
The Cyren IP Reputation filter is available if NoSpamProxy Protection is licensed. The filter checks the IP address of the sending system, adopts the classification returned by Cyren and assigns the corresponding SCL points:

  • No known risk (0 SCL points)
  • Medium risk (1 SCL point)
  • High risk (3 SCL points)

Depending on the setting of the evaluation criteria and additional classifications of the other filters in the applied rule, an IP address can thus lead to the rejection of the emails. This rejection can already take place during the envelope phase, so that further information – for example, the subject – is no longer transmitted.

NoSpamProxy has no influence on these evaluations. However, every affected sender can have their IP address and its classification checked and adjusted via the Cyren support page.


The Cyren Premium AntiVirus scanner is part of the Malware Scanner action and can be used if NoSpamProxy Protection is licensed. Cyren Premium AntiVirus checks attachments that are attached to an email. In doing so, it carries out two basic checks:

  • Local checks against definitions
    • The definitions are regularly downloaded from the Cyren servers. In case of access problems to the Cyren servers, the definitions must not be older than two days.
    • During the check, the attachment is placed in the directory C:\ProgramData\Net at Work Mail Gateway\Cyren\Temp, checked and deleted again.
  • Live checks – Zero Hour Protection
    • Check for attachments that have been conspicuous in the recent past. A hash value of the attachment is generated and sent to Cyren, which responds with its classification.

Unlike with the Cyren AntiSpam filter, the NoSpamProxy support has no way of influencing this behaviour in the case of a misclassification.
In the case of misclassifications – i.e. false positives or false negatives – the sender or the recipient of the email must always contact Cyren and have this corrected accordingly.

A description of the process can be found on the respective Cyren support page.

In case of local problems or missing definitions, please refer to the Knowledge Base article Cyren Engines – Troubleshooting.

Note

To ensure parallel operation with other locally installed virus scanners on the gateway role, please refer to the Knowledge Base article How to configure on-access virus scanners and define the exceptions as described!


We are currently registering a wave of attacks with obsolete Microsoft Office formats that are no longer available as a file type in NoSpamProxy and should generally no longer be used.

Note

The content of this article is only a recommendation. Every NoSpamProxy user should make the settings as required or appropriate for the company in question. The article can also be applied to all other combinations and is not only relevant for Microsoft Office formats.

Configuring the content filter

Basic information on setting up content filters can be found in our training videos.

The configuration recommended here follows a whitelisting approach. This means that only the file formats that are wanted are allowed, and all others are blocked.

  1. Create content filter entries for all file types (also called MIME types) that you want to allow. These content filter entries should only be configured for file types, not for file names.
  2. Now create a content filter entry that filters for file names and rejects all attachments with a certain file extension.

In the content filter itself, the order should then be such that the allowed entries are at the top and the rejecting entry is below them.

Configuring the CYREN Services for use with a Web Proxy

This article describes how to configure a proxy server for the CYREN services with the Protection module in all NoSpamProxy versions from version 9.2 onwards. To do this you have to download the files

  • ctasd.conf
  • ctipd.conf (additionally available from version 12.x)
  • ctwsd.conf (additionally available as of version 13.x)

from the directory “C:\ProgramData\Net at Work Mail Gateway\CYREN\”.

The following section is responsible for this:

#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1

If you are using a proxy server without authentication, remove the # character before the lines “ProxyPort”, “ProxyServerAddress”, “ProxyAuth” and “ProxyAccess”. Enter the corresponding port of your proxy server in “ProxyPort”. After the entry “ProxyServerAddress”, configure either the IP address or the FQDN of your proxy server. For “ProxyAuth”, leave the entry at “NoAuth”.

If you are using a proxy server with authentication, you must additionally configure the options “ProxyUserName” and “ProxyPassword”. Enter the corresponding logon information for “ProxyUserName” and “ProxyPassword”. Additionally, you must change the value “ProxyAuth” to “Basic”.

After you have saved the file, you must restart the services NoSpamProxy – CYREN Service (ctasd.conf), NoSpamProxy – CYREN IP Reputation Service (ctipd.conf) and NoSpamProxy – CYREN URL Categorization Service (ctwsd.conf) in order for the changes to take effect.
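
The procedure above as a script, added here as an example and not NoSpamProxy's own tooling: it activates the proxy keys in whichever of the three files exist, keeps a .bak copy of each, and restarts the CYREN services. The function name Set-CyrenProxy and the proxy host in the usage comments are assumptions; the service pattern is derived from the display names given on this page.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session on the gateway.
function Set-CyrenProxy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ProxyServerAddress,   # IP address or FQDN
        [Parameter(Mandatory)] [int]    $ProxyPort,
        [pscredential] $Credential,    # omit for a proxy without authentication
        [string] $ConfDir = 'C:\ProgramData\Net at Work Mail Gateway\CYREN'
    )
    # Keys to activate; ProxyAccess keeps the value 1 from the commented template.
    $settings = [ordered]@{
        ProxyPort          = $ProxyPort
        ProxyServerAddress = $ProxyServerAddress
        ProxyAuth          = 'NoAuth'
        ProxyAccess        = 1
    }
    if ($Credential) {
        $settings.ProxyAuth     = 'Basic'
        $settings.ProxyUserName = $Credential.UserName
        # The conf files hold this value in clear text, so limit who can read them.
        $settings.ProxyPassword = $Credential.GetNetworkCredential().Password
    }
    foreach ($name in 'ctasd.conf', 'ctipd.conf', 'ctwsd.conf') {
        $path = Join-Path $ConfDir $name
        if (-not (Test-Path $path)) { continue }   # ctipd/ctwsd exist only in newer versions
        Copy-Item $path "$path.bak" -Force         # original kept for rollback
        $lines = @(Get-Content $path)
        foreach ($key in $settings.Keys) {
            # Matches the key whether still commented out ("#Key = ...") or already active.
            $pattern = "^\s*#?\s*$key\s*="
            if (-not ($lines -match $pattern)) {
                Write-Warning "$name has no '$key' line; nothing changed for this key."
                continue
            }
            $lines = $lines | ForEach-Object {
                if ($_ -match $pattern) { "$key = $($settings[$key])" } else { $_ }
            }
        }
        Set-Content -Path $path -Value $lines
    }
    # Wildcard over the display names so the match does not depend on the dash character.
    Get-Service -DisplayName 'NoSpamProxy*CYREN*' | Restart-Service
}

# Usage (proxy.example.internal is a placeholder):
# Set-CyrenProxy -ProxyServerAddress proxy.example.internal -ProxyPort 8080
# Set-CyrenProxy -ProxyServerAddress proxy.example.internal -ProxyPort 8080 -Credential (Get-Credential)
```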

Note

In order for all Cyren services to function properly, unrestricted access to *.ctmail.com must be given. These connections must also not be virus-scanned, because the definitions for the Cyren Premium AntiVirus are downloaded over them as well!


The Cyren URL Classification Service is available from version 13.0 if NoSpamProxy Protection is licensed. This additional service can be enabled through the Spam URI Realtime Blocklists filter and ensures that NoSpamProxy searches for malicious URLs in emails and blocks affected emails.

The Cyren URL Classification Service works within NoSpamProxy with the URL Safeguard. To improve URL detection, the URL Safeguard must actively rewrite URLs.

The Cyren URL Classification Service can also be used without the URL Safeguard, but then there is no way to report malicious URLs.

URL Safeguard

For information on activating and configuring the URL Safeguard, refer to the NoSpamProxy manuals.
Please note that this requires the installation of the NoSpamProxy Web Portal as well as an additional, usually paid SSL certificate, which is not included in the scope of delivery of NoSpamProxy.

How to access details on malicious URLs

To access details on malicious URLs, proceed as follows:

  1. Go to Monitoring > Message Tracking.
  2. Double-click or select the respective email and click Details.
  3. Go to the URL Safeguard tab.

All malicious URLs are displayed here. Click Show all URLs to display the non-malicious URLs.

How can you influence misclassifications?

In case one or more emails have been misclassified, you can report these false positives (for actually benign URLs) or false negatives (for actually malicious URLs).

  • To do this, select the respective email and click Report misclassification.

However, you or your communication partners can also check this directly via the Cyren support page and request changes.


To set a reverse DNS entry (RDNS entry) in Microsoft Azure, do the following:

  1. Open portal.azure.com.
  2. Go to Dashboard > Resource groups > [YourVirtualComputer] > Configuration.
  3. Enter a name for the public IP address (DNS name label).
  4. Open Azure Shell.
  5. Enter the following command:
    az network public-ip update --resource-group [NameOfTheResourceGroupWhereTheComputerIsLocated] --name [NameOfTheResourceGroupThatCorrespondsToThePublicIP] --reverse-fqdn [MXName, for example mail.netatwork.de] --dns-name [TheDNSName]


In NoSpamProxy it is possible to request and revoke certificates via a managed PKI of an external certificate provider. In addition, certificates can be promoted to a domain certificate – also called gateway certificate – for your own domains or for partner domains. With a domain certificate, all emails are encrypted/decrypted or signed, depending on the certificate and direction, if there is no separate certificate for the recipient/sender.

Requirements:

  • The Encryption module is licensed.
  • Certificate provider is set up (for requesting and revoking).
  • Certificate can be used by the entire company (upgrade for certificate).

Request certificates (manually via user)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact.
  3. Click Request cryptographic keys for selected users and follow the instructions in the dialog.


Request certificates (automatically via a user group)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Click Automatic user import.
  3. Highlight the relevant Active Directory import and click Modify.
  4. On the Groups tab, highlight the Active Directory group and click Add.
  5. In the dialog Automatic key request, select the relevant provider and confirm.

Each time an Active Directory import (scheduled or manual) is performed, the system checks whether a new certificate is required for a user in the group.

Revoking certificates

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be revoked.
  5. Click Revoke.
  6. Follow the instructions from the dialog.


The following two descriptions lead to one certificate being used for an entire company.

Please note: The other end must always support this and allow the certificate to be used for it. If you have any questions about the certificate, please contact the issuing authority.

Promoting certificates for a partner domain 

  1. Go to People and identities > Partners.
  2. Select the partner domain and click Modify.
  3. On the User entries tab, select the user with the domain certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted and click Promote to domain certificates.
  5. Follow the instructions from the dialog.


Please note: The certificate is no longer available in the user entry, but on the Domain entry tab under End-to-end encryption > Modify on the Certificates tab.

Promoting certificates for owned domains

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email Addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted.
  5. Click Promote to domain certificates.
  6. Follow the instructions from the dialog.


Please note: The certificate is no longer available in the contact, but under Owned domains in the relevant domain on the Certificates tab.


Starting with NoSpamProxy version 13, NoSpamProxy reports the fill level of the database if a Microsoft SQL Express version (max. 10 GB per database) is more than 70 percent full.

In the following you will find some hints on how to react to a corresponding message in the console.

Warning Levels

NoSpamProxy warns you about a full database in two stages:

When the database is 70% full
  • a message is added to the event log,
  • a message is displayed under Incidents on the NoSpamProxy console start page, and
  • a notification is sent to the set administrator email address.
When the database is 90% full
  • a message is added to the event log,
  • a warning is displayed on the NoSpamProxy console start page under Incidents, and
  • a notification is sent to the set administrator email address.

What are possible reasons for a full database?

  • The configured period of message tracking and its details (monitoring) is too long.
  • There are problems with communication between two or more NoSpamProxy roles.
  • Expired data has not been properly deleted from the database.

How to analyse the database

To find out why the database has reached the respective size, proceed as follows:

  1. Install Microsoft SQL Management Studio on the system on which the affected database is installed.
    Microsoft SQL Management Studio is available free of charge from the Microsoft website.
  2. Start SQL Management Studio.
  3. Log on to the SQL instance where the database is located.
    These instances are usually called (local)\SQLEXPRESS or (local)\NOSPAMPROXY.
  4. After logging on successfully, execute the following SQL query for the NoSpamProxy role involved. You only need to change the first line so that it names the matching database:

Intranet Role:
USE [NoSpamProxyAddressSynchronization]

Gateway Role:
USE [NoSpamProxyDB]

Web Portal:
USE [enQsigPortal]

-- Change the database name in the next line to match the role being analysed.
USE [NoSpamProxyAddressSynchronization]
GO
-- Lists every user table with its row count and used space, largest first.
-- The ROLLUP row labelled 'Total' sums all tables.
SELECT
    ISNULL(t.name, 'Total') AS TableName,
    s.name AS SchemaName,
    p.rows AS RowCounts,
    -- used_pages counts 8 KB pages, so * 8 / 1024 gives MB
    CAST(ROUND(((SUM(a.used_pages) * 8) / 1024.00), 2) AS NUMERIC(36, 2)) AS SizeInMB
FROM
    sys.tables t
INNER JOIN
    sys.indexes i ON t.object_id = i.object_id
INNER JOIN
    sys.partitions p ON i.object_id = p.object_id AND i.index_id = p.index_id
INNER JOIN
    sys.allocation_units a ON p.partition_id = a.container_id
LEFT OUTER JOIN
    sys.schemas s ON t.schema_id = s.schema_id
WHERE
    t.name NOT LIKE 'dt%'
    AND t.is_ms_shipped = 0
    AND i.object_id > 255
GROUP BY
    ROLLUP(t.name, s.name, p.rows)
-- Keep the per-table rows and the grand total, drop the intermediate subtotals.
HAVING p.rows IS NOT NULL OR (p.rows IS NULL AND t.name IS NULL)
ORDER BY
    SUM(a.used_pages) DESC
GO

How can the results be interpreted and solved?

In the output of the SQL script you can find an overview of all existing tables of the database as well as information about their size.

There are two specific tables that should be empty in normal operation or whose entries should change constantly each time they are called:

  • DataReplication.Artefact

  • MessageTracking.LegacyMessageTrackEntry

If data accumulates in these tables and is not removed again, this indicates that problems exist. These must be clarified and solved by the NoSpamProxy support. In this case, please contact the partner responsible for you or – if you have purchased manufacturer support – the NoSpamProxy support directly.

All other scenarios indicate that the storage period for message tracking is too long, which you can edit and reduce in the NoSpamProxy console under Configuration > Advanced Settings > Monitoring. The reduction usually takes up to 24 hours, so that a result is usually not visible until the next day.