
We are currently registering a wave of attacks with obsolete Microsoft Office formats that are no longer available as a file type in NoSpamProxy and should generally no longer be used.

Note

The content of this article is only a recommendation. Every NoSpamProxy user should make the settings as required or appropriate for the company in question. The article can also be applied to all other combinations and is not only relevant for Microsoft Office formats.

Configuring the content filter

Basic information on setting up content filters can be found in our training videos.

The configuration recommended here follows a whitelisting approach. This means that only file formats that are wanted will be allowed, and that all others will be blocked.

  1. Create content filter entries for all file types (also called MIME types) that you want to allow. These content filter entries should only be configured for file types, not for file names.
  2. Now create a content filter entry that filters for file names and rejects all attachments with a certain file extension.

In the content filter itself, the order should then be such that the allowed entries are at the top and the rejecting entry below.

Configuring the CYREN Services for use with a Web Proxy

This article describes how to configure a proxy server for the CYREN services with the Protection module in all NoSpamProxy versions from version 9.2 onwards. To do this you have to download the files

  • ctasd.conf
  • ctipd.conf (additionally available from version 12.x)
  • ctwsd.conf (additionally available as of version 13.x)

from the directory “C:\ProgramData\Net at Work Mail Gateway\CYREN\”.

The following section is responsible for this:

#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1

If you are using a proxy server without authentication, remove the # character before the lines “ProxyPort”, “ProxyServerAddress”, “ProxyAuth” and “ProxyAccess”. Enter the corresponding port of your proxy server in “ProxyPort”. After the entry “ProxyServerAddress”, configure either the IP address or the FQDN of your proxy server. For “ProxyAuth”, leave the entry at “NoAuth”.

If you are using a proxy server with authentication, you must additionally configure the options “ProxyUserName” and “ProxyPassword”. Enter the corresponding logon information for “ProxyUserName” and “ProxyPassword”. Additionally, you must change the value “ProxyAuth” to “Basic”.

After you have saved the file, you must restart the services NoSpamProxy – CYREN Service (ctasd.conf), NoSpamProxy – CYREN IP Reputation Service (ctipd.conf) and NoSpamProxy – CYREN URL Categorization Service (ctwsd.conf) in order for the changes to take effect.

Note

In order for all Cyren services to function properly, unrestricted access to *.ctmail.com must be given. These connections must also be excluded from virus scanning, because the definitions for the Cyren Premium AntiVirus are downloaded there as well!


The Cyren URL Classification Service is available from version 13.0 if NoSpamProxy Protection is licensed. This additional service can be enabled through the Spam URI Realtime Blocklists filter and ensures that NoSpamProxy searches for malicious URLs in emails and blocks affected emails. The Cyren URL Classification Service works within NoSpamProxy with the URL Safeguard. To improve URL detection, the URL Safeguard must actively rewrite URLs. The Cyren URL Classification Service can also be used without the URL Safeguard, but there is no way to report malicious URLs.

URL Safeguard

For information on activating and configuring the URL Safeguard, refer to the NoSpamProxy manuals. Please note that this requires the installation of the NoSpamProxy Web Portal as well as an additional SSL certificate, which is not included in the scope of delivery of NoSpamProxy.

How to access details on malicious URLs

To access details on malicious URLs, proceed as follows:

  1. Go to Monitoring > Message Tracking.
  2. Double-click or select the respective email and click Details.
  3. Go to the URL Safeguard tab.

All malicious URLs are displayed here. Click Show all URLs to display the non-malicious URLs.

How can you influence misclassifications?

In case one or more emails have been misclassified, you can report these false positives (for actually benign URLs) or false negatives (for actually malicious URLs).

  • To do this, select the respective email and click Report misclassification.

False Positives:

Reporting a False Positive

False Negatives:

Reporting a False Negative

More information

For more information on the detection by the Cyren AntiSpam Filter see the Knowledge Base article Recognition of emails by the Cyren AntiSpam filter.

 


To set a reverse DNS entry (RDNS entry) in Microsoft Azure, do the following:

  1. Open portal.azure.com.
  2. Go to Dashboard > Resource groups > [YourVirtualComputer] > Configuration.
  3. Enter a name for the public IP address.
  4. Open Azure Shell.
  5. Enter the following command:
    az network public-ip update --resource-group [NameOfTheResourceGroupWhereTheComputerIsLocated] --name [NameOfTheResourceGroupThatCorrespondsToThePublicIP] --reverse-fqdn [MXName, for example mail.netatwork.de] --dns-name [TheDNSName]

 


In NoSpamProxy it is possible to request and revoke certificates via a managed PKI of an external certificate provider. In addition, certificates can be promoted to a domain certificate – also called gateway certificate – for your own domains or for partner domains. With a domain certificate, all emails are encrypted/decrypted or signed, depending on the certificate and direction, if there is no separate certificate for the recipient/sender.

Requirements:

  • The Encryption module is licensed.
  • Certificate provider is set up (for requesting and revoking).
  • Certificate can be used by the entire company (upgrade for certificate).

Request certificates (manually via user)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact.
  3. Click Request cryptographic keys for selected users and follow the instructions in the dialog.


Request certificates (automatically via a user group)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Click Automatic user import.
  3. Highlight the relevant Active Directory import and click Modify.
  4. On the Groups tab, highlight the Active Directory group and click Add.
  5. In the dialog Automatic key request, select the relevant provider and confirm.

Each time an Active Directory import (scheduled or manual) is performed, the system checks whether a new certificate is required for a user in the group.

Revoking certificates

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be revoked.
  5. Click Revoke.
  6. Follow the instructions from the dialog.


The following two descriptions lead to one certificate being used for an entire company.

Please note: The other end must always support this and allow the certificate to be used for it. If you have any questions about the certificate, please contact the issuing authority.

Promoting certificates for a partner domain 

  1. Go to People and identities > Partners.
  2. Select the partner domain and click Modify.
  3. On the User entries tab, select the user with the domain certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted and click Promote to domain certificates.
  5. Follow the instructions from the dialog.


Please note: The certificate is no longer available in the user entry, but on the Domain entry tab under End-to-end encryption > Modify on the Certificates tab.

Promoting certificates for owned domains

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email Addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted.
  5. Click Promote to domain certificates.
  6. Follow the instructions from the dialog.


Please note: The certificate is no longer available in the contact, but under Owned domains in the relevant domain on the Certificates tab.


Starting with NoSpamProxy version 13, NoSpamProxy informs about the fill level of the database if a Microsoft SQL Express version (max. 10GB per database) is filled by more than 70 percent.

In the following you will find some hints on how to react to a corresponding message in the console.

Warning Levels

NoSpamProxy warns you about a full database in two stages:

When the database is 70% full
  • a message is added to the event log,
  • a message is displayed under Incidents on the NoSpamProxy console start page, and
  • a notification is sent to the set administrator email address.
When the database is 90% full
  • a message is added to the event log,
  • a warning is displayed on the NoSpamProxy console start page under Incidents, and
  • a notification is sent to the set administrator email address.

What are possible reasons for a full database?

  • The configured period of message tracking and its details (monitoring) is too long.
  • There are problems with communication between two or more NoSpamProxy roles.
  • Expired data has not been properly deleted from the database.

How to analyse the database

To find out why the database has reached the respective size, proceed as follows:

  1. Install Microsoft SQL Management Studio on the system on which the affected database is installed.
    Microsoft SQL Management Studio is available free of charge from the Microsoft website.
  2. Start SQL Management Studio.
  3. Log on to the SQL instance where the database is located.
    These instances are usually called (local)\SQLEXPRESS or (local)\NOSPAMPROXY.
  4. After successfully logging on, execute the following SQL queries (depending on the NoSpamProxy role involved); to do this, you only need to change the first row to the following databases:

Intranet Role:
USE [NoSpamProxyAddressSynchronization]

Gateway Role:
USE [NoSpamProxyDB]

Web Portal:
USE [enQsigPortal]

-- Change this first line to the database of the role you are analysing.
USE [NoSpamProxyAddressSynchronization]
GO
-- List every user table with its row count and used space, largest first.
-- ROLLUP adds a 'Total' row for the whole database.
SELECT
    ISNULL(t.name, 'Total') AS TableName,
    s.name AS SchemaName,
    p.rows AS RowCounts,
    -- used_pages counts 8 KB pages; convert to MB
    CAST(ROUND(((SUM(a.used_pages) * 8) / 1024.00), 2) AS NUMERIC(36, 2)) AS SizeInMB
FROM
    sys.tables t
INNER JOIN
    sys.indexes i ON t.object_id = i.object_id
INNER JOIN
    sys.partitions p ON i.object_id = p.object_id AND i.index_id = p.index_id
INNER JOIN
    sys.allocation_units a ON p.partition_id = a.container_id
LEFT OUTER JOIN
    sys.schemas s ON t.schema_id = s.schema_id
WHERE
    t.name NOT LIKE 'dt%'
    AND t.is_ms_shipped = 0
    AND i.object_id > 255
GROUP BY
    ROLLUP(t.name, s.name, p.rows)
-- Keep the per-table rows and the grand total; drop the intermediate subtotals.
HAVING p.rows IS NOT NULL OR (p.rows IS NULL AND t.name IS NULL)
ORDER BY
    SUM(a.used_pages) DESC
GO

How can the results be interpreted and solved?

In the output of the SQL script you can find an overview of all existing tables of the database as well as information about their size.


There are two specific tables that should be empty in normal operation or whose entries should change constantly each time they are called:

  • DataReplication.Artefact

  • MessageTracking.LegacyMessageTrackEntry


If data accumulates in these tables and does not decrease again, this indicates that problems exist. These must be clarified and solved by the NoSpamProxy support. In this case, please contact the partner responsible for you or – if you have purchased manufacturer support – the NoSpamProxy support directly.

All other scenarios indicate that the storage period for message tracking is too long, which you can edit and reduce in the NoSpamProxy console under Configuration > Advanced Settings > Monitoring. The reduction usually takes up to 24 hours, so that a result is usually not visible until the next day.
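A quick check of the fill level against the two warning levels, together with the row counts of the two tables named above, as an added example that is not part of the original article or NoSpamProxy's own tooling. It assumes the fill level is measured as allocated data-file size against the 10 GB limit; how NoSpamProxy itself calculates the percentage is not stated here.

```sql
-- Added example. Change the database name per role, as in the query above
-- (NoSpamProxyAddressSynchronization, NoSpamProxyDB or enQsigPortal).
USE [NoSpamProxyDB];
GO
-- Assumption: only data files (type ROWS) count towards the 10 GB limit of
-- SQL Server Express; the transaction log is excluded.
DECLARE @LimitMB decimal(18, 2) = 10 * 1024;

WITH DataFiles AS (
    SELECT
        -- size and SpaceUsed are both reported in 8 KB pages
        SUM(CAST(size AS bigint)) * 8 / 1024.0 AS AllocatedMB,
        SUM(CAST(FILEPROPERTY(name, 'SpaceUsed') AS bigint)) * 8 / 1024.0 AS UsedMB
    FROM sys.database_files
    WHERE type_desc = 'ROWS'
)
SELECT
    DB_NAME() AS DatabaseName,
    CAST(AllocatedMB AS decimal(18, 2)) AS AllocatedMB,
    CAST(UsedMB AS decimal(18, 2)) AS UsedMB,
    CAST(100.0 * AllocatedMB / @LimitMB AS decimal(5, 1)) AS PercentOfLimit,
    CASE
        WHEN AllocatedMB >= 0.9 * @LimitMB THEN 'second stage (90%)'
        WHEN AllocatedMB >= 0.7 * @LimitMB THEN 'first stage (70%)'
        ELSE 'below warning levels'
    END AS WarningLevel
FROM DataFiles;
GO
-- Row counts of the two tables that should be empty or constantly changing.
-- A table that does not exist in the selected database returns no row.
SELECT
    s.name + '.' + t.name AS TableName,
    SUM(p.rows) AS RowCounts
FROM sys.tables t
INNER JOIN sys.schemas s ON s.schema_id = t.schema_id
INNER JOIN sys.partitions p
    ON p.object_id = t.object_id AND p.index_id IN (0, 1)  -- heap or clustered index only
WHERE (s.name = 'DataReplication' AND t.name = 'Artefact')
   OR (s.name = 'MessageTracking' AND t.name = 'LegacyMessageTrackEntry')
GROUP BY s.name, t.name;
GO
```

Running the second query a few times over several minutes shows whether the row counts drain or only grow.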


It is common that not only the user who originally performed the installation needs to perform updates, but also other administrator accounts. To do this, it is necessary to set up the appropriate permissions for these additional users. The corresponding steps are described below:

  1. Notes
      • All steps apply to all roles of NoSpamProxy; they differ only in the database names.
        • Database Intranet Role: NoSpamProxyAddressSynchronization
        • Database Gateway Role: NoSpamProxyDB
        • Database Web Portal: enQsigPortal
      • Users and user groups (local or in the domain) can be registered.
      • Log on with the user with which the installation was performed.
  2. Install the SQL Management Studio.
  3. Open SQL Management Studio and log on to the local instance that contains the NoSpamProxy database(s), using Windows authentication.
  4. Expand the Security folder and the Logins folder.
  5. Right-click on the “Logins” folder and select “New Login” from the context menu.
  6. Under “General”, select the user to be added, but keep the “Windows Authentication” item.
  7. Under “Server Roles” tick the checkbox for “sysadmin”.
  8. Under “User Mapping”, check the corresponding database and additionally activate the role “db_owner”.
  9. All other settings are optional.
  10. Save the new login and close SQL Management Studio.

To verify access, log on to the system with the added user, open SQL Management Studio, and check whether you can view the database tables. If this works, access is set up.
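The same login, server role and database mapping can be set up and checked with T-SQL instead of the dialogs. This is an added example, not part of the original article; the account name CONTOSO\NspUpdateAdmins is a constructed placeholder, and the database shown is the Gateway Role database (use the other database names from the notes for the other roles).

```sql
-- Added example. [CONTOSO\NspUpdateAdmins] is a constructed placeholder for
-- the Windows user or group that should be able to perform updates.
USE [master];
GO
-- Steps 5 and 6: create the login and keep Windows authentication
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\NspUpdateAdmins')
    CREATE LOGIN [CONTOSO\NspUpdateAdmins] FROM WINDOWS;
GO
-- Step 7: server role sysadmin
ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\NspUpdateAdmins];
GO
-- Step 8: map the login to the NoSpamProxy database and add it to db_owner
USE [NoSpamProxyDB];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\NspUpdateAdmins')
    CREATE USER [CONTOSO\NspUpdateAdmins] FOR LOGIN [CONTOSO\NspUpdateAdmins];
GO
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\NspUpdateAdmins];
GO
-- Verification: returns 1 if the login is a member of sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin', N'CONTOSO\NspUpdateAdmins') AS IsSysadmin;

-- Verification: lists the database roles held by the mapped user
SELECT m.name AS MemberName, r.name AS DatabaseRole
FROM sys.database_role_members drm
INNER JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
INNER JOIN sys.database_principals m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'CONTOSO\NspUpdateAdmins';
GO
```

The two verification queries are also a convenient way to review later which accounts still hold these rights.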


PDF conversion, as part of Content Disarm and Reconstruction (CDR), converts Microsoft Word, Microsoft Excel and PDF documents into secure PDF files by removing any active content. The PDF file can then be opened without any concerns, with the original file either left attached to the email or removed. CDR is a feature in NoSpamProxy Protection and in conjunction with NoSpamProxy Large Files provides an optimal way to disarm unsafe documents and retain the original files.

CDR is configured in the “Content filter actions” and then applied to the corresponding emails via the “Content filters”. A training video on the content filters can be found at https://www.nospamproxy.de/de/support/trainingsvideos/ (German only).

This conversion process is very time-consuming and not all documents can be converted. We have built in a protection mechanism so that the unsafe attachments are not delivered, even if the conversion fails.

  • If only Protection, but not Large Files, is licensed, the email for which the conversion did not work is first stored under “Monitoring > Emails on hold” and the configured administrator is informed. The administrator then has the task of checking the email and can then either download it as an EML file and forward it via Outlook or deactivate/change the content filter for this email for a limited time and force delivery again.
  • If Protection and Large Files are licensed, the original file will be uploaded to the Web Portal if the conversion fails (if desired even if the conversion was successful), but it will be locked there, so that it must also be released by the administrator, deviating from the settings for the successful conversion. The prerequisite for this is the setting “Upload the original document to the Web Portal” in the Content Filter action.
    The email itself is delivered to the recipient, with the corresponding information for downloading, but without the converted PDF file, as this was not possible.

This protective mechanism cannot be changed or influenced.

Note

Since the conversion component is provided by a third-party provider, we have only very limited influence on it. If the conversion cannot be performed to your satisfaction, please send us the file to be converted, if possible. Make sure that the file does not contain any personal data. We will then make this file available to the third-party provider for analysis. We would like to point out that feedback on our part is not possible, as the adaptation process can be very lengthy.