
Best Practices for Email Filter Admin

  • 18-08-2006 2:51pm
    #1
    Registered Users Posts: 741 ✭✭✭


    Hi, need some advice here,
    Working in a fairly large organisation and we are passing control of releasing quarantined mail to individuals on the helpdesk.
    Basically they will be checking blocked images and inbound and outbound quarantines.

    Now I have to put together a document to explain to them best practices for doing this, any help appreciated, really looking for simple steps they should take to determine whether email is legit or not.


Comments

  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    You very quickly become used to scanning emails and telling spam from real.

    I go through about 1000 spam emails a day. I find that if you have the Subject line expanded as well as the sender's address line you can pretty much scan the whole lot in one go and pick out the non-spam. I might check maybe 2-3 emails that are borderline per day.

    It's more of a case of getting used to what spam looks like. Also make sure you sort it by subject line; that way you can see the same subject line repeated, so it will give them a better view that it is spam.

    What filter are you using?


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    You'll need to make sure that when they release a quarantined mail it's because it is a legitimate mail, i.e. you don't want them releasing a virus-ridden or pornographic mail just because they're asked. You might want to put a signoff by a more senior person in place who can approve the mail as legitimate; the technical release is done by the helpdesk.

    So your procedure will be
    - Raise helpticket from employee who requests mail release
    - Investigate mail and establish whether it is legitimate
    - Approval for release by (say) helpdesk manager
    - Helpdesk release the mail

    As to whether or not it is legitimate - I'd usually stick to "mail is for business purposes only". You'll obviously need to advise some leeway when your CEO asks you to release mails from his kids, but for most people that will do.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Make sure that stuff is being discretely categorized if the filter allows it (and if it doesn't, tbh you should try a different filter...) e.g. have separate containers for viruses, spoofed senders, banned attachments, parked/oversized mails and finally spam (and maybe one or two other categories covering things like profanity or sexual content, depending on your policy). Viruses will generally never need to be released, same with spoofed senders, and chances are banned attachments won't either, theoretically leaving only mails detected as spam to be checked. Having said that, if you're regularly having to release spam false positives (as opposed to attachments that need to be vetted or whatever) then maybe your filtering s/w isn't up to scratch.

    If you're quarantining stuff like images or multimedia files that might sometimes be legit (and therefore have to be manually released), you should have a separate container for these files and another for files that you know you'll never want to release (*.exe, *.vbs, *.bat, etc) to simplify things further.
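
The container split described in the post above, combined with the earlier tip about sorting by subject line, can be sketched as a small triage routine. This is an added example, not code from anyone in the thread; the container names, the review extension list, the repeat threshold and the sample messages are all assumptions made for illustration.

```python
from collections import Counter
from pathlib import PurePosixPath

# Extensions the post names as never worth releasing.
NEVER_RELEASE_EXT = {".exe", ".vbs", ".bat"}
# Assumed list of "sometimes legit" image/multimedia/archive types.
REVIEW_EXT = {".jpg", ".png", ".gif", ".zip", ".mp3", ".avi"}
# Filter verdicts that should not reach the helpdesk release queue.
NEVER_RELEASE_CATEGORIES = {"virus", "spoofed_sender"}

def container_for(msg):
    """Pick a quarantine container (hypothetical names) for one message."""
    if msg["category"] in NEVER_RELEASE_CATEGORIES:
        return "never-release"
    # Use only the final suffix so "invoice.pdf.exe" is treated as .exe.
    exts = {PurePosixPath(n).suffix.lower() for n in msg.get("attachments", [])}
    if exts & NEVER_RELEASE_EXT:
        return "never-release"
    if exts & REVIEW_EXT:
        return "attachment-review"
    return "spam-review"

def triage(messages, repeat_threshold=3):
    """Route every message; repeated subjects in the spam queue are marked."""
    norm = lambda s: s.strip().lower()
    counts = Counter(norm(m["subject"]) for m in messages)
    routed = []
    for m in messages:
        box = container_for(m)
        if box == "spam-review" and counts[norm(m["subject"])] >= repeat_threshold:
            box = "likely-spam"  # same subject seen many times in the queue
        routed.append((m["id"], box))
    return routed

# Constructed sample quarantine entries (not real mail).
SAMPLE = [
    {"id": 1, "category": "virus", "subject": "Your document", "attachments": ["doc.zip"]},
    {"id": 2, "category": "spam", "subject": "Cheap watches", "attachments": []},
    {"id": 3, "category": "spam", "subject": "cheap watches ", "attachments": []},
    {"id": 4, "category": "spam", "subject": "Cheap Watches", "attachments": []},
    {"id": 5, "category": "spam", "subject": "Q3 supplier invoice", "attachments": []},
    {"id": 6, "category": "attachment", "subject": "Site photos", "attachments": ["roof.JPG"]},
    {"id": 7, "category": "attachment", "subject": "Invoice", "attachments": ["invoice.pdf.exe"]},
]

if __name__ == "__main__":
    for msg_id, box in triage(SAMPLE):
        print(msg_id, box)
```

Only the `spam-review` and `attachment-review` containers would then be exposed to helpdesk staff, with release still going through whatever approval step the organisation adopts.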


  • Registered Users Posts: 37,295 ✭✭✭✭the_syco


    hmmm wrote:
    You might want to put a signoff by a more senior person in place who can approve the mail as legitimate, the technical release is done by the helpdesk.
    Had something like this in a previous place I worked. You only had the email for work purposes, so if you had an email stopped, you had to get your supervisor/manager/boss (whoever was next up the food chain) to verify that yes, it was for work, if it was a picture, zip file, etc., that was on the "banned filename" list.

