General protection settings

26 April 2024

ID 203003

Kaspersky Secure Mail Gateway protects incoming and outgoing mail traffic of the organization. You can configure the following general protection settings:

General protection settings are applied when scanning all messages. You can configure actions taken on messages after the scan and additional settings using message processing rules.

Anti-Virus protection

Kaspersky Secure Mail Gateway performs anti-virus protection of messages: scans email messages for viruses and other threats and disinfects infected objects using the current (latest) version of Anti-Virus databases.

Messages are scanned for viruses and other threats by the Anti-Virus module. The Anti-Virus module scans the body of the message and all attached files in any format (attachments) using the Anti-Virus databases. The Anti-Virus module detects and blocks email attachments that are intended for a limited number of recipients and are components of targeted attacks designed to exploit software vulnerabilities.

You can configure the following settings of the Anti-Virus module:

  • Heuristic analysis
  • Maximum duration of message scan
  • Maximum depth of archive scan
  • Exclusions from scanning for certain legitimate programs that can be used by hackers

Based on the results of the scan, the Anti-Virus module assigns a status to the message:

  • Not detected means the message is not infected.
  • Infected means the message is infected; either it cannot be disinfected, or disinfection has not been attempted.
  • Disinfected means the message was disinfected.
  • Encrypted means the message could not be scanned because it is encrypted.
  • Error means an error occurred when scanning the message.
  • Bases error means the message could not be scanned because of an error while applying the application databases.
  • Intrusion threat means the object can be used by hackers to intrude into the LAN.
  • Not scanned means the message was not scanned in accordance with the application settings.
  • Probably infected means the object contains signs of malware.

The Anti-Virus module is enabled by default. If required, you can disable the Anti-Virus module or disable Anti-Virus scanning for any rule.

Link scanning

Kaspersky Secure Mail Gateway checks whether the links in the body of the message are malicious, advertising, or relevant to legitimate programs that can cause harm to the computer.

You can modify the following settings of link scanning:

  • Maximum duration of message scan.
  • Exclusions from the scan.

    You can disable the detection of advertising links and links relevant to certain legitimate programs.

Based on the results of link scanning, the application assigns one of the following statuses to the message:

  • Bases error means the message could not be scanned because of an application database error.
  • Not detected means the message does not contain any links that would be detectable in accordance with the application settings.
  • Error means the scan returned an error.
  • Detected means the message contains malicious links, advertising links, or links relevant to legitimate programs.
  • Not scanned means the message was not scanned in accordance with the application settings.

Anti-Spam protection

Kaspersky Secure Mail Gateway filters messages passing through the mail server to remove unsolicited mail (spam).

Messages are scanned for spam by the Anti-Spam module. The Anti-Spam module scans each message for signs of spam. First, the Anti-Spam module scans the attributes of the message, such as sender and recipient addresses, size, and headers (including the From and To fields). Second, the Anti-Spam module analyzes the message content (including the Subject header) and attached files.

If spam or probable spam is detected in a message, a certain status is assigned to it depending on the spam rating. The spam rating of a message is an integer number from 0 to 100, which is a sum of points awarded to the message for each time the Anti-Spam module was triggered while processing the message. The spam rating takes into account the results of the SPF scan and reputation filtering of messages.

When the Anti-Spam module is enabled, protection against BEC attacks is automatically enabled. This protection helps recognize spoofed messages from hackers attempting to compromise business correspondence.

You can configure the following settings of the Anti-Spam module:

  • Moebius service.

    The Moebius service compares the current Anti-Spam database used by the application with the database on the Moebius server and determines the difference. Missing entries are then sent to the Control node over HTTPS. To keep the size of transmitted data reasonable and ensure normal functioning of the Moebius server, Anti-Spam databases must be updated on a regular basis.

  • Protection against Active Directory spoofing.

    The Anti-Spam module helps prevent spoofing attacks in which hackers use a fake name (Display Name) in the From message header, and the domain from which the message was sent does not match the domain of the specific organization. You can indicate one Active Directory group containing at most 10 000 users which will be protected against spoofing.

  • Check the reputation of IP addresses and domains.

    This option lets you check SMTP session data based on records of blocked IP addresses and domains in Anti-Spam module databases.

  • Anti-Spam Quarantine.

    Anti-Spam Quarantine is available only if KSN participation is enabled.

    After a message is placed in Anti-Spam Quarantine, the application contacts KSN servers for further scanning of the message. The KSN cloud service improves the accuracy of spam detection because KSN databases contain more up-to-date information than Anti-Spam databases used by the application.

  • Maximum duration of message scan.
  • Maximum storage duration of a message in Anti-Spam Quarantine.
  • Maximum number of messages in Anti-Spam Quarantine.
  • Maximum size of the Anti-Spam Quarantine.
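
The display-name spoofing condition described under "Protection against Active Directory spoofing" can be illustrated with a short check. This is an added example, not Kaspersky code: the organization domain, the protected names, the sample headers and the treatment of subdomains are all assumptions made for the illustration.

```python
import unicodedata
from email.utils import parseaddr

# Assumptions for this sketch, not product settings: the organization's
# domain and the display names of the protected Active Directory group.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = ["Alice Ivanova", "Bob Chen"]


def name_key(name: str) -> frozenset:
    """Order-insensitive key: folds case, Unicode compatibility forms,
    commas and spacing, so 'CHEN, Bob' matches 'Bob Chen'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return frozenset(folded.replace(",", " ").split())


PROTECTED_KEYS = {name_key(n) for n in PROTECTED_NAMES}


def is_display_name_spoof(from_header: str) -> bool:
    """True when the From display name belongs to a protected user but the
    address domain is not the organization's domain."""
    display, addr = parseaddr(from_header)
    if not display or "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Assumption: subdomains of ORG_DOMAIN count as the organization's own.
    in_org = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    return name_key(display) in PROTECTED_KEYS and not in_org


# Constructed sample From headers.
SAMPLE_FROM_HEADERS = [
    "Alice Ivanova <alice.ivanova@example.com>",       # genuine
    "Alice Ivanova <alice.ivanova@mail.example.com>",  # genuine, subdomain
    "Alice Ivanova <ceo-office@example-mail.test>",    # name reused, foreign domain
    '"CHEN, Bob" <bob.chen@examp1e.test>',             # reordered name, look-alike domain
    "Carol Diaz <carol@partner.test>",                 # not a protected name
]


def flag_spoofed(headers):
    """Return the headers that trip the display-name check."""
    return [h for h in headers if is_display_name_spoof(h)]
```
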

Based on the Anti-Spam scan results, the Anti-Spam module assigns one of the following statuses to the message:

  • Not detected means the message does not contain spam.
  • Spam means the message is definitely diagnosed as spam.
  • Probable spam means the message is probably spam.
  • Massmail means the message belongs to a mass mailing campaign.
  • Error means the scan returned an error.
  • Bases error means the message could not be scanned because of an application database error.
  • Formal message means the application treats the message as a formal automatically generated notification (for example, auto-responses by users or notifications about exceeded mailbox size).
  • Not scanned means the message was not scanned in accordance with the application settings.
  • Trusted means the message was received from a sender whose domain is in the list of allowed domains in databases of the Anti-Spam module and the message passed the DMARC sender authentication.

Based on the scan results, the X-MS-Exchange-Organization-SCL X-header is added to the message. This header contains the SCL rating.

By default, the Anti-Spam module is enabled. If required, you can disable the Anti-Spam module or disable Anti-Spam scanning for any rule.

Anti-Phishing protection

Kaspersky Secure Mail Gateway filters messages passing through the mail server to remove phishing.

Messages are scanned for phishing by the Anti-Phishing module. The Anti-Phishing module analyzes the message content (including the Subject header) and attached files.

You can configure the maximum duration of an Anti-Phishing scan.

Based on the results of the scan, the Anti-Phishing module assigns a status to the message:

  • Not detected means the message does not contain phishing URLs, images or text that could trick users into disclosing confidential data to hackers, or links to websites with malware.
  • Phishing means the message was found to contain images or text that could trick users into disclosing confidential data to hackers.
  • Phishing link means the message was found to contain a link to a website with malware.
  • Error means the scan returned an error.
  • Bases error means the message could not be scanned because of an application database error.
  • Not scanned means the message was not scanned in accordance with the application settings.

The Anti-Phishing module is enabled by default. If required, you can disable the Anti-Phishing module or disable Anti-Phishing scanning of messages for any rule.

Content filtering of messages

Kaspersky Secure Mail Gateway can perform content filtering of messages that pass through the mail server. You can restrict transmission of messages with specific parameters by the mail server.

You can configure the following settings of Content Filtering:

  • Maximum duration of message scan
  • Maximum depth of archive scan

As a result of content filtering, the Scan Logic message scanning control module assigns one of the following content filtering statuses to messages:

  • Not detected means the message has not been found to contain any violations of the restrictions specified in content filtering settings.
  • Banned file name means the message contains an attachment with a banned name.
  • Banned file format means the message contains an attachment having a banned file format.
  • Size exceeded means the message exceeds the maximum allowed size.
  • Bases error means the message could not be scanned because of an application database error.
  • Error means the message scan returned an error.
  • Not scanned means the message was not scanned in accordance with the application settings.

By default, Content filtering of messages is enabled. If necessary, you can disable Content Filtering in general protection settings or per rule.

Mail Sender Authentication

Mail Sender Authentication is designed to provide additional protection for your corporate mail infrastructure against spam and phishing.

Kaspersky Secure Mail Gateway uses the following Mail Sender Authentication technologies:

  • SPF authentication (Sender Policy Framework).
  • DKIM authentication (DomainKeys Identified Mail).
  • DMARC authentication (Domain-based Message Authentication, Reporting and Conformance).

SPF Mail Sender Authentication – comparing IP addresses of mail senders with the list of possible message sources that has been created by the mail server administrator.

Kaspersky Secure Mail Gateway receives lists of possible message sources from the DNS server.

Enable SPF message authentication if Kaspersky Secure Mail Gateway receives messages directly from the Internet. Disable SPF message authentication if Kaspersky Secure Mail Gateway receives messages from an intermediate internal server.

DKIM Mail Sender Authentication – verification of the digital signature added to messages.

A digital signature associated with the name of the organization's domain is added to messages. Kaspersky Secure Mail Gateway verifies this digital signature.

DMARC Mail Sender Authentication – verification that determines the policy and actions taken on messages based on the results of SPF and DKIM Mail Sender Authentication.

SPF and DKIM authentication must be enabled to perform DMARC authentication. If SPF or DKIM authentication is disabled, DMARC authentication will also be disabled.

After the message has passed SPF and DKIM authentication, the program verifies that the domain containing the sender address in the From field of the message header matches the SPF and DKIM IDs.

To enable SPF, DKIM, and DMARC Mail Sender Authentication, you must allow Kaspersky Secure Mail Gateway to connect to the DNS server. If the connection to the DNS server is prohibited, SPF, DKIM, and DMARC Mail Sender Authentication is disabled.
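
The comparison of the From domain with the SPF and DKIM identifiers described above is known as identifier alignment. The following added example (not Kaspersky code) evaluates it with the RFC 7489 rule that one passing, aligned mechanism is sufficient; whether the application uses exactly this rule is not stated on this page, and the suffix list, function names and domains are constructed for the illustration.

```python
from email.utils import parseaddr

# Constructed, deliberately tiny stand-in for the Public Suffix List that a
# real evaluator uses to find a name's organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "test", "co.uk"}


def org_domain(domain: str) -> str:
    """Longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """Strict mode needs identical names; relaxed mode needs the same
    organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if not a or not b:
        return False
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_pass(from_header, spf_result, mail_from_domain, dkim_results,
               strict=False):
    """dkim_results is a list of (d= domain, result) pairs, one per signature."""
    addr = parseaddr(from_header)[1]
    from_domain = addr.rpartition("@")[2] if "@" in addr else ""
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, strict)
    dkim_ok = any(result == "pass" and aligned(from_domain, d, strict)
                  for d, result in dkim_results)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Constructed case: SPF and DKIM both pass, but for a domain unrelated
    # to the From address, so the message is not aligned.
    print(dmarc_pass("Billing <billing@example.com>", "pass",
                     "attacker.test", [("attacker.test", "pass")]))
```
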

Based on the results of Mail Sender Authentication, one of the following statuses is assigned to the message:

  • Not detected means authentication violations were not detected in the message.
  • Error means an error occurred during authentication.
  • Authentication failed means authentication could not be performed.
  • Not scanned means the message was not scanned in accordance with application settings.
  • Violation found means at least one authentication was violated.
  • Violation not found means authentication violations were not detected.

By default, all Mail Sender Authentication checks are enabled. If necessary, you can disable any Mail Sender Authentication in general protection settings or per rule.

To let the remote mail server perform Message Sender Authentication of outgoing messages (when the message sender is Kaspersky Secure Mail Gateway), you must take steps to add SPF and DMARC records to the settings of your DNS server.
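
Before publishing the SPF and DMARC records mentioned above, their text can be checked for common mistakes. This is an added example, not part of the product or its documentation: the record strings, the 192.0.2.25 address and example.com are constructed, and the checks follow RFC 7208 and RFC 7489.

```python
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record: str) -> list:
    """Return problems found in an SPF TXT record (empty list if none)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    problems, lookups, all_term, has_redirect = [], 0, None, False
    for term in terms[1:]:
        bare = term.lstrip("+-~?")
        # Mechanism or modifier name: text before ':', '/' or '='.
        name = bare.replace("=", ":").replace("/", ":").split(":", 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_term = term
    if all_term is None and not has_redirect:
        problems.append("no 'all' or redirect: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        problems.append("'+all' authorizes every host to send for the domain")
    if lookups > 10:
        problems.append("more than 10 DNS-lookup terms: evaluation ends in permerror")
    return problems


def lint_dmarc(record: str) -> list:
    """Return problems found in a DMARC TXT record (empty list if none)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: v=DMARC1 is required"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid p= policy tag"]
    if policy == "none":
        return ["p=none requests no action on messages that fail DMARC"]
    return []


# Constructed records for a hypothetical domain whose gateway sends from 192.0.2.25.
SPF_GOOD = "v=spf1 ip4:192.0.2.25 include:_spf.example.net -all"
SPF_OPEN = "v=spf1 ip4:192.0.2.25 +all"
DMARC_GOOD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
DMARC_MONITOR = "v=DMARC1; p=none"
```
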

In this Help section

About computer protection against certain legitimate applications

Configuring the Anti-Virus module

Configuring link scanning

Configuring the Anti-Spam module

Configuring the Anti-Phishing module

Configuring Content Filtering

Configuring external services

Preparing to configure SPF and DMARC Mail Sender Authentication for outgoing messages
