SpamTitan Skellig
Demo Instance Credentials:
URL = https://demo-smtp-ui.titanhq.com/
User = admin
Password = hiadmin.
Introduction to what the product is.
SpamTitan is a cloud-based email filtering solution that allows for the blocking of unwanted spam, malicious emails, or phishing attempts to your email environment.
How it works.
The SpamTitan instance is hosted in the cloud on a geo-centric basis.
Instances are hosted by AWS in the geographic nodes listed below.
- USA
- Europe
- UK
- Australia
- Canada
On install, you would be supplied with 2 MX records. These would just need to be implemented on your email instance as the primary MX records.
Any others can remain, but would need to be a lower priority than the ones for SpamTitan.
Start of the UI demonstration.
MSP LEVEL UI
Overview
Below we can see the overview dashboard, which demonstrates a quick snapshot of mail flow over all active customer instances under the MSP account. This can be shown for the last 7 days or 30 days.
1. The message breakdown shows the number of mails that have been processed by SpamTitan and, out of that, mails marked as clean, mails marked as spam, mails marked as a virus, and then all other messages that do not fall into these categories, for example, Geo-blocked mails.
2. Customers can be added using the Add button, which can be seen on the overview page also.
Once the add button is selected the below window will pop up where you can add the Customer name and the description of their account.
Once you click Add in this window, a new window to add an administrator for this account will pop up. See the details to add below.
- First Name: First Name of the Admin.
- Second Name: Second Name of the Admin.
- Email: Email of the admin, this cannot be the same email as the MSP admin.
- Link Lock Admin: Yes/No - Do you want to give the customer account access to use Link Lock for their domain.
- Password: This must be at least 10 characters and contain a letter and number.
Once the above is filled in, Click add and the customer account will be created.
Filtering Menu.
Allow/Block Lists
This page shows the Allow and Block List on the MSP level.
This can either be individual email addresses or a domain, and it will show the status of the email or domain in question, whether it is blocked or allowed on the MSP level.
This in turn will then filter down to all the customer accounts on this MSP account, meaning anything that is blocked on the MSP level will be blocked for the customer level, unless the customer level specifies it on their allow list. In these scenarios, the customer level will always supersede the MSP level.
To add a domain to the Allow or Block list, you can click on the Add drop-down menu and choose whether you are adding a Blocked or Allowed Email address.
Once you select, a pop up window will appear asking you to specify the email address and a comment associated with that entry.
The same actions can be taken by clicking "Domains" in the Allow/Block List Page and choosing to Add or Block a domain.
In this pop up window, you will also be asked if you want to include sub-domains when allowing or blocking this domain.
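The precedence described above, sketched as an added Python example (not SpamTitan's code): the customer-level list is consulted first, and the MSP-level list applies only when the customer list has no matching entry. The class and function names, the sample entries, and the order within one level (exact address before domain, most specific domain first) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ListLevel:
    """Allow/Block list of one level (MSP or customer)."""
    emails: dict = field(default_factory=dict)   # address -> "allow" | "block"
    domains: dict = field(default_factory=dict)  # domain -> (verdict, include_subdomains)

    def lookup(self, sender):
        """Return "allow", "block", or None when this level has no entry."""
        sender = sender.strip().lower()
        if sender in self.emails:            # assumption: exact address wins
            return self.emails[sender]
        labels = sender.rpartition("@")[2].split(".")
        # Walk from the full sender domain up to its parents, comparing whole
        # labels so "notexample.net" never matches an "example.net" entry.
        for i in range(len(labels) - 1):
            entry = self.domains.get(".".join(labels[i:]))
            if entry is None:
                continue
            verdict, include_subdomains = entry
            if i == 0 or include_subdomains:
                return verdict
        return None


def resolve(sender, customer, msp):
    """Customer level first; the MSP level applies only if it has no entry."""
    for name, level in (("customer", customer), ("msp", msp)):
        verdict = level.lookup(sender)
        if verdict is not None:
            return verdict, name
    return "scan", None   # no list entry: normal filtering continues


# Constructed sample lists (not real data).
MSP = ListLevel(domains={"example.net": ("block", True),
                         "example.org": ("block", False)})
CUSTOMER = ListLevel(emails={"billing@example.net": "allow"})

if __name__ == "__main__":
    for s in ("billing@example.net", "promo@mail.example.net",
              "user@notexample.net", "user@sub.example.org"):
        print(s, resolve(s, CUSTOMER, MSP))
```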
Geo-Blocking
This aspect of SpamTitan restricts email based on the sender’s geographic location. When enabled, it can be managed either at the MSP or Customer level. Exemptions can be added to exclude mail coming from geoblocked locations.
The settings can be implemented on the MSP and Customer levels.
On this page you have 2 options, Rules and Exemptions.
By adding a Rule, you are creating a rule to Block or Allow a specified region, for example Russia, based on the location of the sending IP.
By adding an exemption, you are creating an exemption to a rule you have created, allowing a specific IP, domain or Email to bypass the Block rule you may have in place for a specific region.
Link Lock
Link Lock removes the possibility of a user clicking on a malicious link by rewriting all links in every inbound email. From there, the link is followed through the redirected link to the host site and the site is scanned. If the site is malicious, the user would see a block page indicating there is a security risk.
Every time the rewritten link is clicked, the site is re-checked and the moment the site in question is ruled to be malicious, the block page would appear.
Of note, the block page can be fully customized on both an MSP and Customer level.
The above configurations are available at both the MSP and the Customer level, making the Block page customisable and allowing flexibility between the customer and MSP settings. Please note we always recommend enabling "Rewrite DKIM Signed Mail", as the majority of mails are DKIM signed. When this is not enabled, links will not be rewritten by Link Lock.
The Exemptions tab allows customers to add URLs to a list that Link Lock will not rewrite, essentially creating a bypass list.
To add a URL to the list, you click the add button as shown below and enter in the full URL you want Link Lock to not take effect on.
Settings
Main things to highlight under this tab are below.
1. Administrators - MSPs can create Admin accounts here to help manage the MSP portion of the Portal. Any admin here will have access to the MSP level; adding an admin for a customer would need to be done under the customer account.
2. Interface - MSPs on this tab can white label the interface with their own logo and Page Title.
3. Support - MSPs can use their own links and emails for their own support pages to guide their customers and help with basic support of the product.
CUSTOMER LEVEL UI
Overview Page.
Once the customer is created on the MSP level, the credentials supplied would allow the Admin to log into the basic Overview page for the instance.
Much like on the MSP level, there is a basic overview of the mail flow with regards to messages processed, the number of clean messages, spam messages, and virus messages seen over the following timeframes:
Each domain covered would have the following information listed on the Overview Page:
- Domain
- Destination Server - this is the server we are sending their mail to.
  - There are different syntaxes based on different service providers.
  - Office 365 will look like - domain-com.mail.protection.outlook.com
  - Google Workspace will have multiple entries like this - aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.google.com. When adding multiple entries, separate them with commas.
  - On-premise Exchange server will just be the IP of their mail server.
- RBL Checks - These are public live blacklists that contain IPs of known spammers. If they are not using Office 365, it is a good idea to check their IP on MX toolbox for a blacklist check to ensure they are not listed. Mail will be immediately rejected if it is on a blacklist.
- SPF Checks - This is a spoofing prevention tool. This check will look at the sending domain's SPF policy (can be checked through MX toolbox) and will look for the sending IP in their SPF record. If the sending IP is not listed here, it means the IP is not allowed to send for that domain, meaning it is a possible spoofed mail. In this case, we reject the mail on SPF failure.
- Greylisting - At the start, SpamTitan will temporarily reject emails from senders it does not recognize. After a 5 minute delay, the mail can be resent. We recommend this be turned off at the beginning to allow testing, and enabled once SpamTitan is in full use, as there can be a slight delay with this test.
Adding a Domain.
A customer can add a domain to ensure SpamTitan relays mail for that domain by clicking the "Add Domain" button on the overview page.
The customer can fill in the required information accordingly, using the above information provided.
Recipient Verification – This allows for mailboxes to be added and deleted automatically as they are added or removed from the Exchange server. Default setting is None, but most often, 2 are used.
Dynamic Verification – Most commonly used. To be used, the Exchange instance must be configured to reject invalid addresses. This is not enabled automatically on Exchange 2013 and 2016 (and possibly 2019). On O365, Directory Based Edge Blocking (DBEB) would need to be enabled.
O365 – same as the Destination Server (domain-com.mail.protection.outlook.com)
Google Workspace – aspmx.l.google.com
On-Prem Exchange – same as the Destination Server (IP of the physical Exchange server)
LDAP Verification – Can use an on-prem LDAP server to verify recipients. Setup is shown below in the following image:
Once the Recipient Verification is completed, click Add Domain to add the new domain to the instance.
Admins can also make more custom settings on a per-domain level. Clicking on the domain name itself will open a new window specific to the domain chosen.
Here you can make the following adjustments that will only affect that one domain, rather than all domains under each customer account.
- List of Users under this domain.
- Overview of the messages that have gone through the system for this domain only.
- Domains Configuration - RBL, SPF, Greylisting, Destination Server.
- Anti-spoof settings.
This level would allow for adjustments to the Filtering options (Allow/Block Lists, Link Lock, Attachment Filtering, and Geoblocking) to be done on just that one domain (whereas the level shown earlier would apply to all domains in the Customer instance).
Policies.
The main items here are the domain policies, which can be set up for each domain managed. These can be found by going to Policies -> Domain Policies on the side bar menu.
To open up a policy of the domain, just click on the domain name.
A Domain policy consists of the following settings.
- Spam Filtering.
  - Mark as Spam when score is greater than - This is the threshold for mail before it is considered spam. The default setting is 5, but it can be adjusted accordingly, including by decimals.
  - Spam Should be - There are three available options:
    - Quarantine (default): spam is held in quarantine to be reviewed by the user or the admins.
    - Passed (Tagged): Spam is passed along to the recipient's inbox, but is tagged as spam. This does NOT block the address nor does it add it to the allow list.
    - Rejected: Permanently rejects mails if marked as spam; not recommended, as mails are not recoverable.
  - Discard Spam Scoring Above - Any message that scores above this is automatically rejected, meaning the mail will be removed from the system. The default is set to 999, but this can be adjusted by the Admin.
  - Send NDR - If checked on, a delivery status notification is generated for any email that is quarantined. We recommend leaving this off as, when enabled, it can cause backscatter, leading to a blacklisted IP.
  - Add X-Spam Headers to Non-Spam Emails – When enabled, this adds additional headers to the email that give the result of the spam analysis (headers added are X-Spam-Status and X-Spam-Score). Only added to inbound messages.
- Virus Filtering.
  - Virus Should be - Same options as Spam Messages.
    - Quarantine (default): spam is held in quarantine to be reviewed by the user or the admins.
    - Passed (Tagged): Spam is passed along to the recipient's inbox, but is tagged as spam. This does NOT block the address nor does it add it to the allow list.
    - Rejected: Permanently rejects mails if marked as spam; not recommended, as mails are not recoverable.
  - Sandboxing - When enabled, this will allow SpamTitan to run any attachments in a virtual environment and execute the attachments to determine if any viruses are present. Default is disabled, but enabling it is recommended.
- Attachment Filtering.
  - Banned Attachments should be - Same options as with other filtering.
    - Quarantine (default): spam is held in quarantine to be reviewed by the user or the admins.
    - Passed (Tagged): Spam is passed along to the recipient's inbox, but is tagged as spam. This does NOT block the address nor does it add it to the allow list.
    - Rejected: Permanently rejects mails if marked as spam; not recommended, as mails are not recoverable.
  - The actual attachments can be named and adjusted by going into Filtering -> Attachments (more on this later)
- Quarantine Report.
  - When enabled, a report is sent out to each user.
  - Language - the language the report should be sent out in.
  - Email report - this is the frequency at which the report should be sent. We normally recommend once per day, allowing the customer to be notified daily of what mails were blocked by SpamTitan.
  - Report Contains - We have different options for what exactly is sent out in the reports.
    - All items in Quarantine (default)
    - New Items since last report
    - All items in Quarantine except Viruses
    - New items since last report except Viruses
  - Exclude Spam mails scoring above - Any spam messages scoring above the listed value are not included in the report. Default is 999, but can be adjusted.
- Archive Mail
  - When enabled, mail in the quarantine is kept for 14 days before being removed. The instances will start to show the quarantine, but the actual message and headers would not be able to be pulled up after it is removed from the archives. Default setting is off.
Once the settings have been reviewed and are in order, click on Save Changes at the bottom to apply the settings to the policy.
Filtering.
Allow and Block List, Geo-blocking, and Link Lock work in the same manner as shown in the MSP Level but changes would just apply to the domains on the customer instance. See above for the same description to give to a customer.
Attachment Filtering.
Attachments to emails can be banned or allowed via four different ways:
- Extension
- File Name
- File Type
- Mime Type
Once in place, rules set on the Domain Policies for Attachments would take over (if banned, they would go right into the quarantine, would be passed and tagged, or outright rejected).
Regardless of what filtering you are adding, clicking the create button under each type will open a pop-up window where you can select the attachment you want to action and the associated action you would like to perform.
Quarantine.
Admins can check on messages in the quarantine and take appropriate actions with them. The quarantine is searchable back a certain number of days. If Archive Mail is on, anything in the quarantine would be accessible for at least 14 days.
NOTE: As of this time, the actual message itself would be unable to be fully brought back up. This is coming in a future Skellig but for now, we can only view the info and headers.
The top part of the quarantine landing screen gives the user options to search the quarantine.
Available options for the search function:
- Date Range (From and To)
- Domains (Specific or all domains covered)
- Score
- Message Type
  - All
  - Virus
  - Sandbox
  - Spam
  - Archive
  - Banned
  - Content Filter
- Email Subject
- Sender/Recipient Email Address
Once filters have been set, click Apply and the table below will be populated with the refined results (as shown below).
Fields that can be shown on the search results are below.
- Date
- Client Address
- From
- To
- Message Type
- Subject
- Delivery Status
- SpamTitan ID
Note: Delivery Status and SpamTitan ID fields can be added by clicking on the chart icon in the far right corner above the search results table.
To view a specific message in the quarantine, just click on the message itself and the below window will open.
The first screen that comes up is the details screen.
This gives the details of the message, status clarification, and also shows the SpamTitan ID in the message header.
The user has the following options for the message available to them.
- Delete - removes message from the quarantine.
- Forward - allows the message to be forwarded to another email address.
- Release - allows the message to be sent on to the recipient
- Allow - same function as release, but also adds the envelope sender address to the Allowed email list (which means any email sent by the sender now bypasses the spam check going forward)
The View Source option allows the users to see the headers on the email as well. This is important as it allows the user to see how the spam scoring was calculated per the tests used. The same options on the details page for the message appear below (Delete, Forward, Release and Allow).
History.
The history feature allows for the user to search and view recent messages to get a "real-time" feel for the mail flow through SpamTitan to the domains being filtered. It also allows for any troubleshooting regarding any possible mis-categorized mail (such as a false positive/negative, Greylisting issues or RBL/SPF failures.)
The regular search filters only give the following options.
- Date Range (From/To)
- Recipient
- Sender
Advanced Search gives the user more options on what they can look for in the History.
The advanced search includes the added parameters below, which can be used with the basic search function.
- Envelope From Address
- Subject
- SpamTitan ID
- Source IP Address
- Score
- Message Type
Clicking Apply will run the search, while Refresh will give you the latest information. Using the table icon, the following fields can be added to the search results table.
- Date
- Client IP Address
- From
- To
- Message Type
- Subject
- Delivery Status
- SpamTitan ID
To view a message, the user would just need to click on the entry and the same instance as with the Quarantine would come up (Details and, if applicable, Header). The same options as on a message in Quarantine would also be available (Delete, Forward, Release, Allow).
Reporting.
There are three options here for the instance-wide reporting that can be pulled up:
- Scheduled
- On-Demand
- Archive
Scheduled Reports
These are reports that can be scheduled to be sent out to different users (such as local admins or others that would need certain information). The landing page for it shows any existing reports created and the following fields:
- Report ID
- Subject
- Frequency
- Type
- Domain the report is run on (hidden)
- Creation Date (hidden)
Clicking Add will allow you to set up a scheduled report by filling in the below information on the window that pops up.
The types of reports that can be sent out are the following:
- Customer Summary Report
- Top Spam Recipients
- Top Virus Recipients
- Top Recipients
  - Mails - All Mails
  - MB - Mails Blocked
- Top Senders
  - Mails - All Mails
  - MB - Mails Blocked
- Domain Summary Report
- License Usage Report
- Geo-blocking
- Geo-blocking Clients
- Top Malicious Link Recipients
- Top Malicious Link Senders
- Malicious Links Summary Report
The frequency can be set to either Daily, Weekly or Monthly and the reports can be sent out as either PDFs, CSVs, or in TXT format.
The ability to archive reports is available; this allows reports to be stored under the Archive section.
Multiple recipients can be cited, but the email addresses would need to be separated by commas.
On-Demand
This allows an admin to generate a report on a whim, rather than receiving the same reports on a regular basis. There is also an option to Archive these reports.