blank

As soon as certificates and their certificate chains are used for the email signature or encryption, they usually have to be checked for validity. It is important to note that certain basic requirements must be met for a final certificate to be considered valid: 

  • The certificate itself including its complete certificate chain is stored in the certificate store of NoSpamProxy.
  • The revocation check of the final certificate and all intermediate certificates contained in the certificate chain was successful.

Please note that the check is preferably carried out on the basis of the Online Certificate Status Protocol. If the respective certificate does not offer this, the check via certificate revocation list (CRL) is used. When retrieving the CRL of each certificate, three things must be fulfilled:

  1. The CRL can be retrieved from all gateways.
  2. The CRL itself is still valid.
  3. The affected certificate is not included in the certificate revocation list.

Point 2 can be checked by a simple retrieval (in the case of a list linked via HTTP) via browser and subsequent opening using Windows on-board tools. Please bear in mind any proxy settings that may apply.

Please also refer to the knowledge base article How to configure a web proxy.

The easiest way to carry out the check is with the help of an automated script. To use this script, you must log on to the system on which the Intranet Role is installed. Execute the script there. Use either the PowerShell command line or the PowerShell ISE.

After executing the script, you will be asked for the thumbprint of the certificate to be checked. This can be found in the Activities section of the message track of the email in question. In said area, you will find the name of the applicant as a link. There you will find the thumbprint of the certificate, which you can copy by right-clicking.

 

blank

The Cyren IP Reputation filter is available if NoSpamProxy Protection is licensed. This filter performs the check of the IP address of the sending system, classifies it according to the classification received from Cyren and assigns corresponding SCL points:

  • No known risk (0 SCL points)
  • Medium risk (1 SCL points)
  • High risk (3 SCL points)

Depending on the setting of the evaluation criteria and additional classifications of the other filters in the applied rule, an IP address can thus lead to the rejection of the emails. This rejection can already take place during the envelope phase, so that further information – for example, the subject – is no longer transmitted.

NoSpamProxy has no influence on these evaluations. However, every affected sender can have their IP address and its classification checked and adjusted via the Cyren support page.

Further information

 

blank

The Cyren Premium AntiVirus scanner is part of the Malware Scanner action and can be used if NoSpamProxy Protection is licensed. Cyren Premium AntiVirus checks attachments that are attached to an email. In doing so, it carries out two basic checks:

  • Local checks against definitions
    • The definitions are regularly downloaded from the Cyren servers. In case of access problems to the Cyren servers, the definitions must not be older than two days.
    • During the check, the attachment is placed in the directory C:\ProgramData\Net at Work Mail Gateway\Cyren\Temp, checked and deleted again.
  • Live checks – Zero Hour Protection
    • Check for conspicuous attachments in the recent past. A hash value is generated and sent to Cyren, which then sends a response with the corresponding classification by Cyren.

Unlike with the Cyren AntiSpam filter, the NoSpamProxy support has no way of influencing this behaviour in the case of a misclassification.
In the case of misclassifications – i.e. false positives or false negatives – the sender or the recipient of the email must always contact Cyren and have this corrected accordingly.

A description of the process can be found on the respective Cyren support page.

In case of local problems or missing definitions, please refer to the Knowledge Base article Cyren Engines – Troubleshooting

Note

To ensure parallel operation with other locally installed virus scanners on the gateway role, please refer to the Knowledge Base article How to configure on-access virus scanners and define the exceptions as described!

Further information

blank

We are currently registering a wave of attacks with obsolete Microsoft Office formats that are no longer available as a file type in NoSpamProxy and should generally no longer be used.

Note

The content of this article is only a recommendation. Every NoSpamProxy user should make the settings as required or appropriate for the company in question. The article can also be applied to all other combinations and is not only relevant for Microsoft Office formats.

Configuring the content filter

Basic information on setting up content filters can be found in our training videos.

The configuration recommended here follows a whitelisting approach. This means that only file formats will be allowed that ware wanted, and that all others will be blocked.

  1. Create content filter entries for all file types (also called MIME types) that you want to allow. These content filter entries should only be configured for file types, not for file names.
    Allowed file types
  2. Now create a content filter entry that filters for file names and rejects all attachments with a certain file extension.
    Blocked file names

In the content filter itself, the order should then be such that the allowed entries are at the top and the rejecting entry below:

Order of the content filter entries

information thumbnail social media

Configuring the CYREN Services for use with a Web Proxy

This article describes how to configure a proxy server for the CYREN services with the Protection module in all NoSpamProxy versions from version 9.2 onwards. To do this you have to download the files

  • ctasd.conf
  • ctipd.conf (additionally available from version 12.x)
  • ctwsd.conf (additionally available as of version 13.x)

from the directory “C:\ProgramData\Net at Work Mail Gateway\CYREN\”.

The following section is responsible for this:

#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1

If you are using a proxy server without authentication, remove the # character before the lines “ProxyPort”, “ProxyServerAddress”, “ProxyAuth” and “ProxyAccess”. Enter the corresponding port of your proxy server in ” ProxyPort”. Behind the entry “ProxyServerAddress” you configure either the IP address or the FQDN of your proxy server. For “ProxyAuth” leave the entry at “NoAuth”.

If you are using a proxy server with authentication, you must additionally configure the options “ProxyUserName” and “ProxyPassword”. Enter the corresponding logon information for “ProxyUserName” and “ProxyPassword”. Additionally, you must change the value “ProxyAuth” to “Basic”.

After you have saved the file, you must restart the services NoSpamProxy – CYREN Service (ctasd.conf), NoSpamProxy – CYREN IP Reputation Service (ctipd.conf) and NoSpamProxy – CYREN URL Categorization Service (ctwsd.conf) in order for the changes to take effect.

Note

In order for all Cyren services to function properly, unrestricted access to *.ctmail.com must be given. Also a virus scan on these connections must not be done, because the definitions for the Cyren Premium AntiVirus are downloaded there as well!

blank

To set up automatic user import via Azure Active Directory in NoSpamProxy, NoSpamProxy must be registered as an app in the Azure Portal.

Registering an app

  1. Open portal.azure.com.
  2. Go to Azure Active Directory > App registrations.
  3. Click New Registration.
  4. Enter a name for the app, for example NoSpamProxy.
  5. Select Accounts in any organizational directory (any Azure AD directory – Multitenant) as the account type.
  6. Select Web as type for the redirect URIs and enter the following URIs:
    https://www.nospamproxy.de/de/admin-consent-redirect/
    
    https://www.nospamproxy.de/en/admin-consent-redirect/

    The URIs are used as targets when returning authentication responses (tokens) after users have been successfully authenticated.

  7. Click Register.

The app registration is now complete. The following overview page displays details about your app registration.

Note: You need the Application ID (Client ID) and the Directory ID (Tenant ID) to connect to the Azure Active Directory in NoSpamProxy.

Adding API permissions

In order to use the automatic user import, you must authorize NoSpamProxy to call certain APIs.

  1. Open the overview page of your app.
  2. Go to API permissions.
  3. Click Add a permission.
  4. Click Microsoft Graph.
  5. Click Application permissions.
  6. Select Group.Read.All, User.Read.All and User.Read.
  7. Click Grant admin consent for “YourCompany”.

Uploading certificates

NoSpamProxy identifies itself to the authentication service when receiving tokens at a web addressable location (using an HTTPS scheme). You must upload the certificate required for the authetication here.

  1. Open the overview page of your app.
  2. Go to Certificates and secrets.
  3. Click Upload certificate.
  4. Select the certificate you want to use. You may use the self-signed certificate created by NoSpamProxy during the installation process or another certificate qualified for client authentication.
  5. Click Add. After uploading the certificate, the fingerprint, start date and expiry date are displayed.

blank

The Cyren URL Classification Service is available from version 13.0 if NoSpamProxy Protection is licensed. This additional service can be enabled through the Spam URI Realtime Blocklists filter and ensures that NoSpamProxy searches for malicious URLs in emails and blocks affected emails.

The Cyren URL Classification Service works within NoSpamProxy with the URL Safeguard. To improve URL detection, the URL Safeguard must actively rewrite URLs.

The Cyren URL Classification Service can also be used without the URL Safeguard, but then there is no way to report malicious URLs.

URL Safeguard

For information on activating and configuring the URL Safeguard, refer to the NoSpamProxy manuals.
Please note that this requires the installation of the NoSpamProxy Web Portal as well as an additional, usually paid SSL certificate, which is not included in the scope of delivery of NoSpamProxy.

How to access details on malicious URLs

To access details on malicious URLs, proceed as follows:

  1. Go to Monitoring > Message Tracking.
  2. Double-click or select the respective email and click Details.
  3. Go to the URL Safeguard tab.

All malicious URLs are displayed here. Click Show all URLs to display the non-malicious URLs.

How can you influence misclassifications?

In case one or more emails have been misclassified, you can report these false positives (for actually benign URLs) or false negatives (for actually malicious URLs).

  • To do this, select the respective email and click Report misclassification.

Message tracking details

False Positives:

Reporting a False Positive

Reporting a False Positive

False Negatives:

Reporting a False Negative

Reporting a False Negative

However, you or your communication partners can also check this directly via the Cyren support page and request changes.

More information

blank

To set a reverse DNS entry (RDNS entry) in Microsoft Azure, do the following:

  1. Open portal.azure.com.
  2. Go to Dashboard > Resource groups > [YourVirtualComputer] > Configuration.
  3. Enter a name for the public IP address.
    DNS-Namensbezeichnung
  4. Open Azure Shell.
    Oeffnen der Azure Shell
  5. Enter the following command:
    az network public-ip update –[NameOfTheResourceGroupWhereTheComputerIsLocated] –[NameOfTheResourceGroupThatCorrespondsToThePublicIP] –[MXName, for example mail.netatwork.de] –[TheDNSName].