
General order of evaluating emails for Hosted Email Security (HES)

    • Updated: 4 Feb 2021
    • Product/Version: Hosted Email Security
    • Platform: N/A
Summary

Hosted Email Security (HES) evaluates each email that passes through its servers in a fixed order.

Details

Sender Filter Order of Evaluation

Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.

Evaluation is done in the following order:

  1. End User Quarantine console blocked sender list
  2. Administrator console blocked sender list
  3. End User Quarantine console approved sender list
  4. Administrator console approved sender list
 
Approved senders added to the End User Quarantine console will not override the blocked senders for the same email address or domain in the administrator console. For example, assume that *@example.com is in the blocked sender list of the administrator console, and john@example.com is in the approved sender list in the End User Quarantine console for an end user. Messages from john@example.com will still be blocked.
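The first-match order above can be modeled in a few lines. This is an added example, not Trend Micro code: the list names, the `*@domain` matching rule and the sample entries are assumptions built from the example in the preceding paragraph.

```python
# Order taken from the list above; evaluation stops at the first match.
ORDER = [
    ("End User Quarantine blocked", "block"),
    ("Administrator blocked", "block"),
    ("End User Quarantine approved", "approve"),
    ("Administrator approved", "approve"),
]

def entry_matches(entry, sender):
    """Match an exact address or a '*@domain' entry (assumed wildcard form)."""
    entry, sender = entry.lower(), sender.lower()
    if entry.startswith("*@"):
        return sender.endswith(entry[1:])
    return entry == sender

def evaluate_sender(sender, lists):
    """Return (verdict, deciding_list); 'no_match' means normal filtering applies."""
    for name, verdict in ORDER:
        if any(entry_matches(e, sender) for e in lists.get(name, [])):
            return verdict, name
    return "no_match", None

def overridden_approvals(lists):
    """Exact-address approvals that a blocked list always pre-empts."""
    found = []
    for name, verdict in ORDER:
        if verdict != "approve":
            continue
        for entry in lists.get(name, []):
            if "*" in entry:
                continue  # only exact addresses are checked here
            result, decided_by = evaluate_sender(entry, lists)
            if result == "block":
                found.append((entry, name, decided_by))
    return found

# Constructed sample configuration mirroring the example in the text.
SAMPLE_LISTS = {
    "Administrator blocked": ["*@example.com"],
    "End User Quarantine approved": ["john@example.com", "amy@example.org"],
}

if __name__ == "__main__":
    print(evaluate_sender("john@example.com", SAMPLE_LISTS))
    print(overridden_approvals(SAMPLE_LISTS))
```

Running `overridden_approvals` over exported lists shows which end-user approvals have no effect because a blocked entry is evaluated first.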

IP Reputation Order of Evaluation

Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.

Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.

The order of evaluation for IP addresses in the lists on the Approved and Blocked IP Addresses screen is based on which list contains the IP address or Classless Inter-Domain Routing (CIDR) block.

Evaluation is done in the following order:

  1. The IP Addresses list:

    1. On the Approved screen
    2. On the Blocked screen
  2. The Country/Region list:

    1. On the Approved screen
    2. On the Blocked screen
  3. The selected standard IP reputation database lists on the IP Reputation Settings screen
  4. The adjusted dynamic IP reputation database lists on the IP Reputation Settings screen

An IP address added to the IP Addresses list on the Approved screen will not be blocked even if that IP address is also in a CIDR block listed on the Blocked screen. Furthermore, that IP address will not be blocked even if it is also in the Known Spam Source standard IP reputation database list.

 
IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level.
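Unlike the sender lists, the IP lists are checked approved-first, so a single approved address punches a hole in a blocked CIDR block and in the reputation databases. The sketch below is an added example, not Trend Micro code: the configuration keys, the `country_of` lookup and all addresses are constructed for illustration.

```python
import ipaddress

def contains(addr, entries):
    """True if addr falls inside any listed IP address or CIDR block."""
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def evaluate_ip(ip, cfg, country_of=lambda ip: None):
    """Return (verdict, deciding_stage) using the order listed above.

    cfg keys and country_of are hypothetical names for this sketch.
    """
    addr = ipaddress.ip_address(ip)
    country = country_of(ip)
    stages = [
        ("approve", "IP Addresses list (Approved)",
         lambda: contains(addr, cfg.get("approved_ips", []))),
        ("block", "IP Addresses list (Blocked)",
         lambda: contains(addr, cfg.get("blocked_ips", []))),
        ("approve", "Country/Region list (Approved)",
         lambda: country in cfg.get("approved_countries", [])),
        ("block", "Country/Region list (Blocked)",
         lambda: country in cfg.get("blocked_countries", [])),
        ("block", "standard IP reputation database",
         lambda: contains(addr, cfg.get("standard_db", []))),
        ("block", "dynamic IP reputation database",
         lambda: contains(addr, cfg.get("dynamic_db", []))),
    ]
    for verdict, stage, matches in stages:
        if matches():  # first match wins; later stages are never consulted
            return verdict, stage
    return "no_match", None

# Constructed sample data using documentation address ranges.
SAMPLE_CFG = {
    "approved_ips": ["203.0.113.10"],
    "blocked_ips": ["203.0.113.0/24"],
    "blocked_countries": ["ZZ"],
    # Stand-in for a selected list such as Known Spam Source.
    "standard_db": ["203.0.113.10/32", "198.51.100.0/24"],
}

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        print(ip, evaluate_ip(ip, SAMPLE_CFG))
```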
 

Policy Order of Evaluation

Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.

Evaluation is done in the following order:

  1. "Intercept" actions: Actions in this class intercept the message, preventing it from reaching the original recipient. Intercept actions include deleting the entire message and re-addressing the message.

    1. Delete the entire message
    2. Deliver Now
    3. Quarantine
    4. Change Recipient
  2. "Modify" actions: Actions in this class change the message or its attachments. Modify actions include cleaning cleanable viruses, deleting message attachments, inserting a stamp in the message body, or tagging the subject line.

    1. Cleaning Cleanable Viruses
    2. Deleting Matching Attachments
    3. Tagging the Subject Line
    4. Inserting a Stamp
    5. Rule Tokens/Variables
  3. "Monitor" actions: Actions in this class allow administrators to monitor messaging. Monitor actions include sending a notification message to others or sending a BCC (blind carbon copy) of the message to others.

    1. Send Notification Action
    2. Bcc Action
  4. "Scan Limitation" actions: Actions in this class allow administrators to reject or bypass scanning messages that exceed Hosted Email Security capabilities.

    1. Rejecting Messages
    2. Bypassing Messages
  5. "Encrypt Email Message" actions: Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.
 
Hosted Email Security takes action on email messages that pass Email Reputation and custom approved list filtering using the policy rules configured for content-based filters. For example, Hosted Email Security may quarantine an infected email message from an address in the approved senders list if you have configured content-based filtering to quarantine malware threats.
 

For more information about the General Evaluation Order, refer to this article: General Order of Evaluation.

Category: Configure; Deploy
Solution Id: 1114783