Mimecast - Spam and Malware Filtering

Mimecast email security software is being implemented as a phased rollout over a number of weeks. Rollout commences Tuesday 5th June 2018 and staff and students will be updated via the Hub and MyDay respectively.
The first phase contains the following features: 
User Email Digest – This is a report sent to users which gives details of any emails sent to them which Mimecast has placed in the Hold queue.  This digest will be sent from Postmaster@lincoln.ac.nz and will give details of emails that have been identified as potential spam and/or have specific types of attachments.
More information about the digest can be found here.
Spam Scanning - The aim of this layer of defence is to reject unwanted spam and malware. Mimecast's multiple scanning engines examine the content of inbound mail by searching for key phrases and identifiers commonly used by spammers. These scanning checks can use:
  • Content matching rules
  • DNS based filtering
  • Checksum based filtering
  • Statistical filtering
More detailed information about Mimecast’s Spam scanning policies and setup can be found here.
Suspected Malware Scanning – This blocks commonly exploitable document types and protects against zero day threats.  Mimecast’s Zero Hour Adaptive Risk Assessor (ZHARA) uses deep level anomaly detection and trending against its entire customer base to provide protection against previously unknown and zero day malware and spam outbreaks.
More detailed information about Mimecast’s Malware scanning policies and setup can be found here.
Greylisting - Greylisting is a default compliance check applied to all inbound messages from connections not previously seen by Lincoln University.  Provided the sender's mail server (Message Transfer Agent - MTA) complies with best practice guidelines (RFC compliance) the message is successfully delivered.  (The vast majority of spam is sent from applications designed specifically for that purpose, which adopt a "fire-and-forget" method where they attempt to send spam to one or more MX hosts for a domain, but never attempt a retry.  By using greylisting policies, any messages sent from an incorrectly configured MTA aren't accepted, helping to reduce the amount of spam).
More detailed information about Mimecast’s Greylisting and setup can be found here.
Content Examination – This part of Mimecast scans and analyses the content of messages, looking for matches against data types we have defined. It sets the conditions under which a message is considered safe, or what action should be taken if it isn't.
More detailed information about Mimecast’s Content Examination and setup can be found here.

Blocked Senders and DNS Authentication

Blocks and Permits – This rejects or “Whitelists” messages based on address, domain, and/or IP address.
  • Blocked senders: A Blocked Senders policy restricts messages to or from specific email addresses or domains. It can apply to inbound or outbound messages, although is typically used to block inbound messages.
  • Permitted Senders: Permitted Senders policies ensure successful delivery of inbound messages from trusted sources. Messages from trusted senders bypass Mimecast’s reputation and spam checks, avoiding the possibility of being rejected or placed in the hold queue. This is useful in situations where the sender's mail server is listed in an RBL, or for messages flagged by our content checks.
More information on Mimecast’s blocked and permitted senders and setup can be found here (blocked senders) and here (permitted senders).
DNS Authentication - Inbound – DNS Authentication policies control the types of email authentication checks performed when a message is sent or received. The following systems work by defining extra DNS records for the sending domain:
Sender Policy Framework (SPF): This is an open standard for email authentication that tells you whether the IP address connecting to us is permitted to send mail for that domain. SPF validates the connecting IP address, by looking up the DNS record for the domain in the envelope MAIL FROM or HELO/EHLO.
Domain Keys Identified Mail (DKIM) Signing: A signature is added to outbound messages, which is used to determine if the contents have been tampered with. DKIM validates the contents of the message body and headers, by creating a cryptographic hash (or signature) and adding it as a new header to the message. It confirms that a message's content was sent from a specific domain, by matching the signature to the DNS records.
Domain Based Message Authentication, Reporting and Conformance (DMARC): This is an email validation system that builds protection on top of the SPF and DKIM mechanisms. It is designed to detect and prevent email spoofing.
More information on Mimecast’s DNS Authentication and setup can be found here.

Targeted Threat Protection and Anti-Spoofing policies

Targeted Threat Protection - URL Protect - Targeted Threat Protection - URL Protect is an email security technology that protects users against spear-phishing and targeted attacks in email. It provides Lincoln University with the following benefits:
  • Instant protection from targeted attacks and spear phishing attempts across all devices, without any client side software.
  • Protection against good websites turning bad or delayed exploits.
  • Centrally managed, rapid deployment using without any additional infrastructure to maintain.
    Centrally visible administrative monitoring and reporting on user activity.
More information on Mimecast’s URL Protect and setup can be found here.
Targeted Threat Protection - Attachment Protect - Targeted Threat Protection - Attachment Protect is an advanced service that protects against the growing risk of spear phishing and other targeted attacks using email attachments. This protection is provided on all devices used for the end user's enterprise email account, including smartphones or tablets, whether they are provided directly by the employer or not.
This feature strips attachments from inbound messages that could potentially contain malicious code (e.g. PDF, Microsoft Office files) and replaces them with a clean, transcribed version. Recipients have instant access to these clean attachments, but can request access to the original files via the sandbox by clicking a link in the notification. When an original attachment is requested, a detailed security analysis is performed on the file before it is provided to the user. This safe file approach eliminates the latency inherent in traditional sandbox solutions, confining wait time to only those minority of instances where an editable document is required.
More information on Mimecast’s Attachment Protect and setup can be found here.
Targeted Threat Protection - Impersonation Protection – This feature protects against phishing, whaling and other socially engineered attacks.  The increasing number of "whaling" attacks, usually targeting an organization's senior management, means additional protection is required against email threats that do not contain attachments or URLs. Traditional spam filtering systems are unable to detect these as suspicious, due to their minimal content. Targeted Threat Protection - Impersonation Protect solves this by:
  • Looking for combinations of key identifiers commonly found in these attacks.
  • Tagging a message to make it clear that it is coming from outside our organization.
More information on Mimecast’s Impersonation Protect and setup can be found here.
Anti-Spoofing policies - Spoofing is the forgery of email headers so messages appear to come from someone other than the actual source. This tactic is used in phishing and spam campaigns as recipients are more likely to open a message that looks legitimate.  Anti-spoofing policies ensure external messages appearing to come from an internal domain are blocked.
More details on Mimecast’s Anti-Spoofing policies and setup can be found here.