Mimecast - Spam and Malware Filtering

User Email Digest

This is a report sent to users which gives details of any emails sent to you that Mimecast has placed in the Hold queue. The hold means that suspicious emails will not simply enter your inbox. The digest is sent from [email protected] and gives details for the emails that have been identified as potential spam and/or have specific types of attachments. 
You can find out more about the digest on the Mimecast Central website 

Spam Scanning

The spam scanning function rejects spam and malware. Mimecast's multiple scanning engines examine the content of inbound mail by searching for key phrases and identifiers commonly used by spammers. These scanning checks can use: 

  • Content matching rules 
  • DNS (domain name system) based filtering 
  • Checksum based filtering 
  • Statistical filtering. 

More detailed information about Mimecast’s Spam scanning policies and setup can be found on the Mimecast Central website. 

Suspected Malware Scanning

This blocks commonly exploitable document types and protects against zero-day threats. Mimecast’s Zero Hour Adaptive Risk Assessor (ZHARA) uses deep level anomaly detection and trending against its entire customer base to provide protection against previously unknown and zero-day malware and spam outbreaks. 

More detailed information about Mimecast’s Malware scanning policies and setup can be found on the Mimecast Central website 

Greylisting

Greylisting is a default compliance check applied to all inbound messages from connections not previously seen by Lincoln University. If the sender's mail server (Message Transfer Agent - MTA) complies with best practice guidelines (RFC compliance) the message will be delivered to your inbox (The vast majority of spam is sent from applications designed specifically for that purpose, which adopt a "fire-and-forget" method where they attempt to send spam to one or more MX hosts for a domain, but never attempt a retry). By using greylisting policies, any messages sent from an incorrectly configured MTA aren't accepted, helping to reduce the amount of spam. 

More detailed information about Mimecast’s Greylisting and setup can be found on the Mimecast Central website 

Content Examination

This part of Mimecast scans and analyses the content of messages, looking for matches against data types we have defined. It sets the conditions that mark a message as safe, and what action the system will take if it isn't. 

More detailed information about Mimecast’s Content Examination and setup can be found on the Mimecast Central website.

Blocked senders and DNS Authentication

Blocks and Permits – This rejects or Whitelists messages based on address, domain, and/or IP address. 

  • Blocked senders: A Blocked Senders policy restricts messages to or from specific email addresses or domains. It can apply to inbound or outbound messages, although is typically used to block inbound messages. 
  • Permitted Senders: Permitted Senders policies ensure successful delivery of inbound messages from trusted sources. Messages from trusted senders bypass Mimecast’s reputation and spam checks, avoiding the possibility of being rejected or placed in the hold queue. This is useful in situations where the sender's mail server is listed in an RBL, or for messages flagged by our content checks. 

More information on Mimecast’s blocked and permitted senders and setup can be found on the Mimecast Central website - blocked senders, and permitted senders. 

DNS Authentication (Inbound) – DNS Authentication policies control the types of email authentication checks performed when a message is sent or received. The following systems work by defining extra DNS records for the sending domain: 

  • Sender Policy Framework (SPF): This is an open standard for email authentication that tells you whether the IP address connecting to us is permitted to send mail for that domain. SPF validates the connecting IP address, by looking up the DNS record for the domain in the envelope MAIL FROM or HELO/EHLO. 
  • Domain Keys Identified Mail (DKIM) Signing: A signature is added to outbound messages, which is used to determine if the contents have been tampered with. DKIM validates the contents of the message body and headers, by creating a cryptographic hash (or signature) and adding it as a new header to the message. It confirms that a message's content was sent from a specific domain, by matching the signature to the DNS records. 
  • Domain Based Message Authentication, Reporting and Conformance (DMARC): This is an email validation system that builds protection on top of the SPF and DKIM mechanisms. It is designed to detect and prevent email spoofing. 

More information on Mimecast’s DNS Authentication and setup can be found on the Mimecast Central website.

Targeted Threat Protection and Anti-Spoofing Policies

Targeted Threat Protection (URL Protect)

This is an email security technology that protects users against spear-phishing and targeted attacks in email. It provides Lincoln University with the following benefits: 

  • Instant protection from targeted attacks and spear phishing attempts across all devices, without any client-side software 
  • Protection against good websites turning bad or delayed exploits 
  • Centrally managed, rapid deployment without any additional infrastructure to maintain 
  • Centrally visible administrative monitoring and reporting on user activity. 

More information on Mimecast’s URL Protect and setup can be found on the Mimecast Central website 

Targeted Threat Protection Attachment Protect

This Mimecast function is an advanced service that protects against the growing risk of spear phishing and other targeted attacks using email attachments. This protection is provided on all devices used for the end user's Lincoln email account, including smartphones or tablets, whether they are provided directly by the Lincoln or not. 

This feature strips attachments from inbound messages that could potentially contain malicious code (e.g. PDF, Microsoft Office files) and replaces them with a clean, transcribed version. Recipients have instant access to these clean attachments, but can request access to the original files via the sandbox by clicking a link in the notification. When an original attachment is requested, a detailed security analysis is performed on the file before it is provided to the user. This safe file approach eliminates the latency inherent in traditional sandbox solutions, confining wait time to only the minority of instances where an editable document is required. 

More information on Mimecast’s Attachment Protect and setup can be found on the Mimecast Central website. 

Targeted Threat Protection - Impersonation Protection

This feature protects against phishing, whaling and other socially engineered attacks. The increasing number of "whaling" attacks, usually targeting an organization's senior management, means additional protection is required against email threats that do not contain attachments or URLs. Traditional spam filtering systems are unable to detect these as suspicious, due to their minimal content. Targeted Threat Protection - Impersonation Protect solves this by: 

  • Looking for combinations of key identifiers commonly found in these attacks. 
  • Tagging a message to make it clear that it is coming from outside our organization. 

More information on Mimecast’s Impersonation Protect and setup can be found on the Mimecast Central website 

Anti-Spoofing policies

Spoofing is forging email headers so messages look like they from someone other than the actual source. This tactic is used in phishing and spam campaigns as recipients are more likely to open a message that looks legitimate. Anti-spoofing policies ensure external messages appearing to come from an internal domain are blocked. 

More details on Mimecast’s Anti-Spoofing policies and setup can be found on the Mimecast Central website

Mimecast Impersonation Protection

What’s happening?  

We are adding additional checks to incoming email to reduce the number of impersonation emails that are getting through, with particular attention being paid to senior management and other people with financial delegation 

What will I notice?  

Depending on the level of risk, messages will either be placed on hold or delivered with the tag [SUSPICIOUS] added to the subject line. 

Tell me more 

Mimecast’s Impersonation Protection is an additional layer of security, which scans email looking for criteria commonly used by phishers to impersonate users within an organisation. The following criteria are used to determine how risky the email is: 

  • Similar domain. Example - lincoln.org.nz, lincolnuni.org.nz, lincolnuni.nz, etc. 
  • New or recently created domaine.g.. Example - sharepoint-lincoln.com registered 24 hours ago 
  • Internal username: first and last name is the same as an internal display name. Example - [email protected] (would flag my genuine [email protected]) 
  • Reply-to mismatch. Example - From: [email protected] (Reply to: [email protected]) 
  • Target Threat Dictionary: header/subject/message body scans for suspicious words like invoice urgent payment etc. 

Messages are either passed through, marked up or placed on administrative hold depending on how many of the criteria are met and whether the user has financial delegation. 

For recipients with financial delegation: a message that meets two or more criteria will be marked [SUSPICIOUS] and delivered to the Inbox. For everyone else, a message that meets three or more criteria will be placed on administrative hold and will appear in the held message digest report. Administratively held messages must be released by the IT Service Desk.