info icon

How to block, filter or quarantine attachments

Emails are a popular medium for distributing malware. While most malicious attachments are reliably detected by the integrated CYREN Antivirus Filter, new malware can occasionally go undetected. With the help of NoSpamProxy, however, it is possible to block potentially harmful attachments, to allow only senders considered trustworthy by the Level of Trust or to quarantine them.

Please note that the quarantine functionality requires a working Web Portal and Large Files license.

Creating a content filter to block, filter or quarantine attachments

  1. Go to Configuration > Content filter > Content filters.
  2. Click Add, enter a name for the filter and click Next.
  3. In the Content filter entries dialog, click Add.
  4. In the Content filter entry dialog, enter a name for the entry and configure the entry according to your requirements.
  5. Click Save and close.
  6. (Optional) Repeat steps 3 and 4 if needed.

Content Filter

Activating the content filter for all inbound emails

  1. Go to People and identities > Partners > Partners > Default partner settings and click Modify.
  2. On the Content filtering tab, for inbound emails select the filter you just created.
  3. Click Save and close.

Selecting the content filter

It is also possible to define your own content filtering for individual senders, e.g. to allow certain attachments from certain senders that are otherwise prohibited.

To do this, adjust the respective content filter according to your requirements and activate it

  • for the entire sender domain (e.g. example.com) or
  • for individual users within a domain (e.g. “support” as part of example.com, i.e. support@example.com).

Please note that these filters will override the global and domain-specific default settings.

List of potentially harmful attachments and recommended procedure

Please note that these are only recommendations of a general nature and are not suitable in every scenario.

Starting with version 11.1 you can automatically release files after a period of time (default 2 hours) after a new scan by the Cyren engine has been performed and returned no positive results. This procedure is especially recommended for attachments to be quarantined according to the list below. Usually, malicious content is detected after 30 minutes at the latest. While the content is not yet detected as harmful when it arrives, this can often be the case after a short time.

List of potentially harmful attachments

/by
info icon

Emails are rejected with a Base64 error

Error:
Emails are rejected by NoSpamProxy even though the Level of Trust Filter has marked them as trusted. In message tracking and in NDR the following reason is given:
“A part of the email could not be decoded. System.formatException: Invalid character in a Base-64 string.”

The following error message is displayed in message tracking:
“The Base64 encoded content was invalid.”

Status:
The problem with the email in question is the NoSpamProxy security check. NoSpamProxy detects a conflict with the RFC’s in the body. It does not have a Base64 encoding and is therefore rejected. This security check can only be disabled in the configuration file of NoSpamProxy.

Solution 1:
Version 7.x and 8.x:

The configuration file to be changed is called “antispamrole.config” and is located in the program directory of NoSpamProxy under “..\nospamproxy\AntiSpam Role\config”. Please note that you can only save the file when the NoSpamProxy service is finished. Otherwise the change will be discarded.

Please search for the following line in the file first:

</netatwork.nospamproxy.proxyconfiguration>

Insert the following key directly above this line:
<dispatchInvalidMails isEnabled="true" />

The result should look as follows:
<dispatchInvalidMails isEnabled="true" />
</netatwork.nospamproxy.proxyconfiguration>

Save the file and restart the NoSpamProxy Service. Now the emails should be received.

From version 9.x:

From Net at Work Mail Gateway 9.x or NoSpamProxy 10.x:
The configuration file to be changed is called “Gateway Role.config” and is located under “C:\ProgramData\Net at Work Mail Gateway\Configuration”. Please note that you can only save the file when the gateway role is finished. Otherwise the change will be discarded. The change must be made on all gateway roles.

Please search for the following line in the file first:

</netatwork.nospamproxy.proxyconfiguration>

Insert the following key directly above this line:
<dispatchInvalidMails isEnabled="true" />

The result should look as follows:
<dispatchInvalidMails isEnabled="true" />
</netatwork.nospamproxy.proxyconfiguration>

Save the file and restart the Gateway Role. Now the emails should be received.

Solution 2:

Version 7.x and 8.x:

Alternatively or additionally there is the possibility of a repair attempt by the Net at Work Mail Gateway. It will then try to ignore the superfluous characters or to fill in the missing characters to get a valid encoding. This does not always work, but can be helpful.

The configuration file to be changed is called “antispamrole.config” and is located in the program directory of NoSpamProxy under “..\nospamproxy\AntiSpam Role\config”. Please note that you can only save the file when the NoSpamProxy service is finished. Otherwise the change will be discarded.

Please search for the following line in the file first:

</netatwork.nospamproxy.proxyconfiguration>

Insert the following key directly above this line:
<encodingOptions invalidBase64LengthHandling="IgnoreExtraCharacters" />

The result should look as follows:
<encodingOptions invalidBase64LengthHandling="IgnoreExtraCharacters" />
</netatwork.nospamproxy.proxyconfiguration>

Save the file and restart the NoSpamProxy Service. Now the emails should be received.

From version 9.x.

The configuration file to be changed is called “Gateway Role.config” and is located under “C:\ProgramData\Net at Work Mail Gateway\Configuration”. Please note that you cannot save the file until the gateway role is closed. Otherwise the change will be discarded. The change must be made on all gateway roles.

Please search for the following line in the file first:

</netatwork.nospamproxy.proxyconfiguration>

Insert the following key directly above this line:
<encodingOptions invalidBase64LengthHandling="IgnoreExtraCharacters" />

The result should look as follows:
<encodingOptions invalidBase64LengthHandling="IgnoreExtraCharacters" />
</netatwork.nospamproxy.proxyconfiguration>

Save the file and restart the Gateway Role. Now the emails should be received.

Both solutions do not work together until version 9.2. If you choose solution 2, there is no fallback to solution 1 if the Base64 decoder cannot repair the email. Starting with NoSpamProxy 10 both can be used together.

/by
info icon

How to set up header-based routing

,

Starting with NoSpamProxy 9.2, header-based routing is available. The setting is only configurable via the configuration file itself. In order to use header-based routing, proceed as follows:

  1. Create a connector for the respective emails.
  2. Edit the files “Intranet Role.config” and “Gateway Role.config” in the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration\” as explained in steps 3 to 5.
  3. In the respective files, search for the connector that you created in the first step.
  4. In the connector settings, find the following tag:
    <headerMatches comparisonMode="Or" />
  5. Modify the tag to look like this:
    <headerMatches comparisonMode="Or">
    <match headerName="name" value="value" />
    </headerMatches>

Now you can make the appropriate settings. You can also search for several header values and combine the search function with an AND operator. The entry will look as follows:
<headerMatches comparisonMode="And">
<match headerName="name" value="value" />
<match headerName="name" value="value" />
<match headerName="name" value="value" />
</headerMatches>

Also make this change in the “Gateway Role.config” file.

IMPORTANT
Before you save the configuration file, you must stop the corresponding service. Only then can you save the configuration file properly.

/by
info icon

How to query Windows Performance Counter with PRTG

This Knowledge Base article describes the integration of the NoSpamProxy Performance Counter in PRTG.

The following performance counters are available on the server with the NoSpamProxy Gateway Role and can be integrated into PRTG.

——————————————————————————————————

\NoSpamProxy Queues(_total)\Currently active

\NoSpamProxy Queues(_total)\Delay notifications sent

\NoSpamProxy Queues(_total)\Network failures

\NoSpamProxy Queues(_total)\Non delivery Reports sent

\NoSpamProxy Queues(_total)\Pending mails

\NoSpamProxy Queues(_total)\Relay notifications sent

—————————————————————————————————–

In PRTG, select the device (Gateway Role Server) and add a “PerfCounter Custom” sensor (right-click).

When searching for the sensor to be created, restrict it via Custom Sensors/Performance Counters.

  • The sensor name can be freely assigned
  • Under “List of Counters” one of the above (cut and paste) must be specified.
  • The interval is inherited from the host by default, but can also be defined (see below).
    Then, click Create.

NoSpamProxy Performance Counter für PRTG

/by
info icon

No content can be displayed in the Management Console for user A, but for user B

Error:

The NoSpamProxy Management Console can be started, but crashes if a submenu is opened. This problem does not occur with another or new users.

Status:

The NoSpamProxy Management Console creates temporary files in the temporary folder of the user directory. However, this folder contains more than 65,535 files, which leads to problems in the NTFS file system.

Solution:

The affected user executes the following command via Start -> Run:

rmdir /s /q %temp%

When the operation is complete, the console will function properly again.

/by

Smartcards over remote USB connections do not work

Error:

If smartcard readers are used that are controlled via a network USB port, either the smartcard or the token on the smartcard itself is not displayed.

Status:

This error occurs whenever the connection is established in an RDP session.

Solution:

The smartcard connection via a network-based USB connection should be established via the Hyper-V Manager or the VMWare Manager via a direct connection to the VM.

/by
info icon

The event viewer repeatedly displays warning 1088

Behaviour:

The event viewer repeatedly shows the following message:

---------------
Gateway Role 1088:
Could not secure an inbound connection with the host 192.168.0.100:53627.
Die angegebenen Daten konnten nicht entschlüsselt werden
Error type:
System.ComponentModel.Win32Exception
Error number:2147500037
Program location:
---------------

As a result, an SChannel error will appear in the Windows applications event viewer. It may look like this:
---------------
SChannel 36887:
Es wurde eine schwerwiegende Warnung vom Remoteendpunkt empfangen. Die schwerwiegende Warnung hat folgenden für das TLS-Protokoll definierten Code: 51.
---------------

Please note that ID and code may differ.

Explanation:

Windows 2008 R2 and later does not support older, weak cipher suites, which are considered cracked. Therefore, a TLS connection is not established if the delivering server can only process these. As a result, the above-mentioned warnings and errors are logged. The delivering server must then perform a fallback to plain text. For this it is necessary that the delivering server establishes a new connection, since the old connection, where no TLS connection could be established, must be closed.

/by
info icon

Missing Large Files/De-Mail settings after Windows updates

Error:

After installing Windows updates on the Windows servers, a growing number of users are reporting that parts of the Outlook Add-in for NoSpamProxy are no longer displayed. However, the add-in seems to be installed correctly and functioning a expected.

With the latest Windows updates, Microsoft has tightened the security settings for access to group policies. As a result, users can no longer retrieve them. Microsoft describes the solution in its Knowledge Base: https://support.microsoft.com/en-us/kb/3163622

/by