all domains on your account (Note: This will automatically give the user access to new domains that are added to your account as well)

8. Notify user – Setting this to On will send an email with the login credentials to the user when created, setting this to Off will instead show the credentials on screen when the user is created (Note: We highly recommend setting this to Off and then ask the user to use the Forgot Password function on the login page so that no credentials are sent via email)


10. Save the entries


True Users settings

This will allow you to specify what email addresses are valid for your domain (Note: If you specify addresses here WeCloud will only accept emails for those addresses, emails to any other recipients will be rejected)

1. Add – Add one or more addresses to your list of true users


3. Search box – Use this to search for entries, the search result will show while you type

4. Audit logs

5. Entries


5.2. This will list the email addresses registered as true users



Token Manager

Any user that receive a QMS report will automatically be created as a token user. The Token Manager allows an admin to login to the personal quarantine as the selected user in order to manage their quarantine and (if activated in the QMS settings) their black/whitelists

1. This will list all users created by the QMS system

2. This allows the administrator to login as the selected user – This is not available to read only administrators (Note: The login will open a separate tab so the administrator will not be logged out from the administrator interface)


Interface Settings - Customize

This will allow you to specify account wide customizations to the different emails generated by the system


2. Audit logs

3. Name for system mail sender – This defines the name of the sender of system mails to your users

4. Sending address for system mails – This defines the sending address for system mails to your users (Note: This only changes the From: header and not the envelope-sender)

5. Name for notification mail sender – This defines the name of the sender of notification mails to your users

6. Sending address for notification mails – This defines the sending address for notification mails to your users (Note: This only changes the From: header and not the envelope-sender)

7. Name for QMS mail sender – This defines the name of the sender of QMS mails to your users

8. Sending address for QMS mails – This defines the sending address for QMS mails to your users (Note: This only changes the From: header and not the envelope-sender)


Interface Settings - Options

This will allow you to specify the settings for the interface and the emails generated by the system to your users


2. Audit logs

3. Time zone – Use the dropdown to select the time zone for your domain (Note: This will control the timestamps in you logs and the time of day that your QMS reports are sent out)

4. Default domain – Use the dropdown to select what domain should be the default selected domain when you log into your account

5. Notify/QMS Language – Use the dropdown to select the language for emails generated by the system to your users


Interface Settings – Login restrictions

This will allow you to restrict logins to the interface to specific IPs. Please be aware that this setting is account wide and affects all admin users. Note: These restrictions do not restrict your partner or WeCloud from accessing your account.

Please be aware that if you enable this option with incorrect IP addresses you will not be able to login and change these settings, use with caution.

1. Add IP – Add IPs to the list


3. Audit logs

4. Entries


4.2. This will list the IP addresses registered



Interface Settings – OTP SMS

This will allow you to enable 2-factor authentication for your admin user. Note: This could render your partner unable to access your account. WeCloud, however, will always be able to access your account

1. Add IP – Add IPs to the list

2. Audit logs

3. Mobile – Enter the cell phone number to be used for 2-factor authentication


Company Profile settings

By activating the Company Profile you can easily manage the settings for multiple of your domains by changing a single profile. If company Profile is activated a new option "Company Profile" becomes available in the domain selector and all changes of settings on the specified slave domains will be deactivated. Please note that all settings on the slave domains will be overridden when the Company Profile is activated.

The Company Profile controls the following settings for its slave domains: Antispam > All settings QMS > All settings Antivirus > all settings Inbound > Delivery, Routing, Inbound headers, Notifications Outbound > IP, Routing, Outbound headers, Notifications, File extensions, Block recipient Archive > All settings Lists > All settings Interface > All settings

1. Enable – This will enable the company profile according to your settings (Note: When you have a company profile active this will instead read Edit and allow you to change your settings to the profile)

2. Source domain – Use the dropdown to select the source domain that the settings for the profile will be copied from (Note: even though only some settings are controlled by the profile, all settings will be copied from it and used as a foundation on any domain that you include in the profile)

3. Slave domain(s) – This will allow you to select which domains your company profile should take control of (Note: All settings on these domains will be overwritten by the company profile settings)

4. Master domain – The master domain selected in section 2 will automatically be selected


WeCloud 3rd party routing

With WeClouds 3rd party routing function it is easy to combine WeClouds email scanning with a wide range of 3rd party products (for example for encrypting/decrypting emails). The WeCloud service can easily be configured to route inbound and/or outbound emails via a 3rd party product before they are sent to the recipient (see next page for a traffic overview). The routing settings are located in Settings → Inbound → Routing, for inbound routing, and Settings → Outbound → Routing, for outbound routing.

1. Save the current routing configuration (Please note that it can take up to 20 minutes for the

changes to become active) 2. Delete the current routing configuration (Please note that it can take up to 20 minutes for

the changes to become active) 3. Audit logs to track the changes to the routing configuration 4. The hostname or the IP of the server that emails should be routed to 5. The target port that the emails should be routed to 6. Enable or disable the routing configuration 7. Enable or disable Smime only routing. When set to off all emails are sent via the route,

when set to on only emails encrypted with smime are sent via the route (Note: This is for inbound routing only)

8. Enable or disable archiving. When set to off emails are only archived before the routing takes place, when set to off emails are archived both before and after routing. (Please note that this requires a subscription to WeCloud Archiving feature)


WeCloud 3rd party routing - Traffic overview


Heuristic Phishing Protection

You might have seen one or more emails blocked by WeCloud's Anti-Virus engine with the following explanation: Contains virus: Heuristics.Phishing.Email.SpoofedDomain Since the description might be a bit cryptic this document will breakdown what this means and how this part of the protection works. In our systems we have a number of domains listed as protected. These are domains that are frequently abused on a global scale when it comes to Phishing attempts. In this specific case I'll use americanexpress.com as an example. So, let's say that an email circulates where the content looks as follows.

Of course American Express wouldn't send an email like this out, but the scammers know that many unaware end-users might actually follow the link believing that the communication is from American Express. A mouse-over shows that the link doesn't go to the correct website at all.


In this case a spam filter might have problems with this type of email if the following applies: 1. The sending address isn't spoofed (the spoof is only in the From: Header) 2. The sending IP isn't blacklisted 3. The true target link isn't classified as bad (the website isn't known as hacked or perhaps a Google form is used) 4. The content is too generic to be classified as spam or too new to have been seen before by the filter Whenever a protected domain is visible in the link WeCloud will check the visible domain with the actual domain that the link leads to, in order to check if this is a scam or not. To illustrate this a simplified version of a hyperlink is shown below.

1. This is the link that is visible to the end-user 2. This is the actual target of the link If part 1 above contains a domain protected by WeCloud's Phishing engine, the filter will check and make sure that the same domain is the target in part 2. If these two do not match then the filter will block the email with the reason ”Contains virus: Heuristics.Phishing.Email.SpoofedDomain” Please note that this is only in effect for the domains identified as protected and not for all hyperlinks.


BMA – Enhanced Malware Analyzer

The WeCloud BMA Engine is a central collection of rules that look for suspicious patterns in the email flow. The ruleset is regularly updated by WeCloud and no maintenance is needed from our customers. Depending on the BMA rule that catches an email one of two things will happen: BMA Block – This means that the email will be blocked and made available for preview and/or release via the Admin Quarantine BMA Quarantine – Emails in the BMA Quarantine are scanned once every hour with multiple AV engines (at the time of writing the total is 10 AV engines) to check if the AV vendors signature databases see the content as malware. If no AV vendor has triggered on the email for 24 hours it will automatically be released and sent to the recipient. If, however, one or more AV vendors see this as a malware during the 24 hour period the email will be blocked as malware. Emails are available for preview and/or release from the Admin Quarantine during this 24 hour period. The current set of BMA rules can be seen (and controlled) under the Antivirus settings, please see the Appendix on BMA rules for a clarification the current ruleset.


BMA – Enhanced Malware Analyzer ruleset

Below is a description of the current ruleset for BMA – Enhanced Malware Analyzer Note: This is the ruleset as of release of version 17.05 of WeCloud email security and is subject to constant change. bma-600-001-malware Subject: package | order | payment | credit, JS, and zip mime This rule will block any email where the subject contains any of the following phrases: package, order, payment or credit. And where the email contains bot a zip file and a js file (the js file could be located within the zip archive) bma-800-001 Windows executable This rule will quarantine any email that contains windows executable files bma-800-002 Script files This rule will quarantine any email that contains script files bma-800-003 Windows powershell files This rule will quarantine any email that contains windows powershell files bma-800-005 Windows shortcut files This rule will quarantine any email that contains windows shortcut files bma-800-005 Microsoft Office Macro This rule will quarantine any email that contains office macro files (f.ex. docm, xlsm and so forth) bma-800-006 Nested Zips This rule will quarantine any email that contains nested zip files (zips within zips) bma-800-007 Legacy Microsoft Office files containing macro This will quarantine any email that contains legacy office files (f.ex. doc, xls and so forth) that contain macros


Domain Protection – Extended Sender

Verification During the last year the scam type known as CEO-scams has increased tremendously. A CEO scam typically targets key persons in your organization and try to get them to deposit money in a bank account on order of the CEO (or equivalent). In order to bypass SPF Records and other means of protection from frauds and domain abuses the sender usually only fakes the sender information shown to the recipient via the email client (the from: header) and not the real sender (which is the only part protected by SPF), this combined with the fact that these emails are generally tailormade and sent in really small batches has proven to be a problem for email scanning solutions. WeClouds answer to this is the feature Domain Protection. Domain Protection is an extended sender verification that allows an organization to define a set of domains that should be protected by SPF even when they are only present in the from: header. For any domain added to the Domain Protection list WeCloud will treat the email as if the sending domain in the from: header was the envelope sending domain and apply the domains SPF Record to the email. If the emails fails the SPF check (a SPF Hardfail Record is required) the email will be blocked and made available to the administrator via the Admin Quarantine.


Effect of Bypasses and Whitelists

There are four different types of bypasses or whitelists that can be setup in the WeCloud interface (all of them are available under Settings → Lists). Below is a brief on the different types, how they work and what filters they bypass. Note: in the WeCloud system a whitelist always wins over a blacklist, so if you for example have blacklisted the domain example.com and whitelisted [email protected] this will mean that emails from [email protected] will get through the filter while any other emails from the domain example.com will be blocked. Address/Domain Whitelist Senders listed here will bypass any filters defined under Settings → Antispam and also the Domain Protection filter defined under Settings → Lists → Domain Protection Country Whitelist Sending servers residing in countries whitelisted will bypass any filters defined under Settings → Antispam and also the Domain Protection filter defined under Settings → Lists → Domain Protection IP Whitelist Sending IPs whitelisted will bypass any filters defined under Settings → Antispam and also the Domain Protection filter defined under Settings → Lists → Domain Protection Bypass Senders listed here will bypass any of the engines that they are listed for: Antivirus – This will bypass any filter defined under Settings -> Antivirus except for BMA Bma – This will bypass any BMA rule defined under Settings -> Antivirus File Extension – This will bypass any rules for file extensions defined under Settings -> Lists -> File extensions




Reporting missed spam

To help improve the spam filter you can send us any missed spam to our feedback address. [email protected] In order for WeCloud to get all the data needed we will need to get the spam sample as an attachment in the original format (either .eml or .msg). Do not send us internally forwarded emails since that might cause information related to your company (logos, URLs and similar) to be classified as spam. Outlook users can easily drag and drop the spam sample from their inbox to a new email to attach the original. Please note that no responses will be sent from WeCloud when spam samples are submitted. If a response to your submit is required, please add [email protected] as a copy on your submit.

Reporting false positives

If the spam filter quarantines an email in error the email can be released by the end user via the QMS report or by the administrator via the web interface. As the email is released a copy of the email will automatically be used to train the filter. If similar emails keep being quarantined in spite of the automatic training a similar process as the one described above for reporting spam can be used to report the false positive. The address to send the sample to for this is: [email protected] Please note that no responses will be sent from WeCloud when spam samples are submitted. If a response to your submit is required, please add [email protected] as a copy on your submit.






How To: Configure Outbound scanning

All the configuration needed for WeCloud’s servers to accept your outbound emails can be done under the Outbound settings in the interface, please note though that you might need to contact WeCloud support to get the correct hostname to send outbound emails through if you haven’t received that previously in your WeCloud documentation. Allowed domains: WeCloud only allows domains registered on your account to send emails out through the system (please note that subdomains need to be registered as well). For all outbound emails WeCloud will do a check to see if the IP/user is registered for outbound for the sending domain and if not WeCloud’s servers will not allow the email to be sent. If you need to add more domains to your account (for example subdomains) please notify either WeCloud support or your WeCloud partner. Ports: WeCloud accepts outbound emails on the following ports: 25 – this can only be used for IP based authentication 587 – this port can be used for both IP based authentication and for user/passw based authentication TLS WeCloud uses opportunistic TLS for outbound emails. This means that we will always offer STARTTLS to your sending server and we will always use STARTTLS if offered by the recipient server. Please contact WeCloud support if you need to force TLS on outbound traffic. User/Passw based authentication User/passw authenticated outbound traffic is only allowed on port 587 and over TLS


Outbound spam filter

WeCloud scans the content of all outbound emails and searches for spam classified content (links, images and similar). This is done to protect the reputation of WeCloud’s outbound IPs and the reputation of our clients. If the outbound spam filter blocks one of your emails it is made available in the Outbound Quarantine, and, if configured, a notification is sent to either the sender of the email or to an auditor In the quarantine the reasons for the block are listed and the email can be released to the original recipient(s). In the case of a notification being sent to either the sender or to an auditor a link is also provided where the email can be previewed and released Any email released from the outbound quarantine will automatically be submitted to the system for training to prevent further false blocks.


Outbound notification

If the settings under Outbound -> Notifications has been set to notify Users or an Auditor when an outbound email is blocked WeCloud will send a notification like the one below whenever an email is blocked in the outbound traffic.

The sending address and the subject can be altered under Settings -> Interface. Please note that the preview and release link might not always be present (depending on what engine blocked the email)


Power of Attorney for Management & Access

In order for WeCloud support to access and/or change your specific settings and logs you will need to provide a signed Power of Attorney for Management & Access document. If you haven't received a copy of this from your WeCloud contact feel free to contact WeCloud support in order to set up a document for this.

This routine has been implemented to ensure that no one except for your pre-defined list of contacts can have WeCloud support perform any changes or log extracts and similar for your account.


FAQ

Why was an email addressed to me quarantined as spam? The reason for an email being quarantined is listed under the section Explanation when accessing the preview of the email

Emails keep getting quarantined as spam even though I release them, what should I do? Follow the step described earlier in this guide to report the email as a false positive to the WeCloud feedback team

When I reply to an email my reply gets blocked as spam, why and what should I do? In most cases all you need to do is to release the blocked email and the system will learn that this was not (as suspected) a spam. If this doesn't help please contact WeCloud support for assistance

We have an SPF Record but we still get scam emails that seem to be sent from ourselves, why? In most cases the sender has only spoofed the from: header (this is just a header telling your email client what sender to show) which isn't protected by SPF. Look at what sending address is shown in the WeCloud interface (this is the ”real” sender). If the WeCloud interface shows your domain as the sender it is a proper spoof and should be protected by SPF. Please make sure the following apply: - you haven't whitelisted your own domain- your SPF record is correct- you are either using a hardfail in your SPF record, or you are using a softfail and haveactivated the Quarantine SPF Softfail functionIf the WeCloud interface does not show your domain as the sender this is a spoof of thefrom: header, you can protect your organization from these scams by using our DomainProtection feature.

Your web interface only allows for inbound force TLS and we need to force TLS for outbound emails as well, how can we do that? Please contact WeCloud support and they can help you activate forced TLS for outbound emails

The outbound spam filter is causing us too much issues, is there a way to deactivate it for us? Please contact your WeCloud account manager, or WeCloud support for assistance.

I get an error when I try to use the links in the QMS report, why? The login tokens utilized by the QMS change every time a new report is sent out so you'll need to use the links in the latest report. If you don't have the latest report at hand you can either request a new QMS Token via the error page the old link takes you to, or you can request a new Token via the administrator login portal.


Outbound scanning - Exchange

This will give a brief description on how to configure an Exchange server to send outbound emails via WeCloud Email Security, for information on what WeCloud hostnames to use please see the appendix on outbound hostnames.

These instructions apply to Exchange server 2007+

Note: Before performing the steps described below you’ll need to add your outbound IPs to your domains in the WeCloud interface, and you’ll need to make sure that your server is properly configured not to generate backscatter. Please see Activate WeCloud Email Security PDF for more info

1. You can find your Send Connectors in the EMC by going to Organization Configuration -> HubTransport -> Send Connectors

2. Either disable your current default Send Connector and create a new Connector, or edit yourcurrent default Send Connector according to the following instructions:Introduction pageIntended use for this connector: CustomAddress space pageAddress space: *Cost: 1 (unless you intend to use several send connectors for granular control, then it should be setto 2 and the granular connectors to 1)Network settings pageRoute all mail through the following smart hosts: Add the appropriate host from the Outboundhostnames appendix (if the address space was set to * the appropriate host is the regularoutbound host)Smart host security settings: None

3. After you’ve created your new Send Connector(s) you’ll need to restart the Exchange TransportService for them to have effect.

4. To enforce TLS encryption between your server and WeCloud please see the following on how touse Exchange PowerShell to enforce TLS on a Send Connector:https://technet.microsoft.com/en-us/library/aa998294(v=exchg.160).aspx

For more information on Send Connectors please see: https://technet.microsoft.com/en-us/library/aa998662(v=exchg.80).aspx https://technet.microsoft.com/en-us/library/aa998814(v=exchg.80).aspx

https://technet.microsoft.com/en-us/library/aa998294(v=exchg.160).aspx




Outbound scanning – Lotus Notes

For Lotus Notes servers please follow the following steps to configure outbound scanning.


1. Open your server’s Address Book

2. Go to Server -> Domain and select to Add Domain

3. Under Basics select Foreign SMT Domain as your Domain Type

4. Messages Addressed to should contain “*”

5. Should be Routed to should contain the appropriate regular outbound host found in theoutbound hostnames appendix)

For more information please see: https://www.ibm.com/support/knowledgecenter/en/SSKTMJ_8.5.3/com.ibm.help.domino.admin85.doc/H_CREATING_A_FOREIGN_SMTP_DOMAIN_DOCUMENT_STEPS.html

Outbound scanning – Sendmail

For Sendmail servers please follow the following steps to configure outbound scanning.


Sendmail uses AFAIR DS to set outbound scanning. This is configured by adding a new line to your sendmail.cf file, looking like this: DSrelay-hostname For example, a Swedish customer would add “DSse-out.mx-wecloud.net” Note: The configuration needs to be added on a new separate line and no other lines in the configuration file can use AFAIR DS

https://www.ibm.com/support/knowledgecenter/en/SSKTMJ_8.5.3/com.ibm.help.domino.admin85.doc/H_CREATING_A_FOREIGN_SMTP_DOMAIN_DOCUMENT_STEPS.html

https://www.ibm.com/support/knowledgecenter/en/SSKTMJ_8.5.3/com.ibm.help.domino.admin85.doc/H_CREATING_A_FOREIGN_SMTP_DOMAIN_DOCUMENT_STEPS.html


Outbound scanning – Office365

For Office365 please follow the following steps to configure outbound scanning.

Note: The option to apply outbound scanning for emails sent from Office365 is currently only available on the Scandinavian cloud

1. Add the following IPs in your WeCloud account under Settings -> Outbound -> IP (this needs tobe done for all domains you will send emails from):89.221.255.389.221.255.28

2. If you are using SPF for your domains make sure to add the following to your SPF Records:include:spf.mx-wecloud.net

3. In your Exchange Admin center go to mail flow -> Connectors and add a connector

4. Mail Flow Scenario should be From: Office 365 To: Partner organization

5. Give the connector a name and a description, also select if this connector should be activatedwhen saved

6. Select “Only when email messages are sent to these domains” and add “*” to the list

7. Select “Route email through these smart hosts” and add the appropriate Office365 host found inthe outbound hostnames appendix

8. Check the box to always use TLS, select “Issued by a trusted certificate authority (CA)” and checkthe box to match certificate subject. In the domain name box enter:*.mx-wecloud.net

Office 365 will allow you to send a test email using the Connector to ensure that all works as intended before the configuration is saved

Weloud Email Security Administrator's Guidewiki.cloudservices.no/lib/exe/fetch.php/no:... · Date:...

Documents

Transcript of Weloud Email Security Administrator's Guidewiki.cloudservices.no/lib/exe/fetch.php/no:... · Date:...