4.8. Alert, notification and quarantine report emails

Alert and report emails, and certain settings of notification emails can be configured under Settings > Alerts & Reports.

Trust

Risk of social engineering

Notification, alert and report messages sent by the product often resemble phishing emails.

Tricking users into clicking links or entering their credentials on a phishing web page is a common phishing technique. Because Email Gateway Security's own messages also ask users to click links and enter passwords, even a careful user may be unsure whether a notification, alert or report email from Email Gateway Security is genuine or a phishing attempt.

To build trust, Email Gateway Security can digitally sign the notification, alert and report messages it sends. Recipients can then verify whether a message is a genuine Email Gateway Security notification or a fake one.

To configure digital signing of alert, notification and report messages, perform the following steps:

  1. Define a certificate and private key pair under Settings > Certificates for digitally signing emails.
    images/download/attachments/5716272/image-20210628-120009.png

  2. Enable Settings > Alerts & Reports / Digitally sign alerts & reports.
    images/download/attachments/5716272/image-20210628-120056.png

  3. Select the certificate created in step 1 as the S/MIME certificate.
    images/download/attachments/5716272/image-20210628-120143.png

  4. Recipients can verify the digital signature.
    images/download/attachments/5716272/image-20210628-121238.png

Sender must match certificate

The address set under Sender email address and the subject of the certificate set as S/MIME certificate must match; otherwise the digital signature on the email will not validate.

The product checks whether the sender address and the certificate subject match and displays a warning if they do not.

Certificate must support S/MIME

The certificate set for S/MIME certificate must support digitally signing emails.

The product checks whether the certificate is suitable for signing emails and displays a warning if it is not.
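An added example (not OPSWAT's code) that reproduces the flow above on a constructed alert with the openssl CLI: a self-signed signing certificate whose subject carries the sender address and which has the emailProtection extended key usage, the signing step, and the recipient-side checks that the signature verifies and that the From address matches an e-mail address in the signer certificate (the "Sender must match certificate" rule). The sender address, recipient and alert text are assumed values.

```shell
#!/bin/sh
# Added example (not OPSWAT's code): exercise the S/MIME signing flow described in
# the page on a constructed alert, then run the recipient-side checks: the signature
# must verify against a trusted certificate, and the From address must be one of the
# e-mail addresses carried by the signer certificate. Assumes the openssl CLI.
set -eu
WORK=$(mktemp -d)
SENDER="alerts@gateway.example"     # assumed value of "Sender email address"

# Step 1: signing certificate and key (self-signed here; in the product this is the
# pair defined under Settings > Certificates). The subject carries the sender address
# and the EKU makes the certificate usable for S/MIME ("Certificate must support S/MIME").
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Email Gateway Security/emailAddress=$SENDER" \
  -addext "extendedKeyUsage=emailProtection" \
  -keyout "$WORK/signer.key" -out "$WORK/signer.crt" 2>/dev/null

printf 'The SMTP relay smtp.example.net did not respond.\n' > "$WORK/body.txt"  # constructed alert text

# Steps 2-3: sign the message (what "Digitally sign alerts & reports" does with the
# configured S/MIME certificate). $1 = From header for the message, $2 = output file.
sign_alert() {
  openssl smime -sign -text -in "$WORK/body.txt" -signer "$WORK/signer.crt" \
    -inkey "$WORK/signer.key" -from "$1" -to "admin@example.net" \
    -subject "Alert: SMTP relay not responding" -out "$2"
}

# Step 4: recipient-side verification. $1 = signed .eml, $2 = trusted certificate bundle.
# Returns 0 only if the signature verifies AND the From address equals one of the
# e-mail addresses in the signer certificate (subject emailAddress or SAN).
verify_alert() {
  openssl smime -verify -in "$1" -CAfile "$2" -signer "$WORK/signer_out.crt" \
    -out /dev/null 2>/dev/null || return 1
  from=$(grep -i '^From:' "$1" | head -n 1 | sed 's/^[Ff][Rr][Oo][Mm]: *//; s/.*<\(.*\)>.*/\1/')
  openssl x509 -in "$WORK/signer_out.crt" -noout -email | grep -qxF "$from"
}

sign_alert "$SENDER" "$WORK/good.eml"                    # genuine notification
sign_alert "helpdesk@example.net" "$WORK/mismatch.eml"   # From header does not match the certificate
sed 's/did not respond/DID respond/' "$WORK/good.eml" > "$WORK/tampered.eml"  # signed content altered

verify_alert "$WORK/good.eml" "$WORK/signer.crt" && echo "good.eml: signature valid, sender matches certificate"
verify_alert "$WORK/mismatch.eml" "$WORK/signer.crt" || echo "mismatch.eml: rejected, From does not match certificate"
verify_alert "$WORK/tampered.eml" "$WORK/signer.crt" || echo "tampered.eml: rejected, signature does not verify"
```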

Common properties

Some properties are common among alerts, notifications and quarantine reports.

SMTP server profile

Email Gateway Security uses a specific SMTP relay to deliver all alerts, notifications and reports. This SMTP server is defined under Settings > Alerts & Reports / SMTP server profile. For further details see Server.

Sender email address

The email address from which alert, notification and quarantine report emails are sent. It is used in the SMTP MAIL FROM command and in the email's From header.

Digitally sign alerts & reports

Whether or not to digitally sign report, notification and alert emails sent by the product.

When enabled, an S/MIME digital signature is applied to the message using the certificate configured in the S/MIME certificate field.

S/MIME certificate

The certificate that is used to generate the digital signature.

images/download/attachments/5716272/image-20210628-114944.png

Alerts

Email alerts can be configured so that selected users are notified immediately when certain system events occur.

SMTP server not responding *

An alert is sent if the inbound SMTP server is not responding as expected.

SMTP relay not responding *

An alert is sent if an SMTP relay configured in a server profile is not responding as expected.

MetaDefender Core not responding *

An alert is sent if a MetaDefender Core server configured in a server profile is not responding as expected.

MetaDefender Vault not responding *

A notification is sent if a MetaDefender Vault server configured in a server profile is not responding.

Scan failure **

An alert is sent if a scan failure occurs during the processing of an email.

Sanitization failure **

An alert is sent if a sanitization failure occurs during the processing of an email.

Delivery of sanitized blocked email content **

An alert is sent if a blocked sanitized email is delivered to recipient(s).

Note

MetaDefender Email Gateway Security only delivers blocked sanitized content to recipient(s) when the option Security Rules > rule / ZERO-DAY MALWARE PREVENTION / Override sanitization behavior / Send sanitized version of blocked files is enabled. For further details see the Zero-Day Malware Prevention section in 4.4. Policy.

Email refused **

An alert is sent when an email is refused by MetaDefender Email Gateway Security.

Email failed **

An alert is sent when an email fails processing and is moved to Failed.

Email bypassed **

A notification is sent if Email Gateway Security bypassed scanning of an email.

Email refused by SMTP relay **

A notification is sent if an email is refused by a configured SMTP relay server.

Example

Deep CDR processing may significantly increase the size of an email. As a consequence, the SMTP relay might refuse the email because of its size limits, even if the recipient is valid.

This notification draws the administrators' attention to such cases.

Queue size *

A notification is sent if the MetaDefender Email Gateway Security queue size exceeds the threshold configured as the QUEUE SIZE THRESHOLD value.

Note

A large queue does not necessarily indicate a failure; it can simply result from a large influx of emails whose processing is queued up to keep MetaDefender Email Gateway Security performing optimally.

Persistent conditions

* For persistent failures or conditions, a notification email is sent once an hour.

Example

If the queue size stays above the threshold for hours, the alert is sent once every hour. If the queue size fluctuates around the threshold (sometimes above it, sometimes below it), the alert is sent every time the threshold is exceeded.

Alert for each occurrence

** These alerts are sent every time the condition evaluates to true.

Example

If the EMAIL BYPASSED option is set, an alert is sent every time Email Gateway Security bypasses an email.

Priority

Alert emails are handled with priority: when the processing queue is long, alerts are not delayed because alert emails are placed at the head of the queue.

Notifications

Notifications are sent when emails are blocked by Advanced Threat Prevention and Security Rules > rule / ADVANCED THREAT PREVENTION / Handling of the email is set to Block email.

Notifying recipients about the blocked email can be enabled by Security Rules > rule / ADVANCED THREAT PREVENTION / Notify recipients if email is blocked.

For further details see the Advanced Threat Prevention section in 4.4. Policy.

images/download/attachments/5716272/image-20210628-123442.png

A notification email informs the recipient that the email was blocked, states the reason for blocking and lists the possible next steps.

images/download/attachments/5716272/image-20200323-130104.png

Legacy quarantine reports

Obsolete function

This function is obsolete and will be removed in a future version of Email Gateway Security.

Use the new quarantine report functionality configured under Settings > Quarantine reports instead.

For details see 4.13. Quarantine reports.

Not available on secondary instances

Settings > Alerts & Reports / Quarantine Reports is not available on a secondary instance of a scalable deployment. Quarantine reports must be configured on the primary instance.

For details see 5.15. Scalable deployment operation.

MetaDefender Email Gateway Security can be configured to periodically send reports about the quarantine status.

Quarantine reports can be configured under Settings > Alerts & Reports / Quarantine Report.

Quarantine reports can be scheduled as follows (times are in the MetaDefender Email Gateway Security server's local time):

  1. Off: no reports are sent

  2. Hourly: a report is sent at the start of every hour

  3. Daily: a report is sent every day at midday

  4. Weekly: a report is sent every Monday at midday

  5. Monthly: a report is sent on the first day of every month at midday

With Quarantine report rule, the digest email can be restricted to inbound or outbound quarantined items only.

Both the Advanced Threat Prevention and the Zero-Day Malware Prevention (see 4.4. Policy) features can quarantine emails. With Only include quarantined emails that were blocked the quarantine report can be restricted to items quarantined by Advanced Threat Prevention only.

Quarantine report limitation

A quarantine report contains at most 1000 entries. If more than 1000 new entries were quarantined since the last quarantine report, check the quarantine itself for the remaining ones. If reporting is restricted to blocked emails and/or to inbound/outbound emails only, the counts and entries in the quarantine report reflect those restrictions.