Default Rules

Updated 1 week ago by admin

Email Security comes with a set of sensible default Rules. These defaults may be sufficient for your organisation, but we still recommend you familiarise yourself with them, in order to fully understand what's happening. There are defaults for both Message Rules and Connection Rules.

Many of the default Rules are System Rules. System Rules are hidden unless you enable the View System Rules toggle.

Default Connection Rules

Connection Rules are applied when a connection is made to EMS, before any email content is processed. If an email is rejected at this stage, no Message Rules will apply.

Please don't make changes to these default Rules. If you do so, the amount of spam you receive will probably increase significantly.

DHA

The (Locked) DHA Rule checks whether a valid email address is configured in the Mailboxes section of the portal. If the email address is not configured, then the message is rejected.

Blacklist

Two IP Blacklist Rules - Spam RBL and Spamhaus - use free and commercially available blacklists of IP addresses known to send spam.

Invalid MX record

This Rule will only be triggered if the MX record for the domain is invalid and EMS was unable to deliver.

Deny

The Deny Rule is used to block connections from addresses that are entered on the Global and personal Deny lists. It will block inbound and outbound email from and to those email addresses respectively.

Default Message Rules

System Rules

(Default) Signature Verification

Adds a header to the message (Authentication-Result) with the various pass or fail properties of the email.

(Default) DMARC Fail

This checks the DMARC result in the message's Authentication Result header (added by the Signature Verification Rule) for all inbound emails. When there is a failed DMARC result and the sender domain has reject/quarantine in its published DMARC policy, the email will be quarantined.
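The decision described above, as an added example that is not the product's own code: quarantine only when the header records a DMARC fail and the sender's published policy is reject or quarantine. The function names are hypothetical, and the header values and DMARC records are constructed samples.

```python
import re

def dmarc_result(auth_results):
    """Return the dmarc= verdict (pass, fail, none, ...) from the header value."""
    # \s also covers folded header lines (CRLF followed by whitespace).
    m = re.search(r"(?:^|[;\s])dmarc\s*=\s*([a-z]+)", auth_results, re.IGNORECASE)
    return m.group(1).lower() if m else None

def dmarc_policy(txt_record):
    """Return the p= tag of a published DMARC TXT record, or None if absent."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":      # not a DMARC record at all
        return None
    return tags.get("p")

def should_quarantine(auth_results, txt_record):
    """Fail verdict AND an enforcing policy; p=none or no record never quarantines."""
    return (dmarc_result(auth_results) == "fail"
            and dmarc_policy(txt_record) in ("reject", "quarantine"))

# Constructed sample header values (example.org / example.net are placeholders).
FAIL_HDR = ("mx.example.net; spf=pass smtp.mailfrom=bounce.example.net;\r\n"
            " dkim=fail header.d=example.org; dmarc=fail header.from=example.org")
PASS_HDR = "mx.example.net; spf=pass; dkim=pass; dmarc=pass header.from=example.org"

def demo():
    """Evaluate the constructed samples and return the decisions in order."""
    cases = [
        (FAIL_HDR, "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"),
        (FAIL_HDR, "v=DMARC1; p=quarantine"),
        (FAIL_HDR, "v=DMARC1; p=none"),      # monitoring only
        (FAIL_HDR, ""),                      # no DMARC record published
        (PASS_HDR, "v=DMARC1; p=reject"),
    ]
    return [should_quarantine(hdr, txt) for hdr, txt in cases]

if __name__ == "__main__":
    print(demo())
```

A failed result from a domain publishing p=none, or no DMARC record at all, is not quarantined under this logic, so such messages depend on the other Rules and the spam score.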

(Default) Invalid Sending Domain

Checks the sender domain for the presence of an MX record and host, and that the domain can be connected to. Also validates that the remote server responds to a HELO or EHLO command within 10 seconds. Adds 110 to the spam score if triggered.

(Default) CoreService Spam

Checks whether the email is known spam, classifies it accordingly, and adds values to the spam score.

(Default) CoreService Malware

Checks and classifies the email as malware detected by heuristic analysis, and adds values to the virus score.

(Default) CoreService Phishing

Checks and classifies the email as a known phishing attempt. These are messages detected as phishing either by heuristic analysis or through a fraudulent link found in them. Adds values to the spam score.

(Default) Password Protected Attachment

Looks for password protected zip files, and adds a message header if such a file is found.

(Default) Heuristic Virus Analysis

Scans the attachments of the email for Macro or VBA code-enabled office documents. This includes .rtf files. Also triggers based on dangerous attachment types.

(Default) SWL Safe List

Completes an RBL lookup on the Safe List and, if listed on the whitelist, subtracts 100 from the spam score.

(Default) System Malware Detection

Runs the email and attachments through commercial anti-virus engines for known malware and threats and adds 108 to the virus score.

(Default) Bit Defender AV

Runs the email and attachments through commercial anti-virus engines for known malware and threats and adds 110 to the virus score.

(Default) Blog Spam

Looks for known blog spam entries in body or subject and adds 110 to spam score if it finds any.

(Default) URL Scanner

Looks at URLs in the email and checks the reputation of those links using a subset of the LinkScan rule method.

(Default) URL Redirect Spam

Looks for known URL redirected links that are blacklisted and adds 110 to spam score if any are found.

(Default) Email Banner

Adds an email banner/stamp based on your branding.

(Default) Apply DKIM signing

Applies a DomainKeys Identified Mail (DKIM) signature to outbound emails.

Standard Rules

Opportunistic TLS

Marks the email for delivery by TLS if the remote server supports it. It will fall back to non-TLS/Plain SMTP if it can't be sent by TLS.

Virus

If the current virus score for this message is greater than 30, the message is sent to the company quarantine, in the virus folder.

Spoofed Messages

Checks the MAIL FROM address and the recipient. If both are internal domains, adds to the spam score.

Executive Tracking

For more information on this rule see this article.

Nearby Domain

Detects senders using a domain similar to your own configured domains to appear as if it is an internal message. For more information see this article.

SPF Fail

Adds to the spam score for messages with an SPF FAIL result, based on the IP, the SMTP connection sender domain, and the sender domain's DNS records.

CoreService Suspect

New customers only.

Messages with a subject that may potentially cause financial or other damage will be caught by this filter. For instance, emails with content referencing money transfer or intended to obtain personal information.

Rewrites any URL links to use the linkscan.io service. For more information see this article.

High Reputation Marketing

Typically, this Rule catches email campaigns issued from a professional and known routing platform (ESP) that follow the rules of use for email advertising, by providing unsubscribe links, list cleaning, etc. Prefixes a subject line entry with [Marketing High].

Medium Reputation Marketing

This Rule will catch any advertising email that follows the rules of use for marketing email, but which was not sent through a well-known routing platform. The heuristic rules that catch these are predictive and generic. Prefixes a subject line entry with [Marketing Medium].

Low Reputation Marketing

Any other advertising campaign that does not comply with emailing rules by presenting poorly-organized content, non-compliance with CAN-SPAM, no unsubscribe link, etc. Adds 109 to the spam score.

Confirmed Phishing

Quarantines any known phishing emails (as identified by the CoreService Phishing Rule).

Confirmed Spam

If the previous Rules have raised the spam score above the specified threshold, the message will be company quarantined into the spam folder. No digest will be sent. This reduces user administration, as these are known spam emails.

Possible Spam

This Rule works in much the same way as the Confirmed Spam Rule, except that it deals with emails that haven't reached a high enough level to be company quarantined, but which are above a set level for safety. Emails that reach this level and trigger this Rule will be quarantined.

Deliver Inbound

Routes to DomainRoute. No NDR is sent back outbound if the customer's email server rejects the message. The message will remain in the queue for 144 hours before it expires.

Disclaimer

In order for this Rule to be triggered, the email has run through all the other Rules, and been considered safe. If you have a company-wide disclaimer that must be appended to the email, this Rule will add it. The Disclaimer rule is only created if a disclaimer has been added.

Deliver Outbound

Routes to mxrecords. An NDR will be sent to the local sender if delivery fails, with an expiry of 4 hours.

Maximum Mail Size

Automatically rejects emails above a certain size. The default is 50mb, but you can easily change that limit.

