Image Analysis query and a few others

Answered Question
Jun 24th, 2010

Hi all,

New here and new to Ironport. Using C360 with AsyncOS 7.0. I have a few questions I hope you can point me in the right direction on.

1. Is it recommended to allow users quarantine access to release mails held in, for example, the encrypted or image analysis quarantines? My organisation is about 1000 users over 2 locations, and my boss thinks this could be a good idea; I don't. Does this functionality require an LDAP server in place to work with AD?

2. Are there any metrics anywhere that might indicate the expected overhead (if any) on incoming emails with Image Analysis turned on? Boxes in live without Image Analysis are running at only about 3%.

Appreciate any replies or advice in advance.

Dave Lynch

exMSW4319 Sun, 07/04/2010 - 05:06

We're on C100-series equipment here so I can't comment on your loading question.

On the advisability of opening your quarantines, our vendor cautioned us that it's a one-way trip; once you've done it and published it, it's politically difficult to reverse your position. You might want to persuade $BOSS to try it the other way first, then re-think if there are too many calls coming in.

Daithi1972 Tue, 07/13/2010 - 02:08

Thanks for the reply - we have decided to use the ISQ. So, an update and a few more questions - here is the plan we're going to go with. To date, Ironport was only being used for Anti-Spam, but we are now moving all other functionality from Mailsweeper to Ironport. Our policy up to now has been to quarantine all incoming emails with media/image files, as we are a highly security conscious financial organisation bordering on the paranoid.

I have set up Image Analysis to send Suspect/Inappropriate to the ISQ and also CC mail to another account for periodic review. The mail will then be stripped of the suspect/inappropriate image and delivered to the recipient. We are going to allow users Self Service should they want to release the entire mail. We can then periodically review the emails classified as suspect/inappropriate which have been CCed to this other account, and use Message Tracking to see if the email was subsequently released. As far as checking which emails have been released, it would be great if I could configure the CC to this other email account so that it only occurred if the email was released by self service, but I can't see how this could be done? Bar that, is there any way to run a Report which would return which IA-held emails have been released from the ISQ by users, as this would make admin much easier?

We are also in the process of moving all content filtering from Mailsweeper to Ironport as well as setting up a lot of TLS connections. Can I ask what the norm is for dealing with encrypted mails - quarantined and then released by operators? We might have senior members of staff receiving encrypted emails outside of normal working hours - but I don't see how we can do anything about this bar giving self service, which I imagine is not a good idea? Does anyone have suggestions, or what solutions have you come up with?

From testing by sending hundreds of emails with image attachments (currently held in the Mailsweeper Image Quarantine) through Ironport, we are getting about 4% false positives - I think this is reasonably good. I have used the default configuration for IA.

And finally, are there any generic Text Resource Notification Templates out there that you could point me to?

Many Thanks for any responses,


Dave.

Correct Answer
exMSW4319 Wed, 07/21/2010 - 11:17

We don't use any self-service as yet so I can't advise on that. There might be a log term that you could search for in order to list all self-service releases from a particular quarantine, but obviously my logs won't contain it.

If it was previously acceptable to block all graphic attachments, why not strip them instead? This isn't as straightforward as it might seem when you take into account ambiguous formats such as PDF. PPS? We just reject them with our "can't read your multimedia" notification, as the ratio of even slightly relevant presentations to jokes appears to be in excess of 500:1. YMMV.

I don't know about encrypted connections, but we do take a harsh line on encrypted content; if the AV can't scan it then again the message is rejected with a notification. Our quick and dirty solution for those late-working senior staff is based around the premise that they are mostly dealing with legal firms with better protection than our own; once we've established that, we add the firm's domain to a "trusted" policy so that anything other than a positive virus will be delivered; an actual virus naturally sends us a notice rather than being dropped, as would be the case with any other sender. I don't recommend this if you have any concern that someone might guess and forge mail from one of your trusted senders.

Notifications? I roll my own. I'm sure we all know the basic principles, but for any group members that don't: keep it brief, formal, polite and as simple as possible. Sign it so it's plain that it's an automated system that's replying. Weigh up the chances of creating backscatter against the opportunity of steering your hapless sender in a useful direction, whilst making less work for yourself. Always strip out everything that would make you valuable as a relay.

Daithi1972 Thu, 08/26/2010 - 03:21

Thanks for the reply. After much testing we've veered away from self-service; as you said, it's a one-way street, and it was getting a little messy as we tried to force it to use the ISQ. Thanks again...

Dave.
