Message Security for Google Apps Administration Guide • Google Apps for Business
Google, Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 www.google.com Part number: ADG_MSD_R645_85 June 6, 2012 © Copyright 2012 Google, Inc. All rights reserved. Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc.
About This Guide

Welcome to the Administration Guide

This guide contains detailed information for setting up and administering your email security service. It’s intended for administrators of the email security service, and assumes that you are familiar with administering email services for an organization. This guide is for customers of Postini for Google Apps.
Online Help

The complete content of this guide is available in online Help format, a browser-based system that you can access from the Administration Console. To access Help, click the Help link in the upper-right corner of any page.

Additional Documentation for the Postini for Google Apps Service

You can find additional guides and helpful elearning videos about using your Postini for Google Apps service at the Help Center.

How to Send Comments About This Guide

We value your feedback.
Chapter 1: The Administration Console

About the Administration Console

The Administration Console is a secure web-based interface used to manage and configure the message security service, and administer organizations and users. This chapter provides an overview of the Administration Console, information about logging in and passwords, and a description of the Home page.

Administration Console Security

The Administration Console provides a secure web interface during the entire session.
Logging in to the Administration Console

1. Log in to the Google Apps control panel. Open a web browser and go to http://www.google.com/a/[yourdomain] where [yourdomain] is the domain you are using in Google Apps for Business.
2. Enter your login address and password to log in to the Google Apps dashboard.
3. On the Service Settings page, click Postini Services console.
4. If necessary, enter your login address and password again.
5.
This page includes several useful links:
• You can find a link to the Message Center in the upper-right corner of the page.
• You can also find a link back to the Apps Dashboard at the very top of the page on the right.
• If you have access to the Archive, the page will include a link to Message Archiving in the upper-right corner of the page.
• Your administrator ID (email address) appears in the left corner.
To quickly access a user’s quarantine or view settings, enter their email address in the User Shortcut field and click the Quarantine or Settings button, or click Launch to open a floating User Shortcut window that controls your main Administration Console window.

System Tests

Use the System Tests to test mail flow, verify your MX record configuration, or check that email traffic cannot bypass the message security service.
Email Activity

The Email Activity graph shows an at-a-glance summary of important email statistics from the last 60 minutes. It displays the number of processed, quarantined, delivered, and bounced messages. The following pieces of data are shown:
• Processed: All mail sent to the message security service.
• Quarantined: Messages quarantined for spam, virus, attachments or content rules and stored in the Message Center.
• Delivered: Messages passed to Gmail.
Activity Information: Meaning
• Valid messages: Total count of valid messages that were passed on to Gmail.
• Spam: Total count of messages quarantined as spam. This is separate from Gmail spam filtering.
• Viruses: Total count of messages quarantined as viruses. This is separate from Gmail virus filtering.
• 500 Errors: Total count of messages rejected with 500 errors. A 500-series error is a standard email code (with an error number between 500 and 599) that indicates a mail message has been rejected.
Message Composition

The Message Composition box displays a pie chart summary of the number of delivered messages, virus messages quarantined, spam quarantined, spam blocked (by Attachment Manager or Content Manager), and spooled messages. This information is a summary of the activity that has taken place over the last 60 minutes.

Customer Care

The Customer Care section of the Home page gives an update on new features and support, and provides links to help pages and other useful resources.
Other versions of the message security service use this tab to manage mail server information. Since your mail server is Google Apps, you do not need to set this information.
• Reports: Reports and logs for mail filtering activity. See “Reports” on page 321 for more information.

Navigating the Organization Hierarchy

Your users are grouped into an organizational hierarchy (information about organizations is described in detail in the “Organization Hierarchy & Design” chapter).
Troubleshooting the Administration Console

How do I get another administrator account for a co-worker?

You can create an administrator account by creating a new authorization record for a user. See “Create Administrators and Manage Authorization Records” on page 92 for more information.
Chapter 2: Organization Hierarchy & Design

About the Organization Hierarchy

To best manage users, you can divide them into groups called organizations (or orgs, for short). An org can be configured to give its users specific services or management control, such as a support address, email policy, or administrator. You can also create sub-organizations (or sub-orgs) below an org to create a finer level of control within a larger group.
As new users, user aliases, and domain aliases are created in your Google Apps account, they are added to your initial User organization. If you have several organizations in your hierarchy, you can move your new users to a sub-organization. Each user org can be configured to provide its users with specific services, filter settings, administrators, and other policies. Placing users in an org applies its settings to those users. Changing a setting applies the change to the entire org.
Hierarchy Configurations

For the message security service to filter users’ email, it has to know about their email address and their domain (the part of their address that comes after the @ sign). You register your users by associating them with organizations in your hierarchy. When doing so, follow the best practice configurations described below.
Hierarchy with Multiple User Orgs

If some users have unique service requirements, you can create additional orgs, and configure them with the unique settings. As new Google Apps users are added, move these users to the appropriate sub-organization. Each user receives the filtering, services, and administrators defined for its organization. For example, you might separate users in your New York and La Honda offices to give each group its own administrator and support address.
You might group users by geography; by their department or role in the company; by the security services they can access or their level of filtering; according to the administrator who will manage their service; or most likely by some combination of factors. Because each new org receives a copy of settings from its parent, it’s easy to maintain common settings throughout a leg of your hierarchy. The best strategy is to decide policies for different user groups, then create orgs to support your strategy.
Distribute Administrative Control

To distribute management of user groups across several administrators, or allow individual customers to manage their own service, assign each administrator to the organization they should be able to manage. An administrator has permissions to manage his or her own org, and all sub-orgs below it. Here, Joe is an administrator at the parent-level and can therefore administer the entire hierarchy below.
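The inheritance rule above (an administrator manages their own org and every sub-org below it) can be reviewed offline as an access check. The following Python is an added example, not part of the original guide or the service; the org tree, the administrator addresses and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample hierarchy: org -> parent org (None marks the top-level org).
# "Jumbo Inc" and "La Honda Sales" are hypothetical names for this example.
PARENT = {
    "Jumbo Inc": None,
    "New York": "Jumbo Inc",
    "La Honda": "Jumbo Inc",
    "La Honda Sales": "La Honda",
}

# Constructed assignments: (administrator, org the administrator is assigned to).
ASSIGNMENTS = [
    ("joe@jumboinc.com", "Jumbo Inc"),
    ("nyadmin@jumboinc.com", "New York"),
    ("lhadmin@jumboinc.com", "La Honda"),
]


def org_chain(org, parent):
    """Return org followed by each of its ancestors, up to the top-level org."""
    chain, seen = [], set()
    while org is not None:
        if org not in parent:
            raise KeyError(f"unknown org: {org!r}")
        if org in seen:
            raise ValueError(f"cycle in hierarchy at {org!r}")
        seen.add(org)
        chain.append(org)
        org = parent[org]
    return chain


def effective_admins(parent, assignments):
    """Map each org to every administrator who can manage it.

    An administrator assigned to an org also manages all sub-orgs below it,
    so an org's effective administrators are those assigned to the org
    itself or to any of its ancestors.
    """
    assigned = defaultdict(set)
    for admin, org in assignments:
        if org not in parent:
            raise KeyError(f"assignment to unknown org: {org!r}")
        assigned[org].add(admin)
    result = {}
    for org in parent:
        admins = set()
        for node in org_chain(org, parent):
            admins |= assigned.get(node, set())
        result[org] = sorted(admins)
    return result


def admin_scope(parent, assignments):
    """Invert the mapping: administrator -> sorted list of orgs they can manage."""
    scope = defaultdict(set)
    for org, admins in effective_admins(parent, assignments).items():
        for admin in admins:
            scope[admin].add(org)
    return {admin: sorted(orgs) for admin, orgs in scope.items()}


if __name__ == "__main__":
    # Widest scope first, so parent-level administrators stand out in a review.
    ranked = sorted(admin_scope(PARENT, ASSIGNMENTS).items(),
                    key=lambda item: (-len(item[1]), item[0]))
    for admin, orgs in ranked:
        print(f"{admin}: {len(orgs)} org(s): {', '.join(orgs)}")
```

Listing scope per administrator makes it easy to spot accounts assigned higher in the hierarchy than the orgs they actually need to manage.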
Provide Access to Services

If some users need access to different services, enable or disable the service for those users’ organization. Such services include:
• Message Center and Notifications: If users should be able to manage their own quarantined spam and viruses, enable their Message Center. Also enable Notifications, which sends them an email summary of recently quarantined messages. If not, disable these features for their org.
Similarly, some Default User settings shouldn’t be changed for individual users, if they define policies that should remain in effect across the org. See below for guidelines on where, or where not, to control each setting.

Organization Settings

The following org-level settings can be made for any organization. Users added to the org receive these settings, and changing a setting applies the change to the whole org.
Default User Settings

When a new user is added to the message security service, it gets certain user-level settings from a Default User—the one assigned to the organization the new user is added to. These settings include:
• Spam filters on/off
• Virus filters on/off
• Spam filter levels for individual categories of spam

As a template for creating new users, a Default User is how you enforce common filter settings across an org.
WARNING: Don’t change User Access permissions for an individual user. Manage User Access at the org-level, instead. See “Enable / Disable Message Center Access” on page 135.

User-Controlled Settings at the Message Center

You can optionally allow individual users to manage some settings themselves, by providing them User Access permissions to the Message Center.
Where Settings Can and Should be Made x = Typically avoid changing settings at this level Support address / time zone Default User assignment The Default User applied to new users Industry Heuristics Message Center subject links Outbound virus blocking Compliance footer User Access (to Message Center) It’s strongly recommended that you change specific permissions only at the org-level Daily message limit Virus notification interval Allowed and blocked sender lists Virus blocking On/Off (should alwa
Chapter 3: Organization Management

About Organization Management

You manage your users’ email protection by arranging them into groups called organizations (or orgs, for short). An org can be configured to give its users specific services or management control, such as a support address, email policy, or administrator. You can also create sub-organizations (or sub-orgs) below an org, to create a finer level of control within a larger group.
You can list organizations:
• Along with links to related commands.
• Along with a summary of service settings.
• In a list showing each org’s domains.
• In a convenient pop-up that you can keep around.
• In a Choose Orgs list at the top of most pages.

Note: The exact orgs you see and tasks you can perform depend on your administrative privileges. See “Create Administrators and Manage Authorization Records” on page 92.
Organizations page overview
• View Hierarchy with Domains link (top of page): Click this link to list each org along with its domains.
• Download Orgs/Settings link (top of page): Click this link to retrieve settings for currently listed orgs as comma-delimited text, which you can then import into a spreadsheet. See “Download Organization Settings” on page 52.
List Users, Add Users, etc.
Organization Summaries page overview
• Default User: The user template whose settings are applied to new users in the org. Click the link to manage these settings.
• Last Modified: The date the org was last modified (a setting changed, user added, and so on).
• Date Created: The date the org was created.
• Creator: The administrator who created it. For the first initial organization, this is blank.

List Organizations with Domains

Each user organization has a domain associated with it.
Show Orgs in a Popup Window

Keep access handy to all organizations from a popup window that can always stick around.

Note: A maximum of 25 organizations can be displayed in the popup window. To view large numbers of organizations, go to Orgs & Users > Orgs. You can adjust the number of organizations displayed per page.

1. Click the Show Hierarchy link at the top of any page.
2. In the popup window, click an org to access its settings.

Click an org under Organizations to access its service settings.
Choosing an org while on the Organizations page (which lists all your orgs) narrows the list to only that org and its sub-orgs.

Note: Only 45 orgs can be displayed in the Choose Orgs list.

Choose Orgs list: Navigate conveniently between organizations while viewing a specific feature or component.

Manage Organization Settings

To set email policies and configure services that apply for all users in an organization, go to the org’s Management page. Then click a feature to view or change its settings.
Inbound Services Inbound Services Description Enable/disable Blatant Spam Blocking for the organization, and set a spam disposition (method of processing spam). See “Configure Spam Settings for an Organization” on page 173 and “Configure Spam Disposition for an Organization” on page 176. Set a virus disposition and manage other org-level virus settings. See “Configure Virus Settings for an Organization” on page 192. Filter messages based on the size and file type of attachments.
Outbound Services All outbound services are optional features that aren’t available with all service packages. Outbound Services Description Apply virus blocking, or attachment or content filters to outbound messages, that is, messages sent from users in this organization. See “About Outbound Services” on page 507. Place a standardized text message at the bottom of messages sent from users in this organization. See “Compliance Footer” on page 518.
Organization Settings Description Control what settings users in this org have permission to view or modify at their Message Center. See “Enable / Disable Message Center Access” on page 135 and “Control What Users Can View and Modify” on page 138. Manage default user-level settings applied to new users added to this org, such as spam filter levels and virus blocking. See “Manage Default User Templates” on page 63.
Organization Settings Description Optional feature. Configure Message Encryption settings. For information about Message Encryption, see: Message Encryption Administration Guide. Organization Summary Organization Summary Description Organization ID A unique ID for this organization, useful when escalating an issue to Support. An org’s name can be changed, but its ID always remains the same. Organization The org’s name. Can be changed under General Settings.
The name in the gray bar changes, indicating that you’re now looking at your new org’s settings, which were copied from the parent. You can change them now, to apply to this org’s users only (see “Manage Organization Settings” on page 40). Optionally, you can assign privileges for one or more administrators to manage the new org. Administrators of the parent org have privileges to manage it, too. See “Administrators” on page 87.
Find an Organization

You can quickly find any organization by typing its name in a search form, on either the Home page or the Organizations page:

1. Locate the appropriate search form on the Home or Organizations page.
• Searching from the Home Page
• Searching from the Organizations page.
2. You can search only for orgs that are beneath the current org in your hierarchy. So use the Choose Orgs list to change the current org, if necessary.
3. Type the org name you’re looking for, in the form.
To limit the daily number of messages that users in an organization can receive, go to Message Limits on the org’s Management page. This page also displays a maximum message size for users in this org, defined in Attachment Manager.

Field: Value
• Maximum Message Size: The maximum size of attachments-per-message that users in the organization can receive. Messages that exceed this limit are bounced, returning the SMTP error message “552 Message too large psmtp” to the sender.
Organization General Settings
• Organization ID: A unique ID for this org, useful when escalating an issue to Support. An org’s name can be changed, but its ID always remains the same.
• Organization Name: The name of the current org.
• Parent Organization: The org one level up in the hierarchy.
  • When the current org was created, it received a copy of its original parent’s settings.
  • The current org can be administered by its parent’s administrators.
Organization General Settings
• Non-Account Bouncing: When Non-Account Bouncing is on, messages are bounced if they are not addressed to a registered user or alias. The SMTP error message “550 No such user - psmtp” is returned to the sender. This setting is used for organizations that contain domains. In other organizations, this setting has no effect. Non-Account Bouncing applies to all domains in an organization.
Organization General Settings
• Time Zone: If users in this organization receive a regularly scheduled Quarantine Summary notification, the notification is sent based on this time zone. See “Configuring Notifications for an Organization” on page 149.
• Region and Language: Choose your region and language for text in the quarantine summary and the Message Center. Note: The Message Center supports a subset of the languages listed in the Region and Language menu.
Handle Mail to Unrecognized Addresses

Once you add a domain to the message security service, all email to that domain is routed through the data center. Only addresses recognized by the data center (those that have been added as users, for example) receive filtering. But email to other addresses in the domain (to users that aren’t yet added to the service, that aren’t receiving protection, or that don’t exist) must be dealt with, too.
Move an Organization

You can move an organization to a new location in your organization hierarchy by assigning it to another parent. Do this under General Settings on the org’s Management page.

1. Locate the org you want to move, under Orgs and Users, and go to the org’s Management page.
2. Scroll down and click General Settings.
3. Enter the name of the new parent org in the Parent field, and click Save.
You can download settings for one or more organizations as text. Then import the text into a spreadsheet, for easy reference. Listed for each org are its support contact, filter settings, and other details of its service.

1. Go to the Organizations page under Orgs and Users, and list the orgs whose settings you want to download as text.
• Use the Choose Orgs list to show a particular organization and its sub-orgs (choose the top-level org to show the entire hierarchy).
Chapter 4: Users and Quarantines

About Users and Quarantines

A user is an email address in Gmail that has been added to the message security service. Users are added to and removed from the service through the Google Apps Control Panel. When you add a user, the service then filters email going to and coming from that address. Each user resides in an organization (org) and inherits the associated org-level settings, such as a support address, administrator, or email policy.
View All Your Users

View a list of users currently receiving email protection under Orgs and Users > Users.
List Many Users

When you first open the Users page, it lists users by address only, allowing you to scan many users at once. The page displays all users in the current organization and its sub-orgs.

Users page overview
• Choose Org list (top left): Choose an org from this list to display only users in that org and its sub-orgs.
• Find User form: Find a user quickly by entering the address. See “Search for Users” on page 59 for more information.
List User Summaries

To list users along with details about their settings, click the Settings Summary link.

User Summaries page overview
• Find User form: On this page, there are additional fields for refining your search. See “Search for Users” on page 59.
• Aliased To: If the address is a user alias/nickname, this column displays the primary user address for which this is an alias/nickname. See “Manage User Aliases/Nicknames” on page 78.
User Summaries page overview
• Modified: The date the user was last modified.
• Creator: The administrator who created the user.
• Created: The date the user was added.
• Method: How the user was added. Admin Batch or API: Created using a Batch File.

List Users by Organization

To list users in a particular organization but not in any of its sub-orgs:
1. Open the Users page and choose the org from the Choose Orgs list.
2. Clear the Include: sub-orgs check box in the Find User form.
Basic Search

To search from the Users page:
1. Click the Orgs and Users tab.
2. Click the Users link.
3. Use the Choose Org list to choose an organization.
4. Enter a user address in the Find User form.
• Enter an entire address to find one user.
• Enter the beginning of an address to find all users that begin with that character string.
• Begin your entry with a % to find all users that contain that character string.
• End your entry with a $ to find all users that end with that character string.
This search lists all users in the domain postqa7.com:

• User Shortcut: This is also like searching from User pages, except entering a complete address allows you to then click Quarantine to view the user’s Quarantine, or click View Settings to open the user’s Overview page. Click Launch to open the form in a pop-up window.

Refine Your Search

You can refine your search by specifying additional criteria on the Users and User Summaries pages.
This example shows how to find all users and user aliases/nicknames, in the current org or its sub-orgs, beginning with “hobie”:

• Search for a particular user’s aliases/nicknames: On the User Summaries page, enter the user in the field above the Aliased To column, and select the aliases check box. In this example, we find only aliases/nicknames that belong to users beginning with “helen.”
• Confine your search to the current org: Clear the sub-orgs check box.
Search Text Tips

When you search for users, you can enter a partial address as a shortcut or to narrow your search to users with similar addresses. You can do this in any search form on User pages or the Home page. If you enter jean, for example, and only one user address begins with “jean,” you find that user. If more users begin with “jean,” you see a list of those users, and you can choose the one you want.
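The search syntax described under Basic Search and Search Text Tips can be applied offline to a downloaded list of user addresses. The following Python is an added example, not code from the guide or the service; the sample addresses are constructed, the function names are hypothetical, and case-insensitive matching and the rejection of empty or combined `%`…`$` entries are assumptions the guide does not state.

```python
# Constructed sample of user addresses, e.g. taken from a downloaded user list.
USERS = [
    "jean@postqa7.com",
    "jeanette@postqa7.com",
    "hobie@postqa7.com",
    "Helen@jumboinc.com",
    "sales-jean@jumboinc.com",
]


def parse_entry(entry):
    """Split a Find User entry into (mode, text) using the guide's three rules.

    - plain text        -> addresses that begin with the text
    - leading '%'       -> addresses that contain the text
    - trailing '$'      -> addresses that end with the text
    """
    term = entry.strip()
    leading_pct = term.startswith("%")
    trailing_dollar = term.endswith("$")
    if leading_pct and trailing_dollar:
        # The guide does not describe combining both markers (assumption: reject).
        raise ValueError("combining % and $ is not described in the guide")
    if leading_pct:
        mode, text = "contains", term[1:]
    elif trailing_dollar:
        mode, text = "ends_with", term[:-1]
    else:
        mode, text = "begins_with", term
    if not text:
        # Assumption: an entry with no search text is treated as invalid.
        raise ValueError("empty search text")
    return mode, text.lower()


def matches(entry, address):
    """Return True if address satisfies the search entry (case-insensitive)."""
    mode, text = parse_entry(entry)
    addr = address.strip().lower()
    if mode == "contains":
        return text in addr
    if mode == "ends_with":
        return addr.endswith(text)
    return addr.startswith(text)


def find_users(entry, addresses):
    """Return the addresses that match, in their original order."""
    return [a for a in addresses if matches(entry, a)]


if __name__ == "__main__":
    for entry in ("jean", "%jean", "@postqa7.com$", "jean@postqa7.com"):
        print(f"{entry!r:22} -> {find_users(entry, USERS)}")
```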
How Default Users Work

Initially, there is one Default User, pdefault@yourdomain.com, in your hierarchy. It resides in your top-level Account Administrator org. New users added to this org inherit the Default User’s settings. In this default configuration, when you create sub-orgs, users in those orgs also inherit the Default User’s settings. Every org that contains users must be assigned a Default User.
2. Click the user name to open its Overview page.
3. Click the feature you want to modify, make your changes, and click Save. See below for recommended settings.

Recommended Default User Settings

Before configuring a Default User, please note:
• Configure a Default User before assigning it to a hierarchy. The configuration of a Default User only affects users as they are added to an org. Changes to the Default User do not affect users already in the org.
Default User Recommended Settings

Senders Lists
• Allowed or Blocked Senders: Don’t add any senders to these lists. To apply common allowed or blocked senders across an org, use the org’s Sender Lists.
• Approved Recipients: Optionally add any external mailing lists that should be approved for all users in the org. See “Approved and Blocked Sender Lists” on page 255.

Message Limits: Leave the daily message limit blank. Set any desired message limit at the organization level.
Default User Recommended Settings
• Message Center Access: Enable this setting regardless of whether you want new users to access their Message Center. Disable Message Center access using the org-level User Access settings.
• Individual permissions: Leave these check boxes unchanged. Set all permissions at the org-level, instead. See “About the Message Center” on page 133.
To create a new Default User:
1. Create the user in the Google Apps Control Panel. To identify it as a Default User, use a meaningful naming convention. The system automatically recognizes names that begin with pdefault and postinidefault as Default Users, for example, pdefaultSalesOrg or postinidefaultStaffOrg.

Note: Default Users do not count toward your billing.
To delete a default user:
1. Remove the Default User from all orgs’ General Settings.
2. Use the Google Apps Control Panel to delete the user.

Add / Delete / Move Users

Add Users

You add users from the Google Apps Control Panel. Once you add a user, that information is synchronized with Postini for Google Apps, and the user is visible in the Administration Console in about 30 minutes. Any nicknames associated with that user are also visible in the Administration Console as aliases.
Users retain their existing user-level settings, but acquire new org-level settings from their new organization. To move a single user, you can also go to General Settings on the user’s Overview page, and enter a new parent organization for the user. See “User General Settings” on page 79.

Manage a User’s Settings

You can manage a user’s individual settings and Quarantine from the user’s Overview page.
Suspend or Reset a User

On the User Overview page, you can:
• Suspend a User: Stops all filtering and protection for the user, but retains the user’s settings and account information in the message security service. See “Suspend a User” on page 81 for details.
• Reset a User: Sets the user’s settings to the Default User’s settings. See “Reset a User” on page 81 for details.

Inbound Services Overview
• Spam Filtering: Enable/disable spam filtering for this user.
Inbound Services Overview
• Message Limits: Track how many messages this user receives for the current day. In general, we recommend leaving the daily message limit blank for a user. Set any desired message limit at the organization level. You can enter 0 to block all messages for this user (useful when a user has left the company). For details, see “Set an Organization’s Message Limits” on page 46.
User Settings Overview Aliases: If a user receives email at more than one address (such as jonathan@jumboinc.com and john@jumboinc.com), add the additional addresses here as user aliases/nicknames. See “Manage User Aliases/Nicknames” on page 78. See whether the user has ever logged in to the Message Center, or received a Welcome notification (sent when the user is first added to the message security service). You can also specify the address to which the user’s notifications are sent.
Manage Quarantined Messages

Incoming messages filtered as spam or otherwise diverted from delivery to a user can be placed in a Quarantine where administrators can go to review and manage them. You can quarantine each user’s suspicious messages in a separate User Quarantine. Or you can set up a central Quarantine for collecting all users’ quarantined messages. From a Quarantine, you can:
• Review and safely open quarantined messages for analysis.
• Find messages based on sender, subject, or content.
Quarantine Messages Centrally

Instead of quarantining each user’s suspicious messages separately, you can collect all users’ spam or viruses in a central Quarantine. To do so, set the spam or virus disposition to Quarantine Redirect, or configure Content Manager filters to copy messages to a specific quarantine. In each case, you supply a user address whose Quarantine you want to use.
2. Select the type of quarantined traffic you want to view:
• All: Messages that are currently quarantined, messages that were quarantined and delivered, and messages that were quarantined and deleted.
• Quarantined: Messages that are currently quarantined.
• Delivered: Messages recently delivered from the Quarantine to the user or an administrator (if they were delivered with the “Marked as delivered” option). Copies of these are kept for three days, and then deleted.
• OB Virus: Outbound virus blocking (optional feature)
• Org Blocked Sender: Sender is on the org’s Blocked Senders list
• Racial: Racially insensitive spam filter
• Sexually Explicit: Adult content spam filter
• Special Offer: Special Offers spam filter
• Undeliverable Bounce: Outbound undeliverable bounce messages (optional feature)
• User Blocked Sender: Sender is on the user’s Blocked Senders list
• Virus: Virus blocking (message contained a virus)

Tip: Click a column heading to sort the messages by that headin
2. To delete the selected messages, click Delete.
3. To deliver the selected messages, select an option:
• Deliver to original recipient: Delivers selected messages to the user to whom they were originally sent.
• Deliver to administrator: Delivers selected messages to your administrator account (the account currently logged in to the Administration Console).
User General Settings
Under General Setting on a user’s Overview page, you can manage the user’s primary address and organization, reference its ID, and view its Wireless Forwarding settings. Configure the settings as described below, then click Save when you have finished.
User General Settings
User ID: A unique ID for this user, useful when escalating an issue to Customer Care. A user’s primary email address can be changed, but its ID always remains the same.
Organization Name: The user’s organization.
WARNING: Do not add the mailing list as a user account. Under these circumstances, the mailing list is treated as a user, and all members of the mailing list, including those outside of your organization, receive the notifications and quarantine summaries.
You have two options to protect mailing lists:
• Alias the mailing list to an existing user, such as an administrator or the designated owner of the mailing list.
Select the mailing list user. Under Settings, click Notifications. Add the list owner’s email address to the Notification address. This allows only the list’s owner to receive the quarantine summary, notifications, and password changes.
4. Configure filtering for the mailing list user. Select the mailing list user account, and configure Spam Filtering. Add any approved or blocked senders.
5. Select the mailing list user, and add the mailing list address as an alias.
Download Users and Settings
From the Users or User Summaries page, you can download a text list of users and their settings, and then import the text into a spreadsheet. For example, you can download the results of a user search or a list of all users in a particular domain.
To download users and settings:
1. Go to Orgs and Users > Users, then click the Download Users/Settings link at the top right of either the Users or User Summaries page.
2.
Filter GetRich -- Get Rich Quick category filter setting for the user. Same scale as Filter Adult
Filter Offers -- Special Offers category filter setting for the user. Same scale as Filter Adult
Filter Racial -- Racially Insensitive category filter setting for the user. Same scale as Filter Adult
Wireless State -- 0: On, 1: Off, 2: Not allowed
Virus Notify -- Frequency of user virus notifications. NULL: use organization setting, 0: Send immediately, 1: Send one per day, 9: Disable virus notifications
Virus State -- 0: On 1
Troubleshoot Users
How do I protect internal distribution or mailing lists from spam and viruses?
Do this by adding each list to the message security service, either as a user, or aliased to a user. See “Protect Your Mailing and Distribution Lists” on page 79.
Mail from external mailing lists is being falsely filtered as spam. What should I do?
Users can add these addresses to a special list that approves incoming mail based on the address in its To and CC fields.
7. Load the file created in Step 6 into a text editor and replace all occurrences of “modifyuser,” with “modifyuser ” to remove the comma and add a space. Make sure there is a comma between the user’s address and the fields, and between each field=value pair. The result should look something like this example:
modifyuser msmith@sales.jumboinc.com, junkmail_filter=0, virus_notify=9
Save the result as a TXT file.
8. You can now validate this file and upload it as a batch file.
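The edit in step 7 and the comma rules it states can be checked before upload. The following is an added example, not part of the original guide or of the service's own tooling; the function names are hypothetical, the input line is constructed, and it assumes that values are non-empty and that the batch field virus_notify uses the same codes as the Virus Notify column of the download.

```python
import re

# An address must not contain spaces or commas; this is what catches a
# missing comma between the address and the first field.
ADDRESS = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
# One field=value pair; a space or a second '=' means two pairs ran together.
PAIR = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=[^=,\s]+$")

# Settings an administrator may want to see before upload (assumed mapping:
# Virus Notify code 9 means "Disable virus notifications").
REVIEW = {"virus_notify=9": "disables virus notifications"}


def spreadsheet_to_batch(line):
    """Apply step 7: replace the leading 'modifyuser,' with 'modifyuser '."""
    line = line.strip()
    if line.startswith("modifyuser,"):
        line = "modifyuser " + line[len("modifyuser,"):].lstrip()
    return line


def split_command(line):
    """Return (address, [pairs]) for a 'modifyuser ' line, whitespace trimmed."""
    parts = [p.strip() for p in line[len("modifyuser "):].split(",")]
    return parts[0], parts[1:]


def check_batch_line(line):
    """Return a list of format problems; an empty list means the line passes."""
    if not line.startswith("modifyuser "):
        return ["line must start with 'modifyuser ' (a space, not a comma)"]
    address, pairs = split_command(line)
    problems = []
    if not ADDRESS.match(address):
        problems.append("no comma after the user's address: %r" % address)
    if not pairs:
        problems.append("no field=value pairs")
    for pair in pairs:
        if not PAIR.match(pair):
            problems.append("not a single field=value pair: %r" % pair)
    return problems


def review_flags(line):
    """Return the pairs on a well-formed line that are listed in REVIEW."""
    if check_batch_line(line):
        return []
    _, pairs = split_command(line)
    return [p for p in pairs if p in REVIEW]


def prepare(lines):
    """Convert spreadsheet lines and report (batch_line, problems, flags)."""
    out = []
    for raw in lines:
        batch = spreadsheet_to_batch(raw)
        out.append((batch, check_batch_line(batch), review_flags(batch)))
    return out


if __name__ == "__main__":
    # Constructed sample input in the shape step 7 starts from.
    sample = [
        "modifyuser,msmith@sales.jumboinc.com,junkmail_filter=0,virus_notify=9",
        "modifyuser,msmith@sales.jumboinc.com junkmail_filter=0",
    ]
    for batch, problems, flags in prepare(sample):
        print(batch)
        for p in problems:
            print("  PROBLEM:", p)
        for f in flags:
            print("  REVIEW :", f, "->", REVIEW[f])
```
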
The limit is configured there. Changing this limit does not restore mail flow to the user.
How can I view a list of all my user aliases/nicknames?
You can see a list of users and aliases/nicknames through the Administration Console:
1. Go to Orgs and Users > Users.
2. Select the Include: aliases check box, then click Search.
3. You see a list of all users and their aliases/nicknames in your org structure.
4. To narrow this search, you can enter special criteria into the Find User text box.
Chapter 5: Administrators
About Administrators and Authorization
Administrators have access to the Administration Console where users and organizations are managed. Each administrator must have a user account and assigned privileges to access organizations. Administrator privileges are assigned by creating an authorization record. The authorization record doesn’t need to be in the same organization as the administrator -- the authorization record can be anywhere in the organization hierarchy.
Authority Privilege Propagation
In an organization hierarchy, administrator privileges are propagated down the organizational tree. The following example illustrates how administrative authority affects management privileges in the organization. The Jumbo Inc activation administrator maintains authority over both the New York and Jumbo Inc Users organizations, and all sub-organizations. Admin B is assigned an authorization record and privileges for the New York organization.
A peer administrator can modify and delete another administrator’s privileges, if it is assigned to the same organization, by clicking Delete on the Authorization List page. This does not remove the impacted administrator as a user. It removes the administrator’s authorization record for this organization. If this is the impacted administrator’s only authorization record, this user is no longer an administrator and is not allowed to log into the Administration Console.
3. At the Systems organization, our administrator has a new authorization record with privileges limited to just reading user settings. The administrator can only read and not modify user settings for the sub organizations IT and Operations.
4. For the IT Support organization, our administrator’s full read and modify privileges are restored. A new authorization record with full read and modify privileges is assigned to this organization.
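The propagation described above can be audited by resolving, for each organization, which authorization record governs an administrator there. This is an added example, not code from the guide or the service: the address, the placement of IT Support under IT, and the full-privilege record at New York are assumptions, and the rule "the closest record at or above the organization applies" is modelled on steps 3 and 4.

```python
# Constructed hierarchy, child -> parent. Only the organization names come
# from the guide; the exact tree shape is assumed for illustration.
PARENT = {
    "Jumbo Inc": None,
    "New York": "Jumbo Inc",
    "Customer Service": "New York",
    "Systems": "New York",
    "IT": "Systems",
    "Operations": "Systems",
    "IT Support": "IT",
}

ADMIN = "admin@jumboinc.com"  # constructed address

# Constructed authorization records: (admin, org) -> {privilege: access levels}
RECORDS = {
    (ADMIN, "New York"): {"User Settings": {"read", "modify"}},
    (ADMIN, "Systems"): {"User Settings": {"read"}},          # step 3
    (ADMIN, "IT Support"): {"User Settings": {"read", "modify"}},  # step 4
}


def governing_record(records, admin, org):
    """Walk up from org; return (record_org, privileges) of the closest record."""
    node = org
    while node is not None:
        if (admin, node) in records:
            return node, records[(admin, node)]
        node = PARENT[node]
    return None, {}


def can(records, admin, org, privilege, access):
    """True if the governing record grants this access level for the privilege."""
    _, privileges = governing_record(records, admin, org)
    return access in privileges.get(privilege, set())


def is_administrator(records, admin):
    """A user with no authorization record left is no longer an administrator."""
    return any(owner == admin for owner, _ in records)


def delete_record(records, admin, org):
    """Return a copy of the records without the (admin, org) record."""
    return {key: value for key, value in records.items() if key != (admin, org)}


def audit(records, admin, privilege):
    """For every org: which record governs, and what access results."""
    report = {}
    for org in PARENT:
        source, privileges = governing_record(records, admin, org)
        report[org] = (source, sorted(privileges.get(privilege, set())))
    return report


if __name__ == "__main__":
    for org, (source, access) in audit(RECORDS, ADMIN, "User Settings").items():
        print("%-17s governed by %-10s access=%s" % (org, source, access))
```

Running the audit after every authorization change shows where a restrictive record lower in the tree is silently overridden by a broader one beneath it, as IT Support is here.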
1. Examples of initial inheritance and a sub-organization record change:
a. The top-level authorization record assigned to the New York organization has the read-only privilege for managing spam filters.
b. When created, the Customer Service and Systems authorization records inherit the New York authorization setting. Both have read-only privileges for managing spam filters.
c. In the Systems record, the account administrator enables the Spam Filters modify privilege.
Create Administrators and Manage Authorization Records
When you create an administrator:
• Check your authorization record -- Your authorization record needs the Add Users, Assign Authority, and Assign Peer Authority (optional) privileges:
  • Add Users -- If the new administrator is not yet a user in the system, you must have full Add Users privileges for the organization where you are adding the new administrator.
Note: An account administrator, with the Assign Peer Authority privilege enabled, can create and change settings for a peer account-level administrator.
Creating an Administrator
To create a new administrator:
1. If the user does not already exist, create a user account for the administrator. See “Add / Delete / Move Users” on page 69 for more information.
2. In the Administration Console, go to Orgs and Users > Authorizations.
3. Choose the organization where the administrator should have privileges.
WARNING: Modifications to the authorization record take effect immediately. Unlike modifying a user or organization, you do not have to click a submit button to save to the authorization record.
If the administrator needs access to support, please contact the appropriate support channel.
Viewing and Editing Authorization Records
1. Go to Orgs & Users > Authorizations.
2.
Example of results by address:
Note: Administrators who have authorization records in the same organization (peer administrators) can edit each other’s authorization records.
5. In an emergency or under special circumstances, an administrator can delete a peer administrator. For example, bchad@corp.jumboinc.com can delete the New York authorization record assigned to abradley@corp.jumboinc.com. Click Delete to delete a peer administrator’s authorization record.
Types of Administrators
To simplify the range of possible administrator configurations, this section describes the common types of administrators, where to place their authorization records, and recommended privilege settings. Use these descriptions as a guide that you can customize. It is common for an administrator’s job to be composed of several administrative types.
Account Admin Monitor Admin Compliance, Security Admins Spam Filters, Sender Lists, Traffic Limits, Virus, Early Detection Quarantine read/ modify read read read/ modify read Industry Heuristics read/ modify read read read/ modify read Archive Security, Search/ Discovery, Audit, Retention, Investigator read/modify Archive Admins Org Policy Admin User Admin read and/or modify System Tests run run run run run Attachment Manager read/ modify read read read/ modify read Content
Positioning Account Authorization Records
The account administrator’s authorization record is assigned to the account organization. This administrator has global management privileges across the whole account hierarchy. In turn, this administrator creates additional administrators to manage either peer or sub-organization levels. The following example illustrates how the account administrator for Jumbo Inc has administrative privileges for every level of the hierarchy.
In the following example, fully authorized email administrators are assigned to organizations below the account level. These administrators have the same privileges as an account administrator. In the example, the Jumbo Inc account administrator has access to the Western and Eastern Divisions. The Western Division and Eastern Division regional administrators manage their respective divisions.
Account Administrator Privilege Delete Users Application Management Junk Email Settings Sender Lists Spam Filters Sexually Explicit Virus Settings Show Delivered-As-Is Pending Quarantine Wireless Settings Account Settings Password Email Aliases Regional Settings Personal Archive Archive Search Archive Recover Junk Email Analysis View Images, Attachments, and Links Organization Management Assign Authority Assign Peer Authority Change Admin Passwords Create Organizations Delete Organizations View Reports Ou
Account Administrator Privilege Read /Modify Notes Manage Domains Message Center Branding Application Management Traffic Limits Junk Email Virus Advanced Applications Attachment Manager Content Manager Industry Heuristics Message Archiving Inbound Mail Processing Mail Connection Management Auto Connection Management Delivery Management Spooling Inbound Transport Security Archive Security Administrator archive security/ compliance Archive Search archive security/ compliance Archive Discovery security
Positioning Monitor Authorization Records
In large accounts, an authorization record for monitor administrators is assigned to the account organization. In addition, large sub-organizations may need monitor administrators. In the following example, the administrator assigned to the Jumbo Inc Account Administrators monitors the status of the whole account hierarchy. The division-level administrators monitor their specific suborganizations.
Monitor Administrator Privilege Read /Modify Notes User Settings Traffic Limits Change Address Add Users Delete Users Application Management Junk Email Settings Sender Lists Spam Filters Sexually Explicit Virus Settings Show Delivered-As-Is Pending Quarantine Wireless Settings Account Settings Password Email Aliases Regional Settings Personal Archive Archive Search Archive Recover Junk Email Analysis View Images, Attachments, and Links Organization Management Assign Authority Assign Peer Authority Chang
Monitor Administrator Privilege Read /Modify Notes Outbound Applications Management Edit Organizations Notification Messages Manage Domains Message Center Branding Application Management Traffic Limits Junk Email Virus Wireless Email Advanced Applications Attachment Manager Content Manager Industry Heuristics Message Archiving Inbound Mail Processing if email config org Mail Connection Management if email config org Auto Connection Management if email config org Delivery Management if email c
Compliance Officers and Security Administrators
A compliance officer manages the operations and procedures of a company’s compliance program, which prevent illegal and unethical conduct. A security administrator manages the protection and security of the company’s assets from illegal and improper activities. Compliance officers, security administrators, and archive search administrators are the only administrators who can search and audit an account’s archive.
Recommended Compliance Officer and Security Administrator Privilege Settings
For detailed information for each privilege, see The Message Security Authorization Reference.
Compliance Officer and Security Administrator Privilege Read/Modify Notes View Images, Attachments, and Links Organization Management Assign Authority Assign Peer Authority Change Admin Passwords Create Organizations Delete Organizations View Reports Outbound Mail Processing Outbound Applications Management Edit Organizations Notification Messages Manage Domains Message Center Branding Application Management Traffic Limits Junk Email Virus Wireless Email Advanced Applications Attachment Manager Content M
Compliance Officer and Security Administrator Privilege Read/Modify Notes Archive Security Administrator Archive Search Archive Discovery Archive Audit Archive Retention Archive Investigator Security Archive Reports security/archive
Archive Administrators
An archive security administrator manages the important but very focused areas of responsibility in Message Archiving (available optionally for an additional fee):
• Security Administration
• Search
• Discovery
• Audit
• Retention
• Investi
Archive Security Administrator
Archive Security Administrators have full access to the corporate archive and full access to Message Archiving features:
• Requires the Archiving Security Administration privilege, which in turn grants all other archiving privileges.
• The Message Archiving privilege is optional -- If the Message Archiving privilege is enabled (for customers who purchase archiving), the administrator can turn on archiving and set archiving options for the org.
Archive Audit Administrator
An archive audit administrator manages the account-level audit reports. This administrator has one required privilege and some optional privileges:
• Requires the Archive Audit privilege. If this is the only granted privilege, this administrator has access to the audit reports on the Message Archiving Reports tab. The Message Archiving link replaces the System Administration link on the login screen.
Archive Investigator Administrator
An archive investigator administrator manages which investigators can search which users’ messages. This administrator has two required privileges and some optional privileges.
• If Archive Investigator Security and Archive Search are the only granted privileges, this administrator has access to the Message Archiving Search and Admin tabs. The Message Archiving link replaces the System Administration link on the login screen.
Recommended Archive Administrator Privilege Settings
For detailed information for each privilege, see The Message Security Authorization Reference.
Archive Privileges Read/Modify Notes View Images, Attachments, and Links Organization Management Assign Authority Optional Assign Peer Authority Change Admin Passwords Create Organizations Delete Organizations View Reports Outbound Mail Processing Outbound Applications Management Edit Organizations Notification Messages Manage Domains Message Center Branding Application Management Traffic Limits Junk Email Virus Wireless Email Advanced Applications Attachment Manager Content Manager Industry Heuristics
Archive Privileges Notes
Archive Security Administrator -- Alone: Message Archiving login and, with archive settings, other archiving pages
Archive Search -- Alone: Message Archiving login and Search pages
Archive Discovery -- Requires Archive Search
Archive Audit -- Alone: Message Archiving login and Audit Reports
Archive Retention -- Alone: Message Archiving login and Retention pages
Archive Investigator Security -- Alone: Message Archiving login and, with Search, Audit, Retention, sees Admin tab
Archive Repo
Organization Policy Administrators
An organization policy administrator manages the common settings, services, and administrative controls across the organization hierarchy. This administrator also controls the Default User, common User Access options each user has in the Message Center, and Early Detection Quarantine. An organization policy administrator can create new sub-administrators. This administrator does not manage inbound mail processing tasks.
In an additional example of large, complex hierarchies, an organization policy administrator can have sub-administrators managing different parts of the hierarchy tree. In the following example, the Operations organization’s administrator manages all of the sub-organizations. And the administrator assigned to the Big User Org shares administrative access.
Organization Policy Administrator Privilege Read/Modify Notes Delete Users Application Management Junk Email Settings Sender Lists Spam Filters Sexually Explicit Virus Settings Show Delivered-As-Is Pending Quarantine Wireless Settings Account Settings Password Email Aliases Regional Settings Personal Archive Archive Search Archive Recover Junk Email Analysis View Images, Attachments, and Links Organization Management Assign Authority Create admins Assign Peer Authority Change Admin Passwords Create Or
Organization Policy Administrator Privilege Read/Modify Notes Manage Domains Message Center Branding Application Management Traffic Limits Junk Email Virus Wireless Email Advanced Applications Attachment Manager Content Manager Industry Heuristics Message Archiving Inbound Mail Processing Mail Connection Management Auto Connection Management Delivery Management Spooling Inbound Transport Security Archive Security Administrator archive security/ compliance Archive Search archive security/ complia
User Administrators
A user administrator manages the general user administration tasks such as moving and suspending users.
Note: This administrator does not manage the Default User or the Message Center’s user-access settings. These are managed by the organization policy administrator.
Positioning User Administrator Authority Records
User administrators are generally assigned to strategic organizations that contain users.
In large, complex hierarchies, a user administrator can also be assigned at a strategic managing-organization level in order to manage across several user organizations. In the following example, the user administrator assigned to the Operations organization can manage all users in the sub-organizations.
Recommended User Administrator Privilege Settings
For detailed information for each privilege, see The Message Security Authorization Reference.
User Administrator Privilege Read/Modify Notes Application Management Junk Email Settings Sender Lists Spam Filters Sexually Explicit Virus Settings Show Delivered-As-Is Pending Quarantine Wireless Settings Account Settings Password Email Aliases Regional Settings Personal Archive Archive Search Archive Recover Junk Email Analysis View Images, Attachments, and Links Organization Management Assign Authority Assign Peer Authority Change Admin Passwords Create Organizations Delete Organizations View Report
User Administrator Privilege Read/Modify Notes Message Center Branding Application Management Traffic Limits Junk Email Virus Wireless Email Advanced Applications Attachment Manager Content Manager Industry Heuristics Message Archiving Inbound Mail Processing Mail Connection Management Auto Connection Management Delivery Management Spooling Inbound Transport Security Archive Security Administrator archive security/ compliance Archive Search archive security/ compliance Archive Discovery security/arc
You may also be able to choose between “Read” and “Modify” since you might want to provide visibility into an organization (“User Settings”) but you may not want that administrator to modify those settings.
All Standard Privileges: Choosing this option provides visibility or modification privileges for all data at an organization and below. This is the most appropriate role for assigning a new “super” administrator at a newly created sub-organization.
Delete Users: If your product has this configuration, you can delete users from an organization.
Application Management: Turn on/off a user's applications and settings, if the services are available to an organization's users. In turn, an administrator can enable these settings to be viewable and editable by the end user.
Junk Email Settings: Enables the administrator’s viewing and modification of the Spam filters in the Message Center.
Archive Recover: Enables an administrator to let a user export messages from the user’s Personal Archive by forwarding them to the user’s email address.
Junk Email Analysis: Enables administrators to let users see the “Why this email was quarantined” link in the Message Center.
View Images, Attachments, and Links: Enables administrators to allow user access to view images, attached files and hyperlinks within quarantined messages in the user’s Message Center.
View Reports: Enables the viewing of inbound reports.
Outbound Mail Processing: Configure and modify outbound servers and services.
Outbound Applications Management: Enables managing the outbound services consisting of virus blocking, attachment manager, content manager, and the compliance footer.
Edit Organizations: Modify organization settings.
Notification Messages: Enables Message Center notification messages.
Inbound Mail Processing
For detailed information for each Inbound Mail Processing privilege, see the “Inbound Mail Processing” chapter.
Inbound Mail Processing: If your product has this configuration, you can assign read and modification privileges for inbound mail applications managed under the Inbound Servers tab.
Archive Investigator Security: Restricts an archive search investigation to the messages for 50 or fewer users.
Archive Reports: Enables the Message Archiving Reports tab. Access to specific reports is based on having additional archive settings.
Chapter 6: Domains
About Domains
Every Internet email address includes a domain, which specifies where mail should be sent. For instance, the address ted@jumboinc.com directs a message to the user ted in the domain jumboinc.com. In order to receive filtering from the Postini for Google Apps service, one domain was added to the service during your activation process. Domain aliases were also added if your Google Apps for Business account included domain aliases during activation.
Date Last Changed: Full timestamp when the domain settings were last modified after creation.
Searching for Domains
If you manage a large number of domains, you can find domains using the Search form on the Start page or using the search form in Orgs and Users > Domains. Search results also include special commands for handling domains.
1. Select the organization that contains the domain, or any organization whose sub-org contains the domain.
2.
Click the Move Domain link to move a domain from one organization to another.
Add a Domain Alias
During activation, your service is initially set up for users in one primary domain and any associated domain aliases. If you have additional domain aliases that you want to filter, you can add these domain aliases in your Google Apps dashboard. These aliases are then automatically added to the Postini Services console.
To add a domain alias:
1. Go to your Google Apps control panel.
2.
Delete a Domain Alias
You can delete a domain alias by logging in to your Google Apps for Business account. This alias is then automatically deleted from the Postini Services console.
To delete a domain alias:
1. Go to your Google Apps control panel.
2. From the top menu bar, click Domain settings.
3. Click the Domain names link.
4. Click the Remove alias link for the alias that you want to delete.
5. Click Yes, remove alias.
Chapter 7: The Message Center
About the Message Center
You can allow users to manage their own spam, viruses, and other quarantined messages by enabling access to the Message Center. From the Message Center, users can see what messages are being filtered and why, look at quarantined messages, and forward any legitimate messages to their own Inbox. In addition, users can be given permissions to view and modify certain aspects of their own service at the Message Center.
Message Center: Features Overview
When their Message Center is enabled, users can log in using any standard Web browser, and see their own personal, quarantined messages. These can include messages that triggered a spam filter or virus blocking, depending on the disposition set for the filter. They also include messages from blocked senders, on either the org level or the user’s own list.
By default, your service automatically deletes virus-infected messages, so users won't see any messages in the Virus quarantine. You can change this setting, but we recommend that you leave it as is. The Virus quarantine can also let users safely review the content of messages, without risking harm to their computers. However, if message archiving is turned on (it's On by default), users can't view message content, to prevent virus-infected messages from being stored in your archive.
Most User Access changes should be made for organizations. It is possible to configure User Access by individual users, but this makes administration more difficult. Except when disabling Message Center access for a specific user, use the org level User Access page, not the user level page. You can also enable and disable the Message Center for several existing users at once using a Batch file command.
Enable Access for an Org
To enable Message Center access for an org, make sure access is enabled at the user level, then turn on the appropriate permissions for the org:
1. Go to the org’s User Access page (from the org’s Management page, click User Access).
2. Check boxes as desired to allow users to view and modify certain aspects of their service at the Message Center (see “Control What Users Can View and Modify” on page 138).
3.
For existing users, you must disable access for each account. You can use a Batch command to disable access for multiple accounts at once. For new accounts you have not yet added, make sure that access for the Default User template is disabled and the Welcome notification for the org is also disabled.
Temporarily Disable Message Center Access for a User
If the Message Center is enabled for an organization, but you want to temporarily disable it for one user, do so at the user-level.
1.
Set Permissions for an Organization
User Access permissions should almost always be controlled from the org-level, and rarely changed for an individual user.
To set permissions for an org:
1. Go to the org’s Management page, and click User Access.
Setting User Access permissions for an org
2. On the org’s User Access page, click check boxes to assign or remove permissions for users in this org, as described in the chart below.
• For each feature, assigning Read privileges lets users see the current setting, and Modify lets them also change it.
• Modify permissions for a feature also require Read permissions, so clicking one setting might change another one accordingly.
• Changes take effect immediately when you check or uncheck a permission.
User Access Permissions
Sender Lists, Read only: Users can see any Approved and Blocked Senders, and Approved Mailing Lists, defined for them via their user-level settings in the Administration Console, but they can’t add to these lists. (Users don’t see any org-level senders at the Message Center.) Use this setting if you want individual users to have their own approved/blocked senders and mailing lists, but you don’t want them to manage the lists themselves.
User Access Permissions
View Images, Attachments, and Links (Message Center only): This controls users’ access to images, attachments, and links in quarantined messages. It provides security from viewing offensive images, downloading suspicious attachments, and clicking links to malicious content (a common technique for virus infection).
Override Permissions for a Single User
You can override User Access for an individual user, by going to User Access on the user’s Overview page.
If your company follows SEC requirements to archive all messages viewed by employees, however, allowing users to open messages in the Message Center can significantly increase the number of messages you must archive. To prevent this from happening, disable the Subject links. Then, to open quarantined messages, users must first forward the messages to their Inboxes. Delivered messages can be tracked as usual by your own archiving methods.
For information on configuring notifications, see “About Notifications” on page 149. See below for recommended configurations for the Message Center:
Message Center Status / Recommended Notification Status
Enabled for the org: Enable Welcome New User
This notification is mailed automatically to new users whose Message Center Access is enabled (via the Default User’s User Access settings). It contains the URL and password for logging in to the Center.
Welcome notification: Enable this notification for an org if the Message Center is also enabled for the org, as it provides each new user with a URL and password for logging in to the Center.
Message Center Language Settings
The new Message Center interface and online help are available in English, French, German, Japanese, and Spanish. Please see “Quarantine Summary & Message Center Localization” on page 164 for information on configuring language settings.
Message Center Color Palette
Use the Message Center Color Palette to set Message Center colors for your users. This setting also acts as a default for all sub-orgs.
To set your Message Color Palette:
1. In the Administration Console, go to the Orgs & Users tab and select the organization which contains your users.
2. Click the Branding link.
3. Choose from the following options:
• Blue
• Red
• Green
• Gray
• Orange
4. Click Save to make your change.
These colors affect the shaded areas of your Message Center. Tabs and text remain in the same color for all configurations.
Upload Logo
You can add your own company logo to your user’s Message Center. This affects all users, and acts as a default for sub-organizations as well.
To change your logo:
1.
6. Click Save to upload the logo and add your file. You will be redirected to the Organization Management page.
7. Click Branding again to confirm your image.
Additional Branding
Other branding changes, including changes to your message center layout and template, may be available. Contact Support for more information on available branding changes.
Troubleshoot the Message Center
The Message Center seems slow or is unavailable for short periods of time.
Chapter 8: Quarantine Summary & Notifications
About Notifications
User notifications are messages sent by the message security service to notify users of important account activity, such as a welcome message when their Message Center account is created, or a note when a virus-infected message is quarantined.
To set up notifications for an organization:
1. Go to Orgs and Users > Orgs.
2. Choose the organization from the Choose Org pull-down list, or click the name of an organization in the organization list. We recommend that you set notifications for organizations that contain your users. (Although they can be set at the account and email config orgs, those settings do not apply to any users.)
3. In the Organization Management page, scroll to the Organization Settings section and click the Notifications icon.
5. Click the Edit link in the gray menu bar of the User Notifications page. 6. Following are descriptions of each notification. Make your changes to the notifications configuration and click Save.
Welcome New User Determines whether new activated users receive the New Service Welcome email. When a Message Center account is created for a user, the user automatically receives an email within 24 hours that includes the login URL, and temporary password details. A user must change the temporary password within 30 days, or an administrator has to reset the password for that user. The default setting is On.
The default setting is Immediately. Early Detection Determines whether a user receives a notification when a message is sent to the Pending Quarantine due to Early Detection Filtering. When this notification is turned On, users will receive an immediate message every time a potential threat or high-risk message is sent to the Pending tab in Message Center. My First Spam Determines whether a new user receives notification of the first spam message quarantined for that account in the Message Center.
Quarantine Summary The Quarantine Summary is an HTML-formatted email that lists the messages that have been quarantined. This is a convenient option that allows users to scan their quarantine without logging in to the Message Center.
The default setting is Off for both Inbound and Outbound. Note: The timestamps for Attachment Manager notifications do not necessarily correlate with the recipient’s organization time zone settings. Attachment Manager uses GMT, and organizations can be configured to any time zone.
Notification Address You can specify the address where the user’s notifications are sent. Normally the Notice Address field is left blank, and notices are delivered to the user’s primary address. However, if an administrator is managing the user’s message security service, you can add the administrator’s address here. First Login to Message Center (Yes/No) Displays whether the user has ever logged in to the Message Center.
Turning off Notifications Use the instructions in the section “Configuring Notifications for an Organization” on page 149 to turn off the Welcome New User, My First Spam, and New Spam notifications, as well as to set the Virus notification frequency to Disable notifications. Enabling Quarantine Redirect Enable quarantine redirect for an organization containing users so that all quarantined traffic is routed to the configured quarantine.
2. Enter the user address in the Find User field, then click Search. 3. On the User Overview page, under Settings, click Notifications. 4. In the Notification Address field, enter the address to which you want to send notifications. 5. Click Save. To configure the Notification Address for all users: See the Notification Examples in the Batch Reference Guide for sample batch commands to modify the notice_address field to point to the mailbox where you wish to have the notifications delivered.
The Quarantine Summary is sent to the user’s primary email address, or notice address. If there are no spam or virus messages quarantined, no Quarantine Summary is sent. The default message looks something like this: Accessing Messages from the Quarantine Summary The Quarantine Summary links to the Message Center and each individual message. Users can access the Message Center by clicking the Message Center link in their Quarantine Summary messages. Or, they can go to the following URL: login.postini.
Configuring the Quarantine Summary You must configure these options for the Quarantine Summary for an organization. • Turn Quarantine Summary on or off. By default, the quarantine summary is turned off for an organization. The enabling/disabling of the quarantine summary is not propagated down the organization hierarchy. • Set the frequency of delivery, and optionally customize the Quarantine Summary message for an organization. By default, Quarantine Summary notification is scheduled for daily delivery.
4. Turn on or off the quarantine summary, set the frequency and time of delivery, and turn on or off the message links and inbox delivery.
Frequency The default is every seven days. The frequency range is one to ten days. Subject Links By default, the message links in the Quarantine Summary and Message Center are active. However, the SEC requires most financial institutions to archive all messages that have been viewed by their employees. To meet this requirement, you can disable the message subject links that go directly to the full message in the Message Center quarantine and Quarantine Summary.
We recommend that you set notifications for user organizations (though they can be set at the account and email config levels). 2. On the Organization Management page, under Organization Settings, click Notifications. 3. Click the Spam link. 4. Enter a URL for the logo image you want to use, and enter text for the message body. • Logo: Add a URL where the logo can be found on a public web site. The recommended logo size is 120w x 34h pixels.
Quarantine Summary & Message Center Localization When you enable language localization, static text in the Quarantine Summary, along with the default top text, is displayed in the chosen language. You can change the language and encoding of the quarantine summary, and control the character set and date format with this setting. This setting is configured for organizations that contain users. 1. In the Administration Console, go to Orgs and Users > Orgs, and select a user organization from the list. 2.
Language              Date Format
English (UK)          14/09/2006 16:00
German                14.09.2006 16:00
Spanish               14/09/2006 16:00
Japanese              2006/9/14 16:00
Dutch                 14-9-2006 16:00
All other languages   2006-9-14 16:00

Setting Languages Using Batch commands

You can change the language of the Quarantine Summary with the following batch command:

modifyorg < org name >, lang_locale=< code >

For information on using batch commands, see the lang_locale field in the “Batch Organization Fields” chapter of the Batch Reference Guide.
Language     Code                 Encoding
Japanese     ja_jp.utf8           Japanese UTF-8
             ja_jp.euc-jp         Japanese EUC-JP
             ja_jp.shift-jis      Japanese SHIFT-JIS
             ja_jp.iso-2022-jp    Japanese ISO-2022-JP
             ko_kr.utf8           Korean UTF-8
             ko_kr.euc-kr         Korean EUC-KR
             nl.utf8              Dutch UTF-8
             nl.iso-8859-1        Dutch ISO 8859-1
Polish       pl.utf8              Polish UTF-8
Portuguese   pt.utf8              Portuguese UTF-8
             pt.iso-8859-1        Portuguese ISO 8859-1
Russian      ru.utf8              Russian UTF-8
Chinese      zh_cn.utf8           Chinese (Simplified) UTF-8
             zh_cn.
See “Default Notifications with Tokens” on page 388 for information on customizing notifications and a list of all tokens. In a custom notification, why are header fields such as Date, To, From, & Subject put into the body of a mail message? The field that contains the custom notification has an extra line break between two fields or above the first field in the text input field, which contains notification text. According to the SMTP RFC 2821, section 2.
Chapter 9: Spam Filters

About Spam Filters

Your message security service detects spam by applying hundreds of rules to each message that passes through the data center. It can block obvious spam immediately, then divert more borderline spam to a Quarantine for later evaluation. From there, you or your users can review the Quarantine for any legitimate messages that were falsely quarantined and need to be forwarded to the user’s Inbox. Otherwise, spam is deleted automatically.
Where Spam Filtering Is Managed You manage spam filtering at the following locations: • Organization level Enable Blatant Spam Blocking for users in the org, and choose a spam disposition—the method of disposing of filtered spam, for example, by changing how it’s quarantined, or by not quarantining it at all. Configure Null Sender Disposition to dispose of messages that do not contain an SMTP-envelope sender address.
Types of Spam Filters When spam filtering is enabled for a user, the user’s messages are processed through the following filters: • If Blatant Spam Blocking is enabled for the user’s organization, the user’s most obvious spam is bounced or blackholed (deleted), before it reaches your email servers. This eliminates more than half of users’ spam, so neither you nor they ever have to deal with it.
This means: • If the message security service detects spam, the message goes to the Message Center quarantine, not the Gmail Spam folder. • If the message security service does not detect spam, the message is passed to Google Apps spam filtering. The message may still be quarantined in the Gmail spam folder. Note: When using Message Security for Google Apps, spam filters apply to all mail you send, including internal mail to the same domain.
You can see a message’s spam score, whether or not it’s tagged as spam, by looking at the message header. For details, see “Interpreting Header Fields” on page 401. Why Catch Rates Might Vary Developing an effective technology for filtering spam is an ongoing effort since spammers are always evolving tactics to avoid detection.
Configure Blatant Spam Blocking Blatant Spam Blocking (BSB) is an org-level setting on the Spam Filters page that detects and deletes the most obvious spam before it reaches your email server. This feature identifies more than half of all spam. Messages are either bounced or blackholed (deleted) without reaching the intended recipient or any Quarantine. Specifically, BSB calculates the message’s spam score. If the score is below 0.
3. For the org’s Default User (and any existing users), make sure the Filter Status is On (go to Spam Filters on the user’s Overview page). All obvious spam will be eliminated without reaching the data center or your server. Any remaining spam detected by the filters is tagged with a spam score written in the Header, and then delivered to users.
Whether or not you have configured Outbound Services for your mail server, we recommend that you turn this filter on. When the filter is on and it catches a message, the system looks ahead to Content Manager to see whether it is configured to let messages bypass the junk filters and allow valid email that does not have an SMTP-envelope sender address. Under these circumstances, you can let valid messages pass through to their recipients’ inboxes.
If Quarantine Summary is also enabled for the org (under Notifications), each user receives a periodic summary of recently quarantined messages. If User Access is enabled for the org, as well, users can manage their own quarantined messages in the Message Center. See “Manage Quarantined Messages” on page 74 and “Enable / Disable Message Center Access” on page 135.
You enable spam filtering and adjust how aggressively you want to filter under Spam Filtering on a user’s Overview page. Doing this for a Default User applies these settings to all new users in any org the Default User is assigned to. Doing this for any other user applies the settings only to that user. You can set an overall level of aggressiveness for filtering all types of spam (Bulk Email), then adjust separate filters for more aggressive filtering of specific spam categories.
How spam is handled when it is identified by these filters depends on the spam disposition defined for the user’s organization. For more information, see “Configure Spam Disposition for an Organization” on page 176. Fine-Tune Spam Filters Adjusting spam filters requires striking a good balance between catching the most spam possible while not falsely identifying legitimate messages as spam.
Phishing Attacks Spam Filtering also provides protection against phishing attacks. A phishing attack is a type of spam disguised as valid email that is designed to trick recipients into providing information or visiting a hostile web site. For instance, a common type of phishing attack is a message, supposedly from a bank, claiming that a credit card and password are needed. A URL is provided to a site at which users can enter credit card information. That information is then used illegally.
Messages are held in the Early-Detection Quarantine for 8 hours to allow time for virus-definition files to be updated, and then those messages are scanned again for viruses based on the updated definitions. Those messages are then disposed of according to your Virus Blocking settings. Administrators and users who have access to the Pending tab in Message Center can see messages in the Early-Detection Quarantine.
Troubleshoot False Positives On rare occasions, legitimate messages can be falsely filtered as spam (often called false positives). Or conversely, messages might get past the filters and reach users’ inboxes. Some common reasons for false positives include: • Filter levels are too aggressive. The message might have characteristics that make it look like spam, such as disclaimers, URLs, dollar signs, multiple exclamation points, and little or no body content apart from a link, image, or file attachment.
Go to Spam Filtering on the user’s Overview page and verify that the Bulk Email and other category filters are set high enough (see “Fine-Tune Spam Filters” on page 179). If they aren’t, adjust them accordingly. If they look OK, go to the next step. 2. Was the message sent directly to and accepted by your mail server, bypassing the protection service? a. Sometimes users’ email is delivered to them from more than one email server.
If so, all spam addressed to the user, regardless of any spam settings, is delivered to that user’s inbox. Log in to the Message Center and remove that user’s address or domain from this list. Then let the user know why adding your own address or domain here is not a good idea. 6. Does the email content have enough spam characteristics to trigger filtering? In general, if all prior steps have turned out to be false, the spam did not have sufficient spam characteristics to be filtered.
Chapter 10: Virus Blocking

Levels of Protection

Your message security service offers multiple levels of protection against viruses, including the use of virus-detection engines, early-detection filtering, protection against zero-hour threats, and antivirus heuristics. This section describes each level of protection.
Messages are held in the Early-Detection Quarantine for 8 hours to allow time for virus-definition files to be updated, and then those messages are scanned again for viruses based on the updated definitions. Those messages are then disposed of according to your Virus Blocking settings. Administrators and users who have access to the Pending tab in Message Center can see messages in the Early-Detection Quarantine.
Additional Zero-Hour Threat Protection The following additional zero-hour threat protection is available to you: Attachment Manager (optional feature) “System Threats” filter catches potentially harmful files. Virus Blocking The message security service uses heuristics to detect malformed MIME attachments and messages to augment McAfee and Authentium virus scanning. McAfee Antivirus McAfee’s virus heuristics engine catches some viruses before patterns can be isolated.
Attachment Scanning Virus Blocking scans messages for both complete and incomplete MIME headers (MIME headers as separate attachments from the rest of the content of an email message). Next, Virus Blocking opens and scans uncompressed and unencrypted files. Compressed file attachments are opened and recursively scanned.
The Virus Blocking disposition has precedence over other filter dispositions. When Virus Blocking is enabled: • All messages that are either quarantined by a filter or pass through all the filters are scanned for viruses. If a message contains a virus, it is processed according to the virus disposition. For example, if a message has been quarantined by the Junk Filter because of spam content, but the message also contains a virus, then the message is processed according to your Virus Blocking settings (e.
McAfee Virus Definition Files Virus Blocking uses DAT files provided by McAfee that contain virus patterns for all known viruses. McAfee provides Hourly DAT files that are updated at least every hour. Most McAfee customers have access to only the Weekly DAT files, which are the numbered files listed on the McAfee Virus Information Library web site (http://vil.nai.com).
Configure Virus Settings for Users You turn virus blocking on/off and set the notification interval for users by editing the default user’s virus settings. If the user isn’t registered in the message security service, the user does not receive virus-blocking protection unless you turn on Non-Account Virus Blocking for the organization to which the user belongs. If you want to change these settings for all users, you can change the default user and all existing users by batch file.
4. Click Save. Configure Virus Settings for an Organization The virus settings for a user organization allow you to configure the disposition of virus-infected messages and other processing options. For details on configuration of virus notification settings see “Configuring Notifications for an Organization” on page 149. To configure virus blocking for an organization: 1.
Early Detection Filtering Quarantines messages that may contain viruses. You need to configure Spam Filtering in order to implement Early Detection Filtering. Values: On or Off. The default is Off. • On: Your message security service quarantines messages that may be zero-hour threats.
Message Fragment Bouncing Bounces fragmented messages. Values: On or Off. The default is On. • On: Messages containing fragments are bounced, returning “Error 571 - Domain Does Not Accept Fragment Messages”. • Off: Messages containing fragments are quarantined. RFC2046, section 5.2.2.1 provides a facility for fragmenting email messages. Since this would bypass all known virus scanning technologies, all fragmented messages are either quarantined or bounced for your users’ protection.
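The check behind this setting can be sketched as follows. This is an added example, not code from the message security service: it flags RFC 2046 message/partial fragments and applies the On/Off behaviour described above. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_string

# Bounce text as quoted in the guide for the "On" setting.
BOUNCE_TEXT = "571 - Domain Does Not Accept Fragment Messages"

# Constructed samples: one message split into two message/partial fragments,
# plus an ordinary unfragmented message.
FRAGMENT_1 = (
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: message/partial; id="abc123@example.com"; number=1; total=2\n'
    "\n"
    "Subject: report\n"
    "Content-Type: text/plain\n"
    "\n"
    "first half ends with EXAMPLE-MAR"
)
FRAGMENT_2 = (
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: message/partial; id="abc123@example.com"; number=2; total=2\n'
    "\n"
    "KER and the rest of the body\n"
)
WHOLE = (
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: hello\n"
    "Content-Type: text/plain\n"
    "\n"
    "an ordinary message\n"
)


def _as_int(value):
    """Convert a numeric MIME parameter to int; None when absent or malformed."""
    return int(value) if value and value.isdigit() else None


def fragment_info(raw):
    """Return id/number/total of the first message/partial part, or None."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "message/partial":
            return {
                "id": part.get_param("id"),
                "number": _as_int(part.get_param("number")),
                # RFC 2046 requires "total" only on the last fragment.
                "total": _as_int(part.get_param("total")),
            }
    return None


def fragment_disposition(raw, bounce=True):
    """Mirror the documented setting: On bounces fragments, Off quarantines them."""
    if fragment_info(raw) is None:
        return ("continue", None)          # not a fragment: normal filtering applies
    if bounce:
        return ("bounce", BOUNCE_TEXT)
    return ("quarantine", None)


def body_of(raw):
    """Everything after the first blank line of a raw message."""
    return raw.split("\n\n", 1)[1]


if __name__ == "__main__":
    marker = "EXAMPLE-MARKER"              # harmless stand-in for a scanned pattern
    for name, raw in (("fragment 1", FRAGMENT_1), ("fragment 2", FRAGMENT_2),
                      ("whole", WHOLE)):
        print(name, fragment_disposition(raw), "marker seen:", marker in raw)
    print("marker after joining bodies:",
          marker in body_of(FRAGMENT_1) + body_of(FRAGMENT_2))
```

Neither fragment contains the marker on its own, which is why the fragments are refused or held instead of being scanned one at a time.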
Configuring User Access to Virus Settings If you allow user access to the Message Center, we highly recommend turning off permissions to change virus settings. Otherwise, users may be able to turn off virus scanning. 1. In the Administration Console, go to Orgs and Users > Orgs, and select an organization from the list. 2. Under Organization Settings, click User Access. 3. On the User Access page, set Virus Settings to Read, or clear all the check boxes to turn them off.
Troubleshooting Virus Blocking Why was this virus delivered despite virus blocking? In most cases, the user receiving the message was not registered in the message security service. Following is the process for troubleshooting and determining what happened: 1. Check the headers of the virus-infected email to determine the recipient, and see whether the message was sent directly to and was accepted by your mail server, bypassing the message security service: a.
Resolution: As necessary, configure a different disposition, or configure your mail server to dispose of all messages that contain the custom header Xpstn-virus. 3. If the Virus Disposition is set to User Quarantine or Quarantine Redirect, check whether the recipient of the message has a user account. a. Click the Users tab and enter the address in the Find User field. b. Click Search to determine if the user exists. c.
If the virus was delivered after the protection date and time determined above, then compare the file size of the virus attachment with the documented size of the virus listed on the web site of McAfee or Authentium. If the size of your virus is significantly smaller, then follow the resolution below. Otherwise, proceed to the next step. Resolution: The virus payload was truncated, making the virus inert and preventing detection. Viruses like this can be deleted since they pose no threat. 3.
Chapter 11: Content Manager

About Content Manager

Content Manager scans email messages for specific content—words, phrases, or text patterns—and then takes an action on any messages that contain that content. For example, you can set up Content Manager to quarantine any inbound message that contains specific text in its subject line. Use Content Manager to help secure your network, enforce email content policies, prevent leakage of proprietary information, and protect private information.
Content Manager Features You can use Content Manager to filter both inbound and outbound email messages. To filter messages, you can create custom content filters and set up content compliance policies. Custom Content Filters A custom content filter comprises up to three content rules and a message disposition. Each rule contains a word or phrase that you specify. Or, a rule can contain a text pattern, called a regular expression, rather than specific text.
File Attachment Scanning You can create content filters that scan all parts of an email message, including any text-based file attachments. If you set up a compliance policy, file attachments are scanned automatically. For details, see “Attachments That Content Manager Scans” on page 204. Outbound Message Scanning Outbound Content Manager filters messages that your users send to addresses outside your network. Outbound Content Manager is an optional feature.
Protect proprietary information You can use Content Manager to help prevent recipients outside your company from receiving messages with proprietary information. For example, you could create a content filter that scans outbound messages for references to proprietary information, such as the code name for a new product your company is developing.
When Content Filters Apply The message security service applies Inbound Content Manager filters after Connection Manager (attack blocking), but before Sender Lists, Junk Filters, Virus Blocking, and Attachment Manager. As a result: • Messages with approved content are not filtered as spam. If a message is captured by a content filter or compliance policy with a disposition of Approve, it bypasses the Junk Filters, even if it contains spamlike content.
Types of Content Scanned In any part of an email message, Content Manager scans the text-based or HTML content, as well as any MIME (base-64) sections for binary attachments (the sections that usually appear as “gibberish” in the message source). If you choose the option to scan the entire message, Content Manager also decodes and then scans sections in MIME and quoted-printable encoding (for non-ASCII text). In this case, Content Manager also scans the actual text content of binary attachments.
Content Manager does not scan attachments that are: • ZIP or other types of compressed files • Microsoft 2007 Office documents • Over 100 MB • PDF files How Outbound Content Manager Works Outbound Content Manager filters the messages that your users send to recipients outside your network. You create outbound content filters in the same way you create inbound content filters, except that the User Quarantine and Blackhole dispositions are not available.
Order of Precedence of Filters and Policies The least severe disposition takes precedence over more severe dispositions. If two or more custom content filters or compliance policies contain a match for a message, the filter or policy with the least severe disposition takes precedence. The following is the order, from least severe to most severe: 1. Deliver • Bypass junk filters (Inbound only) • Encrypt (optional feature; Outbound only) 2. Copy to Quarantine 3. Bounce 4.
2. Under Inbound Services or Outbound Services, click the Content Manager icon. The Content Manager filter list appears, showing the current filters and settings. If this is the first time you’ve accessed this page, none of the policies are on, nor are there any filters configured. See “Configure Content Manager” on page 207. Configure Content Manager You configure Content Manager at the organization level.
WARNING: Applying settings to suborgs also overwrites any existing content filters you’ve set up in those suborgs. To configure Content Manager: 1. Access Content Manager for the organization that contains the users whose messages you want to filter. For details, see “View Content Manager Filters and Policies” on page 206. 2. Click the Edit Settings link. 3. Specify settings to configure Content Manager. For details about the settings, see “Content Manager Configuration Settings” on page 241.
Create or Edit a Content Manager Filter A content filter can contain up to three content rules and a message disposition (what Content Manager does with the captured message). A rule specifies the following: • The content to scan for: The content, or rule value, can be an exact word, phrase, or string of characters. Or, it can be a text pattern in the form of a regular expression. For more information, see “About Using Regular Expressions” on page 218.
The Add Filter page appears (this example uses the Inbound page): 4. Under Filter Name, enter a descriptive name for the filter. 5. Under Filter Status, select ON. 6. Under Rules, in the Match drop-down list, choose whether Content Manager executes this filter’s disposition if an email message contains a match for any rule or all rules you specify. 7. Under Rules, specify up to three rules for this filter. For details about the options for creating rules, see “Filter Rules” on page 243. 8. Click Save.
3. Click the name of a filter you want to edit. For example: 4. Edit information about the filter. For details, see “Content Manager Filter Settings” on page 243. 5. Click Save. Set Up Common Content Filters The following table provides instructions for creating common types of content filters. For each filter, also select the Routing method you want to apply—that is, the action you want Content Manager to take if the filter captures a message.
To capture messages that contain this content: Specific word or phrase in the message body
Enter the following:
Match: Any Rule
Select Location: Body
Select Filter Type: matches regex
Value: Enter the word or phrase, in the following regex syntax:
• For a single word, enter: \Wword\W
• For a phrase, separate words with \s: \Wword\sword\W

To capture messages that contain this content: Specific word or phrase in any part of a message, including attachments
Enter the following:
Match: Any Rule
Select Location: Entire Message
Select Filter Type: matches regex
Value: Ent
To capture messages that contain this content: Attachment of any type
Enter the following:
Match: Any Rule
Select Location: Header
Select Filter Type: contains text
Value: Content-Disposition: attachment; filename=
Note: The header for attachments appears in messages only if the sender’s or recipient’s email client supports attachment headers.
To capture messages that contain this content: Specific word or phrase, but only if another word does not appear in the same message
Enter the following:
Match: All Rules
Rule 1:
Select Location: Body
Select Filter Type: matches regex
Value: Enter the word in the following regex syntax: \Wword\W
Rule 2:
Select Location: Body
Select Filter Type: matches regex
Value: Enter the word in regex syntax: \Wword\W

Set Up a Compliance Policy A compliance policy contains a lexicon (a predefined content filter) and
3. Click the link for the compliance policy you want to set up: • Social Security Numbers • Credit Card Numbers The policy setup page appears. For example: 4. Under Filter Status, select ON or OFF to activate or deactivate the policy. 5. Under Routing, select the routing option you want to apply. For more information about routing options, see “Message Dispositions” on page 248. 6. Under Copy to Quarantine, add the quarantines to which you want messages sent.
7. Click Save. Note: For information about how report data is interpreted based on your configuration of filters, see the notes for Domain/Account and Filter Name reports in “Content Manager Reports” on page 342. Reorder Content Filters and Policies Content Manager applies filters and policies in the order in which they are listed. To reorder the filter list: 1. Enter new order numbers for the filters and policies and click Update Priority List, or click the Up or Down arrow for a filter. 2.
Delete and Disable Content Filters If you want to stop using a content filter or compliance policy, you can do any of the following: • Delete a specific custom content filter that you created • Temporarily disable a specific compliance policy that you set up • Temporarily disable all custom content filters and compliance policies at once Tip: • If you disable filters and policies, their configurations are saved, so you can use them again at any time.
About Using Regular Expressions Content Manager includes a powerful string-matching tool called regular expressions, often abbreviated as regex. With regular expressions, you can create filters that can match patterns of text rather than only single words or phrases. Regular expressions are a standard tool in many systems and scripting languages. Regular expressions can be simple or highly complex.
Uses for Regular Expressions Using regular expressions, you can create content filters that can find: • Text patterns Use this option to scan messages for patterns of letters, numbers, or a combination of both. For example, you can create regular expressions that match phone numbers, addresses, employee numbers, and account numbers. Or, you can create one regular expression that can find many different variations of a word, such as viagra, vi@gra, v1agr@, and so on.
Character Description Anchors ^ (caret) Matches the start of the line or string of text that the regular expression is searching. For example, a content rule with a location Subject line and the following regular expression: ^abc captures any email message that has a subject line beginning with the letters abc. $ (dollar) Matches the end of the line or string of text that the regular expression is searching.
Character Description [^...] Matches any character not in the set of characters. For example: [^a-f] matches any character that’s not a letter from a to f Note: Regular expressions in Content Manager are not case sensitive. Therefore, using this formatting to specify a character set in lowercase letters also excludes the equivalent uppercase letters.
Character Description [:space:] Matches all whitespace characters, including spaces, tabs, and line breaks. Note: This character class must be surrounded with another set of square brackets when you use it in a regular expression, for example: [[:space:]]. [:word:] Matches any word character—that is, any letter, digit, or underscore: a-z, A-Z, 0-9, or _ Note: This character class must be surrounded with another set of square brackets when you use it in a regular expression, for example: [[:word:]].
Character Description Group (...) Groups parts of an expression. Use grouping to apply a quantifier to a group or to match a character class before or after a group. For example, in the following expression: \W(dog|cat|mouse)\W the \W character class applies before and after each word in the group. The expression would match things like dog+cat or *dog*. Quantifiers {n} Match the preceding expression exactly n times.
Content Manager Support for Regular Expressions Content Manager provides robust support for regular expressions. However, because Content Manager filters large volumes of email messages, it does not support all regular-expressions syntax standards or features. Regex Syntax Support There are many variations of regular-expressions syntax and features. Content Manager supports only the POSIX Extended Regular Expressions (ERE) standard and shorthand notation for some character classes.
Range Limitations: Content Manager does not support the following types of ranges, because they could cause delays in processing your email:
• Ranges more than {0,25}
  • A valid range: (a|b|c){0,10}
  • An invalid range: (a|b|c){0,26}
  • An invalid range (equivalent to a *): (a|b|c){1,}
• Nested ranges
  • A valid range: (a|b|c){5,10}
  • An invalid range: ((a|b|c){0,5}){5,20}
  • An invalid range: ((a|b|c){0,5})?

Examples of Regular Expressions
The following examples illustrate the use and construction
Match Whole Word Only Usage example Match the word hell. Don’t match the word hello, shell, shellac, and so on. Regex example (\W|^)hell(\W|$) Note • \W matches any character that’s not a letter, digit, or underscore. It prevents the regex from matching letters before or after the word. Important: When creating a regex to match whole words, ensure that you include the \W character class, to help to avoid capturing legitimate messages. • ^ matches the start of a new line.
Notes • \W matches any character that’s not a letter, digit, or underscore. It prevents the regex from matching characters before or after the phrase. • In example 2, \s matches a space character, and {0,3} indicates that from 0 to 3 spaces can occur between the words stock and tip. • ^ matches the start of a new line. Allows the regex to match the phrase if it appears at the beginning of a line, with no characters before it. • $ matches the end of a line.
Match Word or Phrase in a List Usage example Match any word or phrase in the following list: • baloney • darn • drat • fooey • gosh darnit • heck Regex example (\W|^)(baloney|darn|drat|fooey|gosh\sdarnit|heck)(\W|$) Notes • (...) groups all the words, such that the \W character class applies to all of the words within the parentheses. • \W matches any character that’s not a letter, digit, or underscore.
Match Word with Different Spellings or Special Characters Usage example Match the word viagra and some of the obfuscations that spammers use, such as: • vi@gra • v1agra • v1@gra • v!@gr@ Regex example v[i!1][a@]gr[a@] Notes • \W is not included, so that other characters can appear before or after any of the variants of viagra.
Notes • [\w.+\-] matches any word character (a-z, A-Z, 0-9, or an underscore), a period, a plus sign, a percent sign, or a hyphen. These are the only valid characters in a URL. Note that the \- (which indicates a hyphen) must occur last in the list of characters within the square brackets. • {0,25} indicates that from 0 to 25 characters in the preceding character set can occur after the text badmail.
Notes • \W matches any character that’s not a letter, digit, or underscore. It prevents the regex from matching characters before or after the email address. • ^ matches the start of a new line. Allows the regex to match the address if it appears at the beginning of a line, with no characters before it. • $ matches the end of a line. Allows the regex to match the address if it appears at the end of a line, with no characters after it. • [\w.
Notes • The \ before each period “escapes” the period—that is, it indicates that the period is not a regex special character itself. • In example 1, no characters follow the last period, so the regex matches any IP address beginning with 192.168.1., regardless of the number that follows. • In example 2, \d matches any digit from 0 to 9 after the last period, and {1,3} indicates that from 1 to 3 digits can appear after that last period.
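The range limitations listed earlier in this chapter can be checked before an expression is entered as a rule value. The following Python code is an added example, not part of the original guide or of Content Manager; the function name and finding labels are hypothetical, and it assumes that any upper bound above 25, any open-ended range, and any quantifier applied to a group that already contains a range are rejected.

```python
import re

MAX_UPPER_BOUND = 25  # the guide gives {0,25} as the largest supported range
RANGE = re.compile(r"\{(\d+)(?:(,)(\d*))?\}")  # {n}, {n,} or {n,m}


def _skip_bracket(p, i):
    """Return the index just past the bracket expression that starts at p[i]."""
    j = i + 1
    if j < len(p) and p[j] == "^":
        j += 1
    if j < len(p) and p[j] == "]":  # a leading ] is a literal character
        j += 1
    while j < len(p) and p[j] != "]":
        if p[j] == "\\":            # escaped character such as \-
            j += 2
        elif p.startswith("[:", j):  # character class such as [:space:]
            end = p.find(":]", j + 2)
            j = end + 2 if end != -1 else j + 1
        else:
            j += 1
    return j + 1


def lint_ranges(pattern):
    """Return (offset, kind, text) for each range the guide lists as unsupported.

    kind is "too-large", "open-ended" or "nested" (assumed labels).
    """
    findings = []
    open_groups = []          # per open group: has a range been seen inside it?
    group_had_range = False   # True right after closing a group that holds a range
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        after_ranged_group, group_had_range = group_had_range, False
        if ch == "\\":
            i += 2
        elif ch == "[":
            i = _skip_bracket(pattern, i)
        elif ch == "(":
            open_groups.append(False)
            i += 1
        elif ch == ")":
            if open_groups:
                group_had_range = open_groups.pop()
                if group_had_range and open_groups:
                    open_groups[-1] = True   # propagate to the enclosing group
            i += 1
        elif ch in "*+?":
            if after_ranged_group:
                findings.append((i, "nested", ch))
            i += 1
        elif ch == "{" and RANGE.match(pattern, i):
            m = RANGE.match(pattern, i)
            lower, comma, upper = m.groups()
            if after_ranged_group:
                findings.append((i, "nested", m.group()))
            if comma and upper == "":
                findings.append((i, "open-ended", m.group()))
            elif int(upper if comma else lower) > MAX_UPPER_BOUND:
                findings.append((i, "too-large", m.group()))
            if open_groups:
                open_groups[-1] = True
            i = m.end()
        else:
            i += 1
    return findings


if __name__ == "__main__":
    # The valid and invalid ranges quoted in the guide.
    for regex in ["(a|b|c){0,10}", "(a|b|c){0,26}", "(a|b|c){1,}",
                  "(a|b|c){5,10}", "((a|b|c){0,5}){5,20}", "((a|b|c){0,5})?"]:
        print(regex, "->", lint_ranges(regex) or "ok")
```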
How to Use Content Manager in a Spam Outbreak On rare occasions, malicious senders create new junk messages that don’t have any text or patterns in common with previous junk messages. During a large-scale spam outbreak, a few of these messages may initially pass through the spam filters. During such outbreaks, your message security service immediately begins collecting data to update spam filters. Once updated, the filters begin blocking the spam messages.
Tip: Instead of looking for exact text, you can look for a unique text pattern in the junk messages. You can then use this pattern to create a regular expression. See “About Using Regular Expressions” on page 218. 2. Create a filter: a. Specify a name that identifies the spam. b. Set the rule location to Body and the filter type to contains. c. Set the rule value to the unique text of the email. Or create a regular expression to scan messages for a unique pattern of characters. 3.
Use Multiple Regular Expressions for a Filter You can enter up to three regular expressions for a filter—one expression per filter rule. You might want to enter multiple regular expressions for the following reasons: • To avoid the regex complexity or word list limitation: If your regular expression exceeds the component (complexity) limitation for a rule, you can enter two or three shorter expressions.
Note: Alternatively, you can often create a single, more complex expression that matches many word obfuscations. But creating multiple, simpler expressions is usually easier, and helps you to avoid the complexity limitation for a rule. Block Messages with Profanity To prevent users from sending or receiving email messages with profane words, you can create content filters with regular expressions. If you want to catch only specific profane words, you can enter them in a regular expression word list.
3. Add a new custom filter with the following properties: • Filter Status: ON • Rules: Match: Any Rule Select Location: Recipient Select Filter Type: does not contain Filter Value: @ • Routing: Bounce • Copy to Quarantine: Optionally, specify a quarantine to which messages are copied With this filter in place, any outgoing messages from the new user org that are not addressed to your domain are bounced, and optionally quarantined.
To create a custom filter that deletes other null-sender messages: 1. Under Rules, set Match to: Any Rule. 2. Set the first rule in the filter to: • Select Location: Sender • Select Filter Type: is empty 3. Set Routing to: Delete (Blackhole). 4. If you want to copy the deleted messages to one or more quarantines, you can set Copy to Quarantine to the appropriate value.
A content filter captured messages that don’t contain any words, phrases, or patterns I specified in the filter rules. Why? If the message contains a file attachment, the value you specified in the filter rule might appear in the attachment. If you selected Body for the filter’s rule location, Content Manager still scans any plain-text attachments, including attached email messages. If you selected the location Entire Message, Content Manager also scans binary attachments, such as Microsoft Office files.
Content Manager Reference Content Manager Filter List Use this page to view Content Manager settings and filters, or to access other pages on which you can: • Configure Content Manager • Set up compliance policies • Create or edit content filters See “About Content Manager” on page 199. Configure Content Manager: If you have not yet configured Content Manager, a Configure button appears.
See: • “Social Security Numbers Policy” on page 250 • “Credit Card Numbers Policy” on page 252 Create or Edit a Content Filter: Create content filters to block or monitor messages with specific content. To create a new content filter, click Add Custom Filter. To edit an existing filter, click the filter name: See “Content Manager Filter Settings” on page 243. Content Manager Configuration Settings Use this setting... To... Content Filtering Turn Content filtering ON or OFF.
Use this setting... To... Quarantine Administrator Specify the email address of the administrator who receives messages captured by a filter for which you have configured the Copy to Quarantine option. Content Manager sends messages that the filter captures to the administrator’s quarantine in Message Center. If all administrators share one account (for example, admin@jumboinc.com), enter the email address for that account here. Note: • Any message limits set for the organization or user account apply.
Content Manager Filter Settings Use this page to: • Create a new content filter, or edit an existing filter. • Delete a content filter. Alternatively, you can temporarily disable all content filters for an organization, by turning off Content Manager. See “Configure Content Manager” on page 207. General Filter Settings Use this field... To... Filter Name Enter a descriptive name for the filter. The name must be unique and cannot exceed 15 characters.
Use this field... To... Select Location Select the part of the message you want Content Manager to scan: • Subject Line: Scans the Subject field in a message. • Body: Scans the body text in a message. Does not scan file attachments, except plain-text files. • Header: Scans the complete SMTP headers of a message, including subpart headers. • Sender: Scans the From field in a message. • Recipient: Scans the To field in a message.
Use this field... To... Select Filter Type Select the scanning method that Content Manager uses for this filter. • starts with: If text in the specified location begins with the specified value, this filter captures the message. • ends with: If text in the specified location ends with the specified value, this filter captures the message. • contains text: If text in the specified rule location contains the specified rule value, this filter captures the message.
Use this field... To... Select Filter Type (cont) • does not match regex: If the text in the specified location does not match the regular expression you enter for the rule value, this filter captures the message. When you select this filter type, the Test regex link appears. Click this link to open the Test Regular Expression panel, where you can make sure your expression syntax is valid, and catches the type of content you want. For more information, see “Test Regular Expression” on page 249.
Use this field... To... Value Enter the content for which you want Content Manager to scan messages. If you selected a filter type of starts with, ends with, contains text, does not contain, equals, or matches any word in: • The value must be a word or phrase. You can enter a regular expression only if you select a filter type of matches regex or does not match regex. • Enter a space-separated list of ASCII characters (for example: one two three).
Message Dispositions Field Value Routing Deliver: Sends the message to the recipient’s inbox, without further Content Manager processing. • Bypass junk filters (Inbound only): Sends the message to the recipient’s inbox, without processing by the junk filters. • Encrypt (Outbound only): Encrypts the message, using Message Encryption. Message Encryption is an optional feature. For more information, refer to the Encryption Services Administration Guide.
Field Value Copy to Quarantine Copies any message that matches the filter to the specified quarantine addresses: • Quarantine Administrator • Recipient (Inbound) • Sender (Outbound) • Other User To add/remove an address: 1. Click Add quarantine address. 2. Select the quarantine. If you select Other User, enter that user’s quarantine address. 3. To remove an address, click Remove. Note: • You can designate an administrator on the Content Manager Configuration Settings page.
Field Value Text to Match Enter text you want the regular expression to match. Click Test Match to see whether your regular expression matches the text you enter. Result If you are checking syntax, the message here tells you either: • Your regular expression is valid. • The reasons your regular expression is not valid. If you are testing whether your expression matches text you enter, the message here tells you whether or not the expression matches the text.
About the Social Security Numbers Lexicon The Social Security Numbers lexicon is a predefined filter that finds U.S. social security numbers in email messages. The following table describes how the lexicon works: Lexicon pattern matching This lexicon matches sequences of 9 digits. The digits in a valid sequence can be separated by spaces, dashes, or periods. The following are examples of the patterns this lexicon matches: • nnn-nn-nnnn • nnn nn nnnn • nnn.nn.
Number validity checking Filtering Accuracy This lexicon also checks sequences of 9 digits to determine whether they meet the requirements for a valid U.S. social security number, within the range that has been allocated. A valid social security number: • Cannot contain a group of digits that are all 0s, such as in 000-11-1111, 111-00-1111, or 111-11-0000. • Cannot start with the digits 666, or any three-digit number greater than 728.
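The pattern matching and validity rules described above can be reproduced to predict which strings in a message the policy is likely to capture. This Python code is an added example, not the lexicon's own implementation; it applies only the rules stated on this page, the function names are hypothetical, and it assumes a candidate must not be embedded in a longer run of digits.

```python
import re

# Nine digits in a 3-2-4 grouping. Each separator is optional and may be a
# space, a period, or a dash. The lookarounds are an assumption of this
# example: they stop a match inside a longer digit run.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ .-]?(\d{2})[ .-]?(\d{4})(?!\d)")


def check_ssn(area, group, serial):
    """Return None when the number passes the rules on this page, else the reason."""
    if area == "000" or group == "00" or serial == "0000":
        return "contains a group of digits that are all 0s"
    if area == "666":
        return "starts with 666"
    if int(area) > 728:
        return "starts with a three-digit number greater than 728"
    return None


def find_ssn_candidates(text):
    """Return one record per 9-digit candidate, in order of appearance.

    Only the last four digits are kept, so the scan result can be logged
    without copying the sensitive value.
    """
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        reason = check_ssn(area, group, serial)
        hits.append({
            "offset": m.start(),
            "masked": "***-**-" + serial,
            "valid": reason is None,
            "reason": reason,
        })
    return hits


# Constructed sample message body; none of these numbers belong to a real person.
SAMPLE_MESSAGE = (
    "Payroll update: employee SSN 123-45-6789, spouse 728 12 3456.\n"
    "Test fixtures: 000-11-1111, 111-00-1111, 111-11-0000, 666-12-3456, 729.12.3456\n"
    "Order number 1234567890 and phone 555-123-4567 are not candidates.\n"
)

if __name__ == "__main__":
    for hit in find_ssn_candidates(SAMPLE_MESSAGE):
        verdict = "would be captured" if hit["valid"] else "rejected: " + hit["reason"]
        print(hit["offset"], hit["masked"], verdict)
```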
About the Credit Card Numbers Lexicon The Credit Card Numbers lexicon is a predefined filter that finds credit card numbers in email messages. The following table describes how this lexicon works: Lexicon pattern matching Number validity checking This lexicon matches sequences of 16 digits. The digits in a valid sequence can be separated by spaces or dashes.
Filter Status Set this policy to ON or OFF. If you turn the policy off, the Disposition setting is saved. Disposition Select the action you want this policy to take on messages that the Credit Card Numbers lexicon captures. For details about dispositions, see “Message Dispositions” on page 248.
Chapter 12: Approved and Blocked Sender Lists
About Sender Lists
You can approve or block specific senders and recipients, based on the email address or domain. The message security service detects spam by applying hundreds of rules to each message that passes through. It blocks obvious spam outright, and diverts what is possibly spam to the Quarantine.
At the user level in the Message Center, you can configure: • Approved Senders (individual email addresses) • Approved Domains (individual domains) • Approved Mailing Lists/Email Lists (individual list addresses) • Blocked Senders (individual email addresses) • Blocked Domains (individual domains) Approved Senders Messages from individual senders or entire domains are delivered to user inboxes, regardless of spam-like content. Approved senders always circumvent junk email filters.
Approved Domains Messages from an approved domain are delivered to user inboxes, regardless of spam-like content. Messages from approved domains always circumvent junk email filters. However, if virus blocking is enabled for the recipient, the message security service does not deliver a message containing a virus, even if the domain is approved. Approved senders can optionally override Attachment Manager and Content Manager filtering.
Industry Heuristics and the Blocked Sender List If an organization has Industry Heuristics turned on, a message containing industry content coming from a Blocked Sender is still quarantined. The industry-specific content disposition is set after the Approved/Blocked Senders disposition is set and processed. You may consider adding an address from a user’s list to the appropriate organization-level list to improve filtering for all users, while freeing up space for that particular user.
How Senders Are Identified The service identifies an approved or blocked sender by looking at the address in the message’s From field. First, it looks at the From address shown in the message header. If that is empty, it looks at the From address in the message’s Envelope (which is typically hidden from view in email clients). Reply-To headers aren’t checked because they aren’t necessarily assigned to the actual sender.
4. Enter an email address or domain into the Approved Senders or Blocked Senders field, then click Add. To allow or block an entire domain, use a Content Manager filter. See “Sender address from one or more specific domains” on page 213 for information about creating a domain-level filter. WARNING: Use caution with the option, “Apply settings and filters to existing sub-orgs.
5. Enter an email address or domain into the Approved Senders, Blocked Senders, or Approved Recipients field, then click Add. For a domain, use the format @domainname.com or domainname.com. Editing Sender Lists in Message Center You use Message Center or Message Center Classic to edit personal sender lists. To edit the approved-sender lists in Message Center: 1. Log in to Message Center. 2. Click the My Settings link in the upper-right corner of the page. 3. Click the Approve Senders link. 4.
Click Update Blocked Domains. Size Limits for Sender Lists The maximum number of characters for each approved/blocked list in the Administration Console is 4000. If each address or domain is 30 to 40 characters, each sender list can include approximately 100 to 130 addresses and domains. The maximum number of characters for all lists for each user in the Message Center is 1000. For each address, add an additional 2 characters to get an accurate count.
The batch-command syntax to remove an address or domain from an approved/blocked sender list is as follows:
modifyorg ORGNAME, approved_senders=-DOMAIN_OR_ADDRESS
or
modifyuser USER_ADDRESS, blocked_senders=-DOMAIN_OR_ADDRESS
ORGNAME: The name or IID of the organization associated with the approved/blocked sender list
USER_ADDRESS: The address of the user associated with the approved/blocked sender list
ADDRESS_OR_DOMAIN: The domain or email address to remove
Addresses or domains can be added and remo
2. For delivered messages that seem to establish a trend, research the messages (your research data is used in remaining steps): a. Go to Users and click the Quarantine icon next to the user who delivered a message. b. Select the Delivered radio button, and click Apply. c. Select the message in question, and click Show Header. d. Look at the header of the message.
Troubleshooting: Approved/Blocked Senders and Mailing Lists Why is it that some obvious spam messages are occasionally allowed through the filters? Spammers commonly forge sender addresses from popular domains in attempts to bypass filtering. These may be approved senders you added, or approved senders that were pre-populated for your organization. You may wish to modify the lists for your organizations to remove these approved senders. Be sure to modify any organizations that contain your users.
Why is a domain or address added to the approved/blocked sender list not approved or blocked as expected? Either: • The address or domain was not added before the message arrived. • It was not added to the user or organization containing the user. • It was added to multiple lists. See “Message Processing Order” for further details on the processing order. 1. Compare the received date of the mail message to the last modification date/ time for the user: a. Go to Orgs and Users > Users. b.
Filtering was working fine, then suddenly much more spam made it through the filter for a particular user. Most of the spam messages are delivered with an Xpstn header containing the text GOOD RECIP. What is happening? That user’s own e-mail address or domain was added to his/her approved sender lists. Configured this way, all messages sent to that user or to the user's domain are allowed through. The administrator can remove this configuration using the Administration Console as follows: 1.
When I attempt to add or remove an entry from a sender list, I see the error “A request could not be completed because of a system error. Try clicking ‘Back’ on your browser and reload that page”. What should we do if this happens? Please contact customer support to resolve this issue. Please provide the Org ID, System #, User ID, and which list you are having an issue with (for example, approved or blocked). There is a rare occurrence of approved/blocked senders entries being inserted improperly.
3. Click the user whose sender lists you want to edit. 4. Under Inbound Services, click Sender Lists. To edit Approved Senders list in Message Center: 1. Log in to Message Center. 2. Click the My Settings link in the upper-right corner of the page. 3. Click the Approve Senders link.
Chapter 13: Attachment Manager
About Attachment Manager
Use Attachment Manager to filter messages based on the size or file extension of any attachments. Each of several filters can have its own disposition, or method of processing filtered messages. For example, you can centrally quarantine messages with attachments that are .exe files, and user quarantine attached image files.
• With the exception of Early Detection filters, messages must pass other filters before Attachment Manager. Attachment Manager scans only valid messages. Messages must pass through spam, sender lists, and virus filters before filtering by Attachment Manager. For example, a message infected with a virus that also triggers an attachment filter is processed according to your Virus Disposition, not the attachment filter’s disposition.
Note that binary scanning now identifies Microsoft Office 2007 file types. If binary scanning cannot determine the file type of an attachment, Attachment Manager uses extension scanning as a fallback method. Note: In some cases, binary scanning does not distinguish among some related file types, if they are generated by the same application. For example, binary scanning treats .pps (PowerPoint SlideShow) files as .ppt (PowerPoint) files.
Following are technical details for the compressed file scanning feature: • Compressed file types: Attachment Manager opens the most common compressed file types, including .zip, .tar, .gz, .lzh, and win.dat files. If a compressed file cannot be opened and the contents scanned, Attachment Manager filters the message based on the compressed file type.
Configure Attachment Manager The Attachment Manager settings are made at the organization level. You can configure Attachment Manager to: • Send incoming messages to users’ quarantines in Message Center, when those messages contain attachments that violate an attachment filter policy. • Allow messages from senders on the organization’s approved senders list to bypass the Attachment Manager filters. An individual user’s approved senders list has no effect on the Attachment Manager filtering.
5. Configure notifications for messages that trigger Attachment Manager filters. By default, notifications are sent to the administrator only, but can be sent to the user or both the user and administrator. See “Configuring Notifications for an Organization” on page 149 for information on setting up notifications, and “Default Notifications with Tokens” on page 388 for information on customizing the Attachment Manager Notification message.
Field Value Approved Senders You can choose to have inbound messages from senders on the organization’s approved senders list bypass the Attachment Manager filters. Click the Approved Senders link to see the current list. (An individual user’s approved senders list has no effect on the Attachment Manager filtering.) (for Inbound Attachment Manager only) Bounce Message Enter a custom message to return to senders whose messages trigger an attachment filter with a Bounce disposition.
5. Enter file types in the Custom File filters. These filters are most useful if you’re filtering only a few types of files. See “Custom File Types Filter” on page 281 for details. 6. Set up filters for broad categories of files using the System Threats and Productivity filters. See “System Threats and Productivity Filters” on page 281 for details. 7. Optional: Configure binary scanning as the method to identify file types. See “Troubleshoot Attachment Manager” on page 282 for details. 8.
When creating the filter, select a disposition, as follows: Disposition Action Bounce Rejects the messages and returns the sender an error message. For attachments that exceed the maximum size, the error returned is “552 Message too large - psmtp.” The error message for other filter types defaults to, “582 The file attached violates our email policy.” but can be customized on Attachment Manager’s Edit page (see “Configure Attachment Manager” on page 275).
Scanning Options Binary scanning is an optional method for identifying file attachments; it identifies an attachment by checking its binary content instead of the file extension. You can enable binary scanning from the Attachment Manager Filters page. When you enable binary scanning, Attachment Manager will then use binary scanning to identify file types for all of your filters (Custom File Types, System Threats, and Productivity filters).
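The difference between binary scanning and extension scanning, including the extension fallback described earlier in this chapter, can be illustrated with a short file-type check. This Python code is an added example, not Attachment Manager's implementation; the signature table, type labels, and function names are assumptions chosen for illustration, and the sample attachments are constructed.

```python
# Leading-byte signatures for a few common formats (constructed, minimal table).
SIGNATURES = [
    (b"MZ", "executable"),                             # Windows PE: .exe, .dll, .scr
    (b"PK\x03\x04", "zip-container"),                  # .zip; Office 2007 files are ZIP containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy Office: .doc, .xls, .ppt, .pps
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# What each extension claims to be, using the same labels as SIGNATURES.
EXTENSION_TYPES = {
    "exe": "executable", "dll": "executable", "scr": "executable",
    "zip": "zip-container", "docx": "zip-container",
    "xlsx": "zip-container", "pptx": "zip-container",
    "doc": "ole-compound", "xls": "ole-compound",
    "ppt": "ole-compound", "pps": "ole-compound",
    "pdf": "pdf", "png": "png", "gif": "gif",
}


def type_from_extension(filename):
    """Extension scanning: trust only the text after the last period."""
    _, dot, ext = filename.rpartition(".")
    if not dot:
        return "unknown"
    return EXTENSION_TYPES.get(ext.lower(), "unknown")


def identify(filename, data):
    """Binary scanning first; fall back to the extension when no signature matches."""
    for magic, file_type in SIGNATURES:
        if data.startswith(magic):
            return file_type, "binary"
    return type_from_extension(filename), "extension"


def evaluate(filename, data, blocked_types):
    """Return the filter decision plus a flag for a misleading extension."""
    file_type, method = identify(filename, data)
    claimed = type_from_extension(filename)
    return {
        "type": file_type,
        "method": method,
        "blocked": file_type in blocked_types,
        "extension_mismatch": method == "binary" and claimed != file_type,
    }


if __name__ == "__main__":
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    samples = [                                   # constructed attachments
        ("invoice.pdf", b"MZ\x90\x00\x03\x00"),    # executable content behind a .pdf name
        ("deck.pps", ole),                         # same container signature as .ppt
        ("budget.ppt", ole),
        ("setup.exe", b"unrecognized header"),     # no signature: extension fallback
    ]
    for name, data in samples:
        print(name, evaluate(name, data, {"executable"}))
```

With extension scanning alone, the first sample would be classified as a PDF; the signature check is what places it in the executable category.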
Custom File Types Filter Enter Custom File Types to filter only a few file types (rather than the collection included in System Threats and Productivity filters), or as exceptions to subsequent file type filters. For each disposition, enter one or more file extensions, without the period and separated by commas (for example, vcf, txf, gif). See “Attachment Filter Dispositions” on page 278 for a description of each disposition. It is also possible to filter for files with multiple file extensions.
Productivity Filters check for office documents such as Microsoft Word or Excel, or media files such as images and sound files. 1. Click a link (for example, Executables or Compressed Files) to see the file types that are included in each filter. WARNING: To filter just a few file types, don’t use System Threats or Productivity filters (leave them on Ignore). Instead, enter specific file extensions in the Custom File Types filter. 2.
How do you limit file size of attachments? Set the maximum attachment size using the Message Size filter as described in “Message Size Filter” on page 280. Does Attachment Manager filter viruses? No, messages and attachments are scanned for viruses before they pass through the Attachment Manager filter. Any messages with viruses are disposed of before reaching attachment filters.
Chapter 14: Industry Heuristics
About Industry Heuristics
Industry Heuristics is an optional feature. For more information on the features included in your service package, contact your account manager or vendor. Industry Heuristics can help reduce falsely quarantined messages for users and groups that receive large numbers of legal- or finance-related messages, which can contain content that appears to be spam.
When Industry Heuristics are turned on, additional information is included in the x-pstn headers. For more information about these headers, see “Industry Heuristics Header Fields” on page 407. Configuring Industry Heuristics You may wish to create a separate organization for your legal, sales, or finance departments and enable Industry Heuristics only for that organization. By default, Industry Heuristics are turned off for an organization. 1. In the Administration Console, go to Orgs and Users > Orgs. 2.
6. Set Transport Heuristics to On or Off. 7. Click the propagation checkbox to apply settings and filters to existing suborgs. 8. Click Save.
Chapter 15: Test Tools & Mail Flow Troubleshooting
About Test Tools & Mail Flow Troubleshooting
From time to time, you’ll need to ensure that the message service is running as desired. The System Tests section of the Administration Console includes several programs for testing and troubleshooting the delivery of email. If you have a mail delivery emergency (no incoming mail), see “Troubleshoot Incoming Email Delivery” on page 292.
To run the MX Record Test by batch file: See the testmx command in the “Commands” chapter of the Batch Reference Guide for details on submitting the following command: testmx Name of the domain whose DNS MX entries you wish to test Successful Results for the MX Record Test The following indicates a successful MX Record Test. Mail for the domain you selected (in this case, jumboinc.com) is routing correctly to the message service. jumboinc.com: MX records OK. jumboinc.
See the table below for details on which errors you may run into, and the next steps you should take. Error Next Steps There is no domain in this organization to test Click the Show Hierarchy link. Choose a different organization. By default, choose your Users organization. Once you choose the correct organization, click the MX Record test again to run the test. No MX record found containing 'sNaM.psmtp.com' or No MX record found containing 'sNbM.psmtp.com' Add the appropriate entry.
Error Next Steps Priority of psmtp MX records must be higher than Customer MX records Change your DNS MX entries for the domain so that the message service entries are higher than the entries which route to your mail server. Troubleshoot Incoming Email Delivery A mail delivery emergency is when some or all of your users are receiving no email. This is typically due to one of the following root causes: • Incorrect configuration of the message security service. • MX records configured incorrectly.
This step checks whether the MX records that route your email to the message security service are configured correctly. Check the format for the MX records in the Administration Console. a. Go to the home page (click the logo in the upper left-hand corner), and click MX Record Test link in the bottom left-hand corner. b. Choose the domain you want to check. c. Click Test. The results appear on the bottom of the page. Action: If the MX records for this domain are incorrect, correct or add new records.
Chapter 16: Transport Layer Security
About the Inbound Servers Tab
You can use the Inbound Servers tab to set up Transport Layer Security for your inbound mail. The Inbound Servers tab contains a link to your TLS settings. See “Transport Layer Security for Inbound Mail” on page 296. Transport Layer Security (TLS) Use the TLS page in the Inbound Servers tab, or the Outbound Servers tab, to configure whether your mail is encrypted.
Setting Up Transport Layer Security Set up Transport Layer Security using the Administration Console. For outbound TLS, you will also need to contact Google Apps Support. • “Setting Up Inbound TLS” on page 301. Steps for setting up TLS for incoming mail in the Inbound Servers tab. • “Setting Up Outbound TLS” on page 304. Steps for setting up TLS for outgoing mail in the Outbound Servers tab. You will also need to set up Outbound TLS in your Google Apps Mail by contacting Google Apps support.
The key features of TLS are: • Encrypted messages: TLS uses Public Key Infrastructure (PKI) to encrypt messages from mail server to mail server. This encryption makes it more difficult for hackers to intercept and read messages. • Authentication: TLS supports the use of digital certificates to authenticate the receiving servers. Authentication of sending servers is optional. This process verifies that the receivers (or senders) are who they say they are, which helps to prevent spoofing.
This diagram shows the flow of TLS messages between servers: • Stage 1: The sending server sends a message via TLS to the message security service, which always accepts TLS messages and processes them according to the TLS protocol. The message is encrypted from the sending server to the message security service. • Stage 2: You can choose whether the connection from the message security service to Google Apps Mail uses TLS. You may choose not to use TLS if you wish, but this will reduce security.
Message Processing and Encryption The following describes message flow, encryption, and message filtering for incoming TLS connections. (Note, this is a high-level overview; please see the TLS specification, RFC 2246, or other technical reference for the complete data flow.) 1. The sending server initiates a TLS connection with the message security service. (TLS handshake with the message security service using the ESMTP STARTTLS command.) 2.
4. Google Apps Mail sends certificate information (including the public key for encryption) to the message security service. 5. The sending server encrypts and delivers the message to the message security service. 6. The message is decrypted, processed for viruses, and filtered based on junk mail settings and email policies (such as message attachments and content type). Other than the initial decryption, filtering is identical to normal filtering. 7.
For TLS connections between the message security service and Google Apps Mail, you may use either self-signed or authority-signed certificates. The type of certificate doesn’t affect delivery—the message security service uses your certificate to negotiate the encryption between the two servers, and does not perform any disposition based on the information in the certificate. TLS-encrypted messages or messages sent from an authority-signed certificate only imply that the senders are who they say they are.
2. Choose a setting for TLS delivery from the message security service to Google Apps Mail. Select “Send by SMTP or TLS” which provides the greatest flexibility. Following are descriptions of each delivery option:
• Send only SMTP: No TLS connections from the message security service to Google Apps Mail. If a message is sent via TLS, it is received by the message security service in encrypted form, but delivered to Google Apps Mail unencrypted via SMTP.
If a message is sent via TLS, the message security service delivers the message via TLS to Google Apps Mail if possible, but otherwise delivers by SMTP. If the message is sent via SMTP, the message security service delivers the message via SMTP to Google Apps Mail, so the message is delivered to match the sender’s preference if possible. This is the recommended setting. It ensures end-to-end TLS connections, and the impact to performance is relatively low.
4. Click Save.
Transport Layer Security for Outbound Mail
This section provides a technical overview of how TLS works on your inbound mail delivery, with details of data flow and the features of TLS. For information on how to set up TLS with outbound mail, see “Setting Up Outbound TLS” on page 304. Outbound Service supports Transport Layer Security (TLS), which is a protocol that encrypts and delivers mail securely.
2. Choose the Outbound TLS settings. To do this, you must select how the message security service accepts outbound messages from Google Apps Mail, and also how the message security service sends your outbound messages to recipient mail servers. These settings are described below. Choose “Accept SMTP and TLS” which provides the greatest flexibility.
The second outbound TLS setting enables you to choose how the message security service sends your outbound messages to recipient mail servers. If you are not sure what to select, choose “Send by SMTP or TLS.”
• Send only SMTP: No TLS encryption, and all messages are delivered via SMTP.
• Send by SMTP or TLS (Recommended): This is the recommended setting. Messages sent via TLS are delivered via TLS to the recipient.
• Send only TLS: Send all messages by TLS. Mail sent to recipient servers that do not support TLS will be deferred.
• Send and Deliver TLS: Messages sent via TLS are delivered via TLS to the recipient. If the recipient does not support TLS the message will be deferred. All other messages are delivered via SMTP.
3. If you wish to set up specific domains for TLS, enter domain names in Domain Specific Settings. See “Setting Up Policy Enforced TLS” on page 311 for more information.
4. Click Save.
Features and Benefits Policy Enforced TLS provides the following benefits: • Support for Transport Layer Security (TLS) encryption of email. Mail is encrypted before delivery, based on your TLS settings. You can set Policy Enforced TLS to bounce messages which cannot be encrypted, or to allow non-secure mail transmission. • Ability to configure security settings separately for specific domains. You can name specific domains which will receive additional security.
This diagram shows the flow of TLS messages between servers: • Stage 1: The sending server sends a message via TLS to the email protection service, which will only accept TLS messages if the sending domain is listed in Policy Enforced TLS. Without Policy Enforced TLS, you can set the email protection service to defer all messages if TLS is not possible, or to deliver them. With Policy Enforced TLS, you can name specific sender domains which must be encrypted.
This diagram shows the flow of TLS messages between servers: • Stage 1: The first connection is from Google Apps to the email protection service. You can choose whether this connection uses TLS. • Stage 2: The second connection is from the email protection service to the receiving mail server. If the exact recipient domain is in your list of domains for Outbound TLS by Recipient Domain, the outbound security service will connect via TLS to the receiving mail server.
Setting Up Policy Enforced TLS
Set up inbound Policy Enforced TLS and outbound Policy Enforced TLS separately.
WARNING: If Policy Enforced TLS stops a message, you will not receive an alert or notification that the message failed. Do not set up Policy Enforced TLS without verifying successful mail delivery with a test connection.
Set up Inbound TLS by Sender Domain
1. In the Administration Console, click the Inbound Servers tab and click the TLS link.
2.
2. If TLS is set to “Accept only SMTP” or “Send only SMTP”, change your settings to allow TLS. The recommended setting is “SMTP or TLS.” See “Transport Layer Security for Outbound Mail” on page 521 for more information on outbound TLS settings. 3. Scroll to the Outbound TLS by Sender Domain section, at the bottom of the page. If you do not see this section, you do not have Policy Enforced TLS enabled. Contact your account representative for information. 4. Enter the domain name you wish to set as TLS-only.
WARNING: If set up improperly, Certificate Validation can interrupt mail flow. Check your settings and certificates before setting up certificate validation. Certificate Validation is an advanced feature for administrators who need to verify TLS certificates to avoid malformed or spoofed certificates. When outbound mail is sent to a domain that is configured for Certificate Validation, Policy Enforced TLS verifies the format, source, and domain of the certificate.
Certificate Validation settings are described below. TLS Certification Description Encrypt Only Behavior: Policy Enforced TLS obtains the keys from the Server Certificate, extracts the keys, completes the TLS handshake, and begins the encrypted session. No further verification takes place. Errors that prevent key extraction will result in a bounced connection, but any other certificate-related errors are ignored.
TLS Certification Description Check Domain Behavior: In addition to the certificate tests in Verify Cert and Check Trust, also confirms that the domain in the certificate matches the domain of the server host. If there is a wildcard in the domain certificate, the recipient’s domain must match the wildcard. Will also block any certificate linked to an IP address instead of a hostname. Ends the session if the domain check fails.
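The Check Domain test described above, sketched as an added example (not the message security service's own code). It assumes the comparison is made against the receiving server's hostname and that a wildcard covers exactly one leftmost label, the usual certificate-matching convention; all function names are hypothetical.

```python
import ipaddress


def is_ip_literal(name):
    """True if the name is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def name_matches(cert_name, server_host):
    """Compare one certificate name with the server hostname, label by label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = server_host.lower().rstrip(".").split(".")
    if "" in cert_labels or "" in host_labels:
        return False  # empty label: malformed name
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if cert_labels[0] == "*":
        # Assumption: "*.example.com" is acceptable, "*.com" is not.
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    if any("*" in label for label in cert_labels):
        return False  # partial or non-leftmost wildcards are rejected
    return cert_labels == host_labels


def check_domain(cert_names, server_host):
    """Return (ok, reason) for the names found in a server certificate.

    cert_names: subject names taken from the certificate (constructed input
    here; extracting them from a live certificate is out of scope).
    """
    if is_ip_literal(server_host):
        return False, "server is identified by an IP address, not a hostname"
    hostnames = [n for n in cert_names if not is_ip_literal(n)]
    if not hostnames:
        return False, "certificate is linked to an IP address, not a hostname"
    for name in hostnames:
        if name_matches(name, server_host):
            return True, "matched " + name
    return False, "no certificate name matches " + server_host


if __name__ == "__main__":
    # Constructed test cases: (certificate names, receiving server hostname)
    cases = [
        (["mail.example.com"], "mail.example.com"),
        (["*.example.com"], "mx1.example.com"),
        (["*.example.com"], "a.b.example.com"),
        (["192.0.2.10"], "mail.example.com"),
    ]
    for names, host in cases:
        print(names, host, check_domain(names, host))
```

A failed result corresponds to the point where the guide says the session ends, so run a check like this against a partner's certificate names before enabling Check Domain for that domain.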
TLS Alerts If you use Policy Enforced TLS, set up TLS Alerts in the Batch page so that you will receive an alert if Policy Enforced TLS defers messages. Policy Enforced TLS is intended for secured business partners who intend to encrypt all email communication between two parties. To prevent secure messages from being transmitted in the open, Policy Enforced TLS will refuse messages that come from specified domains when TLS sessions fail.
orgname is the name of your admin user organization. This command will show all fields for the organization. Check the tls_notify_admin and tls_notify_on settings to confirm that they are correct. Modify or Disable TLS Alerts 1. Log in to the Administration Console. 2. Go to the Batch page in the Orgs & Users tab. 3. Enter the following command into Step 2.
This message is an automated alert from your email security service. The email security service was unable to accept messages from the following domain, because the domain's mail server did not establish a TLS connection: Your Inbound TLS by Domain encryption policy requires messages from this domain be sent using TLS. Your email security service defers messages if the domain's mail server does not establish a TLS connection with the service.
Outbound Mail (Remote) When Policy Enforced TLS blocks an outbound message because the email protection service could not establish a TLS session with the recipient, your administrator will see the following alert: This message is an automated alert from your email security service. Your email security service was unable to send messages to the following domain, because the domain's mail server would not accept a TLS connection.
This message is an automated alert from your email security service. Your email security service was unable to send messages to the following domain, because your outbound mail server did not establish a TLS connection to the service: Your Outbound TLS by Domain encryption policy requires this domain to receive messages using TLS.
Chapter 17: Reports
About Reports
Reports provide visibility into the traffic patterns across your organization. The Administration Console produces different traffic reports based on your product configuration. Reporting provides extensive analysis into email message traffic, spam, virus, and usage over a day or week. You may also download report data and import it into reporting or spreadsheet software for further analysis.
2. Select the organization from the pull-down list. The total number of registered users in the organization, including sub-orgs, is displayed above the reports list. 3. Click the report name. You’ll see a page similar to this: Notes about the report results: • The reports displayed in the Administration Console show the top 20 results. • Reports containing the data from the previous day are generally available around noon, Pacific Time, the following day.
6. To download a report, click the Download link located in the upper right corner of the screen. The report is opened in a new browser window that presents the data in CSV format so it can easily be saved and imported into most reporting and spreadsheet software for further analysis or storage. The download report provides a comma-delimited list and is ideal when you wish to view more than the top 20 results.
Field Description Unfiltered Number of unregistered account messages that are passed through unfiltered. Spam Number of spam messages detected and quarantined. Virus Number of virus messages detected and quarantined. Attachment Manager Number of messages filtered by Attachment Manager. Content Manager Number of messages filtered by Content Manager. Other Filters Number of messages blocked by other filters, such as SPF and TLS. Total Messages Total number of messages processed for this domain.
Field Description Content Manager Total bytes of messages filtered by Content Manager. Other Filters Total bytes of messages blocked by other filters, such as SPF, DKIM, IP Lock, and TLS. Total Messages Total bytes of messages processed for this domain. Traffic Reports Traffic Reports give you visibility into traffic sources and destinations for messages that are quarantined or forwarded to the recipient. Mail that is bounced or blackholed is not recorded in the reports.
Field Description Acct Messages Account Messages. The number of filtered email messages sent to accounts and aliases registered in the message service. There may be a difference between Messages and Acct Msgs numbers. This is because the Messages number includes all messages passing through the system that are accepted by your mail server, but Acct Msgs only counts messages sent from the message service to registered accounts and aliases.
Field Description Msgs Quarantined Number of messages quarantined. % Quarantined Percent of messages quarantined. Total Msgs Processed Total number of messages processed. Bytes Processed Total number of bytes processed. Traffic by Recipient (Inbound) This report shows inbound mail traffic information for the users in the selected organization. Two types of inbound Traffic by Recipient reports are available. One report generates only the primary email addresses in the results.
Field Description Blocked Acct Msgs Number of Acct Messages blocked by Blatant Spam Blocking % of Msgs Percent of Blocked Acct Msgs delivered. % of Bytes Percent of bytes delivered. Quarantined Acct Msgs Number of Acct Messages quarantined. % of Msgs Percent of Quarantined Acct Msgs delivered. % of Bytes Percent of bytes delivered.
Traffic Activity Log (Outbound) The Outbound Traffic logs show the detailed data for outgoing messages. The logs contain data from 20 minutes prior. The timestamps are in PST. The log contains a maximum of 5000 lines of data (the lines are tab-delimited.) Once the size limit is reached, logging continues, with the oldest data deleted first. A sample log entry looks like: 2007/11/07 10:13:21 IP:888.888.888.888 IPOrg:000000000 From:kristine@jumboinc.com User:999999999 Org:111111111 Recipients:helene@hugeisp.
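A parser for the tab-delimited outbound Traffic Activity Log described above, with a per-sender summary that helps spot accounts mailing unusually many recipients. This is an added example, not part of the guide: the sample lines are constructed, only field names visible in the guide's sample entry are used, and a comma-separated Recipients value is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Leading "YYYY/MM/DD HH:MM:SS" stamp (PST, per the guide), then the fields.
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})[\t ]+(.+)$")


def _line(stamp, ip, sender, recipients):
    """Build one constructed, tab-delimited sample entry."""
    return "\t".join([stamp, "IP:" + ip, "IPOrg:100000001", "From:" + sender,
                      "User:200000001", "Org:300000001",
                      "Recipients:" + recipients])


# Constructed sample log (not real traffic). The third line is malformed on
# purpose to show how unparseable entries are counted instead of crashing.
SAMPLE_LOG = "\n".join([
    _line("2007/11/07 10:13:21", "192.0.2.10", "alice@example.com",
          "bob@example.net"),
    _line("2007/11/07 10:14:02", "192.0.2.11", "carol@example.com",
          "dave@example.net,erin@example.org"),
    "entry cut off before its timestamp",
    _line("2007/11/07 10:15:40", "198.51.100.7", "carol@example.com",
          "frank@example.org"),
    _line("2007/11/07 10:16:05", "192.0.2.10", "alice@example.com",
          "bob@example.net"),
])


def parse_entry(line):
    """Parse one line into {'time': datetime, 'fields': dict}, or None."""
    match = TS_RE.match(line.rstrip("\r\n"))
    if not match:
        return None
    try:
        stamp = datetime.strptime(match.group(1), "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None
    fields = {}
    for token in match.group(2).split("\t"):
        # Split on the first colon only, so values may contain colons.
        key, sep, value = token.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return {"time": stamp, "fields": fields}


def parse_log(text):
    """Return (entries, skipped) for a whole log; blank lines are ignored."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            skipped += 1
        else:
            entries.append(entry)
    return entries, skipped


def summarize_by_sender(entries):
    """Per sender: message count, distinct recipients, distinct source IPs."""
    summary = defaultdict(
        lambda: {"messages": 0, "recipients": set(), "ips": set()})
    for entry in entries:
        fields = entry["fields"]
        sender = fields.get("From", "").lower()
        if not sender:
            continue
        row = summary[sender]
        row["messages"] += 1
        # Assumption: multiple recipients are comma-separated.
        for rcpt in fields.get("Recipients", "").split(","):
            if rcpt.strip():
                row["recipients"].add(rcpt.strip().lower())
        if fields.get("IP"):
            row["ips"].add(fields["IP"])
    return dict(summary)


def senders_over_threshold(summary, min_recipients):
    """Senders whose distinct-recipient count reaches the threshold."""
    return sorted(sender for sender, row in summary.items()
                  if len(row["recipients"]) >= min_recipients)


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    report = summarize_by_sender(parsed)
    print("parsed", len(parsed), "skipped", bad)
    print("review:", senders_over_threshold(report, 3))
```

Because the log holds at most 5000 lines and drops the oldest data first, a summary like this only covers the window currently retained.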
Spam Reports Spam Reports give a list of the domains that are sending spam, the users receiving spam, and provide detailed information on the most active spam filters. Spam by Domain (Inbound) This report shows spam messages quarantined for each domain in the selected organization. Two types of inbound Spam by Domain reports are available. One report aggregates all messages for sub-domains and aliased domains to the primary domain.
Spam by Filter Name (Inbound) Number of messages quarantined by each category filter.
Field Description Delivered due to Filter off Number of spam messages delivered because users had spam filtering turned off, or because spam filtering was bypassed due to another user configuration setting. For example, if a Content Manager filter triggers, and if that filter is configured with a Deliver disposition, the message will be delivered without a spam scan. Delivered due to Tag and Deliver Number of spam messages delivered because the org is configured to tag and deliver.
Field Description Delivered due to Filter off Number of spam messages delivered because users had spam filtering turned off. Delivered due to Tag and Deliver Number of spam messages delivered because the org is configured to tag and deliver. Delivered due to Unregistered Users Number of spam messages delivered because the recipients were not registered with the message security service.
Field Description Racially Insensitive Number of messages triggering the Racially Insensitive junk email filter. Blatant Spam Blocking Number of messages blocked as obvious spam by Blatant Spam Blocking. Blocked Sender Messages quarantined because the specific sender address was listed in either the user or org-level Blocked Senders list. Blocked Server Messages quarantined because the domain was listed in a Blocked Senders list, not a specific address.
Field Description Soft Fail Number of messages with the Soft Fail response type during the SPF Check. Fail Number of messages with the Fail response type during the SPF Check. Error Number of messages that triggered an error during the SPF Check. Total Messages Total number of SPF Check messages for a sender domain. SPF by Recipient Domain Two types of inbound SPF by Recipient Domain reports are available.
Virus by Sender IP (Inbound) Per sender IP, the total number of quarantined viruses and the total size of viruses in bytes. Field Description Sender IP Sender’s IP address. Viruses detected Number of viruses detected and quarantined. Virus Bytes Total size of viruses detected and quarantined. Virus by Domain (Inbound) Per domain name, the total number of viruses blocked for the domain, and total byte size of blocked viruses. Two types of inbound Virus by Domain reports are available.
Field Description Bytes Processed Total size of virus-infected messages processed. Virus by Account (Inbound) Per account, the number of viruses quarantined, the total byte size of quarantined viruses, the number of viruses cleaned, the number of virus cleaning failures, and the number of infected deliveries from quarantine. Field Description Account Recipient’s account. This is normally the recipient’s email address, but in the case of an alias, the primary address is used.
Field Description Msgs Quarantined Number of virus-infected messages quarantined. % Quarantined Percent of virus-infected messages quarantined. Total Msgs Processed Total number of virus-infected messages processed. Bytes Processed Total size of virus-infected messages processed. Virus by Virus Name (Inbound) By virus name, the number of quarantined messages containing that virus, and total byte size for that virus. Field Description Virus Name Name of the virus, based on virus filtering data.
Attachments by Domain (Inbound) Per domain, the number of messages with attachments, and how those messages were handled by the system. Two types of inbound Attachments by Domain reports are available. One report aggregates all messages for sub-domains and aliased domains to the primary domain. A second type of report -- the Attachments by Domain (& subdomains) report -- includes all sub-domains and domain aliases exactly as they were received without any mapping to a primary domain.
Attachments by Domain (Outbound) Per domain, the number of messages with attachments, and how those messages were handled by the system. Field Description Domain Domain from which messages were sent. Msgs Bounced Number of messages bounced. % Bounced Percent of virus-infected messages bounced. Msgs Quarantined Number of messages quarantined. % Quarantined Percent of messages quarantined. Total Msgs Processed Total number of messages processed. Bytes Processed Total size of messages processed.
Field Description System Threat Depending upon how you configured your System Threat filter, this item returns the number of messages with attachments either bounced, approved, or quarantined. The filtering is based upon the attachment’s file extension. Productivity Depending upon how you configured your Productivity filter, this item returns the number of messages with attachments either bounced, approved, or quarantined. The filtering is based upon the attachment’s file extension.
Content Manager Reports Content Manager is an optional feature; whether the Content Manager Reports are displayed depends on your product configuration. Domain/Account (Inbound) By domain or account, the number of messages caught by your filters, the percentage of overall traffic represented by those messages, and the disposition applied to those messages. Two types of inbound Domain reports are available. One report aggregates all messages for sub-domains and aliased domains to the primary domain.
Domain/Account (Outbound) By domain or account, the number of messages caught by your filters, and how those messages were handled by the system. Field Description Domain (domain report) Domain from which messages were sent. Sender (account report) Address from which messages were sent. Account (account report) Whether the sender has an account in the message service (Y or N). Msgs Bounced Number of messages bounced. % Bounced Percent of virus-infected messages bounced.
Filter Name (Inbound, Outbound) The filter by which messages were caught, the disposition applied to messages caught by each filter, and the number of messages caught by each filter. Field Description Filter Name The name of the content filter that caught the messages. Disposition The disposition applied to messages caught by each filter. Events The number of messages caught by each filter.
The following logs are available: Log Description Daily Log Data for the most-recent 24-hour period for the selected org. Daily Log - includes sub-orgs Data for the most-recent 24-hour period for the selected org and its sub-orgs. Weekly Log Data for the most-recent 7-day period for the selected org. Weekly Log - includes sub-orgs Data for the most-recent 7-day period for the selected org and its sub-orgs. The logs show data from 20 minutes prior. The timestamps are in GMT.
Message Encryption Activity Log (Outbound) Message Encryption Logs are daily or weekly reports containing the details on outbound messages that were encrypted. Following are the descriptions of each field in the logs. Field Description Date Date on which the message was sent. Sender Email address from which the message was sent. Recipient Email address to which the message was sent. Bytes Message size in bytes.
Two types of inbound Archiving by Domain reports are available. One report aggregates all messages for sub-domains and aliased domains to the primary domain. A second type of report -- the Archiving by Domain (& sub-domains) report -- includes all sub-domains and domain aliases exactly as they were received without any mapping to a primary domain. The fields in these two reports are identical, and each report has the same total emails processed.
Field Description Total Messages Total number of messages archived. Total Bytes Total size of messages archived. Quarantine Delivery Reports Activity Log (Inbound) Quarantine Delivery Activity Logs are daily or weekly reports containing the details on messages that were delivered from the Message Center, or by clicking the Deliver button in the Quarantine Summary. The activity logs contain date, source of the delivery, sender, sender’s domain, recipient, size, subject.
The following logs are available: Log Description Daily Log Data for the most-recent 24-hour period for the selected org. Daily Log - includes sub-orgs Data for the most-recent 24-hour period for the selected org and its sub-orgs. Weekly Log Data for the most-recent 7-day period for the selected org. Weekly Log - includes sub-orgs Data for the most-recent 7-day period for the selected org and its sub-orgs. Field Description Domain/Account Domain or recipient address to which messages were sent.
Field Description Msgs Total number of inbound messages that passed through the message service. Msgs Bytes Total size of inbound messages that passed through the message service. TLS msgs Sender Hop Number of inbound messages that were transmitted by TLS between the sender and the message service. TLS bytes Sender Hop Data size of inbound messages that were transmitted by TLS between the sender and the message service.
Field Description TLS bytes Sender Hop Data size of outbound messages that were transmitted by TLS between your mail server and the message service. %TLS msgs Sender Hop Percentage of outbound messages sent that were transmitted by TLS between your mail server and the message service. %TLS bytes Sender Hop Percentage of outbound data that was transmitted by TLS between your mail server and the message service.
Why does a domain show up in an organization report when that domain is not located in that organization? There is at least one address in that domain which is aliased to a primary user account that is in the selected organization. For example: The user, legal@domain.com, and domain.com are registered in the organization “Corporate”. The user legal@domain.com has an alias legal@domain.net. domain.net is registered in another organization, “Internal”. Quarantined messages for legal@domain.
Blocked Servers are messages quarantined because the domain was listed in a Blocked Senders list, not a specific address.
Chapter 18: Message Log Search
About Message Log Search
As the message security service processes your messages, data about these messages is captured and stored in a log. The Message Log Search feature enables you to run searches on this data using different criteria. You can then view the search results and drill down to details about specific messages.
About the Data Note the following about Log Search data: • Message Log Search data is available within approximately 3 hours of message processing (sent or delivered through the message security service), and messages remain in the log for approximately 45 days. If you want to save search results for later analysis, you can export a .csv file.
7. To grant access to Log Search, select the Log Search check box in the Modify column. Clear this check box if you want to disallow access for that user. Note: For more information about setting access privileges in the Administration Console, see “Descriptions of Privileges” on page 122. Run a Log Search From the Log Search tab in the Administration Console, you can run queries based on the following criteria.
• Subject: Find Log Search results by entering an exact or partial subject. Searches by subject are case insensitive. Non-ASCII characters are not supported for Subject searches. Note: For searches on a partial subject, the results only match whole words. For example, if the subject is Basketball Bracket, the message will not appear in the results if you search on the words "ball" or "basket." However, if you enter the word basketball, the message will appear in the results.
• Org ID: Unique number from the message security service that identifies the sender’s Org ID for an outbound message or the recipient’s Org ID for an inbound message. Click More search criteria to display this field. To locate an Org ID, log in to the Administration Console. Go to Orgs and Users > Orgs, and then click the relevant organization to open the Organization Management page. The Organization ID is displayed in the Summary box on the right side of the page.
To run a Log Search: 1. From the Log Search tab, choose an organization from the Choose Org dropdown list at the top of the page. 2. Select a date range that matches the date and time the message was sent. This range corresponds to the time zone for the organization in which you’re running the search. You can use a date range such as Today, Yesterday, Last 7 days, or Last 30 Days.
Note: The “Message ID” is a unique number for the message security service that identifies a specific message. It differs from the SMTP Message-ID, which is often found in the message header. To view more details about a specific message recipient, expand the row for that recipient. For descriptions and definitions for each of the fields in the search results, see “Log Search Fields” on page 362.
Examples: to:jeffsmith@ez4utech.com AND from:janesmith@ez4utech.com To:jeffsmith@ez4utech.com OR To:janesmith@ez4utech.com NOT is useful when you want to eliminate a specific email address, Sender MTA, or Recipient MTA from the search results. With the following query, all recipients in the organization are included in the search except for janesmith@ez4utech.com: NOT to:janesmith@ez4utech.
Field Description and Values Disposition Description: Specifies how the message was processed after passing through the message security service filters. For example, messages can be bounced back to the sender, deleted with no return message, or placed in a Quarantine. Multiple dispositions can apply to a message. Example: Delivered,Archived Possible values: Blank value - Message did not trigger any filters. Admin Quarantined - Message was redirected to an administrator’s quarantine.
Field Description and Values Disposition (cont.) Tag And Delivered - The message security service delivers the message without acting on the filter condition shown in the message header (spam and virus filtering). Zero Hour - Inbound message was placed in the Early Detection Quarantine (Pending tab) in the Message Center.
Message Details Page The following additional fields and values are displayed when you click a Message ID link on the search results page. These results are specific to an individual message. Note that the fields are arranged in alphabetical order below, but they appear in the Log Search results in a different order. Field Description and Values Archive Action Specifies whether a message was archived normally, bounced, or ignored/blackholed (silently dropped).
Field Description and Values Archive Source Description: The source of the archived message - for example, from mail flow or from Exchange journals. Values: Domino - Domino journal archiving. Exchange 2k3 - Exchange 2003 journal archiving. Exchange 2k7 - Exchange 2007 journal archiving. Exchange 2k7 tnef - Exchange 2007 journal archiving (TNEF format). Mailflow - Unjournaled message between a user or users in an organization for which archiving is enabled.
Field Description and Values Attachment Sender Approved Description: An Attachment Manager filter was triggered, but the message was allowed through because of an approved sender list. Values: Recipient - Message was allowed through because of an approved mailing list. Sender Org - Message was allowed through because of an org-level approved sender. Sender User - Message was allowed through because of a user-level approved sender.
Field Description and Values Attachment Type Description: Type of attachment that triggered an Attachment Manager filter. Values: Blocked File Extension - File formats listed in Custom File Types. Compressed Files - File formats such as .zip and .tar. Executable Content - Executable file formats such as .exe, .asp, and .vbs. Multimedia - Movie, film, and video formats such as .avi, .wmv, and .mpg. Music - File formats such as .mp3 and .wav. Images - File formats such as .jpg, .gif, and .bmp.
Field Description and Values CM Result Indicates the Content Manager disposition. Values: Approved - Message was delivered to the recipient only, or it was delivered both to the recipient and to an admin quarantine or user quarantine. Blackhole - Discards/deletes the message, with no notification to the sender or recipient. ERROR 582 - This message violates our email policy - Message was bounced and returned to the sender.
Field Description and Values Disposition Filter Description: Displays which filter set the final disposition of the message. Example: If the final disposition of a message is Quarantined, and if a spam filter caused this disposition, then the Disposition field will display: Quarantined The Disposition Filter field will display: Spam Filtering Values: Attachment Manager - Filters messages based on the size or file extension of attachments.
Field Description and Values Finance score Financial-industry heuristics filter (see “Spam Scores” on page 403 and “Enable and Adjust Spam Filters” on page 177). Legal score Legal-industry heuristics score (see “Spam Scores” on page 403 and “Enable and Adjust Spam Filters” on page 177). Message Size Size of message in KB, MB or GB, including attachments Example: 11.29KB or 1.
Field Description and Values Proxy Description: Specifies the proxy server for the message security service that processed the inbound or outbound message. Examples: exprod8mx8 eu3sys200amx205 The proxy value can be used to determine the IP address that delivered the message to your server. When a message is processed by the message security service, the name of the proxy server is located in the message header.
Field Description and Values Sender TLS Description: Specifies whether a message was processed using transport layer security (TLS). If TLS is on, this field also specifies whether the TLS was policy enforced or domain enforced. For an inbound message, this refers to the connection between the sender's mail server and the message security service server. For an outbound message, this refers to the connection between your company’s mail server and the message security service server.
Field Description and Values Spam Result Description: Indicates the spam disposition. Values: Approved - Message was allowed through because of an approved sender. BSB Blackhole - Spam - Blackholed due to blatant spam blocking BSB Bounce ERROR 571 Message Refused - Message was bounced due to blatant spam blocking. If a custom message was set up for this error, the custom message is displayed. Passed - Forwarded (same as delivered) Quarantine - Bulk - Quarantined due to spam filters.
Field Description and Values User ID Description: Unique number from the message security service that identifies the sender of an outbound message or the recipient of an inbound message. A user’s primary email address can be changed, but its ID always remains the same. A User ID is useful for tracking a user even when they have multiple aliases. To locate a User ID, log in to the Administration Console. Go to Orgs and Users > Users, and then click the relevant user to open the User Overview page.
Common Log Search Scenarios

The most common search scenarios are presented below. Each section presents a list of the queries you’ll need, instructions for running the searches, and tips on interpreting search results.

What happened to an inbound message?

Common answers include:
• The message was delivered to the recipient server.
• The message was quarantined or bounced by a filter.
• The sender connection may have been blocked by Connection Manager.

2. On the search results page, look for the message and view the results in the Disposition column:
• If Delivered, the message passed successfully through the message security service. If the message is missing, you’ll need to search your company’s mail server environment to locate the message.
• If Quarantined, go to the Quarantine and deliver the message. If the message still does not arrive from quarantine after you deliver it, contact Support to troubleshoot the cause.

2. On the search results page, look for the message and view the results in the Disposition column:
• If Delivered, the message passed successfully through the message security service and may be lost within the recipient’s network.
• If Bounced, click the Message ID link to view message details. Outbound filters for spam, Content Manager, or Attachment Manager may have been the cause.

To track all messages for a sender or recipient, follow these steps:
1. From the Log Search page, run the following query:
• Enter the sender’s address in the From field, and/or the recipient’s address in the To field.
• Select Inbound or Outbound for the Direction. Leave this field blank to search on both inbound and outbound mail.
• Click Search.
2. On the search results page, view the following fields:
• View the To field to view a complete list of recipients for the sender’s messages.
However, to analyze filter settings and determine the cause of a message being delivered or quarantined, you’ll need the Message Header Analyzer. The message security service inserts custom tags into the message headers of processed email. The Header Analyzer uses these tags to determine why a message was quarantined or allowed through.
Chapter 19: Batch Processing

About Batch Processing

Batch processing is a quick and efficient method to perform a large number of configuration changes by creating, validating and running command scripts in real-time. The batch commands allow you to modify, and gather reports on:
• organizations
• users
• domains
• aliases

Important: For detailed information about the batch commands, fields, and protocols, see the Email Security Batch Reference Guide.

When To Use Batch

Authority privileges determine which batch commands an administrator can run, just as they determine what parts of the Administration Console an administrator can access. Batch processing is independent of your currently viewed location within the Administration Console, since each batch command contains details about where to apply. Configuration changes should be made by batch whenever:
• The number of changes is too great to effectively use the Administration Console.
Appendix A: Customizing Notifications

About Customizing User Notifications

Although it is not necessary to edit notification messages, you may customize their text. You might do this for branding purposes, or to provide further information or details to your users. If you choose not to customize any notifications, the default email that is automatically generated includes a basic message with your organization's branding included. Notification messages use tokens.
3. On the User Notifications page, click the link to a notification. For example, click the “Welcome New User” link to edit the welcome message.
4. Choose one of the four options for customizing notifications.
• Edit a notification: Insert your own text in the text box, and use “tokens” for displaying variables. See “Editing Text with Tokens” on page 386.
• Upload a File: Create the notification in an external editor and upload the message.
Keep in mind that the “stock” notification and the “default” notification are not the same. The stock notification is what the parent organization supplies one time only to a sub-organization when that organization is created; whereas the default notification is the original system-wide template. They could be the same, but if the parent organization modified the default before the sub-org was created, the sub-org received a copy of the customized message.
If you have enabled the Quarantine Summary, you will see these editing options:
5. Click the Submit button to save your changes.

Make sure to include header information (“Date:”, “From:”, “To:” & “Subject:”) as seen in the templates at the top of the text field. If no header information is included, then the notification messages will bounce. Pay special attention to the tokens that you can insert into the text. If they are mistyped, then they will not be replaced with the associated value.
For example, you should use the token for the “From” address rather than hardcoding an actual support address. Then if you change the “Support Contact” for your organization, you can be assured the change is reflected in all notifications sent to your users.

Wrapping Text around Tokens in Notifications

Once you determine what content your customized message should include for a particular notification, you may simply compose the text and insert any tokens you wish to use within that message.
3. After the Subject of the e-mail, leave a blank line and then include the following HTML text:
4. After the body content of the HTML notification insert:
5. The message should look something like this:

Content-Type: text/html
Date: <-date->
From: "<-isp-> Support" <<-from->>
To: <-notice_address->
Subject: <-isp-> First Junk Email Safely Quarantined
...

The first line, Content-Type:text/html, is the HTML MIME Type header. The “From:”, “To:” & “Subject:” lines must be at the top of a custom notification, since they are used as the actual message headers for the message when sent out. If they are not included, then the custom notification messages will bounce.
<-date-> The timestamp indicating the date and time the notification was sent.
<-from-> The return address, referenced as your organization's Support Contact in the “Support Address” field (see organization record).
<-address-> The specific user's email address.
<-notice_address-> Used as the location to send notifications as found on each user's user record.
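A pre-upload check for a custom notification, written as an added example (it is not part of the guide or the service). It tests the two failure modes described above: a missing header line at the top of the template, which makes the notification bounce, and a mistyped token, which is sent unreplaced. The function name and the KNOWN_TOKENS set are assumptions; the set holds only the tokens named in this section and must be extended with the rest of the guide's token list.

```python
import re

# Header lines the guide says must sit at the top of a custom notification.
REQUIRED_HEADERS = ("Date", "From", "To", "Subject")
# Assumption: only the tokens named in this section; extend before real use.
KNOWN_TOKENS = {"date", "from", "address", "notice_address", "isp",
                "extra", "inactive2"}
TOKEN = re.compile(r"<-([A-Za-z0-9_]+)->")
# '<-name' that is not closed by '->' (for example '<-address>').
UNTERMINATED = re.compile(r"<-[A-Za-z0-9_]+(?!->)(?![A-Za-z0-9_])")

# Constructed templates: GOOD follows the HTML example above, BAD is broken on purpose.
GOOD = (
    "Content-Type: text/html\n"
    "Date: <-date->\n"
    'From: "<-isp-> Support" <<-from->>\n'
    "To: <-notice_address->\n"
    "Subject: <-isp-> First Junk Email Safely Quarantined\n"
    "\n"
    "<html><body>Dear <-address->, ...</body></html>\n"
)
BAD = (
    "From: support@example.com\n"
    "To: <-notice_adress->\n"
    "\n"
    "Dear <-address>,\n"
)

def lint_notification(template):
    """Return a list of problems found in a custom notification template."""
    problems = []
    # The header block is everything before the first blank line.
    header_block, _, _body = template.partition("\n\n")
    seen = {line.split(":", 1)[0].strip().lower()
            for line in header_block.splitlines() if ":" in line}
    for name in REQUIRED_HEADERS:
        if name.lower() not in seen:
            problems.append(f"missing header: {name}")
    for match in TOKEN.finditer(template):
        if match.group(1) not in KNOWN_TOKENS:
            problems.append(f"unknown token: {match.group(0)}")
    for match in UNTERMINATED.finditer(template):
        problems.append(f"unterminated token: {match.group(0)}")
    return problems

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_notification(text))
```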
When using the above string in your notification, the user would only need to enter a password to log in after clicking the link. However, if you are using the “Login Widget” on your web site to provide remote, branded, access to the Message Center for your users, you can alternatively send users to the page directly that hosts the Widget by simply inserting the URL and disregarding the use of tokens. For example, you might use in your notification: http://www.jumboinc.
Once you log in, you will be asked to change the temporary password. If you require additional assistance, please contact your administrator. Thank you! <-isp->

The “From:”, “To:” & “Subject:” lines must be at the top of a custom notification, since they are used as the actual message headers for the message when sent out. If they are not included, then the custom notification messages will bounce.

where the URL is the location of the Widget for your organization.)

My First Spam Notification

Users receive this message when they receive their first junk mail. The “From:”, “To:” & “Subject:” lines must be at the top of a custom notification, since they are used as the actual message headers for the message when sent out. If they are not included, then the custom notification messages will bounce.
The return address, referenced as your organization's Support Contact in the “Support Address” field (see organization record).
<-address-> The specific user's email address.
<-notice_address-> Used as the location to send notifications as found on each user's user record. Note: By inserting this address as the “To” recipient, the notification is sent to a recipient which may not necessarily be the owner of the Message Center account.

where the URL is the location of the Widget for your organization.)

New Spam Notification

Your users receive the New Spam notification when suspicious messages are held in their Message Center quarantine, pending review. The time period between notifications is determined through the “Notification Interval” setting. The “Date:”, “From:”, “To:” & “Subject:” lines must be at the top of a custom notification, since they are used as the actual message headers for the message when sent out.
** Log in now to review suspicious messages sent to your account. ** ******************************************************************** <-inactive2-> Login information for the user if using PMP, otherwise nothing. If using PMP as the authentication method for your organization, you must provide a temporary password for the user to log in to his or her Message Center.
Virus Alert Default Notification

Your users receive the Virus Alert whenever a virus-infected message is quarantined within their Message Center, pending review. This notification is generated immediately whenever an infected message is found. The “Date:”, “From:”, “To:” & “Subject:” lines must be at the top of a custom notification, since they are used as the actual message headers for the message when sent out. If they are not included, then the custom notification messages will bounce.

<-date-> The timestamp indicating the date and time the notification was sent.
<-from-> The return address, referenced as your organization's Support Contact in the “Support Address” field (see organization record).
<-address-> The specific user's email address.
<-notice_address-> Used as the location to send notifications as found on each user's user record.
Dear <-address->, Your value-added email services are now DISCONTINUED. Any suspicious messages that may have been quarantined in your private Message Center have been forwarded to your email account. <-extra-> Please be advised that your request to discontinue these services may result in junk mail or virus-infected messages arriving to your inbox without the benefit of filtering.
Used as the location to send notifications as found on each user's user record. Note: By inserting this address as the “To” recipient, the notification is sent to a recipient which may not necessarily be the owner of the Message Center account. In most cases, you should use the Notice Address for the “To” line. If no “Notice Address” address exists for a user record, this field defaults to inserting the normal user “Address” (above).
Appendix B: Interpreting Header Fields

About Header Fields

When messages are processed by the message service, custom header fields are placed in email-message headers. This header information can be useful for either determining email disposition or for handling support issues.

To open the full header in Google Apps:
1. Log in to Gmail.
2. Open the message whose header you want to see.
3. Click the down arrow next to Reply, at the top-right of the message pane.
4. Select Show original. The full header appears in a new window.

Received Header Field

The service includes a “Received” header field in each message processed.

Spam Filters
• S = General/bulk spam score
• CV = Internal use only. This has no effect on the overall spam score or message disposition.
• P = Sexually explicit (pornography) spam score
• M = Make-money-fast (MMF) spam score
• C = Commercial or “special offer” spam score
• R = Racially insensitive spam score

Spam Scores

A spam score of 100 on the S filter would indicate that this email contains nothing that triggers the general spam filter (it is a valid message).

If a message scores as blatant spam, the BSB disposition of bounce or blackhole results in a discarded message, and there are no spam-related header fields for those messages. The BSB score was added to make it clear to someone evaluating the header that the message did meet the spam score criterion but failed to meet the BSB score criterion.

X-pstnvirus Header Field

When a virus is detected, the message service inserts the X-pstnvirus header field to show what virus was caught.

The first number is the user's Bulk Filter (base) spam setting:
• 1= lenient
• 2= less lenient
• 3= moderate
• 4= more aggressive
• 5= most aggressive

In the example above, the user's bulk filter was set to 5, the most aggressive setting. The parenthesized pair of numbers indicate the user's base threshold and effective threshold. These are derived values and should not be directly interpreted, as they are subject to change.
X-pstn-2strike Header Field

An exception to the spam score and threshold calculations is the X-pstn-2strike header field. The X-pstn-2strike field indicates that the spam score was below the effective threshold, but was likely a valid message. This is based on the IP address of the sender and other message characteristics. If the spam score (S:) is greater than 0.15, the message was allowed through as a valid message.

Example:
X-pstn-levels: (S: 0.22604/99.8045 R:97.45080 P:76.42022 M:64.93900 C:93.

X-pstn-neptune-rslt: pass

You may also see the following header field, which indicates that the message has suspicious behavior and content and may be treated as a virus:

pstn-neptune-cave-rslt: virus

If a message triggers Early Detection for viruses, this field appears in the message header:

X-pstn-neptune-cave-rslt: pbox

Industry Heuristics Header Fields

Industry Heuristics (optional feature) generates these header codes:
• LC: legal content
• FC: financial content
• LT: legal transport
• FT: fi
The score for the legal content category appears on the levels line, LC: 0.1839. The score is less than 85, which triggers the category. Because this category was triggered and because the legal-content filter was set to the highest value, the effective threshold on the settings line was set to zero (1.0000:0.0000). The effective threshold is compared to the spam score. If the spam score is less than the effective threshold, the message is spam.
agoodman@jumboinc.com is the From address used in evaluating the user’s approved- and blocked-sender lists. If the address appears on one of these lists, the processing is terminated and the disposition is noted on this line. The text after the address can be one of the following options. (If nothing appears, the address was not on any of the following lists.) forward (org good) Address is on the organization's Approved Senders list.
X-pstn-nxpr and X-pstn-nxp Header Fields

When messages are delivered to Google Gmail, these header fields are added, and display information similar to the following:

X-pstn-nxpr: disp=neutral, envrcpt=address
X-pstn-nxp: bodyHash=e7a578306639faf47072571274493f2ce89341bc

These header fields refer to only internal information.

Attachment Manager and Content Manager Header Fields

Attachment Manager and Content Manager add header fields when they quarantine an email message.

X-pstn-levels: (S: 0.46800 R:95.91081 P:95.91081 M:99.85141 C:55.44761 )
X-pstn-settings: 5 (2.00000:8.00000) r p m C
X-pstn-addresses: from
X-pstn-disposition: quarantine

The header fields give this information about the message:
• The overall spam score is 0.46800.
• The only junk mail filter triggered was the Commercial Offer filter (C).
• The user's Bulk Spam filter was set to Most Aggressive (5).
• The Effective threshold was 8.
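The header reading described in this appendix, as an added example that is not part of the guide or the service: it parses the X-pstn-levels, X-pstn-settings and X-pstn-disposition fields of a raw message and applies the rule that a spam score below the effective threshold means spam. Function names are hypothetical, and treating an upper-case letter on the settings line as a triggered filter is an assumption inferred from the example above.

```python
import re
from email import message_from_string

# Filter codes and bulk-filter levels as listed in this appendix.
FILTERS = {"S": "general/bulk", "P": "sexually explicit", "M": "make-money-fast",
           "C": "commercial offer", "R": "racially insensitive"}
BULK_SETTING = {1: "lenient", 2: "less lenient", 3: "moderate",
                4: "more aggressive", 5: "most aggressive"}

# Constructed sample: the example header values from this appendix plus a dummy body.
SAMPLE = """\
X-pstn-levels: (S: 0.46800 R:95.91081 P:95.91081 M:99.85141 C:55.44761 )
X-pstn-settings: 5 (2.00000:8.00000) r p m C
X-pstn-addresses: from
X-pstn-disposition: quarantine
Subject: constructed sample

body
"""

def parse_levels(value):
    """Return {code: score}; for 'S: 0.22604/99.8045' only the first number is kept."""
    return {code: float(num)
            for code, num in re.findall(r"([A-Z]+):\s*(\d+(?:\.\d+)?)", value)}

def parse_settings(value):
    """Split '5 (2.00000:8.00000) r p m C' into its documented parts."""
    m = re.match(r"\s*(\d)\s*\(([\d.]+):([\d.]+)\)\s*(.*)", value)
    if not m:
        raise ValueError(f"unrecognised X-pstn-settings value: {value!r}")
    flags = m.group(4).split()
    return {"bulk": int(m.group(1)), "base": float(m.group(2)),
            "effective": float(m.group(3)),
            # Assumption from the page's example: upper case marks a triggered filter.
            "triggered": [f for f in flags if f.isupper()]}

def analyze(raw_message):
    """Summarise the message service's header fields of one raw message."""
    msg = message_from_string(raw_message)
    levels = parse_levels(msg.get("X-pstn-levels", ""))
    settings = parse_settings(msg.get("X-pstn-settings", ""))
    score = levels.get("S")
    return {
        "spam_score": score,
        "bulk_filter": BULK_SETTING.get(settings["bulk"], "unknown"),
        "effective_threshold": settings["effective"],
        # Guide: a spam score below the effective threshold means spam.
        "spam_by_threshold": None if score is None else score < settings["effective"],
        "triggered": [FILTERS.get(c, c) for c in settings["triggered"]],
        # Present only when the 2strike exception described above applied.
        "two_strike": msg.get("X-pstn-2strike"),
        "disposition": msg.get("X-pstn-disposition"),
    }

if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```

Messages discarded by blatant spam blocking carry no spam-related header fields, so parse_settings raises ValueError when X-pstn-settings is absent.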