General Order of evaluating emails for Hosted Email Security (HES)

    • Updated: 28 Jul 2016
    • Product/Version: Hosted Email Security 1.9.8
    • Platform: N/A
Summary

HES evaluates each email that passes through its servers in a set order.

Details

General Order of Evaluation

Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to virus detection. Messages from blocked email addresses are blocked.

Sender Filter Order of Evaluation

Evaluation is done in the following order:

  1. End User Quarantine website Approved Senders lists
  2. Administrator console Approved Senders lists
  3. End User Quarantine website Blocked Senders lists
  4. Administrator console Blocked Senders lists

Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.

Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.

IP Reputation Order of Evaluation

The order of evaluation for IP addresses in the lists on the Approved and Blocked IP Addresses screen is based on which list contains the IP address or Classless Inter-Domain Routing (CIDR) block.

Evaluation is done in the following order:

  1. The IP Addresses list:

    1. On the Approved screen
    2. On the Blocked screen
  2. The Country/Region list:

    1. On the Approved screen
    2. On the Blocked screen
  3. The selected standard IP reputation database lists on the IP Reputation Settings screen
  4. The adjusted dynamic IP reputation database lists on the IP Reputation Settings screen

An IP address added to the IP Addresses list on the Approved screen will not be blocked even if that IP address is also in a CIDR block listed on the Blocked screen. Furthermore, that IP address will not be blocked even if it is also in the Known Spam Source standard IP reputation database list.
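The first-match order above, as an added Python sketch that is not Trend Micro code: it walks constructed lists in the documented order and flags approved entries that override a blocked CIDR block. All names, addresses, country codes and the reputation-database stand-ins are assumptions for illustration, and the country code is supplied by the caller rather than looked up.

```python
import ipaddress

# Constructed sample configuration (documentation-range addresses, not from the article).
CONFIG = {
    "approved_ips": ["203.0.113.25", "198.51.100.0/28"],
    "blocked_ips": ["203.0.113.0/24"],
    "approved_countries": ["CA"],
    "blocked_countries": ["ZZ"],  # placeholder country code
}
# Hypothetical stand-ins for the standard and dynamic IP reputation database lists.
STANDARD_DB = {"203.0.113.25": "Known Spam Source", "192.0.2.77": "Known Spam Source"}
DYNAMIC_DB = {"192.0.2.90"}


def _in_list(ip, entries):
    """True if ip equals an address or falls inside a CIDR block in entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def evaluate_ip(ip, country, cfg=CONFIG):
    """Walk the lists in the documented order and stop at the first match."""
    steps = [
        ("approved", "IP Addresses list (Approved)", lambda: _in_list(ip, cfg["approved_ips"])),
        ("blocked", "IP Addresses list (Blocked)", lambda: _in_list(ip, cfg["blocked_ips"])),
        ("approved", "Country/Region list (Approved)", lambda: country in cfg["approved_countries"]),
        ("blocked", "Country/Region list (Blocked)", lambda: country in cfg["blocked_countries"]),
        ("blocked", "standard IP reputation database", lambda: ip in STANDARD_DB),
        ("blocked", "dynamic IP reputation database", lambda: ip in DYNAMIC_DB),
    ]
    for verdict, source, matches in steps:
        if matches():
            return verdict, source
    return "no match", None


def shadowed_blocks(cfg=CONFIG):
    """Approved entries overlapping a blocked CIDR: the approval wins, so review them."""
    return [
        (a, b)
        for a in cfg["approved_ips"]
        for b in cfg["blocked_ips"]
        if ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))
    ]


if __name__ == "__main__":
    print(evaluate_ip("203.0.113.25", "US"))  # approved despite blocked /24 and spam listing
    print(shadowed_blocks())
```

Running `shadowed_blocks()` against an exported configuration is a quick way to list approvals that silently defeat a block entry.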

 
IP reputation-based filters use only IP address data to filter messages. You can also use sender email address and domain to filter incoming messages. Approved senders bypass IP reputation-based filtering at the MTA connection level.

Messages are evaluated against each of the filtering policies, depending on the action of the first triggered policy.

Policy Order of Evaluation

Evaluation is done in the following order:

  1. "Intercept" actions: Actions in this class intercept the message, preventing it from reaching the original recipient. Intercept actions include deleting the entire message and re-addressing the message.

    1. Delete
    2. Deliver Now
    3. Change Recipient
    4. Quarantine
  2. "Modify" actions: Actions in this class change the message or its attachments. Modify actions include cleaning cleanable viruses, deleting message attachments, inserting a stamp in the message body, or tagging the subject line.

    1. Cleaning Cleanable Viruses
    2. Deleting Matching Attachments
    3. Tagging the Subject Line
    4. Inserting a Stamp
    5. Rule Tokens/Variables
  3. "Monitor" actions: Actions in this class allow administrators to monitor messaging. Monitor actions include sending a notification message to others or sending a BCC (blind carbon copy) of the message to others.

    1. Send Notification Action
    2. Bcc Action
  4. "Scan Limitation" actions: Actions in this class allow administrators to reject or bypass scanning messages that exceed Hosted Email Security capabilities.

    1. Rejecting Messages
    2. Bypassing Messages
  5. "Encrypt Email Message" actions: Actions in this class encrypt the message and then queue it for delivery. This is a non-intercept action, but no other actions can be taken on the target message after this rule is triggered. This action has the lowest priority of all actions, but when triggered it is always the final rule run before the message is queued for delivery. If more than one rule in the rule set is triggered, the rule that uses the encrypt email action will always be triggered last.
 
Hosted Email Security takes action on email messages that pass Email Reputation and custom approved list filtering using the policy rules configured for content-based filters. For example, Hosted Email Security may quarantine an infected email message from an address in the approved senders list if you have configured content-based filtering to quarantine malware threats.
Category: Configure; Deploy
Solution Id: 1114783