Antispam tab

Related topics:

Antispam exceptions

Commercial bulk email detection

Adding an entry to the allowlist or blocklist

Uploading a allowlist or blocklist

Select the Antispam tab on the policy to view or modify rules for spam protection, and to configure settings to detect commercial bulk mail in inbound messages.

By design, email is checked for spam under the following conditions:

Email is inbound from the Internet.

The email message is not stopped by some other rule, for example it contains a virus or a barred attachment type.

The Antispam service is enabled for the policy (i.e., you are licensed for the service).

All such email is assigned a spam score (unless it is blocked by system-wide rules that identify bulk spam). This is visible in the message header and message tracking results. The higher the spam score, the more likely it is to be spam. Many rules are used to generate the spam score, including analysis of the words within the message, where it came from, its headers, and comparisons with other spam and non-spam email.

Spam Options

Check Filter for Spam if you want inbound email filtered for spam.

There must be at least one spam rule defined. By default two rules are set up:

Quarantine all email with a spam score greater than 6.

Discard any email with a spam score greater than 15.

You can define multiple rules for different spam thresholds and associate actions with each of these. For example, you can create a rule that forces all email with a spam score greater than 6.0 to be forwarded to an administrator, all email with a score greater than 7.0 to be quarantined, and all email with a score over 10.0 to be discarded.

Lower values detect more spam at the risk of false positives - email wrongly detected as spam. Higher values reduce the risk of false positives but could miss some spam. Forcepoint Email Security Cloud aims to ensure that no false positives occur with spam scores over 6.0. This is the recommended default setting for quarantining email.

To define spam rules:

From the first Spam scoring more than drop-down list, select a spam threshold.

From the second Spam scoring more than drop-down list, select an action for that threshold.

The following actions are available:


Action	Description
Quarantine-Notify	Messages are quarantined as above and a notification is sent to an email address. This is not recommended, because you are simply replacing one email with another. It is included for those that wish to use notifications during an evaluation phase rather than the more widely used "tag" option.
Quarantine	Messages are kept in quarantine for up to 30 days. This is the normal setting used for messages identified as spam. Note that no notifications are sent for this action.
Forward	Messages are forwarded to one or more email addresses in a comma-separated list. You can use this setting to forward all spam to a single account for management purposes.
Tag subject	Message subjects are tagged with a prefix that you've assigned (in the Tag subject prefix box under Existing Rules).
Bounce	Messages are bounced back to the sender.
Discard	Messages are discarded. This is often used to discard messages with a very high spam score.

Click Add Rule>> to create a rule based on these parameters.

Depending on the action you select, you may be prompted for additional information first, such as the email address to which to forward the message.

A list of existing rules is displayed. You can also delete rules here.

Keep a copy of clean messages

By default, Forcepoint Email Security Cloud does not keep a copy of any messages unless they are quarantined, in which case they are held for 30 days before being automatically deleted. Checking Keep a copy of clean messages allows Forcepoint Email Security Cloud to keep a private copy of clean email messages, for a short period, separate from the quarantine area, to aid in the process of spam tuning when the "Report this email as Spam" link is used (see Report this email as spam for more details). If Forcepoint Email Security Cloud has the original message available, our operations staff and future automated systems can analyze it.

Commercial bulk email detection

The service offers a way to configure your settings to detect inbound commercial bulk email messages and to perform certain actions on them, such as quarantining, or tagging the message subject so that users can easily identify commercial email.

To enable commercial bulk email detection, do the following:

Under Commercial Bulk Email Detection, select Analyze for commercial bulk email.

Select the action you'd like performed when commercial bulk email is detected:

Take no action. No action is taken on the commercial bulk email detected.

Tag the message subject. The subject of detected commercial bulk email messages are tagged with "COMMERCIAL:" or a custom tag that you enter.

Quarantine the message. Commercial bulk email messages are kept in quarantine for up to 30 days. Note that no notifications are sent for this disposition.

Select the sensitivity level of the feature:

Normal detects email that comes from known commercial bulk email sources.

High detects email that comes from known commercial bulk email sources or email that contains commercial content.

Click Submit when you are finished.

Note that the subject tag that you select will also be used in all antispam exceptions.


	Note If you wish to run a report that shows the number of commercial bulk email messages you have received, these messages will only be counted if you have selected Analyze for commercial bulk email.

Allowlists and blocklists

Here you can configure allowlists and blocklists that override your spam filtering settings, affecting inbound messages for the whole policy.

Allowlist entries can include the sender's email address, domain, or IP address. Allowlists define addresses that are permitted to send mail to you without spam filtering being applied.

Blocklist entries can also include the sender's email address, domain, or IP address. Blocklists define addresses from which you do not want to receive email.

Notes

Allowlists always take priority over blocklists. If you add an address to both the allowlist and the blocklist, messages from that sender address are allowed.

Allowlists and blocklists are processed in the following order. The first match found is applied:

Policy IP address allowlists

Policy IP address blocklists

Per-user email address/domain allowlists (see Antispam exceptions)

Policy email address/domain allowlists

Per-user email address/domain blocklists (see Antispam exceptions)

Policy email address/domain blocklists

If Forcepoint Technical Support has enabled a custom antispam rule for your account, this may override any addresses in allowlist you have configured.

If you enable/select allowlist, you can also configure the following options:

Apply allowlist matching even if the message has a spoofed email addresses. If the service detects a message is spoofed, allowlist is not applied by default. However, you may wish to allow some messages that are legitimately spoofed, for example a message from an email distribution list that appears to come from a specific person. Select this option if you want to allow spoofed addresses through even if the address appears in your allowlist.

Do not apply allowlist matching on From: headers. An email message has two addresses associated with it: the envelope sender, and the From: header. The envelope sender is used by mail servers to check where the message originates and where to respond (for example, if there is an error or the message bounces); the From: header is what the message recipient sees. The envelope sender and the From: header often match, but not always. There are a number of legitimate reasons why an envelope sender might not match the From: header, for example if the message comes from a mailing list, or from an organization that has implemented a specific address for bounced messages.

Email spammers can take advantage of this, by changing the From: header on a spam email to be a domain that you recognize, while the envelope sender is related to a domain under their control.

By default, the service performs email address/domain allowlist on both the From: header and the envelope sender. If you select this option, allowlist matching applies only to the envelope sender.

To populate your allowlists and blocklists, click the links in Allowlist these addresses or Blocklist these addresses. See Adding an entry to the allowlist or blocklist for more information.

Use Forward messages with more than [N] recipients from specified domains to forward messages with more than the specified number of recipients from the specified domains.

When this rule is triggered, the intended recipients do not receive the message.

Example: To forward messages from example.com sent to more than 5 recipients, enable the option, specify 5 for the number of recipients, specify a forwarding address, and specify example.com for the domain. You can specify additional domains, if desired.


	Note The Forward messages option is a limited-availability feature, and may not be available in your account.

End user permissions

Forcepoint Email Security Cloud antispam provides a range of end-user self-service options. These are all initiated using the Forcepoint Email Security Cloud personal email report (see End-User Self Service).

You can enable or disable the ability for users to populate and manage their own individual blocklist and allowlist, and the option to release a copy of quarantined spam to themselves. These settings can be set for the policy, and can also be set for individual users, groups, or domains, using Antispam Exceptions. See Antispam exceptions.


	Note A user can never prevent an email containing a virus from being quarantined and, regardless of these settings, can never release one.

Allowlists always take priority over blocklists. If you have an email address in blocklist for the policy, a user can allowlist it and, assuming it has no other issues, such as containing a virus or contravening a Content rule, it is delivered. To prevent a user receiving certain types of email, we recommend that you configure a content filtering policy. See Content Filter tab).

Spam detection methods

For information about the methods that Forcepoint Email Security Cloud uses to identify spam, see the article Detecting spam in the Forcepoint Knowledge Base.