Content Filtering AFTER Spam Filtering, not before! or OPTION
Content Filtering is currently processed BEFORE Spam Filtering. However, since the new way of malware is included in .zip files, I have decided to BLOCK .zip and .7z files. Since this is possibly a legit form of sending emails that our vendors do use, I have a user notification of the quarantine so they can email me if needed to release it. I would 'not' want an end user to have access to the quarantine to release it, as someone else noted.. I just don't trust the end user to make that judgement call, as too many people decide to click these malware emails in the first place. So my point is: make the content filter AFTER the spam filter. So I think it should first check malware/virus, then spam, then content filter. So if someone that is whitelisted sends a .zip, they make it through malware, make it through spam (whitelisted), and are blocked at content, and the user email goes out. A fake email sending a bad .zip attachment makes it past malware/virus apparently, gets BLOCKED at the spam level due to one of those rules, never makes it to the content filter and thus no user notification goes out. Thus limiting notifications to mostly legit .zip user notifications. I think this is a better priority level; I don't see the issue with this priority scheme. Since more and more .zip is being used by spammers, most would still get caught there as they normally would.
Putting Content Filtering after Spam Filtering introduces a huge vulnerability in GFI MailEssentials. This is because Spam Filtering is treated as non-harmful, which content filtering is not supposed to be.
Our suggestion is to:
Deploy GFI MailEssentials in a DMZ in front of your email server. Only enable Spam Filtering and set it to delete obvious spam. The Delete option is fundamental here otherwise you would end up with the same vulnerability we do not want to include.
Note: You do not need any extra GFI MailEssentials licensing to do so. The same license can be used since it’s for the same mailboxes.
A Hofstra commented
Still quite a struggle here as well in 2017, hopefully I didn't miss a fix for this somewhere.
Fausto Matias commented
Malware filtering does not work satisfactorily, so the best way to reduce the amount of spam is to use most of the SPAM filters (SpamRazer, anti-phishing, directory harvesting (for AD), email blocklist, IP blocklist, header checking, etc.).
Putting Content Filtering first harms the whitelist, which does not work, besides ignoring all the other pre-classifications from the filters above.
GFI cannot ignore the companies that do not use the Email Security option.
Adjust the filter priorities, or at least include an option for the admin to select the processing order of Content Filtering during installation.
Phillip Watson commented
For us, we have 200+ emails a day blocked by Content Filtering, either To or From users that don't exist on our domain. We have SPF and Directory Harvesting enabled in MailEssentials, and SPF records that are enforced.
Every one of those emails causes an email to the postmaster, and one to the recipient if the sender is forged but the recipient is valid. If anti-spam filtering were done before, or in conjunction with, content filtering, then we wouldn't have the issue.
I.e. you could still do Content Filtering first, but then ALSO run the Anti-Spam filters, and only send the notifications if the email would otherwise have been delivered (either into Inbox, Infected, etc.) If the email would have been discarded, then discard the email AND the notifications.
Petr Hanč commented
Re: Richard Powell: "If it doesn't believe it is malware, then it should pass it onto our control." All right, it has logic probably for the majority of the customers. But it's not good for my organization because we don't have malware filtering licensed. The reason is lack of finance and my opinion that malware filtering is not able to recognize a big percentage of malware.
Re: Ian Bugeja: All right, but you should somehow solve big number of user and admin notifications from content filtering when dangerous attachment extensions are quarantined.
I support Theodor den Hartog's suggestion of summary user notifications. I would also appreciate admin summary notifications and configurable periodicity of these notifications.
I am considering moving from GFI ME to some cloud filtering service because of the lack of GFI ME configurability. I also suppose that specialists can fight spam and malware better than me.
Theodor den Hartog commented
I understand the way mail should be processed, but also for us, users are receiving a ton of sanitized mails and 1 in 10 just may contain legitimate items.
My users are not even looking at the mails anymore and thus legitimate mails are lost.
At least create the functionality to provide users with a report mail (daily) containing a summary of all mails that were sanitized. A bit like the SPAM digest mail. I think that for us that would be a step in the right direction and for my users easier to understand. They get two mails a day reporting what content was blocked and what spam was blocked.
Bill Hilton commented
The points you outline are correct. Have you factored in people (like us) who do not provide users with access to the user spam quarantine? We do not believe in the user approved quarantine. I break it down like this:
Users already know to check their Junk email folder in their client, why teach them of a new place to go "release" quarantined email? Then train every new employee... There is really no need for a user quarantine space when one already exists... Junk Email folder.
I have always used GFI to set the X-header tags for anything spam-ish and then set an Exchange transport rule to place it in their junk email folder (effectively their own personal quarantine they can drag emails out of).
Now that I have explained how we do not use the user quarantine, we never have, can you please consider making the option to change the processing order?
Content filtering is processed before Spam filtering because if it were different then blocked content could end up in the spam quarantine, leading to a vulnerability.
The order of processing is the following:
1) SMTP level filtering - emails deleted or rejected (no quarantine)
2) Malware scanning - (admin quarantine)
3) Content scanning - (admin quarantine)
4) Spam scanning - (user quarantine)
When an engine detects anything that should be blocked, it is blocked. The Malware and Content scanning place items in the administrative quarantine while spam is placed in the user quarantine.
The original request for this feature is that they are blocking all attachments with content filtering rules; however, due to the increasing amount of spam with attachments, the administrator quarantine started having increased amounts of spam, which was not the intended location for it.
If you want a strict policy to avoid this, there are various methods to use, such as enabling grey listing, for example, to stop such emails from reaching the network in the first place.
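To make the four-stage order described above and Phillip Watson's "notify only if it would otherwise have been delivered" proposal concrete, here is an added toy model of the pipeline. It is not GFI code; the message flags, engine names and the blocked-extension list are assumptions. It shows how a spam .zip still triggers a content-filter notification in the default order, how the proposed variant suppresses it, and why running spam before content would land an attachment the malware engine missed in the user quarantine.

```python
from dataclasses import dataclass

@dataclass
class Message:
    """Constructed message model; the flags stand in for engine verdicts."""
    sender: str
    attachments: tuple = ()
    blocklisted_ip: bool = False   # would be rejected at SMTP level (IP blocklist)
    malware: bool = False          # would be recognised by the malware engine
    spam_rule_hit: bool = False    # would be caught by an anti-spam rule
    whitelisted: bool = False      # sender is on the spam whitelist

BLOCKED_EXTENSIONS = (".zip", ".7z", ".exe", ".scr")   # assumed content-filter rule

def content_hit(msg):
    return any(a.lower().endswith(BLOCKED_EXTENSIONS) for a in msg.attachments)
def spam_hit(msg):
    return msg.spam_rule_hit and not msg.whitelisted

# Each engine returns (disposition, notify_user) or None when it does not fire.
ENGINES = {
    "smtp":    lambda m: ("rejected", False) if m.blocklisted_ip else None,
    "malware": lambda m: ("admin_quarantine", False) if m.malware else None,
    "content": lambda m: ("admin_quarantine", True) if content_hit(m) else None,
    "spam":    lambda m: ("user_quarantine", False) if spam_hit(m) else None,
}
DEFAULT_ORDER = ("smtp", "malware", "content", "spam")

def process(msg, order=DEFAULT_ORDER, notify_only_if_deliverable=False):
    """First engine that fires decides. With notify_only_if_deliverable=True a content
    hit still runs the later engines; if any would also block the mail, it is discarded silently."""
    for i, name in enumerate(order):
        verdict = ENGINES[name](msg)
        if verdict is None:
            continue
        disposition, notify = verdict
        if notify and notify_only_if_deliverable:
            if any(ENGINES[n](msg) for n in order[i + 1:]):
                return "discarded", False
        return disposition, notify
    return "inbox", False

def user_notifications(messages, **kwargs):
    return sum(1 for m in messages if process(m, **kwargs)[1])

# Constructed sample traffic
VENDOR_ZIP = Message("vendor@example.com", ("invoice.zip",), whitelisted=True)
SPAM_ZIP = Message("bulk@example.net", ("offer.zip",), spam_rule_hit=True)
MISSED_MALWARE = Message("fake@example.org", ("doc.zip",), spam_rule_hit=True)  # malware=False: engine misses it
KNOWN_MALWARE = Message("bot@example.org", ("bad.zip",), malware=True)
BLOCKLISTED = Message("x@example.org", ("bad.zip",), blocklisted_ip=True)
SAMPLE = (VENDOR_ZIP, SPAM_ZIP, MISSED_MALWARE, KNOWN_MALWARE, BLOCKLISTED)
```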
Richard Powell commented
This is still a horrendous issue for us. Re: Petr Hanč's comment "The problem with suggested filter order would be that malware could get into the spam quarantine and users would be allowed to approve these emails containing malware.". That is a design fault: the Malware filter should filter the malware, and not "everything with an attachment". It just doesn't always work, so we have chosen to block attachments as an extra security measure.
So: the system should know an attachment is malware because it recognises the malware. If it doesn't believe it is malware, then it should pass it onto our control. And then if we think "it MIGHT be malware on the basis of an extension", we can choose what to do with it. That way, the obvious spam (i.e. blocked IP addresses etc.) would be filtered out, reducing the amount of admin work approving emails with attachments.
Petr Hanč commented
The problem with suggested filter order would be that malware could get into the spam quarantine and users would be allowed to approve these emails containing malware. And it's better to forbid potentially dangerous extensions like .EXE .SCR etc instead of .ZIP. ZIP files containing these files are automatically blocked as well (if Decompression Engine / Scan within archives is enabled).
Brian Walsh commented
I've just had a 20 minute chat support session about this exact issue (except relating to exe attachments rather than zip attachments). Either sanitized emails should be forwarded for further spam filtering, or content filtering should be after spam filtering.
Joe Volence commented
[Comment date: 2013-11-14]
I asked a question similar to this before - what I wondered was if it could spam scan everything first, then scan for virus and content filter.
My problem was that if the message was found to match CF/virus, and I had it set to sanitize and deliver, then the message was coming through sanitized to the inbox (attachment removed), but in fact it was spam anyway and should have been moved according to spam rules.
Rob Richman commented
[Comment date: 2014-01-14]
Yes, Content filter should be 'last' in the list.. Now that .zip extensions are being used so much now... my clients/employees are getting tons of notifications. Unfortunately I have to enable the notification for .zip because 2 out of 10 are legit.. yes people still use .zip for legitimate purposes... so they then forward to me to 'release' from the quarantine. However 8 out of 10 are virus/malware or spam. I really wish this was implemented soon to eliminate most of the unnecessary notifications for content filtering. Please... At least make it an option so we can decide which priority works best.. like we can change the spam filter priority... we should also be able to change the actual 3 filter categories (virus/spam/content). some may prefer different orders... but for me I am getting inundated with .zip notifications that would have been just deleted if malware scan was first.
Rob Richman commented
[Comment date: 2014-04-01]
Any update on this, this is becoming more and more annoying for my end users.... more malware and spam are coming in through .zip files... but since .zip may not necessarily be bad, I have it set to send an email notification to end user so if it is legit they can forward to me to release from quarantine. however maybe 5 out of 100 are legit.. so end users are inundated with notifications. Looking at the .zip quarantine.. most would have been filtered out from malware or other spam filters first... thus reducing the notification. I am begging to have the option to change the order of the content filter to be 'behind' the malware and spam filters.
Dennis K commented
[Comment date: 2014-05-16]
Agree, too much spam coming with exe in zip, and none of them are valid emails.