Trustwave SEG 8.3 Release Notes

(Previously known as MailMarshal SEG)

Last Revision: September 26, 2023

These notes are additional to the SEG User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q21185.

New Features
System Requirements
Upgrade Instructions
Uninstalling
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features New in 8.3.2

TLS/SSL Update: The TLS/SSL library included is updated to the current release.

Features New in 8.2

Azure Information Protection Rights Management (AIP RMS) support: Trustwave SEG supports content scanning of items protected by AIP RMS.
Azure SQL Server support: Trustwave SEG supports use of Azure SQL for databases (where SEG is deployed on Azure).
Remote server archiving support: Trustwave SEG supports delivery of messages to an archive server for long-term retention and searching.
SpamProfiler Rescan: To improve detection, SpamProfiler holds some suspect messages briefly for rescanning.
DMARC updates: Trustwave SEG supports the optional PCT keyword for evaluation. Incoming report emails must now pass the sender's DMARC policy by default.
Updated Image Analyzer: Accuracy of Image Analyzer detection is significantly improved.

System Requirements

The following system requirements are the minimum levels required for a typical installation of the Trustwave SEG Array Manager and selected database.

A full discussion of requirements for all supported configurations is available in the Trustwave SEG User Guide. See also Trustwave Knowledge Base article Q11358.

Table 1: System Requirements
Category	Requirements
Processor	Core i5 or similar performance
Disk Space	20GB (NTFS), and additional space to support email archiving
Memory	8GB (6GB available to SEG plus 2GB for operating system). Allow an additional 2GB if SQL Express is installed locally.
Supported Operating System	Windows Server 2022, 2019, or 2016 (Standard or Enterprise versions) Corresponding Workstation operating systems (Installation of server components on these workstation operating systems is not recommended) Installation on earlier Windows Server versions may be possible but is not supported
Network Access	TCP/IP protocol Domain structure External DNS name resolution - DNS MX record to allow Trustwave SEG Server to receive inbound email
Software	Microsoft .NET Framework 3.5 SP1 Database server (managed cloud service): Azure SQL Database Database server: SQL Server 2022, SQL Server 2019, SQL Server 2017, SQL Server 2016 Database server (free versions) - NOTE, Express is not supported when used with MailMarshal SPE: SQL 2022 Express, SQL 2019 Express, SQL 2017 Express, SQL 2016 Express (Service packs listed are the minimum required for compatibility with all supported operating systems.)
Port Access	Port 53 - for DNS external email server name resolution Port 80 (HTTP) and Port 443 (HTTPS) - for SpamCensor updates Port 1433 - for connection to SQL Server database and Reports console computers Port 19001 - between Array Manager and Processing Nodes, and between Array Manager and Admin Web Console IIS server, if installed Note: Additional ports are required by the Nodes for email and updates.

Upgrade Instructions

Please review the SEG User Guide before upgrading.

Trustwave SEG 8.3 supports a direct upgrade from Trustwave SEG 7.3.0 and later versions. This is a change from 7.5.X and earlier.

If your installed version does not support direct upgrade, you can upgrade in steps.

You should also consider performing a clean installation instead of an upgrade. You should strongly consider moving to MailMarshal 10.X.

Database Prerequisites

SQL 2016 is the minimum SQL Server version supported.
- See the System Requirements section for the latest list of supported SQL Server versions. If your database is hosted on an earlier version of SQL Server, before upgrading you must move the database to a supported SQL Server. See Trustwave Knowledge Base article Q10410.
SEG supports Windows Authentication as well as SQL Authentication. Mixed Mode is no longer required.

You can access a supported SQL Express version from the Prerequisites tab of the SEG installation package. The "With SQL Express" version of the package also allows you to install SQL Express during the main SEG installation.

Upgrading a Single Server

To upgrade a single SEG server from any version supporting direct upgrade, install the new version on the existing server. You do not need to uninstall your existing version. The database will be upgraded in place, if necessary.

Upgrading an Array of Servers

After upgrading the Array Manager you can upgrade the processing servers through the Configurator, with no need to log on to the processing servers. For more information, see the Upgrading section in the User Guide.

For upgrades to version 8.X from 7.X, you must upgrade processing servers manually. The Configurator option to upgrade processing servers is not available for this upgrade due to the nature of the changes required.
For upgrades to version 8.1 or above from 8.0, the change to the Microsoft Universal C++ Runtime package may cause the remote upgrade to fail if prerequisites are not already installed on the processing server. In this case you must upgrade processing servers manually.

Upgrading From Older Versions

To upgrade from a version prior to 7.3.0, first upgrade to version 7.3.0. Full details about upgrading to version 7.3.0 from older versions can be found in the documentation for the target version.

Notes on Upgrading

Note: The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q21185.

Read the notes for all versions newer than your installed version. This list only includes information about versions newer than 7.3.0. For earlier versions, see the release notes of each version.

8.3.2 TLS Cipher Lists: If you have manually entered cipher lists for TLS using the TLSCipherList Registry or Advanced setting, you must modify the manual cipher lists due to changes in the TLS/SSL library. See Trustwave Knowledge Base article Q21203.
8.2 Server Threads: In SEG 8.2 and above, the "optimized" setting for Engine threads is calculated as twice the number of logical processors on each server (earlier versions use "logical processors + 1"). This change increases efficiency with asynchronous unpacking. However if you experience memory limitations, you should consider manually setting the number of threads to a lower value. See Help for more information.
8.2 Virus Cleaning removed: SEG 8.2 and above does not allow "virus cleaning" rules. Before upgrading, you must disable or remove all virus scanning rules that specify the "and is cleaned" check. Virus cleaning is deprecated by scanner providers, is very rarely successful and is a significant security risk.
8.X Upgrade on Terminal Services server: Upgrade from 7.X to 8.X on a Terminal Services server is not supported. In this scenario you can fully back up the configuration of the 7.X installation, uninstall (leaving the folder and contents in place), install the 8.X software, and import the configuration. (Trustwave does not recommend running SEG in production on a Terminal Services server.)
8.1.1 Stopping Services: On upgrade from 8.1.0 (only), you may need to manually terminate the Sender, Receiver, and SpamProfiler processes.
8.1.0 Social Security and Credit Card detection: On upgrade, new TextCensor scripts for Social Security and Credit Card detection are installed.
- Default rules that use these scripts are updated as follows:
  - Rules that are present and disabled are updated to use the new scripts.
  - Rules that are present and enabled are copied immediately below the original rule. The new copy is updated to use the new script. Both the old rule and the copy are enabled.
- Rules that use the old scripts with extra conditions (not the default rules) are not changed. The installer notifies you to update rules and scripts manually.
8.1.0 Receiver and SpamProfiler initialization delay: On service start, the Receiver service waits for the SpamProfiler service to be ready. At the first startup after installation or upgrade from SEG 7.X, SpamProfiler can take several minutes to download the initial database.
- If SEG does not have Internet access for updates, disable the SpamProfiler service.
8.1.0 Web Console prerequisites: The Web Console uses the SEG REST interface to communicate with the Array Manager. You must enable REST to use the Web Console.
8.0.3 RPC version change: SEG 8.0.3 components are not compatible with earlier 8.0 releases. When upgrading to 8.0.3 you must upgrade all components including the Array Manager, processing servers, and user interfaces.
8.0.0 64-bit Installation: Upgrade uninstalls the 32-bit software and installs the 64-bit software in the new default location (or a location you select).
- The Registry settings and configuration files are moved to the new location. All configuration settings are preserved.
- Quarantine folders are not moved. You can move quarantine folders after the upgrade is complete. To change the default quarantine folder location and automatically move messages, after upgrade of processing nodes is complete use the SEG Server Tool on each node. To change custom folder locations, see folder properties in the Configurator.
- Malware/Virus scanners must be manually installed. 64-bit versions of all "for marshal" virus scanners are available.
  - You must manually install the 64-bit scanners on each processing node and complete the engine and signature updates before starting the new SEG engine.
  - If no other 32-bit products are using the scanners (WebMarshal or Trustwave ECM), you can uninstall the 32-bit scanner packages.
  - At this release, the Symantec and SAVI (Sophos) scanners are not supported, as 64-bit interfaces are not currently available. Trustwave intends to support these scanners in a later release. Note that Sophos for Marshal is available and can be used as an alternative to SAVI. To license Sophos for Marshal, contact Trustwave.
- Web Components installation does not support upgrade. You must manually uninstall the previous version and install the new version. When configuring SQM, ensure you select the same authentication mode as was previously selected.
- External Command custom executables in the original install location are not moved. Where the command definition uses the {install} variable, the installer updates configuration as required to continue to reference the original location.
  - Note: In the rare case of an array where the installation location on the nodes is not the same as the location on the Array Manager, this reference update will not work. In that case you must move the custom executable and modify configuration to reference it correctly.
- CountryCensor is NOT supported in SEG 8.X. You must remove any CountryCensor rules before upgrading.
- Any custom credentials used to run SEG services are not applied to the 8.0 services after upgrade from 7.X. You must update the credentials manually.
8.0.0 Upgrade Policy Groups: Upgrade creates policy groups and rules to implement BEC Fraud checking and DMARC functions.
8.0.0 SQL Server support: SQL 2008 and SQL Express 2008 are no longer supported. If your database is hosted on a SQL 2008 server, BEFORE upgrading you must move the database to a supported SQL Server. See Trustwave Knowledge Base article Q10410.
8.0.0 TLS Cipher default: Upgrade changes the default TLS cipher setting to "Medium" if it was set to "Low." The "Low" setting is renamed to "insecure compatibility" and should only be selected if required to communicate with servers that do not meet current best practice recommendations for TLS.
8.0.0 TextCensor upgrade: Version 8.0 implements a new TextCensor with slightly changed functionality. See the User Guide for details of the features and matching behavior. In rare cases the small changes in matching behavior could affect the sensitivity of scripts triggering.
- The upgrade process checks existing scripts for compatibility with the new engine. If any scripts are incompatible, you must update them manually before upgrade can proceed. A standalone tool is available to check compatibility before you start the upgrade process. See the upgrade download page.
8.0.0 Engine thread optimization: On upgrade, if the server thread setting was configured for a "Small" or "Large" site, the Engine thread setting is optimized to number of processors plus 1 for each processing server. If the thread setting was customized, the selected number is not changed. You should consider enabling optimization to enhance performance.

Uninstalling

SEG can be installed in a variety of scenarios. For full information on uninstalling SEG from a production environment, see the Trustwave SEG User Guide.

To uninstall a trial installation on a single computer:

Close all instances of the SEG Configurator and SEG Console.
Use Add/Remove Programs from the Windows Control Panel to remove Trustwave SEG.
Use Add/Remove Programs from the Windows Control Panel to remove additional components you may have installed, such as Web components or the Marshal Reporting Console.
If you have installed any components (such as the Configurator, Console, Web components, or Marshal Reporting Console) on other computers, uninstall them.
If you have installed SQL Express specifically to support SEG and no other applications are using it, uninstall SQL Express.

Release History

The following additional items have been changed or updated in the specific build versions of Trustwave SEG (previously MailMarshal) listed.

Note: The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q21185.

8.3.2 (September 26, 2023)

MM-8664	For Service Provider Edition installations, blank MAIL FROM could cause later messages to be denied due to unset Customer ID. Fixed.
MM-9225	API calls are provided to update and delete "usermaintained" user groups in bulk.
MM-9568	For Service Provider Edition installations, the flag to allow "no tenant" messages could be ignored when multiple messages were sent on a connection. Fixed.
MM-9571	The Syslog service did not correctly load self-signed certificates. Fixed.
MM-9638	A configuration setting is available to reduce virus scanner initialization footprint where applicable.
MM-9639	Sophos for Marshal Virus scanning results are cached where possible to enhance performance.
MM-9719	For Service Provider Edition installations, an option is available to bind different IP addresses for inbound and outbound traffic, per node.
MM-9744	An option is available for the Receiver to save abandoned messages on restart for analysis.
MM-9746	An option to disable delivery fallback to the domain A record is available.
MM-9747	The Controller service clears the unpacking Temp directory when starting.
MM-9769	Updated Visual C++ 2019 redistributables are included in the installation.
MM-9789	Marshal IP Reputation update checks used a direct ANY DNS query. Fixed: an A record query is used.
MM-9790	Transient DNS errors could cache a bad result for 24 hours. Fixed: transient errors are retried after one minute.
MM-9800	ARC evaluation could fail for certain canonicalization values. Fixed.
MM-9818	The DMARC library included is updated.
MM-9843	DKIM signing failed on specific message header and body sizes. Fixed.
MM-9847	DMARC evaluation now considers multiple domains in the From: header and applies the most restrictive result. DKIM signing is attempted for the first domain in the From: header that belongs to a local domain with DKIM enabled.
MM-9894	The Receiver service could stop unexpectedly when TLS renegotiation was requested. Fixed.
MM-9915	On Service Provider Edition installations, Domain Similarity evaluation did not trigger. Fixed.
MM-9916	Message extraction for DKIM signing uses a larger buffer for improved performance.
MM-9952	DMARC evaluation now considers results of checking all DKIM signatures present in the message.
MM-9959	Deletion of long unpacking paths is improved.
MM-9961	A new REST API request type is available to retrieve a MML file without unpacking.
MM-10136	The Archiver service used to connect to Cloud Archiving could stop in a specific case. Fixed.
MM-10138	Client- initiated TLS renegotiation is disabled to mitigate a potential Denial of Service attack.
MM-10141	Rule Profiler data provided through the REST API was invalid. Fixed.
MM-10171	The File Update notification email is reformatted and more informative.
MM-10192	Email messages with the ! character in the local part are no longer blocked by the "suspicious local part" setting.
MM-10195	BTM statistics retrieval is limited to the last 7 days.
MM-10326	For Sent History items, the API did not return a usable reference to the original MML content. Fixed.
MM-10344	The header From: value was not properly populated when the value contained a comma. DKIM would fail due to the empty value. Fixed.
MM-10345	Content-Transfer-Encoding `x-uue` is recognized (treated as `x-uuencode`)
MM-10353	For Service Provider Edition installations, the "LHASH" parameter for delivery between nodes is ignored if it cannot be decoded.
MM-10381	Group Manager querying of Connector groups is more efficient.
MM-10391	Opening a message from the Console could time out when nodes were distant from the Array Manager. Fixed
MM-10403	It is now possible to specific the IP address binding for the API deliveryserver/check function.
MM-10404	For Service Provider Edition installations, messages from an authenticated connection must be from or to domains belonging to the authenticated customer.
MM-10405	For Service Provider Edition installations, the local loopback target IP address can be specified.
MM-10416	Controller retrieval of user groups is now batched for efficiency.
MM-10440	For Service Provider Edition installations, SPF checking caused the Receiver to stop where IPv6 bindings were present. Fixed.
MM-10507	The version of Image Analyzer included is updated to resolve a memory leak issue.
MM-10510	Delivery of Syslog records to the remote server is multi-threaded to cater for much higher volume.
MM-10512	Database connectivity supports SQL Multi-Subnet Failover.
MM-10515	DMARC Aggregate Reports could include data from multiple days. Fixed.
MM-10585	For Service Provider Edition installations with IPv6 bindings, the Receiver stopped unexpectedly in SPF evaluation. Fixed.
MM-10759	The location of the Controller Temp folder can be configured using a Registry entry.
MM-10828	SPF evaluation over-counted the number of DNS lookups required. Fixed.
MM-10912	The TLS/SSL library is updated.
MM-10920	The FolderRetention variable is now available for use in notification templates as well as in digest templates.
MM-10949	The Array Manager did not honor multi-subnet settings when testing Syslog database connection. Fixed.
MM-10955	The Receiver could stop unexpectedly when evaluating certain badly formed DKIM signatures. Fixed.
MM-10961	Logic to throttle message acceptance under high load is improved.
MM-10981	IP group membership was not correctly propagated to processing servers after complete refresh of the group with some continuing members. Fixed.
MM-10984	For Service Provider Edition installations, the Syslog service uses the globally configured certificate for all customers.
MM-10985	Array Manager retry behavior during transient database errors is improved.
MM-11031	For Service Provider Edition installations, an option is provided to reject messages addressed with a domain part that is a non-routable IP address.
MM-11057	Performance counters for the Syslog service were not created on an Array Manager only install. Fixed.

8.2.6 (December 21, 2020)

MM-6770	SEG supports verification of DKIM signatures signed with Ed25519-SHA256 (RFC-8463).
MM-8477	When services restart, the Receiver service is started first to improve responsiveness where the Engine loads a large configuration.
MM-8698	Some URL validation issues were not covered by the fix in MM-7191 (release 8.2.4). Fixed.
MM-8733	For SEG Service Provider Edition installations, additional checking of the Customer ID is performed when a user attempts to view a message.
MM-8757	In version 8.2.2 and above, DMARC validation failed when SPF was validated but an invalid DKIM key was retrieved. Fixed.
MM-8781	The cloud archiving service could stop delivering messages to the archive (messages were queued at the SEG server). Fixed.
MM-8823	When AD Authentication is used in the Receiver, the sender address can be validated against the user's email addresses retrieved from AD.
MM-8902	For SEG Service Provider Edition installations, the domain part of Reputation Service results is not shown in logs so that paid domain keys are not visible.
MM-8910	DMARC report generation deleted unrelated configuration files from the Unpacking\Temp subfolder. In some cases the Engine service stopped as a result. Also, invalid DMARC report messages were never deleted. Both issues fixed.
MM-8917	Expired day folders within the DMARC Reports folder were never deleted. Fixed.
MM-8938	For SEG Service Provider Edition installations, Receiver SPF checking for local addresses could cause some notification messages to fail. Fixed.
MM-8942	In version 8.2.3 and above, the "last seen" date for user group entries was not updated as expected. Fixed.
MM-9089	For SEG Service Provider Edition installations, DMARC can be evaluated even if the destination customer has not enabled DMARC.
MM-9102	The database record for a message could show an incorrect subject where multiple messages were received on the same connection. Fixed.
MM-9139	The TLS/SSL library used by SEG has been updated.
MM-9142	Removing child IP groups caused the Array Manager to stop. Fixed.
MM-9156	To enhance performance on very busy systems, the maximum values for sender threads configurable in the user interface have been increased and the sender check for processed messages is more frequent.
MM-9209	DMARC Reporting activity could consume excessive database connections. This issue has been addressed with changes to the connection logic.
MM-9218	Rejected message records in the database did not correctly translate IPv4 addresses stored in the IPv6 column. Fixed.
MM-9246	The REST API could not retrieve mail component files with specific characters in the file name. Fixed: the API call has been updated to use the POST method.
MM-9262	In SURBL category lookups, the domain part of Reputation Service results can be hidden in logs so that paid domain keys are not visible.
MM-9435	CRL lookups results are cached in memory for up to an hour to reduce load caused by extremely large CRLs.
MM-9449	The Syslog service continued to retry sending and made excessive requests to the database when the target Syslog server refused connections. Fixed.
MM-9456	If the directory referenced by the Cloud Archiving service was not present, messages for archiving were deadlettered. Fixed: the directory is re-created if necessary.
MM-9510	The Engine service experienced excessive memory usage and file handle usage in some circumstances. Fixed.
MM-9534	Usergroup pruning settings were not saved in the configuration backup. Fixed.
MM-9544	The Receiver service no longer uses ANY queries when querying DNS based block lists.
MM-9547	The Receiver service no longer uses ANY queries when querying the Marshal Reputation Service.
MM-9573	For SEG Service Provider Edition installations, temporary files for messages that were split based on recipients were not deleted in some cases. Fixed.
MM-9567	The Syslog service could stop due to a race condition when invoked from multiple threads. Fixed.
MM-9569	User group pruning did not delete entries containing upper case letters. Fixed.

8.2.4 (October 31, 2019)

MM-6570	For SEG Service Provider Edition installations, email between customers on the same system retains the external sender IP for policy evaluation.
MM-6764	For SEG Service Provider Edition installations, client authentication did not override relay table checking. Fixed.
MM-6848	MMReleaseMessage checking of recipient addresses was case sensitive. Fixed.
MM-7124	For SEG Service Provider Edition installations, visibility of messages in the SQM did not match the retention period for the containing folder. Fixed.
MM-7139	SEG attempts to load a header rewrite map file from additional locations including the installation, Config and NodeConfig folders.
MM-7147	DMARC evaluation did not correctly check domain alignment of the DKIM result. Fixed.
MM-7176	The default retention period for service logs is increased to 14 days.
MM-7191	Reputation Services could return a TEMPFAIL for an indefinite time due to submission of URLs with a trailing . character. Fixed: the URLs are truncated correctly before submission.
MM-7254	In 8.1 and 8.2 releases, the User Filter function of the Console Recycle Bin returned an error. Fixed.
MM-7291	The DKIM signature header is added above existing headers (previously was at the end of headers).
MM-7297	Moving of temporary files during Receiver processing could fail. Fixed: moving is retried for a limited time.
MM-7298	Notification message names are logged to the Engine text log, for events such as dead letters.
MM-7317	DKIM header signing now only includes the headers recommended in the DKIM RFC.
MM-7603	The SpamProfiler "bulk" response attribute is captured for further processing.

8.2.3 (July 2, 2019)

MM-6447	In version 8.1 and above, the SQM Mail Search in "all folders" returned no results. Fixed.
MM-6759	The Engine stopped when the Executive Names list contained Unicode characters. Fixed.
MM-6790	For SEG Service Provider Edition installations, messages were incorrectly marked as having an external sender in specific cases. Fixed.
MM-6835	The Trustwave Email Archiving rule action could queue messages for archiving when the feature was not configured or the license was expired. Fixed.
MM-6849	The JSON structure returned from the API quarantine folders call has been improved.
MM-6850	The Engine now continues to run when incorrect Azure Information Protection credentials are provided. Affected messages will be deadlettered.
MM-6852	Azure Information Protection is added to the REST API.
MM-6856	ACE archive unpacking executables are removed from the product on install and upgrade.
MM-6865	Azure SQL Managed Instances are detected for feature support.
MM-6876	For SEG Service Provider Edition installations, caching of AIP RMS credentials is improved.
MM-6878	For SEG Service Provider Edition installations, per-customer use of AIP RMS credentials is enabled.
MM-6892	Adding users to groups in the database could cause delays for email logging. Fixed.
MM-6904	Unpack exceptions did not log the file name. Fixed.
MM-6909	In earlier 8.2 releases, HTML message stamps configured for the bottom of a message were placed at the top of certain poorly formatted messages. Fixed.
MM-6917	Insertion of Receiver logs to the database could be slow, resulting in deadlocks. Fixed.
MM-6919	Insertion of Receiver logs to the database could be slow, resulting in deadlocks. Fixed.
MM-6924	For SEG Service Provider Edition installations, the Customer ID is included with Syslog Quarantine Audit records.
MM-6925	Database log processing could be slow on installations with very large user groups while the "last seen" data was updated. Fixed.
MM-6938	Certain header field variable additions included an extra carriage return character. Fixed.
MM-6973	Syslog service reloading has been updated to work with SEG Service Provider Edition installations.
MM-6982	On upgrade to previous versions, some new SQL table indexes were not created. Fixed.
MM-6986	Additional indexes are created on SQL DMARC tables.
MM-6990	The Receiver could stop unexpectedly when processing a malformed DMARC record. Fixed.
MM-6991	The "do not NDR" rule action was not applied to BCC copies of the original message. Fixed.
MM-6999	The Routing Table format has been modified to support SEG Service Provider Edition scenarios.
MM-7007	Checking of receiver "time behind" and engine throttling is improved.
MM-7065	Array Manager file operations could fail due to the DMARC report generator not releasing some files when an exception occurred. Fixed.

8.2.2 (February 14, 2019)

MM-6700	Some installations affected by the issue fixed in MM-4324 required a manual update to stored procedures after every upgrade. Fixed.
MM-6763	When Syslog processing was enabled, the Array Manager could stop unexpectedly. Fixed.
MM-6771	In earlier 8.2 releases, folded Subject lines were not correctly populated by the Receiver. Fixed.
MM-6772	In earlier 8.2 releases, DKIM signing and verification did not correctly handle folded headers. Fixed.
MM-6783	In version 8.1 and above, the repacking flags for external commands were incorrectly set. Fixed.
MM-6785	Syslog processing caused the Array Manager to stop with certain system date formats. Fixed.
MM-6787	The Array Manager log now includes more details of DBLog file processing.
MM-6788	The default settings for update of the "last seen" value (user group pruning) have been adjusted to improve database performance on large sites.
MM-6789	In some cases the Engine did not deadletter a message when an exception occurred in unpacking. Fixed.
MM-6795	In version 8.1 and above, slow processing of rule profiling data at the Array Manager could cause DBLog files to be queued at the processing servers. Fixed.
MM-6799	Rule profiler usage statistics were incorrect when a rule was copied. Fixed.
MM-6802	Routing table entries containing high ASCII characters such as umlaut characters could not be edited in the Configurator. Fixed.
MM-6804	Gathering of Product Improvement Program (telemetry) data caused services to fail when the SQL server was unavailable. Fixed.
MM-6807	The SpamProfiler cartridge (executable) included in the release has been updated.

8.2.1 (December 14, 2018)

MM-6731	Messages deadlettered due to rejection by the Archiver server were incorrectly classified as "deadletter - routing". Fixed: these messages are classified as "deadletter - archiving".
MM-6736	The Receiver incorrectly skipped DKIM/DMARC evaluation for inbound messages. Fixed.

8.2.0 (December 6, 2018)

MM-1717	SpamCensor and SpamProfiler results are added to message headers for easier analysis.
MM-4324	Merging a configuration allowed duplicate classification codes. Fixed: Classifications are made unique when merging. Upgrade to 8.2 or above resolves existing duplicates.
MM-4842	IP whitelisting updates are improved to ensure that pruned addresses are not restored by an update.
MM-5007	DKIM keys can now be included in the configuration backup.
MM-5125	Message subjects written to the database by the Receiver and Sender now support wide characters.
MM-5132	For SEG Service Provider Edition installations, the Customer Name is available in Templates and Digests with the variable {CustomerName}.
MM-5554	Global TLD information consumed by all features is retrieved from a file that can be updated through the product update service. An updated file is also included in this release.
MM-5634	When a message is temporarily undeliverable, the failure reason or code is logged to the message table.
MM-5635	A new rule action provides the ability to insert text at the beginning of a message subject.
MM-5740	SpamCensor attachment evaluation now allows multiple entries in the FileType parameter.
MM-5776	The version of the charting software included in the installation has been updated.
MM-5895	The DMARC DNS record check from the Configurator now uses Google DNS or a DNS server set with a registry key.
MM-6251	The DKIM library included is updated.
MM-6277	A new rule action allows SEG to not return an NDR when onward message delivery is refused. This action is logged.
MM-6290	The Sender service could stop unexpectedly in rare cases due to routing issues. Fixed.
MM-6314	The DMARC library included is updated.
MM-6316	Badly formatted DMARC reports were never deleted from folders. Fixed.
MM-6339	The version of the Yara Analysis Engine included is updated.
MM-6341	For SEG Service Provider Edition installations, messages are rejected by default if the SPE Customer ID cannot be determined.
MM-6369	The Configurator now allows selection of more than one Elliptic Curve for key exchange.
MM-6399	Shutdown of the SpamProfiler service has been improved.
MM-6408	The included default database provider driver is MSOLEDBSQL (supporting TLS v1.2 secured connections).
MM-6435	The web access component included with the product is updated.
MM-6449	Image Analyzer has been updated to version 7.
MM-6450	Subfolders of the Config folder are now included in the configuration commit from Array Manager to processing servers.
MM-6501	For outbound messages, SPF, DKIM, and DMARC evaluation is now only performed if explicitly required by rules. Internal servers sending through SEG are not expected to have entries that allow DMARC validation. The previous behavior (evaluating all messages) can be set if required.
MM-6522	Message stamping uses in-memory files to improve performance.
MM-6567	The DMARC Report Import service now only runs if required by configuration settings.
MM-6572	Releasing of messages to multiple recipients by the Controller service is more efficient.
MM-6585	SQM now correctly displays Unicode characters in message subjects.
MM-6586	In earlier versions, encoding tags in the subject line (such as UTF-8) could be ignored if presented in uppercase. Fixed.
MM-6590	The Server Tool now allows explicit configuration of separate Server, Database, and Operational User for the Syslog database.
MM-6597	The DMARC Report Import service runs only when DMARC is enabled for a local domain.
MM-6601	DKIM key generation now allows selection of the key length (1024, 2048, or 4096).
MM-6602	Message stamps now allow CSS STYLE tags to be defined and merged into the styles for the stamped message.
MM-6603	DMARC policy processing now honors the optional "PCT" value.
MM-6608	For SEG Service Provider Edition installations, DMARC settings were not correctly applied for each customer. Fixed.
MM-6609	DMARC validation of incoming DMARC reports has been updated to be independent of other rules.
MM-6611	SpamProfiler holds some suspect messages briefly for rescanning to improve accuracy.
MM-6618	Enabling Syslog in the Configurator no longer checks for a Syslog database. This change allows configuration of the service when the Windows user does not have permission to connect to the database.
MM-6629	Named Expressions in TextCensor scripts could not be edited. Fixed.
MM-6632	SEG now collects anonymized summary system data for the SEG Product Improvement Program by default. For details, see Trustwave Knowledge Base article Q21064.
MM-6643	Message data submitted for SpamProfiler for evaluation is limited in size for performance reasons.
MM-6649	The timestamp of Syslog records was converted to Array Manger local time instead of UTC. Fixed.
MM-6651	When editing or creating a TextCensor script, the presence of named expressions was not correctly checked. Fixed.
MM-6660	The TextCensor DLL included with the installation has been updated.
MM-6692	DMARC tables are indexed for performance improvement.
MM-6695	The Block Malware - Outbreak Detection rules are removed. These rules depend on a sub-category in SpamProfiler that is not currently implemented.

8.1.3 (September 13, 2018)

MM-6564	In earlier 8.1 releases, certain badly formatted email addresses in the MAIL FROM or RCPT TO caused the Receiver to stop unexpectedly. Fixed.
MM-6571	After upgrade from version 8.0 to earlier 8.1 releases, the Credit Card Number, Social Security Number and PCIDSS TextCensor scripts had no "apply to" options selected. Fixed.
MM-6584	The Sender service could stop unexpectedly in rare cases due to message routing issues. Fixed.
MM-6621	The MessageId is changed when a message is released from quarantine (reverting to the behavior in all releases before 8.1.2). To control this behavior, see Trustwave Knowledge Base article Q21049.

8.1.2 (August 9, 2018)

MM-6364	Syslog record transmissions in RFC-3164 format now include the TAG: format to start the content portion of the record.
MM-6465	Syslog Rejected Messages records now populate the From variable with the Return Path address if the From address is empty.
MM-6467	The rule execution profiler result display is improved.
MM-6499	The Sender and Receiver services could fail to stop on command in some cases when a processing thread was unresponsive. Fixed.
MM-6500	Sender logging for null MX record detection is improved.
MM-6504	The MessageId is no longer changed when a message is released from quarantine. The previous behavior can be used if required.
MM-6530	In earlier 8.1 releases, configuration upgrade or import from earlier versions failed if older, unused Routing Tables were present. Fixed.
MM-6531	In earlier 8.1 releases, the Web Admin Console could not connect with Windows Authentication, due to a limitation of the REST interface. Fixed: the Web Admin Console uses the earlier port 19001 interface.
MM-6532	Web Admin Console connections to the Array Manager are reset to use port 19001 if port 19006 had been selected in an earlier 8.1 installation.
MM-6534	Syslog database connections did not work when the database user credential was a Windows username. Fixed.
MM-6535	SpamProfiler cartridge (executable) files could not be updated through automatic updates. Fixed.
MM-6536	Upgrade from release 8.0.1 to 8.1.1 (only) did not correctly upgrade the database. Fixed.
MM-6546	The SpamProfiler cartridge (executable) included in the release has been updated.
MM-6556	The engine could stop unexpectedly when attempting to extract URLs for validation. Fixed.
MM-6560	The version of the PDF unpacker that is included in the installation has been updated.

8.1.1 (June 28, 2018)

MM-6496	Sender logging for null MX record detection is improved.
MM-6498	In release 8.1.0, the Sender and Receiver services might not stop as requested when under load. Fixed.

8.1.0 (June 27, 2018)

MM-2058	Notification email messages for expired TLS certificates are improved.
MM-2267	Category script evaluation is now performed once per message. Engine performance is improved.
MM-3433	The REST API now provides the ability to retrieve a message in the sender queue.
MM-4133	The REST API now provides the ability to locate a user in a usergroup by exact match or wildcard.
MM-4331	Rule execution profiling is improved.
MM-4396	Email processing nodes send a notification email every hour if they cannot contact the Array Manager. For configuration settings see Knowledge Base article Q20987.
MM-4476	Storage of the Routing Tables in Registry has been revised for ease of use.
MM-4839	SEG service logs now provide consistent service startup information.
MM-5131	For SEG Service Provider Edition installations, the Maximum Recipients Per Message setting was not honored by the Receiver. Fixed.
MM-5237	URL rewriting for BTM changed XMLNS tags. Fixed.
MM-5656	The SQM User Settings page did not display the Message Digests tab if digests were configured with user groups containing AD users. Fixed.
MM-5720	Visual C++ 2015 redistributables are now included in the installation.
MM-5721	When a message is released, the processing node performs additional validation to ensure appropriate recipients.
MM-5730	In version 8.0, the Basic Install option did not connect to the local SQL Express instance on the first attempt. Fixed.
MM-5806	Installing SQL Express from the Prerequisites tab of the install window now sets the same options as the install wizard (Mixed Mode and TCP enabled).
MM-5886	On the Configurator DMARC Dashboard, search selections were not properly retained. Fixed.
MM-5994	The size of string data allowed in database logging files from nodes to Array Manager has been increased.
MM-6026	The Engine service would not stop when a thread was hung, in specific cases. Fixed.
MM-6053	Messages rejected at the Receiver are logged to the database.
MM-6117	The web access component included with the product is updated.
MM-6132	The Array Manager could fail to start while retrieving the database details. Fixed.
MM-6139	URL rewriting for BTM changed the envelope subject of a message upon rewriting the subject of an attached message. Fixed.
MM-6153	The Web Console now communicates with the Array Manager using the REST interface.
MM-6154	The Sender service now checks for Null MX records and does not deliver messages to a domain with a valid Null MX entry.
MM-6160	Message rejection codes are added for some additional cases (internal to Receiver processing).
MM-6297	The Receiver waits for SpamProfiler to be ready before accepting mail. On a new installation, SpamProfiler file download and initialization can take several minutes.
MM-6322	The version of the REST SDK used has been updated.
MM-6347	The Database Provider can be changed to MSOLEDBSQL using a Registry setting. This option is provided to allow connection to SQL servers that require TLS 1.2. For configuration settings see Knowledge Base article Q21020.
MM-6370	The TLS/SSL library used by SEG has been updated.
MM-6380	The SpamProfiler cartridge installed with SEG has been updated.
MM-6383	Text logging could cause services to stop where certain values were logged. Fixed.
MM-6405	Installation uses the Microsoft Universal C++ Runtime package.
MM-6427	TextCensor scripts could show an item match limit of 0 (zero). Fixed: the limit displays correctly as "ALL". Script triggering is not affected by the change.
MM-6434	The Engine log could show repeated errors concerning URL Categorization Cache. Fixed.

8.0.7 (May 25, 2018)

MM-6365	The Receiver could stop unexpectedly when processing a malformed DMARC record. Fixed.
MM-6371	The version of Image Analyzer included in the installation has been updated to correct an issue with initialization on Windows 2016 servers.
MM-6373	DMARC message database logging could cause SQL deadlocks under heavy load. Fixed.
MM-6376	DMARC aggregate reports had an incorrect Content Type header. Fixed.
MM-6378	The version of the PDF unpacker that is included in the installation has been updated.
MM-6379	The TLS/SSL library used by SEG has been updated.
MM-6382	.XZ compressed files are unpacked.
MM-6393	Adding message users to groups could cause delays on a busy system with large groups. Fixed.
MM-6395	The customized version of the archive unpacker included in the installation has been updated to address known vulnerabilities. This update was also released to SEG Automatic Updates for earlier supported versions.
MM-6396	User group pruning performance has been enhanced.
MM-6452	The DKIM key text field on the DKIM window now includes a scrollbar to allow the full key to be viewed and copied.

8.0.6.10796 (March 6, 2018)

MM-4120	Folder names entered in the Configurator could include invalid characters. Fixed.
MM-6209	Domain and route entries could not contain the underscore character. Fixed.
MM-6261	For SEG Service Provider Edition installations, the sender no longer attempts to deliver messages to domains that resolve to loopback entries.
MM-6296	Default values used for message unpacking limits in the controller did not match the engine settings. Fixed.
MM-6298	Certain characters in email addresses caused DMARC validation to fail. Fixed.
MM-6300	The DMARC Report Service could stop when dealing with corrupted or large DMARC reports. Fixed.
MM-6301	Loading of IPv6 addresses in IP groups during array manager startup could fail under certain circumstances. Fixed.
MM-6302	The Array Manager did not always use the "preferred server for notifications" when it was available. Fixed.
MM-6315	The sender DNS cache could incorrectly return permanent DNS failures after two consecutive temporary failures. Fixed.
MM-6317	For SEG Service Provider Edition installations, the "Send a copy of the message to host" action no longer requires TLS when TLS is required for the recipient domain.
MM-6320	For SEG Service Provider Edition installations, retrieval of queue information through REST is more efficient.
MM-6321	The REST API could consume a large amount of CPU resource. Fixed.
MM-6323	In earlier 8.0 releases, message details could not be viewed in consoles if the message had been released for all recipients. Fixed.
MM-6331	The receiver now enforces TLS cipher strength ordering (strongest preferred) by default.
MM-6333	Minor improvements and corrections are made to REST API functionality.

8.0.5.10552 (December 12, 2017)

MM-5981	DKIM keys could not be replicated if the Array Manager and processing server were in unrelated domains. Fixed: It is possible to use a generic credential to connect. For details, contact Trustwave Technical Support.
MM-6166	DMARC reports were sent with a blank MAIL FROM. Fixed: reports are sent "from" the DMARC organizational address for the domain.
MM-6210	Messages could not be viewed in the Console if a custom file type was invoked, in some cases. Fixed.
MM-6211	The REST API now provides the ability to list, add, get, and edit TextCensor scripts.
MM-6235	In earlier 8.0 releases, stripping of attachments within archives did not work as expected. Fixed.
MM-6236	In earlier 8.0 releases, setting folder retention to an explicit value longer than 68 years caused unexpected deletion of all messages in the folder. Fixed.
MM-6238	Additional information about DKIM signing and verification is logged.
MM-6256	In earlier 8.0 releases, opening the Database tab of the server tool caused the tool to stop. Fixed.
MM-6258	In earlier 8.0 releases, TLS certificate expiry notifications were not sent from separate processing nodes. Fixed.

8.0.4.10434 (November 7, 2017)

MM-5846	Message subjects are stored in the database as Unicode. Some interfaces, including SQM and digests, display wide characters in subjects correctly. For more information, see article Q20902.
MM-6134	In a database under heavy load, the user summarization stored procedure could time out. Fixed.
MM-6135	For SEG Service Provider Edition installations, queued messages can now be retrieved by customer ID.
MM-6136	The REST API now provides a check for availability of a remote delivery server.
MM-6152	In earlier 8.0 releases, the REST interface could fail to find a message. Fixed.
MM-6161	Configuration import failed when processing some valid combinations of nested user groups. Fixed.
MM-6163	In earlier 8.0 releases, Web Console installation did not present the option of Forms or NTLM authentication. Fixed.
MM-6164	Web Console installation did not enable Windows authentication on the virtual directory when NTLM authentication was specified. Fixed.

8.0.3.10302 (September 19, 2017)

MM-5999	On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-6005	Message stamping has been made more efficient.
MM-6030	The Configurator now shows the date created, date modified, and user names for each rule and policy group.
MM-6031	In earlier 8.0 releases, exceptions in the Yara module could cause the SEG Engine to stop. Fixed.
MM-6045	In earlier 8.0 releases, policy group schedules were not honored. Fixed.
MM-6090	The DMARC dashboard menu for domain selection did not honor the period selected. Fixed.
MM-6118	On upgrade from 7.X, the custom file type list (filetype.cfg) was not copied to all required locations. Fixed.
MM-6120	Changing the retention period on the DMARC Reports folder caused some other properties of the folder to be unset. Fixed.
MM-6121	DMARC Dashboard views in the Console can now be filtered by DMARC alignment status.
MM-6122	The version of the PDF unpacker that is included in the installation has been updated.

8.0.2.10224 (August 11, 2017)

MM-3812	The SEG variables `{ServerAddressSender}` and `{ServerAddressRecipient}` were not correctly used when sending notification messages from templates. Fixed.
MM-5882	Receiver performance could be affected during a configuration reload. Fixed.
MM-5980	In earlier 8.0 releases, requests to upgrade nodes from the Configurator did not succeed. Fixed.
MM-5907	In earlier 8.0 releases the Hash module of Yara was not supported. Fixed. In addition, the version of the Yara Analysis Engine is updated to 1.0.4.
MM-5977	The Console RSS functionality has been improved.
MM-5979	Upgrade is blocked if CountryCensor rules or files are present.
MM-5993	Upgrading to earlier 8.0 releases could fail due to a lock on previous SpamProfiler executable files. Fixed.
MM-5995	On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-5996	Upgrade from 7.X did not check for a supported operating system version (Server 2008 R2 or above) before beginning to copy Registry keys. Fixed.
MM-5997	The version of the PDF unpacker that is included in the installation has been updated.
MM-5998	On upgrade from 7.X, if the upgrade failed the manager listening port was set to 0. Fixed: the port is reverted to the previous value.
MM-6002	When a DMARC disposition was set on a message and the message was not quarantined, it was not delivered. Fixed.
MM-6004	Message stamping at the top of a HTML message did not always correctly identify the beginning of the HTML body. Fixed.
MM-6006	SpamProfiler scores and analysis are always logged to the Receiver log.
MM-6007	The TLD Difference evaluation for domain similarity matched on other local domain names. Fixed.
MM-6008	Items with a SpamProfiler score between 96 and 99 inclusive are tagged as "Spam-Suspect".
MM-6009	Console Audit logs now record opening the message detail.
MM-6010	Header matching now decodes headers (such as UTF-8 encoded headers) if required, and checks both raw and decoded text.
MM-6013	The Edit Distance evaluation for domain similarity could match on other exact local domain names. Fixed.
MM-6023	Cleanup of long paths in the unpacking directory has been improved.
MM-6024	The customized version of the archive unpacker included with SEG has been updated.

8.0.1.10124 (July 10, 2017)

MM-5902	The customized version of the archive unpacker included with SEG has been updated with long filename support.
MM-5904	Receiver socket buffer size is now set dynamically by default to enhance performance.
MM-5906	SPF Fail records can be viewed in the DMARC dashboard.
MM-5909	Calls to message repacking commands are now fully quoted.
MM-5914	In release 8.0.0, category scripts might not be run for all attachments. Fixed.
MM-5915	SpamCensor scanning of parent message and all attached messages has been improved.
MM-5917	On upgrade from versions below 8.X, the destination folder could not be chosen in some cases. Fixed. Also, some 32-bit DLLs are deleted on upgrade as not required.
MM-5918	XML files that were not category scripts could cause upgrade from versions below 8.X to stop. Fixed.
MM-5919	SpamProfiler technology has been updated. For upgrades from version below 7.5.8, the update URLs have changed. For more information about required URLs, see Knowledge Base article Q12992.
MM-5920	The version of the PDF unpacker that is included in the installation has been updated.
MM-5961	On upgrade the SpamProfiler service is updated to the new technology as required.

8.0.0.9997 (June 20, 2017)

MM-1678	SEG variables can be used in Engine Header Rewrite rules.
MM-3142	A domain route can be explicitly marked as "down". Messages that would be delivered through this route will be held without retry or timeout until the route is marked as "up".
MM-3323	Server Properties, General page now shows correct server and time zone information for currently supported Windows versions.
MM-3391	The Engine service better handles stopping and restarting under load (for example with virus scanner reloading).
MM-3841	The Receiver connection count could display an incorrect very high number. Fixed.
MM-3905	Regular Expression checking of attachments in Category Scripts now searches over line breaks in the content by default.
MM-4293	Invalid date formatting in templates was not correctly handled. This issue could cause services to stop. Fixed: variables with invalid date formatting are not substituted.
MM-4386	Blended Threat rewriting incorrectly affected schema names in TNEF attachments. Fixed.
MM-4590	Installers and executables include manifests, as per Microsoft certification requirements.
MM-4836	The Sender service could stop unexpectedly in rare cases related to deadlettering of multiple messages. Fixed.
MM-4890	Server Thread settings can be configured for each processing server. Engine default settings are optimized by default, based on the number of processors on the individual server. On upgrade, customized settings are not changed.
MM-5128	URL rewriting for Blended Threat analysis uses a HTTPS link to the scanner if the original link is a HTTPS link.
MM-5214	Logging of TLS certificates to disk did not save the entire chain. Fixed.
MM-5248	When a message exceeds the maximum size for SpamProfiler evaluation, the truncated message is now evaluated.
MM-5253	CRL Distribution Points could not be extracted from certificates with a single v3 extension distribution point entry. Fixed.
MM-5273	DKIM library initialization is more efficient.
MM-5406	URL rewriting for Blended Threat analysis did not correctly handle links with @ characters in the path or query string. Fixed.
MM-5408	SPF evaluation supports IPv6.
MM-5409	URL rewriting for Blended Threat analysis passed an incorrectly escaped version of the URL to the scanner. Fixed.
MM-5420	All functions that require a list of Top Level Domains now use a copy of the Mozilla TLD file, which will be updated as required. The listing is used by Blended Threat rewriting, DMARC, and SpamSURBL functions.
MM-5446	SpamCensor Types evaluation could fail to trigger as expected because scoring was not summed correctly. Fixed.
MM-5447	When a message had invalid header format (no line breaks), the Receiver dropped the connection with no message. Fixed: the connection is terminated with a SMTP 554 response.
MM-5453	On upgrade, TextCensor scripts are checked for compatibility with the new version of the TextCensor engine.
MM-5474	Memory used for CRL list retrieval in the Receiver by TLS/SSL was not fully released. Fixed.
MM-5478	The version of the PDF unpacker that is included in the installation has been updated to 5.0.0.13
MM-5516	For SEG Service Provider Edition installations, if a connection was denied due to relaying restrictions, some other criteria were still checked to no purpose. Fixed.
MM-5517	TLS certificate manager in the Controller service has more efficient threading.
MM-5523	The Receiver service could stop due to problems in TLS/SSL routines. Addressed with improvements in the TLS/SSL library.
MM-5542	SpamCensor now scans a parent message and all attached messages.
MM-5565	On installation, logging when setting the MaxUserPort value is improved.
MM-5569	Digesting could fail when the SQL server default collation was Case Sensitive, due to inconsistent capitalization in a stored procedure. Fixed.
MM-5596	Management of DKIM keys and selectors has been enhanced. DKIM keys can be created directly in the Configurator.
MM-5623	The Controller could stop when importing a signed certificate with a blank password. Fixed.
MM-5624	The Yara functionality could not be completely updated through automatic updates. Fixed.
MM-5626	The version of the Yara Analysis Engine is updated to 1.0.3 (Yara codebase 3.5.0).
MM-5627	An incorrectly formatted or corrupt certificate or private key file could cause the Receiver or Sender service to stop. Fixed.
MM-5629	The Sender only loads a client certificate if it is requested by the remote server.
MM-5633	Loading of certificates in the Sender is improved.
MM-5642	The Receiver service could stop in specific cases due to an issue in TLS negotiation. Fixed.
MM-5643	Web Components installation on Windows Server 2016 did not check prerequisites. Fixed.
MM-5652	TextCensor could add blank lines to the Engine log. Fixed.
MM-5661	The TLS/SSL library used by SEG has been updated.
MM-5670	The default setting for minimum TLS cipher strength is set to "Medium" for new installations, and also on upgrade if the setting was "Low".
MM-5672	If a message processed through SEG does not include a Message-Id header, SEG adds this header to allow better tracking of any issues with onward delivery.
MM-5675	Loading and initialization of virus scanners has been made more efficient.
MM-5685	Default SSL cipher strings have been updated to disable "Diffie Hellman Authentication" ciphers, for compatibility with Exchange 2003 defaults.
MM-5696	Automatic updates now provide the ability to set parameters for file unpacking components.
MM-5717	When scanning a message with attached child messages, SpamCensor stops scanning at the first message that triggers and returns information about that message.
MM-5728	Email between local domain addresses that is checked by SpamProfiler is now validated with the Outbound SpamProfiler configuration.
MM-5777	GeoLite2 is used to provide geographical information for DMARC reports. GeoLite2 database updates are provided as part of the Automatic Updates to the Array Manager.
MM-5782	Business Email Compromise fraud detection is enhanced with the ability to enter and match local executive user names and addresses, and to check for domain similarity.
MM-5786	Category Script evaluation can now check SEG Envelope properties. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5793	Re-packing of a message could be unnecessarily triggered by the Blended Threat functionality if all URLs found were exempt from re-writing. Fixed.
MM-5807	The SpamProfiler executables have been updated.
MM-5808	Changes in TLS configuration are now applied to messages in the Sender retry queue.
MM-5812	Email addresses with certain invalid domain formats could cause the Sender to stop. Fixed: the affected messages are deadlettered.
MM-5813	A REST API call is available to delete messages from all queues based on search criteria.
MM-5826	Notification messages created by rule action are now identified by message name in the service logs.
MM-5829	If a CAB file contained a single file, the extracted file was incorrectly named. Fixed.
MM-5835	Category Script evaluation can now be used to check values in the headers of a message. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5836	Checking of free disk space has been made more efficient to avoid possible issues with slow disk access.
MM-5844	Category Script evaluation can now check for domain similarity (to enhance fraud detection). For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).

7.5.7.9061 (October 4, 2016)

MM-5521	For SEG Service Provider Edition installations, the SMTP relay denied response did not include any details of the source IP or recipient. Fixed.
MM-5524	Additional functions required for BTM rewriting have been moved to the file retrieved through automatic updates, to better support automatic updating.
MM-5541	For SEG Service Provider Edition installations, IP Relay source matching could function incorrectly where ranges entered by multiple customers and the Service Provider overlapped. Fixed.
MM-5548	For SEG Service Provider Edition installations, Marshal IP Reputation Service unlicensed notifications could be sent in error. Fixed.
MM-5568	The SEG Engine now reports "starting" for a longer period to reduce misleading "failed to start" reports from other services on slow systems.
MM-5599	BTM rewriting was unnecessarily rewriting links in signed messages, resulting in deadletters. Fixed.
MM-5609	The Engine could fail to restart because anti-virus DLLs did not exit completely before reporting as stopped to the Service Control Manager. Fixed.
MM-5610	For SEG Service Provider Edition installations, SpamProfiler now ignores certain checks for messages between SPE customers.
MM-5620	The TLS/SSL library that SEG uses has been updated to version 1.0.2h.
MM-5622	The customized version of the archive unpacker included with SEG has been updated to support newer decompression methods (version 16.02).
MM-5630	User group membership could be incorrectly updated (members could be missing) if an error occurred while refreshing a sub-group. Fixed.
MM-5640	For SEG Service Provider Edition installations, in certain cases IP based relay restrictions were not applied. Fixed.

7.5.6.8438 (May 31, 2016)

MM-5271	Proxy port entry for internet access allowed only four digits. Fixed: five digits are allowed.
MM-5274	CRL distribution points were not extracted from certificates with v3 extensions. Fixed.
MM-5277	Suspect URL detection did not correctly normalize some URLs before querying the service. Fixed.
MM-5278	TextCensor memory usage has been improved.
MM-5390	In release 7.5.5, top-level message attachments were not scanned by TextCensor. Fixed.
MM-5391	The list of event sources shown in the Console Event Viewer has been updated with the current malware scanners.
MM-5392	Certain malformed RTF message bodies caused the engine to stop. Fixed.
MM-5399	Text log files are better formatted for 5 digit thread IDs.
MM-5400	The customized version of the archive unpacker included with SEG has been updated to address recently reported vulnerabilities in 7zip files.
MM-5404	The SEG product version is no longer present in the SMTP greeting string by default.
MM-5405	TextCensor evaluation is no longer single-threaded.

7.5.5.8150 (March 3, 2016)

MM-5195	In recent releases, the message viewer did not provide information about message components for delivered messages. Fixed: this information is retrieved from the database if a full message file is not present on disk.
MM-5196	If a message was marked temporarily undeliverable during a configuration reload, it would not be retried until the Sender was restarted. Fixed.
MM-5198	Whitespace at the start or end of plain text message stamps is no longer trimmed when edited and saved. Blank lines can be added for formatting.
MM-5208	TextCensor now does not check sub-components when the parent has already been scanned or excepted from scanning.
MM-5209	Attempts to retrieve CRLs from a location that could not be reached caused the Controller to stop. Fixed.
MM-5210	In previous 7.5 releases, update downloading did not correctly process gzip encoded web responses. Fixed.
MM-5211	The header Reply-To field is now available as a template variable {Header-Reply-To}. The message return path is used if Reply-To is not set.
MM-5212	The TLS/SSL library that SEG uses has been updated to version 1.0.1q.
MM-5218	Signing of executable files now uses a SHA256 certificate.
MM-5220	YAE scripts now support the Hash function of Yara.
MM-5238	The SpamProfiler integration SDK has been upgraded.
MM-5240	For SEG Service Provider Edition installations, RBL license notification emails are not sent if the installation is not licensed.
MM-5242	Uninstallation of the SQM site did not de-register the interface DLL. Fixed.
MM-5247	Logging of quarantine release actions to the service text logs has been improved.
MM-5251	For new installations, the Malware - AMAX folder is included in the virus reporting group.

7.5.1.8064 (December 8, 2015)

MM-5200

In release 7.5.0, reporting a message as spam or not spam caused the Controller service to stop. Fixed.

7.5.0.8055 (November 24, 2015)

MM-4251	SEG now corrects headers that violate the RFC limit of 998 characters, "folding" the header onto multiple lines by default.
MM-4726	File name checking could fail for very long MIME encoded file names. Fixed.
MM-4727	Improved decoding of MIME Encoded-Word content has been implemented for message subject display (digests and console), Header Rewrite, and filename rules.
MM-4832	Multi-line content-disposition headers were not extracted correctly, so attachments with long file names might be incorrectly filtered. Fixed.
MM-4883	Libcurl is updated to use Visual Studio 2013.
MM-4909	Additional file types have been added to support anti-spam scanning. These types are not currently selectable in rules.
MM-4961	The default name of the product database for new installations is now TrustwaveSEG. Upgrading does not alter the database name.
MM-4999	A setting is available to control acceptance of multiple HELO commands within a session. For details of this advanced option, contact Trustwave Support.
MM-5038	For SEG Service Provider Edition installations, the From address for spam and not spam reports can be set as required.
MM-5049	Long-running Receiver threads could incorrectly log a low data transfer rate. Fixed.
MM-5054	URL rewriting for BTM incorrectly treated text with two consecutive dots as a URL if the text after the dots was a valid TLD. Fixed.
MM-5065	When a user selects SpamProfiler options with potential for higher false positives in the Configurator, an extra confirmation message is presented.
MM-5069	Default message template text and From addresses (for new installations) have been branded for Trustwave.
MM-5077	Some URLs containing escaped characters were not rewritten for Blended Threats inspection. Fixed.
MM-5085	Image Analyzer has been updated to version 6. This version offers 30%-60% fewer false positives for the same level of detection, depending on the sensitivity setting.
MM-5115	The TLS/SSL library that SEG uses has been updated to version 1.0.1p.
MM-5124	A small memory cleanup issue in the Array Manager has been corrected.
MM-5135	The default Scams TextCensor Script is updated for new installations.
MM-5164	A new YAE based rule to detect malformed PDF documents is included on new installations and in the Upgrade Rules policy group for upgrades.
MM-5173	The web access component included with the product is updated .

7.3.6.7949 (September 10, 2015)

MM-5141	The Engine and Array Manager are now able to access up to 4GB of memory on a 64 bit system. Larger rulesets can be loaded without issues and performance enhancement is expected.
MM-5143	The version of the PDF unpacker that is included in the installation has been updated to 4.4.0.8
MM-5144	URL rewriting for BTM incorrectly treated some inline CSS declarations as URLs. Fixed.
MM-5145	Deletion of unpacked files with certain filenames could fail. Addressed by re-trying the deletion with no string parsing of the file name.

7.3.5.7612 (April 21, 2015)

MM-3499	Configuration import could fail due to incorrect case-sensitive comparison of user group members. Fixed.
MM-3509	Active Directory authentication for SQM failed for users with a text name containing [ ] characters. Fixed.
MM-4709	TLS can now be configured with specific lists of cipher suites, overriding the generic selections. For details of this advanced option, contact Trustwave Support.
MM-4823	A problem with group synchronization in the Controller could cause the Receiver to stop processing messages. Fixed.
MM-4837	Clean installations no longer install MSXML4.
MM-4857	The Receiver now supports ECDHE key exchange for PFS (TLS "Perfect Forward Secrecy").
MM-4862	Some utility files such as TextCensor2 DLLs might not be correctly updated on upgrade. Fixed: upgrade checks file version numbers instead of creation dates.
MM-4863	Links enclosed in round brackets and rewritten by the Blended Threats function incorrectly included the trailing round bracket in the rewritten link. Fixed.
MM-4864	For SEG Service Provider Edition installations, relay source checking was not limited to specific customer domains. Fixed.
MM-4866	Cleanup of TLS/SSL sessions has been improved.
MM-4867	Service executable paths were not quoted. Fixed.
MM-4869	Notification messages created by the Engine are now DKIM signed if required.
MM-4872	TLS now disables SSLv3 by default as per recent security best practice.
MM-4873	TLS cipher lists now exclude Anonymous, MD5, RC4, and IDEA ciphers as per recent security best practice.
MM-4874	Text logging includes better thread information.
MM-4876	The FileType DLL is now replaceable through the automatic update process.
MM-4880	The TLS/SSL DLLs are now replaceable through the automatic update process.
MM-4892	UUEncoded streams in the message body could be altered by the Blended Threats function. Fixed.
MM-4911	DKIM signing failed in some cases for email with headers longer than 2048 bytes. Fixed.
MM-4930	The version of the PDF unpacker that is included in the installation has been updated to 4.4.0.1.
MM-4932	By default "bare" CR or LF characters in messages are changed to CRLF.
MM-4933	For SEG Service Provider Edition installations, some earlier versions allowed an incorrect entry of a hostname as the "forward to IP." Fixed: On upgrade the configuration is corrected to use these entries as hostnames.
MM-4935	Additional indexing is performed on the Message table in the database to enhance performance.
MM-4944	For SEG Service Provider Edition installations, SpamProfiler could apply the wrong direction for scanning. Fixed.
MM-4945	The Controller log now records DNS query responses that took over 1 second.
MM-4948	DKIM signing and verification incorrectly ignored whitespace at the top of the message body in text-only messages. Fixed.
MM-4951	Slow DNS responses could cause the Receiver to stop accepting messages. Addressed with changes to the process that updates lists of anti-relay and blocked hosts.
MM-4952	The web access component included with the product is updated to 7.41.0.
MM-4960	SpamProfiler "valid bulk" classifications were not triggered due to unexpected format in data returned by SpamProfiler. Fixed.
MM-4965	URLCensor could perform unnecessary checks for incorrect URLs. Fixed.
MM-4968	SpamProfiler uses the same criteria for "inbound" and "outbound" messages that are used for other processing.
MM-4969	Full information about TLS negotiation is saved in the local message envelope.
MM-4979	Logging of DoS, DHA, relay, and other Receiver block events to the Event Log can be suppressed. For more information, see Trustwave Knowledge Base articles Q20228.
MM-4988	SpamProfiler responses were slow if IPv6 was enabled on the server. Fixed. The processing nodes MUST have a loopback adapter listening on the default IPv4 loopback address 127.0.0.1.
MM-4990	SpamProfiler responses were slow due to settings applied to the HTTP connection with the local SpamProfiler process. Fixed.
MM-5001	For SEG Service Provider Edition installations, Customer ID was not correctly determined for some Out Of Office messages. Fixed.
MM-5002	Blended Threats rewriting of subject lines added a space to the line. Fixed.
MM-5028	The TLS/SSL library that SEG uses has been updated to version 1.0.1m.

7.3.0.7277 (October 10, 2014)

MM-3597	The last lines of the Receiver log were not captured into the message envelope as expected. Fixed.
MM-4514	Email notifications are sent to the SEG Administrator from the local server when maintenance is about to expire or has expired.
MM-4591	The file extension .cpl has been added to the default Suspect Attachments rules.
MM-4628	File components that do not trigger a rule condition now do not add a line in text logs by default.
MM-4629	Visual C++ 2013 redistributables are now included in the installation.
MM-4674	The "monitor only" installation option and policy group have been removed.
MM-4706	DNS results were truncated if they exceeded the UDP packet size (notably when a large number of PTR records existed). Fixed by enabling EDNS0 in the DNS resolver.
MM-4710	Unpacking of XML based Excel documents now gets text from additional tags.
MM-4711	Unpacking of XML based Office Documents uses a simpler and more efficient parser.
MM-4723	Extracted binary unknown files could cause the engine to stop in TextCensor2 analysis due to improper formatting of extracted filenames. Fixed.
MM-4725	Moving or inserting User Groups by drag and drop now prompts for confirmation by default.
MM-4727	Better support for decoding Quoted Printable strings is provided.
MM-4729	For SEG Service Provider Edition installations, group information is loaded more efficiently.
MM-4731	Deleting User Groups now prompts for confirmation by default (in addition to the check for groups used in policy).
MM-4748	The TLS/SSL library that SEG uses has been updated to version 1.0.1i.
MM-4753	Calls to TextCensor2 did not correctly handle the case where the requested file could not be opened. Fixed.
MM-4760	The default theme of SQM has been updated to a Trustwave branded theme.
MM-4764	The Array Manager could encounter a database deadlock when manipulating folder records. Fixed.
MM-4766	If a message file was manually deleted from the queue, the sender service could become unresponsive. Fixed.
MM-4767	When releasing a message through a digest link, a text note about adding the sender to safe senders was displayed in error. Fixed.
MM-4773	Default values for suspicious compression and max header lines have been updated to reflect current email sizes. Additional unpacking space could be required. See Trustwave Knowledge Base articles Q10868 and Q11369.
MM-4774	Links with query parameters could be invalidated when processed by a Blended Threats rewriting rule. Fixed.
MM-4781	Utility DLL files used by TextCensor have been reverted to the version installed with SEG 7.2.2.
MM-4786	The product End User License Agreement has been updated.
MM-4789	The storage location for automatic configuration backups can be set. See Trustwave Knowledge Base article Q19556.
MM-4795	SMTP Authentication failed with some remote systems due to incorrectly encoded strings. Fixed.
MM-4797	TLS Certificate verification in Connection rules did not work when SMTP Authentication was enabled. Fixed.
MM-4799	When adding a new node to an array, the node controller service could fail on startup, due to a problem with IP whitelist retrieval. Fixed.
MM-4821	A record of the creation and last modification of rules and policies (by user and time) is now stored in the Registry.
MM-4834	Messages with malformed headers containing bare linefeeds could cause the Receiver to fail in some cases. Fixed.

To review Release History prior to version 7.3.0, please see the Release Notes for the specific versions.

Legal Notice

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.