How do I block junk email, or email that contains potentially malicious code?


This article applies to:

  • Trustwave ECM/MailMarshal Exchange
  • Trustwave MailMarshal (SEG)

Question:

How do I block junk email, or email that contains potentially malicious code?

NOTE: For information about MailMarshal's anti-Spam abilities and settings, see Q10810: What are MailMarshal anti-spam best practices?

Procedure:

There are several ways you can configure MailMarshal to block junk email, or email that contains potentially malicious code. You can implement one or more of the features below. For best practice suggestions see the Anti-Spam and Anti-Malware Basics whitepaper found on the SEG documentation page (requires login).

  1. SpamProfiler:
    • This feature allows MailMarshal SMTP to check messages at the receiver. MailMarshal can refuse, delete, or quarantine messages based on the SpamProfiler evaluation. SpamProfiler is a signature-based service. SpamProfiler is efficient because it does not require messages to be processed by the MailMarshal Engine.
    • In version 6.5 and above, SpamProfiler results can also be used in Standard rules.
    • SpamProfiler is not available in MailMarshal Exchange because MailMarshal Exchange does not perform the Receiver function.
  2. SpamCensor:
    • To classify spam, MailMarshal SMTP includes a facility that performs a multi-dimensional analysis of messages. This facility includes automatic updates provided by Trustwave. You can choose to quarantine or mark messages within the Block Spam rule in the Anti-Spam Ruleset in version 5.X, or the Block Suspect Spam rule in the Anti-Spam Email Policy in version 6.X.
    • MailMarshal Exchange 7.X includes Known Threats updates from Trustwave, but NOT SpamCensor.
  3. BEC Fraud protection:
    • Current versions of Trustwave SEG include customizable functionality that specifically targets Business Email Compromise or "CEO fraud" phishing email.
  4. AMAX and other Yara Analysis Engine based rules:
    • Current versions of Trustwave SEG include advanced anti-malware checks based on Yara scripting. AMAX is maintained and updated by the Trustwave anti-spam team. Advanced customers can create their own scripts.
  5. Blended Threats Service and URL Categorization:
    • With Trustwave MailMarshal (SEG) 7.1 and above, the optional Blended Threats feature can check the URL links from a mail message for malicious code in real time when the recipient clicks the link.
    • URL Categorization (included with maintenance in current versions of Trustwave SEG) checks URL links at the time of processing.
  6. File Attachment Types:
    • Block all Executable, Image, Video and Sound attachments.
    • Block all Encrypted attachments.
      • Due to the encryption on these files, MailMarshal cannot unpack them to examine their contents.
      • You should create a rule to block encrypted attachments so they can be checked, and released if appropriate.
      • Warning: If a rule is not specified to block encrypted attachments, they will pass through MailMarshal unchecked.
    • Block Text and Binary Unknown (in the Other category)
      • Used to block all attachments that MailMarshal currently does not recognize.
  7. File Attachment Names:
    • Use a filename rule to block the following filename extensions that are capable of containing malicious code:
      • *.bat, *.chm, *.cmd, *.com, *.hlp, *.hta, *.inf, *.ins, *.js, *.jse, *.lnk, *.pif, *.reg, *.sct, *.shs, *.url, *.vb, *.vbe, *.vbs, *.wsc, *.wsf, *.wsh
    • Please refer to the following Trustwave Knowledgebase article for more information on blocking files:
      • Q10483 : How do I stop viruses with MailMarshal?
  8. Text Censor Scripts:
    • In addition to blocking specific attachment types and file extensions, we recommend that you create text censor scripts to search for potentially harmful code. The following Trustwave Knowledgebase articles provide examples of text censor scripts you can use to block hoax messages and chain letters, spam, VBS commands, and the message bodies of VBS-type viruses:
      • Text Censor Script Examples - Q10814 : What are some examples of TextCensor Scripts?
      • Stopping Email borne VBS viruses, such as 'Lovebug' - Q10483 : How do I stop viruses with MailMarshal?
      • Spam - how to protect yourself - Q10810 : What are MailMarshal anti-spam best practices?
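As an added illustration of the filename rule in item 7, the following Python is example code written for this article, not MailMarshal's own matching logic. It normalizes an attachment name the way Windows resolves it (drops any path part, strips trailing dots and spaces, ignores case) and then compares the final extension against the extension list above, so names such as `Invoice.pdf.JS` or `update.bat.` are caught rather than slipping past a naive exact-string check. The sample filenames are constructed.

```python
import ntpath

# Extension list taken from item 7 of this article (File Attachment Names).
BLOCKED_EXTENSIONS = frozenset({
    "bat", "chm", "cmd", "com", "hlp", "hta", "inf", "ins", "js", "jse",
    "lnk", "pif", "reg", "sct", "shs", "url", "vb", "vbe", "vbs", "wsc",
    "wsf", "wsh",
})


def normalize_filename(name: str) -> str:
    """Reduce an attachment filename to the form Windows would actually open.

    - drop any directory part (a MIME filename may carry path separators)
    - strip surrounding whitespace and trailing dots/spaces, which Windows
      ignores when it resolves the file type
    - lowercase, because extension matching on Windows is case-insensitive
    """
    base = ntpath.basename(name.replace("/", "\\"))
    return base.strip().rstrip(". ").lower()


def extension_of(filename: str) -> str:
    """Return the final extension (without the dot) after normalization, or ''."""
    name = normalize_filename(filename)
    _root, dot, ext = name.rpartition(".")
    return ext if dot else ""


def is_blocked(filename: str) -> bool:
    """True if the attachment's effective extension is on the blocklist."""
    return extension_of(filename) in BLOCKED_EXTENSIONS


def blocked_attachments(filenames) -> list:
    """Filter a list of attachment names down to the ones a rule should stop."""
    return [f for f in filenames if is_blocked(f)]


if __name__ == "__main__":
    # Constructed sample attachment names for a single message.
    sample = ["Invoice.PDF", "invoice.pdf.JS", "update.bat. ",
              "notes.txt", "..\\open-me.VBS", "report.js.txt"]
    for name in sample:
        print(f"{name!r:22} -> {'BLOCK' if is_blocked(name) else 'allow'}")
```

Only the final extension is compared, consistent with suffix patterns such as `*.js` in the rule, so `report.js.txt` is allowed; a stricter policy could additionally test every dotted suffix.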

Notes:

For more information on blocking email in your organization, please refer to the following Trustwave Knowledgebase articles:

  • Q10483 : How do I stop viruses with MailMarshal?
  • Q10810 : What are MailMarshal anti-spam best practices?
  • Q10814 : What are some examples of TextCensor Scripts?

This article was previously published as:
NETIQKB29181
Marshal KB131

Last Modified 6/8/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10232.aspx