Default Rules
System Rules
Rule name | Description |
---|---|
(Default) Signature Verification | Adds an Authentication header ( |
(Default) Invalid Sending Domain | Verifies if a connection can be created with the sender domain, and checks it for the presence of a valid MX record and host. It also checks if the remote server responds to a |
(Default) FROM Address Check | Checks if the address in the header exists in any deny lists. If triggered, adds 144 to the spam score. |
(Default) CoreService Spam | Uses a combination of core anti-spam services to check for specific patterns, characteristics and attributes that would appear in a spam message. If triggered, it adds 180 to the spam score. |
(Default) CoreService Malware | Uses a core service to check attachments for malware using heuristic analysis. If triggered, it adds values to the virus score. |
(Default) CoreService Phishing | Checks and classifies the email as a known phishing attempt. These are messages detected as phishing either by heuristic analysis or through a fraudulent link found in them. If triggered, it adds 699 to the spam score. |
(Default) CoreService2 Spam | Checks if messages have the characteristics of a known spam outbreak from confirmed spam sources. If triggered, it adds 181 to the spam score. |
(Default) CoreService2 Suspect | Checks if messages have the characteristics of a mass distribution outbreak from sources that are not confirmed spammers, but are considered as spam. If triggered, it adds 111 to the spam score. |
(Default) Password Protected Attachment | Looks for password-protected zip and PDF files, and adds a message header if such a file is found. |
(Default) System Malware Detection | Runs the email and attachments through commercial anti-virus engines and checks it against known malware and threats. If triggered, it adds 108 to the virus score. |
(Default) Bitdefender AV | Runs the email and attachments through commercial anti-virus engines for known malware and threats. If triggered, it adds 110 to the virus score. |
(Default) SWL Safe List | Checks the IP of the sender against the commercial Safe White List. If listed, it subtracts 100 from the spam score. |
(Default) System Malware Detection | Runs the email and attachments through commercial anti-virus engines for known malware and threats. If triggered, it adds 108 to the virus score. |
(Default) Bitdefender AV | Runs the email and attachments through commercial anti-virus engines for known malware and threats. If triggered, it adds 110 to the virus score. |
(Default) Blog Spam | Looks for known blog spam entries in the message body and subject. If triggered, it adds 110 to the spam score. |
(Default) URL Scanner | Verifies the URLs in the email and checks their reputation using a subset of the LinkScan rule method. |
(Default) Automatically add outbound recipients to Personal Safe List | Automatically adds all recipient email addresses to the personal safe list for outbound emails. Note: This rule is disabled by default. |
(Default) Email Banner | Adds your customized branding to all emails. Note: This rule is disabled by default. |
(Default) Apply DKIM signing | Applies a DKIM entry to outbound emails. |
(Default) Domain Name Detection | Detects external spoof emails that use your company domain within the Display Name (generated by the FROM header) to trick users into believing it is an internal or legitimate message. If triggered, it adds to the spam score. Note: This rule is disabled by default. |
Standard Rules
Rule name | Description |
---|---|
Opportunistic TLS | Marks the email for delivery by TLS if the remote server supports it. If not supported, non-TLS/Plain SMTP will be used. |
Macro and VBA Detection | Scans Macro, VBA, and Office documents for malware. This includes Note: This rule is disabled by default. |
HTML attachments | Checks emails from senders not in safe lists for any attachment with an HTML variant attachment name. If triggered, it adds 123 to the virus score. Note: Used if the Sandbox feature is not licensed. |
Virus | Sends the message to the company quarantine if the virus score is greater than 30. |
Advanced Email Sandbox | Sends all attachments in the email to a sandbox environment where they will be scanned for any possible threats. The email will not be sent to the recipient until the attachments have been scanned. You can configure the rule to remove attachments and replace them with a report if a threat is found. Note: This rule only applies if the add-on is licensed. New EMS companies have the feature activated by default. Users of existing companies will be prompted to activate the feature when logging in to the Email Security console. Important: The Send Attachments to Sandbox rule should always be placed below the Virus rule. |
DMARC Fail | Checks the Authentication header added by the (Default) Signature Verification rule. If the value is failed and the sender domain has reject/quarantine in its published DMARC policy, the email will be quarantined. |
Spoofed Messages | Checks the Authentication header added by the (Default) Signature Verification rule. If the value is failed and the domain of the sender is configured as a domain for your account, the rule will add 140 to the spam score. |
Executive Tracking | For more information on this rule refer to this kb article. |
Nearby Domain | For more information on this rule refer to this kb article. |
CoreService Suspect | Uses a core service to check if the email may cause financial or other damage. It checks for references to money transfers or requests for personal information. If triggered, it will add 105 to the spam score. |
Script and Executable Files | Looks for any of the following file types, and adds 178 to the spam score if such a file is detected: |
LinkScan | For more information on this rule refer to this kb article. |
High Reputation Marketing | This rule identifies emails received from professional and known routing platforms that follow standard rules for email advertising (they provide unsubscribe lists, list cleaning, etc.). If triggered, it adds the [Marketing High] prefix to the email subject line. |
Medium Reputation Marketing | This rule identifies emails that were not sent through well-known routing platforms, but that still follow standard rules for email advertising. If triggered, it adds the [Marketing Medium] prefix to the email subject line. |
Low Reputation Marketing | This rule identifies emails that were not sent through well-known routing platforms and do not follow standard rules for email advertising. If triggered, it adds 109 to the spam score. |
SPF Fail | Checks the SPF status of the sender's domain. If the status is |
Confirmed Phishing | Places all messages from senders not in a safe list with a spam score over 699 in the company quarantine. |
Confirmed Spam | Places all messages from senders not in a safe list with a spam score over 140 in the company quarantine. |
Possible Spam | Places all messages from senders not in a safe list with a spam score over 100 in quarantine. |
Deliver Inbound | Routes email to DomainRoute. No NDR is sent back outbound if the customer's email server rejects the message. The message will remain in the queue for 144 hours before it expires. For more information refer to this kb article. Note: This rule is locked and cannot be changed or disabled. |
Disclaimer | For this Rule to be triggered, the email has run through all the other Rules, and been considered safe. If you have a company-wide disclaimer that must be appended to the email, this Rule will add it. The Disclaimer rule is only created if a disclaimer has been added. |
Deliver Outbound | Routes to MX records. An NDR will be sent to the local sender if delivery fails, with an expiry of 4 hours. For more information refer to this kb article. Note: This rule is locked and cannot be changed or disabled. |
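
The score values and quarantine thresholds listed above can be combined to predict where a message ends up. The following is an added example, not product code: it assumes scores are summed across triggered rules, that the Virus rule is checked before the spam quarantine rules, that those are checked in table order with the first match deciding, and that "over N" means strictly greater than N. The names `scores` and `disposition` are hypothetical.

```python
# Added illustration. Score values and thresholds are the ones in the tables
# above; additive scoring and first-match evaluation are assumptions.
SPAM_DELTAS = {
    "FROM Address Check": 144, "CoreService Spam": 180,
    "CoreService Phishing": 699, "CoreService2 Spam": 181,
    "CoreService2 Suspect": 111, "SWL Safe List": -100,
    "Blog Spam": 110, "Spoofed Messages": 140,
    "CoreService Suspect": 105, "Script and Executable Files": 178,
    "Low Reputation Marketing": 109,
}
VIRUS_DELTAS = {
    "System Malware Detection": 108, "Bitdefender AV": 110,
    "HTML attachments": 123,
}
VIRUS_THRESHOLD = 30
# Spam quarantine rules in table order: (rule name, threshold, destination).
SPAM_RULES = [
    ("Confirmed Phishing", 699, "company quarantine"),
    ("Confirmed Spam", 140, "company quarantine"),
    ("Possible Spam", 100, "quarantine"),
]

def scores(triggered):
    """Return (spam_score, virus_score) for a list of triggered rule names."""
    unknown = [r for r in triggered if r not in SPAM_DELTAS and r not in VIRUS_DELTAS]
    if unknown:
        raise ValueError(f"no score listed for: {unknown}")
    spam = sum(SPAM_DELTAS.get(r, 0) for r in triggered)
    virus = sum(VIRUS_DELTAS.get(r, 0) for r in triggered)
    return spam, virus

def disposition(triggered, sender_in_safe_list=False):
    """Return (deciding rule, destination) under the assumed model."""
    spam, virus = scores(triggered)
    if virus > VIRUS_THRESHOLD:  # Virus rule: "greater than 30"
        return "Virus", "company quarantine"
    if not sender_in_safe_list:  # spam rules only cover senders not in a safe list
        for name, threshold, dest in SPAM_RULES:
            if spam > threshold:  # "over N" read as strictly greater
                return name, dest
    return "Deliver Inbound", "delivered"

# Constructed sample messages: lists of the rules each one triggered.
if __name__ == "__main__":
    for hit in (["CoreService Spam"], ["CoreService Spam", "SWL Safe List"],
                ["CoreService Phishing"], ["Bitdefender AV"]):
        print(hit, scores(hit), disposition(hit))
```

Read strictly, the 699 that (Default) CoreService Phishing adds on its own is not over 699, and the 140 from Spoofed Messages is not over 140; this page does not say whether the product treats those thresholds as inclusive.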