Regardless of whether the mail server is deployed internally or externally, NG-UTM can manage all emails passing through its interfaces.
In the email management section, “Local” means the mail server is deployed inside the network behind NG-UTM: senders on the Internet reach the internal mail server through NG-UTM’s WAN-type interface. Conversely, “Remote” means the mail server is deployed on the Internet: when internal users send email through a WAN-type interface, NG-UTM can manage not only the outbound emails but also the inbound emails that internal users retrieve from the Internet via POP3.
NG-UTM plays a role in email processing somewhat like an email gateway, capable of performing the following functions for incoming and outgoing emails:
1. Virus scanning: Scan incoming and outgoing emails for viruses.
2. Spam filtering: Filter incoming and outgoing emails for spam.
3. Email auditing: Audit incoming and outgoing emails; emails are sent out only after being approved by the email administrator.
4. Email backup: Backup incoming and outgoing emails for future reference.
5. Email communication record query: Detailed logging of SMTP dialogues between mail servers, facilitating administrators in identifying issues related to email sending and receiving.
A typical application scenario is illustrated in the following figure:
NG-UTM can be configured here to enable which functionalities for incoming and outgoing emails: virus scanning, spam filtering, email auditing, and backup.
In addition to basic inbound and outbound email management, NG-UTM also provides protection against hacker attacks targeting mail servers.
For example, if a source IP address sends spam emails to the mail server exceeding a preset threshold, NG-UTM will reject email requests from that IP address.
NG-UTM acts as an email gateway, using mail proxy techniques to intercept every message that passes through it.
After passing through mechanisms such as spam filtering, virus scanning, auditing, and logging, the original emails are then forwarded to the original mail server, supplementing any deficiencies in the mail server’s functionality.
Because NG-UTM itself is not a mail server, for notifying recipients of detected spam emails, it relies on the original mail server to provide valid accounts.
From the perspective of NG-UTM, there are three main actions for incoming and outgoing emails:
1. External to Internal (Local) Mail Server Sending Emails.
2. Internal to External (Remote) Mail Server Sending Emails.
3. Internal to External Mail Server Receiving Emails.
Each action can independently select which functions to execute. (Figure 10-2)
Internal (Local) mail server refers to the mail server within NG-UTM, typically requiring IP mapping or virtual server setup.
External (Remote) mail server refers to a mail server deployed on the Internet, for example, housed in an ISP’s data center.
• SMTP Local Virus Scanning, Email Auditing, Spam Filtering, Backup
[Enable Function]: Whether to enable virus scanning, email auditing, spam filtering, and email backup for external-to-internal SMTP servers.
• SMTP Record Settings
NG-UTM can record detailed SMTP communication logs for each email, including dialogues between mail servers.
This feature helps in identifying reasons for email delivery failures and can be fully or partially enabled at the administrator’s discretion.
[Local]: Offers 3 options: Disable, Accept, All. Default is Disable.
Selecting “Accept” means only logging SMTP records that are permitted and successful in communication with the recipient; blocked SMTP communications are not logged to reduce unnecessary records.
[Remote]: Offers 3 options: Disable, Failures, All. Default is Disable.
Selecting “Failures” means only logging SMTP records where communication with the recipient fails; successful transmissions are not logged to reduce unnecessary records.
[Record Type]: Can log Simple or Detailed versions, with Detailed useful for troubleshooting email transmission issues.
For emails passing through NG-UTM, the system can back them up; backup settings can be configured here.
Backup functionality is limited to:
1. External to Internal (Local) Mail Server Sending Emails.
2. Internal to External (Remote) Mail Server Sending Emails.
3. Internal to External Mail Server Receiving Emails.
These functions are effective only when email backup is enabled.
[Email File Backup]: Attachments in emails are not recorded when the email file size exceeds the configured value. Default is 0, meaning no limit.
[Incoming]: When email file size exceeds the configured value, virus scanning and spam filtering are bypassed; only blacklisting/whitelisting is applied. Default is 640KB.
• Change Source IP Address to Device IP
This function is effective when sending emails from External to Internal (Local) Mail Server, where NG-UTM acts as an email gateway, receiving emails, performing virus scanning and spam filtering, and forwarding the processed emails to the original mail server.
Here, you can specify the source IP address used when sending processed emails to the original mail server.
[SMTP Local Send]: Enable to send emails to the mail server using NG-UTM’s IP address as the source IP address; disable to use the original sender’s mail server IP address as the source IP address.
• Release Carrying Subject
This function applies only when email auditing is enabled. It determines whether text is prepended to the subject line of emails that administrators approve.
[Add Subject]: Enable to prepend text to the subject line of approved emails. Default is disabled.
[Subject Content]: Enter text or insert a timestamp, such as “$Y-$m-$d $H:$i:$s”, to prepend the timestamp of approval to the subject line of approved emails, for example: 2021-5-31 12:12:30.
When NG-UTM filters emails as a mail gateway, it has no email accounts of its own. Unless it is integrated with the accounts of the “near-end” mail server behind it, emails addressed to accounts that do not exist on the “near-end” mail server are queued. These queued emails can never be delivered, and as the queue grows it burdens the NG-UTM system.
To reduce non-local emails, NG-UTM offers two methods: importing email accounts and real-time login to check if accounts exist on the mail server. The real-time check mechanism is suitable when the backend mail server is Microsoft Exchange Server integrated with an AD server. Email account import includes automatic addition and manual import. NG-UTM can also enable automatic learning of accounts.
• SMTP Send Authentication/No Authentication
When users send emails via SMTP, the mail server requests user authentication to prevent it from being used as a gateway for spam. Currently, most mail hosts require authentication, but some internal service mail hosts or those with established Mail Relay relationships may not require SMTP authentication. Therefore, administrators must know whether SMTP authentication is required for the domains NG-UTM’s mail gateway proxies and enter valid account verifications accordingly.
If the backend mail host requires SMTP authentication during SMTP sending, add the proxy domain and account here. Enter the domain name, and all accounts successfully reaching the backend mail host via the gateway will be automatically added to the valid accounts list.
【Enable】: Whether to enable the addition of valid accounts.
【Learning Enable】: NG-UTM automatically learns legitimate and valid accounts and adds them to the email account list. For example, if NG-UTM’s mail gateway receives an email addressed to jean@abc.com and successfully forwards it to the backend mail server, jean@abc.com is automatically added to the valid accounts list, and future emails to this account won’t require verification.
【Domain List】: Enter the domains of the backend mail server, e.g., abc.com. Add multiple domains by newline. If NG-UTM receives a request to send an email to def.com, which is not in the domain list, NG-UTM rejects the email.
【Email Account】: Enter valid email accounts, one per line.
【Import】: Administrators can export email accounts from the mail host and import them into the system at once.
• Valid Email Configuration (No Authentication Needed)
If the backend mail host does not require SMTP authentication during SMTP sending, add the proxy domain and account here. Enter the domain name, and all accounts successfully reaching the backend mail host via the gateway will automatically be added to the valid accounts list.
【Enable】: Whether to enable the addition of valid accounts.
【Domain List】: Enter the domains of the backend mail server, e.g., abc.com. Add multiple domains by newline. If NG-UTM receives a request to send an email to def.com, which is not in the domain list, NG-UTM rejects the email.
【Email Account】: Enter valid email accounts, one per line.
【Import】: Administrators can export email accounts from the mail host and import them into the system at once.
• Valid Email Configuration (Exchange Server)
If the backend mail host is Microsoft Exchange Server, SMTP authentication is mandatory for SMTP sending. Account verification has two methods: manual import (with 【Sync Enable】 disabled) and automatic synchronization with the AD server (with 【Sync Enable】 enabled).
Manual import operates independently without integrating with Microsoft AD server. In this case, administrators need to add the proxy domain and account here. Enter the domain name, and all accounts successfully reaching the backend mail host via the gateway will automatically be added to the valid accounts list.
With the automatic synchronization option, NG-UTM synchronizes user accounts with the AD server to obtain the latest account data.
【Enable】: Whether to enable the addition of valid accounts.
【Sync Enable】: Below explains the settings for enabling and disabling.
· 【Sync Enable】 Disable
【Domain List】: Enter the domains of the backend mail server, e.g., abc.com. Add multiple domains by newline. If NG-UTM receives a request to send an email to def.com, which is not in the domain list, NG-UTM rejects the email.
【Email Account】: Enter valid email accounts, one per line.
【Import】: Administrators can export email accounts from the mail host and import them into the system at once.
· 【Sync Enable】 Enable
【Add Exchanger Server】: Enter the IP address, domain name, administrator account password, and select the group to join in the configuration window. Click and to verify the configured data or view Ms Exchange server connection test logs.
You can also set the synchronization cycle to obtain the latest account data from the AD server every few minutes.
• Valid List Settings
【Allow Non-Valid List Domains to Pass】: Whether to allow emails from domains not listed in the valid domain list. Default is off. Enabling allows any domain to send.
【Block Log】: Click to open a new window showing records of senders attempting to use the SMTP protocol, blocked by NG-UTM’s email filtering mechanism.
Note
Note 1: When the valid accounts feature is enabled, emails addressed to any account not listed in the “Email Account” field are immediately quarantined and deleted by the system. Therefore, set up the valid accounts list carefully before enabling this feature.
Note 2: Besides single-entry account creation, NG-UTM also provides a quick import method, allowing files to be saved as .txt or .csv files.
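The valid-account decisions described in this section (domain list, account list, learning, the non-listed-domain pass-through and the block log), modelled as a small policy object. This is an added example, not ShareTech’s code; it assumes that with 【Learning Enable】 on, an unlisted account in a listed domain is forwarded to the backend and learned once the backend accepts it, while with learning off it is rejected as Note 1 warns.

```python
# Added example (not ShareTech's code): the valid-account decisions the
# settings above describe. Interpretation assumed here: with Learning Enable
# on, an unlisted account in a listed domain is forwarded to the backend and
# learned when the backend accepts it; with learning off it is rejected.
from __future__ import annotations
from dataclasses import dataclass, field


def load_account_import(text: str) -> set[str]:
    """Parse a quick-import file (.txt or .csv): one address per line,
    comma-separated values are also accepted; blank entries are ignored."""
    accounts = set()
    for line in text.splitlines():
        for item in line.split(","):
            item = item.strip().lower()
            if item:
                accounts.add(item)
    return accounts


@dataclass
class ValidAccountPolicy:
    enabled: bool = True                   # [Enable]
    learning: bool = True                  # [Learning Enable]
    allow_unlisted_domains: bool = False   # [Allow Non-Valid List Domains to Pass]
    domains: set[str] = field(default_factory=set)   # [Domain List]
    accounts: set[str] = field(default_factory=set)  # [Email Account] plus learned ones
    block_log: list[str] = field(default_factory=list)  # [Block Log]

    def check_recipient(self, rcpt: str) -> tuple[bool, str]:
        """Decide whether a RCPT TO address may be forwarded to the backend."""
        rcpt = rcpt.strip().lower()
        if not self.enabled:
            return True, "valid-account check disabled"
        local, at, domain = rcpt.rpartition("@")
        if not (local and at and domain):
            return self._block(rcpt, "malformed address")
        if domain not in self.domains:
            if self.allow_unlisted_domains:
                return True, "domain not listed, pass-through allowed"
            return self._block(rcpt, f"domain {domain} not in domain list")
        if rcpt in self.accounts:
            return True, "listed valid account"
        if self.learning:
            return True, "unknown account, forward and learn on success"
        return self._block(rcpt, "account not in valid account list")

    def learn_on_success(self, rcpt: str) -> bool:
        """Call after the backend accepted delivery; adds the account when
        learning is on. Returns True if a new account was learned."""
        rcpt = rcpt.strip().lower()
        if self.learning and rcpt not in self.accounts:
            self.accounts.add(rcpt)
            return True
        return False

    def _block(self, rcpt: str, reason: str) -> tuple[bool, str]:
        self.block_log.append(f"{rcpt}: {reason}")
        return False, reason
```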
Greylist filtering primarily targets spam behaviors. Typically, when advertisers send promotional emails for the first time, if the recipient rejects it, the sender usually does not attempt a second send. Greylist filtering capitalizes on this by temporarily rejecting emails from unfamiliar senders on their first attempt.
Conventional mail servers typically retry sending emails multiple times after initial failure. Thus, Greylist filters accept emails on the second attempt, ensuring subsequent emails from the same sender are not blocked unless explicitly blacklisted or subjected to other filtering criteria.
Greylist Principle
The principle behind Greylist is straightforward, focusing solely on three email transmission conditions: sender’s source IP address, sender, and recipient.
When the Greylist system encounters these conditions for the first time, it temporarily rejects the email for a certain delay period (defaulting to 15 seconds). The sender receives an error message like the following:
450 <recipient>: Recipient address rejected: Greylisted, see
http://postgrey.schweikert.ch/help/sharetech.com.tw.html
For legitimate mail servers, error code 450 indicates a temporary rejection, prompting a retry later. In contrast, spam systems often employ tactics like send-and-forget, spoofing sender addresses, or IP rotation—all effectively countered by Greylist.
Conversely, once the same three conditions are seen again after the delay (retries are accepted for a retry period defaulting to 2 days), the email is accepted and the combination stays valid for a validity period (defaulting to 35 days). Receiving a further email during this period extends its validity.
Due to the initial delay caused by Greylist, legitimate emails may experience a slight delay in delivery, depending on the retry mechanism of the sender’s mail server. This may occasionally result in later emails arriving earlier than earlier ones, but this is confined to the initial communication.
The Greylist processing flow is illustrated in the following figure:
【Greylisting】: Enable or disable Greylist functionality. Default is off.
【Receiver Delay Time】: Time interval after initial SMTP connection rejection to accept a second SMTP transmission. Default is set to 15 seconds, configurable from 1 to 1000.
【Block Log】: Display log of Greylist blocking, including timestamp, sender IP address, sender, and recipient. When log file size exceeds 100K bytes, older data is automatically purged by NG-UTM.
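The greylisting logic described above, as an added example (not ShareTech’s code): the (source IP, sender, recipient) triplet is deferred with a 450 reply on first contact, accepted on a retry after the receiver delay, kept valid for 35 days with each accepted mail extending it, and logged to a block log capped at 100 KB. The timing constants are the page’s defaults; the log-line layout and the `now` parameter (so the flow can be replayed without waiting) are assumptions.

```python
# Added example (not ShareTech's code): greylisting on the (source IP, sender,
# recipient) triplet with the page's defaults: 15 s receiver delay, retries
# accepted for 2 days, and a 35-day validity that every accepted mail extends.
# The block log is capped at 100 KB by dropping the oldest lines, as described.
from __future__ import annotations
import time
from dataclasses import dataclass

LOG_LIMIT_BYTES = 100 * 1024


@dataclass
class Triplet:
    first_seen: float
    last_seen: float
    passed: bool = False


class Greylist:
    def __init__(self, delay=15, retry_window=2 * 86400, max_age=35 * 86400):
        self.delay, self.retry_window, self.max_age = delay, retry_window, max_age
        self.db: dict[tuple, Triplet] = {}
        self.block_log: list[str] = []   # timestamp, sender IP, sender, recipient

    def check(self, ip: str, sender: str, rcpt: str, now: float | None = None):
        """Return the SMTP reply (code, text) for one RCPT TO attempt."""
        now = time.time() if now is None else now
        key = (ip, sender.lower(), rcpt.lower())
        entry = self.db.get(key)
        if entry is None:
            return self._defer(key, now, "first contact")
        if entry.passed:
            if now - entry.last_seen > self.max_age:
                return self._defer(key, now, "validity expired")
            entry.last_seen = now           # receiving mail extends validity
            return 250, "2.1.5 Ok"
        age = now - entry.first_seen
        if age < self.delay:
            return self._reject(key, now, "retried before delay elapsed")
        if age > self.retry_window:
            return self._defer(key, now, "retry period elapsed, restarting")
        entry.passed = True                 # retry after the delay: accept
        entry.last_seen = now
        return 250, "2.1.5 Ok"

    def _defer(self, key, now, why):
        """Start (or restart) the delay for this triplet and reject it."""
        self.db[key] = Triplet(first_seen=now, last_seen=now)
        return self._reject(key, now, why)

    def _reject(self, key, now, why):
        ip, sender, rcpt = key
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
        self._log(f"{stamp} {ip} {sender} {rcpt} {why}")
        return 450, f"4.2.0 <{rcpt}>: Recipient address rejected: Greylisted"

    def _log(self, line: str):
        self.block_log.append(line)
        # purge oldest records once the log exceeds 100 KB
        while sum(len(l) + 1 for l in self.block_log) > LOG_LIMIT_BYTES:
            self.block_log.pop(0)
```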
• IP Reverse Solution Settings
For an IP address, there are two kinds of DNS lookup: forward and reverse. A forward lookup resolves a domain name to an IP address, e.g., www.yourdomain.com resolves to 211.22.160.28. A reverse lookup translates an IP address back to a domain name, e.g., 211.22.160.28 reverses to www.yourdomain.com.
【IP Reverse Solution Authentication】: Defaulted to off, indicating no IP reverse lookup validation performed.
【No pass validation approach】: When NG-UTM fails to find a corresponding domain name via IP reverse lookup (common with mail servers sending EDM without IP reverse lookup), administrators can choose from the following three methods to handle such emails:
1. Direct Deletion: Treated as spam and deleted.
2. Direct Isolation: Potentially spam, initially isolated.
3. Increase Spam Score: Boosts the email’s spam score for evaluation; default increase is 5 points, configurable from 1 to 20 points.
• Common Settings
To prevent client emails from being blocked by Greylist, enterprise user domains or IPs can be added to a trusted list. Configure IP addresses or ranges exempt from Greylist or IP reverse lookup. Data can be preserved or restored using import/export mechanisms, formatted with each entry on a new line:
Unaware of the increasingly sophisticated techniques used in spam email delivery, email servers/users often find themselves unwittingly compromised—account credentials leaked or systems breached—becoming unwitting conduits for spam operators. By the time such incidents are noticed, a backlog of emails awaiting delivery has accumulated, preventing legitimate emails from being sent.
Traditional firewalls, UTMs, and even IPSs lack the capability to block such behavior, as from a network perspective, these actions are typically allowed by administrators. It is usually the responsibility of ISP operators to identify and block external IPs or sluggish email servers, prompting investigation into log records to pinpoint the compromised device.
NG-UTM leverages advanced detection and blocking capabilities for abnormal email sending behaviors, promptly blocking any identified relay activity.
• Auth Unusual
Rapid consecutive failures from the same source IP address within a short timeframe indicate potential malicious attempts, such as password guessing, and are flagged as abnormal.
【User Authentication abnormal situation】: Enable blocking for abnormal authentication attempts, defaulting to off.
【Auth Unusual Set Rule】: Configure criteria to identify abnormal behavior. Default is 10 failed authentication attempts from the same source IP address within 120 seconds. Upon meeting this condition, NG-UTM identifies the sender or sender’s IP as potentially engaging in password attacks and initiates specified defensive actions.
• Traffic Blocking
Upon triggering blocking conditions, NG-UTM offers two mechanisms based on sender accounts or sender IP addresses for blocking.
1. Based on Sender Blocking
【Block by sender】: Enable blocking for abnormal sender traffic, defaulting to off.
【IP Range】: With 【Based on Sender Blocking】 enabled, specify sender source IP addresses for inspection, one per line.
【Trusted sender】: With 【Based on Sender Blocking】 enabled, exempt senders listed here from sender inspection; other senders remain checked, akin to sender whitelisting.
【Trusted Sender Domain】: With 【Based on Sender Blocking】 enabled, exempt domains listed here from sender inspection; other domains remain checked, akin to domain whitelisting.
2. Based on IP Address Blocking
【Block by IP】: Enable IP address blocking for abnormal sender traffic, defaulting to off.
【Sender and IP rules】: With 【Based on IP Blocking】 enabled, if the system detects more than the specified count within 100 seconds from the same source IP address, NG-UTM identifies this sender IP address as non-standard for sending emails and initiates specified defensive actions.
• Generic Settings
Configure blocking duration, exception IP lists, and blocking defense logs for sources identified under abnormal system detection rules, with options for import/export of exception lists.
【Block Each Time】: Duration for blocking IP addresses or senders when triggering abnormal authentication or traffic blocking, defaulting to 600 seconds.
【Trusted IP List】: Whitelist of IP addresses exempt from blocking.
【Import】: Import/export functionality for IP address exception lists.
Click to view detailed blocking records and statuses, including date/time, sender IP address, sender, and block type.
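The abnormal-authentication rule (10 failures from one source IP within 120 seconds), the traffic-blocking rules by sender and by IP (counted within 100 seconds), the trusted lists and the 600-second block, implemented as a sliding-window detector over constructed log lines. This is an added example, not ShareTech’s code; the log-line format is constructed, and because the page does not state the per-window message count for traffic blocking, a limit of 30 is assumed.

```python
# Added example (not ShareTech's code): the Auth Unusual and Traffic Blocking
# rules above as a sliding-window detector. Page defaults are used where given
# (10 failures / 120 s, traffic window 100 s, block 600 s); the per-window
# message limit is not stated on the page and is assumed to be 30.
from __future__ import annotations
from collections import defaultdict, deque
import re

# Constructed log-line format: "HH:MM:SS AUTH_FAIL ip=A.B.C.D" or
# "HH:MM:SS MAIL ip=A.B.C.D from=user@domain"
LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) (AUTH_FAIL|MAIL) ip=(\S+)(?: from=(\S+))?")


def parse_line(line: str):
    """Parse one constructed log line into (seconds, event, ip, sender)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, event, ip, sender = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), event, ip, sender


class SmtpGuard:
    def __init__(self, auth_fails=10, auth_window=120, send_limit=30, send_window=100,
                 block_seconds=600, trusted_ips=(), trusted_senders=(), trusted_domains=()):
        self.auth_fails, self.auth_window = auth_fails, auth_window
        self.send_limit, self.send_window = send_limit, send_window
        self.block_seconds = block_seconds
        self.trusted_ips = set(trusted_ips)                      # [Trusted IP List]
        self.trusted_senders = {s.lower() for s in trusted_senders}   # [Trusted sender]
        self.trusted_domains = {d.lower() for d in trusted_domains}   # [Trusted Sender Domain]
        self.events: dict[tuple, deque] = defaultdict(deque)   # key -> event times
        self.blocked: dict[tuple, int] = {}                     # key -> block expiry
        self.block_log: list[tuple] = []                        # (time, key, block type)

    def is_blocked(self, kind: str, value: str, now: int) -> bool:
        """kind is 'ip' or 'sender'; expired blocks are released on lookup."""
        key = (kind, value.lower())
        expiry = self.blocked.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[key]
            return False
        return True

    def _hit(self, key, now, limit, window, block_type):
        q = self.events[key]
        q.append(now)
        while q and now - q[0] > window:   # keep only events inside the window
            q.popleft()
        if len(q) >= limit and key not in self.blocked:
            self.blocked[key] = now + self.block_seconds   # [Block Each Time]
            self.block_log.append((now, key, block_type))
            q.clear()

    def feed(self, line: str) -> None:
        parsed = parse_line(line)
        if not parsed:
            return
        now, event, ip, sender = parsed
        if ip in self.trusted_ips:
            return
        if event == "AUTH_FAIL":
            self._hit(("ip", ip), now, self.auth_fails, self.auth_window, "auth")
        elif event == "MAIL":
            self._hit(("ip", ip), now, self.send_limit, self.send_window, "traffic-ip")
            if sender:
                sender = sender.lower()
                domain = sender.rpartition("@")[2]
                if sender not in self.trusted_senders and domain not in self.trusted_domains:
                    self._hit(("sender", sender), now, self.send_limit,
                              self.send_window, "traffic-sender")
```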
SMTP IP blocking differs from traffic IP blocking defense mechanisms.
Traffic IP blocking primarily safeguards against the misuse of sender accounts for large-scale email sending after SMTP communication is complete.
However, prior to SMTP communication, hackers flood email servers with numerous SMTP requests and then ignore them, aiming to incapacitate the email server; this scenario is handled by SMTP IP blocking.
【Enable】: Enable abnormal SMTP blocking mechanism, defaulting to enabled.
【Blocking IP】: IPs currently blocked due to abnormal activity will remain blocked for 600 seconds; here, you can view currently blocked IPs and remaining blocking times.
Current certificate basic information for email management.
• SSL Certificate Settings
【Certificate Time】: Time when the current email management root certificate was generated.
【Download SSL Certificate】: Download the email management root certificate to the administrator’s computer.
Any modifications to the SSL root certificate content require regeneration and download by clicking 【Regenerate Certificate】, which will prompt a dialog box.
【Regenerate Certificate】: Renewal period for the certificate, selectable as 1 month, 2 months, 3 months, 6 months, 1 year, 5 years, 10 years.
• Import SSL Certificate
In addition to self-signed server certificates, certificates obtained from external certificate authorities can be imported; the import comprises the server certificate and intermediate certificates only.
Email viruses are challenging to defend against. For network administrators familiar with virus operation principles, encountering problematic emails—such as those with special images, hyperlinks, *.exe files, etc.—typically results in cautious avoidance of clicking to prevent virus infection.
However, for most users, distinguishing between problematic executable files and hyperlinks in emails is difficult. They may click or execute these elements only to discover issues afterward. In such cases, reliance on antivirus software installed on their computers becomes necessary. If even this fails to fend off viruses, administrators must be sought for assistance.
NG-UTM’s antivirus feature aims to prevent the above scenarios. Upon entry into NG-UTM devices, problematic emails are filtered or deleted using internal virus filtering engines, avoiding delivery to user mailboxes and thereby reducing the risk of virus infiltration.
Enabling email virus scanning consumes hardware resources like CPU and RAM. If a dedicated email gateway with antivirus capabilities akin to an antivirus wall is already established in the network environment, this feature can be disabled.
NG-UTM currently integrates ClamAV and optionally offers Kaspersky antivirus engines. Emails identified as infected are categorized under the “Virus Mail Quarantine Zone,” where administrators can review isolated emails and search for specific ones based on criteria.
When the virus scanning engine detects infected emails, NG-UTM can modify the file names and email subjects to alert recipients to handle these emails with caution.
• Basic Setting
【Sandstorm】: Based on whether Sandstorm (see 6-6. Sandstorm) is activated.
If the system detects phishing URLs or malicious attachments in email content, it processes the email according to settings in 10-3-6. Link Filter.
【Anti-Virus】: Enable the email virus scanning feature.
【Virus Engine】: Select the virus scanning engine.
If Kaspersky engine is not enabled in 6-5. Virus Engine, only ClamAV will be available here.
【Exclude File】: Establish file names not to be scanned (e.g., jpg, gif) to enhance email processing speed. Enter one file extension per line.
When NG-UTM parses received emails, if an attached file’s extension matches this setting, the virus scanning system skips this virus checking process and proceeds to the next email processing step.
【Max Scan File Size (KB)】: Virus scanning engine will not scan emails with attachments exceeding this specified file size.
• Actions on Infected Emails
NG-UTM’s actions for infected emails:
【Move to Quarantine】: When checked, recipients will not receive the infected email, and the system will place the email into the “Virus Mail Quarantine Zone.”
Default is off, indicating recipients will receive a notification email for infected emails, with customizable attachment filenames and subject.
【Rename Infected Mail Attachment】: Rename infected email attachments to this specified name (e.g., virus), preventing inadvertent execution by recipients.
【Insert Mail Subject】: Change the subject of infected emails to alert recipients (e.g., change subject to “Email Infected”).
The proliferation of spam emails not only reduces work efficiency but also raises concerns about network security due to viruses and trojan emails. Therefore, preventing spam emails has become an essential feature of email systems.
NG-UTM includes built-in spam filtering functionality, ensuring users do not receive a deluge of junk mail. This eliminates the need to sift through a pile of useless emails to find important messages, thereby boosting work efficiency and ensuring no missed business communications.
The mechanism for determining spam emails is designed to minimize false positives, where legitimate emails are mistakenly identified as spam. Users can configure methods to retrieve such emails and specify whether actions should be performed by administrators or individual users.
Within a specified time frame, NG-UTM sends a personalized spam notification email to users. If a user believes an email has been incorrectly classified, they can directly download the flagged file.
• Example of Spam Scores
NG-UTM calculates a comprehensive judgment score based on the entire email’s behavior. Typical scores for spam emails are as follows:
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
2.2 HTML_IMAGE_ONLY_02 BODY: HTML: images with 0-200 bytes of words
0.7 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
1.9 MIME_HEADER_CTYPE_ONLY Content-Type found without required MIME headers
1.6 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
In the spam characteristics, ET_XXX represents unique features from ShareTech, such as ET_361_BAD_IP_PROXY, which enhance detection accuracy.
Different scores are assigned based on email behavior. For instance, if a recipient receives an email containing only a hyperlink without any other explanatory text, it is likely attempting to lure the recipient to click on a specific website, indicating a significant possibility of spam. In the example above, it would be assigned a score of 0.1.
The cumulative score of these behavior judgments determines the spam score of the email. A higher score indicates a higher likelihood of the email being spam.
In the example provided, the cumulative score is 0.1 + 0.0 + 2.2 + 0.7 + 1.9 + 1.6 + 1 = 7.5. Based on administrator settings, 7.5 would be evaluated to determine if the email should be classified as spam.
Detailed Configuration of Spam Filtering by Administrator
Administrators can set up the spam filtering mechanism in detail here. If you don’t know how to adjust it at first, you can use the default values first, and then adjust the detailed functions according to the user’s feedback.
Status: Indicates the current operation status of NG-UTM’s spam filtering mechanism, either “Normal operation” or “Stopped operation”. When network connectivity is unavailable, it displays “Stopped operation”.
Spam Mail Filter: Specify whether the spam filtering function is enabled or disabled.
Spam Filter after SMTP Authentication: When enabled, emails sent by users authenticated via SMTP are not subjected to spam filtering. This is because authenticated users are less likely to send spam.
Note
If this option is disabled and the SMTP credentials of an email account are compromised, it may lead to mass spamming. Therefore, administrators must evaluate the strength of the email server’s password before deciding to enable or disable this function.
Maximum Scanned File Size: Default value is 512 Kbytes. Emails larger than this size will not be scanned by the spam filtering mechanism.
DNS Servers: Allows defining DNS servers for use, either automatically fetched (refer to local system settings > basic settings > DNS resolution settings) or custom (defined separately from local settings).
Spam Learning Share: When enabled, emails in the gray area between normal and spam are sent to a cloud-based spam learning mechanism. By leveraging big data learning, the feature automatically downloads learned feature values to NG-UTM, lowering scores for legitimate emails and raising scores for spam in subsequent comparisons.
Configuration and Status of Spam Identification Engine
NG-UTM offers a total of 3 identification mechanisms for spam filtering, which administrators can choose to enable. The ST-IP network reputation mechanism requires updates from sites providing SPAM-IP address filtering and requires functional internet connectivity to operate.
Emails from servers using dynamic IP addresses often have a high spam rate. The scanning engine requires active network connectivity, so ensure external network connectivity is operational before enabling. Default setting is enabled.
IP Rating: Query blacklist databases for the IP addresses used by sending mail servers. Emails from blacklisted databases increase the spam score.
Bayesian Filter: Score emails based on Bayesian database rules, assessing the probability of an email being spam. By default, this is enabled.
Bayesian Filter and Auto-Learning Mechanism: Enables automatic learning for the Bayesian filtering mechanism in spam filtering. Enhances accuracy through user feedback. Default setting is enabled.
NG-UTM determines how emails identified as spam are handled based on their spam score. Administrators can adjust the score based on operational needs. Initially, setting a slightly higher score, such as 7-8 points, allows adjustment based on user feedback or operational mailbox conditions to fine-tune the spam judgment score.
Four methods are available for handling spam emails, each with adjustable spam score settings, enabling administrators to choose activation as per their needs:
1. Data Analysis Only
After performing spam analysis, NG-UTM securely passes the email to the backend mail server without modifying the email title or placing it in isolation. Beyond providing email statistics to the Dashboard, this feature also protects the backend firewall from spam attacks or tests.
Score Greater Than: Emails scoring above this threshold are statistically categorized as spam.
2. Subject Append with Text Before Sending to User
When identified as spam, NG-UTM appends text to the email subject before sending it to the recipient.
Spam Score Greater Than: Emails scoring above this threshold are categorized as spam and subject to the action of appending text before sending.
Text for Spam Email Subject: Sets the text to append to the subject of spam emails. Default is “Spam-Mail”; any text can be input, including blank.
Note
Leaving the spam email subject text blank does not affect the recipient’s email content. However, emails classified as spam are logged in the “Traffic Statistics” log, aiding administrators in analyzing misclassification rates and adjusting the spam judgment mechanism for improved accuracy.
3. Quarantined and Send Notice
Identified as spam, NG-UTM places the email in quarantine instead of forwarding it to the mail server. It periodically sends a list of quarantined spam emails to users, indicating which emails are isolated. Users can retrieve these emails by clicking the retrieve button.
Spam emails remain in quarantine for 7 days; emails not retrieved within this period are deleted.
Spam Score Greater Than: Emails scoring above this threshold are categorized as spam and subject to the action of placing them in quarantine and sending the list.
4. Direct Deletion
Identified as spam, NG-UTM places the email directly in the delete area instead of forwarding it to the mail server. Emails in the delete area are not notified to users; only administrators can access and retrieve emails from the delete area.
Spam emails remain in the delete area for 7 days; emails not retrieved within this period are deleted.
Spam Score Greater Than: Emails scoring above this threshold are categorized as spam and subject to the action of direct deletion.
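Score accumulation and the four handling methods above, as an added example (not ShareTech’s code). The first six rule hits are the page’s own example; the seventh (an ET_ rule scored 1.0) is constructed so the total reaches the page’s 7.5, and the failed-reverse-lookup penalty of 5 points from the IP reverse lookup settings is included as an option. The threshold values in `SpamPolicy`, the rule name `ET_EXAMPLE_RULE` and placing the subject text before the original subject are assumptions.

```python
# Added example (not ShareTech's code): spam score accumulation and the four
# "Spam Score Greater Than" handling methods described above. The thresholds,
# the seventh rule hit and the subject-text placement are assumptions.
from __future__ import annotations
from dataclasses import dataclass

# The page's six rule hits plus one constructed ET_ rule (ShareTech-specific
# rules are named ET_XXX) worth 1.0, so the total matches the page's 7.5.
RULE_HITS = [
    (0.1, "MIME_HTML_ONLY", "BODY: Message only has text/html MIME parts"),
    (0.0, "HTML_MESSAGE", "BODY: HTML included in message"),
    (2.2, "HTML_IMAGE_ONLY_02", "BODY: HTML: images with 0-200 bytes of words"),
    (0.7, "MIME_HTML_NO_CHARSET", "RAW: Message text in HTML without charset"),
    (1.9, "MIME_HEADER_CTYPE_ONLY", "Content-Type found without required MIME headers"),
    (1.6, "FORGED_MUA_OUTLOOK", "Forged mail pretending to be from MS Outlook"),
    (1.0, "ET_EXAMPLE_RULE", "constructed ET_ rule hit (assumed)"),
]


def total_score(hits, rdns_failed: bool = False, rdns_penalty: float = 5.0) -> float:
    """Sum the per-rule scores. A failed IP reverse lookup adds the configured
    penalty when 'Increase Spam Score' is the chosen handling (default 5)."""
    score = sum(s for s, _, _ in hits)
    if rdns_failed:
        score += rdns_penalty
    return round(score, 2)


@dataclass
class SpamPolicy:
    """Each method has its own 'Score Greater Than' threshold; None disables it."""
    analysis_only: float | None = 5.0     # 1. Data Analysis Only (statistics)
    tag_subject: float | None = 6.0       # 2. Subject Append with Text
    quarantine: float | None = 7.0        # 3. Quarantined and Send Notice
    delete: float | None = 12.0           # 4. Direct Deletion
    subject_text: str = "Spam-Mail"       # may be blank


def handle(score: float, subject: str, policy: SpamPolicy) -> tuple[str, str]:
    """Apply the most severe enabled method whose threshold the score exceeds.
    Returns (action, subject as delivered)."""
    if policy.delete is not None and score > policy.delete:
        return "delete", subject                       # delete area, admin only
    if policy.quarantine is not None and score > policy.quarantine:
        return "quarantine", subject                   # held, user gets a list
    if policy.tag_subject is not None and score > policy.tag_subject:
        tagged = f"{policy.subject_text} {subject}".strip() if policy.subject_text else subject
        return "deliver-tagged", tagged                # forwarded with marked subject
    if policy.analysis_only is not None and score > policy.analysis_only:
        return "deliver-counted", subject              # forwarded, counted as spam
    return "deliver", subject
```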
Emails filtered to the delete area due to spam detection require administrator intervention for retrieval. Similarly, emails isolated in the quarantine area may necessitate administrator assistance for retrieval, particularly if users need to access spam emails from several days ago.
To streamline this process, administrators can enable users to access a spam email search system via a web interface. By appending /spam.php to the NG-UTM management interface IP address, users can log in using their email account and password to search and retrieve emails.
Allow Client to Use Mail Searching Interface: Specify whether users can log in to the spam email search system. Default is disabled. When enabled, authentication mechanisms must be configured under “Client Email Searching Web Interface - Server Login Settings” below.
Include Domain in Login Account: Determines whether users must input their full email address for login. If enabled, users need to enter their complete email address (e.g., jean@abc.com). If disabled, entering just “jean” automatically appends the first domain name.
Temporary IP Block After Failed Logins More Than: Specify how many failed login attempts trigger temporary blocking of the IP address attempting to access the spam email search system.
IP Unblock Period: Set the period after which temporarily blocked IP addresses are automatically unblocked. Default is 0, indicating no automatic unblocking of IP addresses.
Unblocked IP: Lists the IP addresses that were blocked for exceeding the failed login limit. Administrators can manually unblock IP addresses from this list.
Client Email Search Web Interface - Server Login Settings
Because NG-UTM itself does not have email server account passwords, users need a set of credentials when logging in. This set of credentials can be set to match those of the original email server.
Click to add a new set of server login settings:
【Domain】: The domain name of the email server.
【Server Address】: The IP address of the email server.
【Log in with Domain】: Whether to automatically add the domain name for users. For example, if the email account is jean@abc.com, enabling this feature allows users to log in with just ‘jean’ and their password. If disabled, users must enter jean@abc.com and their password.
【Protocol】: Choose POP3 or IMAP protocol to communicate with the backend email server.
【Security】: Select the protocol (Normal, TLS, or SSL) used for secure communication with the backend email server.
【Port】: TCP port number; POP3 is 110 and IMAP is 143. If using TLS/SSL, POP3S is 995, IMAPS is 993, and IMAP with TLS (STARTTLS) also uses 143. Different protocols use different port numbers.
【Certificates】: Whether to ignore certificate warnings. Since SSL certificates used for communication are not from trusted certificate authorities, warnings may appear. It is recommended to ignore these warnings.
After configuration, click 【Link Test】 to verify if the settings are functioning correctly.
• Accessing Client Spam Search Web Interface
To access the client spam email search system, append /spam.php to the NG-UTM management interface IP address. For example, if the NG-UTM management interface address is https://192.168.1.1,
After enabling “Mail> Anti-Spam > Spam Settings > Actions for Spam Mail” with either 【Quarantine and Send List】 or 【Direct Deletion】,
emails can be viewed in the isolation or delete area under , .
In the Quarantine Area, search criteria for emails mistakenly identified as spam include:
【Received Date】: Time when the spam email entered the isolation area, specified as a time range.
【Sender IP】: IP address of the sender.
【Sender】: Identity of the sender of the spam email.
【Email Size KB】: File size of the spam email.
【Recipient】: Recipient of the spam email.
【Spam Score】: Range of the spam email’s score.
【Virus】: Whether the spam email contains a virus.
【Email Subject】: Subject of the spam email.
If emails determined to be spam by NG-UTM are placed in the isolation area and spam notification is enabled, recipients receive a periodic list of spam emails, as shown in the example below.
Recipients can click the button on the right to retrieve mistakenly identified spam emails or add the sender to their personal black or whitelist.
If emails identified as spam by NG-UTM are placed in the delete area by the administrator, no spam notification is sent to recipients.
Only administrators can access the delete area; when administrators find mistakenly identified emails in the delete area, they can release them to the original email recipients. Search criteria for the delete area include:
【Received Date】: Time when the spam email entered the delete area, specified as a time range.
【Sender IP】: IP address of the sender.
【Sender】: Identity of the sender of the spam email.
When an email is identified as spam by NG-UTM, administrators can choose to place it in the quarantine area and decide whether to send a spam notification list to users. If this feature is enabled, NG-UTM will periodically send spam notification emails to the recipient of the email based on the configured “Transmission Time”. Users can retrieve emails they believe are not spam. If this feature is not enabled, emails classified as spam and placed in the quarantine area can only be retrieved by administrators.
• Notification Setting
The notification email language can be set to English, Traditional Chinese, or Simplified Chinese.
• User Spam List Transmission Settings
Before creating the user spam list transmission, go to “Configuration > Notification > 2-6-3. SMTP Server” to complete the relevant settings so that NG-UTM can send emails to the mail server accounts. The settings for user spam list transmission are as follows:
【Spam Notice】: Enable or disable this feature.
【Send Time】: Select the hour at which the spam list is sent; any hour from 1 to 24 can be selected.
You can also click the “Delivery” button to immediately send the current spam emails in the quarantine area as a list.
【Notice Subject】: Set the subject of the spam list, e.g., Spam Notification.
【Users not receive the Notice】: Enter the complete accounts that should not receive the spam list, one per line.
You can also switch to “Send Spam List to” to indicate which accounts will receive the list.
Note 1. The spam list received by users is automatically generated by the system with the sender account as “root”. However, administrators can define the sender’s IP address in Configuration > Notification > 2-6-3. SMTP Server, typically set to the external IP address of the mail server or a domain name (e.g., mail.yourdomain.com).
Note 2. If there are many user accounts, each with many spam emails in quarantine, it can overload the mail server during the creation and sending of the spam list. Therefore, shortening the interval for sending the list can distribute the load evenly.
• Administrator Spam Notice Settings
Before creating the spam list transmission, go to “2-6-3. SMTP Server” to complete the relevant settings so that NG-UTM can send emails to the mail server accounts.
【Administrator Spam Notice】: Enable or disable this feature.
【Send Time】: Select the hour at which the spam list is sent; any hour from 1 to 24 can be selected.
You can also click the “Delivery” button to immediately send the current spam emails in the quarantine area as a list.
【Receiver Account List】: Enter the complete accounts that will receive the spam list, one per line.
【Notice Subject】: Set the subject of the spam list, e.g., Spam Notification.
When the spam learning mechanism is enabled, the mail server periodically imports emails from blacklisted and whitelisted learning accounts into the spam learning database. The system will automatically judge subsequent emails based on this learning mechanism.
【Auto Learning】: Enable or disable automatic spam learning.
【Learning every … Hour】: Default is every 12 hours, with a range of 1 to 24 hours.
You can also click “Learning” to import emails from blacklisted and whitelisted learning accounts into the spam learning database.
【Blacklist Learning】: All emails sent to this mailbox classified as blacklisted will have their content characteristics learned by the database. The next time NG-UTM receives an email from the same sender, it will be directly classified as spam.
You can choose a file and click “Import” to upload the blacklist learning account file. The file size should not exceed 64 MB.
Clicking “Record” will display all learning records of blacklisted learning accounts imported into the spam learning database, including the total number of learning records, dates, etc.
【Whitelist Learning】: All emails sent to this mailbox classified as whitelisted will have their content characteristics learned by the database. The next time NG-UTM receives an email from the same sender, it will not be classified as spam.
You can choose a file and click “Import” to upload the whitelist learning account file. The file size should not exceed 64 MB.
Clicking “Learning Records” will display all learning records of whitelisted learning accounts imported into the spam learning database, including the total number of learning records, dates, etc.
【Clear Spam Learning Database】: Clear all learning records.
【Spam Learning Database】: Import or export the spam learning database. The file size should not exceed 64 MB.
NG-UTM supports creating two types of blacklists and whitelists: personal and system. Personal blacklists and whitelists have higher priority than system ones. Both types of blacklist and whitelist databases can be exported and imported by administrators.
• Import/Export Personal Blacklist and Whitelist
Upload a text file with one entry per line in the format “email account,blacklist,whitelist”, explained below:
Administrators can regularly export personal blacklists and whitelists to establish backups.
• Add Personal Blacklist and Whitelist
Click below the personal blacklist and whitelist list:
【Account】: Enter the complete account.
【Blacklist】: Enter the blacklist account, one per line.
【Custom Personal Blacklist Handling (Receive Only)】: Set the handling method for emails sent from blacklisted accounts.
· Add text to subject and forward to recipient: The text added to the subject is distinct from the text added by the system’s spam judgment mechanism, so users can tell which rule classified the email as spam.
· Directly delete.
【Whitelist】: Enter the whitelist account, one per line.
【Comment】: Add comments for easy identification in the list.
After creating each blacklist and whitelist entry, administrators can view detailed information in the personal blacklist and whitelist list and perform editing or deletion.
Apart from general feature matching, NG-UTM can also compare email content for malicious URLs against its built-in “Content Link Filtering Database”.
If a malicious URL is detected, administrators can configure actions for these types of emails.
There are three data sources for comparison: custom black- and whitelists, URL database, and Sandstorm database.
Custom black- and whitelists and URL databases can only check for inappropriate URLs within the email content,
while Sandstorm not only checks URLs but also examines attachments for malicious trojans.
【Update Time】: Last update time of the built-in malicious URL database. Click 【Update Now】 to update immediately.
【Version】: Current version of the Content Link Filtering Database.
【Link Filter】: Enable/disable the content link filtering mechanism.
【Link Filter Custom Whitelist】: Input domains or IP addresses.
【Link Filter Custom Blacklist】: Input domains or IP addresses.
【Link Options】: Currently, there are 16 categories in the URL database (number in parentheses represents the count).
【Link Filter Test】: Click to open a new page, enter a URL, and confirm if it exists in the system’s content link filtering database.
【Sandstorm】: Enable/disable Sandstorm malicious trojan detection in email content matching. Default is for medium to high-risk URLs and attachment recognition.
Enter URLs in 【URL Test】 to check if they are already in the database.
【Link Filter Deal with】: After detection, how the email should be handled.
Note: For “Internal Mail Server to External Receive” emails, only increasing the spam score is possible; deletion and quarantining are not directly applicable.
· Delete directly: Immediately delete the email.
· Move to Spam Quarantine: Place the email directly in quarantine without forwarding to users.
· Increase spam score: Increase the spam score and further handling is based on the total spam score.
Security vulnerabilities arising from the use of email in network operations are an integral concern for enterprises.
ShareTech provides a solution for network and email auditing, enabling real-time comprehensive logging of external emails within the enterprise (including outbound emails).
It offers efficient alerting and analysis and generates management audit reports, so that executives can promptly grasp employee email behaviors such as accidental deletion, misuse, and leakage.
This strikes an effective balance between “management,” “efficiency,” and “security.”
Through NG-UTM, conduct auditing actions based on email characteristics to effectively control incoming and outgoing emails.
Email auditing functionality distinguishes NG-UTM from other UTMs by auditing and filtering the content of emails passing through NG-UTM, executing subsequent steps according to pre-defined processing methods.
Specify the conditions for auditing with this filter. Leaving a field blank excludes it from logical judgment.
Filter Composition: Choose whether all configured fields must match (“ALL”) or if any one field can match (“ANY”).
Sender Including: Specify sender accounts to filter. This includes not only internal domain accounts but also external mailboxes sending emails to internal domains.
Receiver Including: Specify recipient accounts to filter. This includes not only internal domain accounts but also internal domains sending emails to external mailboxes.
Source IP from: Enter IP addresses from which all sent emails will match the filter conditions.
For example, entering “192.168.1” represents IP addresses ranging from 192.168.1.0 to 192.168.1.255.
Header Including: Enter the email header content to filter.
Email Subject Including: Enter the email subject to filter. Any outbound or inbound email with this specified subject will match the filter rule.
For example, entering “quotation” will match subjects like “news quotation data” or “quotation submission”.
Email Content Including: Enter email content to filter. Matches if the body of the email contains these specified words. Email content refers to the text body of the email, excluding attachments.
Email Size Is Larger Than: Emails larger than this specified size in bytes (including attachments) will match the filter conditions. Typically, email size refers to the size of the entire email in its original format.
Email Attachment Filename Including: Enter the filename of email attachments to filter. Matches if the attachment filename contains this specified text.
For example, entering “quotation” will match if an attachment is named “2008 latest quotation.doc”.
Personal Information Filter: Optionally select personal data filtering in email subject/content/attachment filename and assign weights to each item.
• Additional Settings Explanation:
1. Conditions marked with “*” accept the following specially defined words:
“!” indicates “NOT”, “null” indicates “EMPTY”, and the wildcard characters “?” and “*” are supported.
Multiple conditions in the same field can be separated by commas (,), indicating “OR”; to require all conditions in a field to match, check “ALL”.
The default matching mode is fuzzy matching; a value starting with “*” indicates exact matching.
For example:
In the subject field, entering “null” means the email has no subject text.
Entering “!192.168.1.” in sender IP means sender IP is not between 192.168.1.0 and 192.168.1.255.
2. Select “AND” for Condition Combination Method:
Filter activates only when all configured conditions match. For example:
Set “sender contains” as “@yourdomain.com” and “subject contains” as “quotation,” with other fields empty;
this means any account from yourdomain.com sending an email with “quotation” in the subject will match the filter.
3. Select “OR” for Condition Combination Method:
Filter activates if any configured condition matches. For example:
Set “sender contains” as “@yourdomain.com” and “subject contains” as “quotation,” with other fields empty;
this means any account from yourdomain.com sending an email or any email with “quotation” in the subject will match the filter.
4. Reverse:
Indicates the opposite meaning to the set value. For example, inputting “jean@abcd.com” in “sender contains” and selecting reverse means only emails not from jean@abcd.com match the condition.
Spam: Two spam filtering actions for emails that match filter conditions: adjust spam score and do not perform spam filtering.
· Adjust Spam Score:
NG-UTM converts overall email behavior into a comprehensive judgment score, with higher scores indicating more likely spam. Refer to Section 10-3. Anti-Spam for details on spam score adjustments.
For emails matching filter conditions, adjust their spam score accordingly.
For example, to increase the spam score by 50 for emails containing “pornography” in the content, enter “50”; to decrease it by 50, enter “-50”.
· Do Not Perform Spam Filtering:
For specific recipients within the internal domain who do not want email servers to perform spam filtering on their behalf, enter their account in “recipient contains” and check this option.
· Direct Isolation:
Emails matching filter conditions are directly isolated in the “Audit Filter Isolation Area.”
Administrators can manage these isolated emails in the Audit Filter Isolation Area. For example, with “quotation” set in the subject condition, any email an internal user sends externally with “quotation” in the subject is directly isolated.
Senders do not receive a list of isolated emails, only administrators can manage these directly isolated emails.
· Direct Deletion:
Directly delete emails that match filter conditions.
When selected, system automatically deletes attachments of emails matching this filter condition.
· Carbon Copy:
For emails matching filter conditions, forward this email to specific accounts. Includes emails sent from external to internal, internal to internal, and internal to external, along with their attachments.
· Notification Function:
Sends a notification email to specific recipients if emails matching filter conditions are detected (does not forward the matched email).
Administrators can configure the subject of notification email, recipients of notification email, and whether to notify the sender.
· Stop to Match Next:
As email server filters operate sequentially, without checking this option, emails pass through every configured filter rule.
If there are 10 rules, and the 5th filter rule matches with “stop processing additional rules” checked, the email will only be matched against this rule and will not proceed to check the other 5 rules.
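The condition syntax and sequential rule handling described above, as an added example that is not ShareTech's code: a small evaluator that applies the “!”, “null”, wildcard, comma-OR/ALL, fuzzy-versus-exact, reverse and stop-on-match semantics to constructed messages. The exact matching rules of the product are not published, so the interpretation here (fuzzy = substring, leading “*” = whole-value match, a rule with no configured field never matches) is an assumption, and the rule names, field names and sample messages are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def match_token(token: str, value: str) -> bool:
    """One condition token: '!' = NOT, 'null' = empty field, '?' and '*' are
    wildcards, and a leading '*' switches from fuzzy (substring) to exact matching.
    These semantics are assumed; the product's own matcher is not documented."""
    token = token.strip()
    negate = token.startswith("!")
    if negate:
        token = token[1:]
    if token == "null":
        hit = value == ""
    elif token.startswith("*"):
        hit = fnmatchcase(value, token[1:])           # whole value must match
    else:
        hit = fnmatchcase(value, "*" + token + "*")   # may appear anywhere
    return not hit if negate else hit


def match_field(condition: str, value: str, all_tokens: bool = False) -> bool:
    """Comma-separated tokens are ORed unless the field's ALL box is checked."""
    results = [match_token(t, value) for t in condition.split(",") if t.strip()]
    return all(results) if all_tokens else any(results)


@dataclass
class AuditRule:
    name: str
    conditions: dict                  # field -> condition text; blank fields are skipped
    composition: str = "ALL"          # "ALL" (AND) or "ANY" (OR)
    all_fields: set = field(default_factory=set)  # fields whose tokens must all match
    reverse: bool = False             # invert the rule's verdict
    score_adjust: int = 0             # Adjust Spam Score, e.g. 50 or -50
    action: str = ""                  # isolate / delete / cc / notify (names constructed)
    stop: bool = False                # Stop to Match Next

    def matches(self, email: dict) -> bool:
        results = [match_field(c, email.get(f, ""), f in self.all_fields)
                   for f, c in self.conditions.items() if c.strip()]
        if not results:               # nothing configured: never matches (assumption)
            return False
        hit = all(results) if self.composition == "ALL" else any(results)
        return not hit if self.reverse else hit


def run_audit(email: dict, rules: list) -> dict:
    """Apply rules in order; a matching rule with 'stop' ends evaluation."""
    verdict = {"matched": [], "score": 0, "actions": []}
    for rule in rules:
        if not rule.matches(email):
            continue
        verdict["matched"].append(rule.name)
        verdict["score"] += rule.score_adjust
        if rule.action:
            verdict["actions"].append(rule.action)
        if rule.stop:
            break
    return verdict


# Constructed rules mirroring the manual's examples (yourdomain.com, quotation, 192.168.1.).
RULES = [
    AuditRule("quotation-out", {"sender": "@yourdomain.com", "subject": "quotation"},
              action="isolate", stop=True),
    AuditRule("no-subject", {"subject": "null"}, score_adjust=50),
    AuditRule("offsite-ip", {"sender_ip": "!192.168.1."}, score_adjust=20),
    AuditRule("not-jean", {"sender": "*jean@abcd.com"}, reverse=True, action="notify"),
]


def demo() -> dict:
    """Run three constructed messages through RULES and return their verdicts."""
    mails = {
        "quote": {"sender": "bob@yourdomain.com", "subject": "quotation submission",
                  "sender_ip": "192.168.1.20"},
        "blank": {"sender": "x@external.com", "subject": "", "sender_ip": "10.0.0.5"},
        "jean": {"sender": "jean@abcd.com", "subject": "hi", "sender_ip": "192.168.1.7"},
    }
    return {k: run_audit(m, RULES) for k, m in mails.items()}
```

Note that the “quote” message also satisfies the reversed “not-jean” rule, but because “quotation-out” has stop set, it is never evaluated.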
If there are too many audit filter conditions, batch import via CSV file can also be utilized, with columns named in sequence:
When the filtering conditions in audit filtering settings are triggered and the administrator selects IP blocking as the action, NG-UTM will execute the blocking.
Administrators can configure exception IP addresses and exception senders here.
• IP Block Settings
[Block Time (seconds)]: When an email that meets the filtering conditions is matched and the action is IP blocking, NG-UTM temporarily adds the IP address to the blacklist, refusing the connection. Default value is 600 seconds.
[Permanent Block after (times)]: When the blocking count exceeds the configured value, NG-UTM permanently blocks the IP address. Default value is 3 times.
[Trusted IP Address]: Whitelist of IP addresses for audit filtering, supporting both IPv4 and IPv6 formats, one entry per line, e.g.,
10.1.1.0/16
fe80::1e6f:65ff:fe28:9d47/64
[Trusted Sender]: Whitelist of sender accounts for audit filtering, one entry per line.
[Unblock IP Address]: List IP addresses that have been blocked; administrators can unblock them here.
[IP Block Log]: Record every IP or sender account blocked by the audit filtering mechanism; records are automatically cleared when exceeding 100K.
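The two blocking mechanisms described on this page, the spam search login lockout (failed-login threshold with an unblock period where 0 means never) and the audit filter IP block (temporary block time, escalation to a permanent block, trusted IP and sender exceptions), as one added example that is not ShareTech's code. It uses the manual's defaults of 600 seconds and 3 blocks and its trusted-network entries; the 5-failure login threshold, the treatment of the permanent-block count as “more than N” and all IP addresses in the tests are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Spam search web login: block an IP after too many failed logins."""
    max_failures: int = 5       # failures "more than" this trigger a block (constructed value)
    unblock_period: int = 0     # seconds until auto-unblock; 0 = never (manual default)
    failures: dict = field(default_factory=dict)
    blocked_at: dict = field(default_factory=dict)

    def is_blocked(self, ip: str, now: float) -> bool:
        started = self.blocked_at.get(ip)
        if started is None:
            return False
        if self.unblock_period and now - started >= self.unblock_period:
            self.blocked_at.pop(ip)          # period elapsed: auto-unblock
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register one failed login; returns True when the IP is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] > self.max_failures:
            self.blocked_at[ip] = now
            return True
        return False


@dataclass
class AuditIPBlocker:
    """Audit filter IP blocking with trusted-network exceptions and escalation."""
    block_time: int = 600       # seconds a temporary block lasts (manual default)
    permanent_after: int = 3    # blocks beyond this count become permanent (manual default)
    trusted: list = field(default_factory=list)     # CIDR strings, IPv4 or IPv6
    blocked_until: dict = field(default_factory=dict)
    block_count: dict = field(default_factory=dict)
    permanent: set = field(default_factory=set)
    log: list = field(default_factory=list)         # (time, ip, kind, reason)

    def is_trusted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # strict=False accepts entries such as 10.1.1.0/16 whose host bits are set.
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.trusted)

    def block(self, ip: str, now: float, reason: str) -> str:
        """Called when a filter with the IP-block action matched; returns the outcome."""
        if self.is_trusted(ip):
            return "trusted"
        self.block_count[ip] = self.block_count.get(ip, 0) + 1
        if self.block_count[ip] > self.permanent_after:   # count "exceeds" the setting
            self.permanent.add(ip)
            self.blocked_until.pop(ip, None)
            kind = "permanent"
        else:
            self.blocked_until[ip] = now + self.block_time
            kind = "temporary"
        self.log.append((now, ip, kind, reason))
        return kind

    def is_blocked(self, ip: str, now: float) -> bool:
        if ip in self.permanent:
            return True
        expiry = self.blocked_until.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.blocked_until.pop(ip, None)   # expired or never blocked
        return False

    def unblock(self, ip: str) -> None:
        """Administrator's manual unblock from the Unblock IP Address list."""
        self.permanent.discard(ip)
        self.blocked_until.pop(ip, None)
        self.block_count.pop(ip, None)
```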
NG-UTM logs all emails transmitted and received through it. Emails (including content and attachments) are stored on the local disk.
Once in the email query system, administrators can locate target emails based on search criteria and release them to recipients or download them to their computers.
Apart from email search functionality, if an email is blocked by NG-UTM’s own defense mechanisms such as spam filtering, virus filtering, or audit filtering, it can also be identified here.
NG-UTM lists emails sent and received today, sorted by time, for administrator viewing. Detailed explanations of list items are as follows:
[Date]: Date and time when the email entered NG-UTM.
[Sender IP]: IP address of the sender.
[Recipient IP]: IP address of the recipient.
[Direction]: Email direction. : External to internal mail server (near end), : Internal to external mail server sending (far end), : Internal to external mail server receiving.
[Sender]: Email sender’s account.
[Recipient]: Email recipient’s account.
[Subject]: Subject of the email.
[Email Size]: Size of the email.
[Delivery Status]: Whether delivery was successful, rejected by the recipient’s mail server, accepted, failed, or encrypted.
[Virus]: Whether the email contained a virus.
[Score]: Score assigned by the spam filter.
[Action]: Action taken on the email, such as “subject text added,” “isolated,” or “deleted”; normal emails show as blank.
[Attachments]: Whether the email contained attachments.
[Details]: Detailed processing information of the email within NG-UTM, e.g., spam filtering, virus filtering, or audit filtering actions (see figure below).
[Download]: Whether the email has been downloaded to the administrator’s computer.
[Send]: Whether the email has been released to the recipient by the administrator.
[Whitelist]: Whether the sender of this email should be added to the system whitelist.
• Actions
Administrators can select individual or multiple emails from the list and perform the following actions using the buttons above the list:
[Download]: Download selected emails to the administrator’s computer.
[Delete]: Delete selected emails from NG-UTM records.
[Send]: Release selected emails to recipients.
[Add to System Whitelist]: Add sender of selected emails to the system whitelist to prevent future classification as spam.
[Add to Blacklist Learning]: Add sender of selected emails to the system blacklist for immediate rejection and classification as spam.
[Export]: Export selected email records to the administrator’s computer.
In the “Mail Search” feature, administrators can search for all emails processed by the UTM device, whether they are sent internally or received from external sources. Detailed search criteria are explained as follows.
[Date]: Enter the date range to search.
[Sender IP Address]: IP address of the sender.
[Recipient IP Address]: IP address of the recipient.
[Action]: Choose from All / SMTP Near End / SMTP Far End / Receipt.
[Sender Account]: Email account of the sender.
[Email Size (KB)]: Size range of the email file.
[Recipient Account]: Email account of the recipient of this email.
[Spam Type]: Choose from All / Normal / Deleted / Isolated / Renamed / Not Scanned / Data Analysis.
[Spam Score]: Range of spam score.
[Virus Mail]: Whether the spam email contains a virus. Choose from All / Contains Virus / No Virus / Isolated / Not Scanned.
[Filter]: Whether heuristic filtering was enabled.
[Status]: Delivery status of the email. Choose from All / Success / Rejected / Accepted / Failed / Encrypted.
[Subject]: Text in the email subject.
After entering the criteria, click [Search], and the results will be displayed in the list on the next tab.
The interpretation and actions on the list are the same as in 10-5-1. Today Mail.
Administrators can search detailed SMTP communication records for each email, which serve as the basis for determining reasons for unsuccessful deliveries.
[Date]: Enter the date range to search.
[Sender Account]: Email account of the sender.
[Email Size (KB)]: Size range of the email file.
[Recipient Account]: Email account of the recipient of this email.
[Status]: Choose from All / Sent(Outgoing Mail) / Reject / Accept(Outgoing Mail) / Fail / TLS.
NG-UTM defaults to the simple version of SMTP records, and the resulting list after a search will display reasons for unsuccessful deliveries in the “Delivery Message” column.
[Delivery Message]: Displays reasons for delivery failures.
• Detailed Version of SMTP Records
If “Detailed” is selected under “Mail > 10-1-1. Email Filtering and Logging > SMTP Log Setting > Log Type”, administrators can click on the “Detailed” link in the “Details” column of SMTP Communication Record Query Results to view detailed records of SMTP connections for an email. An example of detailed SMTP connection records for an email is shown below: